Mercurial > hg > maltfilter
annotate maltfilter @ 79:9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
usage improvements.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Sat, 29 Aug 2009 05:24:31 +0300 |
| parents | 4769aad8bd14 |
| children | 4e3f87470426 |
| rev | line source |
|---|---|
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1 #!/usr/bin/perl -w |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
2 ############################################################################# |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
3 # |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
4 # Malicious Attack Livid Termination Filter daemon (maltfilter) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
5 # Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org> |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
6 # (C) Copyright 2009 Tecnic Software productions (TNSP) |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
7 # |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
8 ############################################################################# |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
9 use strict; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
10 use Date::Parse; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
11 use Net::IP; |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
12 use Net::DNS; |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
13 use LWP::UserAgent; |
|
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
14 use IO::Seekable; |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
15 |
|
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
16 my $progversion = "0.18.0"; |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
17 my $progbanner = |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
18 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
19 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n". |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
20 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n"; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
21 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
22 |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
23 ############################################################################# |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
24 ### Default settings and configuration |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
25 ############################################################################# |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
26 my %settings = ( |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
27 "VERBOSITY" => 3, |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
28 "DRY_RUN" => 1, |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
29 "LOGFILE" => "", |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
30 "STATS_MAX_AGE" => 336, # in hours |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
31 |
| 65 | 32 "PASSWD" => "/etc/passwd", |
| 33 "SYSACCT_MIN_UID" => 1, | |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
34 "SYSACCT_MAX_UID" => 999, |
| 65 | 35 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
36 "FILTER" => 0, |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
37 "FILTER_THRESHOLD" => 3, |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
38 "FILTER_MAX_AGE" => 168, # in hours |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
39 "FILTER_TARGET" => "DROP", |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
40 "IPTABLES" => "/sbin/iptables", |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
41 |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
42 "FULL_TIME" => 1, |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
43 "STATUS_FILE_PLAIN" => "", |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
44 "STATUS_FILE_HTML" => "", |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
45 "STATUS_FILE_CSS" => "", |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
46 "WHOIS_URL" => "http://whois.domaintools.com/", |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
47 |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
48 "CHK_SSHD" => 1, |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
49 "CHK_KNOWN_CGI" => 1, |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
50 "CHK_PHP_XSS" => 1, |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
51 "CHK_PROXY_SCAN" => 1, |
|
4
b2c7c76b3529
Added scanning feature for SSH root login attempts with failed passwords.
Matti Hamalainen <ccr@tnsp.org>
parents:
3
diff
changeset
|
52 "CHK_ROOT_SSH_PWD" => 0, |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
53 "CHK_SYSACCT_SSH_PWD" => 0, |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
54 "CHK_GOOD_HOSTS" => "", |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
55 |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
56 "EVIDENCE" => 0, |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
57 "EVIDENCE_DIR" => "", |
| 65 | 58 |
| 59 "DRONEBL" => 0, | |
| 60 "DRONEBL_THRESHOLD" => 5, | |
| 61 "DRONEBL_MAX_AGE" => 30, # in minutes | |
| 62 "DRONEBL_RPC_URI" => "http://dronebl.org/RPC2", | |
| 63 "DRONEBL_RPC_KEY" => "", | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
64 ); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
65 |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
66 # List loopback and private netblocks by default here |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
67 my @noaction_ips_def = ( |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
68 "127.0.0.0/8", |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
69 "10.0.0.0/8", |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
70 "172.16.0.0/12", |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
71 "192.168.0.0/16" |
| 7 | 72 ); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
73 |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
74 my %systemacct = (); |
| 65 | 75 sub check_add_hit($$$$$$); |
| 76 | |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
77 |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
78 ############################################################################# |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
79 ### Check given logfile line for matches |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
80 ############################################################################# |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
81 sub check_log_line($) |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
82 { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
83 # (1) SSHD scans |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
84 if (/^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: (.*)/) { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
85 my $mdate = $1; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
86 my $merr = $2; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
87 |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
88 # (1.1) Generic login scan attempts |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
89 if ($merr =~ /^Failed password for invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)/) { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
90 check_add_hit($2, $mdate, "SSH login scan", "", 13, $settings{"CHK_SSHD"}); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
91 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
92 # (1.2) Root account SSH login password bruteforcing attempts. |
|
76
4769aad8bd14
Root password bruteforcing check was not always working, fixed.
Matti Hamalainen <ccr@tnsp.org>
parents:
74
diff
changeset
|
93 elsif ($merr =~ /^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
94 check_add_hit($1, $mdate, "Root SSH password bruteforce", "", 13, $settings{"CHK_ROOT_SSH_PWD"}); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
95 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
96 # (1.3) System account SSH login password bruteforcing attempts. |
|
76
4769aad8bd14
Root password bruteforcing check was not always working, fixed.
Matti Hamalainen <ccr@tnsp.org>
parents:
74
diff
changeset
|
97 elsif ($merr =~ /^Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)/) { |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
98 my $mip = $2; my $macct = $1; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
99 if (defined($systemacct{$macct})) { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
100 check_add_hit($mip, $mdate, "SSH system account bruteforce", $macct, 13, $settings{"CHK_SYSACCT_SSH_PWD"}); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
101 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
102 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
103 } |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
104 |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
105 # (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin) |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
106 elsif (/^\[(.+?)\]\s+\[error\]\s+\[client\s+(\d+\.\d+\.\d+\.\d+)\]\s+(.+)$/) { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
107 my $mdate = $1; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
108 my $mip = $2; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
109 my $merr = $3; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
110 if ($merr =~ /^File does not exist: (.+)$/) { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
111 my $tmp = $1; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
112 if ($tmp =~ /\/mss2|\/pma|admin|sql|\/roundcube|\/webmail|\/bin|\/mail|xampp|zen|mailto:|appserv|cube|round|_vti_bin|wiki/i) { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
113 check_add_hit($mip, $mdate, "CGI vuln scan", $tmp, 2, $settings{"CHK_KNOWN_CGI"}); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
114 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
115 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
116 } |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
117 |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
118 # (3) Apache common logging format checks |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
119 elsif (/(\d+\.\d+\.\d+\.\d+)\s+-\s+-\s+\[(.+?)\]\s+\"GET (\S*?) HTTP\//) { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
120 my $mdate = $2; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
121 my $mip = $1; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
122 my $merr = $3; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
123 |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
124 # (3.1) Simple match for generic PHP XSS vulnerability scans |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
125 if ($merr =~ /\.php\?\S*?=http:\/\/([^\/]+)/) { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
126 if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) { |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
127 if ($merr =~ /\.php\?\S*?=(http:\/\/[^\&\?]+\??)/) { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
128 evidence_queue($mip, $1, $merr); |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
129 } |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
130 check_add_hit($mip, $mdate, "PHP XSS", $merr, 2, $settings{"CHK_PHP_XSS"}); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
131 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
132 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
133 # (3.2) Try to match proxy scanning attempts |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
134 elsif ($merr =~ /^http:\/\/([^\/]+)/) { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
135 if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
136 check_add_hit($mip, $mdate, "Proxy scan", $merr, 2, $settings{"CHK_PROXY_SCAN"}); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
137 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
138 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
139 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
140 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
141 |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
142 |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
143 ############################################################################# |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
144 ### Global variables |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
145 ############################################################################# |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
146 my $reportmode = 0; # Full report mode |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
147 my @scanfiles = (); # Files to scan |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
148 my @scanfiles_once = (); # Files to scan only once during startup or HUP (e.g. not continuously followed) |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
149 my @noaction_ips = (); # IPs not to filter |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
150 my %filehandles = (); # Global hash holding opened scanned log filehandles |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
151 my $pid_file = ""; # Name of Maltfilter daemon pid file |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
152 my @configfiles = (); # Array of configuration file names |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
153 my $LOGFILE; # Maltfilter logfile handle |
| 65 | 154 my %dronebl = (); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
155 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
156 # IPs currently blocked in Netfilter $filterlist{$ip} = date |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
157 my %filterlist = (); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
158 |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
159 # Gathered information about hosts |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
160 # $statlist{$ip}-> |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
161 # "date1" = timestamp of first hit |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
162 # "date2" = timestamp of latest hit |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
163 # "hits" = number of hits to this IP |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
164 # "dronebl" = 0 == n/a, 1 == queued for submission, 2 == submitted |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
165 # $statlist{$ip}{"reason"}{$class}-> |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
166 # "msg" = reason message (array if $reportmode) |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
167 # "hits" = hits to this class |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
168 # "date1" = timestamp of first hit |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
169 # "date2" = timestamp of latest hit |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
170 my %statlist = (); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
171 |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
172 # Gathered information about ignored hits (e.g. hits for tests that are not enabled) |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
173 # Same fields as in %statlist |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
174 my %ignorelist = (); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
175 |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
176 |
|
2
3da95f3082d9
Misc. variable name cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
0
diff
changeset
|
177 ############################################################################# |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
178 ### Status output functionality |
|
2
3da95f3082d9
Misc. variable name cleanups.
