annotate maltfilter @ 105:5786194984c5 maltfilter-0.20.1

Version bump.
author Matti Hamalainen <ccr@tnsp.org>
date Mon, 07 Sep 2009 02:32:33 +0300
parents df68cf1eaf39
children 3894755d78df
1 #!/usr/bin/perl -w
2 #############################################################################
3 #
4 # Malicious Attack Livid Termination Filter daemon (maltfilter)
5 # Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org>
6 # (C) Copyright 2009 Tecnic Software productions (TNSP)
7 #
8 #############################################################################
9 use strict;
10 use Date::Parse;
11 use Net::IP;
12 use Net::DNS;
13 use LWP::UserAgent;
14 use IO::Seekable;
my $progversion = "0.20.1";

# Program banner text: three newline-terminated lines. The "@" in the
# e-mail address has to stay escaped inside the double-quoted string.
my $progbanner = join("",
    "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n",
    "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n",
    "(C) Copyright 2009 Tecnic Software productions (TNSP)\n");
#############################################################################
### Default settings and configuration
#############################################################################
# Built-in defaults. Keys are the setting names used throughout the script;
# presumably the configuration file(s) override them (the loader is not in
# this part of the file).
my %settings = (
    # General behaviour
    VERBOSITY           => 3,
    DRY_RUN             => 1,       # presumably "report only, take no action" -- see the action code
    LOGFILE             => "",
    STATS_MAX_AGE       => 336,     # in hours

    # System account detection (see %systemacct)
    PASSWD              => "/etc/passwd",
    SYSACCT_MIN_UID     => 1,
    SYSACCT_MAX_UID     => 999,

    # Netfilter blocking
    FILTER              => 0,
    FILTER_THRESHOLD    => 5,
    FILTER_MAX_AGE      => 168,     # in hours
    FILTER_TARGET       => "DROP",
    FILTER_CHAIN        => "INPUT",
    FILTER_TABLE        => "filter",    # see %filter_valid_tables
    IPTABLES            => "/sbin/iptables",

    # Status output
    FULL_TIME           => 1,
    STATUS_FILE_PLAIN   => "",
    STATUS_FILE_HTML    => "",
    STATUS_FILE_CSS     => "",
    WHOIS_URL           => "http://whois.domaintools.com/",

    # Which log checks are enabled (consulted by check_log_line)
    CHK_SSHD            => 1,
    CHK_KNOWN_CGI       => 1,
    CHK_PHP_XSS         => 1,
    CHK_PROXY_SCAN      => 1,
    CHK_ROOT_SSH_PWD    => 0,
    CHK_SYSACCT_SSH_PWD => 0,
    CHK_GOOD_HOSTS      => "",

    # Evidence gathering
    EVIDENCE            => 0,
    EVIDENCE_DIR        => "",

    # DroneBL submission
    DRONEBL             => 0,
    DRONEBL_THRESHOLD   => 3,
    DRONEBL_MAX_AGE     => 30,      # in minutes
    DRONEBL_RPC_URI     => "http://dronebl.org/RPC2",   # NOTE(review): plain http:// -- confirm whether the endpoint offers https
    DRONEBL_RPC_KEY     => "",      # secret; belongs in the configuration file, not in defaults
    DRONEBL_MAX_ERRORS  => 5,
    DRONEBL_SUSPEND     => 10,
);
# Loopback and the RFC 1918 private netblocks are listed by default; these
# addresses are the built-in "never act on" set.
my @noaction_ips_def = qw(
    127.0.0.0/8
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16
);
0
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
77
93
55670dabda5a Add support for FILTER_CHAIN and FILTER_TABLE settings.
Matti Hamalainen <ccr@tnsp.org>
parents: 88
diff changeset
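# Valid target tables for FILTER_TABLE, kept as a set so that a table name
# can be checked with exists $filter_valid_tables{$name}.
# A plain four-element list assigned to a hash would only produce the two
# pairs "filter" => "nat" and "mangle" => "raw", so "nat" and "raw" would
# never be found as keys.
my %filter_valid_tables = map { $_ => 1 } qw(filter nat mangle raw);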
# Names of system accounts; check_log_line() looks a login name up here to
# decide whether a failed SSH password counts as a system-account attempt.
# Presumably filled from the PASSWD file within SYSACCT_MIN_UID..SYSACCT_MAX_UID
# (the code that fills it is not in this part of the file).
my %systemacct;

# Forward declaration so check_log_line() can call check_add_hit() before its
# definition further down. The prototype has to match the definition.
sub check_add_hit($$$$$$);
#############################################################################
### Check given logfile line for matches
#############################################################################
# Classifies one log line and records a hit through check_add_hit() when it
# looks like an SSH password scan, a probe for well-known vulnerable web
# software, a PHP parameter pointing at an external http:// host (labelled
# "PHP XSS" here), or a proxy scan. Each hit carries the enable flag of its
# CHK_* setting; what check_add_hit() does with a disabled flag is decided
# there, not here.
#
# NOTE(review): despite the ($) prototype the argument is never read -- the
# line is matched against $_. Callers must therefore have the line in $_
# (e.g. pass $_ from a while (<$fh>) loop).
#
# The text remembered with a hit ($path, $merr) is taken verbatim from
# attacker-controlled log input; anything that renders it later (status
# files, submissions) has to escape it -- confirm in those writers.
#
# Returns nothing; only the side effects matter.
sub check_log_line($)
{
    my $ipv4 = qr/\d+\.\d+\.\d+\.\d+/;

    # (1) SSHD scans: "<Mon dd hh:mm:ss> <host> sshd[pid]: <message>"
    if (/^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: (.*)/) {
        my ($mdate, $merr) = ($1, $2);

        # (1.1) Generic login scan attempts against non-existent accounts
        if ($merr =~ /^Failed password for invalid user (\S+) from ($ipv4)/) {
            check_add_hit($2, $mdate, "SSH login scan", "", 13, $settings{"CHK_SSHD"});
        }
        # (1.2) Root account SSH login password bruteforcing attempts.
        elsif ($merr =~ /^Failed password for root from ($ipv4)/) {
            check_add_hit($1, $mdate, "Root SSH password bruteforce", "", 13, $settings{"CHK_ROOT_SSH_PWD"});
        }
        # (1.3) System account SSH login password bruteforcing attempts;
        # only accounts present in %systemacct are counted.
        elsif ($merr =~ /^Failed password for (\S+) from ($ipv4)/) {
            my ($macct, $mip) = ($1, $2);
            return unless defined($systemacct{$macct});
            check_add_hit($mip, $mdate, "SSH system account bruteforce", $macct, 13, $settings{"CHK_SYSACCT_SSH_PWD"});
        }
        return;
    }

    # (2) Apache error log: probes for common/known vulnerable CGI/PHP
    # software (phpMyAdmin, webmail, shop/wiki packages, ...)
    if (/^\[(.+?)\]\s+\[error\]\s+\[client\s+($ipv4)\]\s+(.+)$/) {
        my ($mdate, $mip, $merr) = ($1, $2, $3);
        return unless $merr =~ /^File does not exist: (.+)$/;
        my $path = $1;
        # Unanchored, case-insensitive substring list; note that "." in
        # "SSI.php" / "xmlrpc.php" is an unescaped wildcard.
        if ($path =~ m{/mss2|/pma|cpanel|admin|/sql|mysql|websql|/SSI.php|/horde|/rc$|/xmlrpc.php|sqladm|dbadm|/roundcube|/webmail|/mail|/email|xampp|/zen|/cart|/shop|/store|mailto:|appserv|roundcube|_vti_bin|wiki|bugtrack|mantis|mantisbt|phpmanager}i) {
            check_add_hit($mip, $mdate, "CGI vuln scan", $path, 6, $settings{"CHK_KNOWN_CGI"});
        }
        return;
    }

    # (3) Apache common log format: <ip> - - [<date>] "GET <uri> HTTP/..."
    if (/($ipv4)\s+-\s+-\s+\[(.+?)\]\s+\"GET (\S*?) HTTP\//) {
        my ($mip, $mdate, $merr) = ($1, $2, $3);

        # (3.1) Simple match for generic PHP XSS vulnerability scans: a
        # .php query parameter whose value is an external http:// URL.
        if ($merr =~ /\.php\?\S*?=http:\/\/([^\/]+)/) {
            my $host = $1;
            return if check_hosts($settings{"CHK_GOOD_HOSTS"}, $host);
            if ($merr =~ /\.php\?\S*?=(http:\/\/[^\&\?]+\??)/) {
                evidence_queue($mip, $1, $merr);
            }
            check_add_hit($mip, $mdate, "PHP XSS", $merr, 6, $settings{"CHK_PHP_XSS"});
        }
        # (3.2) Try to match proxy scanning attempts (absolute-URI request)
        elsif ($merr =~ /^http:\/\/([^\/]+)/) {
            my $host = $1;
            return if check_hosts($settings{"CHK_GOOD_HOSTS"}, $host);
            check_add_hit($mip, $mdate, "Proxy scan", $merr, 6, $settings{"CHK_PROXY_SCAN"});
        }
    }
    return;
}
#############################################################################
### Global variables
#############################################################################
# Run mode and inputs (presumably set from the command line and the
# configuration files, which are parsed elsewhere)
my $reportmode = 0;         # Full report mode
my @scanfiles;              # Files to scan
my @scanfiles_once;         # Files to scan only once during startup or HUP (e.g. not continuously followed)
my @noaction_ips;           # IPs not to filter
my @configfiles;            # Array of configuration file names
my $pid_file = "";          # Name of Maltfilter daemon pid file

# Runtime state
my %filehandles;            # Global hash holding opened scanned log filehandles
my $LOGFILE;                # Maltfilter logfile handle
my %dronebl;                # DroneBL submission state (layout defined where it is filled)

# IPs currently blocked in Netfilter: $filterlist{$ip} = date
my %filterlist;

# Gathered information about hosts
#   $statlist{$ip}->
#     "date1"   = timestamp of first hit
#     "date2"   = timestamp of latest hit
#     "hits"    = number of hits to this IP
#     "dronebl" = 0 == n/a, 1 == queued for submission, 2 == submitted
#   $statlist{$ip}{"reason"}{$class}->
#     "msg"     = reason message (array if $reportmode)
#     "hits"    = hits to this class
#     "date1"   = timestamp of first hit
#     "date2"   = timestamp of latest hit
my %statlist;

# Gathered information about ignored hits (e.g. hits for tests that are not
# enabled). Same fields as in %statlist.
my %ignorelist;
184 #############################################################################
185 ### Status output functionality
186 #############################################################################
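## Return string expressing given UNIX timestamp, or "?" if it is not
## valid (undefined or negative).
sub get_time_str($)
{
    my ($stamp) = @_;
    # An undefined stamp must not fall through to localtime(0) (the 1970
    # epoch) with an "uninitialized value" warning; report it as unknown.
    return "?" unless defined($stamp) && $stamp >= 0;
    return scalar localtime($stamp);
}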
193 ## Return string expressing how long ago given UNIX timestamp is from current time
# Unit table for get_ago_str(): divisor in seconds plus the plural and
# singular unit names, index-aligned (month, week, day, hour, minute).
my @paskat  = (30 * 24 * 60 * 60, 7 * 24 * 60 * 60, 24 * 60 * 60, 60 * 60, 60);
my @opaskat = qw(months weeks days hours minutes);
my @upaskat = qw(month week day hour minute);
198 sub get_ago_str($)
199 {
200 return get_time_str($_[0]) if ($settings{"FULL_TIME"});
201 if ($_[0] >= 0) {
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
202 my $str = "";
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
203 my $cur = time() - $_[0];
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
204 my ($r, $k, $p, $n);
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
205 $n = 0;
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
206 foreach my $div (@paskat) {
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
207 $r = int($cur / $div);
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
208 $k = ($cur % $div);
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
209 if ($r > 0) {
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
210 $p = ($r > 1) ? $opaskat[$n] : $upaskat[$n];
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
211 $str .= ", " if ($str ne "");
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
212 $str .= sprintf("%d %s", $r, $p);
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
213 }
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
214 $cur = $k;
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
215 $n++;
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
216 }
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
217 return $str." ago";
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
218 } else {
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
219 return "?";
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
220 }
24babaa1e331 Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents: 39
diff changeset
221 }
222
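## Percent-encode a string for use as a URL query value: every byte outside
## [A-Za-z0-9_] and space becomes "%XX" (two uppercase hex digits) and
## spaces become "+". Args: (string). Callers are expected to pass byte
## strings; wide characters are not handled specially.
sub urlencode($)
{
    my $value = $_[0];
    # Zero-padded two-digit hex: the previous "%lx" format produced "%A" for
    # bytes below 0x10, which is not valid percent-encoding and is misparsed
    # or rejected by receiving servers.
    $value =~ s/([^a-zA-Z_0-9 ])/sprintf("%%%02X", ord($1))/eg;
    $value =~ tr/ /+/;
    return $value;
}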
231
## Characters that htmlentities() escapes, mapped to their entity names
## (without the surrounding "&" and ";"). Note there is no entry for the
## double quote, so the encoding is only suitable for element text.
my %entities = ('<' => 'lt', '>' => 'gt', '&' => 'amp');
237
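## Convert the HTML/XML special characters listed in %entities into their
## named entities, in a single pass. Args: (string). Because %entities has
## no entry for the double quote, the result is safe as element text but not
## inside a quoted attribute value.
sub htmlentities($)
{
    my $value = $_[0];
    # One combined substitution instead of one pass per key: with per-key
    # passes in hash order, "<" could become "&lt;" and then "&amp;lt;" when
    # the "&" pass happened to run afterwards.
    my $pattern = join("|", map { quotemeta($_) } keys %entities);
    $value =~ s/($pattern)/"&".$entities{$1}.";"/eg;
    return $value;
}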
245
246
## Print a heading. HTML mode emits "<hN>text</hN>\n"; plain-text mode emits
## the text followed by an underline of "=" (level <= 1) or "-" (deeper).
## The text is written verbatim, without entity encoding.
## Args: (html_mode, filehandle, level, text).
sub printH($$$$)
{
    my ($html, $fh, $level, $text) = @_;
    if ($html) {
        print $fh "<h$level>$text</h$level>\n";
    } else {
        my $underline = (($level <= 1) ? "=" : "-") x length($text);
        print $fh "$text\n$underline\n";
    }
}
257
## Print one table cell. HTML mode emits "<td ATTRS >text</td>" where ATTRS is
## the optional fourth argument (omitted entirely when undefined); plain-text
## mode emits just the text. Args: (html_mode, filehandle, text[, attrs]).
sub printTD
{
    my ($html, $fh, $text, $attrs) = @_;
    unless ($html) {
        print $fh $text;
        return;
    }
    my $extra = defined($attrs) ? " $attrs " : "";
    print $fh "<td$extra>$text</td>";
}
268
## Print a paragraph: "<p>\ntext</p>\n" in HTML mode, "text\n" otherwise.
## Args: (html_mode, filehandle, text).
sub printP($$$)
{
    my ($html, $fh, $text) = @_;
    my $out = $html ? "<p>\n$text</p>\n" : "$text\n";
    print $fh $out;
}
278
## Print the HTML fragment in HTML mode; otherwise print the plain-text
## alternative, if one was given. Args: (html_mode, filehandle, html_text[,
## plain_text]).
sub printElem
{
    my ($html, $fh, $html_text, $plain_text) = @_;
    if ($html) {
        print $fh $html_text;
        return;
    }
    print $fh $plain_text if defined($plain_text);
}
288
## Opening bold tag in HTML mode, empty string otherwise. Args: (html_mode).
sub bb($)
{
    my ($html) = @_;
    return "" unless $html;
    return "<b>";
}
293
## Closing bold tag in HTML mode, empty string otherwise. Args: (html_mode).
sub eb($)
{
    my ($html) = @_;
    return "" unless $html;
    return "</b>";
}
298
## Wrap the given tag name in angle brackets in HTML mode ("<tag>"); empty
## string otherwise. Args: (html_mode, tag).
sub pe($$)
{
    my ($html, $tag) = @_;
    return $html ? "<".$tag.">" : "";
}
303
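## Render an address for the report. In HTML mode with a WHOIS_URL configured
## it becomes a link to WHOIS_URL followed by the address, with the visible
## text entity-encoded; in every other case the plain address is returned.
## Args: (html_mode, ip).
sub get_link($$)
{
    my ($html, $ip) = @_;
    # Previously the "no WHOIS_URL" branch returned the mode flag ($_[0]), so
    # the IP column showed "1"/"0"/"" instead of the address.
    return $ip unless ($html && $settings{"WHOIS_URL"} ne "");
    # NOTE(review): $ip is concatenated into the href without encoding; it is
    # assumed to be a validated dotted-quad from the log parser — confirm at
    # the call sites before routing any other log-derived string through here.
    return "<a href=\"".$settings{"WHOIS_URL"}.$ip."\">".htmlentities($ip)."</a>";
}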
313
## Print the detailed hit table: one row per address with hit count, address,
## first/latest hit and the per-class reasons, in HTML or plain-text mode.
## Args: (html_mode, filehandle, table_ref, keys_ref, sort_func, css_class).
## sort_func is invoked as $func->($table, $a, $b). Rows get the CSS class
## "filtered" when the address is present in %filterlist, else "unfiltered".
sub print_table1($$$$$$)
{
    my ($m, $f, $table, $keys, $func, $class) = @_;
    my $sep = " | ";
    my $nrows = 0;

    my $text_header = "Hits | IP-address | First hit | Latest hit | Reason(s)\n";
    my $html_header = "<table class=\"$class\">\n"
        . "<tr><th>Hits</th><th>IP-address</th><th>First hit</th><th>Latest hit</th><th>Reason(s)</th></tr>\n";
    printElem($m, $f, $html_header, $text_header);

    my @sorted = sort { $func->($table, $a, $b) } keys %{$keys};
    for my $mip (@sorted) {
        my $rowclass = defined($filterlist{$mip}) ? "filtered" : "unfiltered";
        printElem($m, $f, " <tr class=\"$rowclass\">");

        # Fixed-width columns; each is followed by a separator in text mode only.
        my @cells = (
            sprintf(bb($m)."%-10d".eb($m), $table->{$mip}{"hits"}),
            sprintf("%-15s", get_link($m, $mip)),
            get_ago_str($table->{$mip}{"date1"}),
            get_ago_str($table->{$mip}{"date2"}),
        );
        for my $cell (@cells) {
            printTD($m, $f, $cell);
            printElem(!$m, $f, $sep);
        }

        # Reason column: "CLASS #hits ( messages )" per reason class, skipping
        # IPTABLES, which is redundant in the block list report.
        my @reasons = ();
        for my $rclass (sort keys %{$table->{$mip}{"reason"}}) {
            next if ($rclass eq "IPTABLES");
            my $msgs;
            if ($reportmode) {
                # Newest messages first, entity-encoded. Keeps up to six
                # entries; NOTE(review): the threshold reads as if five were
                # intended — confirm before changing.
                my @recent = reverse(@{$table->{$mip}{"reason"}{$rclass}{"msg"}});
                splice(@recent, 6) if (@recent > 6);
                @recent = map { htmlentities($_) } @recent;
                $msgs = join(" ".bb($m)."|".eb($m)." ", @recent);
            } else {
                # NOTE(review): "msg" is used as a plain scalar here but
                # dereferenced as an array in report mode — confirm the stored
                # shape really differs between the two modes.
                $msgs = $table->{$mip}{"reason"}{$rclass}{"msg"};
            }
            push(@reasons, bb($m).$rclass.eb($m)." #".$table->{$mip}{"reason"}{$rclass}{"hits"}
                ." ( ".$msgs." )");
        }
        printTD($m, $f, join(", ", @reasons));
        printElem($m, $f, "</tr>\n", "\n");
        $nrows++;
    }

    printElem($m, $f, "</table>\n");
    printP($m, $f, bb($m).$nrows.eb($m)." entries total.\n");
}
360
## Sort comparator for dotted-quad addresses: compares octet by octet,
## numerically, in DESCENDING order (-1 when the first address is larger,
## 1 when smaller, 0 when equal). The first argument (the table) is unused.
## Args: (table, ip_a, ip_b).
sub cmp_ips($$$)
{
    my (undef, $addr_a, $addr_b) = @_;
    my @oct_a = split(/\./, $addr_a);
    my @oct_b = split(/\./, $addr_b);
    for my $i (0 .. 3) {
        my $order = $oct_b[$i] <=> $oct_a[$i];
        return $order if $order;
    }
    return 0;
}
371
## Return the index (0..2) of the first differing octet among the first three
## octets of two dotted-quad addresses, or 4 when those three all match.
## Used by print_table2 to decide where a new colour group of addresses
## starts. Args: (ip_a, ip_b).
sub test_ips($$)
{
    my ($addr_a, $addr_b) = @_;
    my @oct_a = split(/\./, $addr_a);
    my @oct_b = split(/\./, $addr_b);
    my @differ = grep { $oct_a[$_] != $oct_b[$_] } (0 .. 2);
    return @differ ? $differ[0] : 4;
}
381
## Alternating row background colours for address groups in print_table2,
## indexed modulo the list length.
my @ipcolors = ('#666', '#777');
386
## Labels shown in the "DroneBL" column of print_table2, indexed by the
## per-address "dronebl" field.
my @drone_status = qw(No Queue Sent);
388
389 sub print_table2($$$$$$)
390 {
391 my ($m, $f, $table, $keys, $func, $class) = @_;
392 my $nhits = 0;
393 my $str = "<th>IP-address</th><th>Hits</th><th>DroneBL?</th><th>First hit</th><th>Latest hit</th><th>Class</th>";
394 my $str2 = "IP-address | Hits | DroneBL | First hit | Latest hit | Class ";
395
396 printElem($m, $f,
397 "<table class=\"".$class."\">\n<tr>". $str."<th> </th>".$str ."</tr>\n",
398 $str2." || ".$str2."\n");
399
400 my @previp = ("0.0.0.0", "0.0.0.0");
401 my @ncolor = (0, 0);
402
403 my $printEntry = sub {
404 my $blocked = "class=\"".(defined($filterlist{$_[0]}) ? "filtered" : "unfiltered")."\"";
405 if (test_ips($previp[$_[1]], $_[0]) < 3) {
406 $ncolor[$_[1]]++;
407 }
408 $previp[$_[1]] = $_[0];
409 my $str = "style=\"background: ".$ipcolors[$ncolor[$_[1]] % scalar @ipcolors].";\"";
410
411 printTD($m, $f, sprintf("%-15s", get_link($m, $_[0])), $str);
412 printElem(!$m, $f, " | ");
413 printTD($m, $f, sprintf("%-8d ", $table->{$_[0]}{"hits"}), $blocked);
414 printElem(!$m, $f, " | ");
415 printTD($m, $f, sprintf("%-6s ", $drone_status[$table->{$_[0]}{"dronebl"}]), $blocked);
416 printElem(!$m, $f, " | ");
417 printTD($m, $f, get_ago_str($table->{$_[0]}{"date1"}), $blocked);
418 printElem(!$m, $f, " | ");
419 printTD($m, $f, get_ago_str($table->{$_[0]}{"date2"}), $blocked);
420 printElem(!$m, $f, " | ");
421 my $tmp = join(", ", sort keys %{$table->{$_[0]}{"reason"}});
422 printTD($m, $f, sprintf("%-30s", $tmp), $blocked);
423 $nhits += $table->{$_[0]}{"hits"};
424 };
425
426 my @mkeys = sort { $func->($table, $a, $b) } keys %{$keys};
427 my $nkeys = scalar @mkeys;
428 my $kmax = $nkeys / 2;
429
430 for (my $i = 0; $i <= $kmax; $i++) {
431 printElem($m, $f, " <tr>");
432 if ($i < $kmax) {
433 $printEntry->($mkeys[$i], 0);
434 printElem($m, $f, "<th> </th>", " || ");
435 }
436 if ($i + $kmax + 1 < $nkeys) { $printEntry->($mkeys[$i + $kmax + 1], 1); }
437 printElem($m, $f, "</tr>\n", "\n");
438 }
439
440 printElem($m, $f, "</table>\n");
441 printP($m, $f, bb($m).$nkeys.eb($m)." entries total, ".bb($m).$nhits.eb($m)." hits total.\n");
442 }
443
# Sort comparator for the status tables: orders two keys of a stats table
# so that the entry with the more recent last-hit timestamp ("date2") comes
# first, and entries with the same timestamp are ordered by descending hit
# count ("hits").
#
# Parameters:
#   $_[0] - hash ref: table key -> entry hash ref with "date2" and "hits"
#   $_[1] - first key to compare
#   $_[2] - second key to compare
# Returns -1, 0 or 1 like <=>.
sub cmp_hits($$$)
{
    my ($table, $key_a, $key_b) = @_;
    my ($entry_a, $entry_b) = ($table->{$key_a}, $table->{$key_b});

    # Newer "date2" sorts first; only on a tie does the hit count decide.
    return ($entry_b->{"date2"} <=> $entry_a->{"date2"})
        || ($entry_b->{"hits"} <=> $entry_a->{"hits"});
}
453
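# Render a duration given in hours as a short human-readable string, as used
# in the status report ("Data from period of ...").
#
# Parameters:
#   $_[0] - duration in hours (the *_MAX_AGE settings)
# Returns a string such as "5 hours", "2 days, 2 hours", "2.0 weeks" or
# "2 months, 2 days".  A month is taken as 30 days.
#
# Fix: in the "months" branch the remainder of the division is in hours,
# so it is converted to whole days before being labelled as days (the
# previous code printed the leftover hours with a "days" label).
sub get_period($)
{
    my ($hours) = @_;
    my $hours_per_day = 24;
    my $hours_per_week = 24 * 7;
    my $hours_per_month = 30 * 24;
    my $str;

    if ($hours > $hours_per_month) {
        my $months = $hours / $hours_per_month;
        # Remainder is in hours; express it in whole days for the label.
        my $days = int(($hours % $hours_per_month) / $hours_per_day);
        $str = sprintf("%d months", $months);
        $str .= sprintf(", %d days", $days) if ($days > 0);
    } elsif ($hours > $hours_per_week) {
        $str = sprintf("%1.1f weeks", $hours / (24.0 * 7.0));
    } elsif ($hours > $hours_per_day) {
        my $days = $hours / $hours_per_day;
        my $rem_hours = $hours % $hours_per_day;
        $str = sprintf("%d days", $days);
        $str .= sprintf(", %d hours", $rem_hours) if ($rem_hours > 0);
    } else {
        $str = sprintf("%d hours", $hours);
    }
    return $str;
}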
474
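# Write the status report (HTML or plain text, selected by $m through the
# print* helpers) to $filename.
#
# Parameters:
#   $filename - output path; an empty or undefined name disables the report
#   $m        - output mode flag passed through to printElem/printH/printP
#
# Reads %settings (STATUS_FILE_CSS, STATS_MAX_AGE, FILTER, FILTER_MAX_AGE),
# $progversion, $reportmode and the %statlist/%filterlist/%ignorelist tables.
# Failure to open the file is fatal via mdie(); a failed close (writes are
# buffered, so e.g. a full disk surfaces here) is logged via mlog() so that a
# truncated report does not go unnoticed.
#
# NOTE(review): the file is rewritten in place, so a reader (e.g. a web server
# serving the report) may observe a partially written file during generation.
sub generate_status($$)
{
    my ($filename, $m) = @_;

    # No status file configured
    return unless (defined($filename) && $filename ne "");

    # Lexical filehandle instead of the package-global bareword STATUS, so no
    # other code path in the daemon can clobber the handle while we write.
    open(my $f, ">", $filename) or mdie("Could not open '".$filename."'!\n");

    printElem($m, $f, "
<html>
<head>
<title>Maltfilter status report</title>
");

    printElem($m, $f, "<link href=\"".$settings{"STATUS_FILE_CSS"}."\" rel=\"stylesheet\" type=\"text/css\" />")
        if ($settings{"STATUS_FILE_CSS"});

    printElem($m, $f, "
</head>
<body>
");

    printH($m, $f, 1, "Maltfilter v$progversion status report");
    my $period = get_period($settings{"STATS_MAX_AGE"});

    printP($m, $f,
        "Generated ".bb($m).get_time_str(time()).eb($m).". Data computed from ".
        ($reportmode ? "complete logfile scan" : "a period of last $period").".\n");

    printP($m, $f, "The hit classes marked as 'IPTABLES' are a pseudo-class meaning an\n".
        "filtered IP that was in Netfilter before Maltfilter was started.\n");

    # Filtered-entries table only makes sense when filtering is enabled
    if ($settings{"FILTER"} > 0) {
        printH($m, $f, 2, "Currently filtered entries");
        $period = get_period($settings{"FILTER_MAX_AGE"});
        printP($m, $f, "List of IPs that are currently filtered (or would be, if this is\n".
            "a report-only mode). Data from period of $period.\n");
        print_table1($m, $f, \%statlist, \%filterlist, \&cmp_hits, "filtered");
    }

    printH($m, $f, 2, "Summary of entries");
    printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not\n".
        "necessarily acted upon. Sorted by descending IP address.\n");
    print_table2($m, $f, \%statlist, \%statlist, \&cmp_ips, "global");

    printH($m, $f, 2, "Ignored entries");
    printP($m, $f, "List of hits that were ignored (not acted upon), because the test was disabled.\n".
        "Notice that the entry may be blocked due to other checks, however.\n");
    print_table1($m, $f, \%ignorelist, \%ignorelist, \&cmp_hits, "ignored");

    printElem($m, $f, "</body>\n</html>\n");

    # Buffered write errors are only reported at close time
    close($f) or mlog(-1, "Error closing '".$filename."': $!\n");
}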
530
531
532 #############################################################################
533 ### DroneBL submission support
534 #############################################################################
# Submission back-off state shared by the dronebl_* subs below:
#   $dronebl_errors  - consecutive failed submissions, reset on success
#   $dronebl_suspend - remaining dronebl_process() rounds to skip after the
#                      error limit was reached
my ($dronebl_errors, $dronebl_suspend) = (0, 0);
537
538 sub dronebl_process
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
539 {
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
540 return unless ($settings{"DRONEBL"} > 0);
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
541
100
075b2b626d17 Fix check for number of SCANFILEs and SCANFILE_ONCEs.
Matti Hamalainen <ccr@tnsp.org>
parents: 97
diff changeset
542 # If suspended, bail out until it's time to retry
86
4362bf9e52e4 Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents: 83
diff changeset
543 if ($dronebl_suspend > 0) {
4362bf9e52e4 Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents: 83
diff changeset
544 $dronebl_suspend--;
4362bf9e52e4 Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents: 83
diff changeset
545 return;
4362bf9e52e4 Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents: 83
diff changeset
546 }
4362bf9e52e4 Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents: 83
diff changeset
547
65
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
548 # Create submission data
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
549 my $xml = "<?xml version=\"1.0\"?>\n<request key=\"".$settings{"DRONEBL_RPC_KEY"}."\">\n";
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
550 my $entries = 0;
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
551 while (my ($ip, $entry) = each(%dronebl)) {
66
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
552 if ($entry->{"sent"} == 0 && $entry->{"tries"} < 3) {
83
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 80
diff changeset
553 $xml .= "<add ip=\"".$ip."\" type=\"".$entry->{"type"}."\" />\n";
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 80
diff changeset
554 # $xml .= "<add ip=\"".$ip."\" type=\"1\" />\n";
65
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
555 $entries++;
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
556 }
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
557 }
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
558 $xml .= "</request>\n";
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
559
66
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
560 # Bait out if no entries to submit
65
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
561 return unless ($entries > 0);
67
8df5d52436a1 More work towards DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 66
diff changeset
562 if ($settings{"DRY_RUN"}) {
70
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
563 mlog(2, "[DroneBL] Would submit $entries entries.\n");
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
564 return;
67
8df5d52436a1 More work towards DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 66
diff changeset
565 } else {
70
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
566 mlog(2, "[DroneBL] Trying to submit $entries entries.\n");
67
8df5d52436a1 More work towards DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 66
diff changeset
567 }
66
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
568
65
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
569 # Submit via HTTP XML-RPC
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
570 my $tmp = LWP::UserAgent->new;
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
571 $tmp->agent("Maltfilter/".$progversion);
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
572 $tmp->timeout(10);
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
573 my $req = HTTP::Request->new(POST => $settings{"DRONEBL_RPC_URI"});
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
574 $req->content_type("text/xml");
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
575 $req->content($xml);
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
576 $req->user_agent("Maltfilter/".$progversion);
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
577 my $res = $tmp->request($req);
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
578
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
579 if ($res->is_success) {
70
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
580 mlog(3, "[DroneBL] HTTP response [".$res->code."] ".$res->message."\n");
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
581 my $str = $res->content;
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
582 my ($type, $msg);
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
583 $str =~ tr/\n/ /;
69
b090ddfccdab Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents: 68
diff changeset
584
70
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
585 if ($str =~ /<response\s*type=.(success|error).>(.*?)<\/response>/gm) {
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
586 $type = $1; $msg = $2;
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
587 } elsif ($str =~ /<response\s*type=.(success|error). *\/>/gm) {
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
588 $type = $1; $msg = "";
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
589 }
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
590
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
591 if ($type eq "success") {
83
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 80
diff changeset
592 $dronebl_errors = 0;
86
4362bf9e52e4 Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents: 83
diff changeset
593 mlog(1, "[DroneBL] Succesfully submitted $entries entries.\n");
70
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
594 while (my ($ip, $entry) = each(%dronebl)) {
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
595 $entry->{"sent"} = 1;
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
596 $statlist{$ip}{"dronebl"} = 2 if defined($statlist{$ip});
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
597 }
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
598 } elsif ($type eq "error") {
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
599 # If we don't have a valid key, disable further submissions.
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
600 if ($msg =~ /<code>403<\/code>/) {
87
cbe5761897f4 Use ("No", "Queue", "Sent") for DroneBL information in status reports.
Matti Hamalainen <ccr@tnsp.org>
parents: 86
diff changeset
601 mlog(-1, "[DroneBL] Disabling submissions due to invalid key.\n");
70
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
602 $settings{"DRONEBL"} = 0;
83
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 80
diff changeset
603 } else {
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 80
diff changeset
604 $dronebl_errors++;
70
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
605 }
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
606 # Log error message mangled
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
607 $msg =~ s{\s*</?[^>]+>}{ }g;
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
608 mlog(-1, "[DroneBL] Error in submission: $msg\n");
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
609 } else {
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
610 mlog(-1, "[DroneBL] Unsupported response message ".$str."\n");
83
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 80
diff changeset
611 $dronebl_errors++;
70
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
612 }
65
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
613 } else {
70
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
614 mlog(-1, "[DroneBL] HTTP request failed: [".$res->code."] ".$res->message."\n");
83
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 80
diff changeset
615 $dronebl_errors++;
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 80
diff changeset
616 }
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 80
diff changeset
617
86
4362bf9e52e4 Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents: 83
diff changeset
618 # Check error counts
83
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 80
diff changeset
619 if ($dronebl_errors >= $settings{"DRONEBL_MAX_ERRORS"}) {
86
4362bf9e52e4 Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents: 83
diff changeset
620 # Only log suspension message if don't have recent previous errors
4362bf9e52e4 Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents: 83
diff changeset
621 mlog(-1, "Temporarily disabling DroneBL submissions due to too many errors for next ".$settings{"DRONEBL_SUSPEND"}. " rounds.\n")
4362bf9e52e4 Add sanity checking of DroneBL configuration values; Misc. cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents: 83
diff changeset
622 if ($dronebl_errors == $settings{"DRONEBL_MAX_ERRORS"});
83
532169789f52 Add automatic temporary suspension of DroneBL submissions if enough HTTP
Matti Hamalainen <ccr@tnsp.org>
parents: 80
diff changeset
623 $dronebl_suspend = $settings{"DRONEBL_SUSPEND"};
65
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
624 }
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
625
70
adb4795f451e Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents: 69
diff changeset
626 # Clean up expired entries, warn/note about unsubmitted ones.
65
d2e2b82dd2f2 Work on DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents: 63
diff changeset
627 while (my ($ip, $entry) = each(%dronebl)) {
66
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
628 if (!check_time3($entry->{"date"})) {
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
629 mlog(1, "[DroneBL] $ip submission expired.\n") unless ($entry->{"sent"} > 0);
630 delete($dronebl{$ip});
631 }
632 }
633 }
### Queue $mip for a DroneBL submission of type $mtype, as seen at $mdate.
### Nothing is queued when DroneBL support is off, when the host is on the
### no-action list, when the stats entry says it was already submitted or
### queued, or when it is already in the queue.
sub dronebl_queue($$$)
{
    my ($mip, $mdate, $mtype) = @_;

    # DroneBL support disabled in configuration
    return unless ($settings{"DRONEBL"} > 0);

    # Hosts on the no-action list are never reported
    return if check_hosts_array(\@noaction_ips, $mip);

    # Stats entry already marks this host as submitted/queued: no requeue
    my $stat = $statlist{$mip};
    return if (defined($stat) && defined($stat->{"dronebl"}) && $stat->{"dronebl"} > 0);

    # Already waiting in the queue
    return if defined($dronebl{$mip});

    mlog(2, "[DroneBL] Queueing $mip \@ $mdate (type $mtype)\n");
    $dronebl{$mip} = {
        "type"  => $mtype,
        "date"  => $mdate,
        "sent"  => 0,
        "tries" => 0,
    };
    # Mark the stats entry (when one exists) so the host is not requeued
    $stat->{"dronebl"} = 1 if defined($stat);
}
#############################################################################
### Evidence gathering
#############################################################################
# Evidence queue keyed by the offending URI. Each entry carries the "coll"
# file name stem, the set of requesting hosts and the set of full request
# lines; evidence_queue() fills it and evidence_gather() drains it.
my %evidence = ();
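### Queue a URI for evidence gathering: $mdata is the offending URI, $mip
### the host that requested it and $mfull the full request line. Repeated
### calls for the same URI accumulate hosts and request lines.
sub evidence_queue($$$)
{
    my ($mip, $mdata, $mfull) = @_;

    # Evidence gathering disabled in configuration
    return unless ($settings{"EVIDENCE"} > 0);

    # Derive the file name stem ("coll") for the on-disk evidence from the
    # URI: drop the scheme, neutralise leading dots and reduce everything
    # else to a conservative character set. The URI comes straight from
    # the scanned logs, and this filter (which also replaces "/") is what
    # confines the resulting files to EVIDENCE_DIR.
    (my $coll = $mdata) =~ s{http://}{};
    $coll =~ s/^\.+/_/;
    $coll =~ s/[^A-Za-z0-9:\.]/_/g;

    # Bound the stem length: a URI longer than the filesystem's name limit
    # (NAME_MAX, 255 on common filesystems) would otherwise yield a name
    # that cannot be created, and evidence_gather() treats that open
    # failure as fatal. The full URI is still recorded in the .info file.
    my $max_len = 200;
    $coll = substr($coll, 0, $max_len) if (length($coll) > $max_len);

    $evidence{$mdata}{"coll"} = $coll;
    $evidence{$mdata}{"hosts"}{$mip} = 1;
    $evidence{$mdata}{"full"}{$mfull} = 1;
}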
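### Fetch $url (with $referer as the Referer header) and return the
### HTTP::Response, successful or not. The caller decides what to store.
sub evidence_fetch($$)
{
    my ($url, $referer) = @_;

    # The URL is taken from the scanned logs, so the agent is configured
    # defensively:
    #  - only http/https are fetched (this also covers redirect targets);
    #    LWP would otherwise service file:// and other schemes, turning
    #    the fetch into a local file read by the daemon;
    #  - the response body is capped so a hostile server cannot make the
    #    daemon buffer arbitrary data. A truncated reply is still returned
    #    as a success with a "Client-Aborted: max_size" header, which then
    #    shows up in the .info file written by evidence_gather().
    my $max_bytes = 1024 * 1024;

    my $ua = LWP::UserAgent->new;
    $ua->agent("-");
    $ua->timeout(10);
    $ua->protocols_allowed(["http", "https"]);
    $ua->max_size($max_bytes);
    $ua->default_headers->referer($referer);

    my $req = HTTP::Request->new(GET => $url);
    return $ua->request($req);
}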
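# Consecutive evidence_gather() rounds in which EVIDENCE_DIR was missing
my $evidence_dir = 0;

### Drain the evidence queue: fetch each queued URI once, store the
### response and metadata, and record the requesting hosts under
### EVIDENCE_DIR. Outside report mode at most 5 fetches are done per call.
sub evidence_gather
{
    return unless ($settings{"EVIDENCE"} > 0);

    my $base = $settings{"EVIDENCE_DIR"};

    # Tolerate the evidence directory going away for a while, but give up
    # if it stays absent. The counter is post-incremented in the condition,
    # so the count in the message already includes the current round.
    if (! -e $base) {
        mlog(-1, "Evidence directory '$base' has disappeared.\n") unless ($evidence_dir > 0);
        mdie("Evidence directory '$base' has been absent for $evidence_dir cycles, dying.\n") if ($evidence_dir++ > 10);
        return;
    }
    $evidence_dir = 0;

    my $dns = Net::DNS::Resolver->new;
    my $fetched = 0;
    foreach my $url (keys %evidence) {
        my $stem = $base."/".$evidence{$url}{"coll"};
        my $data_file = $stem.".data";
        my $hosts_file = $stem.".hosts";
        my $info_file = $stem.".info";

        # Get data contents only once; the .data file is the marker
        if (! -e $data_file) {
            $fetched++;
            _evidence_store($url, $data_file, $info_file);
        }

        _evidence_write_hosts($dns, $url, $hosts_file);

        # This entry has been handled, delete it
        delete($evidence{$url});

        # If not in report mode, handle only 5 fetched entries at time;
        # the rest wait for the next round.
        return unless ($reportmode || $fetched < 5);
    }
}

### Fetch $url and write its evidence files: $data_file gets the body,
### $info_file the response metadata and the queued request lines.
sub _evidence_store
{
    my ($url, $data_file, $info_file) = @_;

    mlog(1, "Fetching evidence for $url\n");
    my $res = evidence_fetch($url, "");

    # The body is stored verbatim as bytes. An unsuccessful fetch still
    # leaves an (empty) .data file so the URL is not retried every round.
    open(my $data, ">:raw", $data_file) or mdie("Could not open '$data_file' for writing.\n");
    if ($res->is_success && $res->code >= 200 && $res->code <= 201) {
        print {$data} $res->content;
    }
    # Buffered write errors only surface at close
    close($data) or mlog(-1, "Error writing '$data_file': $!\n");

    open(my $info, ">:raw", $info_file) or mdie("Could not open '$info_file' for writing.\n");
    print {$info} "XSS URI : $url\n";
    print {$info} "Time of retrieval : ".get_time_str(time())."\n";
    print {$info} "HTTP return code : [".$res->code."] ".$res->message."\n";
    print {$info} "Content-Type : ".($res->content_type ? $res->content_type : "?")."\n";
    print {$info} "Last modified : ".($res->last_modified ? $res->last_modified : "?")."\n";
    print {$info} "------ HTTP Headers ------\n".$res->headers_as_string."\n";
    print {$info} "------ Requests ------\n";
    print {$info} $_."\n" foreach (keys %{$evidence{$url}{"full"}});
    close($info) or mlog(-1, "Error writing '$info_file': $!\n");
}

### Write (or append to) $hosts_file for $url: one line per requesting
### host with the PTR names $dns finds for it, skipping hosts the file
### already lists.
sub _evidence_write_hosts
{
    my ($dns, $url, $hosts_file) = @_;
    my $hosts = $evidence{$url}{"hosts"};

    my $fh;
    if (-e $hosts_file) {
        # Appending: drop the hosts an earlier round already wrote.
        # NOTE(review): only dotted-quad IPv4 lines are recognised here, so
        # any other address form would be written again.
        open($fh, "<", $hosts_file) or mdie("Could not open '$hosts_file' for reading.\n");
        while (my $line = <$fh>) {
            delete($hosts->{$1}) if ($line =~ /^(\d+\.\d+\.\d+\.\d+) *\|/);
        }
        close($fh);
        open($fh, ">>", $hosts_file) or mdie("Could not open '$hosts_file' for appending.\n");
    } else {
        open($fh, ">", $hosts_file) or mdie("Could not open '$hosts_file' for writing.\n");
    }

    foreach my $host (sort keys %{$hosts}) {
        # Net::DNS performs a PTR lookup when handed an address. Read the
        # names through the PTR accessor rather than the RR's internal
        # hash, whose layout is not part of the module's interface.
        my @names = ();
        my $query = $dns->search($host);
        if ($query) {
            foreach my $rr ($query->answer) {
                push(@names, $rr->ptrdname) if ($rr->type eq "PTR");
            }
        }
        printf {$fh} "%-15s | %s\n", $host, join(" | ", @names);
    }
    close($fh) or mlog(-1, "Error writing '$hosts_file': $!\n");
}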
#############################################################################
### Entry management / handling functions
#############################################################################
### Check if given IP or host exists in array
### Returns 0 when nothing matches, otherwise a code for the kind of match:
### 1 identical address/range, 2 the array entry lies inside the checked
### address/range, 3 the checked address lies inside the entry, 4 plain
### string equality (for entries that do not parse as addresses).
sub check_hosts_array($$)
{
    my ($list, $chk_host) = @_;
    my $chk_ip = Net::IP->new($chk_host);

    # Map Net::IP overlap results onto this function's result codes; the
    # other overlap kinds (none, partial) do not count as a match.
    my %code_of = (
        $IP_IDENTICAL      => 1,
        $IP_B_IN_A_OVERLAP => 2,
        $IP_A_IN_B_OVERLAP => 3,
    );

    foreach my $entry (@{$list}) {
        my $entry_ip = Net::IP->new($entry);
        if (defined($chk_ip) && defined($entry_ip)) {
            my $overlap = $chk_ip->overlaps($entry_ip);
            if (defined($overlap) && exists($code_of{$overlap})) {
                return $code_of{$overlap};
            }
        }
        # Literal comparison covers entries that are not addresses
        return 4 if ($chk_host eq $entry);
    }
    return 0;
}
### Check IP/host against | separated list of IPs/hosts
### Returns the same match codes as check_hosts_array().
sub check_hosts($$)
{
    my ($list, $host) = @_;

    # Entries are separated by "|"; whitespace around them is ignored
    my @entries = split(/\s*\|\s*/, $list);
    return check_hosts_array(\@entries, $host);
}
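### Execute iptables
### Runs IPTABLES with the given arguments in list form, so no shell is
### involved. In DRY_RUN mode the command line is only logged.
### Returns 1 on success (or dry run), 0 when the command failed.
sub exec_iptables(@)
{
    # No search path: IPTABLES has to be an absolute path.
    $ENV{"PATH"} = "";
    my @args = ($settings{"IPTABLES"}, @_);

    if ($settings{"DRY_RUN"}) {
        mlog(3, ":: ".join(" ", @args)."\n");
        return 1;
    }

    return 1 if (system(@args) == 0);

    # Decode the wait status so the log says what actually went wrong, and
    # report through the daemon log like every other error path here
    # rather than to STDOUT.
    my $reason;
    if ($? == -1) {
        $reason = "could not execute: $!";
    } elsif ($? & 127) {
        $reason = "killed by signal ".($? & 127);
    } else {
        $reason = "exit code ".($? >> 8);
    }
    mlog(-1, join(" ", @args)." failed: $reason\n");
    return 0;
}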
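### Get current Netfilter table entries that match entry types we
### manage, e.g. filterlist
### Reconciles %filterlist with what FILTER_CHAIN currently holds.
### $first < 0 suppresses the "appeared" messages (initial import).
sub update_filterlist($)
{
    my ($first) = @_;
    return unless ($settings{"FILTER"} > 0);

    # No search path: IPTABLES has to be an absolute path.
    $ENV{"PATH"} = "";

    # List-form pipe open: the arguments go to execvp() directly and never
    # through /bin/sh, the same way exec_iptables() runs the binary. Perl
    # reports an exec failure in the child as a false return here.
    my @cmd = ($settings{"IPTABLES"}, "-v", "-n",
        "-t", $settings{"FILTER_TABLE"},
        "-L", $settings{"FILTER_CHAIN"});
    open(my $status, "-|", @cmd) or
        mdie("Could not execute ".$settings{"IPTABLES"}."\n");

    # FILTER_TARGET is configuration, not a pattern: quote it so regex
    # metacharacters in the value cannot change what the line match does.
    my $target = quotemeta($settings{"FILTER_TARGET"});
    my $rule_re = qr/^\s*(\d+)\s+\d+\s+$target\s+all\s+--\s+\*\s+\*\s+(\d+\.\d+\.\d+\.\d+)\s+0\.0\.0\.0\/0\s*$/;

    my %newlist = ();
    while (my $line = <$status>) {
        chomp($line);
        next unless ($line =~ $rule_re);
        my $mip = $2;
        if (!defined($filterlist{$mip})) {
            mlog(2, "* $mip appeared in iptables.\n") unless ($first < 0);
            $filterlist{$mip} = time();
        }
        $newlist{$mip} = 1;
        # Record the address in the stats; the trailing 0 is meant to keep
        # this from counting as a hit (update_entry is defined elsewhere).
        update_entry(\%statlist, $mip, -1, "IPTABLES", "", 0);
    }

    # For a pipe handle close() reaps the child and leaves its exit status
    # in $?. Without a successful listing the reconcile below would treat
    # every known entry as removed from the chain, so bail out instead.
    unless (close($status)) {
        mlog(-1, "Listing chain ".$settings{"FILTER_CHAIN"}." with ".$settings{"IPTABLES"}." failed: $?\n");
        return;
    }

    foreach my $mip (keys %filterlist) {
        next if (defined($newlist{$mip}));
        mlog(2, "* $mip removed from iptables.\n");
        delete($filterlist{$mip});
    }
}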
### Check if given timestamp is _newer_ than weedperiod threshold.
### Returns false if timestamp is over weed period, e.g. needs weeding.
### The period is FILTER_MAX_AGE, given in hours.
sub check_time1($)
{
    my ($stamp) = @_;
    my $oldest_ok = time() - $settings{"FILTER_MAX_AGE"} * 60 * 60;
    return $stamp > $oldest_ok;
}
### Like check_time1(), but against the STATS_MAX_AGE window (hours), which
### governs how long statistics of unblocked hosts are kept.
sub check_time2($)
{
    my ($stamp) = @_;
    my $oldest_ok = time() - $settings{"STATS_MAX_AGE"} * 3600;
    return ($stamp > $oldest_ok);
}
### Like check_time1(), but against the DRONEBL_MAX_AGE window, which is
### configured in _minutes_ rather than hours.
sub check_time3($)
{
    my ($stamp) = @_;
    my $oldest_ok = time() - $settings{"DRONEBL_MAX_AGE"} * 60;
    return ($stamp > $oldest_ok);
}
### Weed out one blocked host: delete its Netfilter rule and forget the
### host in the filter, statistics and ignore lists.
sub weed_do($)
{
    my ($mip) = @_;
    my $mtime = $filterlist{$mip};
    mlog(2, "* Weeding $mip (".get_time_str($mtime).")\n");
    # The rule is deleted by its full specification. exec_iptables() is
    # defined elsewhere in this file; whether a failed delete is reported
    # before the host is forgotten below is not visible here.
    exec_iptables(
        "-t", $settings{"FILTER_TABLE"},
        "-D", $settings{"FILTER_CHAIN"},
        "-s", $mip,
        "-d", "0.0.0.0/0",
        "-j", $settings{"FILTER_TARGET"});
    delete($_->{$mip}) foreach (\%filterlist, \%statlist, \%ignorelist);
}
### Weed out stale entries: unblock hosts whose last hit is older than
### FILTER_MAX_AGE, then drop statistics and ignore-list records that are
### older than STATS_MAX_AGE. A no-op when filtering is disabled or when
### running in report mode.
sub weed_entries()
{
    return unless ($settings{"FILTER"} > 0 && $reportmode == 0);

    # Pass 1: currently blocked hosts. The last-hit timestamp is taken from
    # %statlist; a host with a negative stamp, or with no statistics record
    # at all, is unblocked right away.
    foreach my $mip (keys %filterlist) {
        my $stats = $statlist{$mip};
        if (defined($stats)) {
            my $last = $stats->{"date2"};
            weed_do($mip) if ($last < 0 || !check_time1($last));
        } elsif (defined($filterlist{$mip})) {
            weed_do($mip);
        }
    }

    # Pass 2: statistics of hosts that are not blocked and have not been
    # seen within STATS_MAX_AGE.
    foreach my $mip (keys %statlist) {
        next unless defined($statlist{$mip});
        my $mtime = $statlist{$mip}{"date2"};
        next if (check_time2($mtime) || defined($filterlist{$mip}));
        mlog(3, "* Deleting stale $mip (".get_time_str($mtime).")\n");
        delete($statlist{$mip});
    }

    # Pass 3: the same age limit applies to the ignore list.
    foreach my $mip (keys %ignorelist) {
        next unless defined($ignorelist{$mip});
        my $mtime = $ignorelist{$mip}{"date2"};
        next if check_time2($mtime);
        mlog(3, "* Deleting stale ignored $mip (".get_time_str($mtime).")\n");
        delete($ignorelist{$mip});
    }
}
### Update the first-seen ("date1") and last-seen ("date2") timestamps of
### one entry hash (a host entry or one of its per-class "reason" records)
### with a new timestamp.
sub update_date($$)
{
    my ($entry, $stamp) = @_;

    # first-seen: set when missing, or when a real (positive) stamp replaces
    # a negative placeholder; otherwise the original value is kept
    my $first = $entry->{"date1"};
    if (!defined($first) || ($stamp > 0 && $first < 0)) {
        $entry->{"date1"} = $stamp;
    }

    # last-seen: always the newest stamp observed so far
    my $last = $entry->{"date2"};
    if (!defined($last) || $stamp > $last) {
        $entry->{"date2"} = $stamp;
    }
}
### Record one hit for host $mip in the list hash $struct (e.g. \%statlist
### or \%ignorelist). The per-host entry and its per-class "reason" record
### are created on demand; hit counters are bumped when $addhits is true
### (otherwise only initialised to 1 if missing); the reason message is
### stored, and the first/last-seen timestamps are refreshed.
### Returns the host's total hit count, or nothing when the host is listed
### in NOACTION_IPS.
sub update_entry($$$$$$)
{
    my ($struct, $mip, $mdate, $mclass, $mreason, $addhits) = @_;

    return if check_hosts_array(\@noaction_ips, $mip);

    $struct->{$mip} = {} unless defined($struct->{$mip});
    my $entry = $struct->{$mip};
    $entry->{"reason"}{$mclass} = {} unless defined($entry->{"reason"}{$mclass});
    my $reason = $entry->{"reason"}{$mclass};
    $entry->{"dronebl"} = 0 unless defined($entry->{"dronebl"});

    # Same counter rule for the host total and the per-class record.
    foreach my $rec ($entry, $reason) {
        if ($addhits) {
            $rec->{"hits"}++;
        } elsif (!defined($rec->{"hits"})) {
            $rec->{"hits"} = 1;
        }
    }

    # In report mode every message is kept; otherwise only the latest one.
    if ($reportmode) {
        push(@{$reason->{"msg"}}, $mreason);
    } else {
        $reason->{"msg"} = $mreason;
    }

    update_date($_, $mdate) foreach ($entry, $reason);

    return $entry->{"hits"};
}
### Register one hit for a host and, once its hit count reaches the
### configured thresholds, block it in Netfilter (unless already blocked)
### and/or queue it for DroneBL reporting.
### Arguments: host, timestamp string, class, reason text, DroneBL type
### (0 = none) and a flag telling whether the originating test is enabled.
sub check_add_hit($$$$$$)
{
    my ($mip, $stamp, $mclass, $mreason, $mtype, $mcond) = @_;
    # NOTE(review): str2time() yields undef for a timestamp it cannot parse;
    # nothing below rejects that case, so such a hit is still counted and
    # the age checks simply fail for it.
    my $mdate = str2time($stamp);

    if (check_hosts_array(\@noaction_ips, $mip)) {
        mlog(2, "Hit to NOACTION_IPS($mip): [$mclass] $mreason\n");
        return;
    }

    # A hit for a disabled test is only remembered in the ignore list.
    unless ($mcond) {
        update_entry(\%ignorelist, $mip, $mdate, $mclass, $mreason, 1);
        return;
    }
    my $cnt = update_entry(\%statlist, $mip, $mdate, $mclass, $mreason, 1);

    # Block when the threshold is reached and the hit is recent enough.
    if ($settings{"FILTER"} > 0 && $cnt >= $settings{"FILTER_THRESHOLD"} && check_time1($mdate)) {
        unless (defined($filterlist{$mip})) {
            mlog(1, "* Adding $mip \@ ".get_time_str($mdate).": [$mclass] $mreason\n");
            # $mip originates from parsed log data; it is assumed that the
            # caller's log patterns have already constrained it to an address
            # and that exec_iptables() (defined elsewhere) passes the argument
            # list on without a shell -- confirm both when touching this.
            exec_iptables(
                "-t", $settings{"FILTER_TABLE"},
                "-I", $settings{"FILTER_CHAIN"}, "1",
                "-s", $mip,
                "-j", $settings{"FILTER_TARGET"});
        }
        # Remember the time of the last hit for weeding.
        $filterlist{$mip} = $mdate;
    }

    # DroneBL reporting has its own threshold and (minute-based) age window.
    if ($mtype > 0 && $cnt >= $settings{"DRONEBL_THRESHOLD"} && check_time3($mdate)) {
        dronebl_queue($mip, $mdate, $mtype);
    }
}
1011 #############################################################################
1012 ### Main helper functions
1013 #############################################################################
### Print a log entry when $level is below the configured VERBOSITY.
### The entry goes to the logfile (timestamped) when one is open, else to
### STDERR in dry-run mode, else nowhere. Note that $msg often embeds text
### parsed from the scanned log files.
sub mlog($$)
{
    my ($level, $msg) = @_;
    return unless ($settings{"VERBOSITY"} > $level);
    if ($LOGFILE) {
        print {$LOGFILE} "[".get_time_str(time())."] ".$msg;
    } elsif ($settings{"DRY_RUN"}) {
        print STDERR $msg;
    }
}
### Like Perl's die(), but the message is also written to the logfile
### when one is open.
sub mdie($)
{
    my ($msg) = @_;
    mlog(-1, $msg) if ($LOGFILE);
    die($msg);
}
1033 ### Initialize
23
cb0a4b747cf0 Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents: 21
diff changeset
1034 sub malt_init
cb0a4b747cf0 Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents: 21
diff changeset
1035 {
57
a70493b6c916 Clear %statlist and %ignorelist when re-initializing (due to HUP), so we don't count stats twice.
Matti Hamalainen <ccr@tnsp.org>
parents: 55
diff changeset
1036 %statlist = ();
a70493b6c916 Clear %statlist and %ignorelist when re-initializing (due to HUP), so we don't count stats twice.
Matti Hamalainen <ccr@tnsp.org>
parents: 55
diff changeset
1037 undef(%statlist);
a70493b6c916 Clear %statlist and %ignorelist when re-initializing (due to HUP), so we don't count stats twice.
Matti Hamalainen <ccr@tnsp.org>
parents: 55
diff changeset
1038 %ignorelist = ();
a70493b6c916 Clear %statlist and %ignorelist when re-initializing (due to HUP), so we don't count stats twice.
Matti Hamalainen <ccr@tnsp.org>
parents: 55
diff changeset
1039 undef(%ignorelist);
66
42889eed0ce8 Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents: 65
diff changeset
1040 update_filterlist(-1);
57
a70493b6c916 Clear %statlist and %ignorelist when re-initializing (due to HUP), so we don't count stats twice.
Matti Hamalainen <ccr@tnsp.org>
parents: 55
diff changeset
1041
54
19dace24ad46 Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents: 53
diff changeset
1042 foreach my $filename (@scanfiles_once) {
58
a780a23e19a8 Change parsing status log messages.
Matti Hamalainen <ccr@tnsp.org>
parents: 57
diff changeset
1043 mlog(0, "Parsing [ONCE] ".$filename." ...\n");
54
19dace24ad46 Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents: 53
diff changeset
1044 if (open(INFILE, "<", $filename)) {
19dace24ad46 Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents: 53
diff changeset
1045 while (<INFILE>) {
19dace24ad46 Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents: 53
diff changeset
1046 chomp;
19dace24ad46 Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents: 53
diff changeset
1047 check_log_line($_);
19dace24ad46 Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents: 53
diff changeset
1048 }
19dace24ad46 Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents: 53
diff changeset
1049 } else {
19dace24ad46 Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents: 53
diff changeset
1050 mlog(-1, "Could not open '".$filename."', skipping now.\n");
19dace24ad46 Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents: 53
diff changeset
1051 }
19dace24ad46 Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents: 53
diff changeset
1052 close(INFILE);
19dace24ad46 Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents: 53
diff changeset
1053 }
0
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
1054
3
368182409eac More variable cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents: 2
diff changeset
1055 foreach my $filename (@scanfiles) {
1056 local *INFILE;
1057 mlog(0, "Initial parsing ".$filename." ...\n");
1058 if (open(INFILE, "<", $filename)) {
1059 $filehandles{$filename} = *INFILE;
1060 while (<INFILE>) {
1061 chomp;
1062 check_log_line($_);
1063 }
1064 } else {
1065 mlog(-1, "Could not open '".$filename."', skipping now.\n");
1066 }
1067 }
1068 }
1070 ### Quick cleanup (not complete shutdown)
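sub malt_cleanup
{
    # Quick cleanup: close every log file that the scan setup opened and
    # forget its handle. Forgetting the entry matters for the HUP path,
    # which calls this and then reopens the files: a file that fails to
    # reopen would otherwise keep its old, closed handle in %filehandles
    # and the main loop would keep trying to tell()/readline() from it.
    # keys() returns a copy of the key list, so deleting while iterating
    # is safe.
    foreach my $filename (keys %filehandles) {
        close($filehandles{$filename});
        delete($filehandles{$filename});
    }
}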
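sub malt_finish
{
    # Final shutdown: remove the pid-file (if one is configured and present)
    # and release the log file handle. The INT/TERM handlers call this after
    # malt_cleanup().
    if ($pid_file ne "" && -e $pid_file) {
        # Report a failed unlink while the logfile is still open instead of
        # failing silently; a stale pid-file is easy to miss.
        unlink($pid_file)
            or mlog(-1, "Could not remove pid-file '".$pid_file."': $!\n");
    }
    # Close the logfile last so the message above can still reach it.
    close($LOGFILE) if (defined($LOGFILE));
    undef($LOGFILE);
}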
1089 ### Signal handlers
sub malt_int
{
    # SIGINT handler: announce the interrupt, release log handles and the
    # pid-file, then leave with a non-zero status.
    mlog(-1, "\nCaught Interrupt (^C), aborting.\n");
    malt_cleanup();
    malt_finish();
    exit 1;
}
sub malt_term
{
    # SIGTERM handler: same teardown sequence as malt_int(), with a
    # different log message. Exits with status 1 like the INT handler.
    mlog(-1, "Received TERM, quitting.\n");
    malt_cleanup();
    malt_finish();
    exit 1;
}
sub malt_hup
{
    # SIGHUP handler: drop the open log handles, re-read the configuration
    # files and reopen/rescan the log files, then return so the main loop
    # carries on. Unlike INT/TERM this does not touch the pid-file or the
    # logfile and does not exit.
    mlog(-1, "Received HUP, reinitializing.\n");
    foreach my $step (\&malt_cleanup, \&malt_configure, \&malt_init) {
        $step->();
    }
    mlog(-1, "Reinitialization finished, resuming scanning.\n");
}
sub malt_maintenance
{
    # Periodic housekeeping run from the main loop: refresh the netfilter
    # list against the current time, expire old entries, regenerate both
    # status files (plain text and HTML), then gather evidence and process
    # DroneBL submissions.
    update_filterlist(time());
    weed_entries();

    my @status_outputs = (
        [ "STATUS_FILE_PLAIN", 0 ],
        [ "STATUS_FILE_HTML",  1 ],
    );
    foreach my $output (@status_outputs) {
        my ($setting, $as_html) = @{$output};
        generate_status($settings{$setting}, $as_html);
    }

    evidence_gather();
    dronebl_process();
}
1125 ### Main scanning function
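sub malt_scan
{
    # Main loop: tail every open log file, feed each new line to
    # check_log_line(), and run malt_maintenance() on the first pass and
    # then once every 60 one-second sleeps. Never returns; the process
    # leaves through the signal handlers.
    mlog(1, "Entering main scanning loop.\n");
    my $counter = -1;
    while (1) {
        # Remember where each file ended so we can resume after EOF.
        my %filepos = ();
        foreach my $filename (keys %filehandles) {
            my $fh = $filehandles{$filename};
            $filepos{$filename} = tell($fh);
            # Explicit defined() so a final partial line of "0" is not
            # mistaken for end of file. $_ is set (not a lexical) because
            # the initial scan also hands check_log_line() the $_ it read.
            while (defined($_ = readline($fh))) {
                chomp($_);
                check_log_line($_);
                $filepos{$filename} = tell($fh);
            }
        }
        sleep(1);
        foreach my $filename (keys %filehandles) {
            my $fh = $filehandles{$filename};
            # If the file is now shorter than our last position it was
            # truncated in place (e.g. "copytruncate" style log rotation).
            # Restart from the beginning instead of waiting for it to grow
            # past the stale offset, which would silently stop detection.
            # Rotation by rename (new inode) is not noticed here; a HUP
            # (malt_hup) reopens the files in that case.
            my $size = (stat($fh))[7];
            if (defined($size) && $size < $filepos{$filename}) {
                mlog(1, "File '".$filename."' was truncated, rescanning from start.\n");
                $filepos{$filename} = 0;
            }
            # Re-seek to the saved position to clear the EOF condition.
            seek($fh, $filepos{$filename}, 0);
        }
        if ($counter < 0 || $counter >= 60) {
            # Every once in a while, execute maintenance functions
            $counter = 0;
            malt_maintenance();
        }
        $counter++;
    }
}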
1153 ### Read one configuration file
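sub malt_read_config($)
{
    # Parse one configuration file into the global settings.
    #
    # Accepted line forms (surrounding whitespace ignored, key may be
    # quoted, "=" or "=>" accepted, optional trailing comma):
    #   KEY = 123      numeric value; stored only if KEY already has a
    #                  defined default in %settings
    #   KEY = "text"   string value; SCANFILE, SCANFILE_ONCE and
    #                  NOACTION_IPS accumulate into their lists, any other
    #                  key must already have a defined default
    # Keys are upper-cased. Comment (#) and blank lines are skipped.
    #
    # Values are stored as given; range, path and table-name checks are
    # done afterwards by malt_configure(), so nothing read here should be
    # trusted before that has run.
    #
    # Returns 0 on success, 1 if any line was rejected (each rejected line
    # is logged with file name and line number). Dies via mdie() if the
    # file cannot be opened.
    #
    # NOTE: the "($)" prototype is kept for compatibility with existing
    # call sites; it influences parsing only and validates nothing.
    my $filename = $_[0];
    my $errors = 0;
    my $line = 0;

    open(my $conffh, "<", $filename)
        or mdie("Could not open configuration '".$filename."': $!\n");
    while (<$conffh>) {
        $line++;
        chomp;
        if (/(^\s*#|^\s*$)/) {
            # Ignore comments and empty lines
        } elsif (/^\s*\"?([a-zA-Z0-9_]+)\"?\s*=>?\s*(\d+),?\s*$/) {
            my $key = uc($1);
            my $value = $2;
            if (defined($settings{$key})) {
                $settings{$key} = $value;
            } else {
                mlog(-1, "[$filename:$line] Unknown setting '$key' = $value\n");
                $errors = 1;
            }
        } elsif (/^\s*\"?([a-zA-Z0-9_]+)\"?\s*=>?\s*\"(.*?)\",?\s*$/) {
            my $key = uc($1);
            my $value = $2;
            if ($key eq "SCANFILE") {
                push(@scanfiles, $value);
            } elsif ($key eq "SCANFILE_ONCE") {
                push(@scanfiles_once, $value);
            } elsif ($key eq "NOACTION_IPS") {
                push(@noaction_ips, $value);
            } elsif (defined($settings{$key})) {
                $settings{$key} = $value;
            } else {
                mlog(-1, "[$filename:$line] Unknown setting '$key' = '$value'\n");
                $errors = 1;
            }
        } else {
            mlog(-1, "[$filename:$line] Syntax error: $_\n");
            $errors = 1;
        }
    }
    close($conffh);

    # Force dry run mode if we are reporting only. Applied once after the
    # whole file has been read: doing it inside the string-value branch
    # meant a later numeric "DRY_RUN = 0" line could re-enable actions,
    # and a file with no string settings never forced it at all.
    if ($reportmode) {
        $settings{"DRY_RUN"} = 1;
    }
    return $errors;
}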
1203 ### Read all configuration files
1204 sub malt_configure
1205 {
1206 # Let user define his/her own logfiles to scan
1207 @scanfiles = ();
1208 undef(@scanfiles);
1210 @scanfiles_once = ();
1211 undef(@scanfiles_once);
1213 @noaction_ips = ();
1214 undef(@noaction_ips);
1216 foreach my $filename (@configfiles) {
1217 mdie("Errors in configuration file '$filename', bailing out.\n")
1218 unless (malt_read_config($filename) == 0);
1219 }
1221 # Clean up certain arrays duplicate entries
1222 my %saw = ();
1223 @scanfiles = grep(!$saw{$_}++, @scanfiles);
1225 %saw = ();
1226 @scanfiles_once = grep(!$saw{$_}++, @scanfiles_once);
1228 %saw = ();
1229 push(@noaction_ips, @noaction_ips_def);
1230 @noaction_ips = grep(!$saw{$_}++, @noaction_ips);
1231 undef(%saw);
1233 mlog(-1, "Not acting on IPs: ".join(", ", @noaction_ips)."\n");
1235 # Check if we have anything to do
1236 if ($reportmode) {
1237 mdie("Nothing to do, no SCANFILE(s) or SCANFILE_ONCE(s) defined in configuration.\n") unless (scalar @scanfiles > 0 || scalar @scanfiles_once > 0);
1238 } else {
1239 mdie("Nothing to do, no SCANFILE(s) defined in configuration.\n") unless (scalar @scanfiles > 0);
1240 }
1242 # General settings
1243 my $val = $settings{"STATS_MAX_AGE"};
1244 mdie("Invalid STATS_MAX_AGE value $val, must be > 0.\n") unless ($val > 0);
1246 # Filtering
1247 if ($settings{"FILTER"} > 0) {
1248 $val = $settings{"FILTER_MAX_AGE"};
1249 mdie("Invalid FILTER_MAX_AGE value $val, must be > 0.\n") unless ($val > 0);
1251 $val = $settings{"FILTER_THRESHOLD"};
1252 mdie("Invalid FILTER_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0);
1254 $val = $settings{"IPTABLES"};
1255 mdie("Iptables binary does not exist or is not executable: $val\n") unless (-e $val && -x $val);
1257 $val = $settings{"FILTER_TARGET"};
1258 mdie("Value of FILTER_TARGET must not be empty!\n") unless ($val ne "");
1260 my $mtable = $settings{"FILTER_TABLE"};
1261 mdie("Value of FILTER_TABLE should be one of ".join(", ", keys %filter_valid_tables).".\n")
1262 unless defined($filter_valid_tables{$mtable});
1263
1264 $val = $settings{"FILTER_CHAIN"};
1265 mdie("Value of FILTER_CHAIN must not be empty!\n") unless ($val ne "");
1266 } else {
1267 mlog(1, "Netfilter handling disabled.\n");
1268 }
1269
1270 # Check evidence settings
1271 if ($settings{"EVIDENCE"} > 0) {
1272 my $base = $settings{"EVIDENCE_DIR"};
1273 mdie("Evidence directory (EVIDENCE_DIR) not set in configuration.\n") if ($base eq "");
1274 mdie("Evidence directory '$base' does not exist.\n") unless (-e $base);
1275 mdie("Path '$base' is not a directory.\n") unless (-d $base);
1276 mdie("Evidence directory '$base' is not writable by euid.\n") unless (-w $base);
1277 }
1278
1279 # Sanitize DroneBL configuration
1280 if ($settings{"DRONEBL"} > 0) {
1281 mdie("DroneBL enabled, but DRONEBL_RPC_KEY not set.\n") unless ($settings{"DRONEBL_RPC_KEY"} ne "");
1282
1283 $val = $settings{"DRONEBL_MAX_AGE"};
1284 mdie("Invalid DRONEBL_MAX_AGE value $val, must be > 10.\n") unless ($val > 10);
1285
1286 $val = $settings{"DRONEBL_THRESHOLD"};
1287 mdie("Invalid DRONEBL_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0);
1288
1289 $val = $settings{"DRONEBL_MAX_ERRORS"};
1290 mdie("Invalid DRONEBL_MAX_ERRORS value $val, must be >= 0.\n") unless ($val >= 0);
1291
1292 $val = $settings{"DRONEBL_SUSPEND"};
1293 mdie("Invalid DRONEBL_SUSPEND value $val, must be >= 1.\n") unless ($val >= 1);
1294 }
1295
1296 # Check system account / passwd settings
1297 mdie("SYSACCT_MIN_UID must be >= 1.\n") unless ($settings{"SYSACCT_MIN_UID"} >= 1);
1298 mdie("SYSACCT_MAX_UID must be >= SYSACCT_MIN_UID.\n") unless ($settings{"SYSACCT_MAX_UID"} >= $settings{"SYSACCT_MIN_UID"});
1299
1300 open(PASSWD, "<", $settings{"PASSWD"}) or mdie("Could not open '".$settings{"PASSWD"}."' for reading!\n");
1301 while (<PASSWD>) {
1302 my @fields = split(/\s*:\s*/);
1303 if ($fields[2] >= $settings{"SYSACCT_MIN_UID"} && $fields[2] <= $settings{"SYSACCT_MAX_UID"}) {
1304 $systemacct{$fields[0]} = $fields[2];
1305 }
1306 }
1307 close(PASSWD);
1308 }
1309
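#############################################################################
###
### Main program
###
#############################################################################
# Install signal handlers (the handler subs are presumably defined
# elsewhere in this file; they are only referenced by name here).
$SIG{'INT'}  = \&malt_int;
$SIG{'TERM'} = \&malt_term;
$SIG{'HUP'}  = \&malt_hup;

# Print banner and usage, then exit, when invoked without arguments.
my $argc = scalar @ARGV;
if ($argc < 1) {
    print STDERR $progbanner.
        "\n".
        "Usage: maltfilter <pid filename> [config filename] [config filename...]\n".
        " maltfilter -f [config filename] [config filename...]\n".
        "-f turns on the full report mode.\n";
    exit;
}

# The first argument is either the pid file name or "-f" (full report
# mode). Refuse to start over an existing pid file; this check happens
# before the configuration is read.
$pid_file = shift;
if ($pid_file eq "-f") {
    $reportmode = 1;
    print STDERR $progbanner;
    # NOTE(review): $pid_file is left holding "-f" here; unless the
    # configuration implies DRY_RUN in report mode, the fork branch below
    # would use "-f" as the pid file name -- confirm against malt_configure().
} else {
    mdie("'$pid_file' already exists, not starting.\n".
         "If the daemon is NOT running, remove the pid-file and re-start.\n")
        if (-e $pid_file);
}

# Remaining arguments are configuration files, consumed by malt_configure().
while (defined(my $filename = shift)) {
    push(@configfiles, $filename);
}

malt_configure();

# Open the logfile, unless dry-running (dry-run notices go to STDERR).
if ($settings{"DRY_RUN"}) {
    print STDERR
        "*********************************\n".
        "* NOTICE! DRY-RUN MODE ENABLED! *\n".
        "*********************************\n";
} elsif ($settings{"LOGFILE"} ne "") {
    # Plain die() here: the log handle that mdie() would presumably
    # report through is the one that failed to open.
    open($LOGFILE, ">>", $settings{"LOGFILE"}) or die("Could not open logfile '".$settings{"LOGFILE"}."' for writing!\n");
    # Enable autoflush on the logfile without changing the currently
    # selected default output handle.
    select((select($LOGFILE), $| = 1)[0]);
    mlog(-1, "Log started\n");
}

# Initialize
malt_init();

# Run in the foreground when dry-running; otherwise fork to background.
if ($settings{"DRY_RUN"}) {
    if ($reportmode) {
        malt_maintenance();
        malt_cleanup();
    } else {
        malt_scan();
        malt_cleanup();
    }
} else {
    # fork() returns undef on failure. The previous "if (my $pid = fork)"
    # treated that like the child case, so a failed fork silently ran the
    # scanner in the foreground without ever writing a pid file.
    my $pid = fork;
    mdie("Could not fork to background: $!\n") unless defined($pid);
    if ($pid) {
        # Parent: record the child's pid; nothing else is done here.
        open(my $pidfh, ">", $pid_file) or mdie("Could not open pid file '".$pid_file."' for writing!\n");
        print {$pidfh} "$pid\n";
        # Buffered write errors only surface at close(), so check it.
        close($pidfh) or mdie("Could not write pid file '".$pid_file."': $!\n");
    } else {
        # Child: the daemon proper. NOTE(review): nothing in this block
        # detaches the child (no setsid(), chdir or std handle redirect);
        # confirm whether malt_init()/malt_scan() take care of that.
        malt_scan();
        malt_cleanup();
    }
}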