maltfilter: maltfilter comparison

comparison maltfilter @ 66:42889eed0ce8

Lots of cleanups, etc. Documentation updates.

author	Matti Hamalainen <ccr@tnsp.org>
date	Tue, 18 Aug 2009 03:21:30 +0300
parents	d2e2b82dd2f2
children	8df5d52436a1

comparison

equal deleted inserted replaced

-:d2e2b82dd2f2
+:42889eed0ce8
 use Date::Parse;
 use Net::IP;
 use Net::DNS;
 use LWP::UserAgent;
-my $progversion = "0.15.0";
+my $progversion = "0.16.0";
 my $progbanner =
 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n".
 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n".
 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n";
 #############################################################################
 ### Default settings and configuration
 #############################################################################
 my %settings = (
-"VERBOSITY" => 3,
+"VERBOSITY"           => 3,
-"DRY_RUN" => 1,
+"DRY_RUN"             => 1,
-"WEED_FILTER" => 168,  # in hours
+"LOGFILE"             => "",
-"WEED_GLOBAL" => 336,  # in hours
+"STATS_MAX_AGE"       => 336,  # in hours
-"THRESHOLD" => 3,
-"ACTION" => "DROP",
-"LOGFILE" => "",
-"IPTABLES" => "/sbin/iptables",
 "PASSWD"              => "/etc/passwd",
 "SYSACCT_MIN_UID"     => 1,
 "SYSACCT_MAX_UID"     => 100,
+"FILTER"              => 0,
+"FILTER_THRESHOLD"    => 3,
+"FILTER_MAX_AGE"      => 168,  # in hours
+"FILTER_TARGET"       => "DROP",
+"IPTABLES"            => "/sbin/iptables",
 "FULL_TIME"           => 1,
 "STATUS_FILE_PLAIN"   => "",
 "STATUS_FILE_HTML"    => "",
 "STATUS_FILE_CSS"     => "",
 "DRONEBL_MAX_AGE"     => 30, # in minutes
 "DRONEBL_RPC_URI"     => "http://dronebl.org/RPC2",
 "DRONEBL_RPC_KEY"     => "",
 );
-my @noblock_ips_def = (
+my @noaction_ips_def = (
 "127.0.0.1",
 );
 my %systemacct = ();
 sub check_add_hit($$$$$$);
 my $mdate = $1;
 my $merr = $2;
 # (1.1) Generic login scan attempts
 if ($merr =~ /^Failed password for invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)/) {
-check_add_hit($2, $mdate, "SSH login scan", "", $settings{"CHK_SSHD"});
+check_add_hit($2, $mdate, "SSH login scan", "", 13, $settings{"CHK_SSHD"});
 }
 # (1.2) Root account SSH login password bruteforcing attempts.
 elsif (/^Failed password for root from (\d+\.\d+\.\d+\.\d+)/) {
-check_add_hit($1, $mdate, "Root SSH password bruteforce", "", $settings{"CHK_ROOT_SSH_PWD"});
+check_add_hit($1, $mdate, "Root SSH password bruteforce", "", 13, $settings{"CHK_ROOT_SSH_PWD"});
