From e390b503f503f48e656d91f61d933cc1fd7f7a3c Mon Sep 17 00:00:00 2001 From: jim-p Date: Sun, 15 Nov 2009 11:22:45 -0500 Subject: Move two include files to /etc/inc instead of leaving them in the www dir. Move filterparser.php to /usr/local/bin since it's not meant to be used from the web interface. --- usr/local/bin/filterparser.php | 79 +++++++++++ usr/local/www/easyrule.inc | 254 ----------------------------------- usr/local/www/filter_log.inc | 295 ----------------------------------------- usr/local/www/filterparser.php | 79 ----------- 4 files changed, 79 insertions(+), 628 deletions(-) create mode 100644 usr/local/bin/filterparser.php delete mode 100644 usr/local/www/easyrule.inc delete mode 100644 usr/local/www/filter_log.inc delete mode 100644 usr/local/www/filterparser.php (limited to 'usr') diff --git a/usr/local/bin/filterparser.php b/usr/local/bin/filterparser.php new file mode 100644 index 0000000..d432419 --- /dev/null +++ b/usr/local/bin/filterparser.php @@ -0,0 +1,79 @@ +#!/usr/local/bin/php -q +@.org + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + + A quick CLI log parser. + Examples: + clog /var/log/filter.log | tail -50 | /usr/local/www/filterparser.php + clog -f /var/log/filter.log | /usr/local/www/filterparser.php +*/ +/* + pfSense_MODULE: logs +*/ + +include_once("functions.inc"); +include_once("filter_log.inc"); + +$log = fopen("php://stdin", "r"); +$lastline = ""; +while(!feof($log)) { + $line = fgets($log); + $line = rtrim($line); + $line_split = ""; + preg_match("/.*\spf:\s(.*)/", $line, $line_split); + if (substr($line_split[1], 0, 4) != " ") { + $flent = ""; + if (($lastline != "") && (substr($lastline, 0, 1) != " ")) { + $flent = parse_filter_line(trim($lastline)); + } + $lastline = $line; + } else { + $lastline .= substr($line_split[1], 3); + } + /* Available fields: + time - Time the packet was seen + rulenum - Rule number matched + act - Action (pass/block) + interface - Friendly interface name (WAN, LAN, etc) + realint - Real interface name (fxp0, em0, vr0, etc) + proto - Protocol (e.g. TCP, UDP, ICMP, etc) + tcpflags - TCP flags/control bits + src - Source address with port + srcip - Source IP + srcport - Source Port + dst - Destination address with port + dstip - Destination IP + dstport - Destination Port + */ + if ($flent != "") + echo "{$flent['time']} {$flent['act']} {$flent['realint']} {$flent['proto']} {$flent['src']} {$flent['dst']}\n"; +} +fclose($log); ?> \ No newline at end of file diff --git a/usr/local/www/easyrule.inc b/usr/local/www/easyrule.inc deleted file mode 100644 index 1747654..0000000 --- a/usr/local/www/easyrule.inc +++ /dev/null @@ -1,254 +0,0 @@ - $ifd) { - if (strtolower($int) == strtolower($ifd)) - return $if; - } - - return false; -} - -function easyrule_block_rule_exists($int = 'wan') { - global $blockaliasname, $config; - /* No rules, we we know it doesn't exist */ - if (!is_array($config['filter']['rule'])) { - return false; - } - - /* Search through the rules for one referencing our alias */ - foreach ($config['filter']['rule'] as $rule) - if ($rule['source']['address'] == $blockaliasname . strtoupper($int) && ($rule['interface'] == $int)) - return true; - return false; -} - -function easyrule_block_rule_create($int = 'wan') { - global $blockaliasname, $config; - /* If the alias doesn't exist, exit. - * Can't create an empty alias, and we don't know a host */ - if (easyrule_block_alias_getid($int) === false) - return false; - - /* If the rule already exists, no need to do it again */ - if (easyrule_block_rule_exists($int)) - return true; - - /* No rules, start a new array */ - if (!is_array($config['filter']['rule'])) { - $config['filter']['rule'] = array(); - } - - filter_rules_sort(); - $a_filter = &$config['filter']['rule']; - - /* Make up a new rule */ - $filterent = array(); - $filterent['type'] = 'block'; - $filterent['interface'] = $int; - $filterent['source']['address'] = $blockaliasname . strtoupper($int); - $filterent['destination']['any'] = ''; - $filterent['descr'] = "Easy Rule: Blocked from Firewall Log View"; - - $a_filter[] = $filterent; - - return true; -} - -function easyrule_block_alias_getid($int = 'wan') { - global $blockaliasname, $config; - if (!is_array($config['aliases'])) - return false; - - /* Hunt down an alias with the name we want, return its id */ - foreach ($config['aliases']['alias'] as $aliasid => $alias) - if ($alias['name'] == $blockaliasname . strtoupper($int)) - return $aliasid; - - return false; -} - -function easyrule_block_alias_add($host, $int = 'wan') { - global $blockaliasname, $config; - /* If the host isn't a valid IP address, bail */ - if (!is_ipaddr($host)) - return false; - - /* If there are no aliases, start an array */ - if (!is_array($config['aliases']['alias'])) - $config['aliases']['alias'] = array(); - - aliases_sort(); - $a_aliases = &$config['aliases']['alias']; - - /* Try to get the ID if the alias already exists */ - $id = easyrule_block_alias_getid($int); - if ($id === false) - unset($id); - - $alias = array(); - - if (isset($id) && $a_aliases[$id]) { - /* Make sure this IP isn't already in the list. */ - if (in_array($host.'/32', explode(" ", $a_aliases[$id]['address']))) - return true; - /* Since the alias already exists, just add to it. */ - $alias['name'] = $a_aliases[$id]['name']; - $alias['type'] = $a_aliases[$id]['type']; - $alias['descr'] = $a_aliases[$id]['descr']; - - $alias['address'] = $a_aliases[$id]['address'] . ' ' . $host . '/32'; - $alias['detail'] = $a_aliases[$id]['detail'] . 'Entry added ' . date('r') . '||'; - } else { - /* Create a new alias with all the proper information */ - $alias['name'] = $blockaliasname . strtoupper($int); - $alias['type'] = 'network'; - $alias['descr'] = mb_convert_encoding("Hosts blocked from Firewall Log view","HTML-ENTITIES","auto"); - - $alias['address'] = $host . '/32'; - $alias['detail'] = 'Entry added ' . date('r') . '||'; - } - - /* Replace the old alias if needed, otherwise tack it on the end */ - if (isset($id) && $a_aliases[$id]) - $a_aliases[$id] = $alias; - else - $a_aliases[] = $alias; - - return true; -} - -function easyrule_block_host_add($host, $int = 'wan') { - global $retval; - /* Bail if the supplied host is not a valid IP address */ - if (!is_ipaddr($host)) - return false; - - /* Flag whether or not we need to reload the filter */ - $dirty = false; - - /* Attempt to add this host to the alias */ - if (easyrule_block_alias_add($host, $int)) { - $dirty = true; - } else { - /* Couldn't add the alias, or adding the host failed. */ - return false; - } - - /* Attempt to add the firewall rule if it doesn't exist. - * Failing to add the rule isn't necessarily an error, it may - * have been modified by the user in some way. Adding to the - * Alias is what's important. - */ - if (!easyrule_block_rule_exists($int)) { - if (easyrule_block_rule_create($int)) { - $dirty = true; - } else { - return false; - } - } - - /* If needed, write the config and reload the filter */ - if ($dirty) { - write_config(); - $retval = filter_configure(); - header("Location: firewall_aliases.php"); - exit; - } else { - return false; - } -} - -function easyrule_pass_rule_add($int, $proto, $srchost, $dsthost, $dstport) { - global $config; - - /* No rules, start a new array */ - if (!is_array($config['filter']['rule'])) { - $config['filter']['rule'] = array(); - } - - filter_rules_sort(); - $a_filter = &$config['filter']['rule']; - - /* Make up a new rule */ - $filterent = array(); - $filterent['type'] = 'pass'; - $filterent['interface'] = $int; - $filterent['descr'] = "Easy Rule: Passed from Firewall Log View"; - - if ($proto != "any") - $filterent['protocol'] = $proto; - else - unset($filterent['protocol']); - - /* Default to only allow echo requests, since that's what most people want and - * it should be a safe choice. */ - if ($proto == "icmp") - $filterent['icmptype'] = 'echoreq'; - - pconfig_to_address($filterent['source'], $srchost, 32); - pconfig_to_address($filterent['destination'], $dsthost, 32, '', $dstport, $dstport); - - $a_filter[] = $filterent; - - write_config(); - $retval = filter_configure(); - header("Location: firewall_rules.php?if={$int}"); - exit; -} -?> diff --git a/usr/local/www/filter_log.inc b/usr/local/www/filter_log.inc deleted file mode 100644 index 3dc00c8..0000000 --- a/usr/local/www/filter_log.inc +++ /dev/null @@ -1,295 +0,0 @@ -@.org - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ -/* - pfSense_BUILDER_BINARIES: /usr/sbin/fifolog_reader /usr/bin/tail /usr/sbin/clog - pfSense_MODULE: filter -*/ - -/* format filter logs */ -function conv_log_filter($logfile, $nentries, $tail = 50, $filtertext = "") { - global $config, $g; - - /* Make sure this is a number before using it in a system call */ - if (!(is_numeric($tail))) - return; - - if ($filtertext) - $tail = 5000; - - /* FreeBSD 8 splits pf log lines into two lines, so we need to at least - * tail twice as many, plus some extra to account for unparseable lines */ - $tail = $tail * 2 + 50; - - /* Always do a reverse tail, to be sure we're grabbing the 'end' of the log. */ - $logarr = ""; - - if(isset($config['system']['usefifolog'])) - exec("/usr/sbin/fifolog_reader {$logfile} | /usr/bin/tail -r -n {$tail}", $logarr); - else - exec("/usr/sbin/clog {$logfile} | grep -v \"CLOG\" | grep -v \"\033\" | /usr/bin/tail -r -n {$tail}", $logarr); - - $filterlog = array(); - $counter = 0; - - $logarr = array_reverse(collapse_filter_lines(array_reverse($logarr))); - - foreach ($logarr as $logent) { - if($counter >= $nentries) - break; - - $flent = parse_filter_line($logent); - if (($flent != "") && (match_filter_line($flent, $filtertext))) { - $counter++; - $filterlog[] = $flent; - } - } - /* Since the lines are in reverse order, flip them around if needed based on the user's preference */ - return isset($config['syslog']['reverse']) ? $filterlog : array_reverse($filterlog); -} - -function match_filter_line($flent, $filtertext = "") { - if (!$filtertext) - return true; - $filtertext = str_replace(' ', '\s+', $filtertext); - return preg_match("/{$filtertext}/i", implode(" ", array_values($flent))); -} - -function collapse_filter_lines($logarr) { - $lastline = ""; - $collapsed = array(); - foreach ($logarr as $logent) { - $line_split = ""; - preg_match("/.*\spf:\s(.*)/", $logent, $line_split); - if (substr($line_split[1], 0, 4) != " ") { - if (($lastline != "") && (substr($lastline, 0, 1) != " ")) { - $collapsed[] = $lastline; - } - $lastline = $logent; - } else { - $lastline .= substr($line_split[1], 3); - } - } - //print_r($collapsed); - return $collapsed; -} - -function parse_filter_line($line) { - global $config, $g; - $log_split = ""; - preg_match("/(.*)\s(.*)\spf:\s.*\srule\s(.*)\(match\)\:\s(.*)\s\w+\son\s(\w+)\:\s\((.*)\)\s(.*)\s>\s(.*)\:\s(.*)/", $line, $log_split); - - list($all, $flent['time'], $host, $rule, $flent['act'], $flent['realint'], $details, $src, $dst, $leftovers) = $log_split; - - list($flent['srcip'], $flent['srcport']) = parse_ipport($src); - list($flent['dstip'], $flent['dstport']) = parse_ipport($dst); - - $flent['src'] = $flent['srcip']; - $flent['dst'] = $flent['dstip']; - - if ($flent['srcport']) - $flent['src'] .