Editing Pfsense
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 6: | Line 6: | ||
pkg_add -r emacs-nox11 | pkg_add -r emacs-nox11 | ||
</source> | </source> | ||
== Snort Auto Block Email == | == Snort Auto Block Email == | ||
* SNORT does not have any way to notify (as I know of) when it blocks/unblocks an IP automatically. Below is a PHP script that will. | * SNORT does not have any way to notify (as I know of) when it blocks/unblocks an IP automatically. Below is a PHP script that will. | ||
Line 31: | Line 21: | ||
* Install CRON from the GUI Package Manger | * Install CRON from the GUI Package Manger | ||
* setup CRON to execute '''/usr/local/bin/snort_autoblock_notify.php''' every 5 minutes as '''root''' | * setup CRON to execute '''/usr/local/bin/snort_autoblock_notify.php''' every 5 minutes as '''root''' | ||
=== snort_autoblock_notify.php === | === snort_autoblock_notify.php === | ||
Line 57: | Line 35: | ||
* | * | ||
* Created: 2013-05-01 | * Created: 2013-05-01 | ||
* Modified: 2013- | * Modified: 2013-05-01 | ||
* | * | ||
* Version: 0.0. | * Version: 0.0.1 | ||
* | * | ||
* Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine. | * Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine. | ||
* | * | ||
*/ | */ | ||
define(DEBUG, 0); // ghetto debugging... not really useful | define(DEBUG, 0); // ghetto debugging... not really useful | ||
// get snort alert logs | // get snort alert logs | ||
Line 98: | Line 67: | ||
} | } | ||
$is_blocked = array(); | $is_blocked = array(); | ||
$is_blocked = explode("\n", | $is_blocked = explode("\n",$contents); | ||
// Liste currently blocked IP's from snort - from the pf table (snort2c) | // Liste currently blocked IP's from snort - from the pf table (snort2c) | ||
$out = shell_exec("/sbin/pfctl -t snort2c -T show | sed -e 's/^[[:space:]]*//'"); | $out = shell_exec("/sbin/pfctl -t snort2c -T show | sed -e 's/^[[:space:]]*//'"); | ||
//$out = shell_exec("/sbin/pfctl -t snort2c -T show |"); | //$out = shell_exec("/sbin/pfctl -t snort2c -T show |"); | ||
$ips = explode("\n", | $ips = explode("\n",$out); | ||
$message_body; | $message_body; | ||
// notify on unblocked | // notify on unblocked | ||
foreach ($is_blocked as $ib) { | foreach ($is_blocked as $ib) { | ||
if (!in_array($ib, $ips | if (!in_array($ib, $ips)) { | ||
$ | $message_body .= " Unblocked: $ib\n"; | ||
// log to syslog | // log to syslog | ||
$log_cmd = "echo \"$ | $log_cmd = "echo \"$message_body\" | logger -P local0 -t snort2c"; | ||
shell_exec($log_cmd); | shell_exec($log_cmd); | ||
} | } | ||
Line 120: | Line 88: | ||
// iterate through IP blocks | // iterate through IP blocks | ||
if (is_array($ips)) { | if (is_array($ips)) { | ||
$fp = fopen($statusfile, 'w'); | $fp = fopen($statusfile, 'w'); | ||
foreach ($ips as $ip) { | foreach ($ips as $ip) { | ||
Line 129: | Line 96: | ||
// CheckIP - return info about IP if this is not currently blocked | // CheckIP - return info about IP if this is not currently blocked | ||
if (DEBUG) { print "Check Blocked IP: $ip \n"; } | if (DEBUG) { print "Check Blocked IP: $ip \n"; } | ||
$message_body .= CheckIP($ip,$fp); | |||
if (DEBUG && !$message_body) { print " no message_body for $ip \n"; } | |||
} | } | ||
} | } | ||
Line 146: | Line 104: | ||
// Notify if we had any results | // Notify if we had any results | ||
if (!empty($message_body)) { | if (!empty($message_body)) { | ||
$message_body .= "\n-----------------------------------------------------------------------------------------------------------------------------------\n"; | |||
$ | if (DEBUG) { print $message_body . "\n"; } | ||
notify_via_smtp($message_body); | |||
notify_via_growl($message_body); | |||
if (DEBUG) { print $ | |||
notify_via_smtp($ | |||
notify_via_growl($ | |||
} | } | ||
} | } | ||
Line 168: | Line 118: | ||
// debug mode - send notifies even if old | // debug mode - send notifies even if old | ||
if (DEBUG) { | if (DEBUG) { $body = NotifyNewBlock($ip); } | ||
else { | else { | ||
Line 177: | Line 124: | ||
if (!in_array($ip,$is_blocked)) { | if (!in_array($ip,$is_blocked)) { | ||
// not in current block list - obtain IP info - whois/alert logs | // not in current block list - obtain IP info - whois/alert logs | ||
$body = NotifyNewBlock($ip,$body); | |||
} | } | ||
} | } | ||
} | } | ||
return $body; | |||
} | } | ||
Line 190: | Line 135: | ||
