diff options
author | jim-p <jim@pingle.org> | 2009-11-15 11:22:45 -0500 |
---|---|---|
committer | jim-p <jim@pingle.org> | 2009-11-15 11:22:45 -0500 |
commit | e390b503f503f48e656d91f61d933cc1fd7f7a3c (patch) | |
tree | 4e4505ac06f8eb99847a49c952279a1dc2beb526 /etc/inc/filter_log.inc | |
parent | 9c5637544acd10221d465030a430e39dcf92acdf (diff) | |
download | pfsense-e390b503f503f48e656d91f61d933cc1fd7f7a3c.zip pfsense-e390b503f503f48e656d91f61d933cc1fd7f7a3c.tar.gz |
Move two include files to /etc/inc instead of leaving them in the www dir. Move filterparser.php to /usr/local/bin since it's not meant to be used from the web interface.
Diffstat (limited to 'etc/inc/filter_log.inc')
-rw-r--r-- | etc/inc/filter_log.inc | 295 |
1 files changed, 295 insertions, 0 deletions
diff --git a/etc/inc/filter_log.inc b/etc/inc/filter_log.inc new file mode 100644 index 0000000..3dc00c8 --- /dev/null +++ b/etc/inc/filter_log.inc @@ -0,0 +1,295 @@ +<?php +/* $Id$ */ +/* + filter_log.inc + part of pfSesne by Scott Ullrich + originally based on m0n0wall (http://m0n0.ch/wall) + + Copyright (C) 2009 Jim Pingle <myfirstname>@<mylastname>.org + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* + pfSense_BUILDER_BINARIES: /usr/sbin/fifolog_reader /usr/bin/tail /usr/sbin/clog + pfSense_MODULE: filter +*/ + +/* format filter logs */ +function conv_log_filter($logfile, $nentries, $tail = 50, $filtertext = "") { + global $config, $g; + + /* Make sure this is a number before using it in a system call */ + if (!(is_numeric($tail))) + return; + + if ($filtertext) + $tail = 5000; + + /* FreeBSD 8 splits pf log lines into two lines, so we need to at least + * tail twice as many, plus some extra to account for unparseable lines */ + $tail = $tail * 2 + 50; + + /* Always do a reverse tail, to be sure we're grabbing the 'end' of the log. */ + $logarr = ""; + + if(isset($config['system']['usefifolog'])) + exec("/usr/sbin/fifolog_reader {$logfile} | /usr/bin/tail -r -n {$tail}", $logarr); + else + exec("/usr/sbin/clog {$logfile} | grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail -r -n {$tail}", $logarr); + + $filterlog = array(); + $counter = 0; + + $logarr = array_reverse(collapse_filter_lines(array_reverse($logarr))); + + foreach ($logarr as $logent) { + if($counter >= $nentries) + break; + + $flent = parse_filter_line($logent); + if (($flent != "") && (match_filter_line($flent, $filtertext))) { + $counter++; + $filterlog[] = $flent; + } + } + /* Since the lines are in reverse order, flip them around if needed based on the user's preference */ + return isset($config['syslog']['reverse']) ? $filterlog : array_reverse($filterlog); +} + +function match_filter_line($flent, $filtertext = "") { + if (!$filtertext) + return true; + $filtertext = str_replace(' ', '\s+', $filtertext); + return preg_match("/{$filtertext}/i", implode(" ", array_values($flent))); +} + +function collapse_filter_lines($logarr) { + $lastline = ""; + $collapsed = array(); + foreach ($logarr as $logent) { + $line_split = ""; + preg_match("/.*\spf:\s(.*)/", $logent, $line_split); + if (substr($line_split[1], 0, 4) != " ") { + if (($lastline != "") && (substr($lastline, 0, 1) != " ")) { + $collapsed[] = $lastline; + } + $lastline = $logent; + } else { + $lastline .