Pfsense: Difference between revisions

From RARForge
Jump to navigation Jump to search
 
(14 intermediate revisions by the same user not shown)
Line 5: Line 5:
<source>
<source>
pkg_add -r emacs-nox11
pkg_add -r emacs-nox11
</source>
=== PHP Mode ===
<source>
cat ~/.emacs
; make sure the target directory is on your load-path
(add-to-list 'load-path (expand-file-name "~/.emacs.d/lisp"))
(require 'php-mode)
</source>
<source>
cd ~/.emacs.d
wget http://php-mode.svn.sourceforge.net/svnroot/php-mode/tags/php-mode-1.5.0/php-mode.el
</source>
</source>


== Snort Auto Block Email ==


 
; this has been tested on pfsense 2.1-BETA1
 
== Snort Auto Block Email ==


* SNORT does not have any way to notify (as I know of) when it blocks/unblocks an IP automatically. Below is a PHP script that will.  
* SNORT does not have any way to notify (as I know of) when it blocks/unblocks an IP automatically. Below is a PHP script that will.  
Line 21: Line 31:
* Install CRON from the GUI Package Manger
* Install CRON from the GUI Package Manger
* setup CRON to execute '''/usr/local/bin/snort_autoblock_notify.php''' every 5 minutes as '''root'''
* setup CRON to execute '''/usr/local/bin/snort_autoblock_notify.php''' every 5 minutes as '''root'''
<source lang=text>
    min: */5
  hour: *
  mday: *
  month: *
  wday: *
    who: root
command: /usr/local/bin/snort_autoblock_notify.php  &> /dev/null
</source>


=== snort_autoblock_notify.php ===
=== snort_autoblock_notify.php ===
Line 35: Line 57:
  *
  *
  *  Created: 2013-05-01
  *  Created: 2013-05-01
  * Modified: 2013-05-01
  * Modified: 2013-06-18
  *
  *
  *  Version: 0.0.1
  *  Version: 0.0.6
  *
  *
  * Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine.  
  * Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine.  
  *
  *
* .0.0.6 - added $exclude_country -- will not notify if country is in the list
* .0.0.5 - whois function will check Parent block if reassigned
  */
  */
   
   
   
   
define(DEBUG, 0); // ghetto debugging... not really useful
define(DEBUG, 0); // ghetto debugging... not really useful
$exclude_country = array('CN','UA',);
// body header
$header = '';
$footer = __FILE__ . ' SNORT Auto Block Notifcation';
//$footer .= "\n-----------------------------------------------------------------------------------------------------------------------------------\n";
   
   
// get snort alert logs
// get snort alert logs
Line 67: Line 98:
}
}
$is_blocked = array();
$is_blocked = array();
$is_blocked = explode("\n",$contents);
$is_blocked = explode("\n",trim($contents));
   
   
// Liste currently blocked IP's from snort - from the pf table (snort2c)
// Liste currently blocked IP's from snort - from the pf table (snort2c)
$out = shell_exec("/sbin/pfctl -t snort2c -T show | sed -e 's/^[[:space:]]*//'");
$out = shell_exec("/sbin/pfctl -t snort2c -T show | sed -e 's/^[[:space:]]*//'");
//$out = shell_exec("/sbin/pfctl -t snort2c -T show |");
//$out = shell_exec("/sbin/pfctl -t snort2c -T show |");
$ips = explode("\n",$out);     
$ips = explode("\n",trim($out));     
 
$message_body;
$message_body;
   
   
// notify on unblocked
// notify on unblocked
foreach ($is_blocked as $ib) {
foreach ($is_blocked as $ib) {
   if (!in_array($ib, $ips)) {
   if (!in_array($ib, $ips) && !empty($ib)) {
     $message_body .= " Unblocked: $ib\n";
     $log = "* Unblocked: $ib";
    $actions .= " $log\n";
     // log to syslog
     // log to syslog
     $log_cmd = "echo \"$message_body\" | logger -P local0 -t snort2c";
     $log_cmd = "echo \"$log\" | logger -P local0 -t snort2c";
     shell_exec($log_cmd);
     shell_exec($log_cmd);
   }
   }
Line 88: Line 120:
// iterate through IP blocks
// iterate through IP blocks
if (is_array($ips)) {         
if (is_array($ips)) {         
  global $header;
  $fp = fopen($statusfile, 'w');
   
