annotate maltfilter @ 97:3dbd9d392986
Change XSS style attack DroneBL class to 6. Still not exactly what we want, though.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Mon, 31 Aug 2009 11:57:46 +0300 |
parents | b1f9df8bb084 |
children | 075b2b626d17 1cbefe9c26c1 |
```perl
#!/usr/bin/perl -w
#############################################################################
#
# Malicious Attack Livid Termination Filter daemon (maltfilter)
# Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org>
# (C) Copyright 2009 Tecnic Software productions (TNSP)
#
#############################################################################
use strict;
use Date::Parse;
use Net::IP;
use Net::DNS;
use LWP::UserAgent;
use IO::Seekable;

my $progversion = "0.19.4";
my $progbanner =
  "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n".
  "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n".
  "(C) Copyright 2009 Tecnic Software productions (TNSP)\n";


#############################################################################
### Default settings and configuration
#############################################################################
my %settings = (
  "VERBOSITY" => 3,
  "DRY_RUN" => 1,
  "LOGFILE" => "",
  "STATS_MAX_AGE" => 336, # in hours

  "PASSWD" => "/etc/passwd",
  "SYSACCT_MIN_UID" => 1,
  "SYSACCT_MAX_UID" => 999,

  "FILTER" => 0,
  "FILTER_THRESHOLD" => 3,
  "FILTER_MAX_AGE" => 168, # in hours
  "FILTER_TARGET" => "DROP",
  "FILTER_CHAIN" => "INPUT",
  "FILTER_TABLE" => "filter",
  "IPTABLES" => "/sbin/iptables",

  "FULL_TIME" => 1,
  "STATUS_FILE_PLAIN" => "",
  "STATUS_FILE_HTML" => "",
  "STATUS_FILE_CSS" => "",
  "WHOIS_URL" => "http://whois.domaintools.com/",

  "CHK_SSHD" => 1,
  "CHK_KNOWN_CGI" => 1,
  "CHK_PHP_XSS" => 1,
  "CHK_PROXY_SCAN" => 1,
  "CHK_ROOT_SSH_PWD" => 0,
  "CHK_SYSACCT_SSH_PWD" => 0,
  "CHK_GOOD_HOSTS" => "",

  "EVIDENCE" => 0,
  "EVIDENCE_DIR" => "",

  "DRONEBL" => 0,
  "DRONEBL_THRESHOLD" => 5,
  "DRONEBL_MAX_AGE" => 30, # in minutes
  "DRONEBL_RPC_URI" => "http://dronebl.org/RPC2",
  "DRONEBL_RPC_KEY" => "",
  "DRONEBL_MAX_ERRORS" => 5,
  "DRONEBL_SUSPEND" => 10,
);

# List loopback and private netblocks by default here
my @noaction_ips_def = (
  "127.0.0.0/8",
  "10.0.0.0/8",
  "172.16.0.0/12",
  "192.168.0.0/16"
);

# Valid target tables for FILTER_TABLE. The table names must be the hash
# *keys* (a flat list would pair them up as key => value, leaving "nat" and
# "raw" unreachable), so build the set with map.
my %filter_valid_tables = map { $_ => 1 } ("filter", "nat", "mangle", "raw");

my %systemacct = ();
sub check_add_hit($$$$$$);


#############################################################################
### Check given logfile line for matches
#############################################################################
sub check_log_line($)
{
  # (1) SSHD scans
  if (/^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: (.*)/) {
    my $mdate = $1;
    my $merr = $2;

    # (1.1) Generic login scan attempts
    if ($merr =~ /^Failed password for invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)/) {
      check_add_hit($2, $mdate, "SSH login scan", "", 13, $settings{"CHK_SSHD"});
    }
    # (1.2) Root account SSH login password bruteforcing attempts.
    elsif ($merr =~ /^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) {
      check_add_hit($1, $mdate, "Root SSH password bruteforce", "", 13, $settings{"CHK_ROOT_SSH_PWD"});
    }
    # (1.3) System account SSH login password bruteforcing attempts.
    elsif ($merr =~ /^Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)/) {
      my $mip = $2; my $macct = $1;
      if (defined($systemacct{$macct})) {
        check_add_hit($mip, $mdate, "SSH system account bruteforce", $macct, 13, $settings{"CHK_SYSACCT_SSH_PWD"});
      }
    }
  }

  # (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin)
  elsif (/^\[(.+?)\]\s+\[error\]\s+\[client\s+(\d+\.\d+\.\d+\.\d+)\]\s+(.+)$/) {
    my $mdate = $1;
    my $mip = $2;
    my $merr = $3;
    if ($merr =~ /^File does not exist: (.+)$/) {
      my $tmp = $1;
      if ($tmp =~ /\/mss2|\/pma|cpanel|admin|\/sql|mysql|websql|\/SSI.php|\/horde|\/rc$|\/xmlrpc.php|sqladm|dbadm|\/roundcube|\/webmail|\/mail|\/email|xampp|\/zen|\/cart|\/shop|\/store|mailto:|appserv|roundcube|_vti_bin|wiki|bugtrack|mantis|mantisbt|phpmanager/i) {
        check_add_hit($mip, $mdate, "CGI vuln scan", $tmp, 6, $settings{"CHK_KNOWN_CGI"});
      }
    }
  }

  # (3) Apache common logging format checks
  elsif (/(\d+\.\d+\.\d+\.\d+)\s+-\s+-\s+\[(.+?)\]\s+\"GET (\S*?) HTTP\//) {
    my $mdate = $2;
    my $mip = $1;
    my $merr = $3;

    # (3.1) Simple match for generic PHP XSS vulnerability scans
    if ($merr =~ /\.php\?\S*?=http:\/\/([^\/]+)/) {
      if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
        if ($merr =~ /\.php\?\S*?=(http:\/\/[^\&\?]+\??)/) {
          evidence_queue($mip, $1, $merr);
        }
        check_add_hit($mip, $mdate, "PHP XSS", $merr, 6, $settings{"CHK_PHP_XSS"});
      }
    }
    # (3.2) Try to match proxy scanning attempts
    elsif ($merr =~ /^http:\/\/([^\/]+)/) {
      if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
        check_add_hit($mip, $mdate, "Proxy scan", $merr, 6, $settings{"CHK_PROXY_SCAN"});
      }
    }
  }
}
```
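The classification performed by `check_log_line()` can be exercised on its own against a handful of log lines. The following is an added example written for this page, not maltfilter's own code, and it is in Python rather than Perl so it runs without the daemon's other subroutines. It re-implements the three line formats (syslog sshd messages, Apache error log, Apache common log format) with the same regular expressions as the page, counts hits per source IP and reason class, and applies the `FILTER_THRESHOLD` default together with the loopback/private no-action netblocks. Because `check_add_hit()` is only declared on this page, the threshold semantics (an IP becomes a filter candidate once its total hits reach the threshold) are an assumption; `GOOD_HOSTS` stands in for `CHK_GOOD_HOSTS`, the CGI path list is a shortened subset of the page's, the system-account check (which needs `/etc/passwd`) is omitted, and every log line in `SAMPLE_LOG` is constructed.

```python
"""Added example, not maltfilter's own code: a minimal re-implementation of the
log-line classification done by check_log_line(), plus per-IP hit counting
against FILTER_THRESHOLD and the loopback/private no-action netblocks.
SAMPLE_LOG is constructed; the threshold semantics are an assumption."""
import ipaddress
import re
from collections import defaultdict

FILTER_THRESHOLD = 3  # same default as %settings on the page

# @noaction_ips_def: never act on loopback or RFC 1918 sources.
NOACTION_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Stand-in for CHK_GOOD_HOSTS: remote hosts that are legitimate URL targets (constructed).
GOOD_HOSTS = {"www.example.org"}

# The same three line formats check_log_line() recognises.
SYSLOG_SSHD = re.compile(r"^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: (.*)")
APACHE_ERROR = re.compile(r"^\[(.+?)\]\s+\[error\]\s+\[client\s+(\d+\.\d+\.\d+\.\d+)\]\s+(.+)$")
APACHE_ACCESS = re.compile(r'(\d+\.\d+\.\d+\.\d+)\s+-\s+-\s+\[(.+?)\]\s+"GET (\S*?) HTTP/')
# A shortened subset of the path fragments the page's CGI scan check looks for.
CGI_SCAN_PATHS = re.compile(r"/pma|admin|/sql|mysql|/webmail|/xmlrpc\.php", re.I)


def classify(line):
    """Return (ip, timestamp, reason) for a line that looks like a probe, else None."""
    m = SYSLOG_SSHD.match(line)
    if m:
        date, err = m.groups()
        # (1.1) login scan against non-existent users
        hit = re.match(r"^Failed password for invalid user \S+ from (\d+\.\d+\.\d+\.\d+)", err)
        if hit:
            return hit.group(1), date, "SSH login scan"
        # (1.2) password guessing against root
        hit = re.match(r"^Failed password for root from (\d+\.\d+\.\d+\.\d+)", err)
        if hit:
            return hit.group(1), date, "Root SSH password bruteforce"
        return None
    m = APACHE_ERROR.match(line)
    if m:
        date, ip, err = m.groups()
        # (2) 404s for paths of commonly probed web applications
        hit = re.match(r"^File does not exist: (.+)$", err)
        if hit and CGI_SCAN_PATHS.search(hit.group(1)):
            return ip, date, "CGI vuln scan"
        return None
    m = APACHE_ACCESS.search(line)
    if m:
        ip, date, path = m.groups()
        # (3.1) a .php parameter pointing at a remote URL (labelled "PHP XSS" on the page);
        # like the page's if/elsif, a match here never falls through to (3.2)
        hit = re.search(r"\.php\?\S*?=http://([^/]+)", path)
        if hit:
            return (ip, date, "PHP XSS") if hit.group(1) not in GOOD_HOSTS else None
        # (3.2) absolute URL in the request line: open-proxy probing
        hit = re.match(r"^http://([^/]+)", path)
        if hit and hit.group(1) not in GOOD_HOSTS:
            return ip, date, "Proxy scan"
    return None


def is_noaction(ip):
    """True for sources inside one of the no-action netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NOACTION_NETS)


def scan(lines, threshold=FILTER_THRESHOLD):
    """Count hits per IP and reason class; return (hits, ips_to_filter).

    An IP is a filter candidate once its total hits reach the threshold and it
    is not in a no-action netblock (assumed semantics of check_add_hit)."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        found = classify(line)
        if found is None:
            continue
        ip, _date, reason = found
        hits[ip][reason] += 1
    plain = {ip: dict(reasons) for ip, reasons in hits.items()}
    to_filter = sorted(ip for ip, reasons in plain.items()
                       if sum(reasons.values()) >= threshold and not is_noaction(ip))
    return plain, to_filter


# Constructed sample lines: one scanner from 203.0.113.5, one from 198.51.100.7,
# and an internal host (10.0.0.3) whose hits must never be filtered.
SAMPLE_LOG = r'''
Aug 31 11:57:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Aug 31 11:57:03 host sshd[1235]: Failed password for invalid user test from 203.0.113.5 port 4243 ssh2
Aug 31 11:57:05 host sshd[1236]: Failed password for root from 203.0.113.5 port 4244 ssh2
Aug 31 11:57:09 host sshd[1237]: Accepted publickey for alice from 192.168.1.20 port 5000 ssh2
[Mon Aug 31 11:58:00 2009] [error] [client 198.51.100.7] File does not exist: /var/www/pma
[Mon Aug 31 11:58:02 2009] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
198.51.100.7 - - [31/Aug/2009:11:58:10 +0300] "GET /index.php?page=http://203.0.113.99/x.txt? HTTP/1.1" 404 209
10.0.0.3 - - [31/Aug/2009:11:58:11 +0300] "GET /index.php?page=http://203.0.113.99/x.txt? HTTP/1.1" 404 209
10.0.0.3 - - [31/Aug/2009:11:58:12 +0300] "GET http://www.example.org/ HTTP/1.1" 200 12
10.0.0.3 - - [31/Aug/2009:11:58:13 +0300] "GET http://203.0.113.99/ HTTP/1.1" 200 12
10.0.0.3 - - [31/Aug/2009:11:58:14 +0300] "GET http://203.0.113.99/ HTTP/1.1" 200 12
'''.strip().splitlines()

if __name__ == "__main__":
    hits, to_filter = scan(SAMPLE_LOG)
    for ip, reasons in hits.items():
        print(ip, reasons, "(no-action)" if is_noaction(ip) else "")
    print("filter candidates:", to_filter)
```

With the sample above, 203.0.113.5 reaches the threshold (two login-scan hits plus one root attempt) and is the only filter candidate; 198.51.100.7 stays under it, and 10.0.0.3 reaches three hits but is excluded by the 10.0.0.0/8 no-action entry. Note that the `"Accepted publickey"` line matches the outer sshd pattern but none of the inner ones, so it produces no hit, and the request for `www.example.org` is dropped by the good-host check exactly as `check_hosts()` would do it.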
```perl


#############################################################################
### Global variables
#############################################################################
my $reportmode = 0;      # Full report mode
my @scanfiles = ();      # Files to scan
my @scanfiles_once = (); # Files to scan only once during startup or HUP (e.g. not continuously followed)
my @noaction_ips = ();   # IPs not to filter
my %filehandles = ();    # Global hash holding opened scanned log filehandles
my $pid_file = "";       # Name of Maltfilter daemon pid file
my @configfiles = ();    # Array of configuration file names
my $LOGFILE;             # Maltfilter logfile handle
my %dronebl = ();

# IPs currently blocked in Netfilter $filterlist{$ip} = date
my %filterlist = ();

# Gathered information about hosts
# $statlist{$ip}->
#   "date1"   = timestamp of first hit
#   "date2"   = timestamp of latest hit
#   "hits"    = number of hits to this IP
#   "dronebl" = 0 == n/a, 1 == queued for submission, 2 == submitted
# $statlist{$ip}{"reason"}{$class}->
#   "msg"     = reason message (array if $reportmode)
#   "hits"    = hits to this class
#   "date1"   = timestamp of first hit
#   "date2"   = timestamp of latest hit
my %statlist = ();

# Gathered information about ignored hits (e.g. hits for tests that are not enabled)
# Same fields as in %statlist
my %ignorelist = ();


#############################################################################
### Status output functionality
#############################################################################
## Return string expressing given UNIX timestamp or "?" if not valid
sub get_time_str($)
{
  return ($_[0] >= 0) ? (scalar localtime($_[0])) : "?";
}

## Return string expressing how long ago given UNIX timestamp is from current time
my @paskat = (30*24*60*60, 7*24*60*60, 24*60*60, 60*60, 60);
my @opaskat = ("months", "weeks", "days", "hours", "minutes");
my @upaskat = ("month", "week", "day", "hour", "minute");

sub get_ago_str($)
{
  return get_time_str($_[0]) if ($settings{"FULL_TIME"});
  if ($_[0] >= 0) {
    my $str = "";
    my $cur = time() - $_[0];
    my ($r, $k, $p, $n);
    $n = 0;
    foreach my $div (@paskat) {
      $r = int($cur / $div);
      $k = ($cur % $div);
      if ($r > 0) {
        $p = ($r > 1) ? $opaskat[$n] : $upaskat[$n];
        $str .= ", " if ($str ne "");
        $str .= sprintf("%d %s", $r, $p);
      }
      $cur = $k;
      $n++;
    }
```
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
217 return $str." ago"; |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
218 } else { |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
219 return "?"; |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
220 } |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
221 } |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
222 |
83
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
223 ## Convert non-alphanumeric characters in strong to hex-coded URI style |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
224 sub urlencode($) |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
225 { |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
226 my $value = $_[0]; |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
227 $value =~ s/([^a-zA-Z_0-9 ])/"%" . uc(sprintf "%lx" , unpack("C", $1))/eg; |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
228 $value =~ tr/ /+/; |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
229 return $value; |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
230 } |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
231 |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
232 my %entities = ( |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
233 "<" => "lt", |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
234 ">" => "gt", |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
235 "&" => "amp", |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
236 ); |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
237 |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
238 ## Convert special characters to HTML/XML entities |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
239 sub htmlentities($) |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
240 { |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
241 my $value = $_[0]; |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
242 $value =~ s/$_/\&$entities{$_}\;/g foreach (keys %entities); |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
243 return $value; |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
244 } |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
245 |
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
246 |
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
247 sub printH($$$$) |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
248 { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
249 my $fh = $_[1]; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
250 if ($_[0]) { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
251 print $fh "<h".$_[2].">".$_[3]."</h".$_[2].">\n"; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
252 } else { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
253 my $c = ($_[2] <= 1) ? "=" : "-"; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
254 print $fh $_[3]."\n". $c x length($_[3]) ."\n"; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
255 } |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
256 } |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
257 |
32
e7e484c89dbc
Added highlighting of blocked entries in summary tables.
Matti Hamalainen <ccr@tnsp.org>
parents:
30
diff
changeset
|
258 sub printTD |
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
259 { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
260 my $fh = $_[1]; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
261 if ($_[0]) { |
52
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
262 my $s = defined($_[3]) ? " ".$_[3]." " : ""; |
32
e7e484c89dbc
Added highlighting of blocked entries in summary tables.
Matti Hamalainen <ccr@tnsp.org>
parents:
30
diff
changeset
|
263 print $fh "<td".$s.">".$_[2]."</td>"; |
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
264 } else { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
265 print $fh $_[2]; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
266 } |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
267 } |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
268 |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
269 sub printP($$$) |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
270 { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
271 my $fh = $_[1]; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
272 if ($_[0]) { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
273 print $fh "<p>\n".$_[2]."</p>\n"; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
274 } else { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
275 print $fh $_[2]."\n"; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
276 } |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
277 } |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
278 |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
279 sub printElem |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
280 { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
281 my $fh = $_[1]; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
282 if ($_[0]) { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
283 print $fh $_[2]; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
284 } elsif (defined($_[3])) { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
285 print $fh $_[3]; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
286 } |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
287 } |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
288 |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
289 sub bb($) |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
290 { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
291 return $_[0] ? "<b>" : ""; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
292 } |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
293 |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
294 sub eb($) |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
295 { |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
296 return $_[0] ? "</b>" : ""; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
297 } |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
298 |
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
299 sub pe($$) |
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
300 { |
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
301 return $_[0] ? "<$_[1]>" : ""; |
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
302 } |
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
303 |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
304 sub get_link($$) |
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
305 { |
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
306 if ($settings{"WHOIS_URL"} ne "") { |
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
307 return $_[0] ? "<a href=\"".$settings{"WHOIS_URL"}.$_[1]. |
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
308 "\">".htmlentities($_[1])."</a>" : $_[1]; |
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
309 } else { |
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
310 return $_[0]; |
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
311 } |
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
312 } |
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
313 |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
314 sub print_table1($$$$$$) |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
315 { |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
316 my ($m, $f, $table, $keys, $func, $class) = @_; |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
317 my $ntotal = 0; |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
318 |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
319 printElem($m, $f, |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
320 "<table class=\"".$class."\">\n". |
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
321 "<tr><th>Hits</th><th>IP-address</th><th>First hit</th><th>Latest hit</th><th>Reason(s)</th></tr>\n", |
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
322 |
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
323 "Hits | IP-address | First hit | Latest hit | Reason(s)\n" |
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
324 ); |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
325 |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
326 foreach my $mip (sort { $func->($table, $a, $b) } keys %{$keys}) { |
68 | 327 my $blocked = defined($filterlist{$mip}) ? "filtered" : "unfiltered"; |
32
e7e484c89dbc
Added highlighting of blocked entries in summary tables.
Matti Hamalainen <ccr@tnsp.org>
parents:
30
diff
changeset
|
328 printElem($m, $f, " <tr class=\"$blocked\">"); |
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
329 printTD($m, $f, sprintf(bb($m)."%-10d".eb($m), $table->{$mip}{"hits"})); |
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
330 printElem(!$m, $f, " | "); |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
331 printTD($m, $f, sprintf("%-15s", get_link($m, $mip))); |
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
332 printElem(!$m, $f, " | "); |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
333 printTD($m, $f, get_ago_str($table->{$mip}{"date1"})); |
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
334 printElem(!$m, $f, " | "); |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
335 printTD($m, $f, get_ago_str($table->{$mip}{"date2"})); |
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
336 printElem(!$m, $f, " | "); |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
337 my @reasons = (); |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
338 foreach my $class (sort keys %{$table->{$mip}{"reason"}}) { |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
339 my $msgs; |
18
b0017a324040
Cleanups; Disable weeding in report mode again; Don't display redundant IPTABLES reasons in blocklist report.
Matti Hamalainen <ccr@tnsp.org>
parents:
17
diff
changeset
|
340 if ($class ne "IPTABLES") { |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
341 if ($reportmode) { |
18
b0017a324040
Cleanups; Disable weeding in report mode again; Don't display redundant IPTABLES reasons in blocklist report.
Matti Hamalainen <ccr@tnsp.org>
parents:
17
diff
changeset
|
342 my @tmp = reverse(@{$table->{$mip}{"reason"}{$class}{"msg"}}); |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
343 if ($#tmp > 5) { $#tmp = 5; } |
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
344 foreach (@tmp) { $_ = htmlentities($_); } |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
345 $msgs = join(" ".bb($m)."|".eb($m)." ", @tmp); |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
346 } else { |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
347 $msgs = $table->{$mip}{"reason"}{$class}{"msg"}; |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
348 } |
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
349 push(@reasons, bb($m).$class.eb($m)." #".$table->{$mip}{"reason"}{$class}{"hits"}. |
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
350 " ( ".$msgs." )"); |
18
b0017a324040
Cleanups; Disable weeding in report mode again; Don't display redundant IPTABLES reasons in blocklist report.
Matti Hamalainen <ccr@tnsp.org>
parents:
17
diff
changeset
|
351 } |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
352 } |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
353 printTD($m, $f, join(", ", @reasons)); |
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
354 printElem($m, $f, "</tr>\n", "\n"); |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
355 $ntotal++; |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
356 } |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
357 printElem($m, $f, "</table>\n"); |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
358 printP($m, $f, bb($m).$ntotal.eb($m)." entries total.\n"); |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
359 } |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
360 |
52
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
361 sub cmp_ips($$$) |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
362 { |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
363 my @ipa = split(/\./, $_[1]); |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
364 my @ipb = split(/\./, $_[2]); |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
365 for (my $i = 0; $i < 4; $i++) { |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
366 return -1 if ($ipa[$i] > $ipb[$i]); |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
367 return 1 if ($ipa[$i] < $ipb[$i]); |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
368 } |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
369 return 0; |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
370 } |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
371 |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
372 sub test_ips($$) |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
373 { |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
374 my @ipa = split(/\./, $_[0]); |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
375 my @ipb = split(/\./, $_[1]); |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
376 for (my $i = 0; $i < 3; $i++) { |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
377 return $i if ($ipa[$i] != $ipb[$i]); |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
378 } |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
379 return 4; |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
380 } |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
381 |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
382 my @ipcolors = ( |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
383 "#666", |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
384 "#777", |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
385 ); |
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
386 |
87
cbe5761897f4
Use ("No", "Queue", "Sent") for DroneBL information in status reports.
Matti Hamalainen <ccr@tnsp.org>
parents:
86
diff
changeset
|
387 my @drone_status = ("No", "Queue", "Sent"); |
cbe5761897f4
Use ("No", "Queue", "Sent") for DroneBL information in status reports.
Matti Hamalainen <ccr@tnsp.org>
parents:
86
diff
changeset
|
388 |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
389 sub print_table2($$$$$$) |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
390 { |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
391 my ($m, $f, $table, $keys, $func, $class) = @_; |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
392 my $nhits = 0; |
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
393 my $str = "<th>IP-address</th><th>Hits</th><th>DroneBL?</th><th>First hit</th><th>Latest hit</th><th>Class</th>"; |
88
3bcc17b754bf
Remove nbsp from status output.
Matti Hamalainen <ccr@tnsp.org>
parents:
87
diff
changeset
|
394 my $str2 = "IP-address | Hits | DroneBL | First hit | Latest hit | Class "; |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
395 |
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
396 printElem($m, $f, |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
397 "<table class=\"".$class."\">\n<tr>". $str."<th> </th>".$str ."</tr>\n", |
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
398 $str2." || ".$str2."\n"); |
52
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
399 |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
400 my @previp = ("0.0.0.0", "0.0.0.0"); |
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
401 my @ncolor = (0, 0); |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
402 |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
403 my $printEntry = sub { |
68 | 404 my $blocked = "class=\"".(defined($filterlist{$_[0]}) ? "filtered" : "unfiltered")."\""; |
52
8cfb71b296da
    # Start a new colour group when this IP is not close to the previous one
    # in the same column (test_ips() scores how many leading parts match)
    if (test_ips($previp[$_[1]], $_[0]) < 3) {
      $ncolor[$_[1]]++;
    }
    $previp[$_[1]] = $_[0];
    my $str = "style=\"background: ".$ipcolors[$ncolor[$_[1]] % scalar @ipcolors].";\"";

    printTD($m, $f, sprintf("%-15s", get_link($m, $_[0])), $str);
    printElem(!$m, $f, " | ");
    printTD($m, $f, sprintf("%-8d ", $table->{$_[0]}{"hits"}), $blocked);
    printElem(!$m, $f, " | ");
    printTD($m, $f, sprintf("%-6s ", $drone_status[$table->{$_[0]}{"dronebl"}]), $blocked);
    printElem(!$m, $f, " | ");
    printTD($m, $f, get_ago_str($table->{$_[0]}{"date1"}), $blocked);
    printElem(!$m, $f, " | ");
    printTD($m, $f, get_ago_str($table->{$_[0]}{"date2"}), $blocked);
    printElem(!$m, $f, " | ");
    my $tmp = join(", ", sort keys %{$table->{$_[0]}{"reason"}});
    printTD($m, $f, sprintf("%-30s", $tmp), $blocked);
    $nhits += $table->{$_[0]}{"hits"};
  };

  # Sort the keys with the supplied comparator and lay them out in two
  # columns: first half on the left, second half on the right.
  my @mkeys = sort { $func->($table, $a, $b) } keys %{$keys};
  my $nkeys = scalar @mkeys;
  my $kmax = $nkeys / 2;

  for (my $i = 0; $i <= $kmax; $i++) {
    printElem($m, $f, " <tr>");
    if ($i < $kmax) {
      $printEntry->($mkeys[$i], 0);
      printElem($m, $f, "<th> </th>", " || ");
    }
    if ($i + $kmax + 1 < $nkeys) { $printEntry->($mkeys[$i + $kmax + 1], 1); }
    printElem($m, $f, "</tr>\n", "\n");
  }

  printElem($m, $f, "</table>\n");
  printP($m, $f, bb($m).$nkeys.eb($m)." entries total, ".bb($m).$nhits.eb($m)." hits total.\n");
}

# Comparator for sort: most recent last-hit date first, then most hits first
sub cmp_hits($$$)
{
  my $s1 = $_[0]->{$_[1]};
  my $s2 = $_[0]->{$_[2]};

  return -1 if ($s2->{"date2"} < $s1->{"date2"});
  return 1 if ($s2->{"date2"} > $s1->{"date2"});
  return $s2->{"hits"} <=> $s1->{"hits"};
}

# Convert a period given in hours into a human-readable string
sub get_period($)
{
  my ($str, $r, $k);
  if ($_[0] > 30 * 24) {
    $r = $_[0] / (30 * 24);
    $k = $_[0] % (30 * 24);
    $str = sprintf("%d months", $r);
    $str .= sprintf(", %d days", $k) if ($k > 0);
  } elsif ($_[0] > 24 * 7) {
    $str = sprintf("%1.1f weeks", $_[0] / (24.0 * 7.0));
  } elsif ($_[0] > 24) {
    $r = $_[0] / 24;
    $k = $_[0] % 24;
    $str = sprintf("%d days", $r);
    $str .= sprintf(", %d hours", $k) if ($k > 0);
  } else {
    $str = sprintf("%d hours", $_[0]);
  }
  return $str;
}

# Write the status report to $filename; HTML when $m is true, plain text otherwise
sub generate_status($$)
{
  my $filename = shift;
  my $m = shift;

  return unless ($filename ne "");

  open(STATUS, ">", $filename) or mdie("Could not open '".$filename."'!\n");
  my $f = \*STATUS;

  printElem($m, $f, "
<html>
<head>
<title>Maltfilter status report</title>
");

  printElem($m, $f, "<link href=\"".$settings{"STATUS_FILE_CSS"}."\" rel=\"stylesheet\" type=\"text/css\" />")
    if ($settings{"STATUS_FILE_CSS"});

  printElem($m, $f, "
</head>
<body>
");

  printH($m, $f, 1, "Maltfilter v$progversion status report");
  my $period = get_period($settings{"STATS_MAX_AGE"});

  printP($m, $f,
    "Generated ".bb($m).get_time_str(time()).eb($m).". Data computed from ".
    ($reportmode ? "complete logfile scan" : "a period of last $period").".\n");

  printP($m, $f, "The hit classes marked as 'IPTABLES' are a pseudo-class meaning a\n".
    "filtered IP that was in Netfilter before Maltfilter was started.\n");

  if ($settings{"FILTER"} > 0) {
    printH($m, $f, 2, "Currently filtered entries");
    $period = get_period($settings{"FILTER_MAX_AGE"});
    printP($m, $f, "List of IPs that are currently filtered (or would be, if this is\n".
      "a report-only mode). Data from period of $period.\n");
    print_table1($m, $f, \%statlist, \%filterlist, \&cmp_hits, "filtered");
  }

  printH($m, $f, 2, "Summary of entries");
  printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not\n".
    "necessarily acted upon. Sorted by descending IP address.\n");
  print_table2($m, $f, \%statlist, \%statlist, \&cmp_ips, "global");

  printH($m, $f, 2, "Ignored entries");
  printP($m, $f, "List of hits that were ignored (not acted upon), because the test was disabled.\n".
    "Notice that the entry may be blocked due to other checks, however.\n");
  print_table1($m, $f, \%ignorelist, \%ignorelist, \&cmp_hits, "ignored");

  printElem($m, $f, "</body>\n</html>\n");
  close(STATUS);
}


#############################################################################
### DroneBL submission support
#############################################################################
my $dronebl_errors = 0;
my $dronebl_suspend = 0;

sub dronebl_process
{
  return unless ($settings{"DRONEBL"} > 0);

  # Submissions are suspended for DRONEBL_SUSPEND rounds after too many errors
  if ($dronebl_suspend > 0) {
    $dronebl_suspend--;
    return;
  }

  # Create submission data (DroneBL RPC XML). The key and IP values are
  # interpolated without XML escaping.
  my $xml = "<?xml version=\"1.0\"?>\n<request key=\"".$settings{"DRONEBL_RPC_KEY"}."\">\n";
  my $entries = 0;
  while (my ($ip, $entry) = each(%dronebl)) {
    if ($entry->{"sent"} == 0 && $entry->{"tries"} < 3) {
      $xml .= "<add ip=\"".$ip."\" type=\"".$entry->{"type"}."\" />\n";
#     $xml .= "<add ip=\"".$ip."\" type=\"1\" />\n";
      $entries++;
    }
  }
  $xml .= "</request>\n";

  # Bail out if no entries to submit
  return unless ($entries > 0);
  if ($settings{"DRY_RUN"}) {
    mlog(2, "[DroneBL] Would submit $entries entries.\n");
    return;
  } else {
    mlog(2, "[DroneBL] Trying to submit $entries entries.\n");
  }

  # Submit via HTTP XML-RPC
  my $tmp = LWP::UserAgent->new;
  $tmp->agent("Maltfilter/".$progversion);
  $tmp->timeout(10);
  my $req = HTTP::Request->new(POST => $settings{"DRONEBL_RPC_URI"});
  $req->content_type("text/xml");
  $req->content($xml);
  $req->user_agent("Maltfilter/".$progversion);
  my $res = $tmp->request($req);

  if ($res->is_success) {
    mlog(3, "[DroneBL] HTTP response [".$res->code."] ".$res->message."\n");
    my $str = $res->content;
    my ($type, $msg) = ("", "");
    $str =~ tr/\n/ /;

    # Pick out <response type="success|error">...</response> (or the
    # self-closing form) with a regex; the body is not parsed as XML.
    if ($str =~ /<response\s*type=.(success|error).>(.*?)<\/response>/gm) {
      $type = $1; $msg = $2;
    } elsif ($str =~ /<response\s*type=.(success|error). *\/>/gm) {
      $type = $1; $msg = "";
    }

    if ($type eq "success") {
      $dronebl_errors = 0;
      mlog(1, "[DroneBL] Successfully submitted $entries entries.\n");
      while (my ($ip, $entry) = each(%dronebl)) {
        $entry->{"sent"} = 1;
        $statlist{$ip}{"dronebl"} = 2 if defined($statlist{$ip});
      }
    } elsif ($type eq "error") {
      # If we don't have a valid key, disable further submissions.
      if ($msg =~ /<code>403<\/code>/) {
        mlog(-1, "[DroneBL] Disabling submissions due to invalid key.\n");
        $settings{"DRONEBL"} = 0;
      } else {
        $dronebl_errors++;
      }
      # Log error message with the markup stripped
      $msg =~ s{\s*</?[^>]+>}{ }g;
      mlog(-1, "[DroneBL] Error in submission: $msg\n");
    } else {
      mlog(-1, "[DroneBL] Unsupported response message ".$str."\n");
      $dronebl_errors++;
    }
  } else {
    mlog(-1, "[DroneBL] HTTP request failed: [".$res->code."] ".$res->message."\n");
    $dronebl_errors++;
  }

  # Check error counts
  if ($dronebl_errors >= $settings{"DRONEBL_MAX_ERRORS"}) {
    # Only log the suspension message if we don't have recent previous errors
    mlog(-1, "Temporarily disabling DroneBL submissions due to too many errors for next ".$settings{"DRONEBL_SUSPEND"}." rounds.\n")
      if ($dronebl_errors == $settings{"DRONEBL_MAX_ERRORS"});
    $dronebl_suspend = $settings{"DRONEBL_SUSPEND"};
  }

  # Clean up expired entries, warn/note about unsubmitted ones.
  while (my ($ip, $entry) = each(%dronebl)) {
    if (!check_time3($entry->{"date"})) {
      mlog(1, "[DroneBL] $ip submission expired.\n") unless ($entry->{"sent"} > 0);
      delete($dronebl{$ip});
    }
  }
}

# Queue an IP for DroneBL submission, unless it is excluded or already
# queued/submitted.
sub dronebl_queue($$$)
{
  my ($mip, $mdate, $mtype) = @_;

  return unless ($settings{"DRONEBL"} > 0);
  return if check_hosts_array(\@noaction_ips, $mip);

  if (defined($statlist{$mip}) && defined($statlist{$mip}{"dronebl"})) {
    return if ($statlist{$mip}{"dronebl"} > 0);
  }

  if (!defined($dronebl{$mip})) {
    mlog(2, "[DroneBL] Queueing $mip \@ $mdate (type $mtype)\n");
    $dronebl{$mip}{"type"} = $mtype;
    $dronebl{$mip}{"date"} = $mdate;
    $dronebl{$mip}{"sent"} = 0;
    $dronebl{$mip}{"tries"} = 0;
    $statlist{$mip}{"dronebl"} = 1 if defined($statlist{$mip});
  }
}

#############################################################################
### Evidence gathering
#############################################################################
my %evidence = ();

sub evidence_queue($$$)
{
  my ($mip, $mdata, $mfull) = @_;

  return unless ($settings{"EVIDENCE"} > 0);
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
665 |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
666 my $tmp = $mdata; |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
667 $tmp =~ s/http:\/\///; |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
668 $tmp =~ s/^\.+/_/; |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
669 $tmp =~ s/[^A-Za-z0-9:\.]/_/g; |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
670 |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
671 $evidence{$mdata}{"coll"} = $tmp; |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
672 $evidence{$mdata}{"hosts"}{$mip} = 1; |
65 | 673 $evidence{$mdata}{"full"}{$mfull} = 1; |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
674 } |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
675 |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
676 sub evidence_fetch($$) |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
677 { |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
678 my $tmp = LWP::UserAgent->new; |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
679 $tmp->agent("-"); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
680 $tmp->timeout(10); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
681 $tmp->default_headers->referer($_[1]); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
682 my $req = HTTP::Request->new(GET => $_[0]); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
683 return $tmp->request($req); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
684 } |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
685 |
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
686 my $evidence_dir = 0; |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
687 sub evidence_gather |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
688 { |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
689 my $dns = Net::DNS::Resolver->new; |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
690 my $base = $settings{"EVIDENCE_DIR"}; |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
691 |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
692 return unless ($settings{"EVIDENCE"} > 0); |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
693 |
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
694 if (! -e $base) { |
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
695 mlog(-1, "Evidence directory '$base' has disappeared.\n") unless ($evidence_dir > 0); |
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
696 mdie("Evidence directory '$base' has been absent for $evidence_dir cycles, dying.\n") if ($evidence_dir++ > 10); |
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
697 return; |
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
698 } else { |
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
699 $evidence_dir = 0; |
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
700 } |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
701 |
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
702 my $fetched = 0; |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
703 foreach my $url (keys %evidence) { |
65 | 704 my $filename = $base."/".$evidence{$url}{"coll"}.".data"; |
705 my $filename2 = $base."/".$evidence{$url}{"coll"}.".hosts"; | |
706 my $filename3 = $base."/".$evidence{$url}{"coll"}.".info"; | |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
707 |
65 | 708 # Get data contents only once |
709 if (! -e $filename) { | |
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
710 $fetched++; |
65 | 711 mlog(1, "Fetching evidence for $url\n"); |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
712 my $res = evidence_fetch($url, ""); |
65 | 713 open(FILE, ">:raw", $filename) or mdie("Could not open '$filename' for writing.\n"); |
714 binmode(FILE, ":raw"); | |
715 if ($res->is_success && $res->code >= 200 && $res->code <= 201) { | |
716 print FILE $res->content; | |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
717 } |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
718 close(FILE); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
719 |
65 | 720 open(FILE, ">:raw", $filename3) or mdie("Could not open '$filename3' for writing.\n"); |
721 binmode(FILE, ":raw"); | |
722 print FILE "XSS URI : $url\n"; | |
723 print FILE "Time of retrieval : ".get_time_str(time())."\n"; | |
724 print FILE "HTTP return code : [".$res->code."] ".$res->message."\n"; | |
725 print FILE "Content-Type : ".($res->content_type ? $res->content_type : "?")."\n"; | |
726 print FILE "Last modified : ".($res->last_modified ? $res->last_modified : "?")."\n"; | |
727 print FILE "------ HTTP Headers ------\n".$res->headers_as_string."\n"; | |
728 print FILE "------ Requests ------\n"; | |
729 print FILE $_."\n" foreach (keys %{$evidence{$url}{"full"}}); | |
730 close(FILE); | |
731 } | |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
732 |
65 | 733 # Check if we are appending hosts to existing data |
734 if (-e $filename2) { | |
735 open(FILE, "<", $filename2) or mdie("Could not open '$filename2' for reading.\n"); | |
736 while (<FILE>) { | |
737 if (/^(\d+\.\d+\.\d+\.\d+) *\|/) { | |
738 if (defined($evidence{$url}{"hosts"}{$1})) { | |
739 delete($evidence{$url}{"hosts"}{$1}); | |
740 } | |
741 } | |
742 } | |
743 close(FILE); | |
744 open(FILE, ">>", $filename2) or mdie("Could not open '$filename2' for appending.\n"); | |
745 } else { | |
746 open(FILE, ">", $filename2) or mdie("Could not open '$filename2' for writing.\n"); | |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
747 } |
65 | 748 foreach my $host (sort keys %{$evidence{$url}{"hosts"}}) { |
749 my $query = $dns->search($host); | |
750 my @names = (); | |
751 undef(@names); | |
752 if ($query) { | |
753 foreach my $rr ($query->answer) { | |
754 push(@names, $rr->{"ptrdname"}) if defined($rr->{"ptrdname"}); | |
755 } | |
756 } | |
757 printf FILE "%-15s | %s\n", $host, join(" | ", @names); | |
758 } | |
759 close(FILE); | |
760 | |
761 # This entry has been handled, delete it | |
762 delete($evidence{$url}); | |
763 | |
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
764 # If not in report mode, handle only 5 fetched entries at time |
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
765 return unless ($reportmode || $fetched < 5); |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
766 } |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
767 } |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
768 |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
769 |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
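The collection-name derivation in evidence_queue() above decides where under EVIDENCE_DIR the evidence for an untrusted URL is written. The following is an added example, not part of maltfilter, that copies that derivation, checks that no path separator survives it, and shows how distinct URLs can fold onto one collection name (which evidence_gather() fetches only once); the helper names, the sample URLs and the directory are this example's own constructions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example: the same steps evidence_queue() uses to turn a URL into a
# collection file name. Drop the scheme, neutralize leading dots, then map
# everything outside [A-Za-z0-9:.] to "_", so neither "/" nor a leading
# ".." component can survive.
sub evidence_coll_name {
    my ($url) = @_;
    my $tmp = $url;
    $tmp =~ s/http:\/\///;
    $tmp =~ s/^\.+/_/;
    $tmp =~ s/[^A-Za-z0-9:\.]/_/g;
    return $tmp;
}

# The three files evidence_gather() writes for one URL under $base, with an
# invariant check that the name cannot leave $base. The check never fires
# with the sanitizer above; it is here so a future change to the pattern
# is caught immediately.
sub evidence_paths {
    my ($base, $url) = @_;
    my $coll = evidence_coll_name($url);
    die "refusing '$coll': path separator survived sanitizing\n" if $coll =~ m{/};
    return map { "$base/$coll.$_" } qw(data hosts info);
}

# Group queued URLs by collection name. URLs that differ only in characters
# outside the allowed class share one name, and evidence_gather() fetches a
# .data file only once (it tests -e $filename), so the body and .info
# record of the later URL are never stored.
sub coll_collisions {
    my (@urls) = @_;
    my %by_coll;
    push @{ $by_coll{ evidence_coll_name($_) } }, $_ for @urls;
    return { map { $_ => $by_coll{$_} }
             grep { @{ $by_coll{$_} } > 1 } keys %by_coll };
}

# Constructed sample input (example.invalid is a reserved name that never
# resolves) and a placeholder for EVIDENCE_DIR.
my $base = "/path/to/evidence_dir";
my @sample = (
    "http://example.invalid/x.php?q=<script>",
    "http://example.invalid/x.php?q=(script)",
    "http://../../etc/passwd",
    "https://example.invalid/s.js",
);

for my $url (@sample) {
    my ($data) = evidence_paths($base, $url);
    printf "%-44s -> %s\n", $url, $data;
}

my $dupes = coll_collisions(@sample);
for my $coll (sort keys %$dupes) {
    print "collision on '$coll': ", join(", ", @{ $dupes->{$coll} }), "\n";
}
```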
#############################################################################
### Entry management / handling functions
#############################################################################
### Check if given IP or host exists in array. Returns 0 for no match,
### 1 for an identical address/range, 2 if the list entry lies inside the
### checked range, 3 if the checked address lies inside a list range, and
### 4 for a literal string match (e.g. a hostname).
sub check_hosts_array($$)
{
    my $chk_host = $_[1];
    my $chk_ip = Net::IP->new($chk_host);
    foreach my $host (@{$_[0]}) {
        my $ip = Net::IP->new($host);
        if (defined($chk_ip) && defined($ip)) {
            my $res = $chk_ip->overlaps($ip);
            if (defined($res)) {
                return 1 if ($res == $IP_IDENTICAL);
                return 2 if ($res == $IP_B_IN_A_OVERLAP);
                return 3 if ($res == $IP_A_IN_B_OVERLAP);
            }
        }
        # Fall back to a literal comparison (entries that are not IPs/ranges)
        return 4 if ($chk_host eq $host);
    }
    return 0;
}

### Check IP/host against | separated list of IPs/hosts
sub check_hosts($$)
{
    my @tmp = split(/\s*\|\s*/, $_[0]);
    return check_hosts_array(\@tmp, $_[1]);
}

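An added example, not maltfilter's own code, that exercises check_hosts() with a constructed "|"-separated list to show which return code each kind of match produces (the direction of the CIDR containment codes 2 and 3 is easy to get backwards); the two functions are copied from above so the block runs stand-alone, and Net::IP must be installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::IP;    # exports $IP_IDENTICAL, $IP_A_IN_B_OVERLAP, $IP_B_IN_A_OVERLAP

# Copied from maltfilter so this example runs on its own: CIDR-aware
# comparison via Net::IP for addresses and ranges, literal string
# comparison for entries that do not parse as an IP (hostnames).
sub check_hosts_array {
    my ($list, $chk_host) = @_;
    my $chk_ip = Net::IP->new($chk_host);
    foreach my $host (@{$list}) {
        my $ip = Net::IP->new($host);
        if (defined($chk_ip) && defined($ip)) {
            my $res = $chk_ip->overlaps($ip);   # $chk_ip is "A", $ip is "B"
            if (defined($res)) {
                return 1 if ($res == $IP_IDENTICAL);
                return 2 if ($res == $IP_B_IN_A_OVERLAP);
                return 3 if ($res == $IP_A_IN_B_OVERLAP);
            }
        }
        return 4 if ($chk_host eq $host);
    }
    return 0;
}

sub check_hosts {
    my ($spec, $host) = @_;
    my @tmp = split(/\s*\|\s*/, $spec);
    return check_hosts_array(\@tmp, $host);
}

# What each return code means; callers such as the DroneBL queueing code
# only test for non-zero, so every one of 1..4 counts as "listed".
my %meaning = (
    0 => "no match",
    1 => "identical address/range",
    2 => "list entry lies inside the checked range",
    3 => "checked address lies inside a list range",
    4 => "literal (non-IP) string match",
);

# Constructed NOACTION-style list: a CIDR block, one address and a hostname
# (documentation ranges and a reserved name, nothing real).
my $noaction = "10.0.0.0/8 | 192.0.2.44 | ns.example.invalid";

for my $candidate ("10.42.0.7", "192.0.2.44", "192.0.2.0/24",
                   "ns.example.invalid", "198.51.100.9") {
    my $code = check_hosts($noaction, $candidate);
    printf "%-20s -> %d (%s)\n", $candidate, $code, $meaning{$code};
}
```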
### Execute iptables
sub exec_iptables(@)
{
    $ENV{"PATH"} = "";
    my @args = ($settings{"IPTABLES"}, @_);
    if ($settings{"DRY_RUN"}) {
        mlog(3, ":: ".join(" ", @args)."\n");
    } else {
        # List form of system(): arguments are passed without a shell
        system(@args) == 0 or print join(" ", @args)." failed: $?\n";
    }
}

### Get current Netfilter table entries that match entry types we
### manage, e.g. filterlist
sub update_filterlist($)
{
    my $first = $_[0];
    return unless ($settings{"FILTER"} > 0);

    $ENV{"PATH"} = "";
    open(STATUS, $settings{"IPTABLES"}." -v -n -t ".$settings{"FILTER_TABLE"}." -L ".$settings{"FILTER_CHAIN"}." |") or
        mdie("Could not execute ".$settings{"IPTABLES"}."\n");
    my %newlist = ();
    undef(%newlist);
    while (<STATUS>) {
        chomp;
        # Only rules of the exact shape we add ourselves: our target, proto
        # "all", no in/out interface, destination 0.0.0.0/0 and nothing after it
        if (/^\s*(\d+)\s+\d+\s+$settings{"FILTER_TARGET"}\s+all\s+--\s+\*\s+\*\s+(\d+\.\d+\.\d+\.\d+)\s+0\.0\.0\.0\/0\s*$/) {
            my $mip = $2;
            if (!defined($filterlist{$mip})) {
                mlog(2, "* $mip appeared in iptables.\n") unless ($first < 0);
                $filterlist{$mip} = time();
            }
            $newlist{$mip} = 1;
            update_entry(\%statlist, $mip, -1, "IPTABLES", "", 0);
        }
    }
    close(STATUS);

    # Entries we knew about that are no longer present in the chain
    foreach my $mip (keys %filterlist) {
        if (!defined($newlist{$mip})) {
            mlog(2, "* $mip removed from iptables.\n");
            delete($filterlist{$mip});
        }
    }
}

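The pattern in update_filterlist() is what keeps %filterlist in sync with the live chain. As an added example that is not part of maltfilter, the block below runs the same pattern over a constructed "iptables -v -n -L" listing and reports which rules are recognised, which appeared and which would be treated as removed; the listing deliberately includes rows the pattern rejects (a tcp-only rule, an interface-bound rule, a rule with extra match text, and counters that iptables abbreviates with K/M when it is run without -x). Function names, addresses and timestamps are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example: apply the pattern update_filterlist() uses to the output
# of "iptables -v -n -t <table> -L <chain>" and return the source addresses
# of the rules maltfilter treats as its own: the configured target, proto
# "all", no in/out interface, destination 0.0.0.0/0 and nothing after it.
sub parse_filter_entries {
    my ($target, @lines) = @_;
    my @ips;
    for my $line (@lines) {
        chomp(my $l = $line);
        # \Q..\E quotes the target so a value with regex metacharacters
        # is still matched literally
        if ($l =~ /^\s*\d+\s+\d+\s+\Q$target\E\s+all\s+--\s+\*\s+\*\s+(\d+\.\d+\.\d+\.\d+)\s+0\.0\.0\.0\/0\s*$/) {
            push @ips, $1;
        }
    }
    return @ips;
}

# Reconcile a known %filterlist (ip => time first seen) with the parsed
# entries the way update_filterlist() does, but return the changes instead
# of logging them: addresses not seen before are recorded with $now,
# addresses missing from the chain are dropped from the list.
sub diff_filterlist {
    my ($filterlist, $now, @current) = @_;
    my (%seen, @appeared, @removed);
    for my $ip (@current) {
        unless (exists $filterlist->{$ip}) {
            push @appeared, $ip;
            $filterlist->{$ip} = $now;
        }
        $seen{$ip} = 1;
    }
    for my $ip (sort keys %$filterlist) {
        next if $seen{$ip};
        push @removed, $ip;
        delete $filterlist->{$ip};
    }
    return (\@appeared, \@removed);
}

# Constructed listing using documentation addresses. Only the first two
# data rows satisfy the pattern. The remaining rows are not recognised,
# and a rule maltfilter had added itself that drifts into one of those
# shapes (most easily the last one, once its counters grow past 999 and
# iptables prints them as "1220K"/"73M") is reported as "removed from
# iptables" and forgotten, although it is still in the chain.
my @listing = split /\n/, <<'END';
Chain maltfilter (1 references)
 pkts bytes target     prot opt in     out     source               destination
    12   720 DROP       all  --  *      *       192.0.2.10           0.0.0.0/0
     0     0 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0
     3   180 DROP       tcp  --  *      *       203.0.113.5          0.0.0.0/0            tcp dpt:22
     0     0 DROP       all  --  eth0   *       203.0.113.9          0.0.0.0/0
     0     0 DROP       all  --  *      *       203.0.113.2          0.0.0.0/0            /* manual */
 1220K   73M DROP       all  --  *      *       203.0.113.3          0.0.0.0/0
END

# Constructed prior state: one address still in the chain, one that is not
my %filterlist = ("192.0.2.10" => 1251712800, "203.0.113.77" => 1251712800);

my @current = parse_filter_entries("DROP", @listing);
my ($appeared, $removed) = diff_filterlist(\%filterlist, time(), @current);

print "recognised: @current\n";
print "appeared:   @$appeared\n";
print "removed:    @$removed\n";
```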
### Check if given timestamp is _newer_ than weedperiod threshold.
### Returns false if timestamp is over weed period, i.e. needs weeding.
### FILTER_MAX_AGE and STATS_MAX_AGE are in hours, DRONEBL_MAX_AGE in minutes.
sub check_time1($)
{
    return ($_[0] > time() - ($settings{"FILTER_MAX_AGE"} * 60 * 60));
}

sub check_time2($)
{
    return ($_[0] > time() - ($settings{"STATS_MAX_AGE"} * 60 * 60));
}

sub check_time3($)
{
    return ($_[0] > time() - ($settings{"DRONEBL_MAX_AGE"} * 60));
}

### Weed out old entries
sub weed_do($)
{
    my $mtime = $filterlist{$_[0]};
    mlog(2, "* Weeding $_[0] (".get_time_str($mtime).")\n");
    exec_iptables("-t", $settings{"FILTER_TABLE"}, "-D", $settings{"FILTER_CHAIN"}, "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"FILTER_TARGET"});
    delete($filterlist{$_[0]});
    delete($statlist{$_[0]});
    delete($ignorelist{$_[0]});
}

sub weed_entries()
{
    # Don't weed in report mode.
    return unless ($settings{"FILTER"} > 0 && $reportmode == 0);

    # Weed blocked entries. Iterate over a copy of the keys, since
    # weed_do() deletes from %filterlist.
    my @mips = keys %filterlist;
    foreach my $mip (@mips) {
        if (defined($statlist{$mip})) {
            if ($statlist{$mip}{"date2"} >= 0) {
                weed_do($mip) unless check_time1($statlist{$mip}{"date2"});
            } else {
                weed_do($mip);
            }
        } elsif (defined($filterlist{$mip})) {
            weed_do($mip);
        }
    }

    # Clean up old entries from other lists
    foreach my $mip (keys %statlist) {
        if (defined($statlist{$mip})) {
            my $mtime = $statlist{$mip}{"date2"};
            if (!check_time2($mtime) && !defined($filterlist{$mip})) {
                mlog(3, "* Deleting stale $mip (".get_time_str($mtime).")\n");
                delete($statlist{$mip});
            }
        }
    }

    foreach my $mip (keys %ignorelist) {
        if (defined($ignorelist{$mip})) {
            my $mtime = $ignorelist{$mip}{"date2"};
            if (!check_time2($mtime)) {
                mlog(3, "* Deleting stale ignored $mip (".get_time_str($mtime).")\n");
                delete($ignorelist{$mip});
            }
        }
    }
}

### Update one entry data
changeset
|
916 sub update_date($$) |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
917 { |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
918 if (!defined($_[0]->{"date1"}) || ($_[1] > 0 && $_[0]->{"date1"} < 0)) { |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
919 $_[0]->{"date1"} = $_[1]; |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
920 } |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
921 if (!defined($_[0]->{"date2"}) || $_[1] > $_[0]->{"date2"}) { |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
922 $_[0]->{"date2"} = $_[1]; |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
923 } |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
924 } |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
925 |
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
926 sub update_entry($$$$$$) |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
927 { |
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
928 my ($struct, $mip, $mdate, $mclass, $mreason, $addhits) = @_; |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
929 |
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
930 return if check_hosts_array(\@noaction_ips, $mip); |
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
931 |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
932 $struct->{$mip} = {} unless defined($struct->{$mip}); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
933 my $entry = $struct->{$mip}; |
62
924720517cf9
Fix initialization of hash structure part, this fixes resetting of class hits to 1.
Matti Hamalainen <ccr@tnsp.org>
parents:
60
diff
changeset
|
934 $entry->{"reason"}{$mclass} = {} unless defined($entry->{"reason"}{$mclass}); |
924720517cf9
Fix initialization of hash structure part, this fixes resetting of class hits to 1.
Matti Hamalainen <ccr@tnsp.org>
parents:
60
diff
changeset
|
935 my $reason = $entry->{"reason"}{$mclass}; |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
936 |
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
937 $entry->{"dronebl"} = 0 unless defined($entry->{"dronebl"}); |
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
938 |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
939 # Add hits only when requested |
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
940 if ($addhits) { |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
941 $entry->{"hits"}++; |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
942 $reason->{"hits"}++; |
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
943 } else { |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
944 $entry->{"hits"} = 1 unless defined($entry->{"hits"}); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
945 $reason->{"hits"} = 1 unless defined($reason->{"hits"}); |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
946 } |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
947 |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
948 # Messages is an array in reportmode |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
949 if ($reportmode) { |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
950 push(@{$reason->{"msg"}}, $mreason); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
951 } else { |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
952 $reason->{"msg"} = $mreason; |
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
953 } |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
954 |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
955 # Update timestamps (generic and reason) |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
956 update_date($entry, $mdate); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
957 update_date($reason, $mdate); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
958 |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
959 return $entry->{"hits"}; |
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
960 } |
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
961 |
65 | 962 ### Check if given "try count" exceeds threshold and if entry |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
963 ### is NOT in Netfilter already, then add it if so. |
65 | 964 sub check_add_hit($$$$$$) |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
965 { |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
966 my $mip = $_[0]; |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
967 my $mdate = str2time($_[1]); |
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
968 my $mclass = $_[2]; |
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
969 my $mreason = $_[3]; |
65 | 970 my $mtype = $_[4]; |
971 my $mcond = $_[5]; | |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
972 my $cnt; |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
973 |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
974 if (check_hosts_array(\@noaction_ips, $mip)) { |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
975 mlog(2, "Hit to NOACTION_IPS($mip): [$mclass] $mreason\n"); |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
976 return; |
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
977 } |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
978 |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
979 # If condition is true, we add to regular statlist |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
980 if ($mcond) { |
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
981 $cnt = update_entry(\%statlist, $mip, $mdate, $mclass, $mreason, 1); |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
982 } else { |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
983 # This is an ignored hit (for disabled test), add to ignorelist |
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
984 update_entry(\%ignorelist, $mip, $mdate, $mclass, $mreason, 1); |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
985 return; |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
986 } |
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
987 |
65 | 988 # Check if we have exceeded threshold etc. |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
989 if ($settings{"FILTER"} > 0 && $cnt >= $settings{"FILTER_THRESHOLD"} && check_time1($mdate)) { |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
990 # Add to filterlist, unless already there. |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
991 if (!defined($filterlist{$mip})) { |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
992 mlog(1, "* Adding $mip \@ ".get_time_str($mdate).": [$mclass] $mreason\n"); |
93
55670dabda5a
Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
88
diff
changeset
|
993 exec_iptables("-t", $settings{"FILTER_TABLE"}, "-I", $settings{"FILTER_CHAIN"}, "1", "-s", $mip, "-j", $settings{"FILTER_TARGET"}); |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
994 } |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
995 # Update date of last hit |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
996 $filterlist{$mip} = $mdate; |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
997 } |
65 | 998 |
999 # Separate check for DroneBL | |
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1000 if ($mtype > 0 && $cnt >= $settings{"DRONEBL_THRESHOLD"} && check_time3($mdate)) { |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1001 dronebl_queue($mip, $mdate, $mtype); |
65 | 1002 } |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1003 } |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
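As an added illustration (not maltfilter's own code), the following stand-alone Perl script models the hit accounting of update_entry() and check_add_hit() above together with the weeding loop at the top of this section, showing why an IP with enough hits is still not blocked when those hits fall outside the time window, why the iptables rule is inserted only once, and which stat entries survive weeding. exec_iptables(), dronebl_queue() and the check_time*() checks are replaced by in-memory stand-ins; all thresholds, window lengths, addresses, events and the DroneBL type value are constructed.

```perl
#!/usr/bin/perl
# Added example, not maltfilter code: a dry-run model of update_entry(),
# check_add_hit() and the stale-entry weeding. Everything below is constructed.
use strict;
use warnings;

my %settings = (
  FILTER            => 1,
  FILTER_THRESHOLD  => 3,       # constructed: hits before a rule is inserted
  FILTER_TABLE      => "filter",
  FILTER_CHAIN      => "INPUT",
  FILTER_TARGET     => "DROP",
  DRONEBL_THRESHOLD => 5,       # constructed: hits before a DroneBL report
  WINDOW            => 3600,    # constructed: only hits this recent trigger action
);
my $now = 1_251_712_666;        # fixed "current time" keeps the run reproducible

my %statlist;        # $statlist{$ip}{reason}{$class}{hits}, as in maltfilter
my %filterlist;      # $filterlist{$ip} = date of the last hit from a blocked IP
my @iptables_calls;  # stand-in for exec_iptables(): record instead of executing
my @dronebl_queue;   # stand-in for dronebl_queue()

# Stand-in for check_time1()/check_time3(): is the hit recent enough to act on?
sub in_window { my ($t) = @_; return $t >= $now - $settings{WINDOW}; }

# date1 = first time seen, date2 = last time seen
sub update_date {
  my ($e, $t) = @_;
  $e->{date1} = $t unless defined $e->{date1};
  $e->{date2} = $t if !defined($e->{date2}) || $t > $e->{date2};
}

sub update_entry {
  my ($struct, $ip, $t, $class, $reason) = @_;
  my $entry  = $struct->{$ip} ||= {};
  my $rentry = $entry->{reason}{$class} ||= {};
  $entry->{hits}++;
  $rentry->{hits}++;
  $rentry->{msg} = $reason;
  update_date($entry, $t);
  update_date($rentry, $t);
  return $entry->{hits};
}

sub check_add_hit {
  my ($ip, $t, $class, $reason, $type) = @_;
  my $cnt = update_entry(\%statlist, $ip, $t, $class, $reason);

  if ($settings{FILTER} > 0 && $cnt >= $settings{FILTER_THRESHOLD} && in_window($t)) {
    # Insert the rule once; later hits only refresh the last-hit date
    push @iptables_calls, join(" ", "iptables", "-t", $settings{FILTER_TABLE},
      "-I", $settings{FILTER_CHAIN}, "1", "-s", $ip, "-j", $settings{FILTER_TARGET})
      unless defined $filterlist{$ip};
    $filterlist{$ip} = $t;
  }
  if ($type > 0 && $cnt >= $settings{DRONEBL_THRESHOLD} && in_window($t)) {
    push @dronebl_queue, "$ip (type $type)";
  }
}

# Mirrors the weeding loop: drop stat entries whose last hit is outside the
# window unless the IP is currently blocked (its entry must stay for reporting)
sub weed_entries {
  foreach my $ip (keys %statlist) {
    my $last = $statlist{$ip}{date2};
    delete $statlist{$ip} if !in_window($last) && !defined $filterlist{$ip};
  }
}

# Constructed events: [seconds before $now, ip, class, reason, dronebl type]
my @events = (
  [ 7200, "198.51.100.7", "ssh",  "Failed password", 0 ],  # old: outside window
  [ 7100, "198.51.100.7", "ssh",  "Failed password", 0 ],
  [ 7000, "198.51.100.7", "ssh",  "Failed password", 0 ],
  [  300, "192.0.2.10",   "ssh",  "Failed password", 9 ],  # recent; 9 is a made-up type
  [  240, "192.0.2.10",   "ssh",  "Invalid user",    9 ],
  [  180, "192.0.2.10",   "http", "XSS attempt",     9 ],
  [  120, "192.0.2.10",   "ssh",  "Failed password", 9 ],
  [   60, "192.0.2.10",   "ssh",  "Failed password", 9 ],
);
check_add_hit($_->[1], $now - $_->[0], $_->[2], $_->[3], $_->[4]) for @events;
weed_entries();

print "iptables: $_\n" for @iptables_calls;
print "DroneBL queue: @dronebl_queue\n";
print "blocked: ", join(", ", sort keys %filterlist), "\n";
print "stat entries after weeding: ", join(", ", sort keys %statlist), "\n";
foreach my $ip (sort keys %statlist) {
  my $r = $statlist{$ip}{reason};
  print "  $ip: ", join(", ", map { "$_=$r->{$_}{hits}" } sort keys %$r), "\n";
}
```

Running it yields a single iptables insertion for 192.0.2.10 (on its third hit), one DroneBL queue entry (on its fifth), and 198.51.100.7 weeded out despite having reached the threshold, because all of its hits were outside the window and it was never blocked.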

#############################################################################
### Main helper functions
#############################################################################
### Print log entry
sub mlog($$)
{
  my $level = shift;
  my $msg = shift;
  if ($LOGFILE) {
    print $LOGFILE "[".get_time_str(time())."] ".$msg if ($settings{"VERBOSITY"} > $level);
  } elsif ($settings{"DRY_RUN"}) {
    print STDERR $msg if ($settings{"VERBOSITY"} > $level);
  }
}

### Like Perl's die(), but also print a logfile entry.
sub mdie($)
{
  mlog(-1, $_[0]) if ($LOGFILE);
  die($_[0]);
}

### Initialize
sub malt_init
{
  %statlist = ();
  undef(%statlist);
  %ignorelist = ();
  undef(%ignorelist);
  update_filterlist(-1);

  # Files listed in SCANFILE_ONCE are read completely and closed again
  foreach my $filename (@scanfiles_once) {
    mlog(0, "Parsing [ONCE] ".$filename." ...\n");
    if (open(INFILE, "<", $filename)) {
      while (<INFILE>) {
        chomp;
        check_log_line($_);
      }
    } else {
      mlog(-1, "Could not open '".$filename."', skipping now.\n");
    }
    close(INFILE);
  }

  # Regular scanfiles are read to the end and their handles kept open
  # in %filehandles, so the main loop can keep reading new lines from them
  foreach my $filename (@scanfiles) {
    local *INFILE;
    mlog(0, "Initial parsing ".$filename." ...\n");
    if (open(INFILE, "<", $filename)) {
      $filehandles{$filename} = *INFILE;
      while (<INFILE>) {
        chomp;
        check_log_line($_);
      }
    } else {
      mlog(-1, "Could not open '".$filename."', skipping now.\n");
    }
  }
}

### Quick cleanup (not complete shutdown)
sub malt_cleanup
{
  foreach my $filename (keys %filehandles) {
    close($filehandles{$filename});
  }
}

sub malt_finish
{
  # Unlink pid-file
  if ($pid_file ne "" && -e $pid_file) {
    unlink $pid_file;
  }
  # Close logfile
  close($LOGFILE) if (defined($LOGFILE));
  undef($LOGFILE);
}

### Signal handlers
sub malt_int
{
  mlog(-1, "\nCaught Interrupt (^C), aborting.\n");
  malt_cleanup();
  malt_finish();
  exit(1);
}

sub malt_term
{
  mlog(-1, "Received TERM, quitting.\n");
  malt_cleanup();
  malt_finish();
  exit(1);
}

sub malt_hup
{
  mlog(-1, "Received HUP, reinitializing.\n");
  malt_cleanup();
  malt_configure();
  malt_init();
  mlog(-1, "Reinitialization finished, resuming scanning.\n");
}

### Periodic maintenance: expire blocks, weed stale entries, write status
### files, gather evidence and submit queued DroneBL reports
sub malt_maintenance
{
  update_filterlist(time());
  weed_entries();
  generate_status($settings{"STATUS_FILE_PLAIN"}, 0);
  generate_status($settings{"STATUS_FILE_HTML"}, 1);
  evidence_gather();
  dronebl_process();
}

### Main scanning function
sub malt_scan
{
  mlog(1, "Entering main scanning loop.\n");
  my $counter = -1;
  while (1) {
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1126 my %filepos = (); |
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1127 foreach my $filename (keys %filehandles) { |
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1128 for ($filepos{$filename} = tell($filehandles{$filename}); |
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
1129 $_ = readline($filehandles{$filename}); |
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1130 $filepos{$filename} = tell($filehandles{$filename})) { |
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
1131 chomp($_); |
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1132 check_log_line($_); |
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1133 } |
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1134 } |
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
1135 sleep(1); |
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
1136 foreach my $filename (keys %filehandles) { |
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
1137 seek($filehandles{$filename}, $filepos{$filename}, 0); |
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
1138 } |
83
532169789f52
Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents:
80
diff
changeset
|
1139 if ($counter < 0 || $counter >= 60) { |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1140 # Every once in a while, execute maintenance functions |
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1141 $counter = 0; |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1142 malt_maintenance(); |
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1143 } |
80
4e3f87470426
Only execute maintenance procedures every 5 minutes or so.
Matti Hamalainen <ccr@tnsp.org>
parents:
79
diff
changeset
|
1144 $counter++; |
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1145 } |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1146 } |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1147 |
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
1148 ### Read one configuration file |
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1149 sub malt_read_config($) |
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1150 { |
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1151 my $filename = $_[0]; |
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1152 my $errors = 0; |
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1153 my $line = 0; |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1154 |
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1155 open(CONFFILE, "<", $filename) or mdie("Could not open configuration '".$filename."'!\n"); |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1156 while (<CONFFILE>) { |
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1157 $line++; |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1158 chomp; |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1159 if (/(^\s*#|^\s*$)/) { |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1160 # Ignore comments and empty lines |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1161 } elsif (/^\s*\"?([a-zA-Z0-9_]+)\"?\s*=>?\s*(\d+),?\s*$/) { |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1162 my $key = uc($1); |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1163 my $value = $2; |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1164 if (defined($settings{$key})) { |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1165 $settings{$key} = $value; |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1166 } else { |
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1167 mlog(-1, "[$filename:$line] Unknown setting '$key' = $value\n"); |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1168 $errors = 1; |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1169 } |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1170 } elsif (/^\s*\"?([a-zA-Z0-9_]+)\"?\s*=>?\s*\"(.*?)\",?\s*$/) { |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1171 my $key = uc($1); |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1172 my $value = $2; |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1173 if ($key eq "SCANFILE") { |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1174 push(@scanfiles, $value); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1175 } elsif ($key eq "SCANFILE_ONCE") { |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1176 push(@scanfiles_once, $value); |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1177 } elsif ($key eq "NOACTION_IPS") { |
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1178 push(@noaction_ips, $value); |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1179 } elsif (defined($settings{$key})) { |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1180 $settings{$key} = $value; |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1181 } else { |
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1182 mlog(-1, "[$filename:$line] Unknown setting '$key' = '$value'\n"); |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1183 $errors = 1; |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1184 } |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1185 # Force dry run mode if we are reporting only |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1186 if ($reportmode) { |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1187 $settings{"DRY_RUN"} = 1; |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1188 } |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1189 } else { |
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1190 mlog(-1, "[$filename:$line] Syntax error: $_\n"); |
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1191 $errors = 1; |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1192 } |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1193 } |
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1194 close(CONFFILE); |
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1195 return $errors; |
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1196 } |
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1197 |
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1198 ### Read all configuration files |
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1199 sub malt_configure |
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1200 { |
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1201 # Let user define his/her own logfiles to scan |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1202 @scanfiles = (); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1203 undef(@scanfiles); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1204 |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1205 @scanfiles_once = (); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1206 undef(@scanfiles_once); |
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1207 |
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1208 @noaction_ips = (); |
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1209 undef(@noaction_ips); |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1210 |
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1211 foreach my $filename (@configfiles) { |
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1212 mdie("Errors in configuration file '$filename', bailing out.\n") |
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1213 unless (malt_read_config($filename) == 0); |
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1214 } |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1215 |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1216 # Clean up certain arrays duplicate entries |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1217 my %saw = (); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1218 @scanfiles = grep(!$saw{$_}++, @scanfiles); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1219 |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1220 %saw = (); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1221 @scanfiles_once = grep(!$saw{$_}++, @scanfiles_once); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1222 |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1223 %saw = (); |
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1224 push(@noaction_ips, @noaction_ips_def); |
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1225 @noaction_ips = grep(!$saw{$_}++, @noaction_ips); |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1226 undef(%saw); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1227 |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1228 mlog(-1, "Not acting on IPs: ".join(", ", @noaction_ips)."\n"); |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1229 |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1230 # Check if we have anything to do |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1231 if ($reportmode) { |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1232 mdie("Nothing to do, no SCANFILE(s) or SCANFILE_ONCE(s) defined in configuration.\n") unless ($#scanfiles > 0 || $#scanfiles_once > 0); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1233 } else { |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1234 mdie("Nothing to do, no SCANFILE(s) defined in configuration.\n") unless ($#scanfiles > 0); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1235 } |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1236 |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1237 # General settings |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1238 my $val = $settings{"STATS_MAX_AGE"}; |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1239 mdie("Invalid STATS_MAX_AGE value $val, must be > 0.\n") unless ($val > 0); |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1240 |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1241 # Filtering |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1242 if ($settings{"FILTER"} > 0) { |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1243 $val = $settings{"FILTER_MAX_AGE"}; |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1244 mdie("Invalid FILTER_MAX_AGE value $val, must be > 0.\n") unless ($val > 0); |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1245 |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1246 $val = $settings{"FILTER_THRESHOLD"}; |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1247 mdie("Invalid FILTER_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0); |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1248 |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1249 $val = $settings{"IPTABLES"}; |
93
55670dabda5a
Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
88
diff
changeset
|
1250 mdie("Iptables binary does not exist or is not executable: $val\n") unless (-e $val && -x $val); |
55670dabda5a
Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
88
diff
changeset
|
1251 |
55670dabda5a
Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
88
diff
changeset
|
1252 $val = $settings{"FILTER_TARGET"}; |
55670dabda5a
Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
88
diff
changeset
|
1253 mdie("Value of FILTER_TARGET must not be empty!\n") unless ($val ne ""); |
55670dabda5a
Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
88
diff
changeset
|
1254 |
55670dabda5a
Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
88
diff
changeset
|
1255 my $mtable = $settings{"FILTER_TABLE"}; |
55670dabda5a
Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
88
diff
changeset
|
1256 mdie("Value of FILTER_TABLE should be one of ".join(", ", keys %filter_valid_tables).".\n") |
55670dabda5a
Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
88
diff
changeset
|
1257 unless defined($filter_valid_tables{$mtable}); |
55670dabda5a
Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
88
diff
changeset
|
1258 |
55670dabda5a
Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
88
diff
changeset
|
1259 $val = $settings{"FILTER_CHAIN"}; |
55670dabda5a
Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
88
diff
changeset
|
1260 mdie("Value of FILTER_CHAIN must not be empty!\n") unless ($val ne ""); |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1261 } else { |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1262 mlog(1, "Netfilter handling disabled.\n"); |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1263 } |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1264 |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1265 # Check evidence settings |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1266 if ($settings{"EVIDENCE"} > 0) { |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1267 my $base = $settings{"EVIDENCE_DIR"}; |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1268 mdie("Evidence directory (EVIDENCE_DIR) not set in configuration.\n") if ($base eq ""); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1269 mdie("Evidence directory '$base' does not exist.\n") unless (-e $base); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1270 mdie("Path '$base' is not a directory.\n") unless (-d $base); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1271 mdie("Evidence directory '$base' is not writable by euid.\n") unless (-w $base); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1272 } |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1273 |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1274 # Sanitize DroneBL configuration |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1275 if ($settings{"DRONEBL"} > 0) { |
86
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1276 mdie("DroneBL enabled, but DRONEBL_RPC_KEY not set.\n") unless ($settings{"DRONEBL_RPC_KEY"} ne ""); |
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1277 |
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1278 $val = $settings{"DRONEBL_MAX_AGE"}; |
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1279 mdie("Invalid DRONEBL_MAX_AGE value $val, must be > 10.\n") unless ($val > 10); |
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1280 |
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1281 $val = $settings{"DRONEBL_THRESHOLD"}; |
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1282 mdie("Invalid DRONEBL_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0); |
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1283 |
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1284 $val = $settings{"DRONEBL_MAX_ERRORS"}; |
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1285 mdie("Invalid DRONEBL_MAX_ERRORS value $val, must be >= 0.\n") unless ($val >= 0); |
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1286 |
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1287 $val = $settings{"DRONEBL_SUSPEND"}; |
4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
83
diff
changeset
|
1288 mdie("Invalid DRONEBL_SUSPEND value $val, must be >= 1.\n") unless ($val >= 1); |
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1289 } |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1290 |
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1291 # Check system account / passwd settings |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1292 mdie("SYSACCT_MIN_UID must be >= 1.\n") unless ($settings{"SYSACCT_MIN_UID"} >= 1); |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1293 mdie("SYSACCT_MAX_UID must be >= SYSACCT_MIN_UID.\n") unless ($settings{"SYSACCT_MAX_UID"} >= $settings{"SYSACCT_MIN_UID"}); |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1294 |
44
471731c79bb3
Add configuration setting for PASSWD file.
Matti Hamalainen <ccr@tnsp.org>
parents:
40
diff
changeset
|
1295 open(PASSWD, "<", $settings{"PASSWD"}) or mdie("Could not open '".$settings{"PASSWD"}."' for reading!\n"); |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1296 while (<PASSWD>) { |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1297 my @fields = split(/\s*:\s*/); |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1298 if ($fields[2] >= $settings{"SYSACCT_MIN_UID"} && $fields[2] <= $settings{"SYSACCT_MAX_UID"}) { |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1299 $systemacct{$fields[0]} = $fields[2]; |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1300 } |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1301 } |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1302 close(PASSWD); |
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1303 } |
#############################################################################
###
### Main program
###
#############################################################################
# Setup signal handlers
$SIG{'INT'} = 'malt_int';
$SIG{'TERM'} = 'malt_term';
$SIG{'HUP'} = 'malt_hup';

# Print banner and help if no arguments
my $argc = $#ARGV + 1;
if ($argc < 1) {
  print STDERR $progbanner.
  "\n".
  "Usage: maltfilter <pid filename> [config filename] [config filename...]\n".
  "       maltfilter -f [config filename] [config filename...]\n".
  "-f turns on the full report mode.\n";
  exit;
}

# Test pid file existence unless report mode.
# Note that this is only an existence test: the file itself is created
# later, by the parent after fork(), so a second instance started in
# between will not see it.
$pid_file = shift;
if ($pid_file eq "-f") {
  $reportmode = 1;
  print STDERR $progbanner;
} else {
  mdie("'$pid_file' already exists, not starting.\n".
       "If the daemon is NOT running, remove the pid-file and re-start.\n")
    if (-e $pid_file);
}

# Read configuration files
while (defined(my $filename = shift)) {
  push(@configfiles, $filename);
}

malt_configure();

# Open logfile
if ($settings{"DRY_RUN"}) {
  print STDERR
  "*********************************\n".
  "* NOTICE! DRY-RUN MODE ENABLED! *\n".
  "*********************************\n";
} elsif ($settings{"LOGFILE"} ne "") {
  open($LOGFILE, ">>", $settings{"LOGFILE"}) or die("Could not open logfile '".$settings{"LOGFILE"}."' for writing!\n");
  # Disable output buffering of the logfile
  select((select($LOGFILE), $| = 1)[0]);
  mlog(-1, "Log started\n");
}

# Initialize
malt_init();

# Fork to background, unless dry-running
if ($settings{"DRY_RUN"}) {
  if ($reportmode) {
    malt_maintenance();
    malt_cleanup();
  } else {
    malt_scan();
    malt_cleanup();
  }
} else {
  # fork() returns undef on failure; without this check the parent would
  # fall into the child branch and run the scan in the foreground with no
  # pid file ever written.
  my $pid = fork;
  mdie("Could not fork: $!\n") unless defined($pid);
  if ($pid) {
    # Parent: record the child's pid and exit
    open(PIDFILE, ">", $pid_file) or mdie("Could not open pid file '".$pid_file."' for writing!\n");
    print PIDFILE "$pid\n";
    close(PIDFILE);
  } else {
    # Child: run the daemon loop
    malt_scan();
    malt_cleanup();
  }
}
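The startup sequence above guards against a second instance with a "-e" test on the pid file, writes the pid from the parent after a single fork(), and leaves the child attached to the parent's session and standard streams. The following is an added example, not maltfilter's own code, of the lock-based variant of that pattern: the pid file is opened O_CREAT and claimed with a non-blocking flock(), so two instances cannot both pass the check, a stale file left by a crash is harmless (the lock died with the process), and the daemon writes its own pid after a double fork() and setsid(). The function names claim_pid_file, live_pid_in and daemonize and the path /var/run/maltfilter.pid are assumptions for the example.

```perl
#!/usr/bin/perl -w
# Added example (not part of maltfilter): lock-based pid file and a
# conventional daemonize(). Function names and paths are hypothetical.
use strict;
use Fcntl qw(O_RDWR O_CREAT LOCK_EX LOCK_NB);
use Errno qw(EPERM);
use POSIX qw(setsid);

# Returns the pid recorded in $path if that process is still alive,
# 0 if the file is missing, unparsable, or names a dead process.
sub live_pid_in {
  my ($path) = @_;
  open(my $fh, "<", $path) or return 0;
  my $line = <$fh>;
  close($fh);
  return 0 unless (defined($line) && $line =~ /^\s*(\d+)\s*$/);
  my $pid = $1;
  return 0 if $pid == $$;
  # kill 0 delivers no signal, it only asks whether the process exists.
  # EPERM means it exists but runs as another user, so it still counts.
  return (kill(0, $pid) || $! == EPERM) ? $pid : 0;
}

# Claim $path atomically. The lock, not the file's existence, is the
# "already running" test, so a stale pid file never blocks startup.
# Returns the open handle; keep it in scope for the daemon's lifetime.
sub claim_pid_file {
  my ($path) = @_;
  sysopen(my $fh, $path, O_RDWR|O_CREAT, 0644) or die "Cannot open '$path': $!\n";
  unless (flock($fh, LOCK_EX|LOCK_NB)) {
    my $other = live_pid_in($path);
    die sprintf("'%s' is locked%s, not starting.\n",
                $path, $other ? " by running pid $other" : "");
  }
  # We hold the lock: any pid in the file belongs to a dead instance.
  truncate($fh, 0) or die "Cannot truncate '$path': $!\n";
  select((select($fh), $| = 1)[0]);   # autoflush, as the logfile above does
  return $fh;
}

# Double fork: the daemon is not a session leader, so it can never
# reacquire a controlling terminal. Returns only in the daemon process,
# which then writes its own pid into the locked file.
sub daemonize {
  my ($pidfh) = @_;
  chdir("/") or die "chdir /: $!\n";
  defined(my $pid = fork) or die "fork: $!\n";
  exit(0) if $pid;                      # first parent exits
  setsid() or die "setsid: $!\n";
  defined($pid = fork) or die "fork: $!\n";
  exit(0) if $pid;                      # session leader exits
  umask(022);
  seek($pidfh, 0, 0) or die "seek: $!\n";
  print $pidfh "$$\n";
  open(STDIN,  "<",  "/dev/null") or die "stdin: $!\n";
  open(STDOUT, ">",  "/dev/null") or die "stdout: $!\n";
  open(STDERR, ">&", \*STDOUT)    or die "stderr: $!\n";
}

# Usage with a hypothetical path. The lock is held by the open file
# description, so it survives the two forks and is released only when
# the daemon exits or closes $pidfh.
my $pid_file = "/var/run/maltfilter.pid";
my $pidfh = claim_pid_file($pid_file);
daemonize($pidfh);
$SIG{TERM} = sub { close($pidfh); unlink($pid_file); exit(0); };
sleep(30);                              # daemon body would go here
close($pidfh);
unlink($pid_file);
```

Running two copies back to back shows the difference from an existence check: the second one fails on flock() with the live pid in the message, and after the first exits uncleanly (kill -9) the next start succeeds without anyone removing the file by hand.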