= substr($line_split[1], 3); + } + } + //print_r($collapsed); + return $collapsed; +} + +function parse_filter_line($line) { + global $config, $g; + $log_split = ""; + preg_match("/(.*)\s(.*)\spf:\s.*\srule\s(.*)\(match\)\:\s(.*)\s\w+\son\s(\w+)\:\s\((.*)\)\s(.*)\s>\s(.*)\:\s(.*)/", $line, $log_split); + + list($all, $flent['time'], $host, $rule, $flent['act'], $flent['realint'], $details, $src, $dst, $leftovers) = $log_split; + + list($flent['srcip'], $flent['srcport']) = parse_ipport($src); + list($flent['dstip'], $flent['dstport']) = parse_ipport($dst); + + $flent['src'] = $flent['srcip']; + $flent['dst'] = $flent['dstip']; + + if ($flent['srcport']) + $flent['src'] .= ':' . $flent['srcport']; + if ($flent['dstport']) + $flent['dst'] .= ':' . $flent['dstport']; + + $flent['interface'] = convert_log_interface_to_friendly_interface_name($flent['realint']); + + $tmp = split("/", $rule); + $flent['rulenum'] = $tmp[0]; + + $proto = array(" ", "(?)"); + /* Attempt to determine the protocol, based on several possible patterns. + * The value returned by strpos() must be strictly checkeded against the + * boolean FALSE because it could return a valid answer of 0 upon success. */ + if (!(strpos($details, 'proto ') === FALSE)) { + preg_match("/.*\sproto\s(.*)\s\(/", $details, $proto); + } elseif (!(strpos($details, 'proto: ') === FALSE)) { + preg_match("/.*\sproto\:(.*)\s\(/", $details, $proto); + } elseif (!(strpos($leftovers, 'sum ok] ') === FALSE)) { + preg_match("/.*\ssum ok]\s(.*)\,\s.*/", $leftovers, $proto); + } elseif (!(strpos($line, 'sum ok] ') === FALSE)) { + preg_match("/.*\ssum ok]\s(.*)\,\s.*/", $line, $proto); + } + $proto = split(" ", trim($proto[1])); + $flent['proto'] = rtrim($proto[0], ","); + + /* If we're dealing with TCP, try to determine the flags/control bits */ + $flent['tcpflags'] = ""; + if ($flent['proto'] == "TCP") { + $flags = split('[\, ]', $leftovers); + $flent['tcpflags'] = str_replace(".", "A", substr($flags[1], 1, -1)); + } + + /* If there is a src, a dst, and a time, then the line should be usable/good */ + if (!((trim($flent['src']) == "") || (trim($flent['dst']) == "") || (trim($flent['time']) == ""))) { + return $flent; + } else { + if($g['debug']) { + log_error("There was a error parsing rule: $errline. Please report to mailing list or forum."); + } + return ""; + } +} + +function convert_log_interface_to_friendly_interface_name($int) { + global $config; + + $iflist = get_configured_interface_with_descr(); + foreach ($iflist as $if => $ifdesc) + $iftable[get_real_interface($if)] = $ifdesc; + + /* Check for WAN first, pppoe (ng0) doesn't return properly otherwise */ + if ($int == get_real_wan_interface($int)) + $int = 'wan'; + else + $int = empty($iftable[$int]) ? $int : $iftable[$int]; + + return $int; +} + +function parse_ipport($addr) { + $addr = rtrim($addr, ":"); + $port = ''; + if (substr_count($addr, '.') > 1) { + /* IPv4 */ + $addr_split = split("\.", $addr); + $ip = "{$addr_split[0]}.{$addr_split[1]}.{$addr_split[2]}.