   
  $fp = fopen($statusfile, 'w');
   
   
   foreach ($ips as $ip) {
   foreach ($ips as $ip) {
Line 96: Line 129:
       // CheckIP - return info about IP if this is not currently blocked
       // CheckIP - return info about IP if this is not currently blocked
       if (DEBUG) {    print "Check Blocked IP: $ip \n";  }
       if (DEBUG) {    print "Check Blocked IP: $ip \n";  }
       $message_body .= CheckIP($ip,$fp);
       list ($action,$tmp_body,$country,$netname,$inc_host) = CheckIP($ip,$fp);
      if (DEBUG && !$message_body) {    print "  no message_body for $ip \n";  }
      if (in_array(strtoupper($country),$exclude_country)) {
          if (DEBUG) {    print "Skipping notify on $ip -- $country is in the exclude_country list\n";  }
          continue;
      }
      if ($action) {
        $format = "%-26s [%-2s] %-15.15s [%s] \n";
        $actions .= sprintf($format, $action,  $country, $netname, $inc_host);
        $message_body .= $tmp_body;
        if (DEBUG && !$message_body) {    print "  no message_body for $ip \n";  }
      }
     }  
     }  
   }
   }
Line 104: Line 146:
   // Notify if we had any results
   // Notify if we had any results
   if (!empty($message_body)) {
   if (!empty($message_body)) {
     $message_body .= "\n-----------------------------------------------------------------------------------------------------------------------------------\n";
     if (DEBUG) {    print $message_body . "\n";  }
    $notify = $header;
     notify_via_smtp($message_body);
     notify_via_growl($message_body);
     $notify .= "------- Actions -------\n\n";
    $notify .= $actions . "\n";
    $notify .= "-----------------------\n\n\n";
    $notify .= "------- Deatailed Info -------\n\n";
    $notify .= $message_body . "\n";
    $notify .= $footer;
     if (DEBUG) {    print $notify . "\n";  }
     notify_via_smtp($notify);
     notify_via_growl($notify);
   }
   }
}
}
Line 118: Line 168:
   
   
   // debug mode - send notifies even if old
   // debug mode - send notifies even if old
   if (DEBUG) {    $body = NotifyNewBlock($ip); }  
   if (DEBUG) {     
    list ($action,$body,$country,$netname,$inc_host) = NotifyNewBlock($ip);  
    return array ($action,$body,$country,$netname,$inc_host);
  }  
   
   
   else {
   else {
Line 124: Line 177:
       if (!in_array($ip,$is_blocked)) {
       if (!in_array($ip,$is_blocked)) {
         // not in current block list - obtain IP info - whois/alert logs
         // not in current block list - obtain IP info - whois/alert logs
         $body = NotifyNewBlock($ip,$body);
         list ($action,$body,$country,$netname,$inc_host) = NotifyNewBlock($ip,$body);
        return array ($action,$body,$country,$netname,$inc_host);
       }
       }
     }
     }
   }
   }
  return $body;
}
}
   
   
Line 135: Line 190:
function NotifyNewBlock($ip) {
function NotifyNewBlock($ip) {
   global $alert_logs,$log_date;
   global $alert_logs,$log_date;
   
   
   // reverse dns for ip
   // reverse dns for ip
   $host = gethostbyaddr($ip);
   $host = gethostbyaddr($ip);
   if ($host != $ip) {  $inc_host = "[$host]"; }
   if ($host != $ip) {  $inc_host = "$host"; }
   
   
   // start of body
   // start of body
   $body = "\n\n-----------------------------------------------------------------------------------------------------------------------------------\n";
   //$body = "\n\n-----------------------------------------------------------------------------------------------------------------------------------\n";
   $body .= "\n* Blocked: $ip $inc_host\n";
  $action = "* Blocked: $ip";
   $body .= "\n$action [$inc_host]\n";
   
