= 8) { $hostname = htmlspecialchars(gethostbyaddr($getpfhostname), ENT_QUOTES); } else { $hostname = $getpfhostname; } if ($hostname == $getpfhostname) { $hostname = 'unknown'; } echo $hostname; die; } require_once("util.inc"); require_once("guiconfig.inc"); require_once("/usr/local/pkg/pfblockerng/pfblockerng.inc"); global $rule_list; pfb_global(); // Application Paths $pathgeoip = "/usr/pbi/pfblockerng-" . php_uname("m") . "/bin/geoiplookup"; $pathgeoip6 = "/usr/pbi/pfblockerng-" . php_uname("m") . "/bin/geoiplookup6"; // Define File Locations $filter_logfile = "{$g['varlog_path']}/filter.log"; $pathgeoipdat = "/usr/pbi/pfblockerng-" . php_uname("m") . "/share/GeoIP/GeoIP.dat"; $pathgeoipdat6 = "/usr/pbi/pfblockerng-" . php_uname("m") . "/share/GeoIP/GeoIPv6.dat"; // Define Alerts Log filter Rollup window variable. (Alert Filtering Code adapted from B.Meeks - Snort Package) $pfb['filterlogentries'] = FALSE; // Emerging Threats IQRisk Header Name Reference $pfb['et_header'] = TRUE; $et_header = $config['installedpackages']['pfblockerngreputation']['config'][0]['et_header']; if (empty($et_header)) $pfb['et_header'] = FALSE; // Collect pfBlockerNGSuppress Alias and Create pfbsuppression.txt if ($pfb['supp'] == "on") pfb_create_suppression_file(); // Collect Number of Suppressed Hosts if (file_exists("{$pfb['supptxt']}")) { $pfbsupp_cnt = exec ("/usr/bin/grep -c ^ {$pfb['supptxt']}"); } else { $pfbsupp_cnt = 0; } // Collect pfBlockerNG Rule Names and Number $rule_list = array(); $results = array(); $data = exec ("/sbin/pfctl -vv -sr | grep 'pfB_'", $results); if (!isset($config['installedpackages']['pfblockerngglobal']['pfbdenycnt'])) $config['installedpackages']['pfblockerngglobal']['pfbdenycnt'] = '25'; if (!isset($config['installedpackages']['pfblockerngglobal']['pfbpermitcnt'])) $config['installedpackages']['pfblockerngglobal']['pfbpermitcnt'] = '5'; if (!isset($config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'])) $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'] = '5'; if (empty($config['installedpackages']['pfblockerngglobal']['alertrefresh'])) $config['installedpackages']['pfblockerngglobal']['alertrefresh'] = 'off'; if (empty($config['installedpackages']['pfblockerngglobal']['hostlookup'])) $config['installedpackages']['pfblockerngglobal']['hostlookup'] = 'off'; if (isset($_POST['save'])) { if (!is_array($config['installedpackages']['pfblockerngglobal'])) $config['installedpackages']['pfblockerngglobal'] = array(); $config['installedpackages']['pfblockerngglobal']['alertrefresh'] = $_POST['alertrefresh'] ? 'on' : 'off'; $config['installedpackages']['pfblockerngglobal']['hostlookup'] = $_POST['hostlookup'] ? 'on' : 'off'; if (is_numeric($_POST['pfbdenycnt'])) $config['installedpackages']['pfblockerngglobal']['pfbdenycnt'] = $_POST['pfbdenycnt']; if (is_numeric($_POST['pfbpermitcnt'])) $config['installedpackages']['pfblockerngglobal']['pfbpermitcnt'] = $_POST['pfbpermitcnt']; if (is_numeric($_POST['pfbmatchcnt'])) $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt'] = $_POST['pfbmatchcnt']; write_config("pfBlockerNG pkg: updated ALERTS tab settings."); header("Location: " . $_SERVER['PHP_SELF']); exit; } if (is_array($config['installedpackages']['pfblockerngglobal'])) { $alertrefresh = $config['installedpackages']['pfblockerngglobal']['alertrefresh']; $hostlookup = $config['installedpackages']['pfblockerngglobal']['hostlookup']; $pfbdenycnt = $config['installedpackages']['pfblockerngglobal']['pfbdenycnt']; $pfbpermitcnt = $config['installedpackages']['pfblockerngglobal']['pfbpermitcnt']; $pfbmatchcnt = $config['installedpackages']['pfblockerngglobal']['pfbmatchcnt']; } function pfb_match_filter_field($flent, $fields) { foreach ($fields as $key => $field) { if ($field == null) continue; if ((strpos($field, '!') === 0)) { $field = substr($field, 1); $field_regex = str_replace('/', '\/', str_replace('\/', '/', $field)); if (@preg_match("/{$field_regex}/i", $flent[$key])) return false; } else { $field_regex = str_replace('/', '\/', str_replace('\/', '/', $field)); if (!@preg_match("/{$field_regex}/i", $flent[$key])) return false; } } return true; } if ($_POST['filterlogentries_submit']) { // Set flag for filtering alert entries $pfb['filterlogentries'] = TRUE; // Note the order of these fields must match the order decoded from the alerts log $filterfieldsarray = array(); $filterfieldsarray[0] = $_POST['filterlogentries_rule'] ? $_POST['filterlogentries_rule'] : null; $filterfieldsarray[2] = $_POST['filterlogentries_int'] ? $_POST['filterlogentries_int'] : null; $filterfieldsarray[6] = strtolower($_POST['filterlogentries_proto']) ? $_POST['filterlogentries_proto'] : null; // Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation $filterfieldsarray[7] = $_POST['filterlogentries_srcip'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_srcip']) : null; $filterfieldsarray[8] = $_POST['filterlogentries_dstip'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_dstip']) : null; $filterfieldsarray[9] = $_POST['filterlogentries_srcport'] ? $_POST['filterlogentries_srcport'] : null; $filterfieldsarray[10] = $_POST['filterlogentries_dstport'] ? $_POST['filterlogentries_dstport'] : null; $filterfieldsarray[99] = $_POST['filterlogentries_date'] ? $_POST['filterlogentries_date'] : null; } if ($_POST['filterlogentries_clear']) { $pfb['filterlogentries'] = TRUE; $filterfieldsarray = array(); } // Collect pfBlockerNG Firewall Rules if (!empty($results)) { foreach ($results as $result) { # Find Rule Descriptions $descr = ""; if (preg_match("/USER_RULE: (\w+)/",$result,$desc)) $descr = $desc[1]; if ($pfb['pfsenseversion'] >= '2.2') { preg_match ("/@(\d+)\(/",$result, $rule); } else { preg_match ("/@(\d+)\s/",$result, $rule); } $id = $rule[1]; # Create array of Rule Description and pfctl Rule Number $rule_list['id'][] = $id; $rule_list[$id]['name'] = $descr; } } // Add IP to the Suppression Alias if (isset($_POST['addsuppress'])) { $ip = ""; if (isset($_POST['ip'])) { $ip = $_POST['ip']; $table = $_POST['table']; $descr = $_POST['descr']; $cidr = $_POST['cidr']; // If Description or CIDR field is empty, exit. if (empty($descr) || empty($cidr)) { header("Location: " . $_SERVER['PHP_SELF']); exit; } if (is_ipaddr($ip)) { $savemsg1 = "Host IP address {$ip}"; if (is_ipaddrv4($ip)) { $iptrim1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '$1.$2.$3.0/24', $ip); $iptrim2 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '$1.$2.