Editing Pfsense

Jump to navigation Jump to search
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 6: Line 6:
pkg_add -r emacs-nox11
pkg_add -r emacs-nox11
</source>
</source>
=== PHP Mode ===
 
<source>
 
cat ~/.emacs
 
; make sure the target directory is on your load-path
(add-to-list 'load-path (expand-file-name "~/.emacs.d/lisp"))
(require 'php-mode)
</source>
<source>
cd ~/.emacs.d
wget http://php-mode.svn.sourceforge.net/svnroot/php-mode/tags/php-mode-1.5.0/php-mode.el
</source>


== Snort Auto Block Email ==
== Snort Auto Block Email ==
; this has been tested on pfsense 2.1-BETA1


* SNORT does not have any way to notify (as I know of) when it blocks/unblocks an IP automatically. Below is a PHP script that will.  
* SNORT does not have any way to notify (as I know of) when it blocks/unblocks an IP automatically. Below is a PHP script that will.  
Line 31: Line 21:
* Install CRON from the GUI Package Manger
* Install CRON from the GUI Package Manger
* setup CRON to execute '''/usr/local/bin/snort_autoblock_notify.php''' every 5 minutes as '''root'''
* setup CRON to execute '''/usr/local/bin/snort_autoblock_notify.php''' every 5 minutes as '''root'''
<source lang=text>
    min: */5
  hour: *
  mday: *
  month: *
  wday: *
    who: root
command: /usr/local/bin/snort_autoblock_notify.php  &> /dev/null
</source>




<source lang=php>


=== snort_autoblock_notify.php ===
<source lang=php>
#!/usr/local/bin/php -f
#!/usr/local/bin/php -f
   <?php
   <?php
Line 57: Line 36:
  *
  *
  *  Created: 2013-05-01
  *  Created: 2013-05-01
  * Modified: 2013-06-18
  * Modified: 2013-05-01
*
*  Version: 0.0.6
  *
  *
  * Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine.  
  * Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine.  
  *
  *
* .0.0.6 - added $exclude_country -- will not notify if country is in the list
* .0.0.5 - whois function will check Parent block if reassigned
  */
  */
   
   
   
   
define(DEBUG, 0); // ghetto debugging... not really useful
define(DEBUG, 0); // ghetto debugging... not really useful
$exclude_country = array('CN','UA',);
// body header
$header = '';
$footer = __FILE__ . ' SNORT Auto Block Notifcation';
//$footer .= "\n-----------------------------------------------------------------------------------------------------------------------------------\n";
   
   
// get snort alert logs
// get snort alert logs
Line 98: Line 66:
}
}
$is_blocked = array();
$is_blocked = array();
$is_blocked = explode("\n",trim($contents));
$is_blocked = explode("\n",$contents);
   
   
// Liste currently blocked IP's from snort - from the pf table (snort2c)
// Liste currently blocked IP's from snort - from the pf table (snort2c)
$out = shell_exec("/sbin/pfctl -t snort2c -T show | sed -e 's/^[[:space:]]*//'");
$out = shell_exec("/sbin/pfctl -t snort2c -T show | sed -e 's/^[[:space:]]*//'");
//$out = shell_exec("/sbin/pfctl -t snort2c -T show |");
$ips = explode("\n",$out);     
$ips = explode("\n",trim($out));     
   
   
$message_body;
$message_body;
Line 109: Line 77:
// notify on unblocked
// notify on unblocked
foreach ($is_blocked as $ib) {
foreach ($is_blocked as $ib) {
   if (!in_array($ib, $ips) && !empty($ib)) {
   if (!in_array($ib, $ips)) {
     $log = "* Unblocked: $ib";
     $message_body .= " Unblocked: $ib\n";
    $actions .= " $log\n";
     // log to syslog
     // log to syslog
     $log_cmd = "echo \"$log\" | logger -P local0 -t snort2c";
     $log_cmd = "echo \"$message_body\" | logger -P local0 -t snort2c";
     shell_exec($log_cmd);
     shell_exec($log_cmd);
   }
   }
Line 120: Line 87:
// iterate through IP blocks
// iterate through IP blocks
if (is_array($ips)) {         
if (is_array($ips)) {         
  global $header;
   $fp = fopen($statusfile, 'w');
   $fp = fopen($statusfile, 'w');
   