 }
 # (1.3) System account SSH login password bruteforcing attempts.
 if ($merr =~ /^Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)/) {
 my $mip = $2; my $macct = $1;
 if (defined($systemacct{$macct})) {
-check_add_hit($mip, $mdate, "SSH system account bruteforce", $macct, $settings{"CHK_SYSACCT_SSH_PWD"});
+check_add_hit($mip, $mdate, "SSH system account bruteforce", $macct, 13, $settings{"CHK_SYSACCT_SSH_PWD"});
 }
 }
 }
 # (2) Common/known vulnerable CGI/PHP software scans (like phpMyAdmin)
 elsif (/^\[(.+?)\]\s+\[error\]\s+\[client\s+(\d+\.\d+\.\d+\.\d+)\]\s+(.+)$/) {
 my $mdate = $1;
 my $mip = $2;
 my $merr = $3;
 if ($merr =~ /^File does not exist: (.+)$/) {
 my $tmp = $1;
 if ($tmp =~ /\/mss2|\/pma|admin|sql|\/roundcube|\/webmail|\/bin|\/mail|xampp|zen|mailto:|appserv|cube|round|_vti_bin|wiki/i) {
-check_add_hit($mip, $mdate, "CGI vuln scan", $tmp, $settings{"CHK_KNOWN_CGI"});
+check_add_hit($mip, $mdate, "CGI vuln scan", $tmp, 2, $settings{"CHK_KNOWN_CGI"});
 }
 }
 }
 # (3) Apache common logging format checks
 elsif (/(\d+\.\d+\.\d+\.\d+)\s+-\s+-\s+\[(.+?)\]\s+\"GET (\S*?) HTTP\//) {
 my $mdate = $2;
 my $mip = $1;
 my $merr = $3;
 # (3.1) Simple match for generic PHP XSS vulnerability scans
 if ($merr =~ /\.php\?\S*?=http:\/\/([^\/]+)/) {
 if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
 if ($merr =~ /\.php\?\S*?=(http:\/\/[^\&\?]+\??)/) {
-check_add_evidence($mip, $1, $merr);
+evidence_queue($mip, $1, $merr);
 }
-check_add_hit($mip, $mdate, "PHP XSS", $merr, $settings{"CHK_PHP_XSS"});
+check_add_hit($mip, $mdate, "PHP XSS", $merr, 2, $settings{"CHK_PHP_XSS"});
 }
 }
 # (3.2) Try to match proxy scanning attempts
 elsif ($merr =~ /^http:\/\/([^\/]+)/) {
 if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
-check_add_hit($mip, $mdate, "Proxy scan", $merr, $settings{"CHK_PROXY_SCAN"});
+check_add_hit($mip, $mdate, "Proxy scan", $merr, 2, $settings{"CHK_PROXY_SCAN"});
 }
 }
 }
 }
 ### Global variables
 #############################################################################
 my $reportmode = 0;      # Full report mode
 my @scanfiles = ();      # Files to scan
 my @scanfiles_once = (); # Files to scan only once during startup or HUP (e.g. not continuously followed)
-my @noblock_ips = ();    # IPs not to block
+my @noaction_ips = ();    # IPs not to block
 my %filehandles = ();    # Global hash holding opened scanned log filehandles
 my $pid_file = "";       # Name of Maltfilter daemon pid file
 my @configfiles = ();    # Array of configuration file names
 my $LOGFILE;             # Maltfilter logfile handle
 my %dronebl = ();
-# IPs currently blocked in Netfilter $blocklist{$ip} = date
+# IPs currently blocked in Netfilter $filterlist{$ip} = date
-my %blocklist = ();
+my %filterlist = ();
 # Gathered information about hosts
 # $statlist{$ip}->
 # "date1"    = timestamp of first hit
 # "date2"    = timestamp of latest hit
 "Hits       | IP-address      | First hit                | Latest hit               | Reason(s)\n"
 );
 foreach my $mip (sort { $func->($table, $a, $b) } keys %{$keys}) {
-my $blocked = defined($blocklist{$mip}) ? "blocked" : "unblocked";
+my $blocked = defined($filterlist{$mip}) ? "blocked" : "unblocked";
 printElem($m, $f, " <tr class=\"$blocked\">");
 printTD($m, $f, sprintf(bb($m)."%-10d".eb($m), $table->{$mip}{"hits"}));
 printElem(!$m, $f, " | ");
 printTD($m, $f, sprintf("%-15s", get_link($m, $mip)));
 printElem(!$m, $f, " | ");
 my @previp = ("0.0.0.0", "0.0.0.0");
 my @ncolor = (0, 0);
 my $printEntry = sub {
-my $blocked = "class=\"".(defined($blocklist{$_[0]}) ? "blocked" : "unblocked")."\"";
+my $blocked = "class=\"".(defined($filterlist{$_[0]}) ? "blocked" : "unblocked")."\"";
 if (test_ips($previp[$_[1]], $_[0]) < 3) {
 $ncolor[$_[1]]++;
 }
 $previp[$_[1]] = $_[0];
 my $str = "style=\"background: ".$ipcolors[$ncolor[$_[1]] % scalar @ipcolors].";\"";
 </head>
 <body>
 ");
 printH($m, $f, 1, "Maltfilter v$progversion status report");
-my $period = get_period($settings{"WEED_GLOBAL"});
+my $period = get_period($settings{"STATS_MAX_AGE"});
 printP($m, $f,
 "Generated ".bb($m).get_time_str(time()).eb($m).". Data computed from ".