   
  // try to get whois info
  if ( $whois = get_whois($ip) ) {    $body .= $whois; }
   
   
   // iterate through snort logs to find reason for block
   // iterate through snort logs to find reason for block
  $body .= "\n  ------------------ LOGS for $ip $log_date -----------------------\n";
   foreach ($alert_logs as $log) {
   foreach ($alert_logs as $log) {
     $cmd = 'grep ' . "$ip $log | grep $log_date " .  
     $cmd = 'grep ' . "$ip $log | grep $log_date " .  
Line 154: Line 211:
   
   
     if (DEBUG) { print "\tDEBUG: " . $cmd . "\n\n";}
     if (DEBUG) { print "\tDEBUG: " . $cmd . "\n\n";}
    $result .= shell_exec ($cmd);
    if ($result) {
      $body .= "LogFile: $log\n\n";
      $tmp_log = explode("\n",trim($result));
      if ($tmp_log[0]) {
        $log_body = $tmp_log[0];  // only get on for logger - last one
      }
    $body .= $result;
    }
   
   
    $body .= "\n  ------------------ LOGS for $ip $log_date -----------------------\n";
    $result .= shell_exec ($cmd);
    $tmp_log = explode("\n",$result);
    $log_body = $tmp_log[0];  // only get on for logger - last one
    $body .= $result;
    $body .= "  ---------------- END LOGS for $ip $log_date ---------------------\n";
   }
   }
 
$body .= "\n  ---------------- END LOGS for $ip $log_date ---------------------\n";
   // log to syslog
  $log_body = str_replace('"', "'", $log_body );
  $log_cmd = "echo \"Blocked=$ip $log_body\" | logger -P local0 -t snort2c";
   // try to get whois info
if ( list ($whois,$country,$netname) = get_whois($ip) ) {    $body .= "\n" . $whois . "\n"; }
// log to syslog
if ($log_body) {
  $log_body = str_replace('"', "'", $log_body );
    $log_cmd = "echo \"Blocked=$ip $log_body\" | logger -P local0 -t snort2c";
  }
   shell_exec($log_cmd);
   shell_exec($log_cmd);
   
   
   return $body;
   return array ($action,$body,$country,$netname,$inc_host);
}
}
   
   
Line 180: Line 247:
   $whois_data = get_whois_from_server($whois_server , $ip);
   $whois_data = get_whois_from_server($whois_server , $ip);


   $a = explode("\n",$whois_data);
  // if there is now Country info -- lets get the Parent Block info (hack - works for comcast.. not sure of others)
  if (!preg_match("/Country/",$whois_data) && preg_match("/NET-([\d\-]+)/",$whois_data, $matches) ) {
    $whois_old = $whois_data;
    $whois_data = get_whois_from_server($whois_server , $matches[0]);
  }
 
   $a = explode("\n",trim($whois_data));
   
   
   /* wanted info  
   /* wanted info  
Line 199: Line 273:
     StateProv:      WA
     StateProv:      WA
     PostalCode:    98144
     PostalCode:    98144
 
     inetnum:        111.72.0.0 - 111.79.255.255
     inetnum:        111.72.0.0 - 111.79.255.255
     netname:        CHINANET-JX
     netname:        CHINANET-JX
Line 209: Line 283:
   */
   */
   
   
 
 
   $wanted = array('NetRange',
   $wanted = array('NetRange',
                   'CIDR',
                   'CIDR',
Line 235: Line 309:
   $whois .= "  ------------------------ WHOIS -----------------------------\n";
   $whois .= "  ------------------------ WHOIS -----------------------------\n";
   $whois .= "  whois server: $whois_server\n\n";
   $whois .= "  whois server: $whois_server\n\n";
 
   $seen = array();
   $seen = array();
  $netname = '';
   foreach ($wanted as $w) {
   foreach ($wanted as $w) {
     $p = preg_grep( "/^$w/i" , $a );
     $p = preg_grep( "/^$w/i" , $a );
Line 247: Line 322:
     }
     }
   }  
   }  
 
