comparison maltfilter @ 26:61b6d742c49c

Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
author Matti Hamalainen <ccr@tnsp.org>
date Sat, 15 Aug 2009 23:43:22 +0300
parents 34dcb7462043
children 632bce74cf38
20 ### Settings / configuration 20 ### Settings / configuration
21 ############################################################################# 21 #############################################################################
22 my %settings = ( 22 my %settings = (
23 "VERBOSITY" => 3, 23 "VERBOSITY" => 3,
24 "DRY_RUN" => 1, 24 "DRY_RUN" => 1,
25 "WEEDPERIOD" => 150, 25 "WEED_BLOCK" => 168,
26 "WEED_GLOBAL" => 336,
26 "TRESHOLD" => 3, 27 "TRESHOLD" => 3,
27 "ACTION" => "DROP", 28 "ACTION" => "DROP",
28 "LOGFILE" => "", 29 "LOGFILE" => "",
29 "IPTABLES" => "/sbin/iptables", 30 "IPTABLES" => "/sbin/iptables",
30 31
337 sub cmp_hits($$$) 338 sub cmp_hits($$$)
338 { 339 {
339 return $_[0]->{$_[2]}{"hits"} <=> $_[0]->{$_[1]}{"hits"}; 340 return $_[0]->{$_[2]}{"hits"} <=> $_[0]->{$_[1]}{"hits"};
340 } 341 }
341 342
343 sub get_period($)
344 {
345 my ($str, $r, $k);
346 if ($_[0] > 30 * 24) {
347 $r = $_[0] / (30 * 24);
348 $k = $_[0] % (30 * 24);
349 $str = sprintf("%d months", $r);
350 $str .= sprintf(", %d days", $k) if ($k > 0);
351 } elsif ($_[0] > 24 * 7) {
352 $str = sprintf("%1.1f weeks", $_[0] / 24);
353 } elsif ($_[0] > 24) {
354 $r = $_[0] / 24;
355 $k = $_[0] % 24;
356 $str = sprintf("%d days", $r);
357 $str .= sprintf(", %d hours", $k) if ($k > 0);
358 } else {
359 $str = sprintf("%d hours", $_[0]);
360 }
361 return $str;
362 }
342 363
343 sub generate_status($$) 364 sub generate_status($$)
344 { 365 {
345 my $filename = shift; 366 my $filename = shift;
346 my $m = shift; 367 my $m = shift;
364 </head> 385 </head>
365 <body> 386 <body>
366 "); 387 ");
367 388
368 printH($m, $f, 1, "Maltfilter v$progversion status report"); 389 printH($m, $f, 1, "Maltfilter v$progversion status report");
369 my $val = $settings{"WEEDPERIOD"}; 390 my $period = get_period($settings{"WEED_GLOBAL"});
370 my $period;
371
372 if ($val > 30 * 24) {
373 $period = sprintf("%1.1f months", $val / (30.0 * 24.0));
374 } elsif ($val > 24 * 7) {
375 $period = sprintf("%1.1f weeks", $val / 24);
376 } elsif ($val > 24) {
377 $period = sprintf("%d days", $val / 24);
378 } else {
379 $period = sprintf("%d hours", $val);
380 }
381 391
382 printP($m, $f, 392 printP($m, $f,
383 "Generated ".bb($m).$mtime.eb($m).". Data computed from ". 393 "Generated ".bb($m).$mtime.eb($m).". Data computed from ".
384 ($reportmode ? "complete logfile scan" : "a period of last $period").".\n"); 394 ($reportmode ? "complete logfile scan" : "a period of last $period").".\n");
395
385 printP($m, $f, "The hit classes marked as 'IPTABLES' are a pseudo-class meaning an\n". 396 printP($m, $f, "The hit classes marked as 'IPTABLES' are a pseudo-class meaning an\n".
386 "blocked IP that was in Netfilter before Maltfilter was started.\n"); 397 "blocked IP that was in Netfilter before Maltfilter was started.\n");
387 398
388 printH($m, $f, 2, "Currently blocked entries"); 399 printH($m, $f, 2, "Currently blocked entries");
400 $period = get_period($settings{"WEED_BLOCK"});
389 printP($m, $f, "List of IPs that are currently blocked (or would be, if this is\n". 401 printP($m, $f, "List of IPs that are currently blocked (or would be, if this is\n".
390 "a report-only mode)."); 402 "a report-only mode). Data from period of $period.\n");
391 printTable1($m, $f, \%statlist, \%blocklist, \&cmp_hits); 403 printTable1($m, $f, \%statlist, \%blocklist, \&cmp_hits);
392 404
393 printH($m, $f, 2, "Summary of non-ignored entries"); 405 printH($m, $f, 2, "Summary of non-ignored entries");
394 printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not\n". 406 printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not\n".
395 "necessarily acted upon. Sorted by descending IP address.\n"); 407 "necessarily acted upon. Sorted by descending IP address.\n");
476 } 488 }
477 } 489 }
478 490
479 ### Check if given timestamp is _newer_ than weedperiod threshold. 491 ### Check if given timestamp is _newer_ than weedperiod threshold.
480 ### Returns false if timestamp is over weed period, e.g. needs weeding. 492 ### Returns false if timestamp is over weed period, e.g. needs weeding.
481 sub check_time($) 493 sub check_time1($)
482 { 494 {
483 return ($_[0] >= time() - ($settings{"WEEDPERIOD"} * 60 * 60)); 495 return ($_[0] >= time() - ($settings{"WEED_BLOCK"} * 60 * 60));
496 }
497
498 sub check_time2($)
499 {
500 return ($_[0] >= time() - ($settings{"WEED_GLOBAL"} * 60 * 60));
484 } 501 }
485 502
486 ### Weed out old entries 503 ### Weed out old entries
487 sub weed_do($) 504 sub weed_do($)
488 { 505 {
502 # Weed blocked entries. 519 # Weed blocked entries.
503 my @mips = keys %blocklist; 520 my @mips = keys %blocklist;
504 foreach my $mip (@mips) { 521 foreach my $mip (@mips) {
505 if (defined($blocklist{$mip})) { 522 if (defined($blocklist{$mip})) {
506 if ($blocklist{$mip} >= 0) { 523 if ($blocklist{$mip} >= 0) {
507 weed_do($mip) unless check_time($blocklist{$mip}); 524 weed_do($mip) unless check_time1($blocklist{$mip});
508 } else { 525 } else {
509 weed_do($mip); 526 weed_do($mip);
510 } 527 }
511 } 528 }
512 } 529 }
513 530
514 # Clean up old entries from other lists 531 # Clean up old entries from other lists
515 foreach my $mip (keys %statlist) { 532 foreach my $mip (keys %statlist) {
516 if (defined($statlist{$mip})) { 533 if (defined($statlist{$mip})) {
517 my $mtime = $statlist{$mip}{"date2"}; 534 my $mtime = $statlist{$mip}{"date2"};
518 if (!check_time($mtime) && !defined($blocklist{$mip})) { 535 if (!check_time2($mtime) && !defined($blocklist{$mip})) {
519 mlog(3, "* Deleting stale $mip (".($mtime >= 0 ? scalar localtime($mtime) : $mtime).")\n"); 536 mlog(3, "* Deleting stale $mip (".($mtime >= 0 ? scalar localtime($mtime) : $mtime).")\n");
520 delete($statlist{$mip}); 537 delete($statlist{$mip});
521 } 538 }
522 } 539 }
523 } 540 }
524 541
525 foreach my $mip (keys %ignorelist) { 542 foreach my $mip (keys %ignorelist) {
526 if (defined($ignorelist{$mip})) { 543 if (defined($ignorelist{$mip})) {
527 my $mtime = $ignorelist{$mip}{"date2"}; 544 my $mtime = $ignorelist{$mip}{"date2"};
528 if (!check_time($mtime)) { 545 if (!check_time2($mtime)) {
529 mlog(3, "* Deleting stale ignored $mip (".($mtime >= 0 ? scalar localtime($mtime) : $mtime).")\n"); 546 mlog(3, "* Deleting stale ignored $mip (".($mtime >= 0 ? scalar localtime($mtime) : $mtime).")\n");
530 delete($ignorelist{$mip}); 547 delete($ignorelist{$mip});
531 } 548 }
532 } 549 }
533 } 550 }
586 update_entry(\%ignorelist, $mip, $mdate, $mclass, $mreason); 603 update_entry(\%ignorelist, $mip, $mdate, $mclass, $mreason);
587 return; 604 return;
588 } 605 }
589 606
590 # Check if we have exceeded treshold etc. 607 # Check if we have exceeded treshold etc.
591 if ($cnt >= $settings{"TRESHOLD"} && check_time($mdate)) { 608 if ($cnt >= $settings{"TRESHOLD"} && check_time1($mdate)) {
592 # Add to blocklist, unless already there. 609 # Add to blocklist, unless already there.
593 if (!defined($blocklist{$mip})) { 610 if (!defined($blocklist{$mip})) {
594 mlog(1, "* Adding $mip ($mdate): [$mclass] $mreason\n"); 611 mlog(1, "* Adding $mip ($mdate): [$mclass] $mreason\n");
595 exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"ACTION"}); 612 exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"ACTION"});
596 } 613 }
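Review bot: The weeks branch of the new get_period() divides by 24 instead of 24 * 7 (new line 352), so the value it prints is a day count labelled as weeks; with the default WEED_GLOBAL of 336 hours the status report would read "14.0 weeks" where "2.0 weeks" is meant. The fix is `$str = sprintf("%1.1f weeks", $_[0] / (24 * 7));`. The comment above check_time1() at new lines 491-492 still describes a single "weedperiod threshold"; it should now say which setting each helper uses, e.g. `### check_time1: newer than WEED_BLOCK; check_time2: newer than WEED_GLOBAL (hours).` The bodies of check_time1() and check_time2() differ only in the settings key, so a single helper taking the key name (or the hour count) would keep the two from drifting apart, and nothing visible here rejects a configuration where WEED_GLOBAL is shorter than WEED_BLOCK, which appears to let stat entries be weeded while their block is still considered current. generate_status(), weed_do() and the function holding the TRESHOLD check all continue outside the hunks shown.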