{$addr_split[3]}"; + + if ($ip == "...") + return array($addr, ''); + + if($addr_split[4] != "") { + $port_split = split("\:", $addr_split[4]); + $port = $port_split[0]; + } + } else { + /* IPv6 */ + $addr = split(" ", $addr); + $addr = rtrim($addr[0], ":"); + $addr_split = split("\.", $addr); + if (count($addr_split) > 1) { + $ip = $addr_split[0]; + $port = $addr_split[1]; + } else { + $ip = $addr; + } + } + + return array($ip, $port); +} + +function get_port_with_service($port, $proto) { + if (!$port) + return ''; + + $service = getservbyport($port, $proto); + $portstr = ""; + if ($service) { + $portstr = "<span title=\"Service {$port}/{$proto}: {$service}\">" . htmlspecialchars($port) . "</span>"; + } else { + $portstr = htmlspecialchars($port); + } + return ':' . $portstr; +} + +function find_rule_by_number($rulenum, $type="rules") { + /* Passing arbitrary input to grep could be a Very Bad Thing(tm) */ + if (!(is_numeric($rulenum))) + return; + /* At the moment, miniupnpd is the only thing I know of that + generates logging rdr rules */ + if ($type == "rdr") + return `pfctl -vvsn -a "miniupnpd" | grep '^@{$rulenum} '`; + else + return `pfctl -vvsr | grep '^@{$rulenum} '`; +} + +function find_action_image($action) { + global $g; + if ((strstr(strtolower($action), "p")) || (strtolower($action) == "rdr")) + return "/themes/{$g['theme']}/images/icons/icon_pass.gif"; + else if(strstr(strtolower($action), "r")) + return "/themes/{$g['theme']}/images/icons/icon_reject.gif"; + else + return "/themes/{$g['theme']}/images/icons/icon_block.gif"; +} + +function is_first_row($rownum, $totalrows) { + global $config; + if(isset($config['syslog']['reverse'])) { + /* Honor reverse logging setting */ + if($rownum == 0) + return " id=\"firstrow\""; + } else { + /* non-reverse logging */ + if($rownum == $totalrows - 1) + return " id=\"firstrow\""; + } + return ""; +} + +/* AJAX specific handlers */ +function handle_ajax($nentries, $tail = 50) { + global $config; + if($_GET['lastsawtime'] or $_POST['lastsawtime']) { + global $filter_logfile,$filterent; + if($_GET['lastsawtime']) + $lastsawtime = $_GET['lastsawtime']; + if($_POST['lastsawtime']) + $lastsawtime = $_POST['lastsawtime']; + /* compare lastsawrule's time stamp to filter logs. + * afterwards return the newer records so that client + * can update AJAX interface screen. + */ + $new_rules = ""; + $filterlog = conv_log_filter($filter_logfile, $nentries, $tail); + /* We need this to always be in forward order for the AJAX update to work properly */ + $filterlog = isset($config['syslog']['reverse']) ? array_reverse($filterlog) : $filterlog; + foreach($filterlog as $log_row) { + $time_regex = ""; + preg_match("/.*([0-9][0-9]:[0-9][0-9]:[0-9][0-9])/", $log_row['time'], $time_regex); + $row_time = strtotime($time_regex[1]); + $img = "<img border='0' src='" . find_action_image($log_row['act']) . "' alt={$log_row['act']} title={$log_row['act']} />"; + //echo "{$time_regex[1]} - $row_time > $lastsawtime<p>"; + if($row_time > $lastsawtime) { + if ($log_row['proto'] == "TCP") + $log_row['proto'] .= ":{$log_row['tcpflags']}"; + + $img = "<a href=\"#\" onClick=\"javascript:getURL('diag_logs_filter.php?getrulenum={$log_row['rulenum']},{$log_row['rulenum']}', outputrule);\">{$img}</a>"; + $new_rules .= "{$img}||{$log_row['time']}||{$log_row['interface']}||{$log_row['src']}||{$log_row['dst']}||{$log_row['proto']}||" . time() . "||\n"; + } + } + echo $new_rules; + exit; + } +} + +?>
\ No newline at end of file |