 
  // get netnamt for action line
  $p = preg_grep( "/^NetName/i" , $a );
  foreach ($p as $l) {
    if (preg_match('/netname:\s+(.*)/i' , $l , $m)) { $netname = $m[1]; }
  }
  // get country too
  $p = preg_grep( "/^country/i" , $a );
  foreach ($p as $l) {
    if (preg_match('/country:\s+(.*)/i' , $l , $m)) { $country = $m[1]; }
  }
  $netname = ltrim(rtrim($netname));
  $country = ltrim(rtrim($country));
   if (empty($seen)) {
   if (empty($seen)) {
     foreach ($a as $l) {
     foreach ($a as $l) {
    if (!preg_match("/^#/",$l) && preg_match("/\w/",$l)) {
      if (!preg_match("/^#/",$l) && preg_match("/\w/",$l)) {
      $whois .= $l . "\n";
        $whois .= $l . "\n";
    }
      }
    }
  }
 
  // show the original info if it exist..
  if ($whois_old) {
    $o = explode("\n",trim($whois_old));
    foreach ($o as $l) {
      if (!preg_match("/^#/",$l) && preg_match("/\w/",$l)) {
        $whois .= "\t" . $l . "\n";
      }
     }
     }
   }
   }
  $whois .= "  ---------------------- END WHOIS ---------------------------\n";




   return $whois;
  $whois .= "  ---------------------- END WHOIS ---------------------------\n";
   return array ($whois,$country,$netname);
}
}
   
   
Line 281: Line 381:
function GetLogs() {
function GetLogs() {
   $alert_logs = array();
   $alert_logs = array();
   $ps_logs = `ps auxw | grep snort | grep "\-l " | grep -v grep`;
   $logs = `/usr/bin/find /var/log/snort/ -name alert`;
   $psa = explode("\n",$ps_logs);
  if (!empty($psa)) {
   $alert_logs = explode("\n",trim($logs));
    foreach ($psa as $ps) {
      if (preg_match( "/\s-l\s+([^\s]+)/i" , $ps, $m)) {
        array_push ($alert_logs,$m[1] . "/alert");
      }
    }
  }
   
   
   if (!empty($alert_logs)) {
   if (!empty($alert_logs)) {
     return $alert_logs;
     return $alert_logs;
   } else {
   } else {
     $notificationmsg = "failed to locate alert logs - snort running?\n";
     $notificationmsg = "failed to locate alert logs - is snort installed?\n";
     print $notificationmsg;
     print $notificationmsg;
     notify_via_smtp($notificationmsg);
     notify_via_smtp($notificationmsg);
Line 301: Line 395:
   }
   }
}
}
?>
?>
</source>
</source>


=== Example Output ===
=== Example Output ===
* Email on Blocked
* Email on Unblocked and/or Blocked
<source lang=text>
<source lang=text>
  Unblocked: 8.8.8.8
  Unblocked: 8.8.8.8
Line 377: Line 473:
-----------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------
</source>
</source>
[[Category:How-to]]
[[Category:Networking]]

Latest revision as of 18:43, 2 July 2015

  • just some things to remember...


Install Emacs[edit]

<source> pkg_add -r emacs-nox11 </source>

PHP Mode[edit]

<source> cat ~/.emacs

make sure the target directory is on your load-path

(add-to-list 'load-path (expand-file-name "~/.emacs.d/lisp")) (require 'php-mode) </source> <source> cd ~/.emacs.d wget http://php-mode.svn.sourceforge.net/svnroot/php-mode/tags/php-mode-1.5.0/php-mode.el </source>