Matti Hamalainen <ccr@tnsp.org>
parents:
0
diff
changeset
|
179 ############################################################################# |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
180 sub urlencode($) |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
181 { |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
182 my $value = $_[0]; |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
183 $value =~ s/([^a-zA-Z_0-9 ])/"%" . uc(sprintf "%lx" , unpack("C", $1))/eg; |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
184 $value =~ tr/ /+/; |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
185 return $value; |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
186 } |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
187 |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
188 my %entities = ( |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
189 "<" => "lt", |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
190 ">" => "gt", |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
191 "&" => "amp", |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
192 ); |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
193 |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
194 sub htmlentities($) |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
195 { |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
196 my $value = $_[0]; |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
197 # $value =~ s/([keys %entities])/"&".$entities{$1}.";"/eg; |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
198 foreach my $val (keys %entities) { |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
199 $value =~ s/$val/\&$entities{$val}\;/g; |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
200 } |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
201 return $value; |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
202 } |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
203 |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
204 sub get_time_str($) |
|
34
e4ffe2ce29a3
Generalize timestamp conversion to strings; Re-enable setting of timestamps in
Matti Hamalainen <ccr@tnsp.org>
parents:
32
diff
changeset
|
205 { |
|
e4ffe2ce29a3
Generalize timestamp conversion to strings; Re-enable setting of timestamps in
Matti Hamalainen <ccr@tnsp.org>
parents:
32
diff
changeset
|
206 if ($_[0] >= 0) { |
|
e4ffe2ce29a3
Generalize timestamp conversion to strings; Re-enable setting of timestamps in
Matti Hamalainen <ccr@tnsp.org>
parents:
32
diff
changeset
|
207 return scalar localtime($_[0]); |
|
e4ffe2ce29a3
Generalize timestamp conversion to strings; Re-enable setting of timestamps in
Matti Hamalainen <ccr@tnsp.org>
parents:
32
diff
changeset
|
208 } else { |
|
e4ffe2ce29a3
Generalize timestamp conversion to strings; Re-enable setting of timestamps in
Matti Hamalainen <ccr@tnsp.org>
parents:
32
diff
changeset
|
209 return "?"; |
|
e4ffe2ce29a3
Generalize timestamp conversion to strings; Re-enable setting of timestamps in
Matti Hamalainen <ccr@tnsp.org>
parents:
32
diff
changeset
|
210 } |
|
e4ffe2ce29a3
Generalize timestamp conversion to strings; Re-enable setting of timestamps in
Matti Hamalainen <ccr@tnsp.org>
parents:
32
diff
changeset
|
211 } |
|
e4ffe2ce29a3
Generalize timestamp conversion to strings; Re-enable setting of timestamps in
Matti Hamalainen <ccr@tnsp.org>
parents:
32
diff
changeset
|
212 |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
213 my @paskat = (30*24*60*60, 7*24*60*60, 24*60*60, 60*60, 60); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
214 my @opaskat = ("months", "weeks", "days", "hours", "minutes"); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
215 my @upaskat = ("month", "week", "day", "hour", "minute"); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
216 |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
217 sub get_ago_str($) |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
218 { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
219 return get_time_str($_[0]) if ($settings{"FULL_TIME"}); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
220 if ($_[0] >= 0) { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
221 my $str = ""; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
222 my $cur = time() - $_[0]; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
223 my ($r, $k, $p, $n); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
224 $n = 0; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
225 foreach my $div (@paskat) { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
226 $r = int($cur / $div); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
227 $k = ($cur % $div); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
228 if ($r > 0) { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
229 $p = ($r > 1) ? $opaskat[$n] : $upaskat[$n]; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
230 $str .= ", " if ($str ne ""); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
231 $str .= sprintf("%d %s", $r, $p); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
232 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
233 $cur = $k; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
234 $n++; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
235 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
236 return $str." ago"; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
237 } else { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
238 return "?"; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
239 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
240 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
241 |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
242 sub printH($$$$) |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
243 { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
244 my $fh = $_[1]; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
245 if ($_[0]) { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
246 print $fh "<h".$_[2].">".$_[3]."</h".$_[2].">\n"; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
247 } else { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
248 my $c = ($_[2] <= 1) ? "=" : "-"; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
249 print $fh $_[3]."\n". $c x length($_[3]) ."\n"; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
250 } |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
251 } |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
252 |
|
32
e7e484c89dbc
Added highlighting of blocked entries in summary tables.
Matti Hamalainen <ccr@tnsp.org>
parents:
30
diff
changeset
|
253 sub printTD |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
254 { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
255 my $fh = $_[1]; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
256 if ($_[0]) { |
|
52
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
257 my $s = defined($_[3]) ? " ".$_[3]." " : ""; |
|
32
e7e484c89dbc
Added highlighting of blocked entries in summary tables.
Matti Hamalainen <ccr@tnsp.org>
parents:
30
diff
changeset
|
258 print $fh "<td".$s.">".$_[2]."</td>"; |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
259 } else { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
260 print $fh $_[2]; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
261 } |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
262 } |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
263 |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
264 sub printP($$$) |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
265 { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
266 my $fh = $_[1]; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
267 if ($_[0]) { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
268 print $fh "<p>\n".$_[2]."</p>\n"; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
269 } else { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
270 print $fh $_[2]."\n"; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
271 } |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
272 } |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
273 |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
274 sub printElem |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
275 { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
276 my $fh = $_[1]; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
277 if ($_[0]) { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
278 print $fh $_[2]; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
279 } elsif (defined($_[3])) { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
280 print $fh $_[3]; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
281 } |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
282 } |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
283 |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
284 sub bb($) |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
285 { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
286 return $_[0] ? "<b>" : ""; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
287 } |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
288 |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
289 sub eb($) |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
290 { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
291 return $_[0] ? "</b>" : ""; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
292 } |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
293 |
|
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
294 sub pe($$) |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
295 { |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
296 return $_[0] ? "<$_[1]>" : ""; |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
297 } |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
298 |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
299 sub get_link($$) |
|
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
300 { |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
301 if ($settings{"WHOIS_URL"} ne "") { |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
302 return $_[0] ? "<a href=\"".$settings{"WHOIS_URL"}.$_[1]. |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
303 "\">".htmlentities($_[1])."</a>" : $_[1]; |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
304 } else { |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
305 return $_[0]; |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
306 } |
|
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
307 } |
|
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
308 |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
309 sub print_table1($$$$$$) |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
310 { |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
311 my ($m, $f, $table, $keys, $func, $class) = @_; |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
312 my $ntotal = 0; |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
313 |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
314 printElem($m, $f, |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
315 "<table class=\"".$class."\">\n". |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
316 "<tr><th>Hits</th><th>IP-address</th><th>First hit</th><th>Latest hit</th><th>Reason(s)</th></tr>\n", |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
317 |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
318 "Hits | IP-address | First hit | Latest hit | Reason(s)\n" |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
319 ); |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
320 |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
321 foreach my $mip (sort { $func->($table, $a, $b) } keys %{$keys}) { |
| 68 | 322 my $blocked = defined($filterlist{$mip}) ? "filtered" : "unfiltered"; |
|
32
e7e484c89dbc
Added highlighting of blocked entries in summary tables.
Matti Hamalainen <ccr@tnsp.org>
parents:
30
diff
changeset
|
323 printElem($m, $f, " <tr class=\"$blocked\">"); |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
324 printTD($m, $f, sprintf(bb($m)."%-10d".eb($m), $table->{$mip}{"hits"})); |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
325 printElem(!$m, $f, " | "); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
326 printTD($m, $f, sprintf("%-15s", get_link($m, $mip))); |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
327 printElem(!$m, $f, " | "); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
328 printTD($m, $f, get_ago_str($table->{$mip}{"date1"})); |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
329 printElem(!$m, $f, " | "); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
330 printTD($m, $f, get_ago_str($table->{$mip}{"date2"})); |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
331 printElem(!$m, $f, " | "); |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
332 my @reasons = (); |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
333 foreach my $class (sort keys %{$table->{$mip}{"reason"}}) { |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
334 my $msgs; |
|
18
b0017a324040
Cleanups; Disable weeding in report mode again; Don't display redundant IPTABLES reasons in blocklist report.
