From 5c8a91ca5e5f05a19d9b63df81ad5e3de9d13031 Mon Sep 17 00:00:00 2001
From: Ermal
Date: Mon, 9 Jul 2012 14:01:20 +0000
Subject: Make snort blocked [page more usable with input from http://forum.pfsense.org/index.php/topic,51168.msg274011.html#msg274011
---
 config/snort/snort_blocked.php | 254 ++++++++++++++++++-----------------------
 1 file changed, 108 insertions(+), 146 deletions(-)
(limited to 'config')
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php
index 6994cb19..b3fb7aea 100644
--- a/config/snort/snort_blocked.php
+++ b/config/snort/snort_blocked.php
@@ -40,17 +40,19 @@ if (!is_array($config['installedpackages']['snortglobal']['alertsblocks']))
 $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
 $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
-if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0')
+if (empty($pconfig['blertnumber']))
 $bnentries = '500';
 else
 $bnentries = $pconfig['blertnumber'];
-if($_POST['todelete'] or $_GET['todelete']) {
+if ($_POST['todelete'] || $_GET['todelete']) {
+ $ip = "";
 if($_POST['todelete'])
 $ip = $_POST['todelete'];
- if($_GET['todelete'])
+ else if($_GET['todelete'])
 $ip = $_GET['todelete'];
- exec("/sbin/pfctl -t snort2c -T delete {$ip}");
+ if (is_ipaddr($ip))
+ exec("/sbin/pfctl -t snort2c -T delete {$ip}");
 }
 if ($_POST['remove']) {
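Review bot: The `$_GET['todelete']` branch still lets a snort2c table entry be removed by a plain GET link, so `is_ipaddr($ip)` closes the argument-injection hole in the pfctl call but the deletion remains a state change reachable without the POST-only CSRF protection the rest of the page's forms presumably rely on; accepting the deletion only from `$_POST` (or applying the same token check to the GET path) would close that. When `is_ipaddr($ip)` fails the request is silently ignored; recording `$input_errors[] = "Invalid IP address: " . htmlspecialchars($ip);` would tell the operator why nothing happened. Evaluating `$_POST['todelete'] || $_GET['todelete']` on a request that carries neither index also raises an undefined-index notice, which `!empty()` on each side avoids.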
@@ -62,48 +64,46 @@ if ($_POST['remove']) {
 /* TODO: build a file with block ip and disc */
 if ($_POST['download']) {
-
- ob_start(); //important or other posts will fail
- $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
- $file_name = "snort_blocked_{$save_date}.tar.gz";
- exec('/bin/mkdir /tmp/snort_blocked');
- exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf');
-
- $blocked_ips_array_save = str_replace(' ', '', explode("\n", file_get_contents('/tmp/snort_block.pf')));
-
- if ($blocked_ips_array_save[0] != '') {
- /* build the list */
+ $blocked_ips_array_save = "";
+ exec('/sbin/pfctl -t snort2c -T show', $blocked_ips_array_save);
+ /* build the list */
+ if (is_array($blocked_ips_array_save) && count($blocked_ips_array_save) > 0) {
+ ob_start(); //important or other posts will fail
+ $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
+ $file_name = "snort_blocked_{$save_date}.tar.gz";
+ exec('/bin/mkdir -p /tmp/snort_blocked');
 file_put_contents("/tmp/snort_blocked/snort_block.pf", "");
- foreach($blocked_ips_array_save as $counter => $fileline)
+ foreach($blocked_ips_array_save as $counter => $fileline) {
+ if (empty($fileline))
+ continue;
+ $fileline = trim($fileline, " \n\t");
 file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline}\n", FILE_APPEND);
- }
-
- exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked");
-
- if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) {
- header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n");
- header("Pragma: private"); // needed for IE
- header("Cache-Control: private, must-revalidate"); // needed for IE
- header('Content-type: application/force-download');
- header('Content-Transfer-Encoding: Binary');
- header("Content-length: " . filesize("/tmp/snort_blocked_{$save_date}.tar.gz"));
- header("Content-disposition: attachment; filename = {$file_name}");
- readfile("$file");
- od_end_clean(); //importanr or other post will fail
- @unlink("/tmp/snort_blocked_{$save_date}.tar.gz");
- @unlink("/tmp/snort_block.pf");
- @unlink("/tmp/snort_blocked/snort_block.pf");
+ }
+
+ exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked");
+
+ if(file_exists("/tmp/{$file_name}")) {
+ header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n");
+ header("Pragma: private"); // needed for IE
+ header("Cache-Control: private, must-revalidate"); // needed for IE
+ header('Content-type: application/force-download');
+ header('Content-Transfer-Encoding: Binary');
+ header("Content-length: " . filesize("/tmp/{$file_name}"));
+ header("Content-disposition: attachment; filename = {$file_name}");
+ readfile("/tmp/{$file_name}");
+ ob_end_clean(); //importanr or other post will fail
+ @unlink("/tmp/snort_blocked_{$save_date}.tar.gz");
+ @unlink("/tmp/snort_blocked/snort_block.pf");
+ } else
+ $savemsg = "An error occurred while createing archive";
 } else
- echo 'Error no saved file.';
-
+ $savemsg = "No content on snort block list";
 }
 if ($_POST['save']) {
- /* no errors */
- if (!$input_errors)
- {
+ if (!$input_errors) {
 $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? 'on' : 'off';
 $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber'];
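Review bot: `ob_end_clean()` directly after `readfile("/tmp/{$file_name}")` discards the buffer that `ob_start()` opened at the top of this branch, so the archive bytes are thrown away while the download headers (including a `Content-length` that no longer matches) have already been sent, and the script then renders the normal page body into the same response. Change that line to `ob_end_flush();` and add `exit;` after the two `@unlink()` calls so the response ends with the archive. The timestamp can come from `date('Y-m-d-H-i-s')` instead of `exec('/bin/date ...')`, one less shell-out in a handler that already runs pfctl and tar, and `mkdir('/tmp/snort_blocked', 0700, true)` likewise replaces the mkdir exec. The user-visible `$savemsg` text `createing` should read `creating`.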
@@ -123,37 +123,18 @@ function get_snort_alert_ip_src($fileline)
 $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1
 if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4))
- $alert_ip_src = $matches4[1][0];
+ return $matches4[1][0];
- return $alert_ip_src;
+ return "";
 }
 function get_snort_alert_disc($fileline)
 {
 /* disc */
- if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
- $alert_disc = "$matches[2]";
-
- return $alert_disc;
-}
-
-/* build sec filters */
-function get_snort_block_ip($fileline)
-{
- /* ip */
- if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches))
- $alert_block_ip = "$matches[0]";
-
- return $alert_block_ip;
-}
-
-function get_snort_block_disc($fileline)
-{
- /* disc */
- if (preg_match("/\]\s\[.+\]$/", $fileline, $matches))
- $alert_block_disc = "$matches[0]";
+ if (preg_match("/\[\*\*\]\s+(\[[0-9:]+\])\s+(.+)\s+(\[\*\*\])/", $fileline, $matches))
+ return "{$matches[2]}";
- return $alert_block_disc;
+ return "";
 }
 /* tell the user what settings they have */
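Review bot: `if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4))` assigns a `$c` that is never read and collects every match when only `$matches4[1][0]` is used; `if (preg_match("/" . $re1 . $re2 . "/is", $fileline, $matches4)) return $matches4[1][0];` says the same with no dead variable and stops at the first match. `get_snort_alert_ip_src` begins outside the hunk, so `$re1` is not visible here. In `get_snort_alert_disc` the greedy `(.+)` runs to the last `[**]` on the line, which is what the alert format needs but is not obvious; a comment such as `/* returns the rule message between the [gid:sid:rev] tag and the closing [**], or "" when the line does not match */` above the `preg_match` would document the contract the table code below depends on. The removed `get_snort_block_ip`/`get_snort_block_disc` helpers are dropped cleanly as far as this hunk shows, assuming no other caller remains in the file.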
@@ -278,100 +259,81 @@ if ($pconfig['brefresh'] == 'on') IP Alert Description - /tmp/snort_block.cache'); - $blocked_ips_array = explode("\n", str_replace(' ', '', file_get_contents('/tmp/snort_block.cache'))); - if (!empty($blocked_ips_array)) { - $input = array(); - $alert_ip_src_array = array(); - foreach (glob("/var/log/snort/*/alert") as $alert) { + $fileline) { + if (empty($fileline)) + continue; + $alert_ip_src = get_snort_alert_ip_src($fileline); + $alert_ip_disc = get_snort_alert_disc($fileline); + $alert_ip_src_array[] = $alert_ip_src; + if (!empty($blocked_ips_array) && in_array("$alert_ip_src", $blocked_ips_array)) { + if (!isset($input[$alert_ip_src])) + $input[$alert_ip_src] = "{$alert_ip_disc}\n"; } } - - foreach($blocked_ips_array as $alert_block_ip) { - if (is_ipaddr($alert_block_ip) && !in_array($alert_block_ip, $alert_ip_src_array)) - $input[] = "[$alert_block_ip] " . "[N\A]\n"; - } - - /* reduce double occurrences */ - $result = array_unique($input); - - /* buil final list, preg_match, buld html */ - $counter2 = 0; - $logent = $bnentries; - - foreach($result as $fileline) { - if($logent <= $counter2) - continue; - - $counter2++; - - $alert_block_ip_str = get_snort_block_ip($fileline); - - if($alert_block_ip_str != '') { - $alert_block_ip_match = array('[',']'); - $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); - } else - $alert_block_ip = 'empty'; - - $alert_block_disc_str = get_snort_block_disc($fileline); - - if($alert_block_disc_str != '') { - $alert_block_disc_match = array('] [',']'); - $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); - }else - $alert_block_disc = 'empty'; - - /* use one echo to do the magic*/ - echo " - + } + + foreach($blocked_ips_array as $blocked_ip) { + if (is_ipaddr($blocked_ip) && !isset($input[$blocked_ip])) + $input[] = "N\A\n"; + } + + /* buil final list, preg_match, buld html */ + $counter = 0; + foreach($input as $blocked_ip => $blocked_desc) 
{ + if($counter > $bnentries) + break; + else + $counter++; + + /* use one echo to do the magic*/ + echo " + \"Delete\" -  {$counter2} -  {$alert_block_ip} -  {$alert_block_disc} +  {$counter} +  {$blocked_ip} +  {$blocked_desc} \n"; - } + } - echo '' . "\n"; - echo "\n{$counter2} items listed."; - } else - echo "\n
There are currently no items being blocked by snort."; + echo '' . "\n"; + echo "\n{$counter} items listed."; + } else + echo "\n
There are currently no items being blocked by snort."; - ?> - - - + ?> - - - - - + + + + + + - -- cgit v1.2.3
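Review bot: `$input[] = "N\A\n";` in the new `foreach($blocked_ips_array as $blocked_ip)` loop appends under a numeric key, but `$input` is keyed by IP everywhere else (`$input[$alert_ip_src] = ...`) and the final `foreach($input as $blocked_ip => $blocked_desc)` prints the key as the IP column, so every blocked address with no matching alert line is listed as 0, 1, 2 … instead of its address; it should be `$input[$blocked_ip] = "N\A\n";`. The listing loop tests `if($counter > $bnentries) break;` before incrementing, so it prints `$bnentries + 1` rows; `>=` gives the configured count. `$blocked_desc` is free text taken from the alert log by `get_snort_alert_disc()` and is echoed straight into the table cell, as is `$blocked_ip`; wrapping both in `htmlspecialchars()` keeps log content from being interpreted as markup. The HTML around the `echo` appears stripped in this view of the hunk, so the exact cell markup could not be checked.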