Mercurial > hg > maltfilter
comparison maltfilter @ 52:8cfb71b296da
Added colour-coded grouping of IP addresses in summary table.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Sun, 16 Aug 2009 03:36:27 +0300 |
parents | 13e6507ec1bb |
children | dc072a56f343 |
comparison
equal
deleted
inserted
replaced
51:d8d4d598903e | 52:8cfb71b296da |
---|---|
8 ############################################################################# | 8 ############################################################################# |
9 use strict; | 9 use strict; |
10 use Date::Parse; | 10 use Date::Parse; |
11 use Net::IP; | 11 use Net::IP; |
12 | 12 |
13 my $progversion = "0.12.2"; | 13 my $progversion = "0.12.3"; |
14 my $progbanner = | 14 my $progbanner = |
15 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". | 15 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". |
16 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n". | 16 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n". |
17 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n"; | 17 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n"; |
18 | 18 |
233 | 233 |
234 sub printTD | 234 sub printTD |
235 { | 235 { |
236 my $fh = $_[1]; | 236 my $fh = $_[1]; |
237 if ($_[0]) { | 237 if ($_[0]) { |
238 my $s = defined($_[3]) ? " class=\"$_[3]\"" : ""; | 238 my $s = defined($_[3]) ? " ".$_[3]." " : ""; |
239 print $fh "<td".$s.">".$_[2]."</td>"; | 239 print $fh "<td".$s.">".$_[2]."</td>"; |
240 } else { | 240 } else { |
241 print $fh $_[2]; | 241 print $fh $_[2]; |
242 } | 242 } |
243 } | 243 } |
332 } | 332 } |
333 printElem($m, $f, "</table>\n"); | 333 printElem($m, $f, "</table>\n"); |
334 printP($m, $f, bb($m).$ntotal.eb($m)." entries total.\n"); | 334 printP($m, $f, bb($m).$ntotal.eb($m)." entries total.\n"); |
335 } | 335 } |
336 | 336 |
337 sub cmp_ips($$$) | |
338 { | |
339 my @ipa = split(/\./, $_[1]); | |
340 my @ipb = split(/\./, $_[2]); | |
341 for (my $i = 0; $i < 4; $i++) { | |
342 return -1 if ($ipa[$i] > $ipb[$i]); | |
343 return 1 if ($ipa[$i] < $ipb[$i]); | |
344 } | |
345 return 0; | |
346 } | |
347 | |
348 sub test_ips($$) | |
349 { | |
350 my @ipa = split(/\./, $_[0]); | |
351 my @ipb = split(/\./, $_[1]); | |
352 for (my $i = 0; $i < 3; $i++) { | |
353 return $i if ($ipa[$i] != $ipb[$i]); | |
354 } | |
355 return 4; | |
356 } | |
357 | |
358 my @ipcolors = ( | |
359 "#666", | |
360 "#777", | |
361 ); | |
337 | 362 |
338 sub print_table2($$$$$$) | 363 sub print_table2($$$$$$) |
339 { | 364 { |
340 my ($m, $f, $table, $keys, $func, $class) = @_; | 365 my ($m, $f, $table, $keys, $func, $class) = @_; |
341 my $nhits = 0; | 366 my $nhits = 0; |
343 my $str2 = "IP-address | Hits | First hit | Latest hit | Class "; | 368 my $str2 = "IP-address | Hits | First hit | Latest hit | Class "; |
344 | 369 |
345 printElem($m, $f, | 370 printElem($m, $f, |
346 "<table class=\"".$class."\">\n<tr>". $str."<th> </th>".$str ."</tr>\n", | 371 "<table class=\"".$class."\">\n<tr>". $str."<th> </th>".$str ."</tr>\n", |
347 $str2." || ".$str2."\n"); | 372 $str2." || ".$str2."\n"); |
373 | |
374 my @previp = ("0.0.0.0", "0.0.0.0"); | |
375 my @ncolor = (0, 0); | |
348 | 376 |
349 my $printEntry = sub { | 377 my $printEntry = sub { |
350 my $blocked = defined($blocklist{$_[0]}) ? "blocked" : "unblocked"; | 378 my $blocked = "class=\"".(defined($blocklist{$_[0]}) ? "blocked" : "unblocked")."\""; |
351 printTD($m, $f, sprintf("%-15s", get_link($m, $_[0])), $blocked); | 379 if (test_ips($previp[$_[1]], $_[0]) < 3) { |
380 $ncolor[$_[1]]++; | |
381 } | |