Matti Hamalainen <ccr@tnsp.org>
parents:
17
diff
changeset
|
335 if ($class ne "IPTABLES") { |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
336 if ($reportmode) { |
|
18
b0017a324040
Cleanups; Disable weeding in report mode again; Don't display redundant IPTABLES reasons in blocklist report.
Matti Hamalainen <ccr@tnsp.org>
parents:
17
diff
changeset
|
337 my @tmp = reverse(@{$table->{$mip}{"reason"}{$class}{"msg"}}); |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
338 if ($#tmp > 5) { $#tmp = 5; } |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
339 foreach (@tmp) { $_ = htmlentities($_); } |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
340 $msgs = join(" ".bb($m)."|".eb($m)." ", @tmp); |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
341 } else { |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
342 $msgs = $table->{$mip}{"reason"}{$class}{"msg"}; |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
343 } |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
344 push(@reasons, bb($m).$class.eb($m)." #".$table->{$mip}{"reason"}{$class}{"hits"}. |
|
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
345 " ( ".$msgs." )"); |
|
18
b0017a324040
Cleanups; Disable weeding in report mode again; Don't display redundant IPTABLES reasons in blocklist report.
Matti Hamalainen <ccr@tnsp.org>
parents:
17
diff
changeset
|
346 } |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
347 } |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
348 printTD($m, $f, join(", ", @reasons)); |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
349 printElem($m, $f, "</tr>\n", "\n"); |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
350 $ntotal++; |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
351 } |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
352 printElem($m, $f, "</table>\n"); |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
353 printP($m, $f, bb($m).$ntotal.eb($m)." entries total.\n"); |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
354 } |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
355 |
|
52
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
356 sub cmp_ips($$$) |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
357 { |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
358 my @ipa = split(/\./, $_[1]); |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
359 my @ipb = split(/\./, $_[2]); |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
360 for (my $i = 0; $i < 4; $i++) { |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
361 return -1 if ($ipa[$i] > $ipb[$i]); |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
362 return 1 if ($ipa[$i] < $ipb[$i]); |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
363 } |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
364 return 0; |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
365 } |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
366 |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
367 sub test_ips($$) |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
368 { |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
369 my @ipa = split(/\./, $_[0]); |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
370 my @ipb = split(/\./, $_[1]); |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
371 for (my $i = 0; $i < 3; $i++) { |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
372 return $i if ($ipa[$i] != $ipb[$i]); |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
373 } |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
374 return 4; |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
375 } |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
376 |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
377 my @ipcolors = ( |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
378 "#666", |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
379 "#777", |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
380 ); |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
381 |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
382 sub print_table2($$$$$$) |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
383 { |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
384 my ($m, $f, $table, $keys, $func, $class) = @_; |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
385 my $nhits = 0; |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
386 my $str = "<th>IP-address</th><th>Hits</th><th>DroneBL?</th><th>First hit</th><th>Latest hit</th><th>Class</th>"; |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
387 my $str2 = "IP-address | Hits | DroneBL | First hit | Latest hit | Class "; |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
388 |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
389 printElem($m, $f, |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
390 "<table class=\"".$class."\">\n<tr>". $str."<th> </th>".$str ."</tr>\n", |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
391 $str2." || ".$str2."\n"); |
|
52
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
392 |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
393 my @previp = ("0.0.0.0", "0.0.0.0"); |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
394 my @ncolor = (0, 0); |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
395 |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
396 my $printEntry = sub { |
| 68 | 397 my $blocked = "class=\"".(defined($filterlist{$_[0]}) ? "filtered" : "unfiltered")."\""; |
|
52
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
398 if (test_ips($previp[$_[1]], $_[0]) < 3) { |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
399 $ncolor[$_[1]]++; |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
400 } |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
401 $previp[$_[1]] = $_[0]; |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
402 my $str = "style=\"background: ".$ipcolors[$ncolor[$_[1]] % scalar @ipcolors].";\""; |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
403 |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
404 printTD($m, $f, sprintf("%-15s", get_link($m, $_[0])), $str); |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
405 printElem(!$m, $f, " | "); |
|
32
e7e484c89dbc
Added highlighting of blocked entries in summary tables.
Matti Hamalainen <ccr@tnsp.org>
parents:
30
diff
changeset
|
406 printTD($m, $f, sprintf("%-8d ", $table->{$_[0]}{"hits"}), $blocked); |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
407 printElem(!$m, $f, " | "); |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
408 printTD($m, $f, sprintf("%-6s ", $table->{$_[0]}{"dronebl"}), $blocked); |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
409 printElem(!$m, $f, " | "); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
410 printTD($m, $f, get_ago_str($table->{$_[0]}{"date1"}), $blocked); |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
411 printElem(!$m, $f, " | "); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
412 printTD($m, $f, get_ago_str($table->{$_[0]}{"date2"}), $blocked); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
413 printElem(!$m, $f, " | "); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
414 my $tmp = join(", ", sort keys %{$table->{$_[0]}{"reason"}}); |
|
32
e7e484c89dbc
Added highlighting of blocked entries in summary tables.
Matti Hamalainen <ccr@tnsp.org>
parents:
30
diff
changeset
|
415 printTD($m, $f, sprintf("%-30s", $tmp), $blocked); |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
416 $nhits += $table->{$_[0]}{"hits"}; |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
417 }; |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
418 |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
419 my @mkeys = sort { $func->($table, $a, $b) } keys %{$keys}; |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
420 my $nkeys = scalar @mkeys; |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
421 my $kmax = $nkeys / 2; |
|
52
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
422 |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
423 for (my $i = 0; $i <= $kmax; $i++) { |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
424 printElem($m, $f, " <tr>"); |
|
18
b0017a324040
Cleanups; Disable weeding in report mode again; Don't display redundant IPTABLES reasons in blocklist report.
Matti Hamalainen <ccr@tnsp.org>
parents:
17
diff
changeset
|
425 if ($i < $kmax) { |
|
52
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
426 $printEntry->($mkeys[$i], 0); |
|
18
b0017a324040
Cleanups; Disable weeding in report mode again; Don't display redundant IPTABLES reasons in blocklist report.
Matti Hamalainen <ccr@tnsp.org>
parents:
17
diff
changeset
|
427 printElem($m, $f, "<th> </th>", " || "); |
|
b0017a324040
Cleanups; Disable weeding in report mode again; Don't display redundant IPTABLES reasons in blocklist report.
Matti Hamalainen <ccr@tnsp.org>
parents:
17
diff
changeset
|
428 } |
|
52
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
429 if ($i + $kmax + 1 < $nkeys) { $printEntry->($mkeys[$i + $kmax + 1], 1); } |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
430 printElem($m, $f, "</tr>\n", "\n"); |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
431 } |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
432 |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
433 printElem($m, $f, "</table>\n"); |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
434 printP($m, $f, bb($m).$nkeys.eb($m)." entries total, ".bb($m).$nhits.eb($m)." hits total.\n"); |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
435 } |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
436 |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
437 sub cmp_hits($$$) |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
438 { |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
439 my $s1 = $_[0]->{$_[1]}; |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
440 my $s2 = $_[0]->{$_[2]}; |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
441 |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
442 return -1 if ($s2->{"date2"} < $s1->{"date2"}); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
443 return 1 if ($s2->{"date2"} > $s1->{"date2"}); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
444 return $s2->{"hits"} <=> $s1->{"hits"}; |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
445 } |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
446 |
|
26
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
447 sub get_period($) |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
448 { |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
449 my ($str, $r, $k); |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
450 if ($_[0] > 30 * 24) { |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
451 $r = $_[0] / (30 * 24); |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
452 $k = $_[0] % (30 * 24); |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
453 $str = sprintf("%d months", $r); |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
454 $str .= sprintf(", %d days", $k) if ($k > 0); |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
455 } elsif ($_[0] > 24 * 7) { |
|
29
6d3e33e9ee9b
Oops, fix printing of weeks.