   
   foreach ($ips as $ip) {
   foreach ($ips as $ip) {
Line 128: Line 94:
     if (preg_match("/\d+\./",$ip)) {
     if (preg_match("/\d+\./",$ip)) {
       // CheckIP - return info about IP if this is not currently blocked
       // CheckIP - return info about IP if this is not currently blocked
       if (DEBUG) {    print "Check Blocked IP: $ip \n";  }
       $message_body = CheckIP($ip,$fp,$message_body);
      list ($action,$tmp_body,$country,$netname,$inc_host) = CheckIP($ip,$fp);
      if (in_array(strtoupper($country),$exclude_country)) {
          if (DEBUG) {    print "Skipping notify on $ip -- $country is in the exclude_country list\n";  }
          continue;
      }
      if ($action) {
        $format = "%-26s [%-2s] %-15.15s [%s] \n";
        $actions .= sprintf($format, $action, $country, $netname, $inc_host);
        $message_body .= $tmp_body;
        if (DEBUG && !$message_body) {    print "  no message_body for $ip \n";   }
      }
     }  
     }  
   }
   }
Line 146: Line 101:
   // Notify if we had any results
   // Notify if we had any results
   if (!empty($message_body)) {
   if (!empty($message_body)) {
     if (DEBUG) {    print $message_body . "\n";  }
    $notify = $header;
     notify_via_smtp($message_body);
     notify_via_growl($message_body);
    $notify .= "------- Actions -------\n\n";
    $notify .= $actions . "\n";
    $notify .= "-----------------------\n\n\n";
    $notify .= "------- Deatailed Info -------\n\n";
    $notify .= $message_body . "\n";
    $notify .= $footer;
     if (DEBUG) {    print $notify . "\n";  }
     notify_via_smtp($notify);
     notify_via_growl($notify);
   }
   }
}
}
Line 168: Line 114:
   
   
   // debug mode - send notifies even if old
   // debug mode - send notifies even if old
   if (DEBUG) {     
   if (DEBUG) {    $body = NotifyNewBlock($ip); }  
    list ($action,$body,$country,$netname,$inc_host) = NotifyNewBlock($ip);  
    return array ($action,$body,$country,$netname,$inc_host);
  }  
   
   
   else {
   else {
Line 177: Line 120:
       if (!in_array($ip,$is_blocked)) {
       if (!in_array($ip,$is_blocked)) {
         // not in current block list - obtain IP info - whois/alert logs
         // not in current block list - obtain IP info - whois/alert logs
         list ($action,$body,$country,$netname,$inc_host) = NotifyNewBlock($ip,$body);
         $body = NotifyNewBlock($ip,$body);
        return array ($action,$body,$country,$netname,$inc_host);
       }
       }
     }
     }
   }
   }
  return $body;
}
}
   
   
Line 190: Line 131:
function NotifyNewBlock($ip) {
function NotifyNewBlock($ip) {
   global $alert_logs,$log_date;
   global $alert_logs,$log_date;
   
   
   // reverse dns for ip
   // reverse dns for ip
   $host = gethostbyaddr($ip);
   $host = gethostbyaddr($ip);
   if ($host != $ip) {  $inc_host = "$host"; }
   if ($host != $ip) {  $inc_host = "[$host]"; }
   
   
   // start of body
   // start of body
   //$body = "\n\n-----------------------------------------------------------------------------------------------------------------------------------\n";
   $body = "\n* Blocked: $ip [$inc_host]\n";
  $action = "* Blocked: $ip";
  $body .= "\n$action [$inc_host]\n";
   