= ':' . $flent['srcport']; - if ($flent['dstport']) - $flent['dst'] .= ':' . $flent['dstport']; - - $flent['interface'] = convert_log_interface_to_friendly_interface_name($flent['realint']); - - $tmp = split("/", $rule); - $flent['rulenum'] = $tmp[0]; - - $proto = array(" ", "(?)"); - /* Attempt to determine the protocol, based on several possible patterns. - * The value returned by strpos() must be strictly checkeded against the - * boolean FALSE because it could return a valid answer of 0 upon success. */ - if (!(strpos($details, 'proto ') === FALSE)) { - preg_match("/.*\sproto\s(.*)\s\(/", $details, $proto); - } elseif (!(strpos($details, 'proto: ') === FALSE)) { - preg_match("/.*\sproto\:(.*)\s\(/", $details, $proto); - } elseif (!(strpos($leftovers, 'sum ok] ') === FALSE)) { - preg_match("/.*\ssum ok]\s(.*)\,\s.*/", $leftovers, $proto); - } elseif (!(strpos($line, 'sum ok] ') === FALSE)) { - preg_match("/.*\ssum ok]\s(.*)\,\s.*/", $line, $proto); - } - $proto = split(" ", trim($proto[1])); - $flent['proto'] = rtrim($proto[0], ","); - - /* If we're dealing with TCP, try to determine the flags/control bits */ - $flent['tcpflags'] = ""; - if ($flent['proto'] == "TCP") { - $flags = split('[\, ]', $leftovers); - $flent['tcpflags'] = str_replace(".", "A", substr($flags[1], 1, -1)); - } - - /* If there is a src, a dst, and a time, then the line should be usable/good */ - if (!((trim($flent['src']) == "") || (trim($flent['dst']) == "") || (trim($flent['time']) == ""))) { - return $flent; - } else { - if($g['debug']) { - log_error("There was a error parsing rule: $errline. Please report to mailing list or forum."); - } - return ""; - } -} - -function convert_log_interface_to_friendly_interface_name($int) { - global $config; - - $iflist = get_configured_interface_with_descr(); - foreach ($iflist as $if => $ifdesc) - $iftable[get_real_interface($if)] = $ifdesc; - - /* Check for WAN first, pppoe (ng0) doesn't return properly otherwise */ - if ($int == get_real_wan_interface($int)) - $int = 'wan'; - else - $int = empty($iftable[$int]) ? $int : $iftable[$int]; - - return $int; -} - -function parse_ipport($addr) { - $addr = rtrim($addr, ":"); - $port = ''; - if (substr_count($addr, '.') > 1) { - /* IPv4 */ - $addr_split = split("\.", $addr); - $ip = "{$addr_split[0]}.{$addr_split[1]}.{$addr_split[2]}.{$addr_split[3]}"; - - if ($ip == "...") - return array($addr, ''); - - if($addr_split[4] != "") { - $port_split = split("\:", $addr_split[4]); - $port = $port_split[0]; - } - } else { - /* IPv6 */ - $addr = split(" ", $addr); - $addr = rtrim($addr[0], ":"); - $addr_split = split("\.", $addr); - if (count($addr_split) > 1) { - $ip = $addr_split[0]; - $port = $addr_split[1]; - } else { - $ip = $addr; - } - } - - return array($ip, $port); -} - -function get_port_with_service($port, $proto) { - if (!$port) - return ''; - - $service = getservbyport($port, $proto); - $portstr = ""; - if ($service) { - $portstr = "" . htmlspecialchars($port) . ""; - } else { - $portstr = htmlspecialchars($port); - } - return ':' . $portstr; -} - -function find_rule_by_number($rulenum, $type="rules") { - /* Passing arbitrary input to grep could be a Very Bad Thing(tm) */ - if (!