 ($reportmode ? "complete logfile scan" : "a period of last $period").".\n");
 printP($m, $f, "The hit classes marked as 'IPTABLES' are a pseudo-class meaning an\n".
 "blocked IP that was in Netfilter before Maltfilter was started.\n");
 printH($m, $f, 2, "Currently filtered entries");
-$period = get_period($settings{"WEED_FILTER"});
+$period = get_period($settings{"FILTER_MAX_AGE"});
 printP($m, $f, "List of IPs that are currently filtered (or would be, if this is\n".
 "a report-only mode). Data from period of $period.\n");
-print_table1($m, $f, \%statlist, \%blocklist, \&cmp_hits, "blocked");
+print_table1($m, $f, \%statlist, \%filterlist, \&cmp_hits, "blocked");
 printH($m, $f, 2, "Summary of non-ignored entries");
 printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not\n".
 "necessarily acted upon. Sorted by descending IP address.\n");
 print_table2($m, $f, \%statlist, \%statlist, \&cmp_ips, "global");
 #############################################################################
 ### DroneBL submission support
 #############################################################################
 sub dronebl_process
 {
-#  return if ($reportmode);
 return unless ($settings{"DRONEBL"} > 0);
+return if ($settings{"DRY_RUN"});
 # Create submission data
 my $xml = "<?xml version=\"1.0\"?>\n<request key=\"".$settings{"DRONEBL_RPC_KEY"}."\">\n";
 my $entries = 0;
 while (my ($ip, $entry) = each(%dronebl)) {
-if ($entry->{"sent"} == 0) {
+if ($entry->{"sent"} == 0 && $entry->{"tries"} < 3) {
-$xml .= "<add ip=\"".$ip."\" type=\"".$entry->{"type"}."\" />\n";
+$xml .= "<add ip=\"".$ip."\" type=\"1\" />\n";
+#      $xml .= "<add ip=\"".$ip."\" type=\"".$entry->{"type"}."\" />\n";
 $entries++;
 }
 }
 $xml .= "</request>\n";
-mlog(1, "Trying to submit $entries entries to DroneBL.\n");
+# Bait out if no entries to submit
-print STDERR $xml;
-return;
 return unless ($entries > 0);
+mlog(1, "[DroneBL] Trying to submit $entries entries.\n");
+return;
 # Submit via HTTP XML-RPC
 my $tmp = LWP::UserAgent->new;
 $tmp->agent("Maltfilter/".$progversion);
 $tmp->timeout(10);
 $req->content($xml);
 $req->user_agent("Maltfilter/".$progversion);
 my $res = $tmp->request($req);
 if ($res->is_success) {
-while (my ($ip, $entry) = each(%dronebl)) {
+mlog(2, "[DroneBL] [".$res->code."] ".$res->message."\n");
-$entry->{"sent"} = 1;
+print $res->content."\n";
-}
+#    while (my ($ip, $entry) = each(%dronebl)) {
-} else {
+#      $entry->{"sent"} = 1;
-mlog(-1, "DroneBL submission failed: [".$res->code."] ".$res->message."\n");
+#    }
+} else {
+mlog(-1, "[DroneBL] Submission failed: [".$res->code."] ".$res->message."\n");
 }
 # Remove submitted expired entries
 while (my ($ip, $entry) = each(%dronebl)) {
-print "$ip: ".$entry->{"sent"}."\n" unless check_time3($entry->{"date"});
+if (!check_time3($entry->{"date"})) {
-}
+mlog(1, "[DroneBL] $ip submission expired.\n") unless ($entry->{"sent"} > 0);
-}
+delete($dronebl{$ip});
+}
+}
+}
+sub dronebl_queue($$$)
+{
+my ($mip, $mdate, $mtype) = @_;
+if (!defined($dronebl{$mip})) {
+mlog(3, "[DroneBL] Queueing $mip \@ $mdate ($mtype)\n");
+$dronebl{$mip}{"type"} = $mtype;
+$dronebl{$mip}{"date"} = $mdate;
+$dronebl{$mip}{"sent"} = 0;
+$dronebl{$mip}{"tries"} = 0;
