From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tim FitzGeorge To: development@lists.ipfire.org Subject: [PATCH 07/12] statusmail: Plugins for services Date: Fri, 05 Apr 2019 18:29:35 +0100 Message-ID: <20190405172940.13168-8-ipfr@tfitzgeorge.me.uk> In-Reply-To: <20190405172940.13168-1-ipfr@tfitzgeorge.me.uk> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4329531753225037999==" List-Id: --===============4329531753225037999== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Intrusion Prevention System plugin works with Suricata, but not Snort Signed-off-by: Tim FitzGeorge --- .../services_intrusion_prevention_system.pm | 239 ++++++++++++++++++ src/statusmail/plugins/services_urlfilter.pm | 275 +++++++++++++++++++= ++ 2 files changed, 514 insertions(+) create mode 100644 src/statusmail/plugins/services_intrusion_prevention_syst= em.pm create mode 100644 src/statusmail/plugins/services_urlfilter.pm diff --git a/src/statusmail/plugins/services_intrusion_prevention_system.pm b= /src/statusmail/plugins/services_intrusion_prevention_system.pm new file mode 100644 index 000000000..4ca174d4e --- /dev/null +++ b/src/statusmail/plugins/services_intrusion_prevention_system.pm @@ -0,0 +1,239 @@ +#!/usr/bin/perl + +############################################################################ +# # +# Send log and status emails for IPFire # +# # +# This is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# This is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2018 - 2019 The IPFire Team # +# # +############################################################################ + +use strict; +use warnings; + +require "${General::swroot}/lang.pl"; + +package Services_Intrusion_Prevention_System; + +use Time::Local; + +############################################################################ +# Function prototypes +############################################################################ + +sub get_log( $ ); + +############################################################################ +# Constants +############################################################################ + +use constant { SEC =3D> 0, + MIN =3D> 1, + HOUR =3D> 2, + MDAY =3D> 3, + MON =3D> 4, + YEAR =3D> 5, + WDAY =3D> 6, + YDAY =3D> 7, + ISDST =3D> 8, + MONSTR =3D> 9 }; + +############################################################################ +# BEGIN Block +# +# Register the log items available in this file +############################################################################ + +sub BEGIN +{ + main::add_mail_item( 'ident' =3D> 'services-ips-alerts', + 'section' =3D> $Lang::tr{'services'}, + 'subsection' =3D> $Lang::tr{'intrusion prevention sys= tem'}, + 'item' =3D> $Lang::tr{'statusmail ips alerts'}, + 'function' =3D> \&alerts, + 'option' =3D> { 'type' =3D> 'integer', + 'name' =3D> $Lang::tr{'statusmail= ips min priority'}, + 'min' =3D> 1, + 'max' =3D> 4 } ); +} + +############################################################################ +# Code +############################################################################ + +#---------------------------------------------------------------------------= --- +# sub get_log +# +# +#---------------------------------------------------------------------------= --- + +sub get_log( $ ) +{ + my ($this) =3D @_; + +# There's only one data item, so don't use the cache +# my $data =3D $this->cache( 'ips-alerts' ); +# return $data if (defined $data); + + my $name =3D '/var/log/suricata/fast.log'; + + my %info; + my $last_mon =3D 0; + my $last_day =3D 0; + my $last_hour =3D 0; + my $last_time =3D 0; + my $time =3D 0; + my $now =3D time(); + my $year =3D 0; + my $start_time =3D $this->get_period_start; + my $end_time =3D $this->get_period_end; + my @stats; + + for (my $filenum =3D $this->get_number_weeks ; $filenum >=3D 0 ; $filenum-= -) + { + my $filename =3D $filenum < 1 ? $name : "$name.