Editing Pfsense
Jump to navigation
Jump to search
The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 10: | Line 10: | ||
cat ~/.emacs | cat ~/.emacs | ||
; make sure the target directory is on your load-path | ; make sure the target directory is on your load-path | ||
(add-to-list 'load-path | (add-to-list 'load-path "~/.emacs.d") | ||
(require 'php-mode) | (require 'php-mode) | ||
</source> | </source> | ||
Line 57: | Line 57: | ||
* | * | ||
* Created: 2013-05-01 | * Created: 2013-05-01 | ||
* Modified: 2013- | * Modified: 2013-05-20 | ||
* | * | ||
* Version: 0.0. | * Version: 0.0.5 | ||
* | * | ||
* Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine. | * Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine. | ||
* | * | ||
*/ | */ | ||
Line 70: | Line 68: | ||
define(DEBUG, 0); // ghetto debugging... not really useful | define(DEBUG, 0); // ghetto debugging... not really useful | ||
// body header | // body header | ||
$header = ''; | $header = ''; | ||
$footer = __FILE__ . ' SNORT Auto Block Notifcation'; | $footer = __FILE__ . ' SNORT Auto Block Notifcation'; | ||
//$footer .= "\n-----------------------------------------------------------------------------------------------------------------------------------\n"; | //$footer .= "\n-----------------------------------------------------------------------------------------------------------------------------------\n"; | ||
// get snort alert logs | // get snort alert logs | ||
$alert_logs = GetLogs(); | $alert_logs = GetLogs(); | ||
Line 104: | Line 100: | ||
//$out = shell_exec("/sbin/pfctl -t snort2c -T show |"); | //$out = shell_exec("/sbin/pfctl -t snort2c -T show |"); | ||
$ips = explode("\n",trim($out)); | $ips = explode("\n",trim($out)); | ||
$message_body; | $message_body; | ||
Line 122: | Line 118: | ||
global $header; | global $header; | ||
$fp = fopen($statusfile, 'w'); | $fp = fopen($statusfile, 'w'); | ||
foreach ($ips as $ip) { | foreach ($ips as $ip) { | ||
$ip= ltrim(rtrim($ip)); | $ip= ltrim(rtrim($ip)); | ||
Line 130: | Line 126: | ||
if (DEBUG) { print "Check Blocked IP: $ip \n"; } | if (DEBUG) { print "Check Blocked IP: $ip \n"; } | ||
list ($action,$tmp_body,$country,$netname,$inc_host) = CheckIP($ip,$fp); | list ($action,$tmp_body,$country,$netname,$inc_host) = CheckIP($ip,$fp); | ||
if ($action) { | if ($action) { | ||
$format = "%-26s [%-2s] %-15.15s [%s] \n"; | $format = "%-26s [%-2s] %-15.15s [%s] \n"; | ||
Line 143: | Line 135: | ||
} | } | ||
fclose($fp); | fclose($fp); | ||
// Notify if we had any results | // Notify if we had any results | ||
if (!empty($message_body)) { | if (!empty($message_body)) { | ||
$notify = $header; | $notify = $header; | ||
$notify .= "------- Actions -------\n\n"; | $notify .= "------- Actions -------\n\n"; | ||
$notify .= $actions . "\n"; | $notify .= $actions . "\n"; | ||
Line 168: | Line 160: | ||
// debug mode - send notifies even if old | // debug mode - send notifies even if old | ||
if (DEBUG) { | if (DEBUG) { | ||
list ($action,$body,$country,$netname,$inc_host) = NotifyNewBlock($ip); | |||
return array ($action,$body,$country,$netname,$inc_host); | |||
} | } | ||
Line 182: | Line 174: | ||
} | } | ||
} | } | ||
} | } | ||
Line 191: | Line 183: | ||
global $alert_logs,$log_date; | global $alert_logs,$log_date; | ||
// reverse dns for ip | // reverse dns for ip | ||
$host = gethostbyaddr($ip); | $host = gethostbyaddr($ip); | ||
Line 200: | Line 192: | ||
$action = "* Blocked: $ip"; | $action = "* Blocked: $ip"; | ||
$body .= "\n$action [$inc_host]\n"; | $body .= "\n$action [$inc_host]\n"; | ||
// iterate through snort logs to find reason for block | // iterate through snort logs to find reason for block | ||
Line 220: | Line 212: | ||
$body .= $result; | $body .= $result; | ||
} | } | ||
} | } | ||
$body .= "\n ---------------- END LOGS for $ip $log_date ---------------------\n"; | $body .= "\n ---------------- END LOGS for $ip $log_date ---------------------\n"; | ||
// try to get whois info | // try to get whois info | ||
if ( list ($whois,$country,$netname) = get_whois($ip) ) { $body .= "\n" . $whois . "\n"; } | if ( list ($whois,$country,$netname) = get_whois($ip) ) { $body .= "\n" . $whois . "\n"; } | ||
Line 247: | Line 239: | ||
$whois_data = get_whois_from_server($whois_server , $ip); | $whois_data = get_whois_from_server($whois_server , $ip); | ||
$a = explode("\n",trim($whois_data)); | $a = explode("\n",trim($whois_data)); | ||
Line 273: | Line 258: | ||
StateProv: WA | StateProv: WA | ||
PostalCode: 98144 | PostalCode: 98144 | ||
inetnum: 111.72.0.0 - 111.79.255.255 | inetnum: 111.72.0.0 - 111.79.255.255 | ||
netname: CHINANET-JX | netname: CHINANET-JX | ||
Line 283: | Line 268: | ||
*/ | */ | ||
$wanted = array('NetRange', | $wanted = array('NetRange', | ||
'CIDR', | 'CIDR', | ||
Line 309: | Line 294: | ||
$whois .= " ------------------------ WHOIS -----------------------------\n"; | $whois .= " ------------------------ WHOIS -----------------------------\n"; | ||
$whois .= " whois server: $whois_server\n\n"; | $whois .= " whois server: $whois_server\n\n"; | ||
$seen = array(); | $seen = array(); | ||
$netname = ''; | $netname = ''; | ||
Line 322: | Line 307: | ||
} | } | ||
} | } | ||
// get netnamt for action line | // get netnamt for action line | ||
$p = preg_grep( "/^NetName/i" , $a ); | $p = preg_grep( "/^NetName/i" , $a ); | ||
Line 336: | Line 321: | ||
$netname = ltrim(rtrim($netname)); | $netname = ltrim(rtrim($netname)); | ||
$country = ltrim(rtrim($country)); | $country = ltrim(rtrim($country)); | ||
if (empty($seen)) { | if (empty($seen)) { | ||
foreach ($a as $l) { | foreach ($a as $l) { | ||
Line 344: | Line 329: | ||
} | } | ||
} | } | ||
$whois .= " ---------------------- END WHOIS ---------------------------\n"; | |||
return array ($whois,$country,$netname); | return array ($whois,$country,$netname); | ||
} | } | ||
Line 382: | Line 355: | ||
$alert_logs = array(); | $alert_logs = array(); | ||
$logs = `/usr/bin/find /var/log/snort/ -name alert`; | $logs = `/usr/bin/find /var/log/snort/ -name alert`; | ||
$alert_logs = explode("\n",trim($logs)); | $alert_logs = explode("\n",trim($logs)); | ||
Line 398: | Line 371: | ||
?> | ?> | ||
</source> | </source> | ||