annotate maltfilter @ 65:d2e2b82dd2f2
Work on DroneBL support.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Tue, 18 Aug 2009 00:43:10 +0300 |
parents | 6917de5b91be |
children | 42889eed0ce8 |
#!/usr/bin/perl -w
#############################################################################
#
# Malicious Attack Livid Termination Filter daemon (maltfilter)
# Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org>
# (C) Copyright 2009 Tecnic Software productions (TNSP)
#
#############################################################################
# Warnings come from the -w switch on the shebang line; there is no
# "use warnings" pragma, so they are global rather than lexically scoped.
use strict;
# Non-core CPAN dependencies.
use Date::Parse;
use Net::IP;
use Net::DNS;
use LWP::UserAgent;
my $progversion = "0.15.0";

# Program banner text; the version is interpolated, the "@" in the
# e-mail address is escaped so it is not taken as an array.
my $progbanner = join("",
    "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n",
    "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n",
    "(C) Copyright 2009 Tecnic Software productions (TNSP)\n",
);
#############################################################################
### Default settings and configuration
#############################################################################
# Built-in defaults; keys are looked up as $settings{"NAME"} elsewhere.
my %settings = (
    # General daemon behaviour
    VERBOSITY           => 3,
    DRY_RUN             => 1,
    WEED_FILTER         => 168,                # in hours
    WEED_GLOBAL         => 336,                # in hours
    THRESHOLD           => 3,
    ACTION              => "DROP",
    LOGFILE             => "",
    IPTABLES            => "/sbin/iptables",

    # Password file and UID range used for the system account list
    PASSWD              => "/etc/passwd",
    SYSACCT_MIN_UID     => 1,
    SYSACCT_MAX_UID     => 100,

    # Status output
    FULL_TIME           => 1,
    STATUS_FILE_PLAIN   => "",
    STATUS_FILE_HTML    => "",
    STATUS_FILE_CSS     => "",
    WHOIS_URL           => "http://whois.domaintools.com/",

    # Check-specific settings consumed by check_log_line()
    CHK_SSHD            => 1,
    CHK_KNOWN_CGI       => 1,
    CHK_PHP_XSS         => 1,
    CHK_PROXY_SCAN      => 1,
    CHK_ROOT_SSH_PWD    => 0,
    CHK_SYSACCT_SSH_PWD => 0,
    CHK_GOOD_HOSTS      => "",

    # Evidence gathering
    EVIDENCE            => 0,
    EVIDENCE_DIR        => "",

    # DroneBL reporting
    DRONEBL             => 0,
    DRONEBL_THRESHOLD   => 5,
    DRONEBL_MAX_AGE     => 30,                 # in minutes
    DRONEBL_RPC_URI     => "http://dronebl.org/RPC2",
    DRONEBL_RPC_KEY     => "",
);
# Default set of addresses that are never blocked; only loopback built in.
my @noblock_ips_def = qw(127.0.0.1);
# Names of system accounts, keyed by login name (check_log_line() only tests
# for key existence). Presumably filled from PASSWD using the SYSACCT_*_UID
# range -- confirm where it is populated.
my %systemacct;

# Forward declaration so check_log_line() can call check_add_hit() before
# its definition.
# NOTE(review): this prototype demands six scalar arguments, but every call
# in check_log_line() passes five (ip, timestamp, class, message, flag);
# with the prototype visible at the call site perl rejects those calls at
# compile time, so one side or the other needs updating.
sub check_add_hit($$$$$$);
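#############################################################################
### Check given logfile line for matches
#############################################################################
# Scan a single log line for the attack patterns maltfilter knows about and
# report each match through check_add_hit(). The line is taken from the
# sole argument (the previous version matched $_ and ignored its argument,
# so it only worked when the caller happened to have the line in $_).
# Three log formats are recognised: sshd syslog lines, Apache error-log
# lines and Apache common-log-format access lines; anything else is ignored.
#
# The IPv4 patterns below accept any four dotted runs of digits; the captured
# address is handed to check_add_hit() without further validation, which is
# presumably where it is checked before reaching iptables -- confirm.
#
# NOTE(review): check_add_hit() is forward-declared with a six-argument
# prototype but called here with five arguments; see that declaration.
sub check_log_line($)
{
    my $line = $_[0];

    # (1) SSHD scans: "<Mon dd hh:mm:ss> <host> sshd[pid]: <message>".
    # The timestamp text is passed on as-is.
    if ($line =~ /^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: (.*)/) {
        my $mdate = $1;
        my $merr = $2;

        # (1.1) Generic login scan attempts against non-existent users
        if ($merr =~ /^Failed password for invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)/) {
            my $mip = $2;
            check_add_hit($mip, $mdate, "SSH login scan", "", $settings{"CHK_SSHD"});
        }
        # (1.2) Root account SSH login password bruteforcing attempts.
        # Matched against the sshd message ($merr), not the whole line: the
        # line starts with the timestamp, so the anchored match on the full
        # line used here before could never succeed and this check was dead.
        elsif ($merr =~ /^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) {
            my $mip = $1;
            check_add_hit($mip, $mdate, "Root SSH password bruteforce", "", $settings{"CHK_ROOT_SSH_PWD"});
        }
        # (1.3) System account SSH login password bruteforcing attempts.
        # This pattern also matches the lines handled in (1.1) and (1.2)
        # (with "invalid" or "root" as the account); those simply fail the
        # %systemacct lookup.
        if ($merr =~ /^Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)/) {
            my $macct = $1;
            my $mip = $2;
            if (defined($systemacct{$macct})) {
                check_add_hit($mip, $mdate, "SSH system account bruteforce", $macct, $settings{"CHK_SYSACCT_SSH_PWD"});
            }
        }
    }
    # (2) Apache error log: common/known vulnerable CGI/PHP software scans (like phpMyAdmin)
    elsif ($line =~ /^\[(.+?)\]\s+\[error\]\s+\[client\s+(\d+\.\d+\.\d+\.\d+)\]\s+(.+)$/) {
        my $mdate = $1;
        my $mip = $2;
        my $merr = $3;
        if ($merr =~ /^File does not exist: (.+)$/) {
            my $path = $1;
            # NOTE(review): several of these fragments ("admin", "sql", "wiki",
            # "round", "zen") are short enough to appear in ordinary missing
            # files, and each such 404 counts towards THRESHOLD for the client;
            # consider anchoring them to path components to limit false blocks.
            if ($path =~ /\/mss2|\/pma|admin|sql|\/roundcube|\/webmail|\/bin|\/mail|xampp|zen|mailto:|appserv|cube|round|_vti_bin|wiki/i) {
                check_add_hit($mip, $mdate, "CGI vuln scan", $path, $settings{"CHK_KNOWN_CGI"});
            }
        }
    }
    # (3) Apache common logging format checks (GET requests only)
    elsif ($line =~ /(\d+\.\d+\.\d+\.\d+)\s+-\s+-\s+\[(.+?)\]\s+\"GET (\S*?) HTTP\//) {
        my $mip = $1;
        my $mdate = $2;
        my $merr = $3;

        # (3.1) Simple match for generic PHP XSS vulnerability scans: a query
        # parameter of a .php script whose value is a full http:// URL.
        # The host is copied into a lexical before the call because $1 is
        # aliased through @_ and would be clobbered by any match inside
        # check_hosts().
        if ($merr =~ /\.php\?\S*?=http:\/\/([^\/]+)/) {
            my $mhost = $1;
            if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $mhost)) {
                if ($merr =~ /\.php\?\S*?=(http:\/\/[^\&\?]+\??)/) {
                    check_add_evidence($mip, $1, $merr);
                }
                check_add_hit($mip, $mdate, "PHP XSS", $merr, $settings{"CHK_PHP_XSS"});
            }
        }
        # (3.2) Try to match proxy scanning attempts: an absolute URL as the
        # request target.
        elsif ($merr =~ /^http:\/\/([^\/]+)/) {
            my $mhost = $1;
            if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $mhost)) {
                check_add_hit($mip, $mdate, "Proxy scan", $merr, $settings{"CHK_PROXY_SCAN"});
            }
        }
    }
}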
#############################################################################
### Global variables
#############################################################################
my $reportmode = 0;      # Full report mode
my @scanfiles;           # Files to scan (followed continuously)
my @scanfiles_once;      # Files scanned only once, at startup or on HUP
my @noblock_ips;         # IPs not to block
my %filehandles;         # Open filehandles of the scanned log files
my $pid_file = "";       # Name of the maltfilter daemon pid file
my @configfiles;         # Configuration file names
my $LOGFILE;             # Maltfilter logfile handle
my %dronebl;             # DroneBL reporting state; presumably keyed by IP -- confirm

# IPs currently blocked in Netfilter: $blocklist{$ip} = date
my %blocklist;

# Gathered information about hosts:
#   $statlist{$ip}->
#       "date1" = timestamp of first hit
#       "date2" = timestamp of latest hit
#       "hits"  = number of hits to this IP
#   $statlist{$ip}{"reason"}{$class}->
#       "msg"   = reason message (array if $reportmode)
#       "hits"  = hits to this class
#       "date1" = timestamp of first hit
#       "date2" = timestamp of latest hit
my %statlist;

# Gathered information about ignored hits (e.g. hits for tests that are
# not enabled); same fields as in %statlist
my %ignorelist;
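#############################################################################
### Status output functionality
#############################################################################
# Percent-encode a string for use inside a URL (e.g. the WHOIS_URL link).
# Letters, digits and underscore pass through, a space becomes "+", every
# other character becomes %XX. Always emits two hex digits: the earlier
# "%lx" format produced e.g. "%A" for a newline, which is not valid
# percent-encoding. Input is presumably plain ASCII (addresses, host names);
# characters above 0xFF would still come out as a single wide escape.
sub urlencode($)
{
    my $value = $_[0];
    $value =~ s/([^a-zA-Z_0-9 ])/sprintf("%%%02X", ord($1))/eg;
    $value =~ tr/ /+/;
    return $value;
}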
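# Characters that must be escaped in HTML text, with their entity names.
my %entities = (
    "<" => "lt",
    ">" => "gt",
    "&" => "amp",
);

# Escape <, > and & so the string can be embedded in HTML output.
# Done in a single pass: the earlier loop substituted one character per
# iteration in hash-key order, so whenever "&" was handled after "<" or ">"
# the just-inserted "&lt;"/"&gt;" was escaped again to "&amp;lt;", and the
# output depended on Perl's hash ordering.
sub htmlentities($)
{
    my $value = $_[0];
    # Alternation built from the keys so %entities stays the single source.
    my $pattern = join("|", map { quotemeta($_) } keys %entities);
    $value =~ s/($pattern)/"&" . $entities{$1} . ";"/eg;
    return $value;
}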
# Render a Unix timestamp as a local-time string; a negative value means
# "unknown" and yields "?".
sub get_time_str($)
{
    my $stamp = $_[0];
    return "?" if $stamp < 0;
    return scalar localtime($stamp);
}
# Unit table for get_ago_str(): seconds per unit, largest first, with the
# matching plural and singular names (a month is fixed at 30 days).
my @paskat  = (2592000, 604800, 86400, 3600, 60);
my @opaskat = qw(months weeks days hours minutes);
my @upaskat = qw(month week day hour minute);
206 sub get_ago_str($) |
207 { |
208 return get_time_str($_[0]) if ($settings{"FULL_TIME"}); |
209 if ($_[0] >= 0) { |
210 my $str = ""; |
211 my $cur = time() - $_[0]; |
212 my ($r, $k, $p, $n); |
213 $n = 0; |
214 foreach my $div (@paskat) { |
215 $r = int($cur / $div); |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
216 $k = ($cur % $div); |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
217 if ($r > 0) { |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
218 $p = ($r > 1) ? $opaskat[$n] : $upaskat[$n]; |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
219 $str .= ", " if ($str ne ""); |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
220 $str .= sprintf("%d %s", $r, $p); |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
221 } |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
222 $cur = $k; |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
223 $n++; |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
224 } |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
225 return $str." ago"; |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
226 } else { |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
227 return "?"; |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
228 } |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
229 } |
230 |
# Print a heading to $fh.
# Arguments: (html_mode, filehandle, level, text).
# HTML mode emits <hN>text</hN>; plain mode emits the text followed by an
# underline of "=" (level 1) or "-" (deeper levels) of the same length.
sub printH($$$$)
{
    my ($html, $fh, $level, $text) = @_;
    if ($html) {
        print $fh "<h" . $level . ">" . $text . "</h" . $level . ">\n";
    } else {
        my $mark = ($level <= 1) ? "=" : "-";
        my $underline = $mark x length($text);
        print $fh $text . "\n" . $underline . "\n";
    }
}
241 |
# Print one table cell to $fh.
# Arguments: (html_mode, filehandle, content, [attributes]).
# HTML mode wraps the content in <td ...>; the optional attribute string
# is inserted verbatim (padded with a space on each side). Plain mode
# prints the content as-is.
sub printTD
{
    my ($html, $fh, $content, $attrs) = @_;
    unless ($html) {
        print $fh $content;
        return;
    }
    my $attr_str = defined($attrs) ? " " . $attrs . " " : "";
    print $fh "<td" . $attr_str . ">" . $content . "</td>";
}
252 |
# Print a paragraph to $fh.
# Arguments: (html_mode, filehandle, text).
# HTML mode wraps the text in <p>...</p>; plain mode appends a newline.
sub printP($$$)
{
    my ($html, $fh, $text) = @_;
    my $out = $html ? "<p>\n" . $text . "</p>\n" : $text . "\n";
    print $fh $out;
}
262 |
# Print mode-dependent text to $fh.
# Arguments: (html_mode, filehandle, html_text, [plain_text]).
# In HTML mode html_text is printed; otherwise plain_text is printed
# when it was given, and nothing at all when it was not.
sub printElem
{
    my ($html, $fh, $html_text, $plain_text) = @_;
    if ($html) {
        print $fh $html_text;
    } else {
        print $fh $plain_text if (defined($plain_text));
    }
}
272 |
# Opening bold tag in HTML mode, empty string otherwise.
sub bb($)
{
    my ($html) = @_;
    return "" unless ($html);
    return "<b>";
}
277 |
# Closing bold tag in HTML mode, empty string otherwise.
sub eb($)
{
    my ($html) = @_;
    return "" unless ($html);
    return "</b>";
}
282 |
# Opening tag "<$tag>" in HTML mode, empty string otherwise.
# Arguments: (html_mode, tag_name). The tag name is not escaped.
sub pe($$)
{
    my ($html, $tag) = @_;
    return "" unless ($html);
    return "<" . $tag . ">";
}
287 |
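# Render an IP address for the report.
# Arguments: (html_mode, ip). Returns the string to print.
# In HTML mode, when the WHOIS_URL setting is configured, the address is
# wrapped in a link to the WHOIS service; in every other case the bare
# address is returned. (Previously the "no WHOIS_URL" branch returned
# the html_mode flag instead of the address.)
sub get_link($$)
{
    my ($html, $ip) = @_;
    my $whois = $settings{"WHOIS_URL"};
    return $ip unless ($html && defined($whois) && $whois ne "");
    # The address originates from parsed log data, so the href is
    # entity-encoded like the link text already was; htmlentities() is
    # defined elsewhere in this file and is assumed to encode &, <, > and
    # the double quote.
    return "<a href=\"" . htmlentities($whois . $ip) . "\">" .
        htmlentities($ip) . "</a>";
}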
297 |
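# Print the detailed per-address table used by the blocklist report.
# Arguments: (html_mode, filehandle, table, keys, sort_func, css_class).
#   $table - hashref keyed by IP; each entry carries "hits", "date1",
#            "date2" and a "reason" hash keyed by reason class, with
#            "hits" and "msg" per class
#   $keys  - hashref whose keys select which $table entries are printed
#   $func  - comparator, called as $func->($table, $a, $b) by sort()
#   $class - CSS class of the <table> element (HTML mode only)
# Rows are tagged "blocked"/"unblocked" from the global %blocklist.
# Reason class "IPTABLES" is omitted as redundant in this report.
sub print_table1($$$$$$)
{
    my ($m, $f, $table, $keys, $func, $class) = @_;
    my $ntotal = 0;

    printElem($m, $f,
        "<table class=\"".$class."\">\n".
        "<tr><th>Hits</th><th>IP-address</th><th>First hit</th><th>Latest hit</th><th>Reason(s)</th></tr>\n",

        "Hits | IP-address | First hit | Latest hit | Reason(s)\n"
    );

    foreach my $mip (sort { $func->($table, $a, $b) } keys %{$keys}) {
        my $blocked = defined($blocklist{$mip}) ? "blocked" : "unblocked";
        printElem($m, $f, " <tr class=\"$blocked\">");
        printTD($m, $f, sprintf(bb($m)."%-10d".eb($m), $table->{$mip}{"hits"}));
        printElem(!$m, $f, " | ");
        printTD($m, $f, sprintf("%-15s", get_link($m, $mip)));
        printElem(!$m, $f, " | ");
        printTD($m, $f, get_ago_str($table->{$mip}{"date1"}));
        printElem(!$m, $f, " | ");
        printTD($m, $f, get_ago_str($table->{$mip}{"date2"}));
        printElem(!$m, $f, " | ");
        my @reasons = ();
        # Reason class, named $rclass so it no longer shadows the $class
        # parameter (the table's CSS class) inside the loop.
        foreach my $rclass (sort keys %{$table->{$mip}{"reason"}}) {
            my $msgs;
            if ($rclass ne "IPTABLES") {
                if ($reportmode) {
                    # Newest messages first, at most six of them.
                    my @tmp = reverse(@{$table->{$mip}{"reason"}{$rclass}{"msg"}});
                    if ($#tmp > 5) { $#tmp = 5; }
                    foreach (@tmp) { $_ = htmlentities($_); }
                    $msgs = join(" ".bb($m)."|".eb($m)." ", @tmp);
                } else {
                    # NOTE(review): in report mode "msg" is an array ref; if it
                    # is one here as well this stringifies as ARRAY(0x...) —
                    # confirm what the daemon stores in non-report mode.
                    $msgs = $table->{$mip}{"reason"}{$rclass}{"msg"};
                }
                push(@reasons, bb($m).$rclass.eb($m)." #".$table->{$mip}{"reason"}{$rclass}{"hits"}.
                    " ( ".$msgs." )");
            }
        }
        printTD($m, $f, join(", ", @reasons));
        printElem($m, $f, "</tr>\n", "\n");
        $ntotal++;
    }
    printElem($m, $f, "</table>\n");
    printP($m, $f, bb($m).$ntotal.eb($m)." entries total.\n");
}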
344 |
# Comparator for dotted-quad addresses, usable as a $func for the table
# printers: compares octet by octet numerically in DESCENDING order
# (returns -1 when the first address is the larger one, 1 when it is the
# smaller, 0 when equal). The first argument (the table) is unused and
# only exists so the signature matches the other comparators.
sub cmp_ips($$$)
{
    my (undef, $addr_a, $addr_b) = @_;
    my @oct_a = split(/\./, $addr_a);
    my @oct_b = split(/\./, $addr_b);
    foreach my $i (0 .. 3) {
        my $order = $oct_b[$i] <=> $oct_a[$i];
        return $order if ($order);
    }
    return 0;
}
355 |
# Return the index (0..2) of the first differing octet among the first
# three octets of two dotted-quad addresses, or 4 when those three all
# match (i.e. both addresses lie in the same /24). Used by print_table2
# to decide when to switch the row background colour.
sub test_ips($$)
{
    my ($addr_a, $addr_b) = @_;
    my @oct_a = split(/\./, $addr_a);
    my @oct_b = split(/\./, $addr_b);
    foreach my $i (0 .. 2) {
        next if ($oct_a[$i] == $oct_b[$i]);
        return $i;
    }
    return 4;
}
365 |
# Alternating row background colours for print_table2; entries are
# cycled through with "% scalar @ipcolors".
my @ipcolors = ('#666', '#777');
370 |
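# Print the two-column summary table: entries are laid out side by side,
# first half of the sorted keys on the left, second half on the right.
# Arguments: (html_mode, filehandle, table, keys, sort_func, css_class).
#   $table - hashref keyed by IP with "hits", "date1", "date2", "reason"
#   $keys  - hashref whose keys select which $table entries are printed
#   $func  - comparator, called as $func->($table, $a, $b) by sort()
#   $class - CSS class of the <table> element (HTML mode only)
# Cells are tagged "blocked"/"unblocked" from the global %blocklist, and
# the address cell's background colour changes whenever the /24 differs
# from the previous address in the same column.
#
# Fix: the old split (kmax = nkeys / 2, right column starting at
# i + kmax + 1) skipped one entry and printed an empty trailing row for
# every even key count; rows are now ceil(nkeys / 2) with the right
# column starting at that offset, so every key is printed exactly once.
sub print_table2($$$$$$)
{
    my ($m, $f, $table, $keys, $func, $class) = @_;
    my $nhits = 0;
    my $header = "<th>IP-address</th><th>Hits</th><th>First hit</th><th>Latest hit</th><th>Class</th>";
    my $header2 = "IP-address | Hits | First hit | Latest hit | Class ";

    printElem($m, $f,
        "<table class=\"".$class."\">\n<tr>". $header."<th> </th>".$header ."</tr>\n",
        $header2." || ".$header2."\n");

    # Per column: previous address printed, and current colour index.
    my @previp = ("0.0.0.0", "0.0.0.0");
    my @ncolor = (0, 0);

    # Print one entry's cells; ($ip, $col) with $col 0 = left, 1 = right.
    my $printEntry = sub {
        my ($ip, $col) = @_;
        my $blocked = "class=\"".(defined($blocklist{$ip}) ? "blocked" : "unblocked")."\"";
        # Switch colour when the first three octets differ from the previous row.
        if (test_ips($previp[$col], $ip) < 3) {
            $ncolor[$col]++;
        }
        $previp[$col] = $ip;
        my $style = "style=\"background: ".$ipcolors[$ncolor[$col] % scalar @ipcolors].";\"";

        printTD($m, $f, sprintf("%-15s", get_link($m, $ip)), $style);
        printElem(!$m, $f, " | ");
        printTD($m, $f, sprintf("%-8d ", $table->{$ip}{"hits"}), $blocked);
        printElem(!$m, $f, " | ");
        printTD($m, $f, get_ago_str($table->{$ip}{"date1"}), $blocked);
        printElem(!$m, $f, " | ");
        printTD($m, $f, get_ago_str($table->{$ip}{"date2"}), $blocked);
        printElem(!$m, $f, " | ");
        my $tmp = join(", ", sort keys %{$table->{$ip}{"reason"}});
        printTD($m, $f, sprintf("%-30s", $tmp), $blocked);
        $nhits += $table->{$ip}{"hits"};
    };

    my @mkeys = sort { $func->($table, $a, $b) } keys %{$keys};
    my $nkeys = scalar @mkeys;
    # Row count: the left column gets the first half rounded up.
    my $nrows = int(($nkeys + 1) / 2);

    for (my $i = 0; $i < $nrows; $i++) {
        printElem($m, $f, " <tr>");
        $printEntry->($mkeys[$i], 0);
        printElem($m, $f, "<th> </th>", " || ");
        if ($i + $nrows < $nkeys) { $printEntry->($mkeys[$i + $nrows], 1); }
        printElem($m, $f, "</tr>\n", "\n");
    }

    printElem($m, $f, "</table>\n");
    printP($m, $f, bb($m).$nkeys.eb($m)." entries total, ".bb($m).$nhits.eb($m)." hits total.\n");
}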
423 |
# Comparator for the table printers: most recent latest-hit ("date2")
# first, ties broken by hit count, highest first.
# Called as ($table, $key_a, $key_b); both keys must exist in $table.
sub cmp_hits($$$)
{
    my ($table, $key_a, $key_b) = @_;
    my $ent_a = $table->{$key_a};
    my $ent_b = $table->{$key_b};
    return ($ent_b->{"date2"} <=> $ent_a->{"date2"})
        || ($ent_b->{"hits"} <=> $ent_a->{"hits"});
}
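### Format a duration given in hours as a human-readable string:
### "N months[, N days]" (30-day months), "N.N weeks", "N days[, N hours]"
### or "N hours", depending on the length. Returns the formatted string.
sub get_period($)
{
    my ($hours) = @_;
    my $str;

    if ($hours > 30 * 24) {
        # The remainder after whole months is still in hours; it has to be
        # converted to whole days before being printed as days.
        my $months = int($hours / (30 * 24));
        my $days = int(($hours % (30 * 24)) / 24);
        $str = sprintf("%d months", $months);
        $str .= sprintf(", %d days", $days) if ($days > 0);
    } elsif ($hours > 24 * 7) {
        $str = sprintf("%1.1f weeks", $hours / (24.0 * 7.0));
    } elsif ($hours > 24) {
        my $days = int($hours / 24);
        my $rem = $hours % 24;
        $str = sprintf("%d days", $days);
        $str .= sprintf(", %d hours", $rem) if ($rem > 0);
    } else {
        $str = sprintf("%d hours", $hours);
    }
    return $str;
}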
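### Write the status report to $filename; $m is the output mode that is
### passed through to the print* helpers (HTML or plain text markup).
### Does nothing when $filename is empty or undefined. Dies via mdie() when
### the file cannot be opened or fully written.
sub generate_status($$)
{
    my ($filename, $m) = @_;

    return unless (defined($filename) && $filename ne "");

    # Lexical filehandle: the bareword STATUS is also used by other code in
    # this file, so a shared global handle could be clobbered.
    open(my $f, ">", $filename) or mdie("Could not open '".$filename."'!\n");

    printElem($m, $f, "
<html>
<head>
<title>Maltfilter status report</title>
");

    # Optional stylesheet reference; the value comes from the configuration.
    printElem($m, $f, "<link href=\"".$settings{"STATUS_FILE_CSS"}."\" rel=\"stylesheet\" type=\"text/css\" />")
        if ($settings{"STATUS_FILE_CSS"});

    printElem($m, $f, "
</head>
<body>
");

    printH($m, $f, 1, "Maltfilter v$progversion status report");
    my $period = get_period($settings{"WEED_GLOBAL"});

    printP($m, $f,
        "Generated ".bb($m).get_time_str(time()).eb($m).". Data computed from ".
        ($reportmode ? "complete logfile scan" : "a period of last $period").".\n");

    printP($m, $f, "The hit classes marked as 'IPTABLES' are a pseudo-class meaning an\n".
        "blocked IP that was in Netfilter before Maltfilter was started.\n");

    printH($m, $f, 2, "Currently filtered entries");
    $period = get_period($settings{"WEED_FILTER"});
    printP($m, $f, "List of IPs that are currently filtered (or would be, if this is\n".
        "a report-only mode). Data from period of $period.\n");
    print_table1($m, $f, \%statlist, \%blocklist, \&cmp_hits, "blocked");

    printH($m, $f, 2, "Summary of non-ignored entries");
    printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not\n".
        "necessarily acted upon. Sorted by descending IP address.\n");
    print_table2($m, $f, \%statlist, \%statlist, \&cmp_ips, "global");

    printH($m, $f, 2, "Ignored entries");
    printP($m, $f, "List of hits that were ignored (not acted upon), because the test was disabled.\n".
        "Notice that the entry may be blocked due to other checks, however.\n");
    print_table1($m, $f, \%ignorelist, \%ignorelist, \&cmp_hits, "ignored");

    printElem($m, $f, "</body>\n</html>\n");

    # Buffered write errors (e.g. a full disk) only surface at close().
    close($f) or mdie("Could not write '".$filename."': $!\n");
}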
510 ############################################################################# |
65 | 511 ### DroneBL submission support |
512 ############################################################################# | |
### Build an XML request listing every %dronebl entry that has not been
### submitted yet ("sent" == 0) and POST it to the configured
### DRONEBL_RPC_URI with the DRONEBL_RPC_KEY. Disabled unless the DRONEBL
### setting is greater than zero.
###
### NOTE(review): $ip, the entry "type" and the RPC key are concatenated
### into the XML without escaping; anything other than a plain dotted quad
### or a simple token would break or alter the request. Validate (or
### XML-escape) these values before the concatenation below.
### NOTE(review): the unconditional "return;" after the STDERR dump makes
### the whole submission part unreachable -- presumably a debugging stub
### left while this feature is being worked on.
sub dronebl_process
{
    # return if ($reportmode);
    # Numeric comparison warns when the setting is absent; seems to expect
    # DRONEBL to always be defined by the configuration loader -- confirm.
    return unless ($settings{"DRONEBL"} > 0);

    # Create submission data
    my $xml = "<?xml version=\"1.0\"?>\n<request key=\"".$settings{"DRONEBL_RPC_KEY"}."\">\n";
    my $entries = 0;
    while (my ($ip, $entry) = each(%dronebl)) {
        if ($entry->{"sent"} == 0) {
            $xml .= "<add ip=\"".$ip."\" type=\"".$entry->{"type"}."\" />\n";
            $entries++;
        }
    }
    $xml .= "</request>\n";

    mlog(1, "Trying to submit $entries entries to DroneBL.\n");
    # Debug output: the full request (including the RPC key) goes to STDERR.
    print STDERR $xml;
    # Everything below this return is currently dead code.
    return;

    return unless ($entries > 0);

    # Submit via HTTP XML-RPC
    my $tmp = LWP::UserAgent->new;
    $tmp->agent("Maltfilter/".$progversion);
    $tmp->timeout(10);
    my $req = HTTP::Request->new(POST => $settings{"DRONEBL_RPC_URI"});
    $req->content_type("text/xml");
    $req->content($xml);
    $req->user_agent("Maltfilter/".$progversion);
    my $res = $tmp->request($req);

    if ($res->is_success) {
        # A successful POST marks every entry as sent, not only the ones
        # that were included in this request.
        while (my ($ip, $entry) = each(%dronebl)) {
            $entry->{"sent"} = 1;
        }
    } else {
        mlog(-1, "DroneBL submission failed: [".$res->code."] ".$res->message."\n");
    }

    # Remove submitted expired entries
    # NOTE(review): despite the comment, this loop only prints the entries
    # whose "date" fails check_time3(); nothing is deleted from %dronebl yet.
    while (my ($ip, $entry) = each(%dronebl)) {
        print "$ip: ".$entry->{"sent"}."\n" unless check_time3($entry->{"date"});
    }
}
560 ############################################################################# | |
561 ### Evidence gathering |
562 ############################################################################# |
# Pending evidence keyed by the offending URL. Each value holds "coll" (the
# filename-safe form of the URL), "hosts" (set of source IPs) and "full"
# (set of full request strings); filled by check_add_evidence() and
# consumed (and emptied) by gather_evidence().
my %evidence = ();
### Record one piece of evidence: the URL $mdata, seen from source address
### $mip in the full request $mfull. Only active when the EVIDENCE setting
### is on. The URL is also reduced to a filename-safe "collection" name that
### gather_evidence() uses as the basename of the evidence files.
sub check_add_evidence($$$)
{
    my ($mip, $mdata, $mfull) = @_;

    return unless ($settings{"EVIDENCE"});

    # Derive a file name stem from the untrusted URL: drop the scheme, turn
    # a leading run of dots into "_" (no dot-files, no ".."), then replace
    # everything outside [A-Za-z0-9:.] with "_" so no path separator
    # survives. Distinct URLs may still collapse to the same stem.
    my $coll = $mdata;
    $coll =~ s{http://}{};
    $coll =~ s{\A\.+}{_};
    $coll =~ tr/A-Za-z0-9:./_/c;

    my $rec = $evidence{$mdata} ||= {};
    $rec->{"coll"} = $coll;
    $rec->{"hosts"}{$mip} = 1;
    $rec->{"full"}{$mfull} = 1;
}
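### Fetch $url with a GET request, sending $referer as the Referer header,
### and return the HTTP::Response. The URL is untrusted (it was taken from a
### logged request), so the client only speaks http/https and the response
### body is capped; LWP marks a truncated response with a "Client-Aborted"
### header rather than failing it.
sub http_fetch($$)
{
    my ($url, $referer) = @_;

    # Upper bound for one piece of evidence, so a hostile URL cannot fill
    # memory or the evidence directory. Chosen here; not configurable yet.
    my $max_bytes = 4 * 1024 * 1024;

    my $ua = LWP::UserAgent->new;
    $ua->agent("-");
    $ua->timeout(10);
    $ua->max_size($max_bytes);
    $ua->protocols_allowed(["http", "https"]);
    $ua->default_headers->referer($referer);
    my $req = HTTP::Request->new(GET => $url);
    return $ua->request($req);
}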
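### Write the fetched body of $res to $filename as raw bytes. Only a 200/201
### response gets its content written; any other result leaves the file
### empty (but present). Dies via mdie() on open or write failure.
sub _write_evidence_data
{
    my ($filename, $res) = @_;
    open(my $fh, ">:raw", $filename) or mdie("Could not open '$filename' for writing.\n");
    if ($res->is_success && $res->code >= 200 && $res->code <= 201) {
        print {$fh} $res->content;
    }
    close($fh) or mdie("Could not write '$filename': $!\n");
}

### Write the retrieval metadata for $url to $filename: status line, content
### type, last-modified, the raw response headers and every full request
### string (keys of %$requests) that referenced the URL.
sub _write_evidence_info
{
    my ($filename, $url, $res, $requests) = @_;
    open(my $fh, ">:raw", $filename) or mdie("Could not open '$filename' for writing.\n");
    print {$fh} "XSS URI : $url\n";
    print {$fh} "Time of retrieval : ".get_time_str(time())."\n";
    print {$fh} "HTTP return code : [".$res->code."] ".$res->message."\n";
    print {$fh} "Content-Type : ".($res->content_type ? $res->content_type : "?")."\n";
    print {$fh} "Last modified : ".($res->last_modified ? $res->last_modified : "?")."\n";
    print {$fh} "------ HTTP Headers ------\n".$res->headers_as_string."\n";
    print {$fh} "------ Requests ------\n";
    print {$fh} $_."\n" foreach (keys %{$requests});
    close($fh) or mdie("Could not write '$filename': $!\n");
}

### Append the hosts in %$hosts to $filename as "ip | name | name ..." lines,
### looking up names through the resolver $dns. When the file already exists,
### hosts already listed in it are removed from %$hosts first so they are
### not written twice.
sub _write_evidence_hosts
{
    my ($filename, $dns, $hosts) = @_;
    my $fh;

    # Check if we are appending hosts to existing data
    if (-e $filename) {
        open(my $in, "<", $filename) or mdie("Could not open '$filename' for reading.\n");
        while (my $line = <$in>) {
            if ($line =~ /^(\d+\.\d+\.\d+\.\d+) *\|/) {
                delete($hosts->{$1}) if (defined($hosts->{$1}));
            }
        }
        close($in);
        open($fh, ">>", $filename) or mdie("Could not open '$filename' for appending.\n");
    } else {
        open($fh, ">", $filename) or mdie("Could not open '$filename' for writing.\n");
    }

    foreach my $host (sort keys %{$hosts}) {
        # Only "ptrdname" fields are kept, so this presumably relies on the
        # resolver turning a bare IP into a reverse lookup -- confirm.
        my @names = ();
        my $query = $dns->search($host);
        if ($query) {
            foreach my $rr ($query->answer) {
                push(@names, $rr->{"ptrdname"}) if defined($rr->{"ptrdname"});
            }
        }
        printf {$fh} "%-15s | %s\n", $host, join(" | ", @names);
    }
    close($fh) or mdie("Could not write '$filename': $!\n");
}

### Collect evidence for every URL recorded by check_add_evidence(): fetch
### the URL body once into "<coll>.data", write the retrieval metadata to
### "<coll>.info", and add the source hosts (with reverse names) to
### "<coll>.hosts". Each handled entry is removed from %evidence. Outside
### report mode the function returns after the first entry that needed a
### fetch, so one pass performs at most one HTTP request. Dies via mdie()
### when the evidence directory is gone or a file cannot be written.
sub gather_evidence
{
    return unless ($settings{"EVIDENCE"});

    my $dns = Net::DNS::Resolver->new;
    my $base = $settings{"EVIDENCE_DIR"};

    mdie("Evidence directory '$base' has disappeared.\n") unless (-e $base);

    foreach my $url (keys %evidence) {
        my $stem = $base."/".$evidence{$url}{"coll"};
        my $filename = $stem.".data";
        my $filename2 = $stem.".hosts";
        my $filename3 = $stem.".info";
        my $did_fetch = 0;

        # Get data contents only once. The .data file is created even when
        # the fetch fails, which also stops a dead URL being retried forever.
        if (! -e $filename) {
            $did_fetch = 1;
            mlog(1, "Fetching evidence for $url\n");
            my $res = http_fetch($url, "");
            _write_evidence_data($filename, $res);
            _write_evidence_info($filename3, $url, $res, $evidence{$url}{"full"});
        }

        _write_evidence_hosts($filename2, $dns, $evidence{$url}{"hosts"});

        # This entry has been handled, delete it
        delete($evidence{$url});

        # If not in report mode, handle only one fetched entry
        return unless ($reportmode || !$did_fetch);
    }
}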
668 ############################################################################# |
669 ### Entry management / handling functions |
670 ############################################################################# |
671 ### Check if given IP or host exists in array |
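### Check whether $chk_host (an IP or a host name) occurs in the array
### @$list. An entry matches either as an identical string or, when both
### values parse via Net::IP, when their binary representations are equal.
### Returns 1 on a match, 0 otherwise.
### NOTE(review): for a range entry such as a CIDR block binip() appears to
### describe only the first address, so this is an equality test, not a
### containment test -- confirm before relying on ranges in host lists.
sub check_hosts_array($$)
{
    my ($list, $chk_host) = @_;
    # Net::IP->new yields undef for anything that is not an IP/range, so a
    # plain host name can only match by the string comparison.
    my $chk_ip = Net::IP->new($chk_host);

    foreach my $host (@{$list}) {
        return 1 if ($chk_host eq $host);
        # Parsing the list entry is pointless when the checked value is not an IP.
        next unless (defined($chk_ip));
        my $ip = Net::IP->new($host);
        return 1 if (defined($ip) && $chk_ip->binip() eq $ip->binip());
    }
    return 0;
}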
690 ### Check IP/host against | separated list of IPs/hosts |
### Check $host against the "|"-separated list of IPs/hosts in $list_str
### (whitespace around the separators is ignored). Returns 1 or 0 exactly as
### check_hosts_array() does.
sub check_hosts($$)
{
    my ($list_str, $host) = @_;
    my @entries = split(/\s*\|\s*/, $list_str);
    return check_hosts_array(\@entries, $host);
}
697 ### Execute iptables |
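### Run the configured iptables binary with the given arguments. The list
### form of system() is used, so no shell is involved and the arguments are
### passed verbatim. With DRY_RUN set the command line is only logged.
### Failures are reported through mlog() (level -1, as the other failure
### messages in this file) with the exit status or signal; nothing is
### returned.
sub exec_iptables(@)
{
    my $iptables = $settings{"IPTABLES"};
    unless (defined($iptables) && $iptables ne "") {
        mlog(-1, "Cannot run iptables: IPTABLES setting is empty.\n");
        return;
    }

    my @args = ($iptables, @_);
    if ($settings{"DRY_RUN"}) {
        mlog(3, ":: ".join(" ", @args)."\n");
        return;
    }

    my $cmd = join(" ", @args);
    my $rc = system(@args);
    if ($rc == -1) {
        # The exec itself failed (binary missing, not executable, ...).
        mlog(-1, "$cmd failed to execute: $!\n");
    } elsif ($? & 127) {
        mlog(-1, "$cmd died with signal ".($? & 127)."\n");
    } elsif ($? != 0) {
        # $? holds the raw wait status; the exit code is in the high byte.
        mlog(-1, "$cmd failed with exit status ".($? >> 8)."\n");
    }
}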
708 ### Get current Netfilter INPUT table entries that match |
709 ### entry types we manage, e.g. blocklist |
710 sub update_blocklist($) |
711 { |
712 # NOTICE: argument not used now |
713 my $first = $_[0]; |
715 $ENV{"PATH"} = ""; |
716 open(STATUS, $settings{"IPTABLES"}." -v -n -L INPUT |") or |
717 mdie("Could not execute ".$settings{"IPTABLES"}."\n"); |
718 my %newlist = (); |
719 undef(%newlist); |
720 while (<STATUS>) { |
721 chomp; |
722 if (/^\s*(\d+)\s+\d+\s+$settings{"ACTION"}\s+all\s+--\s+\*\s+\*\s+(\d+\.\d+\.\d+\.\d+)\s+0\.0\.0\.0\/0\s*$/) { |
723 my $mip = $2; |
724 my $mdate = time(); |
725 if (!defined($blocklist{$mip})) { |
726 mlog(2, "* $mip appeared in iptables.\n") if ($first > 0); |
727 $blocklist{$2} = $mdate; |
728 } |
729 $newlist{$2} = $mdate; |
730 update_entry(\%statlist, $mip, -1, "IPTABLES", "", 0); |
731 } |
732 } |
733 close(STATUS); |
734 |
735 foreach my $mip (keys %blocklist) { |
736 if (!defined($newlist{$mip})) { |
737 mlog(2, "* $mip removed from iptables.\n"); |
738 delete($blocklist{$mip}); |
739 } |
740 } |
741 } |
### Check if given timestamp is _newer_ than weedperiod threshold.
### Returns false if timestamp is over weed period, e.g. needs weeding.
### The WEED_FILTER setting is in hours; the argument is an epoch time.
sub check_time1($)
{
    my $oldest_kept = time() - ($settings{"WEED_FILTER"} * 60 * 60);
    return ($_[0] > $oldest_kept);
}

### Same test as check_time1(), but against the WEED_GLOBAL period
### (hours); used for the stat and ignore lists rather than the blocklist.
sub check_time2($)
{
    my $oldest_kept = time() - ($settings{"WEED_GLOBAL"} * 60 * 60);
    return ($_[0] > $oldest_kept);
}

### DroneBL variant: true if the timestamp is within DRONEBL_MAX_AGE,
### which is configured in minutes (unlike the weed periods, in hours).
sub check_time3($)
{
    my $oldest_kept = time() - ($settings{"DRONEBL_MAX_AGE"} * 60);
    return ($_[0] > $oldest_kept);
}

### Weed out old entries: remove the netfilter rule for one blocked
### address and forget the address in all three bookkeeping lists.
sub weed_do($)
{
    my ($mip) = @_;
    my $blocked_at = $blocklist{$mip};

    mlog(2, "* Weeding $mip (".get_time_str($blocked_at).")\n");

    # Mirror image of the rule inserted by check_add_hit(); the explicit
    # "-d 0.0.0.0/0" is the destination iptables -L prints for such rules
    # (see the import regex in update_blocklist()).
    exec_iptables("-D", "INPUT", "-s", $mip, "-d", "0.0.0.0/0", "-j", $settings{"ACTION"});

    # Drop the address everywhere so a later hit starts counting afresh.
    delete($blocklist{$mip});
    delete($statlist{$mip});
    delete($ignorelist{$mip});
}

### Periodic cleanup: expire blocklist entries (and their netfilter
### rules) past WEED_FILTER, then drop stale stat/ignore records past
### WEED_GLOBAL. Does nothing in report mode.
sub weed_entries()
{
    # Don't weed in report mode.
    return if ($reportmode);

    # Blocked entries: a negative timestamp is weeded unconditionally,
    # anything else once it is older than the WEED_FILTER period.
    for my $mip (keys %blocklist) {
        next unless defined($blocklist{$mip});
        if ($blocklist{$mip} < 0 || !check_time1($blocklist{$mip})) {
            weed_do($mip);
        }
    }

    # Stale stats: keep the record while it is recent enough, or while
    # the address is still blocked (weed_do() removes it then).
    for my $mip (keys %statlist) {
        next unless defined($statlist{$mip});
        my $last_hit = $statlist{$mip}{"date2"};
        next if (check_time2($last_hit) || defined($blocklist{$mip}));
        mlog(3, "* Deleting stale $mip (".get_time_str($last_hit).")\n");
        delete($statlist{$mip});
    }

    # Ignored hits are only bound by the WEED_GLOBAL period.
    for my $mip (keys %ignorelist) {
        next unless defined($ignorelist{$mip});
        my $last_hit = $ignorelist{$mip}{"date2"};
        next if (check_time2($last_hit));
        mlog(3, "* Deleting stale ignored $mip (".get_time_str($last_hit).")\n");
        delete($ignorelist{$mip});
    }
}

### Update one entry data: maintain the "date1" (first seen) and
### "date2" (last seen) timestamps of the given record hashref.
sub update_date($$)
{
    my ($rec, $when) = @_;

    # date1 is set once. A negative stored value (update_blocklist()
    # passes -1 for entries imported from netfilter, whose real first
    # hit is unknown) is replaced by the first positive time seen.
    my $first = $rec->{"date1"};
    if (!defined($first) || ($when > 0 && $first < 0)) {
        $rec->{"date1"} = $when;
    }

    # date2 only ever moves forward.
    my $last = $rec->{"date2"};
    if (!defined($last) || $when > $last) {
        $rec->{"date2"} = $when;
    }
}

### Record one hit for $mip in the given list (\%statlist or
### \%ignorelist), creating the per-address entry and its per-class
### "reason" record when missing. $mreason is the message text; the
### hit counters are bumped only when $addhits is true.
### Returns the entry's total hit count.
sub update_entry($$$$$$)
{
    my ($struct, $mip, $mdate, $mclass, $mreason, $addhits) = @_;

    if (!defined($struct->{$mip})) {
        $struct->{$mip} = {};
    }
    my $entry = $struct->{$mip};

    if (!defined($entry->{"reason"}{$mclass})) {
        $entry->{"reason"}{$mclass} = {};
    }
    my $reason = $entry->{"reason"}{$mclass};

    # Counters: bump when requested, otherwise just make sure they exist
    # (update_blocklist() passes $addhits = 0 when importing from netfilter).
    if ($addhits) {
        $entry->{"hits"}++;
        $reason->{"hits"}++;
    } else {
        if (!defined($entry->{"hits"})) {
            $entry->{"hits"} = 1;
        }
        if (!defined($reason->{"hits"})) {
            $reason->{"hits"} = 1;
        }
    }

    # Report mode keeps every message for the class; daemon mode keeps
    # only the most recent one.
    if ($reportmode) {
        push(@{$reason->{"msg"}}, $mreason);
    } else {
        $reason->{"msg"} = $mreason;
    }

    # First/last-seen timestamps on both the entry and the class record.
    update_date($entry, $mdate);
    update_date($reason, $mdate);

    return $entry->{"hits"};
}

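### Check if given "try count" exceeds threshold and if entry
### is NOT in Netfilter already, then add it if so.
###
### Arguments: IP address, timestamp string (parsed with str2time()),
### hit class, reason text, DroneBL type (> 0 means reportable) and the
### condition flag telling whether the matching test is enabled.
### Returns nothing useful.
sub check_add_hit($$$$$$)
{
    my ($mip, $mdatestr, $mclass, $mreason, $mtype, $mcond) = @_;
    my $cnt;

    # Addresses listed in NOBLOCK_IPS are logged, never counted.
    if (check_hosts_array(\@noblock_ips, $mip)) {
        mlog(3, "Hit to NOBLOCK_IPS($mip): [$mclass] $mreason\n");
        return;
    }

    # str2time() returns undef for a timestamp it cannot parse. Such a
    # value would otherwise be stored in the lists and compared against
    # time() below, so the hit is logged and dropped instead.
    my $mdate = str2time($mdatestr);
    if (!defined($mdate)) {
        mlog(3, "Unparseable timestamp '$mdatestr' for $mip: [$mclass] $mreason\n");
        return;
    }

    # If condition is true, we add to regular statlist
    if ($mcond) {
        $cnt = update_entry(\%statlist, $mip, $mdate, $mclass, $mreason, 1);
    } else {
        # This is an ignored hit (for disabled test), add to ignorelist
        update_entry(\%ignorelist, $mip, $mdate, $mclass, $mreason, 1);
        return;
    }

    # Check if we have exceeded threshold etc. The check_time1() part
    # keeps hits older than the weed period from triggering a block,
    # presumably so that re-reading an old log does not re-block.
    if ($cnt >= $settings{"THRESHOLD"} && check_time1($mdate)) {
        # Add to blocklist, unless already there.
        if (!defined($blocklist{$mip})) {
            mlog(1, "* Adding $mip ($mdate): [$mclass] $mreason\n");
            exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"ACTION"});
        }
        # Update date of last hit
        $blocklist{$mip} = $mdate;
    }

    # Separate check for DroneBL: queue the address once its own
    # threshold is met within DRONEBL_MAX_AGE. An existing "sent" flag
    # is left alone, presumably so already-reported addresses are not
    # resubmitted by the sender.
    if ($settings{"DRONEBL"} > 0 && $mtype > 0 &&
        $cnt >= $settings{"DRONEBL_THRESHOLD"} && check_time3($mdate)) {
        $dronebl{$mip}{"type"} = $mtype;
        $dronebl{$mip}{"date"} = $mdate;
        $dronebl{$mip}{"sent"} = 0 unless defined($dronebl{$mip}{"sent"});
    }
}

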
#############################################################################
### Main helper functions
#############################################################################
### Print log entry: written with a timestamp prefix to the log file
### when one is open, or bare to STDERR in dry-run mode; otherwise the
### message is dropped. Emitted only when VERBOSITY is greater than
### $level (mdie() passes -1, so its messages pass for any VERBOSITY
### of 0 or more).
sub mlog($$)
{
    my ($level, $msg) = @_;

    if ($LOGFILE) {
        return unless ($settings{"VERBOSITY"} > $level);
        print {$LOGFILE} "[".get_time_str(time())."] ".$msg;
    } elsif ($settings{"DRY_RUN"}) {
        return unless ($settings{"VERBOSITY"} > $level);
        print STDERR $msg;
    }
}

### Like Perl's die(), but also print a logfile entry.
### Level -1 makes mlog() emit the message for any non-negative
### VERBOSITY; the $LOGFILE guard skips mlog() in dry-run mode,
### presumably because die() already writes the text to STDERR.
sub mdie($)
{
    my ($msg) = @_;
    if ($LOGFILE) {
        mlog(-1, $msg);
    }
    die($msg);
}

921 ### Initialize |
922 sub malt_init |
923 { |
924 %statlist = (); |
925 undef(%statlist); |
926 %ignorelist = (); |
927 undef(%ignorelist); |
928 mlog(0, "Updating initial blocklist from netfilter.\n"); |
929 update_blocklist(-1); |
930 |
931 foreach my $filename (@scanfiles_once) { |
932 mlog(0, "Parsing [ONCE] ".$filename." ...\n"); |
933 if (open(INFILE, "<", $filename)) { |
934 while (<INFILE>) { |
935 chomp; |
936 check_log_line($_); |
937 } |
938 } else { |
939 mlog(-1, "Could not open '".$filename."', skipping now.\n"); |
940 } |
941 close(INFILE); |
942 } |
943 |
3 | 944 foreach my $filename (@scanfiles) { |
945 local *INFILE; |
946 mlog(0, "Initial parsing ".$filename." ...\n"); |
947 if (open(INFILE, "<", $filename)) { |
948 $filehandles{$filename} = *INFILE; |
949 while (<INFILE>) { |
950 chomp; |
951 check_log_line($_); |
952 } |
953 } else { |
954 mlog(-1, "Could not open '".$filename."', skipping now.\n"); |
955 } |
956 } |
957 } |
958 |
959 ### Quick cleanup (not complete shutdown) |
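sub malt_cleanup
{
  # Close the scanned log files and forget them. Called before exit
  # (malt_int/malt_term) and on HUP before malt_configure()/malt_init()
  # reopen the scanfiles. The hash is emptied afterwards so a scanfile
  # that is dropped from the configuration, or fails to reopen, does not
  # leave a stale closed handle behind for malt_scan() to tell()/seek() on.
  foreach my $filename (keys %filehandles) {
    close($filehandles{$filename});
  }
  %filehandles = ();
}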
966 |
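sub malt_finish
{
  # Final shutdown: remove the pid-file and close the logfile. The
  # pid-file is handled first so that a failure can still be logged
  # through mlog() while $LOGFILE is open.
  if (defined($pid_file) && $pid_file ne "" && -e $pid_file) {
    # A pid-file left behind would make the daemon look alive to init
    # scripts, so do not fail silently.
    unlink($pid_file) or mlog(-1, "Could not remove pid-file '".$pid_file."': $!\n");
  }
  # Close logfile and mark it closed for any later mlog() call
  close($LOGFILE) if (defined($LOGFILE));
  undef($LOGFILE);
}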
977 |
978 ### Signal handlers |
sub malt_int
{
  # SIGINT handler: log the interrupt, release the scanned log files
  # (malt_cleanup) and the pid-file/logfile (malt_finish), then exit
  # with a non-zero status.
  mlog(-1, "\nCaught Interrupt (^C), aborting.\n");
  malt_cleanup();
  malt_finish();
  exit(1);
}
986 |
sub malt_term
{
  # SIGTERM handler: log, release the scanned log files and the
  # pid-file/logfile, then exit. The status is 1 like malt_int(), even
  # though TERM is the normal way of stopping the daemon.
  mlog(-1, "Received TERM, quitting.\n");
  malt_cleanup();
  malt_finish();
  exit(1);
}
994 |
sub malt_hup
{
  # SIGHUP handler: close the scanned files, re-read the configuration
  # and run initialization again, then return into malt_scan()'s loop.
  mlog(-1, "Received HUP, reinitializing.\n");
  malt_cleanup();
  # NOTE(review): malt_configure() calls mdie() on any configuration
  # error, so a broken config at HUP time presumably terminates the
  # daemon instead of keeping the previous settings -- confirm mdie()'s
  # behaviour and whether that is intended.
  malt_configure();
  malt_init();
  mlog(-1, "Reinitialization finished, resuming scanning.\n");
}
1003 |
1004 ### Main scanning function |
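sub malt_scan
{
  # Tail every opened scanfile forever: feed each newly appended line to
  # check_log_line(), and roughly every 30 passes (about a minute with
  # the 2 s sleep) resync the blocklist with netfilter, weed old entries,
  # regenerate the status files and gather evidence. Never returns.
  mlog(1, "Entering main scanning loop.\n");
  my $counter = -1;
  while (1) {
    my %filepos = ();
    foreach my $filename (keys %filehandles) {
      my $fh = $filehandles{$filename};
      # Perl parses <$filehandles{$filename}> as a glob() of the handle's
      # name rather than as a readline(), so the handle must be read via
      # a plain scalar / readline(). The defined() test keeps a final
      # line "0" without a trailing newline from ending the read early.
      $filepos{$filename} = tell($fh);
      while (defined($_ = readline($fh))) {
        chomp;
        check_log_line($_);
        # Remember the offset after every line so we can seek back to it
        $filepos{$filename} = tell($fh);
      }
    }
    if ($counter < 0 || $counter++ >= 30) {
      # Every once in a while, update known IP list from iptables
      # (in case entries have appeared there from "outside")
      # and perform weeding of old entries.
      $counter = 0;
      update_blocklist(time());
      weed_entries();
      generate_status($settings{"STATUS_FILE_PLAIN"}, 0);
      generate_status($settings{"STATUS_FILE_HTML"}, 1);
      gather_evidence();
    }
    sleep(2);
    # Seek back to the last known position to clear each handle's EOF
    # state so that appended lines are seen on the next pass.
    # NOTE(review): positions are tracked per open handle only; a
    # truncated or rotated scanfile is not detected here -- confirm
    # whether log rotation is expected to be handled by sending HUP.
    foreach my $filename (keys %filehandles) {
      seek($filehandles{$filename}, $filepos{$filename}, 0);
    }
  }
}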
1036 |
1037 ### Read one configuration file |
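sub malt_read_config($)
{
  # Parse one configuration file into the global %settings and into the
  # SCANFILE / SCANFILE_ONCE / NOBLOCK_IPS lists. Accepted line forms are
  #   KEY = 123        and      "KEY" => "value",
  # (quotes, '=>' and the trailing comma are optional; keys are
  # case-insensitive). Unknown keys and malformed lines are logged and
  # counted. Returns 1 if any error was seen, 0 otherwise; dies via
  # mdie() if the file cannot be opened.
  my $filename = $_[0];
  my $errors = 0;
  my $line = 0;

  open(my $conffile, "<", $filename) or mdie("Could not open configuration '".$filename."'!\n");
  while (<$conffile>) {
    $line++;
    chomp;
    if (/(^\s*#|^\s*$)/) {
      # Ignore comments and empty lines
    } elsif (/^\s*\"?([a-zA-Z0-9_]+)\"?\s*=>?\s*(\d+),?\s*$/) {
      # Numeric setting; only keys that already have a default are accepted
      my $key = uc($1);
      my $value = $2;
      if (defined($settings{$key})) {
        $settings{$key} = $value;
      } else {
        mlog(-1, "[$filename:$line] Unknown setting '$key' = $value\n");
        $errors = 1;
      }
    } elsif (/^\s*\"?([a-zA-Z0-9_]+)\"?\s*=>?\s*\"(.*?)\",?\s*$/) {
      # Quoted string setting; the list-valued keys accumulate, the rest
      # must again have a default in %settings.
      my $key = uc($1);
      my $value = $2;
      if ($key eq "SCANFILE") {
        push(@scanfiles, $value);
      } elsif ($key eq "SCANFILE_ONCE") {
        push(@scanfiles_once, $value);
      } elsif ($key eq "NOBLOCK_IPS") {
        push(@noblock_ips_def, $value);
      } elsif (defined($settings{$key})) {
        $settings{$key} = $value;
      } else {
        mlog(-1, "[$filename:$line] Unknown setting '$key' = '$value'\n");
        $errors = 1;
      }
    } else {
      mlog(-1, "[$filename:$line] Syntax error: $_\n");
      $errors = 1;
    }
  }
  close($conffile);

  # Force dry run mode if we are reporting only. This is done after the
  # whole file has been read (it used to run only inside the string
  # branch above), so a later numeric  DRY_RUN = 0  line cannot re-enable
  # changes to netfilter while in report mode.
  if ($reportmode) {
    $settings{"DRY_RUN"} = 1;
  }
  return $errors;
}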
1086 |
1087 ### Read all configuration files |
1088 sub malt_configure |
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1089 { |
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1090 # Let user define his/her own logfiles to scan |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1091 @scanfiles = (); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1092 undef(@scanfiles); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1093 |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1094 @scanfiles_once = (); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1095 undef(@scanfiles_once); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1096 |
39
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1097 foreach my $filename (@configfiles) { |
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1098 mdie("Errors in configuration file '$filename', bailing out.\n") |
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1099 unless (malt_read_config($filename) == 0); |
d96229159abc
v0.11.0: More fixes; Configuration files are now re-read when HUP signal is
Matti Hamalainen <ccr@tnsp.org>
parents:
37
diff
changeset
|
1100 } |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1101 |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1102 # Clean up certain arrays duplicate entries |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1103 my %saw = (); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1104 @scanfiles = grep(!$saw{$_}++, @scanfiles); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1105 |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1106 %saw = (); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1107 @scanfiles_once = grep(!$saw{$_}++, @scanfiles_once); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1108 |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1109 %saw = (); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1110 @noblock_ips = grep(!$saw{$_}++, @noblock_ips_def); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1111 undef(%saw); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1112 |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1113 mlog(-1, "Not blocking following IPs: ".join(", ", @noblock_ips)."\n"); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1114 |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1115 # Check if we have anything to do |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1116 if ($reportmode) { |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1117 mdie("Nothing to do, no SCANFILE(s) or SCANFILE_ONCE(s) defined in configuration.\n") unless ($#scanfiles > 0 || $#scanfiles_once > 0); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1118 } else { |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1119 mdie("Nothing to do, no SCANFILE(s) defined in configuration.\n") unless ($#scanfiles > 0); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1120 } |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1121 |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1122 # Test existence of iptables |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1123 if (! -e $settings{"IPTABLES"} || ! -x $settings{"IPTABLES"}) { |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1124 mdie("iptables binary does not exist or is not executable: ".$settings{"IPTABLES"}."\n"); |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1125 } |
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1126 |
60
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1127 # Check evidence settings |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1128 if ($settings{"EVIDENCE"}) { |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1129 my $base = $settings{"EVIDENCE_DIR"}; |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1130 mdie("Evidence directory (EVIDENCE_DIR) not set in configuration.\n") if ($base eq ""); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1131 mdie("Evidence directory '$base' does not exist.\n") unless (-e $base); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1132 mdie("Path '$base' is not a directory.\n") unless (-d $base); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1133 mdie("Evidence directory '$base' is not writable by euid.\n") unless (-w $base); |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1134 } |
38885f5f34f6
Added evidence gathering functionality.
Matti Hamalainen <ccr@tnsp.org>
parents:
59
diff
changeset
|
1135 |
54
19dace24ad46
Remove default scanfiles; Clean up update_entry() code; Add "SCANFILE_ONCE"
Matti Hamalainen <ccr@tnsp.org>
parents:
53
diff
changeset
|
1136 # Check settings |
40
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1137 mdie("SYSACCT_MIN_UID must be >= 1.\n") unless ($settings{"SYSACCT_MIN_UID"} >= 1); |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1138 mdie("SYSACCT_MAX_UID must be >= SYSACCT_MIN_UID.\n") unless ($settings{"SYSACCT_MAX_UID"} >= $settings{"SYSACCT_MIN_UID"}); |
24babaa1e331
Many cleanups and fixes; Example configuration updated.
Matti Hamalainen <ccr@tnsp.org>
parents:
39
diff
changeset
|
1139 |
44
471731c79bb3
Add configuration setting for PASSWD file.
Matti Hamalainen <ccr@tnsp.org>
parents:
40
diff
changeset
|
1140 open(PASSWD, "<", $settings{"PASSWD"}) or mdie("Could not open '".$settings{"PASSWD"}."' for reading!\n"); |
1141 while (<PASSWD>) { |
1142 my @fields = split(/\s*:\s*/); |
1143 if ($fields[2] >= $settings{"SYSACCT_MIN_UID"} && $fields[2] <= $settings{"SYSACCT_MAX_UID"}) { |
1144 $systemacct{$fields[0]} = $fields[2]; |
1145 } |
1146 } |
1147 close(PASSWD); |
1148 } |
1149 |
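#############################################################################
###
### Main program
###
#############################################################################
# Setup signal handlers. The handlers are named subs defined elsewhere in
# this file (string handler names are resolved in package main).
$SIG{'INT'} = 'malt_int';
$SIG{'TERM'} = 'malt_term';
$SIG{'HUP'} = 'malt_hup';

# Print banner and help if no arguments
my $argc = scalar(@ARGV);
if ($argc < 1) {
  print $progbanner.
  "\n".
  "Usage: maltfilter <pid filename> [config filename] [config filename...]\n".
  " maltfilter -f [config filename] [config filename...]\n".
  "-f turns on the full report mode.\n";
  exit;
}

# The first argument is either the pid file name or "-f" (report mode).
# Test pid file existence unless report mode.
$pid_file = shift;
if ($pid_file eq "-f") {
  $reportmode = 1;
} else {
  # NOTE(review): this is a check-then-create sequence; the pid file itself
  # is only created after fork() below, so two instances started at the
  # same moment could both pass this test. An O_CREAT|O_EXCL sysopen()
  # (Fcntl) would close that window, but Fcntl is not imported here.
  mdie("'$pid_file' already exists, not starting.\n".
       "If the daemon is NOT running, remove the pid-file and re-start.\n")
    if (-e $pid_file);
}

# Read configuration files (all remaining arguments, in order)
while (defined(my $filename = shift)) {
  push(@configfiles, $filename);
}

malt_configure();

# Open logfile. In dry-run mode nothing is logged to a file; a banner is
# printed instead so the operator cannot mistake the run for a live one.
if ($settings{"DRY_RUN"}) {
  print $progbanner.
  "*********************************************\n".
  "* NOTICE! DRY-RUN MODE ENABLED! No changes *\n".
  "* will actually get committed to netfilter! *\n".
  "*********************************************\n";
} elsif ($settings{"LOGFILE"} ne "") {
  open($LOGFILE, ">>", $settings{"LOGFILE"}) or die("Could not open logfile '".$settings{"LOGFILE"}."' for writing!\n");
  # Disable output buffering on the logfile handle so log lines are
  # written immediately (select() the handle, set $|, restore the old one).
  select((select($LOGFILE), $| = 1)[0]);
  mlog(-1, "Log started\n");
}

# Initialize
malt_init();

# Fork to background, unless dry-running
if ($settings{"DRY_RUN"}) {
  # NOTE(review): report mode (-f) is only honoured together with DRY_RUN;
  # without it "-f" is used as the pid file name and the daemon forks as
  # usual. Presumably intentional, but worth confirming.
  if ($reportmode) {
    mlog(-1, "Outputting report files.\n");
    generate_status($settings{"STATUS_FILE_PLAIN"}, 0);
    generate_status($settings{"STATUS_FILE_HTML"}, 1);
    gather_evidence();
    malt_cleanup();
  } else {
    malt_scan();
    malt_cleanup();
  }
} else {
  # fork() returns undef on failure. Previously that case fell into the
  # child branch and ran the scan in the foreground with no pid file
  # written, so make it fatal instead.
  my $pid = fork;
  mdie("Could not fork: $!\n") unless (defined $pid);
  if ($pid) {
    # Parent: record the child's pid, then fall through and exit.
    # close() is checked because buffered write errors only surface there;
    # a missing or truncated pid file would leave the daemon unmanageable.
    open(my $pidfh, ">", $pid_file) or mdie("Could not open pid file '".$pid_file."' for writing!\n");
    print $pidfh "$pid\n";
    close($pidfh) or mdie("Could not write pid file '".$pid_file."': $!\n");
  } else {
    # Child: run the scanning loop until a signal handler stops it.
    malt_scan();
    malt_cleanup();
  }
}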