   
  // try to get whois info
  if ( $whois = get_whois($ip) ) {    $body .= $whois; }
   
   
   // iterate through snort logs to find reason for block
   // iterate through snort logs to find reason for block
  $body .= "\n  ------------------ LOGS for $ip $log_date -----------------------\n";
   foreach ($alert_logs as $log) {
   foreach ($alert_logs as $log) {
     $cmd = 'grep ' . "$ip $log | grep $log_date " .  
     $cmd = 'grep ' . "$ip $log | grep $log_date " .  
Line 211: Line 149:
   
   
     if (DEBUG) { print "\tDEBUG: " . $cmd . "\n\n";}
     if (DEBUG) { print "\tDEBUG: " . $cmd . "\n\n";}
    $body .= "\n  LOGS for $ip $log_date\n";;
     $result .= shell_exec ($cmd);
     $result .= shell_exec ($cmd);
     if ($result) {
     $tmp_log = explode("\n",$result);
      $body .= "LogFile: $log\n\n";
    $log_body = $tmp_log[0];  // only get on for logger - last one
      $tmp_log = explode("\n",trim($result));
    $body .= $result;
      if ($tmp_log[0]) {
     $body .= "\n";
        $log_body = $tmp_log[0];  // only get on for logger - last one
      }
    $body .= $result;
     }
  }
$body .= "\n  ---------------- END LOGS for $ip $log_date ---------------------\n";
  // try to get whois info
if ( list ($whois,$country,$netname) = get_whois($ip) ) {    $body .= "\n" . $whois . "\n"; }
// log to syslog
if ($log_body) {
  $log_body = str_replace('"', "'", $log_body );
    $log_cmd = "echo \"Blocked=$ip $log_body\" | logger -P local0 -t snort2c";
   }
   }
  // log to syslog
  $log_body = str_replace('"', "'", $log_body );
  $log_cmd = "echo \"Blocked=$ip $log_body\" | logger -P local0 -t snort2c";
   shell_exec($log_cmd);
   shell_exec($log_cmd);
   
   
   return array ($action,$body,$country,$netname,$inc_host);
   return $body;
}
}
   
   
Line 246: Line 174:
   //now get actual whois data
   //now get actual whois data
   $whois_data = get_whois_from_server($whois_server , $ip);
   $whois_data = get_whois_from_server($whois_server , $ip);
 
   $a = explode("\n",$whois_data);
  // if there is now Country info -- lets get the Parent Block info (hack - works for comcast.. not sure of others)
  if (!preg_match("/Country/",$whois_data) && preg_match("/NET-([\d\-]+)/",$whois_data, $matches) ) {
    $whois_old = $whois_data;
    $whois_data = get_whois_from_server($whois_server , $matches[0]);
  }
 
   $a = explode("\n",trim($whois_data));
   
   
   /* wanted info  
   /* wanted info  
Line 273: Line 193:
     StateProv:      WA
     StateProv:      WA
     PostalCode:    98144
     PostalCode:    98144
    inetnum:        111.72.0.0 - 111.79.255.255
    netname:        CHINANET-JX
    descr:          CHINANET JIANGXI PROVINCE NETWORK
    descr:          China Telecom
    descr:          No.31,jingrong street
    descr:          Beijing 100032
    country:        CN
   */
   */
   
   
   $wanted = array('NetRange',
   $wanted = array('NetRange',
Line 300: Line 210:
                   'StateProv',
                   'StateProv',
                   'PostalCode',
                   'PostalCode',
                  'inetnum',
                  'descr',
                  'country'
                   );
                   );
   
   
Line 308: Line 215:
   