function NotifyNewBlock($ip) { | function NotifyNewBlock($ip) { | ||
global $alert_logs,$log_date; | global $alert_logs,$log_date; | ||
// reverse dns for ip | // reverse dns for ip | ||
$host = gethostbyaddr($ip); | $host = gethostbyaddr($ip); | ||
if ($host != $ip) { $inc_host = "$host"; } | if ($host != $ip) { $inc_host = "[$host]"; } | ||
// start of body | // start of body | ||
$body = "\n\n-----------------------------------------------------------------------------------------------------------------------------------\n"; | |||
$ | $body .= "\n* Blocked: $ip $inc_host\n"; | ||
// try to get whois info | |||
if ( $whois = get_whois($ip) ) { $body .= $whois; } | |||
// iterate through snort logs to find reason for block | // iterate through snort logs to find reason for block | ||
foreach ($alert_logs as $log) { | foreach ($alert_logs as $log) { | ||
$cmd = 'grep ' . "$ip $log | grep $log_date " . | $cmd = 'grep ' . "$ip $log | grep $log_date " . | ||
Line 211: | Line 154: | ||
if (DEBUG) { print "\tDEBUG: " . $cmd . "\n\n";} | if (DEBUG) { print "\tDEBUG: " . $cmd . "\n\n";} | ||
$body .= "\n ------------------ LOGS for $ip $log_date -----------------------\n"; | |||
$result .= shell_exec ($cmd); | $result .= shell_exec ($cmd); | ||
$tmp_log = explode("\n",$result); | |||
$log_body = $tmp_log[0]; // only get on for logger - last one | |||
$body .= $result; | |||
$body .= " ---------------- END LOGS for $ip $log_date ---------------------\n"; | |||
} | } | ||
// log to syslog | |||
$log_body = str_replace('"', "'", $log_body ); | |||
$log_cmd = "echo \"Blocked=$ip $log_body\" | logger -P local0 -t snort2c"; | |||
shell_exec($log_cmd); | shell_exec($log_cmd); | ||
return | return $body; | ||
} | } | ||
Line 247: | Line 180: | ||
$whois_data = get_whois_from_server($whois_server , $ip); | $whois_data = get_whois_from_server($whois_server , $ip); | ||
$a = explode("\n",$whois_data); | |||
$a = explode("\n", | |||
/* wanted info | /* wanted info | ||
Line 273: | Line 199: | ||
StateProv: WA | StateProv: WA | ||
PostalCode: 98144 | PostalCode: 98144 | ||
inetnum: 111.72.0.0 - 111.79.255.255 | inetnum: 111.72.0.0 - 111.79.255.255 | ||
netname: CHINANET-JX | netname: CHINANET-JX | ||
Line 283: | Line 209: | ||
*/ | */ | ||
$wanted = array('NetRange', | $wanted = array('NetRange', | ||
'CIDR', | 'CIDR', | ||
Line 309: | Line 235: | ||
$whois .= " ------------------------ WHOIS -----------------------------\n"; | $whois .= " ------------------------ WHOIS -----------------------------\n"; | ||
$whois .= " whois server: $whois_server\n\n"; | $whois .= " whois server: $whois_server\n\n"; | ||
$seen = array(); | $seen = array(); | ||
foreach ($wanted as $w) { | foreach ($wanted as $w) { | ||
$p = preg_grep( "/^$w/i" , $a ); | $p = preg_grep( "/^$w/i" , $a ); | ||
Line 322: | Line 247: | ||
} | } | ||
} | } | ||
if (empty($seen)) { | if (empty($seen)) { | ||
foreach ($a as $l) { | foreach ($a as $l) { | ||
if (!preg_match("/^#/",$l) && preg_match("/\w/",$l)) { | |||
$whois .= $l . "\n"; | |||
} | |||
} | } | ||
} | } | ||
$whois .= " ---------------------- END WHOIS ---------------------------\n"; | |||
return $whois; | |||
return | |||
} | } | ||
Line 381: | Line 281: | ||
function GetLogs() { | function GetLogs() { | ||
$alert_logs = array(); | $alert_logs = array(); | ||
$ | $ps_logs = `ps auxw | grep snort | grep "\-l " | grep -v grep`; | ||
$psa = explode("\n",$ps_logs); | |||
$ | if (!empty($psa)) { | ||
foreach ($psa as $ps) { | |||
if (preg_match( "/\s-l\s+([^\s]+)/i" , $ps, $m)) { | |||
array_push ($alert_logs,$m[1] . "/alert"); | |||
} | |||
} | |||
} | |||
if (!empty($alert_logs)) { | if (!empty($alert_logs)) { | ||
return $alert_logs; | return $alert_logs; | ||
} else { | } else { | ||
$notificationmsg = "failed to locate alert logs - | $notificationmsg = "failed to locate alert logs - snort running?\n"; | ||
print $notificationmsg; | print $notificationmsg; | ||
notify_via_smtp($notificationmsg); | notify_via_smtp($notificationmsg); | ||
Line 395: | Line 301: | ||
} | } | ||
} | } | ||
?> | ?> | ||
</source> | </source> | ||
=== Example Output === | === Example Output === | ||
* Email on | * Email on Blocked | ||
<source lang=text> | <source lang=text> | ||
Unblocked: 8.8.8.8 | Unblocked: 8.8.8.8 | ||
Line 473: | Line 377: | ||
----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ||
</source> | </source> | ||