Snort Auto Block Email[edit]

this has been tested on pfsense 2.1-BETA1
  • SNORT does not have any way to notify (as I know of) when it blocks/unblocks an IP automatically. Below is a PHP script that will.
  • It will notify email/growl -- using the default notification list from pfsense (i.e. system / advanced / notifications )
  • It will log to syslog snort2c on Blocked/Unblocked events
Install
  • copy code below into: /usr/local/bin/snort_autoblock_notify.php
  • chmod +x /usr/local/bin/snort_autoblock_notify.php
  • Install CRON from the GUI Package Manger
  • setup CRON to execute /usr/local/bin/snort_autoblock_notify.php every 5 minutes as root

<source lang=text>

   min: */5
  hour: *
  mday: *
 month: *
  wday: *
   who: root

command: /usr/local/bin/snort_autoblock_notify.php &> /dev/null </source>



snort_autoblock_notify.php[edit]

<source lang=php>

  1. !/usr/local/bin/php -f
  <?php

require_once("functions.inc"); require_once("config.inc"); require_once("notices.inc");


/* Rob Reed

*
*  Created: 2013-05-01
* Modified: 2013-06-18
*
*  Version: 0.0.6
*
* Notify when snort autoblocks - run this on a cron. Every 5 minutes should be fine. 
*
* .0.0.6 - added $exclude_country -- will not notify if country is in the list
* .0.0.5 - whois function will check Parent block if reassigned
*/


define(DEBUG, 0); // ghetto debugging... not really useful

$exclude_country = array('CN','UA',);

// body header $header = ; $footer = __FILE__ . ' SNORT Auto Block Notifcation'; //$footer .= "\n-----------------------------------------------------------------------------------------------------------------------------------\n";

// get snort alert logs $alert_logs = GetLogs();

// date stuff $log_date = `date "+%m/%d/%y"`; $log_date = preg_replace( "/\r|\n/", "", $log_date ); $today = date("F j, Y H:i:s");

// sadly th built in pfsense notification do not allow for a custom subject.. maybe later $subject = "Snort Autoblock: $today";

// status file of current blocks $statusfile = '/tmp/blocked.status';

// read in current blocks if (file_exists($statusfile) && filesize($statusfile) > 0) {

 $read = fopen($statusfile, "r");
 $contents = fread($read, filesize($statusfile));
 fclose($read);

} $is_blocked = array(); $is_blocked = explode("\n",trim($contents));

// Liste currently blocked IP's from snort - from the pf table (snort2c) $out = shell_exec("/sbin/pfctl -t snort2c -T show | sed -e 's/^space:*//'"); //$out = shell_exec("/sbin/pfctl -t snort2c -T show |"); $ips = explode("\n",trim($out));

$message_body;

// notify on unblocked foreach ($is_blocked as $ib) {

 if (!in_array($ib, $ips) && !empty($ib)) {
   $log = "* Unblocked: $ib";
   $actions .= " $log\n";
   // log to syslog
   $log_cmd = "echo \"$log\" | logger -P local0 -t snort2c";
   shell_exec($log_cmd);
 }

}

// iterate through IP blocks if (is_array($ips)) {

 global $header; 
 $fp = fopen($statusfile, 'w');


 foreach ($ips as $ip) {
   $ip= ltrim(rtrim($ip));
   if (preg_match("/\d+\./",$ip)) {
     // CheckIP - return info about IP if this is not currently blocked
     if (DEBUG) {     print "Check Blocked IP: $ip \n";   }
     list ($action,$tmp_body,$country,$netname,$inc_host) = CheckIP($ip,$fp);
     if (in_array(strtoupper($country),$exclude_country)) {
          if (DEBUG) {     print "Skipping notify on $ip -- $country is in the exclude_country list\n";   }
          continue;
     }
     if ($action) {
       $format = "%-26s [%-2s] %-15.15s [%s] \n";
       $actions .= sprintf($format, $action,  $country, $netname, $inc_host);
       $message_body .= $tmp_body;
       if (DEBUG && !$message_body) {     print "  no message_body for $ip \n";   }
     }
   } 
 }
 fclose($fp);

 // Notify if we had any results
 if (!empty($message_body)) {

   $notify = $header;