Matti Hamalainen <ccr@tnsp.org>
parents:
27
diff
changeset
|
456 $str = sprintf("%1.1f weeks", $_[0] / (24.0 * 7.0)); |
|
26
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
457 } elsif ($_[0] > 24) { |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
458 $r = $_[0] / 24; |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
459 $k = $_[0] % 24; |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
460 $str = sprintf("%d days", $r); |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
461 $str .= sprintf(", %d hours", $k) if ($k > 0); |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
462 } else { |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
463 $str = sprintf("%d hours", $_[0]); |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
464 } |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
465 return $str; |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
466 } |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
467 |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
468 sub generate_status($$) |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
469 { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
470 my $filename = shift; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
471 my $m = shift; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
472 |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
473 return unless ($filename ne ""); |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
474 |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
475 open(STATUS, ">", $filename) or mdie("Could not open '".$filename."'!\n"); |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
476 my $f = \*STATUS; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
477 |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
478 printElem($m, $f, " |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
479 <html> |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
480 <head> |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
481 <title>Maltfilter status report</title> |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
482 "); |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
483 |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
484 printElem($m, $f, "<link href=\"".$settings{"STATUS_FILE_CSS"}."\" rel=\"stylesheet\" type=\"text/css\" />") |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
485 if ($settings{"STATUS_FILE_CSS"}); |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
486 |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
487 printElem($m, $f, " |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
488 </head> |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
489 <body> |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
490 "); |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
491 |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
492 printH($m, $f, 1, "Maltfilter v$progversion status report"); |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
493 my $period = get_period($settings{"STATS_MAX_AGE"}); |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
494 |
|
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
495 printP($m, $f, |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
496 "Generated ".bb($m).get_time_str(time()).eb($m).". Data computed from ". |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
497 ($reportmode ? "complete logfile scan" : "a period of last $period").".\n"); |
|
26
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
498 |
|
18
b0017a324040
Cleanups; Disable weeding in report mode again; Don't display redundant IPTABLES reasons in blocklist report.
Matti Hamalainen <ccr@tnsp.org>
parents:
17
diff
changeset
|
499 printP($m, $f, "The hit classes marked as 'IPTABLES' are a pseudo-class meaning an\n". |
| 68 | 500 "filtered IP that was in Netfilter before Maltfilter was started.\n"); |
|
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
501 |
| 68 | 502 if ($settings{"FILTER"} > 0) { |
| 503 printH($m, $f, 2, "Currently filtered entries"); | |
| 504 $period = get_period($settings{"FILTER_MAX_AGE"}); | |
| 505 printP($m, $f, "List of IPs that are currently filtered (or would be, if this is\n". | |
| 506 "a report-only mode). Data from period of $period.\n"); | |
| 507 print_table1($m, $f, \%statlist, \%filterlist, \&cmp_hits, "filtered"); | |
| 508 } | |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
509 |
| 68 | 510 printH($m, $f, 2, "Summary of entries"); |
|
18
b0017a324040
Cleanups; Disable weeding in report mode again; Don't display redundant IPTABLES reasons in blocklist report.
Matti Hamalainen <ccr@tnsp.org>
parents:
17
diff
changeset
|
511 printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not\n". |
|
b0017a324040
Cleanups; Disable weeding in report mode again; Don't display redundant IPTABLES reasons in blocklist report.
Matti Hamalainen <ccr@tnsp.org>
parents:
17
diff
changeset
|
512 "necessarily acted upon. Sorted by descending IP address.\n"); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
513 print_table2($m, $f, \%statlist, \%statlist, \&cmp_ips, "global"); |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
514 |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
515 printH($m, $f, 2, "Ignored entries"); |
|
52
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
516 printP($m, $f, "List of hits that were ignored (not acted upon), because the test was disabled.\n". |
|
8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
Matti Hamalainen <ccr@tnsp.org>
parents:
49
diff
changeset
|
517 "Notice that the entry may be blocked due to other checks, however.\n"); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
518 print_table1($m, $f, \%ignorelist, \%ignorelist, \&cmp_hits, "ignored"); |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
519 |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
520 printElem($m, $f, "</body>\n</html>\n"); |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
521 close(STATUS); |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
522 } |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
523 |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
524 |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
525 ############################################################################# |
| 65 | 526 ### DroneBL submission support |
| 527 ############################################################################# | |
| 528 sub dronebl_process | |
| 529 { | |
| 530 return unless ($settings{"DRONEBL"} > 0); | |
| 531 | |
| 532 # Create submission data | |
| 533 my $xml = "<?xml version=\"1.0\"?>\n<request key=\"".$settings{"DRONEBL_RPC_KEY"}."\">\n"; | |
| 534 my $entries = 0; | |
| 535 while (my ($ip, $entry) = each(%dronebl)) { | |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
536 if ($entry->{"sent"} == 0 && $entry->{"tries"} < 3) { |
| 74 | 537 # $xml .= "<add ip=\"".$ip."\" type=\"".$entry->{"type"}."\" />\n"; |
| 538 $xml .= "<add ip=\"".$ip."\" type=\"1\" />\n"; | |
| 65 | 539 $entries++; |
| 540 } | |
| 541 } | |
| 542 $xml .= "</request>\n"; | |
| 543 | |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
544 # Bait out if no entries to submit |
| 65 | 545 return unless ($entries > 0); |
|
67
8df5d52436a1
More work towards DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents:
66
diff
changeset
|
546 if ($settings{"DRY_RUN"}) { |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
547 mlog(2, "[DroneBL] Would submit $entries entries.\n"); |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
548 return; |
|
67
8df5d52436a1
More work towards DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents:
66
diff
changeset
|
549 } else { |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
550 mlog(2, "[DroneBL] Trying to submit $entries entries.\n"); |
|
67
8df5d52436a1
More work towards DroneBL support.
Matti Hamalainen <ccr@tnsp.org>
parents:
66
diff
changeset
|
551 } |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
552 |
| 65 | 553 # Submit via HTTP XML-RPC |
| 554 my $tmp = LWP::UserAgent->new; | |
| 555 $tmp->agent("Maltfilter/".$progversion); | |
| 556 $tmp->timeout(10); | |
| 557 my $req = HTTP::Request->new(POST => $settings{"DRONEBL_RPC_URI"}); | |
| 558 $req->content_type("text/xml"); | |
| 559 $req->content($xml); | |
| 560 $req->user_agent("Maltfilter/".$progversion); | |
| 561 my $res = $tmp->request($req); | |
| 562 | |
| 563 if ($res->is_success) { | |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
564 mlog(3, "[DroneBL] HTTP response [".$res->code."] ".$res->message."\n"); |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
565 my $str = $res->content; |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
566 my ($type, $msg); |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
567 $str =~ tr/\n/ /; |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
568 |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
569 if ($str =~ /<response\s*type=.(success|error).>(.*?)<\/response>/gm) { |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
570 $type = $1; $msg = $2; |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
571 } elsif ($str =~ /<response\s*type=.(success|error). *\/>/gm) { |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
572 $type = $1; $msg = ""; |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
573 } |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
574 |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
575 if ($type eq "success") { |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
576 mlog(1, "[DroneBL] Succesfully submitted $entries entries.\n$msg\n"); |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
577 while (my ($ip, $entry) = each(%dronebl)) { |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
578 $entry->{"sent"} = 1; |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
579 $statlist{$ip}{"dronebl"} = 2 if defined($statlist{$ip}); |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
580 } |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
581 } elsif ($type eq "error") { |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
582 # If we don't have a valid key, disable further submissions. |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
583 if ($msg =~ /<code>403<\/code>/) { |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
584 mlog(-1, "Disabling DroneBL submission due to invalid key.\n"); |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
585 $settings{"DRONEBL"} = 0; |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
586 } |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
587 # Log error message mangled |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
588 $msg =~ s{\s*</?[^>]+>}{ }g; |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
589 mlog(-1, "[DroneBL] Error in submission: $msg\n"); |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
590 } else { |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
591 mlog(-1, "[DroneBL] Unsupported response message ".$str."\n"); |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
592 } |
| 65 | 593 } else { |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
594 mlog(-1, "[DroneBL] HTTP request failed: [".$res->code."] ".$res->message."\n"); |
| 65 | 595 } |
| 596 | |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
597 # Clean up expired entries, warn/note about unsubmitted ones. |
| 65 | 598 while (my ($ip, $entry) = each(%dronebl)) { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
599 if (!check_time3($entry->{"date"})) { |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
600 mlog(1, "[DroneBL] $ip submission expired.\n") unless ($entry->{"sent"} > 0); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
601 delete($dronebl{$ip}); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
602 } |
| 65 | 603 } |
| 604 } | |
| 605 | |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
606 sub dronebl_queue($$$) |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
607 { |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
608 my ($mip, $mdate, $mtype) = @_; |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
609 |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
610 return unless ($settings{"DRONEBL"} > 0); |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
611 return if check_hosts_array(\@noaction_ips, $mip); |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