(is_numeric($rulenum))) - return; - /* At the moment, miniupnpd is the only thing I know of that - generates logging rdr rules */ - if ($type == "rdr") - return `pfctl -vvsn -a "miniupnpd" | grep '^@{$rulenum} '`; - else - return `pfctl -vvsr | grep '^@{$rulenum} '`; -} - -function find_action_image($action) { - global $g; - if ((strstr(strtolower($action), "p")) || (strtolower($action) == "rdr")) - return "/themes/{$g['theme']}/images/icons/icon_pass.gif"; - else if(strstr(strtolower($action), "r")) - return "/themes/{$g['theme']}/images/icons/icon_reject.gif"; - else - return "/themes/{$g['theme']}/images/icons/icon_block.gif"; -} - -function is_first_row($rownum, $totalrows) { - global $config; - if(isset($config['syslog']['reverse'])) { - /* Honor reverse logging setting */ - if($rownum == 0) - return " id=\"firstrow\""; - } else { - /* non-reverse logging */ - if($rownum == $totalrows - 1) - return " id=\"firstrow\""; - } - return ""; -} - -/* AJAX specific handlers */ -function handle_ajax($nentries, $tail = 50) { - global $config; - if($_GET['lastsawtime'] or $_POST['lastsawtime']) { - global $filter_logfile,$filterent; - if($_GET['lastsawtime']) - $lastsawtime = $_GET['lastsawtime']; - if($_POST['lastsawtime']) - $lastsawtime = $_POST['lastsawtime']; - /* compare lastsawrule's time stamp to filter logs. - * afterwards return the newer records so that client - * can update AJAX interface screen. - */ - $new_rules = ""; - $filterlog = conv_log_filter($filter_logfile, $nentries, $tail); - /* We need this to always be in forward order for the AJAX update to work properly */ - $filterlog = isset($config['syslog']['reverse']) ? array_reverse($filterlog) : $filterlog; - foreach($filterlog as $log_row) { - $time_regex = ""; - preg_match("/.*([0-9][0-9]:[0-9][0-9]:[0-9][0-9])/", $log_row['time'], $time_regex); - $row_time = strtotime($time_regex[1]); - $img = "{$log_row['act']}"; - //echo "{$time_regex[1]} - $row_time > $lastsawtime

"; - if($row_time > $lastsawtime) { - if ($log_row['proto'] == "TCP") - $log_row['proto'] .= ":{$log_row['tcpflags']}"; - - $img = "{$img}"; - $new_rules .= "{$img}||{$log_row['time']}||{$log_row['interface']}||{$log_row['src']}||{$log_row['dst']}||{$log_row['proto']}||" . time() . "||\n"; - } - } - echo $new_rules; - exit; - } -} - -?> \ No newline at end of file diff --git a/usr/local/www/filterparser.php b/usr/local/www/filterparser.php deleted file mode 100644 index d432419..0000000 --- a/usr/local/www/filterparser.php +++ /dev/null @@ -1,79 +0,0 @@ -#!/usr/local/bin/php -q -@.org - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - - A quick CLI log parser. - Examples: - clog /var/log/filter.log | tail -50 | /usr/local/www/filterparser.php - clog -f /var/log/filter.log | /usr/local/www/filterparser.php -*/ -/* - pfSense_MODULE: logs -*/ - -include_once("functions.inc"); -include_once("filter_log.inc"); - -$log = fopen("php://stdin", "r"); -$lastline = ""; -while(!feof($log)) { - $line = fgets($log); - $line = rtrim($line); - $line_split = ""; - preg_match("/.*\spf:\s(.*)/", $line, $line_split); - if (substr($line_split[1], 0, 4) != " ") { - $flent = ""; - if (($lastline != "") && (substr($lastline, 0, 1) != " ")) { - $flent = parse_filter_line(trim($lastline)); - } - $lastline = $line; - } else { - $lastline .= substr($line_split[1], 3); - } - /* Available fields: - time - Time the packet was seen - rulenum - Rule number matched - act - Action (pass/block) - interface - Friendly interface name (WAN, LAN, etc) - realint - Real interface name (fxp0, em0, vr0, etc) - proto - Protocol (e.g. TCP, UDP, ICMP, etc) - tcpflags - TCP flags/control bits - src - Source address with port - srcip - Source IP - srcport - Source Port - dst - Destination address with port - dstip - Destination IP - dstport - Destination Port - */ - if ($flent != "") - echo "{$flent['time']} {$flent['act']} {$flent['realint']} {$flent['proto']} {$flent['src']} {$flent['dst']}\n"; -} -fclose($log); ?> \ No newline at end of file -- cgit v1.1