382 $previp[$_[1]] = $_[0]; | |
383 my $str = "style=\"background: ".$ipcolors[$ncolor[$_[1]] % scalar @ipcolors].";\""; | |
384 | |
385 printTD($m, $f, sprintf("%-15s", get_link($m, $_[0])), $str); | |
352 printElem(!$m, $f, " | "); | 386 printElem(!$m, $f, " | "); |
353 printTD($m, $f, sprintf("%-8d ", $table->{$_[0]}{"hits"}), $blocked); | 387 printTD($m, $f, sprintf("%-8d ", $table->{$_[0]}{"hits"}), $blocked); |
354 printElem(!$m, $f, " | "); | 388 printElem(!$m, $f, " | "); |
355 printTD($m, $f, get_ago_str($table->{$_[0]}{"date1"}), $blocked); | 389 printTD($m, $f, get_ago_str($table->{$_[0]}{"date1"}), $blocked); |
356 printElem(!$m, $f, " | "); | 390 printElem(!$m, $f, " | "); |
362 }; | 396 }; |
363 | 397 |
364 my @mkeys = sort { $func->($table, $a, $b) } keys %{$keys}; | 398 my @mkeys = sort { $func->($table, $a, $b) } keys %{$keys}; |
365 my $nkeys = scalar @mkeys; | 399 my $nkeys = scalar @mkeys; |
366 my $kmax = $nkeys / 2; | 400 my $kmax = $nkeys / 2; |
401 | |
367 for (my $i = 0; $i <= $kmax; $i++) { | 402 for (my $i = 0; $i <= $kmax; $i++) { |
368 printElem($m, $f, " <tr>"); | 403 printElem($m, $f, " <tr>"); |
369 if ($i < $kmax) { | 404 if ($i < $kmax) { |
370 $printEntry->($mkeys[$i]); | 405 $printEntry->($mkeys[$i], 0); |
371 printElem($m, $f, "<th> </th>", " || "); | 406 printElem($m, $f, "<th> </th>", " || "); |
372 } | 407 } |
373 if ($i + $kmax + 1 < $nkeys) { $printEntry->($mkeys[$i + $kmax + 1]); } | 408 if ($i + $kmax + 1 < $nkeys) { $printEntry->($mkeys[$i + $kmax + 1], 1); } |
374 printElem($m, $f, "</tr>\n", "\n"); | 409 printElem($m, $f, "</tr>\n", "\n"); |
375 } | 410 } |
376 | 411 |
377 printElem($m, $f, "</table>\n"); | 412 printElem($m, $f, "</table>\n"); |
378 printP($m, $f, bb($m).$nkeys.eb($m)." entries total, ".bb($m).$nhits.eb($m)." hits total.\n"); | 413 printP($m, $f, bb($m).$nkeys.eb($m)." entries total, ".bb($m).$nhits.eb($m)." hits total.\n"); |
379 } | |
380 | |
381 sub cmp_ips($$$) | |
382 { | |
383 my @ipa = split(/\./, $_[1]); | |
384 my @ipb = split(/\./, $_[2]); | |
385 for (my $i = 0; $i < 4; $i++) { | |
386 return -1 if ($ipa[$i] > $ipb[$i]); | |
387 return 1 if ($ipa[$i] < $ipb[$i]); | |
388 } | |
389 return 0; | |
390 } | 414 } |
391 | 415 |
392 sub cmp_hits($$$) | 416 sub cmp_hits($$$) |
393 { | 417 { |
394 return $_[0]->{$_[2]}{"hits"} <=> $_[0]->{$_[1]}{"hits"}; | 418 return $_[0]->{$_[2]}{"hits"} <=> $_[0]->{$_[1]}{"hits"}; |
459 printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not\n". | 483 printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not\n". |
460 "necessarily acted upon. Sorted by descending IP address.\n"); | 484 "necessarily acted upon. Sorted by descending IP address.\n"); |
461 print_table2($m, $f, \%statlist, \%statlist, \&cmp_ips, "global"); | 485 print_table2($m, $f, \%statlist, \%statlist, \&cmp_ips, "global"); |
462 | 486 |
463 printH($m, $f, 2, "Ignored entries"); | 487 printH($m, $f, 2, "Ignored entries"); |
464 printP($m, $f, "List of hits that were ignored (not acted upon), because the test was disabled.\n"); | 488 printP($m, $f, "List of hits that were ignored (not acted upon), because the test was disabled.\n". |
489 "Notice that the entry may be blocked due to other checks, however.\n"); | |
465 print_table1($m, $f, \%ignorelist, \%ignorelist, \&cmp_hits, "ignored"); | 490 print_table1($m, $f, \%ignorelist, \%ignorelist, \&cmp_hits, "ignored"); |
466 | 491 |
467 printElem($m, $f, "</body>\n</html>\n"); | 492 printElem($m, $f, "</body>\n</html>\n"); |
468 close(STATUS); | 493 close(STATUS); |
469 } | 494 } |