612 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
613 if (!defined($dronebl{$mip})) { |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
614 mlog(3, "[DroneBL] Queueing $mip \@ $mdate ($mtype)\n"); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
615 $dronebl{$mip}{"type"} = $mtype; |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
616 $dronebl{$mip}{"date"} = $mdate; |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
617 $dronebl{$mip}{"sent"} = 0; |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
618 $dronebl{$mip}{"tries"} = 0; |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
619 $statlist{$mip}{"dronebl"} = 1 if defined($statlist{$mip}); |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
620 } |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
621 } |
| 65 | 622 |
| 623 ############################################################################# | |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
624 ### Evidence gathering |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
625 ############################################################################# |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
626 my %evidence = (); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
627 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
628 sub evidence_queue($$$) |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
629 { |
| 65 | 630 my ($mip, $mdata, $mfull) = @_; |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
631 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
632 return unless ($settings{"EVIDENCE"} > 0); |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
633 |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
634 my $tmp = $mdata; |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
635 $tmp =~ s/http:\/\///; |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
636 $tmp =~ s/^\.+/_/; |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
637 $tmp =~ s/[^A-Za-z0-9:\.]/_/g; |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
638 |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
639 $evidence{$mdata}{"coll"} = $tmp; |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
640 $evidence{$mdata}{"hosts"}{$mip} = 1; |
| 65 | 641 $evidence{$mdata}{"full"}{$mfull} = 1; |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
642 } |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
643 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
644 sub evidence_fetch($$) |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
645 { |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
646 my $tmp = LWP::UserAgent->new; |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
647 $tmp->agent("-"); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
648 $tmp->timeout(10); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
649 $tmp->default_headers->referer($_[1]); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
650 my $req = HTTP::Request->new(GET => $_[0]); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
651 return $tmp->request($req); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
652 } |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
653 |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
654 my $evidence_dir = 0; |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
655 sub evidence_gather |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
656 { |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
657 my $dns = Net::DNS::Resolver->new; |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
658 my $base = $settings{"EVIDENCE_DIR"}; |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
659 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
660 return unless ($settings{"EVIDENCE"} > 0); |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
661 |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
662 if (! -e $base) { |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
663 mlog(-1, "Evidence directory '$base' has disappeared.\n") unless ($evidence_dir > 0); |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
664 mdie("Evidence directory '$base' has been absent for $evidence_dir cycles, dying.\n") if ($evidence_dir++ > 10); |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
665 return; |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
666 } else { |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
667 $evidence_dir = 0; |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
668 } |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
669 |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
670 my $fetched = 0; |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
671 foreach my $url (keys %evidence) { |
| 65 | 672 my $filename = $base."/".$evidence{$url}{"coll"}.".data"; |
| 673 my $filename2 = $base."/".$evidence{$url}{"coll"}.".hosts"; | |
| 674 my $filename3 = $base."/".$evidence{$url}{"coll"}.".info"; | |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
675 |
| 65 | 676 # Get data contents only once |
| 677 if (! -e $filename) { | |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
678 $fetched++; |
| 65 | 679 mlog(1, "Fetching evidence for $url\n"); |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
680 my $res = evidence_fetch($url, ""); |
| 65 | 681 open(FILE, ">:raw", $filename) or mdie("Could not open '$filename' for writing.\n"); |
| 682 binmode(FILE, ":raw"); | |
| 683 if ($res->is_success && $res->code >= 200 && $res->code <= 201) { | |
| 684 print FILE $res->content; | |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
685 } |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
686 close(FILE); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
687 |
| 65 | 688 open(FILE, ">:raw", $filename3) or mdie("Could not open '$filename3' for writing.\n"); |
| 689 binmode(FILE, ":raw"); | |
| 690 print FILE "XSS URI : $url\n"; | |
| 691 print FILE "Time of retrieval : ".get_time_str(time())."\n"; | |
| 692 print FILE "HTTP return code : [".$res->code."] ".$res->message."\n"; | |
| 693 print FILE "Content-Type : ".($res->content_type ? $res->content_type : "?")."\n"; | |
| 694 print FILE "Last modified : ".($res->last_modified ? $res->last_modified : "?")."\n"; | |
| 695 print FILE "------ HTTP Headers ------\n".$res->headers_as_string."\n"; | |
| 696 print FILE "------ Requests ------\n"; | |
| 697 print FILE $_."\n" foreach (keys %{$evidence{$url}{"full"}}); | |
| 698 close(FILE); | |
| 699 } | |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
700 |
| 65 | 701 # Check if we are appending hosts to existing data |
| 702 if (-e $filename2) { | |
| 703 open(FILE, "<", $filename2) or mdie("Could not open '$filename2' for reading.\n"); | |
| 704 while (<FILE>) { | |
| 705 if (/^(\d+\.\d+\.\d+\.\d+) *\|/) { | |
| 706 if (defined($evidence{$url}{"hosts"}{$1})) { | |
| 707 delete($evidence{$url}{"hosts"}{$1}); | |
| 708 } | |
| 709 } | |
| 710 } | |
| 711 close(FILE); | |
| 712 open(FILE, ">>", $filename2) or mdie("Could not open '$filename2' for appending.\n"); | |
| 713 } else { | |
| 714 open(FILE, ">", $filename2) or mdie("Could not open '$filename2' for writing.\n"); | |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
715 } |
| 65 | 716 foreach my $host (sort keys %{$evidence{$url}{"hosts"}}) { |
| 717 my $query = $dns->search($host); | |
| 718 my @names = (); | |
| 719 undef(@names); | |
| 720 if ($query) { | |
| 721 foreach my $rr ($query->answer) { | |
| 722 push(@names, $rr->{"ptrdname"}) if defined($rr->{"ptrdname"}); | |
| 723 } | |
| 724 } | |
| 725 printf FILE "%-15s | %s\n", $host, join(" | ", @names); | |
| 726 } | |
| 727 close(FILE); | |
| 728 | |
| 729 # This entry has been handled, delete it | |
| 730 delete($evidence{$url}); | |
| 731 | |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
732 # If not in report mode, handle only 5 fetched entries at time |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
733 return unless ($reportmode || $fetched < 5); |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
734 } |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
735 } |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
736 |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
737 |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
738 ############################################################################# |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
739 ### Entry management / handling functions |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
740 ############################################################################# |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
741 ### Check if given IP or host exists in array |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
742 sub check_hosts_array($$) |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
743 { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
744 my $chk_host = $_[1]; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
745 my $chk_ip = new Net::IP($chk_host); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
746 foreach my $host (@{$_[0]}) { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
747 my $ip = new Net::IP($host); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
748 if (defined($chk_ip) && defined($ip)) { |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
749 my $res = $chk_ip->overlaps($ip); |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
750 if (defined($res)) { |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
751 return 1 if ($res == $IP_IDENTICAL); |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
752 return 2 if ($res == $IP_B_IN_A_OVERLAP); |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
753 return 3 if ($res == $IP_A_IN_B_OVERLAP); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
754 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
755 } |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
756 return 4 if ($chk_host eq $host); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
757 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
758 return 0; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
759 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
760 |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
761 ### Check IP/host against | separated list of IPs/hosts |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
762 sub check_hosts($$) |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
763 { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
764 my @tmp = split(/\s*\|\s*/, $_[0]); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
765 return check_hosts_array(\@tmp, $_[1]); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
766 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
767 |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
768 ### Execute iptables |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
769 sub exec_iptables(@) |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
770 { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
771 $ENV{"PATH"} = ""; |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
772 my @args = ($settings{"IPTABLES"}, @_); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
773 if ($settings{"DRY_RUN"}) { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
774 mlog(3, ":: ".join(" ", @args)."\n"); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
775 } else { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
776 system(@args) == 0 or print join(" ", @args)." failed: $?\n"; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
777 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
778 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
779 |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
780 ### Get current Netfilter INPUT table entries that match |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
781 ### entry types we manage, e.g. filterlist |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
782 sub update_filterlist($) |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
783 { |
|
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
784 my $first = $_[0]; |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
785 return unless ($settings{"FILTER"} > 0); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
786 |
|
17
fe220b5a975a
Cleanups, add configuration for WHOIS linking.
