maltfilter: maltfilter comparison

comparison maltfilter @ 65:d2e2b82dd2f2

Work on DroneBL support.

author	Matti Hamalainen <ccr@tnsp.org>
date	Tue, 18 Aug 2009 00:43:10 +0300
parents	6917de5b91be
children	42889eed0ce8

comparison

equal deleted inserted replaced

-:213e5204abea
+:d2e2b82dd2f2
 use Date::Parse;
 use Net::IP;
 use Net::DNS;
 use LWP::UserAgent;
-my $progversion = "0.14.0";
+my $progversion = "0.15.0";
 my $progbanner =
 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n".
 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n".
 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n";
 ### Default settings and configuration
 #############################################################################
 my %settings = (
 "VERBOSITY" => 3,
 "DRY_RUN" => 1,
-"WEED_BLOCK" => 168,
+"WEED_FILTER" => 168,  # in hours
-"WEED_GLOBAL" => 336,
+"WEED_GLOBAL" => 336,  # in hours
-"TRESHOLD" => 3,
+"THRESHOLD" => 3,
 "ACTION" => "DROP",
 "LOGFILE" => "",
 "IPTABLES" => "/sbin/iptables",
+"PASSWD"              => "/etc/passwd",
+"SYSACCT_MIN_UID"     => 1,
+"SYSACCT_MAX_UID"     => 100,
 "FULL_TIME"           => 1,
 "STATUS_FILE_PLAIN"   => "",
 "STATUS_FILE_HTML"    => "",
 "STATUS_FILE_CSS"     => "",
 "CHK_PROXY_SCAN"      => 1,
 "CHK_ROOT_SSH_PWD"    => 0,
 "CHK_SYSACCT_SSH_PWD" => 0,
 "CHK_GOOD_HOSTS"      => "",
-"PASSWD"              => "/etc/passwd",
-"SYSACCT_MIN_UID"     => 1,
-"SYSACCT_MAX_UID"     => 100,
 "EVIDENCE"            => 0,
 "EVIDENCE_DIR"        => "",
+"DRONEBL"             => 0,
+"DRONEBL_THRESHOLD"   => 5,
+"DRONEBL_MAX_AGE"     => 30, # in minutes
+"DRONEBL_RPC_URI"     => "http://dronebl.org/RPC2",
+"DRONEBL_RPC_KEY"     => "",
 );
 my @noblock_ips_def = (
 "127.0.0.1",
 );
 my %systemacct = ();
+sub check_add_hit($$$$$$);
 #############################################################################
 ### Check given logfile line for matches
 #############################################################################
 sub check_log_line($)
 # (3.1) Simple match for generic PHP XSS vulnerability scans
 if ($merr =~ /\.php\?\S*?=http:\/\/([^\/]+)/) {
 if (!check_hosts($settings{"CHK_GOOD_HOSTS"}, $1)) {
 if ($merr =~ /\.php\?\S*?=(http:\/\/[^\&\?]+\??)/) {
-check_add_evidence($mip, $1);
+check_add_evidence($mip, $1, $merr);
 }
 check_add_hit($mip, $mdate, "PHP XSS", $merr, $settings{"CHK_PHP_XSS"});
 }
 }
 # (3.2) Try to match proxy scanning attempts
 my @noblock_ips = ();    # IPs not to block
 my %filehandles = ();    # Global hash holding opened scanned log filehandles
 my $pid_file = "";       # Name of Maltfilter daemon pid file
 my @configfiles = ();    # Array of configuration file names
 my $LOGFILE;             # Maltfilter logfile handle
+my %dronebl = ();
 # IPs currently blocked in Netfilter $blocklist{$ip} = date
 my %blocklist = ();
 # Gathered information about hosts
 ($reportmode ? "complete logfile scan" : "a period of last $period").".\n");
 printP($m, $f, "The hit classes marked as 'IPTABLES' are a pseudo-class meaning an\n".
 "blocked IP that was in Netfilter before Maltfilter was started.\n");
-printH($m, $f, 2, "Currently blocked entries");
+printH($m, $f, 2, "Currently filtered entries");
-$period = get_period($settings{"WEED_BLOCK"});
+$period = get_period($settings{"WEED_FILTER"});
-printP($m, $f, "List of IPs that are currently blocked (or would be, if this is\n".
+printP($m, $f, "List of IPs that are currently filtered (or would be, if this is\n".
 "a report-only mode). Data from period of $period.\n");
 print_table1($m, $f, \%statlist, \%blocklist, \&cmp_hits, "blocked");
 printH($m, $f, 2, "Summary of non-ignored entries");
 printP($m, $f, "List of 'hits' of suspicious activity noticed by Maltfilter, but not\n".
 close(STATUS);
 }
 #############################################################################
+### DroneBL submission support
+#############################################################################