$3.', $ip); $iptrim3 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '$4', $ip); if ($cidr == "32") { $pfb_pfctl = exec ("/sbin/pfctl -t {$table} -T show | grep {$iptrim1} 2>&1"); if ($pfb_pfctl == "") { $savemsg2 = " : Removed /32 entry"; exec ("/sbin/pfctl -t {$table} -T delete {$ip}"); } else { $savemsg2 = " : Removed /24 entry, added 254 addr"; exec ("/sbin/pfctl -t {$table} -T delete {$iptrim1}"); for ($add_ip=0; $add_ip <= 255; $add_ip++){ if ($add_ip != $iptrim3) { exec ("/sbin/pfctl -t {$table} -T add {$iptrim2}{$add_ip}"); } } } } else { $cidr = 24; $savemsg2 = " : Removed /24 entry"; exec ("/sbin/pfctl -t {$table} -T delete {$iptrim1} 2>&1", $pfb_pfctl); if (!preg_grep("/1\/1 addresses deleted/", $pfb_pfctl)) { $savemsg2 = " : Removed all entries"; // Remove 0-255 IP Address from Alias Table for ($del_ip=0; $del_ip <= 255; $del_ip++){ exec ("/sbin/pfctl -t {$table} -T delete {$iptrim2}{$del_ip}"); } } } } // Collect pfBlockerNGSuppress Alias Contents $pfb_sup_list = array(); $pfb_sup_array = array(); $pfb['found'] = FALSE; $pfb['update'] = FALSE; if (is_array($config['aliases']['alias'])) { foreach ($config['aliases']['alias'] as $alias) { if ($alias['name'] == "pfBlockerNGSuppress") { $data = $alias['address']; $data2 = $alias['detail']; $arr1 = explode(" ",$data); $arr2 = explode("||",$data2); if (!empty($data)) { $row = 0; foreach ($arr1 as $host) { $pfb_sup_list[] = $host; $pfb_sup_array[$row]['host'] = $host; $row++; } $row = 0; foreach ($arr2 as $detail) { $pfb_sup_array[$row]['detail'] = $detail; $row++; } } $pfb['found'] = TRUE; } } } // Call Function to Create Suppression Alias if not found. if (!$pfb['found']) pfb_create_suppression_alias(); // Save New Suppress IP to pfBlockerNGSuppress Alias if (in_array($ip . '/' . $cidr, $pfb_sup_list)) { $savemsg = gettext("Host IP address {$ip} already exists in the pfBlockerNG Suppress Table."); } else { if (!$pfb['found'] && empty($pfb_sup_list)) { $next_id = 0; } else { $next_id = count($pfb_sup_list); } $pfb_sup_array[$next_id]['host'] = $ip . '/' . $cidr; $pfb_sup_array[$next_id]['detail'] = $descr; $address = ""; $detail = ""; foreach ($pfb_sup_array as $pfb_sup) { $address .= $pfb_sup['host'] . " "; $detail .= $pfb_sup['detail'] . "||"; } // Find pfBlockerNGSuppress Array ID Number if (is_array($config['aliases']['alias'])) { $pfb_id = 0; foreach ($config['aliases']['alias'] as $alias) { if ($alias['name'] == "pfBlockerNGSuppress") { break; } $pfb_id++; } } $config['aliases']['alias'][$pfb_id]['address'] = rtrim($address, " "); $config['aliases']['alias'][$pfb_id]['detail'] = rtrim($detail, "||"); $savemsg = gettext($savemsg1) . gettext($savemsg2) . gettext(" and added Host to the pfBlockerNG Suppress Table."); $pfb['update'] = TRUE; } if ($pfb['found'] || $pfb['update']) { // Save all Changes to pfsense config file write_config(); } } } } // Host Resolve Function lookup function getpfbhostname($type = 'src', $hostip, $countme = 0) { $hostnames['src'] = ''; $hostnames['dst'] = ''; $hostnames[$type] = '