   
   $whois .= "  ------------------------ WHOIS -----------------------------\n";
   $whois .= "  ------------------------ WHOIS -----------------------------\n";
  $whois .= "  whois server: $whois_server\n\n";
  $seen = array();
  $netname = '';
   foreach ($wanted as $w) {
   foreach ($wanted as $w) {
     $p = preg_grep( "/^$w/i" , $a );
     $p = preg_grep( "/^$w/i" , $a );
     foreach ($p as $l) {
     foreach ($p as $l) {
       $tmp = "\t" . $l . "\n";
       $whois .= "\t" . $l . "\n";
      if (!in_array($tmp,$seen)) {
            $whois .= $tmp;
      }
      $seen[] = $tmp;
     }
     }
   }  
   }  
  // get netnamt for action line
  $p = preg_grep( "/^NetName/i" , $a );
  foreach ($p as $l) {
    if (preg_match('/netname:\s+(.*)/i' , $l , $m)) { $netname = $m[1]; }
  }
  // get country too
  $p = preg_grep( "/^country/i" , $a );
  foreach ($p as $l) {
    if (preg_match('/country:\s+(.*)/i' , $l , $m)) { $country = $m[1]; }
  }
  $netname = ltrim(rtrim($netname));
  $country = ltrim(rtrim($country));
  if (empty($seen)) {
    foreach ($a as $l) {
      if (!preg_match("/^#/",$l) && preg_match("/\w/",$l)) {
        $whois .= $l . "\n";
      }
    }
  }
  // show the original info if it exist..
  if ($whois_old) {
    $o = explode("\n",trim($whois_old));
    foreach ($o as $l) {
      if (!preg_match("/^#/",$l) && preg_match("/\w/",$l)) {
        $whois .= "\t" . $l . "\n";
      }
    }
  }
   $whois .= "  ---------------------- END WHOIS ---------------------------\n";
   $whois .= "  ---------------------- END WHOIS ---------------------------\n";
   return $whois;
   return array ($whois,$country,$netname);
}
}
   
   
Line 381: Line 244:
function GetLogs() {
function GetLogs() {
   $alert_logs = array();
   $alert_logs = array();
   $logs = `/usr/bin/find /var/log/snort/ -name alert`;
   $ps_logs = `ps auxw | grep snort | grep "\-l " | grep -v grep`;
   $psa = explode("\n",$ps_logs);
   $alert_logs = explode("\n",trim($logs));
  if (!empty($psa)) {
    foreach ($psa as $ps) {
      if (preg_match( "/\s-l\s+([^\s]+)/i" , $ps, $m)) {
        array_push ($alert_logs,$m[1] . "/alert");
      }
    }
  }
   