+}
+}
 #############################################################################
 ### Evidence gathering
 #############################################################################
 my %evidence = ();
-sub check_add_evidence($$$)
+sub evidence_queue($$$)
 {
 my ($mip, $mdata, $mfull) = @_;
-return unless ($settings{"EVIDENCE"});
+return unless ($settings{"EVIDENCE"} > 0);
 my $tmp = $mdata;
 $tmp =~ s/http:\/\///;
 $tmp =~ s/^\.+/_/;
 $tmp =~ s/[^A-Za-z0-9:\.]/_/g;
 $evidence{$mdata}{"coll"} = $tmp;
 $evidence{$mdata}{"hosts"}{$mip} = 1;
 $evidence{$mdata}{"full"}{$mfull} = 1;
 }
-sub http_fetch($$)
+sub evidence_fetch($$)
 {
 my $tmp = LWP::UserAgent->new;
 $tmp->agent("-");
 $tmp->timeout(10);
 $tmp->default_headers->referer($_[1]);
 my $req = HTTP::Request->new(GET => $_[0]);
 return $tmp->request($req);
 }
-sub gather_evidence
+sub evidence_gather
 {
 my $dns = Net::DNS::Resolver->new;
 my $base = $settings{"EVIDENCE_DIR"};
-return unless ($settings{"EVIDENCE"});
+return unless ($settings{"EVIDENCE"} > 0);
 mdie("Evidence directory '$base' has disappeared.\n") unless (-e $base);
 foreach my $url (keys %evidence) {
 my $did_fetch = 0;
 # Get data contents only once
 if (! -e $filename) {
 $did_fetch = 1;
 mlog(1, "Fetching evidence for $url\n");
-my $res = http_fetch($url, "");
+my $res = evidence_fetch($url, "");
 open(FILE, ">:raw", $filename) or mdie("Could not open '$filename' for writing.\n");
 binmode(FILE, ":raw");
 if ($res->is_success && $res->code >= 200 && $res->code <= 201) {
 print FILE $res->content;
 }
 }
 ### Execute iptables
 sub exec_iptables(@)
 {
+$ENV{"PATH"} = "";
 my @args = ($settings{"IPTABLES"}, @_);
 if ($settings{"DRY_RUN"}) {
 mlog(3, ":: ".join(" ", @args)."\n");
 } else {
 system(@args) == 0 or print join(" ", @args)." failed: $?\n";
 }
 }
 ### Get current Netfilter INPUT table entries that match
-### entry types we manage, e.g. blocklist
+### entry types we manage, e.g. filterlist
-sub update_blocklist($)
+sub update_filterlist($)
 {
-# NOTICE: argument not used now
+return unless ($settings{"FILTER"} > 0);
 my $first = $_[0];
+mlog(0, "Updating initial filterlist from netfilter.\n") unless ($first > 0);
 $ENV{"PATH"} = "";
 open(STATUS, $settings{"IPTABLES"}." -v -n -L INPUT |") or
 mdie("Could not execute ".$settings{"IPTABLES"}."\n");
 my %newlist = ();
 undef(%newlist);
 while (<STATUS>) {
 chomp;
-if (/^\s*(\d+)\s+\d+\s+$settings{"ACTION"}\s+all\s+--\s+\*\s+\*\s+(\d+\.\d+\.\d+\.\d+)\s+0\.0\.0\.0\/0\s*$/) {
+if (/^\s*(\d+)\s+\d+\s+$settings{"FILTER_TARGET"}\s+all\s+--\s+\*\s+\*\s+(\d+\.\d+\.\d+\.\d+)\s+0\.0\.0\.0\/0\s*$/) {
 my $mip = $2;
 my $mdate = time();
-if (!defined($blocklist{$mip})) {
+if (!defined($filterlist{$mip})) {
-mlog(2, "* $mip appeared in iptables.\n") if ($first > 0);
+mlog(2, "* $mip appeared in iptables.\n") unless ($first < 0);
-$blocklist{$2} = $mdate;
+$filterlist{$2} = $mdate;
 }
 $newlist{$2} = $mdate;
 update_entry(\%statlist, $mip, -1, "IPTABLES", "", 0);
 }
 }
 close(STATUS);
-foreach my $mip (keys %blocklist) {
+foreach my $mip (keys %filterlist) {
 if (!defined($newlist{$mip})) {
 mlog(2, "* $mip removed from iptables.\n");
-delete($blocklist{$mip});
+delete($filterlist{$mip});