   $notify .= "------- Actions -------\n\n";
   $notify .= $actions . "\n";
   $notify .= "-----------------------\n\n\n";
   $notify .= "------- Deatailed Info -------\n\n";
   $notify .= $message_body . "\n";
   $notify .= $footer;
   if (DEBUG) {     print $notify . "\n";   }
   notify_via_smtp($notify);
   notify_via_growl($notify);
 }

}

/************* FUNCTIONS **************************/

function CheckIP($ip,$fp) {

 global $is_blocked;
 fwrite($fp, $ip . "\n");

 // debug mode - send notifies even if old
 if (DEBUG) {    
    list ($action,$body,$country,$netname,$inc_host) = NotifyNewBlock($ip); 
    return array ($action,$body,$country,$netname,$inc_host);
 } 

 else {
   if (is_array($is_blocked)) {
     if (!in_array($ip,$is_blocked)) {
       // not in current block list - obtain IP info - whois/alert logs
       list ($action,$body,$country,$netname,$inc_host) = NotifyNewBlock($ip,$body);
       return array ($action,$body,$country,$netname,$inc_host);
     }
   }
 }


}


// generate the data for the notification - whois info, alert log info, etc.. function NotifyNewBlock($ip) {

 global $alert_logs,$log_date;


 // reverse dns for ip
 $host = gethostbyaddr($ip);
 if ($host != $ip) {   $inc_host = "$host"; }

 // start of body
 //$body = "\n\n-----------------------------------------------------------------------------------------------------------------------------------\n";
 $action = "* Blocked: $ip";
 $body .= "\n$action [$inc_host]\n";



 // iterate through snort logs to find reason for block
 $body .= "\n  ------------------ LOGS for $ip $log_date -----------------------\n";
 foreach ($alert_logs as $log) {
   $cmd = 'grep ' . "$ip $log | grep $log_date " . 
     ' | awk -F, \'{ print "SID="$2":"$3":"$4" PRI="$13" CLASS="$12" DESC="$5" SRC_IP="$7" SRC_PORT="$8" DST_IP="$9" DST_PORT="$10" PROTO="$6}\' ' .
     ' | sort | uniq ';

   if (DEBUG) { print "\tDEBUG: " . $cmd . "\n\n";}
   $result .= shell_exec ($cmd);
   if ($result) {
     $body .= "LogFile: $log\n\n";
     $tmp_log = explode("\n",trim($result));
     if ($tmp_log[0]) {
       $log_body = $tmp_log[0];  // only get on for logger - last one
     }
    $body .= $result;
   }

 }
$body .= "\n  ---------------- END LOGS for $ip $log_date ---------------------\n";


 // try to get whois info
if ( list ($whois,$country,$netname) = get_whois($ip) ) {    $body .= "\n" . $whois . "\n"; }

// log to syslog
if ($log_body) {
  $log_body = str_replace('"', "'", $log_body );
   $log_cmd = "echo \"Blocked=$ip $log_body\" | logger -P local0 -t snort2c";
 }
 shell_exec($log_cmd);

 return array ($action,$body,$country,$netname,$inc_host);

}


// whois function - work in progress function get_whois($ip) {

 $w = get_whois_from_server('whois.iana.org' , $ip);
 preg_match('/whois:\s+([\w\.\-]+)/' , $w , $data);
 $whois_server = $data[1];
 //now get actual whois data
 $whois_data = get_whois_from_server($whois_server , $ip);
 // if there is now Country info -- lets get the Parent Block info (hack - works for comcast.. not sure of others)
 if (!preg_match("/Country/",$whois_data) && preg_match("/NET-([\d\-]+)/",$whois_data, $matches) ) {
   $whois_old = $whois_data;
   $whois_data = get_whois_from_server($whois_server , $matches[0]);
 }


 $a = explode("\n",trim($whois_data));

 /* wanted info 
   NetRange:       50.16.0.0 - 50.19.255.255
   CIDR:           50.16.0.0/14
   OriginAS:       
   NetName:        AMAZON-EC2-8
   NetHandle:      NET-50-16-0-0-1
   Parent:         NET-50-0-0-0-0
   NetType:        Direct Assignment
   Ref:            http://whois.arin.net/rest/net/NET-50-16-0-0-1

