comparison maltfilter @ 26:61b6d742c49c
Separate WEEDPERIOD into WEED_BLOCK and WEED_GLOBAL settings.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Sat, 15 Aug 2009 23:43:22 +0300 |
parents | 34dcb7462043 |
children | 632bce74cf38 |
25:34dcb7462043 | 26:61b6d742c49c |
---|---|
20 ### Settings / configuration | 20 ### Settings / configuration |
21 ############################################################################# | 21 ############################################################################# |
22 my %settings = ( | 22 my %settings = ( |
23 "VERBOSITY" => 3, | 23 "VERBOSITY" => 3, |
24 "DRY_RUN" => 1, | 24 "DRY_RUN" => 1, |
25 "WEEDPERIOD" => 150, | 25 "WEED_BLOCK" => 168, |
26 "WEED_GLOBAL" => 336, | |
26 "TRESHOLD" => 3, | 27 "TRESHOLD" => 3, |
27 "ACTION" => "DROP", | 28 "ACTION" => "DROP", |
28 "LOGFILE" => "", | 29 "LOGFILE" => "", |
29 "IPTABLES" => "/sbin/iptables", | 30 "IPTABLES" => "/sbin/iptables", |
30 | 31 |
337 sub cmp_hits($$$) | 338 sub cmp_hits($$$) |
338 { | 339 { |
339 return $_[0]->{$_[2]}{"hits"} <=> $_[0]->{$_[1]}{"hits"}; | 340 return $_[0]->{$_[2]}{"hits"} <=> $_[0]->{$_[1]}{"hits"}; |
340 } | 341 } |
341 | 342 |
343 sub get_period($) | |
344 { | |
345 my ($str, $r, $k); | |
346 if ($_[0] > 30 * 24) { | |
347 $r = $_[0] / (30 * 24); | |
348 $k = $_[0] % (30 * 24); | |
349 $str = sprintf("%d months", $r); | |
350 $str .= sprintf(", %d days", $k) if ($k > 0); | |
351 } elsif ($_[0] > 24 * 7) { | |
352 $str = sprintf("%1.1f weeks", $_[0] / 24); | |
353 } elsif ($_[0] > 24) { | |
354 $r = $_[0] / 24; | |
355 $k = $_[0] % 24; | |
356 $str = sprintf("%d days", $r); | |
357 $str .= sprintf(", %d hours", $k) if ($k > 0); | |
358 } else { | |
359 $str = sprintf("%d hours", $_[0]); | |
360 } | |
361 return $str; | |
362 } | |
342 | 363 |
343 sub generate_status($$) | 364 sub generate_status($$) |
344 { | 365 { |
345 my $filename = shift; | 366 my $filename = shift; |
346 my $m = shift; | 367 my $m = shift; |
364 </head> | 385 </head> |
365 <body> | 386 <body> |
366 "); | 387 "); |
367 | 388 |
368 printH($m, $f, 1, "Maltfilter v$progversion status report"); | 389 printH($m, $f, 1, "Maltfilter v$progversion status report"); |
369 my $val = $settings{"WEEDPERIOD"}; | 390 my $period = get_period($settings{"WEED_GLOBAL"}); |
370 my $period; | |
371 | |
372 if ($val > 30 * 24) { | |
373 $period = sprintf("%1.1f months", $val / (30.0 * 24.0)); | |
374 } elsif ($val > 24 * 7) { | |
375 $period = sprintf("%1.1f weeks", $val / 24); | |
376 } elsif ($val > 24) { | |
377 $period = sprintf("%d days", $val / 24); | |
378 } else { | |
379 $period = sprintf("%d hours", $val); | |
380 } | |
381 | 391 |
382 printP($m, $f, | 392 printP($m, $f, |
383 "Generated ".bb($m).$mtime.eb($m).". Data computed from ". | 393 "Generated ".bb($m).$mtime.eb($m).". Data computed from ". |
384 ($reportmode ? "complete logfile scan" : "a period of last $period").".\n"); | 394 ($reportmode ? "complete logfile scan" : "a period of last $period").".\n"); |
395 | |
385 printP($m, $f, "The hit classes marked as 'IPTABLES' are a pseudo-class meaning an\n". | 396 printP($m, $f, "The hit classes marked as 'IPTABLES' are a pseudo-class meaning an\n". |
386 "blocked IP that was in Netfilter before Maltfilter was started.\n"); | 397 "blocked IP that was in Netfilter before Maltfilter was started.\n"); |
387 | 398 |
388 printH($m, $f, 2, "Currently blocked entries"); | 399 printH($m, $f, 2, "Currently blocked entries"); |
400 $period = get_period($settings{"WEED_BLOCK"}); | |
389 printP($m, $f, "List of IPs that are currently blocked (or would be, if this is\n". | 401 printP($m, $f, "List of IPs that are currently blocked (or would be, if this is\n". |
390 "a report-only mode)."); | 402 "a report-only mode). Data from period of $period.\n"); |
391 printTable1($m, $f, \%statlist, \%blocklist, \&cmp_hits); | 403 printTable1($m, $f, \%statlist, \%blocklist, \&cmp_hits); |
392 | 404 |
393 printH($m, $f, 2, "Summary of non-ignored entries"); | 405 printH($m, $f, 2, "Summary of non-ignored entries"); |
394 printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not\n". | 406 printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not\n". |
395 "necessarily acted upon. Sorted by descending IP address.\n"); | 407 "necessarily acted upon. Sorted by descending IP address.\n"); |
476 } | 488 } |
477 } | 489 } |
478 | 490 |
479 ### Check if given timestamp is _newer_ than weedperiod threshold. | 491 ### Check if given timestamp is _newer_ than weedperiod threshold. |
480 ### Returns false if timestamp is over weed period, e.g. needs weeding. | 492 ### Returns false if timestamp is over weed period, e.g. needs weeding. |
481 sub check_time($) | 493 sub check_time1($) |
482 { | 494 { |
483 return ($_[0] >= time() - ($settings{"WEEDPERIOD"} * 60 * 60)); | 495 return ($_[0] >= time() - ($settings{"WEED_BLOCK"} * 60 * 60)); |
496 } | |
497 | |
498 sub check_time2($) | |
499 { | |
500 return ($_[0] >= time() - ($settings{"WEED_GLOBAL"} * 60 * 60)); | |
484 } | 501 } |
485 | 502 |
486 ### Weed out old entries | 503 ### Weed out old entries |
487 sub weed_do($) | 504 sub weed_do($) |
488 { | 505 { |
502 # Weed blocked entries. | 519 # Weed blocked entries. |
503 my @mips = keys %blocklist; | 520 my @mips = keys %blocklist; |
504 foreach my $mip (@mips) { | 521 foreach my $mip (@mips) { |
505 if (defined($blocklist{$mip})) { | 522 if (defined($blocklist{$mip})) { |
506 if ($blocklist{$mip} >= 0) { | 523 if ($blocklist{$mip} >= 0) { |
507 weed_do($mip) unless check_time($blocklist{$mip}); | 524 weed_do($mip) unless check_time1($blocklist{$mip}); |
508 } else { | 525 } else { |
509 weed_do($mip); | 526 weed_do($mip); |
510 } | 527 } |
511 } | 528 } |
512 } | 529 } |
513 | 530 |
514 # Clean up old entries from other lists | 531 # Clean up old entries from other lists |
515 foreach my $mip (keys %statlist) { | 532 foreach my $mip (keys %statlist) { |
516 if (defined($statlist{$mip})) { | 533 if (defined($statlist{$mip})) { |
517 my $mtime = $statlist{$mip}{"date2"}; | 534 my $mtime = $statlist{$mip}{"date2"}; |
518 if (!check_time($mtime) && !defined($blocklist{$mip})) { | 535 if (!check_time2($mtime) && !defined($blocklist{$mip})) { |
519 mlog(3, "* Deleting stale $mip (".($mtime >= 0 ? scalar localtime($mtime) : $mtime).")\n"); | 536 mlog(3, "* Deleting stale $mip (".($mtime >= 0 ? scalar localtime($mtime) : $mtime).")\n"); |
520 delete($statlist{$mip}); | 537 delete($statlist{$mip}); |
521 } | 538 } |
522 } | 539 } |
523 } | 540 } |
524 | 541 |
525 foreach my $mip (keys %ignorelist) { | 542 foreach my $mip (keys %ignorelist) { |
526 if (defined($ignorelist{$mip})) { | 543 if (defined($ignorelist{$mip})) { |
527 my $mtime = $ignorelist{$mip}{"date2"}; | 544 my $mtime = $ignorelist{$mip}{"date2"}; |
528 if (!check_time($mtime)) { | 545 if (!check_time2($mtime)) { |
529 mlog(3, "* Deleting stale ignored $mip (".($mtime >= 0 ? scalar localtime($mtime) : $mtime).")\n"); | 546 mlog(3, "* Deleting stale ignored $mip (".($mtime >= 0 ? scalar localtime($mtime) : $mtime).")\n"); |
530 delete($ignorelist{$mip}); | 547 delete($ignorelist{$mip}); |
531 } | 548 } |
532 } | 549 } |
533 } | 550 } |
586 update_entry(\%ignorelist, $mip, $mdate, $mclass, $mreason); | 603 update_entry(\%ignorelist, $mip, $mdate, $mclass, $mreason); |
587 return; | 604 return; |
588 } | 605 } |
589 | 606 |
590 # Check if we have exceeded treshold etc. | 607 # Check if we have exceeded treshold etc. |
591 if ($cnt >= $settings{"TRESHOLD"} && check_time($mdate)) { | 608 if ($cnt >= $settings{"TRESHOLD"} && check_time1($mdate)) { |
592 # Add to blocklist, unless already there. | 609 # Add to blocklist, unless already there. |
593 if (!defined($blocklist{$mip})) { | 610 if (!defined($blocklist{$mip})) { |
594 mlog(1, "* Adding $mip ($mdate): [$mclass] $mreason\n"); | 611 mlog(1, "* Adding $mip ($mdate): [$mclass] $mreason\n"); |
595 exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"ACTION"}); | 612 exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"ACTION"}); |
596 } | 613 } |
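Review bot: In the new get_period (new lines 343-362, second hunk), the weeks branch divides the hour count by 24 and so prints a number of days labelled as weeks; it should read `$str = sprintf("%1.1f weeks", $_[0] / (24 * 7));`. The inline code removed from generate_status had the same division, so the commit carries the error into the helper that now formats both WEED_GLOBAL and WEED_BLOCK for the report. The comment above check_time1 (new lines 491-492) still describes a single weed period and check_time2 has none; a one-line comment on each, e.g. `### True if the timestamp is within the last WEED_BLOCK hours (blocked entries).` and `### True if the timestamp is within the last WEED_GLOBAL hours (stat/ignore entries).`, would make the split explicit. The two functions differ only in the settings key they read and could be a single helper taking that key as an argument, though the `($)` prototypes are a pre-existing style in this file.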