$filenum"; + + if (-r "$filename.gz") + { + @stats =3D stat( _ ); + next if ($stats[9] < $start_time); + + open IN, "gzip -dc $filename.gz |" or next; + } + elsif (-r $filename) + { + @stats =3D stat( _ ); + open IN, '<', $filename or next; + } + else + { + next; + } + + foreach my $line () + { + chomp $line; + + # Alerts have the format: + # + # mm/dd/yyyy-hh:mm:ss.uuuuuu [Action] [**] [gid:sid:prio] message [**= ] [Classification: type] [Priority: prio] {protocol} src-ip:src-port -> dest-= ip:dest-port + + $line =3D~ s/^\s+//; + $line =3D~ s/\s+$//; + + next unless ($line); + + my ($mon, $day, $year, $hour, $min, $sec, $gid, $sid, $message, $prio,= $src, $dest) =3D + $line =3D~ m|(\d+)/(\d+)/(\d+)-(\d+):(\d+):(\d+)\.\d+\s+\[\w+\]\s+\[= \*\*\]\s+\[(\d+):(\d+):\d+\]\s*(.*)\s+\[\*\*\].*\[Priority:\s(\d+)\].*?\s+(\d= +\.\d+\.\d+\.\d+(?::\d+)?) -> (\d+\.\d+\.\d+\.\d+(?::\d+)?)|; + + $sid =3D "$gid-$sid"; + + if ($mon !=3D $last_mon or $day !=3D $last_day or $hour !=3D $last_hou= r) + { + # Hour, day or month changed. Convert to unix time so we can work o= ut + # whether the message time falls between the limits we're interested= in. + + my @time; + + $time[YEAR] =3D $year; + + ($time[MON], $time[MDAY], $time[HOUR], $time[MIN], $time[SEC]) =3D (= $mon - 1, $day, $hour, $min, $sec); + + $time =3D timelocal( @time ); + + ($last_mon, $last_day, $last_hour) =3D ($mon, $day, $hour); + } + + # Check to see if we're within the specified limits. + # Note that the minutes and seconds may be incorrect, but since we onl= y deal + # in hour boundaries this doesn't matter. + + next if ($time < $start_time); + last if ($time > $end_time); + + my $timestr =3D "$mon/$day $hour:$min:$sec"; + + $info{total}++; + + if (exists $info{by_sid}{$sid}) + { + $info{by_sid}{$sid}{count}++; + $info{by_sid}{$sid}{last} =3D $timestr; + } + else + { + $info{by_sid}{$sid}{count} =3D 1; + $info{by_sid}{$sid}{priority} =3D $prio; + $info{by_sid}{$sid}{message} =3D $message; + $info{by_sid}{$sid}{first} =3D $timestr; + $info{by_sid}{$sid}{last} =3D $timestr; + } + } + + close IN; + } + +# $this->cache( 'ids-alerts', \%info ); + + return \%info; + +} + + +#---------------------------------------------------------------------------= --- + +sub alerts( $$ ) +{ + my ($self, $min_priority) =3D @_; + my @table; + + use Sort::Naturally; + + push @table, ['|', '|', '<', '|', '|', '|', '|']; + push @table, [ 'SID', $Lang::tr{'priority'}, $Lang::tr{'name'}, $Lang::tr{= 'count'}, $Lang::tr{'percentage'}, $Lang::tr{'first'}, $Lang::tr{'last'} ]; + + my $stats =3D get_log( $self ); + + foreach my $sid (sort { $$stats{by_sid}{$a}{priority} <=3D> $$stats{by_sid= }{$b}{priority} || + $$stats{by_sid}{$b}{count} <=3D> $$stats{by_sid}{$= a}{count}} keys %{ $$stats{by_sid} } ) + { + my $message =3D $$stats{by_sid}{$sid}{message}; + my $priority =3D $$stats{by_sid}{$sid}{priority}; + my $count =3D $$stats{by_sid}{$sid}{count}; + my $first =3D $$stats{by_sid}{$sid}{first}; + my $last =3D $$stats{by_sid}{$sid}{last}; + my $percent =3D int( 100 * $count / $$stats{total} + 0.5); + + last if ($priority > $min_priority); + =20 + $message =3D $self->split_string( $message, 40 ); + + push @table, [ $sid, $priority, $message, $count, $percent, $first, $las= t ]; + } + + if (@table > 2) + { + $self->add_table( @table ); + =20 + return 1; + } + =20 + return 0; +} + + +1; diff --git a/src/statusmail/plugins/services_urlfilter.pm b/src/statusmail/pl= ugins/services_urlfilter.pm new file mode 100644 index 000000000..620dc1e20 --- /dev/null +++ b/src/statusmail/plugins/services_urlfilter.pm @@ -0,0 +1,275 @@ +#!