Matti Hamalainen <ccr@tnsp.org>
parents:
16
diff
changeset
|
787 $ENV{"PATH"} = ""; |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
788 open(STATUS, $settings{"IPTABLES"}." -v -n -L INPUT |") or |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
789 mdie("Could not execute ".$settings{"IPTABLES"}."\n"); |
|
23
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
790 my %newlist = (); |
|
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
791 undef(%newlist); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
792 while (<STATUS>) { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
793 chomp; |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
794 if (/^\s*(\d+)\s+\d+\s+$settings{"FILTER_TARGET"}\s+all\s+--\s+\*\s+\*\s+(\d+\.\d+\.\d+\.\d+)\s+0\.0\.0\.0\/0\s*$/) { |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
795 my $mip = $2; |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
796 if (!defined($filterlist{$mip})) { |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
797 mlog(2, "* $mip appeared in iptables.\n") unless ($first < 0); |
|
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
798 $filterlist{$2} = time(); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
799 } |
|
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
800 $newlist{$2} = 1; |
|
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
801 update_entry(\%statlist, $mip, -1, "IPTABLES", "", 0); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
802 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
803 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
804 close(STATUS); |
|
23
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
805 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
806 foreach my $mip (keys %filterlist) { |
|
23
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
807 if (!defined($newlist{$mip})) { |
|
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
808 mlog(2, "* $mip removed from iptables.\n"); |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
809 delete($filterlist{$mip}); |
|
23
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
810 } |
|
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
811 } |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
812 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
813 |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
814 ### Check if given timestamp is _newer_ than weedperiod threshold. |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
815 ### Returns false if timestamp is over weed period, e.g. needs weeding. |
|
26
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
816 sub check_time1($) |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
817 { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
818 return ($_[0] > time() - ($settings{"FILTER_MAX_AGE"} * 60 * 60)); |
|
26
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
819 } |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
820 |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
821 sub check_time2($) |
|
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
822 { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
823 return ($_[0] > time() - ($settings{"STATS_MAX_AGE"} * 60 * 60)); |
| 65 | 824 } |
| 825 | |
| 826 sub check_time3($) | |
| 827 { | |
| 828 return ($_[0] > time() - ($settings{"DRONEBL_MAX_AGE"} * 60)); | |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
829 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
830 |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
831 ### Weed out old entries |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
832 sub weed_do($) |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
833 { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
834 my $mtime = $filterlist{$_[0]}; |
| 59 | 835 mlog(2, "* Weeding $_[0] (".get_time_str($mtime).")\n"); |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
836 exec_iptables("-D", "INPUT", "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"FILTER_TARGET"}); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
837 delete($filterlist{$_[0]}); |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
838 delete($statlist{$_[0]}); |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
839 delete($ignorelist{$_[0]}); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
840 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
841 |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
842 sub weed_entries() |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
843 { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
844 # Don't weed in report mode. |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
845 return unless ($settings{"FILTER"} > 0 && $reportmode == 0); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
846 |
|
25
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
847 # Weed blocked entries. |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
848 my @mips = keys %filterlist; |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
849 foreach my $mip (@mips) { |
|
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
850 if (defined($statlist{$mip})) { |
|
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
851 if ($statlist{$mip}{"date2"} >= 0) { |
|
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
852 weed_do($mip) unless check_time1($statlist{$mip}{"date2"}); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
853 } else { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
854 weed_do($mip); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
855 } |
|
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
856 } elsif (defined($filterlist{$mip})) { |
|
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
857 weed_do($mip); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
858 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
859 } |
|
25
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
860 |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
861 # Clean up old entries from other lists |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
862 foreach my $mip (keys %statlist) { |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
863 if (defined($statlist{$mip})) { |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
864 my $mtime = $statlist{$mip}{"date2"}; |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
865 if (!check_time2($mtime) && !defined($filterlist{$mip})) { |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
866 mlog(3, "* Deleting stale $mip (".get_time_str($mtime).")\n"); |
|
25
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
867 delete($statlist{$mip}); |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
868 } |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
869 } |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
870 } |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
871 |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
872 foreach my $mip (keys %ignorelist) { |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
873 if (defined($ignorelist{$mip})) { |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
874 my $mtime = $ignorelist{$mip}{"date2"}; |
|
26
61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
Matti Hamalainen <ccr@tnsp.org>
parents:
25
diff
changeset
|
875 if (!check_time2($mtime)) { |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
876 mlog(3, "* Deleting stale ignored $mip (".get_time_str($mtime).")\n"); |
|
25
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
877 delete($ignorelist{$mip}); |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
878 } |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
879 } |
|
34dcb7462043
Sanitize weeding of entries, separating blocklist weeding from global lists.
Matti Hamalainen <ccr@tnsp.org>
parents:
24
diff
changeset
|
880 } |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
881 } |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
882 |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
883 ### Update one entry data |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
884 sub update_date($$) |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
885 { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
886 if (!defined($_[0]->{"date1"}) || ($_[1] > 0 && $_[0]->{"date1"} < 0)) { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
887 $_[0]->{"date1"} = $_[1]; |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
888 } |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
889 if (!defined($_[0]->{"date2"}) || $_[1] > $_[0]->{"date2"}) { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
890 $_[0]->{"date2"} = $_[1]; |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
891 } |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
892 } |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
893 |
|
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
894 sub update_entry($$$$$$) |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
895 { |
|
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
896 my ($struct, $mip, $mdate, $mclass, $mreason, $addhits) = @_; |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
897 |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
898 return if check_hosts_array(\@noaction_ips, $mip); |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
899 |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
900 $struct->{$mip} = {} unless defined($struct->{$mip}); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
901 my $entry = $struct->{$mip}; |
|
62
924720517cf9
Fix initialization of hash structure part, this fixes resetting of class hits to 1.
Matti Hamalainen <ccr@tnsp.org>
parents:
60
diff
changeset
|
902 $entry->{"reason"}{$mclass} = {} unless defined($entry->{"reason"}{$mclass}); |
|
924720517cf9
Fix initialization of hash structure part, this fixes resetting of class hits to 1.
Matti Hamalainen <ccr@tnsp.org>
parents:
60
diff
changeset
|
903 my $reason = $entry->{"reason"}{$mclass}; |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
904 |
|
70
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
905 $entry->{"dronebl"} = 0 unless defined($entry->{"dronebl"}); |
|
adb4795f451e
Finished DroneBL support (hopefully).
Matti Hamalainen <ccr@tnsp.org>
parents:
69
diff
changeset
|
906 |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
907 # Add hits only when requested |
|
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
908 if ($addhits) { |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
909 $entry->{"hits"}++; |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
910 $reason->{"hits"}++; |
|
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
911 } else { |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
912 $entry->{"hits"} = 1 unless defined($entry->{"hits"}); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
913 $reason->{"hits"} = 1 unless defined($reason->{"hits"}); |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
914 } |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
915 |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
916 # Messages is an array in reportmode |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
917 if ($reportmode) { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
918 push(@{$reason->{"msg"}}, $mreason); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
919 } else { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
920 $reason->{"msg"} = $mreason; |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
921 } |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
922 |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
923 # Update timestamps (generic and reason) |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
924 update_date($entry, $mdate); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
925 update_date($reason, $mdate); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
926 |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
927 return $entry->{"hits"}; |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
928 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
929 |
| 65 | 930 ### Check if given "try count" exceeds threshold and if entry |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
931 ### is NOT in Netfilter already, then add it if so. |
| 65 | 932 sub check_add_hit($$$$$$) |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
933 { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
934 my $mip = $_[0]; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
935 my $mdate = str2time($_[1]); |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
936 my $mclass = $_[2]; |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
937 my $mreason = $_[3]; |
| 65 | 938 my $mtype = $_[4]; |
| 939 my $mcond = $_[5]; | |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
940 my $cnt; |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
941 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
942 if (check_hosts_array(\@noaction_ips, $mip)) { |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
943 mlog(2, "Hit to NOACTION_IPS($mip): [$mclass] $mreason\n"); |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
944 return; |
|
13
fc053b001027
Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents:
11
diff
changeset
|
945 } |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
946 |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
947 # If condition is true, we add to regular statlist |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
948 if ($mcond) { |
|
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
949 $cnt = update_entry(\%statlist, $mip, $mdate, $mclass, $mreason, 1); |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
950 } else { |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
951 # This is an ignored hit (for disabled test), add to ignorelist |
|
53
dc072a56f343
Don't add hits when updating entries from netfilter.