   OrgName:        Amazon.com, Inc.
   OrgId:          AMAZO-4
   Address:        Amazon Web Services, Elastic Compute Cloud, EC2
   Address:        1200 12th Avenue South
   City:           Seattle
   StateProv:      WA
   PostalCode:     98144

   inetnum:        111.72.0.0 - 111.79.255.255
   netname:        CHINANET-JX
   descr:          CHINANET JIANGXI PROVINCE NETWORK
   descr:          China Telecom
   descr:          No.31,jingrong street
   descr:          Beijing 100032
   country:        CN
 */



 $wanted = array('NetRange',
                 'CIDR',
                 'OriginAS',
                 'NetName',
                 'NetHandle',
                 'Parent',
                 'NetType',
                 'Ref',
                 'OrgName',
                 'OrgId',
                 'Address',
                 'Address',
                 'City',
                 'StateProv',
                 'PostalCode',
                 'inetnum',
                 'descr',
                 'country'
                 );



 $whois .= "  ------------------------ WHOIS -----------------------------\n";
 $whois .= "  whois server: $whois_server\n\n";

 $seen = array();
 $netname = ;
 foreach ($wanted as $w) {
   $p = preg_grep( "/^$w/i" , $a );
   foreach ($p as $l) {
     $tmp = "\t" . $l . "\n";
     if (!in_array($tmp,$seen)) {
           $whois .= $tmp;
     }
     $seen[] = $tmp;
   }
 } 


 // get netnamt for action line
 $p = preg_grep( "/^NetName/i" , $a );
 foreach ($p as $l) {
   if (preg_match('/netname:\s+(.*)/i' , $l , $m)) { $netname = $m[1]; }
 }
 // get country too
 $p = preg_grep( "/^country/i" , $a );
 foreach ($p as $l) {
   if (preg_match('/country:\s+(.*)/i' , $l , $m)) { $country = $m[1]; }
 }
 $netname = ltrim(rtrim($netname));
 $country = ltrim(rtrim($country));

 if (empty($seen)) {
   foreach ($a as $l) {
     if (!preg_match("/^#/",$l) && preg_match("/\w/",$l)) {
       $whois .= $l . "\n";
     }
   }
 }
 // show the original info if it exist..
  if ($whois_old) {
   $o = explode("\n",trim($whois_old));
   foreach ($o as $l) {
     if (!preg_match("/^#/",$l) && preg_match("/\w/",$l)) {
       $whois .= "\t" . $l . "\n";
     }
   }
 }


 $whois .= "  ---------------------- END WHOIS ---------------------------\n";


 return array ($whois,$country,$netname);

}


// whois server loookup function get_whois_from_server($server , $ip) {

 $fp = fsockopen("tcp://$server", 43, $errno, $errstr);
 if (!$fp) {
   echo "ERROR: $errno - $errstr
\n"; } else { fwrite($fp, "$ip\n"); while (!feof($fp)) $result .= fread($fp,32000); fclose($fp); return $result; }

}


// lists all sensors - return array of sensor alert files function GetLogs() {

 $alert_logs = array();
 $logs = `/usr/bin/find /var/log/snort/ -name alert`;

 $alert_logs = explode("\n",trim($logs));

 if (!empty($alert_logs)) {
   return $alert_logs;
 } else {
   $notificationmsg = "failed to locate alert logs - is snort installed?\n";
   print $notificationmsg;
   notify_via_smtp($notificationmsg);
   notify_via_growl($notificationmsg);
   exit;
 }

}


?> </source>

Example Output[edit]

  • Email on Unblocked and/or Blocked

<source lang=text>

Unblocked: 8.8.8.8
Unblocked: 4.4.4.2

  • Blocked: 61.156.238.56
 ------------------------ WHOIS -----------------------------
 whois server: whois.apnic.net

netname: UNICOM-SD address: No.21,Jin-Rong Street address: Beijing,100033 address: P.R.China address: Jinan,Shandong P.R China inetnum: 61.156.0.0 - 61.156.255.255 descr: China Unicom Shandong province network descr: China Unicom descr: CNC Group CHINA169 Shandong Province Network country: CN