+sub dronebl_process
+{
+#  return if ($reportmode);
+return unless ($settings{"DRONEBL"} > 0);
+# Create submission data
+my $xml = "<?xml version=\"1.0\"?>\n<request key=\"".$settings{"DRONEBL_RPC_KEY"}."\">\n";
+my $entries = 0;
+while (my ($ip, $entry) = each(%dronebl)) {
+if ($entry->{"sent"} == 0) {
+$xml .= "<add ip=\"".$ip."\" type=\"".$entry->{"type"}."\" />\n";
+$entries++;
+}
+}
+$xml .= "</request>\n";
+mlog(1, "Trying to submit $entries entries to DroneBL.\n");
+print STDERR $xml;
+return;
+return unless ($entries > 0);
+# Submit via HTTP XML-RPC
+my $tmp = LWP::UserAgent->new;
+$tmp->agent("Maltfilter/".$progversion);
+$tmp->timeout(10);
+my $req = HTTP::Request->new(POST => $settings{"DRONEBL_RPC_URI"});
+$req->content_type("text/xml");
+$req->content($xml);
+$req->user_agent("Maltfilter/".$progversion);
+my $res = $tmp->request($req);
+if ($res->is_success) {
+while (my ($ip, $entry) = each(%dronebl)) {
+$entry->{"sent"} = 1;
+}
+} else {
+mlog(-1, "DroneBL submission failed: [".$res->code."] ".$res->message."\n");
+}
+# Remove submitted expired entries
+while (my ($ip, $entry) = each(%dronebl)) {
+print "$ip: ".$entry->{"sent"}."\n" unless check_time3($entry->{"date"});
+}
+}
+#############################################################################
 ### Evidence gathering
 #############################################################################
 my %evidence = ();
-sub check_add_evidence($$)
+sub check_add_evidence($$$)
 {
-my ($mip, $mdata) = @_;
+my ($mip, $mdata, $mfull) = @_;
 return unless ($settings{"EVIDENCE"});
 my $tmp = $mdata;
 $tmp =~ s/http:\/\///;
 $tmp =~ s/^\.+/_/;
 $tmp =~ s/[^A-Za-z0-9:\.]/_/g;
 $evidence{$mdata}{"coll"} = $tmp;
 $evidence{$mdata}{"hosts"}{$mip} = 1;
+$evidence{$mdata}{"full"}{$mfull} = 1;
 }
 sub http_fetch($$)
 {
 my $tmp = LWP::UserAgent->new;
 return unless ($settings{"EVIDENCE"});
 mdie("Evidence directory '$base' has disappeared.\n") unless (-e $base);
 foreach my $url (keys %evidence) {
-if (!$evidence{$url}{"done"}) {
+my $did_fetch = 0;
 my $filename = $base."/".$evidence{$url}{"coll"}.".data";
 my $filename2 = $base."/".$evidence{$url}{"coll"}.".hosts";
-my $code = 0;
+my $filename3 = $base."/".$evidence{$url}{"coll"}.".info";
-my $message = "";
+# Get data contents only once
-# Get data contents only once
+if (! -e $filename) {
-if (! -e $filename) {
+$did_fetch = 1;
 mlog(1, "Fetching evidence for $url\n");
 my $res = http_fetch($url, "");
-$code = $res->code;
+open(FILE, ">:raw", $filename) or mdie("Could not open '$filename' for writing.\n");
-$message = $res->message;
+binmode(FILE, ":raw");
-open(FILE, ">:raw", $filename) or mdie("Could not open '$filename' for writing.\n");
+if ($res->is_success && $res->code >= 200 && $res->code <= 201) {
-binmode(FILE, ":raw");
+print FILE $res->content;
-if ($res->code >= 200 && $res->code <= 201) {
+}
-print FILE $res->content;
+close(FILE);
-} else {
-print FILE "[$code] $message\n";
+open(FILE, ">:raw", $filename3) or mdie("Could not open '$filename3' for writing.\n");
-}
+binmode(FILE, ":raw");
-close(FILE);
+print FILE "XSS URI           : $url\n";
-}
+print FILE "Time of retrieval : ".get_time_str(time())."\n";
+print FILE "HTTP return code  : [".$res->code."] ".$res->message."\n";
-# Check if we are appending hosts to existing data
+print FILE "Content-Type      : ".($res->content_type ? $res->content_type : "?")."\n";
-if (-e $filename2) {
+print FILE "Last modified     : ".($res->last_modified ? $res->last_modified : "?")."\n";
-open(FILE, "<", $filename2) or mdie("Could not open '$filename2' for reading.\n");
+print FILE "------ HTTP Headers ------\n".$res->headers_as_string."\n";
-while (<FILE>) {
+print FILE "------ Requests ------\n";
-if (/^(\d+\.\d+\.\d+\.\d+) *\|/) {
+print FILE $_."\n" foreach (keys %{$evidence{$url}{"full"}});
-if (defined($evidence{$url}{"hosts"}{$1})) {
+close(FILE);
-delete($evidence{$url}{"hosts"}{$1});
+}
-}
+# Check if we are appending hosts to existing data