'; return $hostnames; } // Determine if Alert Host 'Dest' is within the Local Lan IP Range. function check_lan_dest($lan_ip,$lan_mask,$dest_ip,$dest_mask="32") { $result = check_subnets_overlap($lan_ip, $lan_mask, $dest_ip, $dest_mask); return $result; } // Parse Filter log for pfBlockerNG Alerts function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt) { global $pfb, $rule_list, $filterfieldsarray; $fields_array = array(); $logarr = ""; $denycnt = 0; $permitcnt = 0; $matchcnt = 0; if (file_exists($logfile)) { exec("/usr/local/sbin/clog " . escapeshellarg($logfile) . " | grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/grep 'filterlog:' | /usr/bin/tail -r -n {$tail}", $logarr); } else return; if (!empty($logarr) && !empty($rule_list['id'])) { foreach ($logarr as $logent) { $pfbalert = array(); $log_split = ""; if (!preg_match("/(.*)\s(.*)\sfilterlog:\s(.*)$/", $logent, $log_split)) continue; list($all, $pfbalert[99], $host, $rule) = $log_split; $rule_data = explode(",", $rule); $pfbalert[0] = $rule_data[0]; // Rulenum // Skip Alert if Rule is not a pfBNG Alert if (!in_array($pfbalert[0], $rule_list['id'])) continue; $pfbalert[1] = $rule_data[4]; // Realint $pfbalert[3] = $rule_data[6]; // Act $pfbalert[4] = $rule_data[8]; // Version if ($pfbalert[4] == "4") { $pfbalert[5] = $rule_data[15]; // Protocol ID $pfbalert[6] = $rule_data[16]; // Protocol $pfbalert[7] = $rule_data[18]; // SRC IP $pfbalert[8] = $rule_data[19]; // DST IP $pfbalert[9] = $rule_data[20]; // SRC Port $pfbalert[10] = $rule_data[21]; // DST Port $pfbalert[11] = $rule_data[23]; // TCP Flags } else { $pfbalert[5] = $rule_data[13]; // Protocol ID $pfbalert[6] = $rule_data[12]; // Protocol $pfbalert[7] = $rule_data[15]; // SRC IP $pfbalert[8] = $rule_data[16]; // DST IP $pfbalert[9] = $rule_data[17]; // SRC Port $pfbalert[10] = $rule_data[18]; // DST Port $pfbalert[11] = $rule_data[20]; // TCP Flags } if ($pfbalert[5] == "6" || $pfbalert[5] == "17") { // skip } else { $pfbalert[9] = ""; $pfbalert[10] = ""; $pfbalert[11] = ""; } // Skip Repeated Alerts if (($pfbalert[3] . $pfbalert[8] . $pfbalert[10]) == $previous_dstip || ($pfbalert[3] . $pfbalert[7] . $pfbalert[9]) == $previous_srcip) continue; $pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]); // Friendly Interface Name $pfbalert[6] = str_replace("TCP", "TCP-", strtoupper($pfbalert[6]), $pfbalert[6]) . $pfbalert[11]; // Protocol Flags // If Alerts Filtering is selected, process Filters as required. if ($pfb['filterlogentries'] && !pfb_match_filter_field($pfbalert, $filterfieldsarray)) { continue; } if ($pfbalert[3] == "block") { if ($denycnt < $pfbdenycnt) { $fields_array['Deny'][] = $pfbalert; $denycnt++; } } elseif ($pfbalert[3] == "pass") { if ($permitcnt < $pfbpermitcnt) { $fields_array['Permit'][] = $pfbalert; $permitcnt++; } } elseif ($pfbalert[3] == "unkn(%u)" || $pfbalert[3] == "unkn(11)") { if ($matchcnt < $pfbmatchcnt) { $fields_array['Match'][] = $pfbalert; $matchcnt++; } } // Exit function if Sufficinet Matches found. if ($denycnt >= $pfbdenycnt && $permitcnt >= $pfbpermitcnt && $matchcnt >= $pfbmatchcnt) { unset ($pfbalert, $logarr); return $fields_array; } // Collect Details for Repeated Alert Comparison $previous_srcip = $pfbalert[3] . $pfbalert[7] . $pfbalert[9]; $previous_dstip = $pfbalert[3] . $pfbalert[8] . $pfbalert[10]; } unset ($pfbalert, $logarr); return $fields_array; } } $pgtitle = gettext("pfBlockerNG: Alerts"); include_once("head.inc"); ?>
\n"; if ($savemsg) { print_info_box($savemsg); } ?>