/usr/bin/perl + +############################################################################ +# # +# Send log and status emails for IPFire # +# # +# This is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# This is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2018 - 2019 The IPFire Team # +# # +############################################################################ + +require "${General::swroot}/lang.pl"; + +use strict; +use warnings; + +package Services_Urlfilter; + +use Time::Local; + +############################################################################ +# BEGIN Block +# +# Register the log items available in this file +############################################################################ + +sub BEGIN +{ + main::add_mail_item( 'ident' =3D> 'services-urlfilter-client', + 'section' =3D> $Lang::tr{'services'}, + 'subsection' =3D> $Lang::tr{'urlfilter url filter'}, + 'item' =3D> $Lang::tr{'urlfilter client'}, + 'function' =3D> \&clients, + 'option' =3D> { 'type' =3D> 'integer', + 'name' =3D> $Lang::tr{'statusmail= urlfilter min count'}, + 'min' =3D> 1, + 'max' =3D> 1000 } ); + + main::add_mail_item( 'ident' =3D> 'services-urlfilter-destination', + 'section' =3D> $Lang::tr{'services'}, + 'subsection' =3D> $Lang::tr{'urlfilter url filter'}, + 'item' =3D> $Lang::tr{'destination'}, + 'function' =3D> \&destinations, + 'option' =3D> { 'type' =3D> 'integer', + 'name' =3D> $Lang::tr{'statusmail= urlfilter min count'}, + 'min' =3D> 1, + 'max' =3D> 1000 } ); +} + +############################################################################ +# Constants +############################################################################ + +use constant { SEC =3D> 0, + MIN =3D> 1, + HOUR =3D> 2, + MDAY =3D> 3, + MON =3D> 4, + YEAR =3D> 5, + WDAY =3D> 6, + YDAY =3D> 7, + ISDST =3D> 8, + MONSTR =3D> 9 }; + + +############################################################################ +# Functions +############################################################################ + +sub get_log( $ ); + +#---------------------------------------------------------------------------= --- +# sub get_log( this ) +# +# Gets messages from the log files that relate to the URL filter. The data = is +# cached sot hat a second call does not process the logs again. +# +# Parameters: +# this message object +#---------------------------------------------------------------------------= --- + +sub get_log( $ ) +{ + my ($this) =3D @_; + + my $data =3D $this->cache( 'urlfilter' ); + return $data if (defined $data); + + my %info; + my $weeks =3D $this->get_number_weeks; + my @start_time =3D $this->get_period_start;; + my @end_time =3D $this->get_period_end; + + # Iterate over the log files + + foreach my $name (glob '/var/log/squidGuard/*\.log') + { + next if ($name =3D~ m/squidGuard.log/); + + # Iterate over old versions of the file + + for (my $filenum =3D $weeks ; $filenum >=3D 0 ; $filenum--) + { + my $filename =3D $filenum < 1 ? $name : "$name.