Editing Pfsense



Latest revision Your text
Line 6: Line 6:
pkg_add -r emacs-nox11
pkg_add -r emacs-nox11
</source>
</source>
=== PHP Mode ===
 
<source>
 
cat ~/.emacs
 
; make sure the target directory is on your load-path
(add-to-list 'load-path (expand-file-name "~/.emacs.d/lisp"))
(require 'php-mode)
</source>
<source>
cd ~/.emacs.d
wget http://php-mode.svn.sourceforge.net/svnroot/php-mode/tags/php-mode-1.5.0/php-mode.el
</source>


== Snort Auto Block Email ==
== Snort Auto Block Email ==
; this has been tested on pfsense 2.1-BETA1


* SNORT does not have any way to notify (as I know of) when it blocks/unblocks an IP automatically. Below is a PHP script that will.  
* SNORT does not have any way to notify (as I know of) when it blocks/unblocks an IP automatically. Below is a PHP script that will.  
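Review bot: The `wget http://php-mode.svn.sourceforge.net/.../php-mode.el` step under `=== PHP Mode ===` pulls Elisp that Emacs will then execute via `(require 'php-mode)` over plain HTTP with no checksum or signature check; fetch it over https or pin a SHA-256 of the file before putting it on the load-path. Separately, the line `; this has been tested on pfsense 2.1-BETA1` exists only in the latest revision, so completing this undo removes the only statement of which pfSense version the script was tested against.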
Line 31: Line 21:
* Install CRON from the GUI Package Manger
* Install CRON from the GUI Package Manger
* setup CRON to execute '''/usr/local/bin/snort_autoblock_notify.php''' every 5 minutes as '''root'''
* setup CRON to execute '''/usr/local/bin/snort_autoblock_notify.php''' every 5 minutes as '''root'''
<source lang=text>
    min: */5
  hour: *
  mday: *
  month: *
  wday: *
    who: root
command: /usr/local/bin/snort_autoblock_notify.php  &> /dev/null
</source>


=== snort_autoblock_notify.php ===
=== snort_autoblock_notify.php ===
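Review bot: The cron `command:` line ends in `&> /dev/null`, which is bash syntax; pfSense cron runs entries with /bin/sh, where `cmd &> file` is parsed as `cmd &` followed by `> file`, so the script is backgrounded and its stderr still goes to cron mail. Use `/usr/local/bin/snort_autoblock_notify.php > /dev/null 2>&1`. The text also only says to "execute" the file as root; state that it needs the executable bit and a shebang for the PHP binary on that pfSense version (or invoke it through the PHP interpreter explicitly), otherwise cron will try to run it as a shell script.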
Line 57: Line 35:
  *
  *
  *  Created: 2013-05-01
  *  Created: 2013-05-01
  * Modified: 2013-06-18
  * Modified: 2013-05-01
  *
  *
  *  Version: 0.0.6
  *  Version: 0.0.1
  *
  *
  * Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine.  
  * Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine.  
  *
  *
* .0.0.6 - added $exclude_country -- will not notify if country is in the list
* .0.0.5 - whois function will check Parent block if reassigned
  */
  */
   
   
   
   
define(DEBUG, 0); // ghetto debugging... not really useful
define(DEBUG, 0); // ghetto debugging... not really useful
$exclude_country = array('CN','UA',);
// body header
$header = '';
$footer = __FILE__ . ' SNORT Auto Block Notifcation';
//$footer .= "\n-----------------------------------------------------------------------------------------------------------------------------------\n";
   
   
// get snort alert logs
// get snort alert logs
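Review bot: `define(DEBUG, 0);` passes the constant name unquoted; PHP treats the bare `DEBUG` as the string 'DEBUG' with an E_NOTICE on PHP 5 and refuses it on newer releases, so write `define('DEBUG', 0);`. In the same hunk `$footer` spells it "Notifcation" (goes into every email; "Notification"), and `$exclude_country = array('CN','UA',);` deserves a comment saying that the country code comes from the free-text `country:` line of an unauthenticated whois answer, so the exclusion is best-effort and a missing or malformed line still notifies.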
Line 98: Line 67:
}
}
$is_blocked = array();
$is_blocked = array();
$is_blocked = explode("\n",trim($contents));
$is_blocked = explode("\n",$contents);
   
   
// Liste currently blocked IP's from snort - from the pf table (snort2c)
// Liste currently blocked IP's from snort - from the pf table (snort2c)
$out = shell_exec("/sbin/pfctl -t snort2c -T show | sed -e 's/^[[:space:]]*//'");
$out = shell_exec("/sbin/pfctl -t snort2c -T show | sed -e 's/^[[:space:]]*//'");
//$out = shell_exec("/sbin/pfctl -t snort2c -T show |");
//$out = shell_exec("/sbin/pfctl -t snort2c -T show |");
$ips = explode("\n",trim($out));     
$ips = explode("\n",$out);     
 
$message_body;
$message_body;
   
   
// notify on unblocked
// notify on unblocked
foreach ($is_blocked as $ib) {
foreach ($is_blocked as $ib) {
   if (!in_array($ib, $ips) && !empty($ib)) {
   if (!in_array($ib, $ips)) {
     $log = "* Unblocked: $ib";
     $message_body .= " Unblocked: $ib\n";
    $actions .= " $log\n";
     // log to syslog
     // log to syslog
     $log_cmd = "echo \"$log\" | logger -P local0 -t snort2c";
     $log_cmd = "echo \"$message_body\" | logger -P local0 -t snort2c";
     shell_exec($log_cmd);
     shell_exec($log_cmd);
   }
   }
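Review bot: `logger -P local0` in `$log_cmd` uses the wrong flag: on FreeBSD logger(1) the facility and level are given with `-p pri` (e.g. `-p local0.notice`), while `-P` is either unknown or expects a port number, so this syslog line is never written and `shell_exec()` silently discards the error. Also `$message_body;` on its own line is a no-op; initialise `$message_body = '';` and `$actions = '';` before the loops so the `.=` appends do not raise notices and `!empty($message_body)` later means what it says. The `echo "$log" | logger` construction hands the text to /bin/sh inside double quotes; build it with `escapeshellarg($log)` instead.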
Line 120: Line 88:
// iterate through IP blocks
// iterate through IP blocks
if (is_array($ips)) {         
if (is_array($ips)) {         
  global $header;
   $fp = fopen($statusfile, 'w');
   $fp = fopen($statusfile, 'w');
   
   
   foreach ($ips as $ip) {
   foreach ($ips as $ip) {
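Review bot: `global $header;` inside `if (is_array($ips)) {` is at file scope, not inside a function, so it does nothing; drop it (the later `$notify = $header;` already sees the file-scope variable). `$fp = fopen($statusfile, 'w');` truncates the status file before the loop starts, so if the script dies part-way through (a hung whois or reverse-DNS query is enough) the next run sees an empty or partial list and re-notifies for every currently blocked IP; write to a temporary file and `rename()` it over `$statusfile` after the loop, and check the return value of `fopen()` rather than passing a possible `false` into `CheckIP()`.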
Line 129: Line 96:
       // CheckIP - return info about IP if this is not currently blocked
       // CheckIP - return info about IP if this is not currently blocked
       if (DEBUG) {    print "Check Blocked IP: $ip \n";  }
       if (DEBUG) {    print "Check Blocked IP: $ip \n";  }
       list ($action,$tmp_body,$country,$netname,$inc_host) = CheckIP($ip,$fp);
       $message_body .= CheckIP($ip,$fp);
      if (in_array(strtoupper($country),$exclude_country)) {
      if (DEBUG && !$message_body) {    print "  no message_body for $ip \n";  }
          if (DEBUG) {    print "Skipping notify on $ip -- $country is in the exclude_country list\n";  }
          continue;
      }
      if ($action) {
        $format = "%-26s [%-2s] %-15.15s [%s] \n";
        $actions .= sprintf($format, $action,  $country, $netname, $inc_host);
        $message_body .= $tmp_body;
        if (DEBUG && !$message_body) {    print "  no message_body for $ip \n";  }
      }
     }  
     }  
   }
   }
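Review bot: The `if (in_array(strtoupper($country),$exclude_country)) { ... continue; }` check runs after `CheckIP()` has already done the reverse DNS, whois and syslog work for the address, so an excluded country still costs the lookups and still produces a syslog `Blocked=` line; it is only left out of the email. If that is the intent, say so in a comment next to `$exclude_country`; if not, the exclusion belongs inside `NotifyNewBlock()` before the logger call. Also `$country` is NULL whenever `CheckIP()` returns nothing for an already-blocked IP, so guard the test with `if ($action && in_array(...))` rather than relying on `strtoupper(NULL)`.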
Line 146: Line 104:
   // Notify if we had any results
   // Notify if we had any results
   if (!empty($message_body)) {
   if (!empty($message_body)) {
     $message_body .= "\n-----------------------------------------------------------------------------------------------------------------------------------\n";
     $notify = $header;
     if (DEBUG) {    print $message_body . "\n";  }
     notify_via_smtp($message_body);
    $notify .= "------- Actions -------\n\n";
     notify_via_growl($message_body);
    $notify .= $actions . "\n";
    $notify .= "-----------------------\n\n\n";
    $notify .= "------- Deatailed Info -------\n\n";
    $notify .= $message_body . "\n";
    $notify .= $footer;
     if (DEBUG) {    print $notify . "\n";  }
     notify_via_smtp($notify);
     notify_via_growl($notify);
   }
   }
}
}
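Review bot: `$notify .= "------- Deatailed Info -------\n\n";` has a typo that lands in every notification ("Detailed"). In the same block `$notify = $header;` is always the empty string because `$header = ''` is never changed; either populate it with something useful to the recipient (firewall hostname and run time) or remove both lines.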
Line 168: Line 118:
   
   
   // debug mode - send notifies even if old
   // debug mode - send notifies even if old
   if (DEBUG) {     
   if (DEBUG) {    $body = NotifyNewBlock($ip); }  
    list ($action,$body,$country,$netname,$inc_host) = NotifyNewBlock($ip);  
    return array ($action,$body,$country,$netname,$inc_host);
  }  
   
   
   else {
   else {
Line 177: Line 124:
       if (!in_array($ip,$is_blocked)) {
       if (!in_array($ip,$is_blocked)) {
         // not in current block list - obtain IP info - whois/alert logs
         // not in current block list - obtain IP info - whois/alert logs
         list ($action,$body,$country,$netname,$inc_host) = NotifyNewBlock($ip,$body);
         $body = NotifyNewBlock($ip,$body);
        return array ($action,$body,$country,$netname,$inc_host);
       }
       }
     }
     }
   }
   }
  return $body;
}
}
   
   
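Review bot: `CheckIP()` returns only on the `DEBUG` path and on the new-block path; when the IP is already in `$is_blocked` it falls off the end of the function and returns NULL, so the caller's `list ($action,$tmp_body,$country,$netname,$inc_host) = CheckIP($ip,$fp);` sets all five to NULL. Add an explicit `return array('', '', '', '', '');` at the end so every path honours the same contract. Also `NotifyNewBlock($ip,$body)` passes a second argument that `function NotifyNewBlock($ip)` does not declare; drop it.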
Line 190: Line 135:
function NotifyNewBlock($ip) {
function NotifyNewBlock($ip) {
   global $alert_logs,$log_date;
   global $alert_logs,$log_date;
   
   
   // reverse dns for ip
   // reverse dns for ip
   $host = gethostbyaddr($ip);
   $host = gethostbyaddr($ip);
   if ($host != $ip) {  $inc_host = "$host"; }
   if ($host != $ip) {  $inc_host = "[$host]"; }
   
   
   // start of body
   // start of body
   //$body = "\n\n-----------------------------------------------------------------------------------------------------------------------------------\n";
   $body = "\n\n-----------------------------------------------------------------------------------------------------------------------------------\n";
   $action = "* Blocked: $ip";
   $body .= "\n* Blocked: $ip $inc_host\n";
  $body .= "\n$action [$inc_host]\n";
   
   
  // try to get whois info
  if ( $whois = get_whois($ip) ) {    $body .= $whois; }
   
   
   // iterate through snort logs to find reason for block
   // iterate through snort logs to find reason for block
  $body .= "\n  ------------------ LOGS for $ip $log_date -----------------------\n";
   foreach ($alert_logs as $log) {
   foreach ($alert_logs as $log) {
     $cmd = 'grep ' . "$ip $log | grep $log_date " .  
     $cmd = 'grep ' . "$ip $log | grep $log_date " .  
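Review bot: `$cmd = 'grep ' . "$ip $log | grep $log_date "` uses the address as an unanchored basic regular expression, so `10.1.2.3` also matches `10.1.2.30`, `110.1.2.3` and any line where the dots line up with other characters; use `grep -F -w -- ` with `escapeshellarg($ip)` (and the same for `$log_date`) so the address is matched as a whole token and never interpreted by the shell. `$inc_host` is unset when `gethostbyaddr()` returns the IP itself, which raises a notice at `"\n$action [$inc_host]\n"`; initialise it to ''. A header comment should also mention that `gethostbyaddr()` and the whois lookup are run against every newly blocked source, so the firewall actively contacts the blocked party's reverse-DNS servers; that is a design choice worth stating.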
Line 211: Line 154:
   
   
     if (DEBUG) { print "\tDEBUG: " . $cmd . "\n\n";}
     if (DEBUG) { print "\tDEBUG: " . $cmd . "\n\n";}
    $body .= "\n  ------------------ LOGS for $ip $log_date -----------------------\n";
     $result .= shell_exec ($cmd);
     $result .= shell_exec ($cmd);
     if ($result) {
     $tmp_log = explode("\n",$result);
      $body .= "LogFile: $log\n\n";
    $log_body = $tmp_log[0];  // only get on for logger - last one
      $tmp_log = explode("\n",trim($result));
    $body .= $result;
      if ($tmp_log[0]) {
     $body .= "  ---------------- END LOGS for $ip $log_date ---------------------\n";
        $log_body = $tmp_log[0];  // only get on for logger - last one
      }
    $body .= $result;
     }
  }
$body .= "\n ---------------- END LOGS for $ip $log_date ---------------------\n";
  // try to get whois info
if ( list ($whois,$country,$netname) = get_whois($ip) ) {    $body .= "\n" . $whois . "\n"; }
// log to syslog
if ($log_body) {
  $log_body = str_replace('"', "'", $log_body );
    $log_cmd = "echo \"Blocked=$ip $log_body\" | logger -P local0 -t snort2c";
   }
   }
  // log to syslog
  $log_body = str_replace('"', "'", $log_body );
  $log_cmd = "echo \"Blocked=$ip $log_body\" | logger -P local0 -t snort2c";
   shell_exec($log_cmd);
   shell_exec($log_cmd);
   
   
   return array ($action,$body,$country,$netname,$inc_host);
   return $body;
}
}
   
   
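Review bot: `$result .= shell_exec ($cmd);` inside `foreach ($alert_logs as $log)` is never reset between iterations, so the second log file's `LogFile:` section repeats everything found in the first; use `$result = shell_exec($cmd);` per iteration. In the latest-revision branch `$log_cmd` is assigned only inside `if ($log_body) { ... }` but `shell_exec($log_cmd);` runs unconditionally after it, which is a notice and a `shell_exec('')` whenever no alert line matched; move the call inside the `if`. `str_replace('"', "'", $log_body)` neutralises only double quotes before the alert text is interpolated into `echo "Blocked=$ip $log_body"`; backticks and `$(` in the matched line still reach /bin/sh, so build it as `'echo ' . escapeshellarg("Blocked=$ip $log_body") . ' | logger -p local0.notice -t snort2c'` (note `-p`, not `-P`, as elsewhere).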
Line 247: Line 180:
   $whois_data = get_whois_from_server($whois_server , $ip);
   $whois_data = get_whois_from_server($whois_server , $ip);


  // if there is now Country info -- lets get the Parent Block info (hack - works for comcast.. not sure of others)
   $a = explode("\n",$whois_data);
  if (!preg_match("/Country/",$whois_data) && preg_match("/NET-([\d\-]+)/",$whois_data, $matches) ) {
    $whois_old = $whois_data;
    $whois_data = get_whois_from_server($whois_server , $matches[0]);
  }
 
   $a = explode("\n",trim($whois_data));
   
   
   /* wanted info  
   /* wanted info  
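Review bot: The parent-block fallback `preg_match("/NET-([\d\-]+)/",$whois_data, $matches)` takes the first `NET-` handle appearing anywhere in the answer, which may be the record's own `NetHandle:` rather than its `Parent:`, in which case the second query just returns the same record; match the `Parent:` line explicitly, e.g. `preg_match('/^Parent:.*?(NET-[\d\-]+)/m', $whois_data, $m)` and query `$m[1]`. `$whois_old` is tested further down but only assigned here, so initialise it to '' before the `if`. The comment "if there is now Country info" should read "no".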
Line 273: Line 199:
     StateProv:      WA
     StateProv:      WA
     PostalCode:    98144
     PostalCode:    98144
 
     inetnum:        111.72.0.0 - 111.79.255.255
     inetnum:        111.72.0.0 - 111.79.255.255
     netname:        CHINANET-JX
     netname:        CHINANET-JX
Line 283: Line 209:
   */
   */
   
   
 
 
   $wanted = array('NetRange',
   $wanted = array('NetRange',
                   'CIDR',
                   'CIDR',
Line 309: Line 235:
   $whois .= "  ------------------------ WHOIS -----------------------------\n";
   $whois .= "  ------------------------ WHOIS -----------------------------\n";
   $whois .= "  whois server: $whois_server\n\n";
   $whois .= "  whois server: $whois_server\n\n";
 
   $seen = array();
   $seen = array();
  $netname = '';
   foreach ($wanted as $w) {
   foreach ($wanted as $w) {
     $p = preg_grep( "/^$w/i" , $a );
     $p = preg_grep( "/^$w/i" , $a );
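Review bot: `$netname = '';` is initialised here but `$country` is not, so `ltrim(rtrim($country))` and the caller's `strtoupper($country)` operate on an undefined variable whenever the whois answer carries no `country:` line; add `$country = '';` beside it. Since `$country` later drives the `$exclude_country` decision, the header comment should say that it is taken verbatim from unauthenticated TCP/43 whois text.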
Line 322: Line 247:
     }
     }
   }  
   }  
 
 
  // get netnamt for action line
  $p = preg_grep( "/^NetName/i" , $a );
  foreach ($p as $l) {
    if (preg_match('/netname:\s+(.*)/i' , $l , $m)) { $netname = $m[1]; }
  }
  // get country too
  $p = preg_grep( "/^country/i" , $a );
  foreach ($p as $l) {
    if (preg_match('/country:\s+(.*)/i' , $l , $m)) { $country = $m[1]; }
  }
  $netname = ltrim(rtrim($netname));
  $country = ltrim(rtrim($country));
   if (empty($seen)) {
   if (empty($seen)) {
     foreach ($a as $l) {
     foreach ($a as $l) {
      if (!preg_match("/^#/",$l) && preg_match("/\w/",$l)) {
    if (!preg_match("/^#/",$l) && preg_match("/\w/",$l)) {
        $whois .= $l . "\n";
      $whois .= $l . "\n";
      }
    }
    }
  }
 
  // show the original info if it exist..
  if ($whois_old) {
    $o = explode("\n",trim($whois_old));
    foreach ($o as $l) {
      if (!preg_match("/^#/",$l) && preg_match("/\w/",$l)) {
        $whois .= "\t" . $l . "\n";
      }
     }
     }
   }
   }
  $whois .= "  ---------------------- END WHOIS ---------------------------\n";




  $whois .= "  ---------------------- END WHOIS ---------------------------\n";
   return $whois;
   return array ($whois,$country,$netname);
}
}
   
   
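Review bot: The `foreach ($p as $l) { if (preg_match('/netname:\s+(.*)/i' ...` and `/country:\s+(.*)/i` loops keep the last matching line, and RIPE/APNIC answers routinely contain several objects (inetnum, route, person/role), so the `country:` of a contact can overwrite the netblock's; `break` after the first match or restrict the search to the lines before the second object. `ltrim(rtrim($netname))` is just `trim($netname)`. `if ($whois_old)` reads a variable that is set only on the parent-lookup path; initialise it to '' where `$whois_data` is first fetched.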
Line 381: Line 281:
function GetLogs() {
function GetLogs() {
   $alert_logs = array();
   $alert_logs = array();
   $logs = `/usr/bin/find /var/log/snort/ -name alert`;
   $ps_logs = `ps auxw | grep snort | grep "\-l " | grep -v grep`;
   $psa = explode("\n",$ps_logs);
   $alert_logs = explode("\n",trim($logs));
  if (!empty($psa)) {
    foreach ($psa as $ps) {
      if (preg_match( "/\s-l\s+([^\s]+)/i" , $ps, $m)) {
        array_push ($alert_logs,$m[1] . "/alert");
      }
    }
  }
   
   
   if (!empty($alert_logs)) {
   if (!empty($alert_logs)) {
     return $alert_logs;
     return $alert_logs;
   } else {
   } else {
     $notificationmsg = "failed to locate alert logs - is snort installed?\n";
     $notificationmsg = "failed to locate alert logs - snort running?\n";
     print $notificationmsg;
     print $notificationmsg;
     notify_via_smtp($notificationmsg);
     notify_via_smtp($notificationmsg);
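Review bot: In `GetLogs()` the pattern `/\s-l\s+([^\s]+)/i` is case-insensitive, so it also captures the argument of snort's `-L <file>` option and appends `<file>/alert` to `$alert_logs`; drop the `i` flag. Parsing `ps auxw | grep snort | grep "\-l "` also accepts any process whose command line happens to contain both strings, so validate each candidate with `is_readable("$dir/alert")` before `array_push`, and `array_unique()` the list when the `find` and `ps` sources are combined. `explode("\n",trim($logs))` on empty `find` output returns `array('')`, which is not `empty()`, so the "failed to locate alert logs" branch is unreachable on that path; pass the result through `array_filter()` first.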
Line 395: Line 301:
   }
   }
}
}
?>
?>
</source>
</source>


=== Example Output ===
=== Example Output ===
* Email on Unblocked and/or Blocked
* Email on Blocked
<source lang=text>
<source lang=text>
  Unblocked: 8.8.8.8
  Unblocked: 8.8.8.8
Line 473: Line 377:
-----------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------
</source>
</source>
[[Category:How-to]]
[[Category:Networking]]