+if (-e $filename2) {
+open(FILE, "<", $filename2) or mdie("Could not open '$filename2' for reading.\n");
+while (<FILE>) {
+if (/^(\d+\.\d+\.\d+\.\d+) *\|/) {
+if (defined($evidence{$url}{"hosts"}{$1})) {
+delete($evidence{$url}{"hosts"}{$1});
 }
 }
-close(FILE);
+}
-open(FILE, ">>", $filename2) or mdie("Could not open '$filename2' for appending.\n");
+close(FILE);
-} else {
+open(FILE, ">>", $filename2) or mdie("Could not open '$filename2' for appending.\n");
-open(FILE, ">", $filename2) or mdie("Could not open '$filename2' for writing.\n");
+} else {
-print FILE "# HTTP request result: [$code] $message\n";
+open(FILE, ">", $filename2) or mdie("Could not open '$filename2' for writing.\n");
-print FILE "# Hosts which requested $url\n\n";
+}
-}
+foreach my $host (sort keys %{$evidence{$url}{"hosts"}}) {
+my $query = $dns->search($host);
-foreach my $host (sort keys %{$evidence{$url}{"hosts"}}) {
+my @names = ();
-print "lol: $host\n";
+undef(@names);
-my $query = $dns->search($host);
+if ($query) {
-my @names = ();
+foreach my $rr ($query->answer) {
-undef(@names);
+push(@names, $rr->{"ptrdname"}) if defined($rr->{"ptrdname"});
-if ($query) {
-foreach my $rr ($query->answer) {
-push(@names, $rr->{"ptrdname"}) if defined($rr->{"ptrdname"});
-}
 }
-printf FILE "%-15s | %s\n", $host, join(" | ", @names);
+}
-}
+printf FILE "%-15s | %s\n", $host, join(" | ", @names);
-close(FILE);
+}
+close(FILE);
-delete($evidence{$url});
+# This entry has been handled, delete it
-return unless $reportmode;
+delete($evidence{$url});
-}
+# If not in report mode, handle only one fetched entry
+return unless ($reportmode || !$did_fetch);
 }
 }
 #############################################################################
 ### Check if given timestamp is _newer_ than weedperiod threshold.
 ### Returns false if timestamp is over weed period, e.g. needs weeding.
 sub check_time1($)
 {
-return ($_[0] >= time() - ($settings{"WEED_BLOCK"} * 60 * 60));
+return ($_[0] > time() - ($settings{"WEED_FILTER"} * 60 * 60));
 }
 sub check_time2($)
 {
-return ($_[0] >= time() - ($settings{"WEED_GLOBAL"} * 60 * 60));
+return ($_[0] > time() - ($settings{"WEED_GLOBAL"} * 60 * 60));
+}
+sub check_time3($)
+{
+return ($_[0] > time() - ($settings{"DRONEBL_MAX_AGE"} * 60));
 }
 ### Weed out old entries
 sub weed_do($)
 {
 update_date($reason, $mdate);
 return $entry->{"hits"};
 }
-### Check if given "try count" exceeds treshold and if entry
+### Check if given "try count" exceeds threshold and if entry
 ### is NOT in Netfilter already, then add it if so.
-sub check_add_hit($$$$$)
+sub check_add_hit($$$$$$)
 {
 my $mip = $_[0];
 my $mdate = str2time($_[1]);
 my $mclass = $_[2];
 my $mreason = $_[3];
-my $mcond = $_[4];
+my $mtype = $_[4];
+my $mcond = $_[5];
 my $cnt;
 if (check_hosts_array(\@noblock_ips, $mip)) {
 mlog(3, "Hit to NOBLOCK_IPS($mip): [$mclass] $mreason\n");
 return;
 # This is an ignored hit (for disabled test), add to ignorelist
 update_entry(\%ignorelist, $mip, $mdate, $mclass, $mreason, 1);
 return;
 }
-# Check if we have exceeded treshold etc.
+# Check if we have exceeded threshold etc.
-if ($cnt >= $settings{"TRESHOLD"} && check_time1($mdate)) {
+if ($cnt >= $settings{"THRESHOLD"} && check_time1($mdate)) {
 # Add to blocklist, unless already there.
 if (!defined($blocklist{$mip})) {
 mlog(1, "* Adding $mip ($mdate): [$mclass] $mreason\n");
 exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"ACTION"});
 }
 # Update date of last hit
 $blocklist{$mip} = $mdate;
+}
+# Separate check for DroneBL
+if ($settings{"DRONEBL"} > 0 && $mtype > 0 && $cnt >= $settings{"DRONEBL_THRESHOLD"} && check_time3($mdate)) {
+$dronebl{$mip}{"type"} = $mtype;
+$dronebl{$mip}{"date"} = $mdate;
+$dronebl{$mip}{"sent"} = 0 unless defined($dronebl{$mip}{"sent"});
 }
 }
 #############################################################################

Mercurial > hg > maltfilter

comparison maltfilter @ 65:d2e2b82dd2f2