Editing Pfsense
Line 10: | Line 10: | ||
cat ~/.emacs | cat ~/.emacs | ||
; make sure the target directory is on your load-path | ; make sure the target directory is on your load-path | ||
(add-to-list 'load-path | (add-to-list 'load-path "~/.emacs.d") | ||
(require 'php-mode) | (require 'php-mode) | ||
</source> | </source> | ||
Line 57: | Line 57: | ||
* | * | ||
* Created: 2013-05-01 | * Created: 2013-05-01 | ||
* Modified: 2013- | * Modified: 2013-05-20 | ||
* | * | ||
* Version: 0.0. | * Version: 0.0.5 | ||
* | * | ||
* Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine. | * Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine. | ||
* | * | ||
*/ | */ | ||
Line 70: | Line 68: | ||
define(DEBUG, 0); // ghetto debugging... not really useful | define(DEBUG, 0); // ghetto debugging... not really useful | ||
// body header | // body header | ||
$header = ''; | $header = ''; | ||
$footer = __FILE__ . ' SNORT Auto Block Notifcation'; | $footer = __FILE__ . ' SNORT Auto Block Notifcation'; | ||
//$footer .= "\n-----------------------------------------------------------------------------------------------------------------------------------\n"; | //$footer .= "\n-----------------------------------------------------------------------------------------------------------------------------------\n"; | ||
// get snort alert logs | // get snort alert logs | ||
$alert_logs = GetLogs(); | $alert_logs = GetLogs(); | ||
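Review bot: `define(DEBUG, 0);` passes the constant name as a bare identifier instead of a string; on PHP 7.x the undefined name falls back to the string `'DEBUG'` with a warning so it happens to work, but on PHP 8 it is `Error: Undefined constant "DEBUG"` and the script never reaches the notification logic. Write `define('DEBUG', 0);` (or `const DEBUG = 0;`). The footer string on the following line also misspells its text: `$footer = __FILE__ . ' SNORT Auto Block Notification';`. This hunk carries only context lines, so the point concerns the existing code rather than the edit itself.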
Line 104: | Line 100: | ||
//$out = shell_exec("/sbin/pfctl -t snort2c -T show |"); | //$out = shell_exec("/sbin/pfctl -t snort2c -T show |"); | ||
$ips = explode("\n",trim($out)); | $ips = explode("\n",trim($out)); | ||
$message_body; | $message_body; | ||
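Review bot: `$message_body;` on the last line is an expression statement with no effect, so it does not declare or initialise anything; if the intent was to start the body before the loop that fills it, write `$message_body = '';`. As written, if the variable is later built with `.=` the first append runs on an undefined variable, and the `!empty($message_body)` test further down only works because an undefined variable counts as empty. The enclosing function starts and ends outside this hunk.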
Line 122: | Line 118: | ||
global $header; | global $header; | ||
$fp = fopen($statusfile, 'w'); | $fp = fopen($statusfile, 'w'); | ||
foreach ($ips as $ip) { | foreach ($ips as $ip) { | ||
$ip= ltrim(rtrim($ip)); | $ip= ltrim(rtrim($ip)); | ||
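Review bot: The result of `fopen($statusfile, 'w')` is never checked before `$fp` is passed into `CheckIP()` inside the loop and to `fclose($fp)` later; when the status file cannot be opened `fopen` returns `false` with a warning, every write through it fails, and `fclose(false)` is a TypeError on PHP 8. Guard it before the loop: `if (($fp = fopen($statusfile, 'w')) === false) { return; }` — or throw, whichever the caller expects. `ltrim(rtrim($ip))` on the last line is simply `trim($ip)`. The enclosing function begins and ends outside the hunk.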
Line 130: | Line 126: | ||
if (DEBUG) { print "Check Blocked IP: $ip \n"; } | if (DEBUG) { print "Check Blocked IP: $ip \n"; } | ||
list ($action,$tmp_body,$country,$netname,$inc_host) = CheckIP($ip,$fp); | list ($action,$tmp_body,$country,$netname,$inc_host) = CheckIP($ip,$fp); | ||
if ($action) { | if ($action) { | ||
$format = "%-26s [%-2s] %-15.15s [%s] \n"; | $format = "%-26s [%-2s] %-15.15s [%s] \n"; | ||
Line 143: | Line 135: | ||
} | } | ||
fclose($fp); | fclose($fp); | ||
// Notify if we had any results | // Notify if we had any results | ||
if (!empty($message_body)) { | if (!empty($message_body)) { | ||
$notify = $header; | $notify = $header; | ||
$notify .= "------- Actions -------\n\n"; | $notify .= "------- Actions -------\n\n"; | ||
$notify .= $actions . "\n"; | $notify .= $actions . "\n"; | ||
Line 168: | Line 160: | ||
// debug mode - send notifies even if old | // debug mode - send notifies even if old | ||
if (DEBUG) { | if (DEBUG) { list ($action,$body,$country,$netname,$inc_host) = NotifyNewBlock($ip); } | ||
else { | else { | ||
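Review bot: The new one-line form `if (DEBUG) { list ($action,$body,$country,$netname,$inc_host) = NotifyNewBlock($ip); }` buries a five-variable assignment on the same line as the condition while the `else` that follows keeps its body in a multi-line block, so the two branches read differently. Keep the `if` body on its own indented lines like the `else`, and `[$action, $body, $country, $netname, $inc_host] = NotifyNewBlock($ip);` reads cleaner than `list()`. The enclosing function starts before and ends after this hunk.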
Line 182: | Line 171: | ||
} | } | ||
} | } | ||
} | } | ||
Line 191: | Line 180: | ||
global $alert_logs,$log_date; | global $alert_logs,$log_date; | ||
// reverse dns for ip | // reverse dns for ip | ||
$host = gethostbyaddr($ip); | $host = gethostbyaddr($ip); | ||
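Review bot: The value from `gethostbyaddr($ip)` is attacker-controlled text (the PTR record belongs to whoever owns the blocked address) and appears to be what is later interpolated into the notification body (the `[$inc_host]` on the `Blocked:` line in the next hunk), so it should be handled as untrusted input rather than trusted output; at minimum strip control characters before embedding it, e.g. `$host = preg_replace('/[^\x20-\x7e]/', '', (string) gethostbyaddr($ip));`. `gethostbyaddr` also returns the IP unchanged when no PTR exists and `false` on a malformed address, which the `(string)` cast (or a `?: $ip` fallback) covers. The enclosing function begins and ends outside this hunk.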
Line 200: | Line 189: | ||
$action = "* Blocked: $ip"; | $action = "* Blocked: $ip"; | ||
$body .= "\n$action [$inc_host]\n"; | $body .= "\n$action [$inc_host]\n"; | ||
// iterate through snort logs to find reason for block | // iterate through snort logs to find reason for block | ||
Line 220: | Line 209: | ||
$body .= $result; | $body .= $result; | ||
} | } | ||
} | } | ||
$body .= "\n ---------------- END LOGS for $ip $log_date ---------------------\n"; | $body .= "\n ---------------- END LOGS for $ip $log_date ---------------------\n"; | ||
// try to get whois info | // try to get whois info | ||
if ( list ($whois,$country,$netname) = get_whois($ip) ) { $body .= "\n" . $whois . "\n"; } | if ( list ($whois,$country,$netname) = get_whois($ip) ) { $body .= "\n" . $whois . "\n"; } | ||
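Review bot: The condition `if ( list ($whois,$country,$netname) = get_whois($ip) )` is always true, because a list assignment evaluates to the right-hand array and `get_whois()` always returns a three-element array (`return array ($whois,$country,$netname);` in the later hunk), so the guard cannot skip the whois section when the lookup fails. If a failed lookup is meant to be omitted, test the content instead: `[$whois, $country, $netname] = get_whois($ip); if ($whois !== '') { $body .= "\n" . $whois . "\n"; }`. The enclosing function starts and ends outside the hunk.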
Line 247: | Line 236: | ||
$whois_data = get_whois_from_server($whois_server , $ip); | $whois_data = get_whois_from_server($whois_server , $ip); | ||
$a = explode("\n",trim($whois_data)); | $a = explode("\n",trim($whois_data)); | ||
Line 273: | Line 255: | ||
StateProv: WA | StateProv: WA | ||
PostalCode: 98144 | PostalCode: 98144 | ||
inetnum: 111.72.0.0 - 111.79.255.255 | inetnum: 111.72.0.0 - 111.79.255.255 | ||
netname: CHINANET-JX | netname: CHINANET-JX | ||
Line 283: | Line 265: | ||
*/ | */ | ||
$wanted = array('NetRange', | $wanted = array('NetRange', | ||
'CIDR', | 'CIDR', | ||
Line 309: | Line 291: | ||
$whois .= " ------------------------ WHOIS -----------------------------\n"; | $whois .= " ------------------------ WHOIS -----------------------------\n"; | ||
$whois .= " whois server: $whois_server\n\n"; | $whois .= " whois server: $whois_server\n\n"; | ||
$seen = array(); | $seen = array(); | ||
$netname = ''; | $netname = ''; | ||
Line 322: | Line 304: | ||
} | } | ||
} | } | ||
// get netnamt for action line | // get netnamt for action line | ||
$p = preg_grep( "/^NetName/i" , $a ); | $p = preg_grep( "/^NetName/i" , $a ); | ||
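Review bot: The comment `// get netnamt for action line` has a typo; `// get netname for action line`. Note that `preg_grep("/^NetName/i", $a)` preserves the original keys of `$a` in `$p`, so any later code that indexes `$p[0]` would miss a match that is not on the first line — worth confirming in the part of the function outside this hunk.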
Line 336: | Line 318: | ||
$netname = ltrim(rtrim($netname)); | $netname = ltrim(rtrim($netname)); | ||
$country = ltrim(rtrim($country)); | $country = ltrim(rtrim($country)); | ||
if (empty($seen)) { | if (empty($seen)) { | ||
foreach ($a as $l) { | foreach ($a as $l) { | ||
Line 344: | Line 326: | ||
} | } | ||
} | } | ||
$whois .= " ---------------------- END WHOIS ---------------------------\n"; | |||
return array ($whois,$country,$netname); | return array ($whois,$country,$netname); | ||
} | } | ||
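Review bot: The new side drops `$whois .= " ---------------------- END WHOIS ---------------------------\n";` but keeps the opening `------------------------ WHOIS -----------------------------` banner added earlier in the same function (visible in the hunk headed Line 309), so the whois section of the notification now has a header with no matching terminator. If the removal is intentional, the opening banner should be reduced to match; otherwise restore the line directly before `return`. Separately, `ltrim(rtrim($netname))` and `ltrim(rtrim($country))` are just `trim($netname)` and `trim($country)`. The function's start lies outside this hunk.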
Line 382: | Line 352: | ||
$alert_logs = array(); | $alert_logs = array(); | ||
$logs = `/usr/bin/find /var/log/snort/ -name alert`; | $logs = `/usr/bin/find /var/log/snort/ -name alert`; | ||
$alert_logs = explode("\n",trim($logs)); | $alert_logs = explode("\n",trim($logs)); | ||
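Review bot: `explode("\n", trim($logs))` yields `['']` rather than an empty array when `find` prints nothing, so `$alert_logs` then holds one bogus empty path that any later loop over it will try to open. Guard the empty case: `$alert_logs = trim((string) $logs) === '' ? [] : explode("\n", trim($logs));` — the `(string)` cast also covers the `null` the backtick operator returns when the command produces no output. The `$alert_logs = array();` on the first line is overwritten two lines later and can be dropped. The enclosing function starts and ends outside the hunk.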
Line 398: | Line 368: | ||
?> | ?> | ||
</source> | </source> | ||
Line 473: | Line 444: | ||
----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ||
</source> | </source> | ||