   
   if (!empty($alert_logs)) {
   if (!empty($alert_logs)) {
     return $alert_logs;
     return $alert_logs;
   } else {
   } else {
     $notificationmsg = "failed to locate alert logs - is snort installed?\n";
     $notificationmsg = "failed to locate alert logs - snort running?\n";
     print $notificationmsg;
     print $notificationmsg;
     notify_via_smtp($notificationmsg);
     notify_via_smtp($notificationmsg);
Line 399: Line 268:
?>
?>
</source>
</source>
=== Example Output ===
* Email on Unblocked and/or Blocked
<source lang=text>
Unblocked: 8.8.8.8
Unblocked: 4.4.4.2
-----------------------------------------------------------------------------------------------------------------------------------
* Blocked: 61.156.238.56
  ------------------------ WHOIS -----------------------------
  whois server: whois.apnic.net
netname:        UNICOM-SD
address:        No.21,Jin-Rong Street
address:        Beijing,100033
address:        P.R.China
address:        Jinan,Shandong P.R China
inetnum:        61.156.0.0 - 61.156.255.255
descr:          China Unicom Shandong province network
descr:          China Unicom
descr:          CNC Group CHINA169 Shandong Province Network
country:        CN
  ---------------------- END WHOIS ---------------------------
  ------------------ LOGS for 61.156.238.56 05/01/13 -----------------------
SID=1:2001219:18 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Potential SSH Scan" SRC_IP=61.156.238.56 SRC_PORT=5920 DST_IP={hidden} DST_PORT=22 PROTO=TCP
SID=1:2500088:2849 PRI=2 CLASS=Misc Attack DESC="ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (45)" SRC_IP=61.156.238.56 SRC_PORT=5920 DST_IP={hidden} DST_PORT=22 PROTO=TCP
  ---------------- END LOGS for 61.156.238.56 05/01/13 ---------------------
-----------------------------------------------------------------------------------------------------------------------------------
* Blocked: 111.74.238.58
  ------------------------ WHOIS -----------------------------
  whois server: whois.apnic.net
netname:        CHINANET-JX
address:        Jiangxi telecom network operation support department
address:        No.2009, Beijing East Road , nanchang,jiangxi province
inetnum:        111.72.0.0 - 111.79.255.255
descr:          CHINANET JIANGXI PROVINCE NETWORK
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
country:        CN
  ---------------------- END WHOIS ---------------------------
  ------------------ LOGS for 111.74.238.58 05/01/13 -----------------------
SID=1:2001219:18 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Potential SSH Scan" SRC_IP=111.74.238.58 SRC_PORT=31091 DST_IP={hidden} DST_PORT=22 PROTO=TCP
  ---------------- END LOGS for 111.74.238.58 05/01/13 ---------------------
-----------------------------------------------------------------------------------------------------------------------------------
* Blocked: 173.167.52.169 [173-167-52-169-ip-static.hfc.comcastbusiness.net]
  ------------------------ WHOIS -----------------------------
  whois server: whois.arin.net
Comcast Business Communications, LLC CBC-CM-4 (NET-173-160-0-0-1) 173.160.0.0 - 173.167.255.255
CONCEPT MINING INC CONCEPTMININGINC (NET-173-167-52-168-1) 173.167.52.168 - 173.167.52.175
Comcast Business Communications, LLC CBC-RICHMOND-17 (NET-173-167-52-0-1) 173.167.52.0 - 173.167.55.255
  ---------------------- END WHOIS ---------------------------
  ------------------ LOGS for 173.167.52.169 05/01/13 -----------------------
SID=1:2008578:6 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Sipvicious Scan" SRC_IP=173.167.52.169 SRC_PORT=5067 DST_IP={hidden} DST_PORT=5060 PROTO=UDP
SID=1:2011716:4 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Sipvicious User-Agent Detected (friendly-scanner)" SRC_IP=173.167.52.169 SRC_PORT=5067 DST_IP={hidden} DST_PORT=5060 PROTO=UDP
SID=1:2011716:4 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Sipvicious User-Agent Detected (friendly-scanner)" SRC_IP=173.167.52.169 SRC_PORT=5067 DST_IP={hidden} DST_PORT=5060 PROTO=UDP
SID=1:2011716:4 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Sipvicious User-Agent Detected (friendly-scanner)" SRC_IP=173.167.52.169 SRC_PORT=5067 DST_IP={hidden} DST_PORT=5060 PROTO=UDP
SID=1:2011716:4 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Sipvicious User-Agent Detected (friendly-scanner)" SRC_IP=173.167.52.169 SRC_PORT=5067 DST_IP={hidden} DST_PORT=5060 PROTO=UDP
SID=1:2011716:4 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Sipvicious User-Agent Detected (friendly-scanner)" SRC_IP=173.167.52.169 SRC_PORT=5067 DST_IP={hidden} DST_PORT=5060 PROTO=UDP
  ---------------- END LOGS for 173.167.52.169 05/01/13 ---------------------
-----------------------------------------------------------------------------------------------------------------------------------
</source>
[[Category:How-to]]
[[Category:Networking]]
Please note that all contributions to RARForge may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see RARForge:Copyrights for details). Do not submit copyrighted work without permission!
Cancel Editing help (opens in new window)
Retrieved from "https://rarforge.com/w/index.php/Pfsense"