Matti Hamalainen <ccr@tnsp.org>
parents:
52
diff
changeset
|
952 update_entry(\%ignorelist, $mip, $mdate, $mclass, $mreason, 1); |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
953 return; |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
954 } |
|
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
955 |
| 65 | 956 # Check if we have exceeded threshold etc. |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
957 if ($settings{"FILTER"} > 0 && $cnt >= $settings{"FILTER_THRESHOLD"} && check_time1($mdate)) { |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
958 # Add to filterlist, unless already there. |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
959 if (!defined($filterlist{$mip})) { |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
960 mlog(1, "* Adding $mip \@ ".get_time_str($mdate).": [$mclass] $mreason\n"); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
961 exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"FILTER_TARGET"}); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
962 } |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
963 # Update date of last hit |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
964 $filterlist{$mip} = $mdate; |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
965 } |
| 65 | 966 |
| 967 # Separate check for DroneBL | |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
968 if ($mtype > 0 && $cnt >= $settings{"DRONEBL_THRESHOLD"} && check_time3($mdate)) { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
969 dronebl_queue($mip, $mdate, $mtype); |
| 65 | 970 } |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
971 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
972 |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
973 |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
974 ############################################################################# |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
975 ### Main helper functions |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
976 ############################################################################# |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
977 ### Print log entry |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
978 sub mlog($$) |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
979 { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
980 my $level = shift; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
981 my $msg = shift; |
|
23
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
982 if ($LOGFILE) { |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
983 print $LOGFILE "[".get_time_str(time())."] ".$msg if ($settings{"VERBOSITY"} > $level); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
984 } elsif ($settings{"DRY_RUN"}) { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
985 print STDERR $msg if ($settings{"VERBOSITY"} > $level); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
986 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
987 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
988 |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
989 ### Like Perl's die(), but also print a logfile entry. |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
990 sub mdie($) |
|
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
991 { |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
992 mlog(-1, $_[0]) if ($LOGFILE); |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
993 die($_[0]); |
|
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
994 } |
|
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
995 |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
996 ### Initialize |
|
23
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
997 sub malt_init |
|
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
998 { |
|
57
a70493b6c916
Clear %statlist and %ignorelist when re-initializing (due to HUP), so we don't count stats twice.
Matti Hamalainen <ccr@tnsp.org>
parents:
55
diff
changeset
|
999 %statlist = (); |
|
a70493b6c916
Clear %statlist and %ignorelist when re-initializing (due to HUP), so we don't count stats twice.
Matti Hamalainen <ccr@tnsp.org>
parents:
55
diff
changeset
|
1000 undef(%statlist); |
|
a70493b6c916
Clear %statlist and %ignorelist when re-initializing (due to HUP), so we don't count stats twice.
Matti Hamalainen <ccr@tnsp.org>
parents:
55
diff
changeset
|
1001 %ignorelist = (); |
|
a70493b6c916
Clear %statlist and %ignorelist when re-initializing (due to HUP), so we don't count stats twice.
Matti Hamalainen <ccr@tnsp.org>
parents:
55
diff
changeset
|
1002 undef(%ignorelist); |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1003 update_filterlist(-1); |
|
57
a70493b6c916
Clear %statlist and %ignorelist when re-initializing (due to HUP), so we don't count stats twice.
Matti Hamalainen <ccr@tnsp.org>
parents:
55
diff
changeset
|
1004 |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1005 foreach my $filename (@scanfiles_once) { |
|
58
a780a23e19a8
Change parsing status log messages.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
1006 mlog(0, "Parsing [ONCE] ".$filename." ...\n"); |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1007 if (open(INFILE, "<", $filename)) { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1008 while (<INFILE>) { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1009 chomp; |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1010 check_log_line($_); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1011 } |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1012 } else { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1013 mlog(-1, "Could not open '".$filename."', skipping now.\n"); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1014 } |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1015 close(INFILE); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1016 } |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1017 |
| 3 | 1018 foreach my $filename (@scanfiles) { |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1019 local *INFILE; |
|
58
a780a23e19a8
Change parsing status log messages.
Matti Hamalainen <ccr@tnsp.org>
parents:
57
diff
changeset
|
1020 mlog(0, "Initial parsing ".$filename." ...\n"); |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1021 if (open(INFILE, "<", $filename)) { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1022 $filehandles{$filename} = *INFILE; |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1023 while (<INFILE>) { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1024 chomp; |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1025 check_log_line($_); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1026 } |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1027 } else { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1028 mlog(-1, "Could not open '".$filename."', skipping now.\n"); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1029 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1030 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1031 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1032 |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1033 ### Quick cleanup (not complete shutdown) |
|
23
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
1034 sub malt_cleanup |
|
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
1035 { |
| 3 | 1036 foreach my $filename (keys %filehandles) { |
| 1037 close($filehandles{$filename}); | |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1038 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1039 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1040 |
|
23
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
1041 sub malt_finish |
|
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
1042 { |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1043 # Unlink pid-file |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1044 if ($pid_file ne "" && -e $pid_file) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1045 unlink $pid_file; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1046 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1047 # Close logfile |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1048 close($LOGFILE) if (defined($LOGFILE)); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1049 undef($LOGFILE); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1050 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1051 |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
1052 ### Signal handlers |
|
23
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
1053 sub malt_int |
|
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
1054 { |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1055 mlog(-1, "\nCaught Interrupt (^C), aborting.\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1056 malt_cleanup(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1057 malt_finish(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1058 exit(1); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1059 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1060 |
|
23
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
1061 sub malt_term |
|
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
1062 { |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
1063 mlog(-1, "Received TERM, quitting.\n"); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1064 malt_cleanup(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1065 malt_finish(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1066 exit(1); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1067 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1068 |
|
23
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
1069 sub malt_hup |
|
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
1070 { |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1071 mlog(-1, "Received HUP, reinitializing.\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1072 malt_cleanup(); |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1073 malt_configure(); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1074 malt_init(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1075 mlog(-1, "Reinitialization finished, resuming scanning.\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1076 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1077 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1078 sub malt_maintenance |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1079 { |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1080 update_filterlist(time()); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1081 weed_entries(); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1082 generate_status($settings{"STATUS_FILE_PLAIN"}, 0); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1083 generate_status($settings{"STATUS_FILE_HTML"}, 1); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1084 evidence_gather(); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1085 dronebl_process(); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1086 } |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1087 |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1088 ### Main scanning function |
|
23
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
1089 sub malt_scan |
|
cb0a4b747cf0
Handle importing of current netfilter entries differently.
Matti Hamalainen <ccr@tnsp.org>
parents:
21
diff
changeset
|
1090 { |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1091 mlog(1, "Entering main scanning loop.\n"); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1092 my $counter = -1; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1093 while (1) { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1094 my %filepos = (); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1095 foreach my $filename (keys %filehandles) { |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1096 for ($filepos{$filename} = tell($filehandles{$filename}); |
|
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
1097 $_ = readline($filehandles{$filename}); |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1098 $filepos{$filename} = tell($filehandles{$filename})) { |
|
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
1099 chomp($_); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1100 check_log_line($_); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1101 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1102 } |
|
79
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
1103 sleep(1); |
|
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
1104 foreach my $filename (keys %filehandles) { |
|
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
1105 seek($filehandles{$filename}, $filepos{$filename}, 0); |
|
9095db0fad8f
v0.18.0: Bunch of bugfixes; logfile trailing/scanning speed improved; memory
Matti Hamalainen <ccr@tnsp.org>
parents:
76
diff
changeset
|
1106 } |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1107 if ($counter < 0 || $counter++ >= 30) { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1108 # Every once in a while, execute maintenance functions |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1109 $counter = 0; |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1110 malt_maintenance(); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1111 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1112 } |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1113 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1114 |
|
16
87c0cdc048f5
Many changes and cleanups. Works again.
Matti Hamalainen <ccr@tnsp.org>
parents:
15
diff
changeset
|
1115 ### Read one configuration file |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1116 sub malt_read_config($) |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1117 { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1118 my $filename = $_[0]; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1119 my $errors = 0; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1120 my $line = 0; |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1121 |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1122 open(CONFFILE, "<", $filename) or mdie("Could not open configuration '".$filename."'!\n"); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1123 while (<CONFFILE>) { |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1124 $line++; |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1125 chomp; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1126 if (/(^\s*#|^\s*$)/) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1127 # Ignore comments and empty lines |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1128 } elsif (/^\s*\"?([a-zA-Z0-9_]+)\"?\s*=>?\s*(\d+),?\s*$/) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1129 my $key = uc($1); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1130 my $value = $2; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1131 if (defined($settings{$key})) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1132 $settings{$key} = $value; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1133 } else { |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1134 mlog(-1, "[$filename:$line] Unknown setting '$key' = $value\n"); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1135 $errors = 1; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1136 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1137 } elsif (/^\s*\"?([a-zA-Z0-9_]+)\"?\s*=>?\s*\"(.*?)\",?\s*$/) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1138 my $key = uc($1); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1139 my $value = $2; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1140 if ($key eq "SCANFILE") { |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1141 push(@scanfiles, $value); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1142 } elsif ($key eq "SCANFILE_ONCE") { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1143 push(@scanfiles_once, $value); |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1144 } elsif ($key eq "NOACTION_IPS") { |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1145 push(@noaction_ips, $value); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1146 } elsif (defined($settings{$key})) { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1147 $settings{$key} = $value; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1148 } else { |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1149 mlog(-1, "[$filename:$line] Unknown setting '$key' = '$value'\n"); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1150 $errors = 1; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1151 } |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1152 # Force dry run mode if we are reporting only |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1153 if ($reportmode) { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1154 $settings{"DRY_RUN"} = 1; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1155 } |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1156 } else { |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1157 mlog(-1, "[$filename:$line] Syntax error: $_\n"); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1158 $errors = 1; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1159 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1160 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1161 close(CONFFILE); |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1162 return $errors; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1163 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1164 |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1165 ### Read all configuration files |
|
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1166 sub malt_configure |
|
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1167 { |
|
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1168 # Let user define his/her own logfiles to scan |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1169 @scanfiles = (); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1170 undef(@scanfiles); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1171 |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1172 @scanfiles_once = (); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1173 undef(@scanfiles_once); |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1174 |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1175 @noaction_ips = (); |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1176 undef(@noaction_ips); |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1177 |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1178 foreach my $filename (@configfiles) { |
|
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1179 mdie("Errors in configuration file '$filename', bailing out.\n") |
|
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1180 unless (malt_read_config($filename) == 0); |
|
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1181 } |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1182 |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1183 # Clean up certain arrays duplicate entries |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1184 my %saw = (); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1185 @scanfiles = grep(!$saw{$_}++, @scanfiles); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1186 |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1187 %saw = (); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1188 @scanfiles_once = grep(!$saw{$_}++, @scanfiles_once); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1189 |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1190 %saw = (); |
|
69
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1191 push(@noaction_ips, @noaction_ips_def); |
|
b090ddfccdab
Cleanups. Improve IP/host definitions.