 }
 }
 }
 ### Check if given timestamp is _newer_ than weedperiod threshold.
 ### Returns false if timestamp is over weed period, e.g. needs weeding.
 sub check_time1($)
 {
-return ($_[0] > time() - ($settings{"WEED_FILTER"} * 60 * 60));
+return ($_[0] > time() - ($settings{"FILTER_MAX_AGE"} * 60 * 60));
 }
 sub check_time2($)
 {
-return ($_[0] > time() - ($settings{"WEED_GLOBAL"} * 60 * 60));
+return ($_[0] > time() - ($settings{"STATS_MAX_AGE"} * 60 * 60));
 }
 sub check_time3($)
 {
 return ($_[0] > time() - ($settings{"DRONEBL_MAX_AGE"} * 60));
 }
 ### Weed out old entries
 sub weed_do($)
 {
-my $mtime = $blocklist{$_[0]};
+my $mtime = $filterlist{$_[0]};
 mlog(2, "* Weeding $_[0] (".get_time_str($mtime).")\n");
-exec_iptables("-D", "INPUT", "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"ACTION"});
+exec_iptables("-D", "INPUT", "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"FILTER_TARGET"});
-delete($blocklist{$_[0]});
+delete($filterlist{$_[0]});
 delete($statlist{$_[0]});
 delete($ignorelist{$_[0]});
 }
 sub weed_entries()
 {
 # Don't weed in report mode.
-return if ($reportmode);
+return unless ($settings{"FILTER"} > 0 && $reportmode == 0);
 # Weed blocked entries.
-my @mips = keys %blocklist;
+my @mips = keys %filterlist;
 foreach my $mip (@mips) {
-if (defined($blocklist{$mip})) {
+if (defined($filterlist{$mip})) {
-if ($blocklist{$mip} >= 0) {
+if ($filterlist{$mip} >= 0) {
-weed_do($mip) unless check_time1($blocklist{$mip});
+weed_do($mip) unless check_time1($filterlist{$mip});
 } else {
 weed_do($mip);
 }
 }
 }
 # Clean up old entries from other lists
 foreach my $mip (keys %statlist) {
 if (defined($statlist{$mip})) {
 my $mtime = $statlist{$mip}{"date2"};
-if (!check_time2($mtime) && !defined($blocklist{$mip})) {
+if (!check_time2($mtime) && !defined($filterlist{$mip})) {
 mlog(3, "* Deleting stale $mip (".get_time_str($mtime).")\n");
 delete($statlist{$mip});
 }
 }
 }
 my $mreason = $_[3];
 my $mtype = $_[4];
 my $mcond = $_[5];
 my $cnt;
-if (check_hosts_array(\@noblock_ips, $mip)) {
+if (check_hosts_array(\@noaction_ips, $mip)) {
-mlog(3, "Hit to NOBLOCK_IPS($mip): [$mclass] $mreason\n");
+mlog(2, "Hit to NOACTION_IPS($mip): [$mclass] $mreason\n");
 return;
 }
 # If condition is true, we add to regular statlist
 if ($mcond) {
 update_entry(\%ignorelist, $mip, $mdate, $mclass, $mreason, 1);
 return;
 }
 # Check if we have exceeded threshold etc.
-if ($cnt >= $settings{"THRESHOLD"} && check_time1($mdate)) {
+if ($settings{"FILTER"} > 0 && $cnt >= $settings{"FILTER_THRESHOLD"} && check_time1($mdate)) {
-# Add to blocklist, unless already there.
+# Add to filterlist, unless already there.