"> "> $pfb['denydir'] . " " . $pfb['nativedir'], "Permit" => $pfb['permitdir'], "Match" => $pfb['matchdir']) as $type => $pfbfolder ): switch($type) { case "Deny": $rtype = "block"; $pfbentries = "{$pfbdenycnt}"; break; case "Permit": $rtype = "pass"; $pfbentries = "{$pfbpermitcnt}"; break; case "Match": if ($pfb['pfsenseversion'] >= '2.2') { $rtype = "unkn(%u)"; } else { $rtype = "unkn(11)"; } $pfbentries = "{$pfbmatchcnt}"; break; } ?>
     
', ''); ?> ', ''); ?> ', ''); ?>   />    />   
       ', '');?>
" onclick="enable_showFilter();" />   

', '');?>  

" title="" />    " title="" />    " onclick="enable_hideFilter();" title="" />
    
= '2.2') { $pfblines = exec("/usr/local/sbin/clog {$filter_logfile} | /usr/bin/grep -c ^"); } else { $pfblines = (exec("/usr/local/sbin/clog {$filter_logfile} | /usr/bin/grep -c ^") /2 ); } $fields_array = conv_log_filter_lite($filter_logfile, $pfblines, $pfblines, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt); $continents = array('pfB_Africa','pfB_Antartica','pfB_Asia','pfB_Europe','pfB_NAmerica','pfB_Oceania','pfB_SAmerica','pfB_Top'); $supp_ip_txt .= "Clicking this Suppression Icon, will immediately remove the Block.\n\nSuppressing a /32 CIDR is better than Suppressing the full /24"; $supp_ip_txt .= " CIDR.\nThe Host will be added to the pfBlockerNG Suppress Alias Table.\n\nOnly 32 or 24 CIDR IPs can be Suppressed with the '+' Icon."; $supp_ip_txt .= "\nTo manually add Host(s), edit the 'pfBlockerNGSuppress' Alias in the Alias Tab.\nManual entries will not remove existing Blocked Hosts"; // Array of all Local IPs for Alert Analysis $pfb_local = array(); // Collect Gateway IP Addresses for Inbound/Outbound List matching $int_gateway = get_interfaces_with_gateway(); if (is_array($int_gateway)) { foreach ($int_gateway as $gateway) { $convert = get_interface_ip($gateway); $pfb_local[] = $convert; } } // Collect Virtual IP Aliases for Inbound/Outbound List Matching if (is_array($config['virtualip']['vip'])) { foreach ($config['virtualip']['vip'] as $list) { if ($list['type'] == "single" && $list['subnet_bits'] == "32") $pfb_local[] = $list['subnet']; elseif ($list['type'] == "single" || $list['type'] == "network") $pfb_local = array_merge (subnet_expand ("{$list['subnet']}/{$list['subnet_bits']}"), $pfb_local); } } // Collect NAT IP Addresses for Inbound/Outbound List Matching if (is_array($config['nat']['rule'])) { foreach ($config['nat']['rule'] as $natent) { $pfb_local[] = $natent['target']; } } // Collect 1:1 NAT IP Addresses for Inbound/Outbound List Matching if(is_array($config['nat']['onetoone'])) { foreach ($config['nat']['onetoone'] as $onetoone) { $pfb_local[] = $onetoone['source']['address']; } } // Convert any 'Firewall Aliases' to IP Address Format if (is_array($config['aliases']['alias'])) { for ($cnt = 0; $cnt <= count($pfb_local); $cnt++) { foreach ($config['aliases']['alias'] as $i=> $alias) { if (isset($alias['name']) && isset($pfb_local[$cnt])) { if ($alias['name'] == $pfb_local[$cnt]) { $pfb_local[$cnt] = $alias['address']; } } } } } // Remove any Duplicate IPs $pfb_local = array_unique($pfb_local); // Determine Lan IP Address and Mask if (is_array($config['interfaces']['lan'])) { $lan_ip = $config['interfaces']['lan']['ipaddr']; $lan_mask = $config['interfaces']['lan']['subnet']; } } $counter = 0; // Process Fields_array and generate Output if (!empty($fields_array[$type]) && !empty($rule_list)) { $key = 0; foreach ($fields_array[$type] as $fields) { $rulenum = ""; $alert_ip = ""; $supp_ip = ""; $pfb_query = ""; /* Fields_array Reference [0] = Rulenum [6] = Protocol [1] = Real Interface [7] = SRC IP [2] = Friendly Interface Name [8] = DST IP [3] = Action [9] = SRC Port [4] = Version [10] = DST Port [5] = Protocol ID [11] = Flags [99] = Timestamp */ $rulenum = $fields[0]; if ($counter < $pfbentries) { // Cleanup Port Output if ($fields[6] == "ICMP" || $fields[6] == "ICMPV6") { $srcport = ""; $dstport = ""; } else { $srcport = ":" . $fields[9]; $dstport = ":" . $fields[10]; } // Don't add Suppress Icon to Country Block Lines if (in_array(substr($rule_list[$rulenum]['name'], 0, -3), $continents)) { $pfb_query = "Country"; } // Add DNS Resolve and Suppression Icons to External IPs only. GeoIP Code to External IPs only. if (in_array($fields[8], $pfb_local) || check_lan_dest($lan_ip,$lan_mask,$fields[8],"32")) { // Destination is Gateway/NAT/VIP $rule = $rule_list[$rulenum]['name'] . "
(" . $rulenum .")"; $host = $fields[7]; $alert_ip .= " "; if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") { $supp_ip .= ""; } if ($pfb_query != "Country" && $rtype == "block" && $hostlookup == "on") { $hostname = getpfbhostname('src', $fields[7], $counter); } else { $hostname = ""; } $src_icons = $alert_ip . " " . $supp_ip . " "; $dst_icons = ""; } else { // Outbound $rule = $rule_list[$rulenum]['name'] . "
(" . $rulenum .")"; $host = $fields[8]; $alert_ip .= " "; if ($pfb_query != "Country" && $rtype == "block" && $pfb['supp'] == "on") { $supp_ip .= ""; } if ($pfb_query != "Country" && $rtype == "block" && $hostlookup == "on") { $hostname = getpfbhostname('dst', $fields[8], $counter); } else { $hostname = ""; } $src_icons = ""; $dst_icons = $alert_ip . " " . $supp_ip . " "; } // Determine Country Code of Host if (is_ipaddrv4($host)) { $country = substr(exec("$pathgeoip -f $pathgeoipdat $host"),23,2); } else { $country = substr(exec("$pathgeoip6 -f $pathgeoipdat6 $host"),26,2); } # IP Query Grep Exclusion $pfb_ex1 = "grep -v 'pfB\_\|\_v6\.txt'"; $pfb_ex2 = "grep -v 'pfB\_\|/32\|/24\|\_v6\.txt' | grep -m1 '/'"; // Find List which contains Blocked IP Host if (is_ipaddrv4($host) && $pfb_query != "Country") { // Search for exact IP Match $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'$1\.$2\.$3\.$4\'', $host); $pfb_query = exec("/usr/bin/grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/:.*//' -e 's/\..*/ /' | {$pfb_ex1}"); // Search for IP in /24 CIDR if (empty($pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'$1\.$2\.$3\.0/24\'', $host); $pfb_query = exec("/usr/bin/grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex1}"); } // Search for First Two IP Octets in CIDR Matches Only. Skip any pfB (Country Lists) or /32,/24 Addresses. if (empty($pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'^$1\.$2\.\'', $host); $pfb_query = exec("/usr/bin/grep -rH {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); } // Search for First Two IP Octets in CIDR Matches Only (Subtract 1 from second Octet on each loop). // Skip (Country Lists) or /32,/24 Addresses. if (empty($pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'^$1\.', $host); $host2 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '$2', $host); for ($cnt = 1; $cnt <= 5; $cnt++) { $host3 = $host2 - $cnt . '\''; $pfb_query = exec("/usr/bin/grep -rH {$host1}{$host3} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); // Break out of loop if found. if (!empty($pfb_query)) $cnt = 6; } } // Search for First Three Octets if (empty($pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'^$1\.