Line 6: | Line 6: | ||
pkg_add -r emacs-nox11 | pkg_add -r emacs-nox11 | ||
</source> | </source> | ||
== Snort Auto Block Email == | == Snort Auto Block Email == | ||
* SNORT does not have any way to notify (as I know of) when it blocks/unblocks an IP automatically. Below is a PHP script that will. | * SNORT does not have any way to notify (as I know of) when it blocks/unblocks an IP automatically. Below is a PHP script that will. | ||
Line 40: | Line 30: | ||
command: /usr/local/bin/snort_autoblock_notify.php &> /dev/null | command: /usr/local/bin/snort_autoblock_notify.php &> /dev/null | ||
</source> | </source> | ||
=== snort_autoblock_notify.php === | === snort_autoblock_notify.php === | ||
Line 57: | Line 44: | ||
* | * | ||
* Created: 2013-05-01 | * Created: 2013-05-01 | ||
* Modified: 2013- | * Modified: 2013-05-01 | ||
* | * | ||
* Version: 0.0. | * Version: 0.0.1 | ||
* | * | ||
* Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine. | * Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine. | ||
* | * | ||
*/ | */ | ||
define(DEBUG, 0); // ghetto debugging... not really useful | define(DEBUG, 0); // ghetto debugging... not really useful | ||
// get snort alert logs | // get snort alert logs | ||
Line 98: | Line 76: | ||
} | } | ||
$is_blocked = array(); | $is_blocked = array(); | ||
$is_blocked = explode("\n", | $is_blocked = explode("\n",$contents); | ||
// Liste currently blocked IP's from snort - from the pf table (snort2c) | // Liste currently blocked IP's from snort - from the pf table (snort2c) | ||
$out = shell_exec("/sbin/pfctl -t snort2c -T show | sed -e 's/^[[:space:]]*//'"); | $out = shell_exec("/sbin/pfctl -t snort2c -T show | sed -e 's/^[[:space:]]*//'"); | ||
//$out = shell_exec("/sbin/pfctl -t snort2c -T show |"); | //$out = shell_exec("/sbin/pfctl -t snort2c -T show |"); | ||
$ips = explode("\n", | $ips = explode("\n",$out); | ||
$message_body; | $message_body; | ||
// notify on unblocked | // notify on unblocked | ||
foreach ($is_blocked as $ib) { | foreach ($is_blocked as $ib) { | ||
if (!in_array($ib, $ips | if (!in_array($ib, $ips)) { | ||
$ | $message_body .= " Unblocked: $ib\n"; | ||
// log to syslog | // log to syslog | ||
$log_cmd = "echo \"$ | $log_cmd = "echo \"$message_body\" | logger -P local0 -t snort2c"; | ||
shell_exec($log_cmd); | shell_exec($log_cmd); | ||
} | } | ||
Line 120: | Line 97: | ||
// iterate through IP blocks | // iterate through IP blocks | ||
if (is_array($ips)) { | if (is_array($ips)) { | ||
$fp = fopen($statusfile, 'w'); | $fp = fopen($statusfile, 'w'); | ||
foreach ($ips as $ip) { | foreach ($ips as $ip) { | ||
Line 129: | Line 105: | ||
// CheckIP - return info about IP if this is not currently blocked | // CheckIP - return info about IP if this is not currently blocked | ||
if (DEBUG) { print "Check Blocked IP: $ip \n"; } | if (DEBUG) { print "Check Blocked IP: $ip \n"; } | ||
$message_body .= CheckIP($ip,$fp); | |||
if (DEBUG && !$message_body) { print " no message_body for $ip \n"; } | |||
} | } | ||
} | } | ||
Line 146: | Line 113: | ||
// Notify if we had any results | // Notify if we had any results | ||
if (!empty($message_body)) { | if (!empty($message_body)) { | ||
$message_body .= "\n-----------------------------------------------------------------------------------------------------------------------------------\n"; | |||
$ | if (DEBUG) { print $message_body . "\n"; } | ||
notify_via_smtp($message_body); | |||
notify_via_growl($message_body); | |||
if (DEBUG) { print $ | |||
notify_via_smtp($ | |||
notify_via_growl($ | |||
} | } | ||
} | } | ||
Line 168: | Line 127: | ||
// debug mode - send notifies even if old | // debug mode - send notifies even if old | ||
if (DEBUG) { | if (DEBUG) { $body = NotifyNewBlock($ip); } | ||
else { | else { | ||
Line 177: | Line 133: | ||
if (!in_array($ip,$is_blocked)) { | if (!in_array($ip,$is_blocked)) { | ||
// not in current block list - obtain IP info - whois/alert logs | // not in current block list - obtain IP info - whois/alert logs | ||
$body = NotifyNewBlock($ip,$body); | |||
} | } | ||
} | } | ||
} | } | ||
return $body; | |||
} | } | ||
Line 190: | Line 144: | ||
function NotifyNewBlock($ip) { | function NotifyNewBlock($ip) { | ||
global $alert_logs,$log_date; | global $alert_logs,$log_date; | ||
// reverse dns for ip | // reverse dns for ip | ||
$host = gethostbyaddr($ip); | $host = gethostbyaddr($ip); | ||
if ($host != $ip) { $inc_host = "$host"; } | if ($host != $ip) { $inc_host = "[$host]"; } | ||
// start of body | // start of body | ||
$body = "\n\n-----------------------------------------------------------------------------------------------------------------------------------\n"; | |||
$ | $body .= "\n* Blocked: $ip $inc_host\n"; | ||
// try to get whois info | |||
if ( $whois = get_whois($ip) ) { $body .= $whois; } | |||
// iterate through snort logs to find reason for block | // iterate through snort logs to find reason for block | ||
foreach ($alert_logs as $log) { | foreach ($alert_logs as $log) { | ||
$cmd = 'grep ' . "$ip $log | grep $log_date " . | $cmd = 'grep ' . "$ip $log | grep $log_date " . | ||
Line 211: | Line 163: | ||
if (DEBUG) { print "\tDEBUG: " . $cmd . "\n\n";} | if (DEBUG) { print "\tDEBUG: " . $cmd . "\n\n";} | ||
$body .= "\n ------------------ LOGS for $ip $log_date -----------------------\n"; | |||
$result .= shell_exec ($cmd); | $result .= shell_exec ($cmd); | ||
$tmp_log = explode("\n",$result); | |||
$log_body = $tmp_log[0]; // only get on for logger - last one | |||
$body .= $result; | |||
$body .= " ---------------- END LOGS for $ip $log_date ---------------------\n"; | |||
} | } | ||
// log to syslog | |||
$log_body = str_replace('"', "'", $log_body ); | |||
$log_cmd = "echo \"Blocked=$ip $log_body\" | logger -P local0 -t snort2c"; | |||
shell_exec($log_cmd); | shell_exec($log_cmd); | ||
return | return $body; | ||
} | } | ||
Line 247: | Line 189: | ||
$whois_data = get_whois_from_server($whois_server , $ip); | $whois_data = get_whois_from_server($whois_server , $ip); | ||
$a = explode("\n",$whois_data); | |||
$a = explode("\n", | |||
/* wanted info | /* wanted info | ||
Line 273: | Line 208: | ||
StateProv: WA | StateProv: WA | ||
PostalCode: 98144 | PostalCode: 98144 | ||
inetnum: 111.72.0.0 - 111.79.255.255 | inetnum: 111.72.0.0 - 111.79.255.255 | ||
netname: CHINANET-JX | netname: CHINANET-JX | ||
Line 283: | Line 218: | ||
*/ | */ | ||
$wanted = array('NetRange', | $wanted = array('NetRange', | ||
'CIDR', | 'CIDR', | ||
Line 309: | Line 244: | ||
$whois .= " ------------------------ WHOIS -----------------------------\n"; | $whois .= " ------------------------ WHOIS -----------------------------\n"; | ||
$whois .= " whois server: $whois_server\n\n"; | $whois .= " whois server: $whois_server\n\n"; | ||
$seen = array(); | $seen = array(); | ||
foreach ($wanted as $w) { | foreach ($wanted as $w) { | ||
$p = preg_grep( "/^$w/i" , $a ); | $p = preg_grep( "/^$w/i" , $a ); | ||
Line 322: | Line 256: | ||
} | } | ||
} | } | ||
if (empty($seen)) { | if (empty($seen)) { | ||
foreach ($a as $l) { | foreach ($a as $l) { | ||
if (!preg_match("/^#/",$l) && preg_match("/\w/",$l)) { | |||
$whois .= $l . "\n"; | |||
} | |||
} | } | ||
} | } | ||
$whois .= " ---------------------- END WHOIS ---------------------------\n"; | |||
return $whois; | |||
return | |||
} | } | ||
Line 381: | Line 290: | ||
function GetLogs() { | function GetLogs() { | ||
$alert_logs = array(); | $alert_logs = array(); | ||
$ | $ps_logs = `ps auxw | grep snort | grep "\-l " | grep -v grep`; | ||
$psa = explode("\n",$ps_logs); | |||
$ | if (!empty($psa)) { | ||
foreach ($psa as $ps) { | |||
if (preg_match( "/\s-l\s+([^\s]+)/i" , $ps, $m)) { | |||
array_push ($alert_logs,$m[1] . "/alert"); | |||
} | |||
} | |||
} | |||
if (!empty($alert_logs)) { | if (!empty($alert_logs)) { | ||
return $alert_logs; | return $alert_logs; | ||
} else { | } else { | ||
$notificationmsg = "failed to locate alert logs - | $notificationmsg = "failed to locate alert logs - snort running?\n"; | ||
print $notificationmsg; | print $notificationmsg; | ||
notify_via_smtp($notificationmsg); | notify_via_smtp($notificationmsg); | ||
Line 395: | Line 310: | ||
} | } | ||
} | } | ||
?> | ?> | ||
</source> | </source> | ||
Line 473: | Line 386: | ||
----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ||
</source> | </source> | ||
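Review bot: In NotifyNewBlock (the hunk starting at "Line 190"), the new `$log_cmd = "echo \"Blocked=$ip $log_body\" | logger -P local0 -t snort2c";` hands a line read back from the snort alert log to sh inside double quotes, and the preceding `str_replace('"', "'", $log_body)` only swaps quote characters, so `$`, backticks and backslashes in that line are still expanded by the shell before logger ever sees them. That alert text is presumably shaped by the traffic of the host being blocked, so it should not pass through a shell at all: PHP's built-in `openlog('snort2c', LOG_PID, LOG_LOCAL0); syslog(LOG_INFO, "Blocked=$ip $log_body");` writes the same record directly, or at minimum the message should be wrapped with `escapeshellarg()` before concatenation. The unblock loop (hunk at "Line 98") has the same shape with `echo \"$message_body\" | logger`, and there it additionally re-logs the entire accumulated `$message_body` on every iteration instead of only the current `Unblocked: $ib` line. Both enclosing functions start and end outside these hunks, so I cannot tell from here whether `$log_body` or `$ip` is validated anywhere upstream.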