/tmp/snort_block.pf'); $blocked_ips_array_save = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.pf')))); if ($blocked_ips_array_save[0] != '') { /* build the list */ file_put_contents("/tmp/snort_blocked/snort_block.pf", ""); foreach($blocked_ips_array_save as $counter => $fileline3) file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline3}\n", FILE_APPEND); } exec("/usr/bin/tar cfz /tmp/snort_blocked_{$save_date}.tar.gz /tmp/snort_blocked"); if(file_exists("/tmp/snort_blocked_{$save_date}.tar.gz")) { $file = "/tmp/snort_blocked_{$save_date}.tar.gz"; header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); header("Pragma: private"); // needed for IE header("Cache-Control: private, must-revalidate"); // needed for IE header('Content-type: application/force-download'); header('Content-Transfer-Encoding: Binary'); header("Content-length: ".filesize($file)); header("Content-disposition: attachment; filename = {$file_name}"); readfile("$file"); exec("/bin/rm /tmp/snort_blocked_{$save_date}.tar.gz"); exec("/bin/rm /tmp/snort_block.pf"); exec("/bin/rm /tmp/snort_blocked/snort_block.pf"); od_end_clean(); //importanr or other post will fail } else echo 'Error no saved file.'; } if ($_POST['save']) { /* input validation */ if ($_POST['save']) { } /* no errors */ if (!$input_errors) { $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; write_config(); header("Location: /snort/snort_blocked.php"); } } /* build filter funcs */ function get_snort_alert_ip_src($fileline) { /* SRC IP */ $re1='.*?'; # Non-greedy match on filler $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) $alert_ip_src = $matches4[1][0]; return $alert_ip_src; } function get_snort_alert_disc($fileline) { /* disc */ if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) $alert_disc = "$matches[2]"; return $alert_disc; } /* build sec filters */ function get_snort_block_ip($fileline) { /* ip */ if (preg_match("/\[\d+\.\d+\.\d+\.\d+\]/", $fileline, $matches)) $alert_block_ip = "$matches[0]"; return $alert_block_ip; } function get_snort_block_disc($fileline) { /* disc */ if (preg_match("/\]\s\[.+\]$/", $fileline, $matches)) $alert_block_disc = "$matches[0]"; return $alert_block_disc; } /* tell the user what settings they have */ $blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked']; if ($blockedtab_msg_chk == "1h_b") { $blocked_msg = "hour"; } if ($blockedtab_msg_chk == "3h_b") { $blocked_msg = "3 hours"; } if ($blockedtab_msg_chk == "6h_b") { $blocked_msg = "6 hours"; } if ($blockedtab_msg_chk == "12h_b") { $blocked_msg = "12 hours"; } if ($blockedtab_msg_chk == "1d_b") { $blocked_msg = "day"; } if ($blockedtab_msg_chk == "4d_b") { $blocked_msg = "4 days"; } if ($blockedtab_msg_chk == "7d_b") { $blocked_msg = "7 days"; } if ($blockedtab_msg_chk == "28d_b") { $blocked_msg = "28 days"; } if ($blockedtab_msg_chk != "never_b") { $blocked_msg_txt = "Hosts are removed every $blocked_msg."; }else{ $blocked_msg_txt = "Settings are set to never remove hosts."; } $pgtitle = "Services: Snort Blocked Hosts"; include_once("head.inc"); ?> \n"; ?>
' . $pgtitle . '

';}?>
Last Blocked. This page lists hosts that have been blocked by Snort.  
Save or Remove Hosts
All blocked hosts will be saved. Warning: all hosts will be removed.
Auto Refresh and Log View
Refresh > Default is ON. Enter the number of blocked entries to view. Default is 500.

"; else echo "\n"; ?>
/tmp/snort_block.cache'); $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); $blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_contents('/tmp/snort_block.cache')))); $logent = $bnentries; if ($blocked_ips_array[0] != '' && $alerts_array[0] != '') { /* build the list and compare blocks to alerts */ $counter = 0; foreach($alerts_array as $fileline) { $counter++; $alert_ip_src = get_snort_alert_ip_src($fileline); $alert_ip_disc = get_snort_alert_disc($fileline); $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); if (in_array("$alert_ip_src", $blocked_ips_array)) $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; } foreach($blocked_ips_array as $alert_block_ip) { if (!in_array($alert_block_ip, $alert_ip_src_array)) { $input[] = "[$alert_block_ip] " . "[N\A]\n"; } } /* reduce double occurrences */ $result = array_unique($input); /* buil final list, preg_match, buld html */ $counter2 = 0; foreach($result as $fileline2) { if($logent <= $counter2) continue; $counter2++; $alert_block_ip_str = get_snort_block_ip($fileline2); if($alert_block_ip_str != '') { $alert_block_ip_match = array('[',']'); $alert_block_ip = str_replace($alert_block_ip_match, '', "$alert_block_ip_str"); }else{ $alert_block_ip = 'empty'; } $alert_block_disc_str = get_snort_block_disc($fileline2); if($alert_block_disc_str != '') { $alert_block_disc_match = array('] [',']'); $alert_block_disc = str_replace($alert_block_disc_match, '', "$alert_block_disc_str"); }else{ $alert_block_disc = 'empty'; } /* use one echo to do the magic*/ echo "\n"; } }else{ /* if alerts file is empty and blocked table is not empty */ $counter2 = 0; foreach($blocked_ips_array as $alert_block_ip) { if($logent <= $counter2) continue; $counter2++; $alert_block_disc = 'N/A'; /* use one echo to do the magic*/ echo "\n"; } } echo '
Remove # IP Alert Description
\"Delete\"  {$counter2}  {$alert_block_ip}  {$alert_block_disc}
\"Delete\"  {$counter2}  {$alert_block_ip}  {$alert_block_disc}
' . "\n"; if (empty($blocked_ips_array[0])) echo "\n

There are currently no items being blocked by snort.
{$counter2} items listed.