$2\.$3\.\'', $host); $pfb_query = exec("/usr/bin/grep -rH {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); } // Search for First Two Octets if (empty($pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'^$1\.$2\.\'', $host); $pfb_query = exec("/usr/bin/grep -rH {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex2}"); } // Report Specific ET IQRisk Details if ($pfb['et_header'] && preg_match("/{$et_header}/", $pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'$1\.$2\.$3\.$4\'', $host); $pfb_query = exec("/usr/bin/grep -Hm1 {$host1} {$pfb['etdir']}/* | sed -e 's/^.*[a-zA-Z]\///' -e 's/:.*//' -e 's/\..*/ /' -e 's/ET_/ET IPrep /' "); if (empty($pfb_query)) { $host1 = preg_replace("/(\d{1,3})\.(\d{1,3}).(\d{1,3}).(\d{1,3})/", '\'$1.$2.$3.0/24\'', $host); $pfb_query = exec("/usr/bin/grep -rHm1 {$host1} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | {$pfb_ex1}"); } } } elseif (is_ipaddrv6($host) && $pfb_query != "Country") { $pfb_query = exec("/usr/bin/grep -Hm1 {$host} {$pfbfolder} | sed -e 's/^.*[a-zA-Z]\///' -e 's/\.txt:/ /' | grep -v 'pfB\_'"); } // Default to "No Match" if not found. if (empty($pfb_query)) $pfb_query = "No Match"; # Split List Column into Two lines. unset ($pfb_match); if ($pfb_query == "No Match") { $pfb_match[1] = "{$pfb_query}"; $pfb_match[2] = ""; } else { preg_match ("/(.*)\s(.*)/", $pfb_query, $pfb_match); if ($pfb_match[1] == "") { $pfb_match[1] = "{$pfb_query}"; $pfb_match[2] = ""; } } // Add []'s to IPv6 Addresses and add a zero-width space as soft-break opportunity after each colon if we have an IPv6 address (from Snort) if ($fields[4] == "6") { $fields[97] = "[" . str_replace(":", ":​", $fields[7]) . "]"; $fields[98] = "[" . str_replace(":", ":​", $fields[8]) . "]"; } else { $fields[97] = $fields[7]; $fields[98] = $fields[8]; } // Truncate Long List Names $pfb_matchtitle = "Country Block Rules cannot be suppressed.\n\nTo allow a particular Country IP, either remove the particular Country or add the Host\nto a Permit Alias in the Firewall Tab.\n\nIf the IP is not listed beside the List, this means that the Block is a /32 entry.\nOnly /32 or /24 CIDR Hosts can be suppressed.\n\nIf (Duplication) Checking is not enabled. You may see /24 and /32 CIDR Blocks for a given blocked Host"; if (strlen($pfb_match[1]) >= 17) { $pfb_matchtitle = $pfb_match[1]; $pfb_match[1] = substr($pfb_match[1], 0, 16) . '...'; } // Print Alternating Line Shading if ($pfb['pfsenseversion'] > '2.0') { $alertRowEvenClass = "listMReven"; $alertRowOddClass = "listMRodd"; } else { $alertRowEvenClass = "listr"; $alertRowOddClass = "listr"; } $alertRowClass = $counter % 2 ? $alertRowEvenClass : $alertRowOddClass; echo ""; $counter++; if ($counter > 0 && $rtype == "block") { $mycounter = $counter; } } } } ?>
{$fields[99]} {$fields[2]} {$rule} {$fields[6]} {$src_icons}{$fields[97]}{$srcport}
{$hostname['src']}
{$dst_icons}{$fields[98]}{$dstport}
{$hostname['dst']}
{$country} {$pfb_match[1]}
{$pfb_match[2]}