 ---------------------- END WHOIS ---------------------------
 ------------------ LOGS for 61.156.238.56 05/01/13 -----------------------

SID=1:2001219:18 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Potential SSH Scan" SRC_IP=61.156.238.56 SRC_PORT=5920 DST_IP={hidden} DST_PORT=22 PROTO=TCP SID=1:2500088:2849 PRI=2 CLASS=Misc Attack DESC="ET COMPROMISED Known Compromised or Hostile Host Traffic TCP (45)" SRC_IP=61.156.238.56 SRC_PORT=5920 DST_IP={hidden} DST_PORT=22 PROTO=TCP

 ---------------- END LOGS for 61.156.238.56 05/01/13 ---------------------



  • Blocked: 111.74.238.58
 ------------------------ WHOIS -----------------------------
 whois server: whois.apnic.net

netname: CHINANET-JX address: Jiangxi telecom network operation support department address: No.2009, Beijing East Road , nanchang,jiangxi province inetnum: 111.72.0.0 - 111.79.255.255 descr: CHINANET JIANGXI PROVINCE NETWORK descr: China Telecom descr: No.31,jingrong street descr: Beijing 100032 country: CN

 ---------------------- END WHOIS ---------------------------
 ------------------ LOGS for 111.74.238.58 05/01/13 -----------------------

SID=1:2001219:18 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Potential SSH Scan" SRC_IP=111.74.238.58 SRC_PORT=31091 DST_IP={hidden} DST_PORT=22 PROTO=TCP

 ---------------- END LOGS for 111.74.238.58 05/01/13 ---------------------



  • Blocked: 173.167.52.169 [173-167-52-169-ip-static.hfc.comcastbusiness.net]
 ------------------------ WHOIS -----------------------------
 whois server: whois.arin.net

Comcast Business Communications, LLC CBC-CM-4 (NET-173-160-0-0-1) 173.160.0.0 - 173.167.255.255 CONCEPT MINING INC CONCEPTMININGINC (NET-173-167-52-168-1) 173.167.52.168 - 173.167.52.175 Comcast Business Communications, LLC CBC-RICHMOND-17 (NET-173-167-52-0-1) 173.167.52.0 - 173.167.55.255

 ---------------------- END WHOIS ---------------------------
 ------------------ LOGS for 173.167.52.169 05/01/13 -----------------------

SID=1:2008578:6 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Sipvicious Scan" SRC_IP=173.167.52.169 SRC_PORT=5067 DST_IP={hidden} DST_PORT=5060 PROTO=UDP SID=1:2011716:4 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Sipvicious User-Agent Detected (friendly-scanner)" SRC_IP=173.167.52.169 SRC_PORT=5067 DST_IP={hidden} DST_PORT=5060 PROTO=UDP SID=1:2011716:4 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Sipvicious User-Agent Detected (friendly-scanner)" SRC_IP=173.167.52.169 SRC_PORT=5067 DST_IP={hidden} DST_PORT=5060 PROTO=UDP SID=1:2011716:4 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Sipvicious User-Agent Detected (friendly-scanner)" SRC_IP=173.167.52.169 SRC_PORT=5067 DST_IP={hidden} DST_PORT=5060 PROTO=UDP SID=1:2011716:4 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Sipvicious User-Agent Detected (friendly-scanner)" SRC_IP=173.167.52.169 SRC_PORT=5067 DST_IP={hidden} DST_PORT=5060 PROTO=UDP SID=1:2011716:4 PRI=2 CLASS=Attempted Information Leak DESC="ET SCAN Sipvicious User-Agent Detected (friendly-scanner)" SRC_IP=173.167.52.169 SRC_PORT=5067 DST_IP={hidden} DST_PORT=5060 PROTO=UDP

 ---------------- END LOGS for 173.167.52.169 05/01/13 ---------------------

</source>