$filenum"; + + if (-r "$filename.gz") + { + open IN, "gzip -dc $filename.gz |" or next; + } + elsif (-r $filename) + { + open IN, '<', $filename or next; + } + else + { + next; + } + + # Scan the file + + foreach my $line () + { + my ($year, $mon, $day, $hour) =3D split /[\s:-]+/, $line; + + # Check to see if we're within the specified limits. + # Note that the minutes and seconds may be incorrect, but since we o= nly deal + # in hour boundaries this doesn't matter. + + next if (($year < ($start_time[YEAR]+1900)) or + ($year =3D=3D ($start_time[YEAR]+1900) and $mon < ($start_t= ime[MON]+1)) or + ($year =3D=3D ($start_time[YEAR]+1900) and $mon =3D=3D ($sta= rt_time[MON]+1) and $day < $start_time[MDAY]) or + ($year =3D=3D ($start_time[YEAR]+1900) and $mon =3D=3D ($sta= rt_time[MON]+1) and $day =3D=3D $start_time[MDAY] and $hour < $start_time[HOU= R])); + + last if (($year > ($end_time[YEAR]+1900)) or + ($year =3D=3D ($end_time[YEAR]+1900) and $mon > ($end_time[= MON]+1)) or + ($year =3D=3D ($end_time[YEAR]+1900) and $mon =3D=3D ($end_t= ime[MON]+1) and $day > $end_time[MDAY]) or + ($year =3D=3D ($end_time[YEAR]+1900) and $mon =3D=3D ($end_t= ime[MON]+1) and $day =3D=3D $end_time[MDAY] and $hour > $end_time[HOUR])); + + # Is it an entry we're interested in? + + next unless ($line =3D~ m/Request/); + + # Process the entry + + if (my ($date, $time, $pid, $type, $destination, $client) =3D split = / /, $line) + { + $destination =3D~ s#^http://|^https://##; + $destination =3D~ s/\/.*$//; + $destination =3D~ s/:\d+$//; + my $site =3D substr( $destination, 0, 69 ); + $site .=3D "..." if (length( $destination ) > 69); + + my @category =3D split /\//, $type; + + my ($address, $name) =3D split "/", $client; + + $this->set_host_name( $address, $name ) unless ($address eq $name); + + $info{'client'}{$address}++; + $info{'destination'}{"$site||$category[1]"}++; + $info{'count'}++; + } + } + + close IN; + } + } + + $this->cache( 'urlfilter', \%info ); + + return \%info; +} + + +#---------------------------------------------------------------------------= --- +# sub clients( this, min_count ) +# +# Output information on the systems trying to access forbidden destinations. +# +# Parameters: +# this message object +# min_count don't output information on clients accessing less than this +# number of destinations +#---------------------------------------------------------------------------= --- + +sub clients( $$ ) +{ + my ($self, $min_count) =3D @_; + my @table; + + use Sort::Naturally; + + push @table, [ $Lang::tr{'urlfilter client'}, $Lang::tr{'count'} ]; + + my $stats =3D get_log( $self ); + + foreach my $client (sort { $$stats{'client'}{$b} <=3D> $$stats{'client'}{$= a} } keys %{ $$stats{'client'} } ) + { + my $count =3D $$stats{'client'}{$client}; + last if ($count < $min_count); + + my $host =3D $self->lookup_ip_address( $client ); + + $client .=3D "\n$host" if ($host); + + push @table, [ $client, $count ]; + } + + if (@table > 1) + { + $self->add_table( @table ); + + return 1; + } + + return 0; +} + + +#---------------------------------------------------------------------------= --- +# sub destinations( this, min_count ) +# +# Output information on the forbidden destinations being accessed. +# +# Parameters: +# this message object +# min_count don't output information on destinations accessed less than t= his +# number of times. +#---------------------------------------------------------------------------= --- + +sub destinations( $$ ) +{ + my ($self, $min_count) =3D @_; + my @table; + + use Sort::Naturally; + + push @table, [ $Lang::tr{'destination'}, $Lang::tr{'urlfilter category'}, = $Lang::tr{'count'} ]; + + my $stats =3D get_log( $self ); + + foreach my $key (sort { $$stats{'destination'}{$b} <=3D> $$stats{'destinat= ion'}{$a} } keys %{ $$stats{'destination'} } ) + { + my $count =3D $$stats{'destination'}{$key}; + last if ($count < $min_count); + + my ($destination, $category) =3D split /\|\|/, $key; + + push @table, [ $destination, $category, $count ]; + } + + if (@table > 1) + { + $self->add_table( @table ); + + return 1; + } + + return 0; +} + +1; --=20 2.16.4 --===============4329531753225037999==--