annotate maltfilter @ 13:fc053b001027

Improved reporting and documentation.
author Matti Hamalainen <ccr@tnsp.org>
date Fri, 14 Aug 2009 02:58:52 +0300
parents 26c2cc5077aa
children b05d0f0ff106
#!/usr/bin/perl -w
#############################################################################
#
# Malicious Attack Livid Termination Filter daemon (maltfilter)
# Programmed by Matti 'ccr' Hämäläinen <ccr@tnsp.org>
# (C) Copyright 2009 Tecnic Software productions (TNSP)
#
#############################################################################
use strict;
use Date::Parse;
use Net::IP;

my $progversion = "0.8";
my $progbanner =
"Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n".
"Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n".
"(C) Copyright 2009 Tecnic Software productions (TNSP)\n";

#############################################################################
### Settings / configuration
#############################################################################
# Built-in defaults.  The keys are looked up by name throughout the script,
# so their exact spelling (including "TRESHOLD") is part of the contract;
# do not "correct" a key without changing every use of it.
my %settings = (
    # mlog() prints a message only when its level is below this value.
    "VERBOSITY" => 3,
    # When true, iptables commands are only logged, never executed, and
    # mlog() output goes to STDOUT when no log file is open.  On by
    # default, so the script changes nothing until deliberately configured.
    "DRY_RUN" => 1,
    # Age in hours after which a block entry is removed again (check_time()).
    "WEEDPERIOD" => 150,
    # Hit-count threshold for blocking (presumably applied in
    # check_add_entry(), which is outside this view).  IPs already present
    # in the live iptables listing are seeded with this value.
    "TRESHOLD" => 3,
    # Netfilter target for our INPUT rules (-j) and the value matched when
    # the chain is read back in update_iplist().
    "ACTION" => "DROP",
    # Log file path; empty means none.  NOTE(review): the code that opens
    # it into $LOGFILE is not in this view.
    "LOGFILE" => "",
    # iptables binary.  exec_iptables() runs it with the list form of
    # system(), i.e. without a shell; update_iplist() lists the INPUT chain.
    "IPTABLES" => "/sbin/iptables",

    # Report output files; empty disables.  Used by the reporting code
    # further down (not visible here).
    "STATUS_FILE_PLAIN" => "",
    "STATUS_FILE_HTML" => "",
    "STATUS_FILE_CSS" => "",

    # Per-detector enable flags, handed to check_add_entry() by
    # check_log_line().  CHK_ROOT_SSH_PWD is off by default; read the
    # notice in check_log_line() before enabling it.
    "CHK_SSHD" => 1,
    "CHK_KNOWN_CGI" => 1,
    "CHK_PHP_XSS" => 1,
    "CHK_PROXY_SCAN" => 1,
    "CHK_ROOT_SSH_PWD" => 0,
    # "|"-separated list of your own hostnames/IPs.  Request URLs pointing
    # at one of these are not counted as XSS/proxy probes (check_hosts()).
    "CHK_GOOD_HOSTS" => "",
);

# Default logfiles to monitor (SCANFILES setting of configuration overrides these)
my @scanfiles_def = (
    "/var/log/auth.log",
    "/var/log/httpd/error.log",
    "/var/log/httpd/access.log"
);

# Default list of addresses that are never blocked (presumably overridable
# from the configuration like @scanfiles_def; that code is outside this view).
my @noblock_ips_def = (
    "127.0.0.1",
);

#############################################################################
### Script code
#############################################################################
my $report = 0;           # report-only mode: weed_entries() does nothing
my @scanfiles = ();       # effective list of log files to watch
my @noblock_ips = ();     # effective never-block list
my %filehandles = ();     # per-logfile handles (filled outside this view)
my %hitcount = ();        # IP -> number of hits seen
my %iplist = ();          # IP -> time value of its block; a negative value
                          # is weeded unconditionally (see weed_entries())
my %reason = ();          # per-IP report bookkeeping, cleared by weed_do();
my %reason_n = ();        #   the exact contents are set by code not shown here
my %ignored = ();
my %ignored_d = ();
my $pid_file = "";
my $LOGFILE;              # open log file handle used by mlog(), or undef
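### Check given logfile line for matches
#
# Runs the enabled detectors over one log line and reports each hit to
# check_add_entry(IP, timestamp, reason, detail, enable-flag).  The reason
# and detail strings end up in the reports; the flag is the CHK_* setting
# that switches the detector on.
#
# NOTE: the line is read from $_, not from the declared argument; the
# caller must have the line in $_ (a while (<$fh>) loop does).  Left as is
# so existing call sites keep working.
#
# No meaningful return value.
sub check_log_line($)
{
    # (1) SSHD scans: syslog style "<Mon> <d> <hh:mm:ss> <host> sshd[pid]: <msg>"
    if (/^(\S+\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\S*?: (.*)/) {
        my $mdate = $1;
        my $merr = $2;

        # (1.1) Generic login scan attempts
        if ($merr =~ /^Failed password for invalid user \S+ from (\d+\.\d+\.\d+\.\d+)/) {
            check_add_entry($1, $mdate, "SSH login scan", "", $settings{"CHK_SSHD"});
        }
        # (1.2) Root SSH login password bruteforcing attempts
        # NOTICE! Do not enable this setting, if you allow SSH root logins via
        # password authentication! Mistyping password may get you blocked then. :)
        #
        # Must be matched against $merr (the sshd message part).  $_ is the
        # whole line and starts with the timestamp, so an anchored match
        # against it could never succeed and CHK_ROOT_SSH_PWD was a no-op.
        elsif ($merr =~ /^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) {
            check_add_entry($1, $mdate, "Root SSH password bruteforce", "", $settings{"CHK_ROOT_SSH_PWD"});
        }
    }
    # (2) Common/known exploitable CGI/PHP software scans (like phpMyAdmin)
    # NOTICE! This matches ERRORLOG, thus it only works if you DO NOT have
    # any or some of these installed. Preferably none, or use uncommon
    # paths and prefixes.
    elsif (/^\[(.+?)\]\s+\[error\]\s+\[client\s+(\d+\.\d+\.\d+\.\d+)\]\s+(.+)$/) {
        my $mdate = $1;
        my $mip = $2;
        my $merr = $3;
        if ($merr =~ /^File does not exist: (.+)$/) {
            my $path = $1;
            # Case-insensitive substring heuristics over the missing path.
            # Words like "admin", "sql" and "wiki" are unanchored and will
            # also hit legitimate 404s that merely contain them.
            if ($path =~ /\/mss2|\/pma|admin|sql|\/roundcube|\/webmail|\/bin|\/mail|xampp|zen|mailto:|appserv|cube|round|_vti_bin|wiki/i) {
                check_add_entry($mip, $mdate, "CGI vuln scan", $path, $settings{"CHK_KNOWN_CGI"});
            }
        }
    }
    # (3) Match Apache common logging format GET requests here
    elsif (/(\d+\.\d+\.\d+\.\d+)\s+-\s+-\s+\[(.+?)\]\s+\"GET (\S*?) HTTP\//) {
        my $mip = $1;
        my $mdate = $2;
        my $merr = $3;

        # (3.1) Simple match for generic PHP XSS vulnerability scans
        # NOTICE! If your site genuinely uses (checked) PHP parameters with
        # URIs, you should set CHK_GOOD_HOSTS to match your hostname(s)/IP(s)
        # used in the URIs.
        # (The pattern is "<x>.php?<param>=http://<host>", i.e. a remote URL
        # passed in a parameter; the "PHP XSS" reason string is kept as is
        # because it appears in the reports.)
        if ($merr =~ /\.php\?\S*?=http:\/\/([^\/]+)/) {
            if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
                check_add_entry($mip, $mdate, "PHP XSS", $merr, $settings{"CHK_PHP_XSS"});
            }
        }
        # (3.2) Try to match proxy scanning attempts: an absolute URL as the
        # request target that does not point at one of our own hosts.
        elsif ($merr =~ /^http:\/\/([^\/]+)/) {
            if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
                check_add_entry($mip, $mdate, "Proxy scan", $merr, $settings{"CHK_PROXY_SCAN"});
            }
        }
    }
}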
#############################################################################
### Script code
#############################################################################
### Log a message, subject to the configured verbosity.
# $level: importance of the message, lower is more important; it is
#         emitted only when VERBOSITY is greater than this.
# $msg:   text to emit, including any trailing newline.
# Output goes to the log file handle when one is open, otherwise to
# STDOUT but only in DRY_RUN mode; in all other cases nothing is printed.
sub mlog
{
    my ($level, $msg) = @_;

    return if $settings{"VERBOSITY"} <= $level;

    if (defined($LOGFILE)) {
        print {$LOGFILE} "[" . scalar(localtime()) . "] " . $msg;
    }
    elsif ($settings{"DRY_RUN"}) {
        print $msg;
    }
}
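### Host and IP matching functions
#
# check_hosts_array(\@hosts, $chk_host)
# Returns 1 if $chk_host matches an entry of @hosts, either as an exact
# string or, when both parse as addresses via Net::IP, by comparing their
# binary address.  Entries are compared as single addresses: prefix or
# range notation is not treated as a range here.  Returns 0 otherwise,
# including for an empty list.
sub check_hosts_array($$)
{
    my ($hosts, $chk_host) = @_;
    # Class-method call instead of indirect object syntax ("new Class").
    my $chk_ip = Net::IP->new($chk_host);

    foreach my $host (@{$hosts}) {
        return 1 if $chk_host eq $host;

        # If the candidate is not an address, the binary comparison below
        # can never succeed, so do not bother parsing the list entry.
        next unless defined($chk_ip);
        my $ip = Net::IP->new($host);
        if (defined($ip) && $chk_ip->binip() eq $ip->binip()) {
            return 1;
        }
    }
    return 0;
}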
### Match a host against a "|"-separated list (the CHK_GOOD_HOSTS format).
# $_[0]: the list string, entries separated by "|" with optional whitespace.
# $_[1]: the host or IP to look for; see check_hosts_array() for the rules.
# An empty list string splits into no entries and therefore yields 0.
sub check_hosts($$)
{
    my ($list, $chk_host) = @_;
    my @hosts = split(/\s*\|\s*/, $list);
    return check_hosts_array(\@hosts, $chk_host);
}
### Execute iptables
# Runs the configured IPTABLES binary with the given argument list.
# In DRY_RUN mode the command line is only logged (level 3) and nothing is
# executed.  system() is called in list form, so the arguments are never
# passed through a shell.  A non-zero exit status is reported on STDOUT.
sub exec_iptables(@)
{
    my @cmd = ($settings{"IPTABLES"}, @_);
    my $cmdline = join(" ", @cmd);

    if ($settings{"DRY_RUN"}) {
        mlog(3, ":: $cmdline\n");
        return;
    }

    unless (system(@cmd) == 0) {
        print "$cmdline failed: $?\n";
    }
}
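### Get current Netfilter INPUT table entries we manage
#
# update_iplist($stamp)
# Lists the INPUT chain with the configured iptables binary and, for every
# rule of the form "<ACTION> all -- * * <ip> 0.0.0.0/0" whose source IP is
# not yet known in %iplist, records it with $stamp as its time value and
# seeds %hitcount to TRESHOLD (so it counts as already blocked).  A
# negative $stamp suppresses the "appeared" log message; what negative
# stamps mean for expiry is handled in weed_entries().
# Dies if iptables cannot be started.
sub update_iplist($)
{
    my $stamp = $_[0];
    my $iptables = $settings{"IPTABLES"};
    # ACTION is a user setting: quote it so it is matched literally rather
    # than interpolated into the pattern as regex syntax.
    my $action = quotemeta($settings{"ACTION"});

    # List-form pipe open: the binary path and its arguments go straight to
    # exec(), never through a shell, and the handle is lexical.
    open(my $status, "-|", $iptables, "-v", "-n", "-L", "INPUT") or
        die("Could not execute $iptables: $!\n");

    while (my $line = <$status>) {
        chomp($line);
        if ($line =~ /^\s*(\d+)\s+\d+\s+$action\s+all\s+--\s+\*\s+\*\s+(\d+\.\d+\.\d+\.\d+)\s+0\.0\.0\.0\/0\s*$/) {
            my $ip = $2;
            # Entries weeded earlier are left in the hash with an undef
            # value, so defined() is the right test here.
            next if defined($iplist{$ip});
            $hitcount{$ip} = $settings{"TRESHOLD"};
            $iplist{$ip} = $stamp;
            mlog(2, "* $ip appeared in iptables, adding.\n") if ($stamp >= 0);
        }
    }
    # A failing close means iptables exited non-zero; the listing may then
    # be incomplete, which is worth knowing about.
    close($status) or
        mlog(1, "$iptables -v -n -L INPUT exited with status $?\n");
}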
### Weed out old entries
# check_time($stamp): true while $stamp (epoch seconds) lies within the
# last WEEDPERIOD hours, i.e. while the entry should still be kept.
sub check_time($)
{
    my $stamp = shift;
    my $oldest_kept = time() - 60 * 60 * $settings{"WEEDPERIOD"};
    return ($stamp >= $oldest_kept);
}
### Remove the block for one IP and forget its bookkeeping.
# weed_do($ip): no-op unless $ip has a defined %iplist entry.  Deletes the
# matching INPUT rule via exec_iptables() and then clears the IP's entry in
# every per-IP hash.  The values are set to undef rather than the keys
# being deleted, which is what update_iplist()'s defined() test relies on.
sub weed_do($)
{
    my $ip = shift;
    return unless defined($iplist{$ip});

    mlog(2, "* Weeding $ip ($iplist{$ip})\n");
    exec_iptables("-D", "INPUT", "-s", $ip, "-d", "0.0.0.0/0", "-j", $settings{"ACTION"});

    # %iplist last, so the entry stays visible until the rule is gone.
    for my $table (\%reason, \%reason_n, \%ignored, \%ignored_d, \%iplist) {
        undef $table->{$ip};
    }
}
### Drop every tracked IP whose block has expired.
# Entries with a negative time value are weeded unconditionally; the rest
# are weeded once check_time() reports their stamp as older than
# WEEDPERIOD.  Does nothing in report mode.
sub weed_entries()
{
    # Don't weed in report mode.
    return if ($report);

    foreach my $mip (keys %iplist) {
        my $stamp = $iplist{$mip};
        next unless defined($stamp);

        # check_time() is consulted only for real (non-negative) stamps.
        if ($stamp < 0 || !check_time($stamp)) {
            weed_do($mip);
        }
    }
}
232
233 ### Output status file
### Compare two dotted-quad addresses octet by octet, numerically.
### Returns -1 when the first address is the larger one, 1 when it is the
### smaller one and 0 when they are equal, i.e. sorting with this
### comparator yields descending address order.
### NOTE(review): assumes four numeric octets; shorter or non-numeric
### input (hostnames, IPv6) only produces warnings here -- confirm callers
### never pass such keys.
sub cmp_ips($$)
{
    my ($ip_a, $ip_b) = @_;
    my @octets_a = split(/\./, $ip_a);
    my @octets_b = split(/\./, $ip_b);

    foreach my $i (0 .. 3) {
        # Reversed operands give the descending order described above.
        my $order = $octets_b[$i] <=> $octets_a[$i];
        return $order if $order;
    }
    return 0;
}
244
### Order two entries by hit count, highest first, falling back to
### cmp_ips() on the addresses when the counts are equal.
### Arguments: address A, address B, hits of A, hits of B.
sub cmp_ip_hits($$$$)
{
    my ($ip_a, $ip_b, $hits_a, $hits_b) = @_;

    # Reversed operands: more hits sorts earlier.
    my $by_hits = $hits_b <=> $hits_a;
    return $by_hits if $by_hits;

    return cmp_ips($ip_a, $ip_b);
}
251
### Write a section heading to the filehandle. With $html true the title
### is wrapped in <hN>; otherwise it is printed and underlined, using '='
### for level 1 and '-' for every deeper level. The title is emitted as
### given, without escaping.
sub printH($$$$)
{
    my ($html, $fh, $level, $title) = @_;

    if ($html) {
        print {$fh} "<h$level>$title</h$level>\n";
    } else {
        my $rule = ($level <= 1) ? "=" : "-";
        print {$fh} $title, "\n", $rule x length($title), "\n";
    }
}
262
### Write one table cell. In HTML mode the text is wrapped in <td>;
### in text mode it is written as-is. No escaping is applied here, so
### callers are responsible for the content they pass in.
sub printTD($$$)
{
    my ($html, $fh, $cell) = @_;
    print {$fh} ($html ? "<td>$cell</td>" : $cell);
}
272
### Write a paragraph. HTML mode wraps the text in <p>..</p> with a line
### break after the opening tag; text mode just appends a newline.
sub printP($$$)
{
    my ($html, $fh, $text) = @_;

    if ($html) {
        print {$fh} "<p>\n", $text, "</p>\n";
    } else {
        print {$fh} $text, "\n";
    }
}
282
### Write mode-dependent raw output: $markup when $html is true, else the
### optional $plain alternative (nothing if $plain is undefined). This is
### the low-level primitive the other print helpers build on; it does not
### escape anything.
sub printElem
{
    my ($html, $fh, $markup, $plain) = @_;

    if ($html) {
        print {$fh} $markup;
    } elsif (defined($plain)) {
        print {$fh} $plain;
    }
}
292
### Opening bold tag in HTML mode, empty string otherwise.
sub bb($)
{
    my ($html) = @_;
    return "" unless $html;
    return "<b>";
}
297
298
### Closing bold tag in HTML mode, empty string otherwise.
sub eb($)
{
    my ($html) = @_;
    return "" unless $html;
    return "</b>";
}
303
### Generic tag helper: "<$tag>" in HTML mode, empty string otherwise.
### $tag is inserted verbatim (it is expected to be a fixed tag name).
sub pe($$)
{
    my ($html, $tag) = @_;
    return "" unless $html;
    return "<$tag>";
}
308
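### Render an address for the report. In HTML mode this is a link to a
### whois lookup, in text mode the bare address.
### The callers pass keys of %iplist / %hitcount, which are filled from
### parsed log data, so the value is treated as untrusted: in HTML mode
### it is entity-escaped before being placed in the href and link text,
### so a value that is not a clean dotted quad cannot break out of the
### attribute or inject markup. A clean address renders exactly as before.
sub getIP($$)
{
    my ($html, $addr) = @_;
    return $addr unless $html;

    # Minimal entity escape: the characters that can end an attribute
    # value or open a tag.
    my $safe = defined($addr) ? $addr : "";
    $safe =~ s/&/&amp;/g;
    $safe =~ s/</&lt;/g;
    $safe =~ s/>/&gt;/g;
    $safe =~ s/"/&quot;/g;

    return "<a href=\"http://whois.domaintools.com/$safe\">$safe</a>";
}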
313
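### Entity-escape a scalar for use as HTML element content or inside a
### double-quoted attribute value. Undefined input yields "".
sub _html_escape($)
{
    my $text = shift;
    return "" unless defined($text);
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

### Write the status report to $filename, as HTML when $m is true and as
### plain text otherwise. Nothing is written when $filename is empty.
### Three sections are produced: the entries in %iplist sorted by hit
### count (blocked entries, or the detailed listing in report mode), a
### two-column overview of every address in %hitcount, and the hits that
### were recorded in %ignored / %ignored_d because their test was
### disabled.
### Dies if the file cannot be opened for writing; a failed close is
### reported with a warning.
sub generate_status($$)
{
    my $filename = shift;
    my $m = shift;

    return unless ($filename ne "");

    open(my $f, ">", $filename) or die("Could not open '".$filename."'!\n");
    my $mtime = scalar localtime();

    # Reasons, hit classes and addresses are filled in by check_add_entry()
    # from parsed log data, so they are treated as untrusted: in HTML mode
    # they are entity-escaped before being embedded, so a crafted log line
    # cannot inject markup into the report. Plain-text output is unchanged.
    # (getIP() escapes the addresses it renders itself.)
    my $esc = $m ? sub { return _html_escape($_[0]); } : sub { return $_[0]; };

    printElem($m, $f, "
<html>
<head>
<title>Maltfilter status report</title>
");

    # STATUS_FILE_CSS comes from the configuration, not from the logs.
    printElem($m, $f, "<link href=\"".$settings{"STATUS_FILE_CSS"}."\" rel=\"stylesheet\" type=\"text/css\" />")
        if ($settings{"STATUS_FILE_CSS"});

    printElem($m, $f, "
</head>
<body>
");


    printH($m, $f, 1, "Maltfilter v$progversion status report");

    # Human-readable form of WEEDPERIOD, which is given in hours.
    my $val = $settings{"WEEDPERIOD"};
    my $period;

    if ($val > 30 * 24) {
        $period = sprintf("%1.1f months", $val / (30.0 * 24.0));
    } elsif ($val > 24 * 7) {
        $period = sprintf("%1.1f weeks", $val / 24);
    } elsif ($val > 24) {
        $period = sprintf("%d days", $val / 24);
    } else {
        $period = sprintf("%d hours", $val);
    }

    printP($m, $f,
        "Generated ".bb($m).$mtime.eb($m).". Data computed from ".
        ($report ? "complete logfile scan" : "a period of last $period").".\n");

    ### Section 1: blocked / reported entries, most hits first.
    printH($m, $f, 2, $report ? "Detailed report" : "Blocked entries");
    printElem($m, $f, "<table>\n<tr>". "<th>Hits</th><th>IP-address</th><th>Date of last hit</th><th>Reason(s)</th>"."</tr>\n");
    my $nexcluded = 0;
    my $ntotal = 0;
    foreach my $mip (sort { $hitcount{$b} <=> $hitcount{$a} } keys %iplist) {
        # Listed but never blocked: matched by NOBLOCK_IPS.
        $nexcluded++ if check_hosts_array(\@noblock_ips, $mip);

        printElem($m, $f, " <tr>");
        printTD($m, $f, sprintf("%-10d", $hitcount{$mip}));
        printTD($m, $f, sprintf("%-15s", getIP($m, $mip)));
        printElem(!$m, $f, " : ");
        printTD($m, $f, scalar localtime($iplist{$mip}));
        my @s = ();
        foreach my $cond (sort keys %{$reason{$mip}}) {
            my $str;
            if ($report) {
                # In report mode every reason is kept as a list; show the
                # newest ones first and at most six of them.
                my @tmp = reverse(@{$reason{$mip}{$cond}});
                $#tmp = 5 if ($#tmp > 5);
                $str = join(" | ", @tmp);
            } else {
                # Otherwise only the latest reason is stored, as a string.
                $str = $reason{$mip}{$cond};
            }
            push(@s, bb($m).$esc->($cond).eb($m)." [".$reason_n{$mip}{$cond}." hits] (".$esc->($str).")");
        }
        printTD($m, $f, join(", ".($m ? "<br />" : ""), @s));
        printElem($m, $f, "</tr>\n", "\n");
        $ntotal++;
    }
    printElem($m, $f, "</table>\n");
    printP($m, $f, bb($m).$ntotal.eb($m)." entries listed, ".
        bb($m).($ntotal - $nexcluded).eb($m)." blocked, ".bb($m).$nexcluded.eb($m).
        " excluded (defined in NOBLOCK_IPS).\n");


    ### Section 2: overview of all addresses with hits, in two columns.
    printH($m, $f, 2, "Overview of hits in general");
    printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not necessarily acted upon.\n");

    my $tmp = "<th>IP-address</th><th># of hits</th><th>Reasons</th>";
    printElem($m, $f, "<table>\n<tr>". $tmp."<th> </th>".$tmp ."</tr>\n");
    my $hits = 0;
    my @keys = sort { cmp_ips($a, $b) } keys %hitcount;
    my $nkeys = scalar @keys;

    # Prints the three cells of one address and accumulates its hits.
    my $printEntry = sub {
        printTD($m, $f, sprintf("%-15s", getIP($m, $_[0])));
        printElem(!$m, $f, " : ");
        printTD($m, $f, sprintf("%-8d ", $hitcount{$_[0]}));
        printElem(!$m, $f, " : ");
        my $classes = $esc->(join(", ", sort keys %{$reason{$_[0]}}));
        printTD($m, $f, sprintf("%-30s", $classes));
        $hits += $hitcount{$_[0]};
    };

    # Row $i holds $keys[$i] on the left and $keys[$i + $rows] on the
    # right. Rounding the row count up guarantees every key is printed;
    # the earlier split at $nkeys / 2 skipped the middle key (and its
    # hits in the total below) whenever $nkeys was even, and emitted an
    # empty trailing row.
    my $rows = int(($nkeys + 1) / 2);
    for (my $i = 0; $i < $rows; $i++) {
        printElem($m, $f, " <tr>");
        $printEntry->($keys[$i]);
        printElem($m, $f, "<th> </th>", " || ");
        if ($i + $rows < $nkeys) {
            $printEntry->($keys[$i + $rows]);
        }
        printElem($m, $f, "</tr>\n", "\n");
    }

    printElem($m, $f, "</table>\n");

    printP($m, $f, bb($m).(scalar keys %hitcount).eb($m)." IPs total, ".bb($m).$hits.eb($m)." hits total.\n");


    ### Section 3: hits that were recorded but ignored (test disabled).
    printH($m, $f, 2, "Ignored hit types");
    printP($m, $f, "List of hits that were ignored (not acted upon), because the test was disabled.\n");

    printElem($m, $f, "<table>\n<tr><th>IP-address</th><th>Type (hits, last time of note)</th></tr>\n");
    foreach my $mip (sort { cmp_ips($a, $b) } keys %ignored) {
        printElem($m, $f, "<tr>");
        printTD($m, $f, sprintf("%-15s", $esc->($mip)));
        printElem($m, $f, "<td>", " : ");
        foreach my $mcond (sort keys %{$ignored{$mip}}) {
            my $s = $esc->($mcond)." (".$hitcount{$mip}." hits, last ".scalar localtime($ignored_d{$mip}{$mcond}).")";
            unless ($ignored{$mip}{$mcond} eq "") { $s .= " for '".$esc->($ignored{$mip}{$mcond})."'"; }
            print $f $s;
        }
        printElem($m, $f, "</td></tr>", "\n");
    }
    printElem($m, $f, "</table>\n");

    printElem($m, $f, "</body>\n</html>\n");

    # Buffered write errors only surface at close; report them rather than
    # silently producing a truncated report.
    close($f) or warn("Could not close '".$filename."': $!\n");
}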
449
450 ### Check if given "try count" exceeds treshold and if entry
451 ### is NOT in Netfilter already, then add it if so.
452 sub check_add_entry($$$$$)
453 {
454 my $mip = $_[0];
455 my $mdate = str2time($_[1]);
456 my $mclass = $_[2];
457 my $mreason = $_[3];
458 my $mcond = $_[4];
459
460 my $cnt = $hitcount{$mip}++;
461 $reason_n{$mip}{$mclass}++;
fc053b001027 Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
462 if ($report) {
fc053b001027 Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
463 push(@{$reason{$mip}{$mclass}}, $mreason);
fc053b001027 Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
464 } else {
fc053b001027 Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
465 $reason{$mip}{$mclass} = $mreason;
fc053b001027 Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
466 }
fc053b001027 Improved reporting and documentation.
Matti Hamalainen <ccr@tnsp.org>
parents: 11
diff changeset
467 if ($report || ($cnt >= $settings{"TRESHOLD"} && check_time($mdate))) {
0
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
468 my $pat;
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
469 if (!$mcond) {
11
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
470 $ignored{$mip}{$mclass} = $mreason;
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
471 $ignored_d{$mip}{$mclass} = $mdate;
0
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
472 return;
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
473 }
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
474 if (!defined($iplist{$mip})) {
11
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
475 if (!check_hosts_array(\@noblock_ips, $mip)) {
0
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
476 # Add entry that has >= treshold hits and is not added yet
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
477 mlog(1, "* Adding $mip ($mdate): $mreason\n");
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
478 exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"ACTION"});
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
479 }
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
480 $iplist{$mip} = $mdate;
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
481 } else {
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
482 # Over treshold, but is added, check if we can update the timedate
11
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
483 $iplist{$mip} = $mdate if ($mdate > $iplist{$mip});
0
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
484 }
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
485 }
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
486 }
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
487
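###
### Main helper functions
###

### Initialize the daemon state: load the current blocklist from
### netfilter, open every log file listed in @scanfiles and feed all of
### its existing lines through check_log_line(), then weed out expired
### entries. The open handles are kept in %filehandles (keyed by file
### name) so that malt_scan() can follow the files afterwards.
###
### Dies if a log file cannot be opened. This is also called from the
### HUP handler, so a log file that has disappeared since startup
### terminates the daemon on HUP.
sub malt_init {
    mlog(0, "Updating initial blocklist from netfilter.\n");
    update_iplist(-1);

    foreach my $filename (@scanfiles) {
        mlog(0, "Parsing ".$filename." ...\n");
        # Lexical filehandle instead of a localized bareword glob; the
        # handle stays valid for tell()/seek()/readline() in malt_scan().
        open(my $fh, "<", $filename) or die("Could not open '".$filename."'!\n");
        $filehandles{$filename} = $fh;
        # Process everything already in the file so past hits count too.
        while (<$fh>) {
            chomp;
            check_log_line($_);
        }
    }

    mlog(0, "Weeding old entries.\n");
    weed_entries();
}
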
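### Close every log file opened by malt_init() and forget the handles, so
### that a later malt_init() (on HUP) or malt_scan() never touches a
### handle that has already been closed. Called on shutdown and before
### reinitialization.
sub malt_cleanup {
    foreach my $filename (keys %filehandles) {
        close($filehandles{$filename});
        # keys() returned a copy of the key list, so deleting while
        # iterating is safe.
        delete($filehandles{$filename});
    }
}
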
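### Main scanning loop of the daemon; never returns. Follows each open
### log file in %filehandles like "tail -f": reads all new lines and
### feeds them to check_log_line(), sleeps, clears EOF by seeking back to
### the last position and tries again. Roughly every 30 rounds (5 s each)
### the blocklist is refreshed from netfilter, expired entries are weeded
### and the status files are regenerated.
###
### Limitations (unchanged): a rotated or truncated log file is not
### detected, and a HUP arriving during the sleep reinitializes
### %filehandles underneath this loop, so the positions saved here may no
### longer belong to the reopened files.
sub malt_scan {
    mlog(1, "Entering main scanning loop.\n");
    my $counter = -1;
    while (1) {
        my %filepos = ();
        foreach my $filename (keys %filehandles) {
            my $fh = $filehandles{$filename};
            # Remember where the last complete read ended so we can resume
            # there after sleeping. readline() is called explicitly: the
            # angle-bracket form <$filehandles{$filename}> is parsed by
            # perl as a filename glob pattern, not as a read from the
            # handle, so no new lines were ever read that way.
            $filepos{$filename} = tell($fh);
            while (defined($_ = readline($fh))) {
                chomp;
                check_log_line($_);
                $filepos{$filename} = tell($fh);
            }
        }
        if ($counter < 0 || $counter++ >= 30) {
            # Every once in a while, update known IP list from iptables
            # (in case entries have appeared there from "outside")
            # and perform weeding of old entries.
            $counter = 0;
            update_iplist(time());
            weed_entries();
            generate_status($settings{"STATUS_FILE_PLAIN"}, 0);
            generate_status($settings{"STATUS_FILE_HTML"}, 1);
        }
        sleep(5);
        # Seeking back to the saved position also clears the EOF
        # condition, so the next readline() sees newly appended lines.
        foreach my $filename (keys %filehandles) {
            seek($filehandles{$filename}, $filepos{$filename}, 0);
        }
    }
}
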
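### Final teardown: remove the pid-file (daemon mode only) and close the
### logfile. Safe to call more than once.
sub malt_finish {
    # In report mode (-f) no pid-file is ever written and $pid_file holds
    # the literal "-f", so there is nothing of ours to unlink; without
    # this guard a stray file named "-f" in the working directory would
    # be removed.
    if (!$report && $pid_file ne "" && -e $pid_file) {
        unlink($pid_file);
    }
    # Close logfile
    if (defined($LOGFILE)) {
        close($LOGFILE);
        undef($LOGFILE);
    }
}
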
### SIGINT handler: log the interrupt, release log files and the
### pid-file/logfile, then exit with status 1.
sub malt_int {
    mlog(-1, "\nCaught Interrupt (^C), aborting.\n");
    malt_cleanup();
    malt_finish();
    exit 1;
}

### SIGTERM handler: log the request, release log files and the
### pid-file/logfile, then exit. Exit status is 1, as for SIGINT.
sub malt_term {
    mlog(-1, "Received TERM, quitting.\n");
    malt_cleanup();
    malt_finish();
    exit 1;
}

### SIGHUP handler: close the log files and run malt_init() again, which
### reloads the blocklist from netfilter and re-parses the log files
### from their beginning. The configuration file is NOT re-read.
###
### NOTE(review): this runs while malt_scan() may be in the middle of its
### loop; the positions that loop saved refer to handles closed here, and
### the re-parse feeds every existing line through check_log_line() once
### more, so hit counts presumably grow on each HUP. Worth confirming.
sub malt_hup {
    mlog(-1, "Received HUP, reinitializing.\n");
    malt_cleanup();
    malt_init();
    mlog(-1, "Reinitialization finished, resuming scanning.\n");
}


###
### Main program
###
# Setup signal handlers. The handlers are given by name; perl looks them
# up in package main when the signal arrives. INT and TERM shut the
# daemon down, HUP re-initializes it (see malt_hup).
@SIG{'INT', 'TERM', 'HUP'} = ('malt_int', 'malt_term', 'malt_hup');

# Banner / usage: with no arguments at all, print the usage text and
# exit. Only the argument count is checked here; the "-f" report mode
# flag is recognized further below.
my $argc = scalar(@ARGV);
if ($argc < 1) {
    print join("",
        $progbanner,
        "\n",
        "Usage: maltfilter <pid filename> [config filename]\n",
        " maltfilter -f [config filename]\n",
        "-f turns on the full report mode.\n");
    exit(0);
}

# First argument is either the pid-file path (daemon mode) or "-f"
# (report-only mode, which writes no pid-file). Refuse to start over an
# existing pid-file. Only existence is tested: whether the recorded
# process is still alive is not checked, so a stale file left by a crash
# has to be removed by hand, and two instances started at the same time
# can both pass this test before either writes the file.
$pid_file = shift;
if ($pid_file eq "-f") {
    $report = 1;
} elsif (-e $pid_file) {
    die("'$pid_file' already exists, not starting.\n".
        "If the daemon is NOT running, remove the pid-file and re-start.\n");
}

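# Read configuration file (optional second argument).
#
# Security note: the settings read here include the iptables binary path
# and the ACTION that the daemon later executes with root privileges, as
# well as the log and status file paths it writes. The configuration
# file must therefore be writable only by the administrator.
#
# Accepted line forms (surrounding whitespace and a trailing comma are
# ignored, keys are case-insensitive, "=" and "=>" are equivalent):
#   KEY = 123            numeric value
#   KEY = "text"         string value
#   # comment / blank    ignored
# Only keys that already have a default in %settings are accepted, plus
# the repeatable SCANFILE and NOBLOCK_IPS entries.
if (defined(my $config_file = shift)) {
    my $errors = 0;

    # A config file replaces the default list of logfiles to scan
    # entirely. The default NOBLOCK_IPS entries are kept; the config
    # file only adds to them.
    undef(@scanfiles_def);

    open(my $conf, "<", $config_file) or die("Could not open configuration '".$config_file."'!\n");
    while (my $line = <$conf>) {
        chomp($line);
        if ($line =~ /(^\s*#|^\s*$)/) {
            # Ignore comments and empty lines
        } elsif ($line =~ /^\s*\"?([a-zA-Z0-9_]+)\"?\s*=>?\s*(\d+),?\s*$/) {
            # Unquoted numeric value
            my $key = uc($1);
            my $value = $2;
            if (defined($settings{$key})) {
                $settings{$key} = $value;
            } else {
                print STDERR "Unknown setting '$key' = $value\n";
                $errors = 1;
            }
        } elsif ($line =~ /^\s*\"?([a-zA-Z0-9_]+)\"?\s*=>?\s*\"(.*?)\",?\s*$/) {
            # Double-quoted string value
            my $key = uc($1);
            my $value = $2;
            if ($key eq "SCANFILE") {
                push(@scanfiles_def, $value);
            } elsif ($key eq "NOBLOCK_IPS") {
                push(@noblock_ips_def, $value);
            } elsif (defined($settings{$key})) {
                $settings{$key} = $value;
            } else {
                print STDERR "Unknown setting '$key' = '$value'\n";
                $errors = 1;
            }
        } else {
            print STDERR "Syntax error: $line\n";
            $errors = 1;
        }
    }
    close($conf);
    die("Errors in configuration file '$config_file', bailing out.\n") unless ($errors == 0);

    # The defaults were discarded above, so a config without a single
    # SCANFILE line leaves nothing to scan; say so instead of idling
    # silently in the background.
    print STDERR "Warning: no SCANFILE entries in '$config_file', nothing will be scanned.\n"
        unless (@scanfiles_def);
}
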
# Report-only mode must never modify netfilter: force dry-run mode, and
# raise the verbosity so the "would add" decisions show in the output.
@settings{"DRY_RUN", "VERBOSITY"} = (1, 1) if ($report);

# Drop duplicate entries from the user-configurable lists, keeping the
# first occurrence of each so the configuration order is preserved.
my %saw = ();
@scanfiles = grep { !$saw{$_}++ } @scanfiles_def;

%saw = ();
@noblock_ips = grep { !$saw{$_}++ } @noblock_ips_def;

# Open logfile, unless dry-running. In dry-run mode nothing is logged to
# a file; instead a loud notice goes to stdout so the operator knows that
# netfilter is not being touched.
if ($settings{"DRY_RUN"}) {
    print join("",
        $progbanner,
        "*********************************************\n",
        "* NOTICE! DRY-RUN MODE ENABLED! No changes *\n",
        "* will actually get committed to netfilter! *\n",
        "*********************************************\n");
} elsif ($settings{"LOGFILE"} ne "") {
    # Append mode, so restarts keep the history of earlier runs.
    my $logname = $settings{"LOGFILE"};
    open($LOGFILE, ">>", $logname) or die("Could not open logfile '".$logname."' for writing!\n");
    mlog(-1, "Log started\n");
}

# Refuse to run without a usable iptables binary; this is checked even in
# dry-run mode. NOTE(review): a relative IPTABLES path would be resolved
# against the current working directory here, so the setting should be
# an absolute path.
my $iptables = $settings{"IPTABLES"};
if (!(-e $iptables && -x $iptables)) {
    my $msg = "iptables binary does not exist or is not executable: ".$iptables."\n";
    mlog(-1, $msg);
    die($msg);
}

mlog(-1, "Not blocking following IPs: ".join(", ", @noblock_ips)."\n");

# Initialize: load the current blocklist and parse the existing log data.
# This happens before forking, so initial blocks are applied in the
# foreground.
malt_init();

687 # Fork to background, unless dry-running
688 if ($settings{"DRY_RUN"}) {
11
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
689 if ($report) {
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
690 mlog(-1, "Outputting report files.\n");
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
691 generate_status($settings{"STATUS_FILE_PLAIN"}, 0);
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
692 generate_status($settings{"STATUS_FILE_HTML"}, 1);
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
693 malt_cleanup();
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
694 } else {
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
695 malt_scan();
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
696 malt_cleanup();
26c2cc5077aa Added reporting functionality.
Matti Hamalainen <ccr@tnsp.org>
parents: 8
diff changeset
697 }
0
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
698 } else {
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
699 if (my $pid = fork) {
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
700 open(PIDFILE, ">", $pid_file) or die("Could not open pid file '".$pid_file."' for writing!\n");
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
701 print PIDFILE "$pid\n";
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
702 close(PIDFILE);
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
703 } else {
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
704 malt_scan();
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
705 malt_cleanup();
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
706 }
fec14263801d Initial import of maltfilter development version.
Matti Hamalainen <ccr@tnsp.org>
parents:
diff changeset
707 }