Matti Hamalainen <ccr@tnsp.org>
parents:
68
diff
changeset
|
1192 @noaction_ips = grep(!$saw{$_}++, @noaction_ips); |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1193 undef(%saw); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1194 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1195 mlog(-1, "Not acting on IPs: ".join(", ", @noaction_ips)."\n"); |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1196 |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1197 # Check if we have anything to do |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1198 if ($reportmode) { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1199 mdie("Nothing to do, no SCANFILE(s) or SCANFILE_ONCE(s) defined in configuration.\n") unless ($#scanfiles > 0 || $#scanfiles_once > 0); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1200 } else { |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1201 mdie("Nothing to do, no SCANFILE(s) defined in configuration.\n") unless ($#scanfiles > 0); |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1202 } |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1203 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1204 # General settings |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1205 my $val = $settings{"STATS_MAX_AGE"}; |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1206 mdie("Invalid STATS_MAX_AGE value $val, must be > 0.\n") unless ($val > 0); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1207 |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1208 # Filtering |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1209 if ($settings{"FILTER"} > 0) { |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1210 $val = $settings{"FILTER_MAX_AGE"}; |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1211 mdie("Invalid FILTER_MAX_AGE value $val, must be > 0.\n") unless ($val > 0); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1212 |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1213 $val = $settings{"FILTER_THRESHOLD"}; |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1214 mdie("Invalid FILTER_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1215 |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1216 $val = $settings{"IPTABLES"}; |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1217 mdie("iptables binary does not exist or is not executable: $val\n") unless (-e $val && -x $val); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1218 } else { |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1219 mlog(1, "Netfilter handling disabled.\n"); |
|
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1220 } |
|
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1221 |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1222 # Check evidence settings |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1223 if ($settings{"EVIDENCE"} > 0) { |
|
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1224 my $base = $settings{"EVIDENCE_DIR"}; |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1225 mdie("Evidence directory (EVIDENCE_DIR) not set in configuration.\n") if ($base eq ""); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1226 mdie("Evidence directory '$base' does not exist.\n") unless (-e $base); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1227 mdie("Path '$base' is not a directory.\n") unless (-d $base); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1228 mdie("Evidence directory '$base' is not writable by euid.\n") unless (-w $base); |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1229 } |
|
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1230 |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1231 # Sanitize DroneBL configuration |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1232 if ($settings{"DRONEBL"} > 0) { |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1233 mdie("DroneBL RPC key not set.\n") unless ($settings{"DRONEBL_RPC_KEY"} ne ""); |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1234 } |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1235 |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1236 # Check system account / passwd settings |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1237 mdie("SYSACCT_MIN_UID must be >= 1.\n") unless ($settings{"SYSACCT_MIN_UID"} >= 1); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1238 mdie("SYSACCT_MAX_UID must be >= SYSACCT_MIN_UID.\n") unless ($settings{"SYSACCT_MAX_UID"} >= $settings{"SYSACCT_MIN_UID"}); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1239 |
|
44
471731c79bb3
Add configuration setting for PASSWD file.
Matti Hamalainen <ccr@tnsp.org>
parents:
40
diff
changeset
|
1240 open(PASSWD, "<", $settings{"PASSWD"}) or mdie("Could not open '".$settings{"PASSWD"}."' for reading!\n"); |
|
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1241 while (<PASSWD>) { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1242 my @fields = split(/\s*:\s*/); |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1243 if ($fields[2] >= $settings{"SYSACCT_MIN_UID"} && $fields[2] <= $settings{"SYSACCT_MAX_UID"}) { |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1244 $systemacct{$fields[0]} = $fields[2]; |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1245 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1246 } |
|
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1247 close(PASSWD); |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1248 } |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1249 |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1250 ############################################################################# |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1251 ### |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1252 ### Main program |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1253 ### |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1254 ############################################################################# |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1255 # Setup signal handlers |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1256 $SIG{'INT'} = 'malt_int'; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1257 $SIG{'TERM'} = 'malt_term'; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1258 $SIG{'HUP'} = 'malt_hup'; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1259 |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1260 # Print banner and help if no arguments |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1261 my $argc = $#ARGV + 1; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1262 if ($argc < 1) { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1263 print STDERR $progbanner. |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1264 "\n". |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1265 "Usage: maltfilter <pid filename> [config filename] [config filename...]\n". |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1266 " maltfilter -f [config filename] [config filename...]\n". |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1267 "-f turns on the full report mode.\n"; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1268 exit; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1269 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1270 |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1271 # Test pid file existence unless report mode |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1272 $pid_file = shift; |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1273 if ($pid_file eq "-f") { |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1274 $reportmode = 1; |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1275 print STDERR $progbanner; |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1276 } else { |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1277 mdie("'$pid_file' already exists, not starting.\n". |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1278 "If the daemon is NOT running, remove the pid-file and re-start.\n") |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1279 if (-e $pid_file); |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1280 } |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1281 |
|
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1282 # Read configuration files |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1283 while (defined(my $filename = shift)) { |
|
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1284 push(@configfiles, $filename); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1285 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1286 |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1287 malt_configure(); |
|
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1288 |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1289 # Open logfile |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1290 if ($settings{"DRY_RUN"}) { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1291 print STDERR |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1292 "*********************************\n". |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1293 "* NOTICE! DRY-RUN MODE ENABLED! *\n". |
|
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1294 "*********************************\n"; |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1295 } elsif ($settings{"LOGFILE"} ne "") { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1296 open($LOGFILE, ">>", $settings{"LOGFILE"}) or die("Could not open logfile '".$settings{"LOGFILE"}."' for writing!\n"); |
|
63
6917de5b91be
Disable output buffering of logfile.
Matti Hamalainen <ccr@tnsp.org>
parents:
62
diff
changeset
|
1297 select((select($LOGFILE), $| = 1)[0]); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1298 mlog(-1, "Log started\n"); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1299 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1300 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1301 # Initialize |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1302 malt_init(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1303 |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1304 # Fork to background, unless dry-running |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1305 if ($settings{"DRY_RUN"}) { |
|
15
b05d0f0ff106
Cleanups in progress, does not work.
Matti Hamalainen <ccr@tnsp.org>
parents:
13
diff
changeset
|
1306 if ($reportmode) { |
|
66
42889eed0ce8
Lots of cleanups, etc. Documentation updates.
Matti Hamalainen <ccr@tnsp.org>
parents:
65
diff
changeset
|
1307 malt_maintenance(); |
|
11
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
1308 malt_cleanup(); |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
1309 } else { |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
1310 malt_scan(); |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
1311 malt_cleanup(); |
|
26c2cc5077aa
Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
8
diff
changeset
|
1312 } |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1313 } else { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1314 if (my $pid = fork) { |
|
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1315 open(PIDFILE, ">", $pid_file) or mdie("Could not open pid file '".$pid_file."' for writing!\n"); |
|
0
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1316 print PIDFILE "$pid\n"; |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1317 close(PIDFILE); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1318 } else { |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1319 malt_scan(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1320 malt_cleanup(); |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1321 } |
|
fec14263801d
Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff
changeset
|
1322 } |