-if (!defined($blocklist{$mip})) {
+if (!defined($filterlist{$mip})) {
-mlog(1, "* Adding $mip ($mdate): [$mclass] $mreason\n");
+mlog(1, "* Adding $mip \@ ".get_time_str($mdate).": [$mclass] $mreason\n");
-exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"ACTION"});
+exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"FILTER_TARGET"});
 }
 # Update date of last hit
-$blocklist{$mip} = $mdate;
+$filterlist{$mip} = $mdate;
 }
 # Separate check for DroneBL
 if ($settings{"DRONEBL"} > 0 && $mtype > 0 && $cnt >= $settings{"DRONEBL_THRESHOLD"} && check_time3($mdate)) {
-$dronebl{$mip}{"type"} = $mtype;
+dronebl_queue($mip, $mdate, $mtype);
-$dronebl{$mip}{"date"} = $mdate;
-$dronebl{$mip}{"sent"} = 0 unless defined($dronebl{$mip}{"sent"});
 }
 }
 #############################################################################
 {
 %statlist = ();
 undef(%statlist);
 %ignorelist = ();
 undef(%ignorelist);
-mlog(0, "Updating initial blocklist from netfilter.\n");
+update_filterlist(-1);
-update_blocklist(-1);
 foreach my $filename (@scanfiles_once) {
 mlog(0, "Parsing [ONCE] ".$filename." ...\n");
 if (open(INFILE, "<", $filename)) {
 while (<INFILE>) {
 mlog(-1, "Received HUP, reinitializing.\n");
 malt_cleanup();
 malt_configure();
 malt_init();
 mlog(-1, "Reinitialization finished, resuming scanning.\n");
+}
+sub malt_maintenance
+{
+update_filterlist(time());
+weed_entries();
+generate_status($settings{"STATUS_FILE_PLAIN"}, 0);
+generate_status($settings{"STATUS_FILE_HTML"}, 1);
+evidence_gather();
+dronebl_process();
 }
 ### Main scanning function
 sub malt_scan
 {
 chomp;
 check_log_line($_);
 }
 }
 if ($counter < 0 || $counter++ >= 30) {
-# Every once in a while, update known IP list from iptables
+# Every once in a while, execute maintenance functions
-# (in case entries have appeared there from "outside")
-# and perform weeding of old entries.
 $counter = 0;
-update_blocklist(time());
+malt_maintenance();
-weed_entries();
-generate_status($settings{"STATUS_FILE_PLAIN"}, 0);
-generate_status($settings{"STATUS_FILE_HTML"}, 1);
-gather_evidence();
 }
 sleep(2);
 foreach my $filename (keys %filehandles) {
 seek($filehandles{$filename}, $filepos{$filename}, 0);
 }
 my $value = $2;
 if ($key eq "SCANFILE") {
 push(@scanfiles, $value);
 } elsif ($key eq "SCANFILE_ONCE") {
 push(@scanfiles_once, $value);
-} elsif ($key eq "NOBLOCK_IPS") {
+} elsif ($key eq "NOACTION_IPS") {
-push(@noblock_ips_def, $value);
+push(@noaction_ips_def, $value);
 } elsif (defined($settings{$key})) {
 $settings{$key} = $value;
 } else {
 mlog(-1, "[$filename:$line] Unknown setting '$key' = '$value'\n");
 $errors = 1;
 %saw = ();
 @scanfiles_once = grep(!$saw{$_}++, @scanfiles_once);
 %saw = ();
-@noblock_ips = grep(!$saw{$_}++, @noblock_ips_def);
+@noaction_ips = grep(!$saw{$_}++, @noaction_ips_def);
 undef(%saw);
-mlog(-1, "Not blocking following IPs: ".join(", ", @noblock_ips)."\n");
+mlog(-1, "Not acting on IPs: ".join(", ", @noaction_ips)."\n");
 # Check if we have anything to do
 if ($reportmode) {
 mdie("Nothing to do, no SCANFILE(s) or SCANFILE_ONCE(s) defined in configuration.\n") unless ($#scanfiles > 0 || $#scanfiles_once > 0);
 } else {
 mdie("Nothing to do, no SCANFILE(s) defined in configuration.\n") unless ($#scanfiles > 0);
 }
-# Test existence of iptables
+# General settings
-if (! -e $settings{"IPTABLES"} || ! -x $settings{"IPTABLES"}) {
+my $val = $settings{"STATS_MAX_AGE"};
-mdie("iptables binary does not exist or is not executable: ".$settings{"IPTABLES"}."\n");
+mdie("Invalid STATS_MAX_AGE value $val, must be > 0.\n") unless ($val > 0);
+# Filtering
+if ($settings{"FILTER"} > 0) {
+$val = $settings{"FILTER_MAX_AGE"};
+mdie("Invalid FILTER_MAX_AGE value $val, must be > 0.\n") unless ($val > 0);
+$val = $settings{"FILTER_THRESHOLD"};
+mdie("Invalid FILTER_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0);
+$val = $settings{"IPTABLES"};
+mdie("iptables binary does not exist or is not executable: $val\n") unless (-e $val && -x $val);
+} else {
+mlog(1, "Netfilter handling disabled.\n");
 }
 # Check evidence settings
-if ($settings{"EVIDENCE"}) {
+if ($settings{"EVIDENCE"} > 0) {
 my $base = $settings{"EVIDENCE_DIR"};
 mdie("Evidence directory (EVIDENCE_DIR) not set in configuration.\n") if ($base eq "");
 mdie("Evidence directory '$base' does not exist.\n") unless (-e $base);
 mdie("Path '$base' is not a directory.\n") unless (-d $base);
 mdie("Evidence directory '$base' is not writable by euid.\n") unless (-w $base);
 }
-# Check settings
+# Sanitize DroneBL configuration
+if ($settings{"DRONEBL"} > 0) {
+mdie("DroneBL RPC key not set.\n") unless ($settings{"DRONEBL_RPC_KEY"} ne "");
+}
+# Check system account / passwd settings
 mdie("SYSACCT_MIN_UID must be >= 1.\n") unless ($settings{"SYSACCT_MIN_UID"} >= 1);
 mdie("SYSACCT_MAX_UID must be >= SYSACCT_MIN_UID.\n") unless ($settings{"SYSACCT_MAX_UID"} >= $settings{"SYSACCT_MIN_UID"});
 open(PASSWD, "<", $settings{"PASSWD"}) or mdie("Could not open '".$settings{"PASSWD"}."' for reading!\n");
 while (<PASSWD>) {
 $SIG{'HUP'} = 'malt_hup';
 # Print banner and help if no arguments
 my $argc = $#ARGV + 1;
 if ($argc < 1) {
-print $progbanner.
+print STDERR $progbanner.
 "\n".
 "Usage: maltfilter <pid filename> [config filename] [config filename...]\n".
 "       maltfilter -f [config filename] [config filename...]\n".
 "-f turns on the full report mode.\n";
 exit;
 # Test pid file existence unless report mode
 $pid_file = shift;
 if ($pid_file eq "-f") {
 $reportmode = 1;
+print STDERR $progbanner;
 } else {
 mdie("'$pid_file' already exists, not starting.\n".
 "If the daemon is NOT running, remove the pid-file and re-start.\n")
 if (-e $pid_file);
 }
 malt_configure();
 # Open logfile
 if ($settings{"DRY_RUN"}) {
-print $progbanner.
+print STDERR
-"*********************************************\n".
+"*********************************\n".
-"* NOTICE! DRY-RUN MODE ENABLED! No changes  *\n".
+"* NOTICE! DRY-RUN MODE ENABLED! *\n".
-"* will actually get committed to netfilter! *\n".
+"*********************************\n";
-"*********************************************\n";
 } elsif ($settings{"LOGFILE"} ne "") {
 open($LOGFILE, ">>", $settings{"LOGFILE"}) or die("Could not open logfile '".$settings{"LOGFILE"}."' for writing!\n");
 select((select($LOGFILE), $| = 1)[0]);
 mlog(-1, "Log started\n");
 }
 malt_init();
 # Fork to background, unless dry-running
 if ($settings{"DRY_RUN"}) {
 if ($reportmode) {
-mlog(-1, "Outputting report files.\n");
+malt_maintenance();
-generate_status($settings{"STATUS_FILE_PLAIN"}, 0);
-generate_status($settings{"STATUS_FILE_HTML"}, 1);
-gather_evidence();
 malt_cleanup();
 } else {
 malt_scan();
 malt_cleanup();
 }

Mercurial > hg > maltfilter

comparison maltfilter @ 66:42889eed0ce8