|
1
|
<?php
|
|
2
|
|
|
3
|
//set variables for log
|
|
4
|
$filter_logfile = "{$g['varlog_path']}/filter.log";
|
|
5
|
$nentries = 5;
|
|
6
|
$filterlog = conv_clog_filter($filter_logfile, $nentries);
|
|
7
|
|
|
8
|
/* AJAX related routines */
|
|
9
|
handle_ajax();
|
|
10
|
|
|
11
|
|
|
12
|
/* format filter logs */
|
|
13
|
function conv_clog_filter($logfile, $tail = 50) {
|
|
14
|
global $config, $nentries, $logfile;
|
|
15
|
|
|
16
|
$logfile = "/var/log/filter.log";
|
|
17
|
|
|
18
|
/* make interface/port table */
|
|
19
|
$iftable = array();
|
|
20
|
$iftable[$config['interfaces']['lan']['if']] = "LAN";
|
|
21
|
$iftable[get_real_wan_interface()] = "WAN";
|
|
22
|
for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++)
|
|
23
|
$iftable[$config['interfaces']['opt' . $i]['if']] = $config['interfaces']['opt' . $i]['descr'];
|
|
24
|
|
|
25
|
$sor = isset($config['syslog']['reverse']) ? "-r" : "";
|
|
26
|
|
|
27
|
$logarr = "";
|
|
28
|
exec("/usr/sbin/clog {$logfile} | /usr/bin/tail {$sor} -n {$tail}", $logarr);
|
|
29
|
|
|
30
|
$filterlog = array();
|
|
31
|
|
|
32
|
$counter = 0;
|
|
33
|
|
|
34
|
foreach ($logarr as $logent) {
|
|
35
|
|
|
36
|
if($counter > $nentries)
|
|
37
|
break;
|
|
38
|
|
|
39
|
$log_split = "";
|
|
40
|
|
|
41
|
preg_match("/(\b(?:\d{1,3}\.){3}\d{1,3}(\.\w+)?)\s.*\s(\b(?:\d{1,3}\.){3}\d{1,3}(\.\w+)?)/", $logent, $log_split);
|
|
42
|
|
|
43
|
$flent['src'] = convert_port_period_to_colon($log_split[1]);
|
|
44
|
$flent['dst'] = convert_port_period_to_colon($log_split[3]);
|
|
45
|
|
|
46
|
preg_match("/(.*)\s.*\spf:\s.*\srule\s(.*)\(match\)\:\s(.*)\s\w+\son\s(\w+)\:\s(.*)\s>\s(.*)\:\s.*/", $logent, $log_split);
|
|
47
|
|
|
48
|
$logent = strtoupper($logent);
|
|
49
|
|
|
50
|
$do_not_display = false;
|
|
51
|
|
|
52
|
if(stristr(strtoupper($logent), "UDP") == true)
|
|
53
|
$flent['proto'] = "UDP";
|
|
54
|
else if(stristr(strtoupper($logent), "TCP") == true)
|
|
55
|
$flent['proto'] = "TCP";
|
|
56
|
else if(stristr(strtoupper($logent), "ICMP") == true)
|
|
57
|
$flent['proto'] = "ICMP";
|
|
58
|
else if(stristr(strtoupper($logent), "HSRP") == true)
|
|
59
|
$flent['proto'] = "HSRP";
|
|
60
|
else if(stristr(strtoupper($logent), "ESP") == true)
|
|
61
|
$flent['proto'] = "ESP";
|
|
62
|
else if(stristr(strtoupper($logent), "AH") == true)
|
|
63
|
$flent['proto'] = "AH";
|
|
64
|
else if(stristr(strtoupper($logent), "GRE") == true)
|
|
65
|
$flent['proto'] = "GRE";
|
|
66
|
else if(stristr(strtoupper($logent), "IGMP") == true)
|
|
67
|
$flent['proto'] = "IGMP";
|
|
68
|
else if(stristr(strtoupper($logent), "CARP") == true)
|
|
69
|
$flent['proto'] = "CARP";
|
|
70
|
else if(stristr(strtoupper($logent), "PFSYNC") == true)
|
|
71
|
$flent['proto'] = "PFSYNC";
|
|
72
|
else
|
|
73
|
$flent['proto'] = "TCP";
|
|
74
|
|
|
75
|
$time_regex = "";
|
|
76
|
preg_match("/.*([0-9][0-9]:[0-9][0-9]:[0-9][0-9])/", $log_split[1], $time_regex);
|
|
77
|
$row_time = strtotime($time_regex[1]);
|
|
78
|
|
|
79
|
$flent['time'] = $row_time;
|
|
80
|
$flent['act'] = $log_split[3];
|
|
81
|
|
|
82
|
$friendly_int = convert_real_interface_to_friendly_interface_name($log_split[4]);
|
|
83
|
|
|
84
|
$flent['interface'] = strtoupper($friendly_int);
|
|
85
|
|
|
86
|
if($config['interfaces'][$friendly_int]['descr'] <> "")
|
|
87
|
$flent['interface'] = "{$config['interfaces'][$friendly_int]['descr']}";
|
|
88
|
|
|
89
|
$flent['src'] = convert_port_period_to_colon($log_split[5]);
|
|
90
|
$flent['dst'] = convert_port_period_to_colon($log_split[6]);
|
|
91
|
|
|
92
|
$flent['dst'] = str_replace(": NBT UDP PACKET(137)", "", $flent['dst']);
|
|
93
|
|
|
94
|
$tmp = split("/", $log_split[2]);
|
|
95
|
$flent['rulenum'] = $tmp[0];
|
|
96
|
|
|
97
|
$counter++;
|
|
98
|
$filterlog[] = $flent;
|
|
99
|
|
|
100
|
}
|
|
101
|
|
|
102
|
return $filterlog;
|
|
103
|
}
|
|
104
|
|
|
105
|
function convert_port_period_to_colon($addr) {
|
|
106
|
$addr_split = split("\.", $addr);
|
|
107
|
if($addr_split[4] == "")
|
|
108
|
$newvar = $addr_split[0] . "." . $addr_split[1] . "." . $addr_split[2] . "." . $addr_split[3];
|
|
109
|
else
|
|
110
|
$newvar = $addr_split[0] . "." . $addr_split[1] . "." . $addr_split[2] . "." . $addr_split[3] . ":" . $addr_split[4];
|
|
111
|
if($newvar == "...")
|
|
112
|
return $addr;
|
|
113
|
return $newvar;
|
|
114
|
}
|
|
115
|
|
|
116
|
function format_ipf_ip($ipfip) {
|
|
117
|
list($ip,$port) = explode(",", $ipfip);
|
|
118
|
if (!$port)
|
|
119
|
return $ip;
|
|
120
|
|
|
121
|
return $ip . ", port " . $port;
|
|
122
|
}
|
|
123
|
|
|
124
|
/* AJAX specific handlers */
|
|
125
|
function handle_ajax() {
|
|
126
|
if($_GET['getrulenum'] or $_POST['getrulenum']) {
|
|
127
|
if($_GET['getrulenum'])
|
|
128
|
$rulenum = $_GET['getrulenum'];
|
|
129
|
if($_POST['getrulenum'])
|
|
130
|
$rulenum = $_POST['getrulenum'];
|
|
131
|
$rule = `pfctl -vvsr | grep @{$rulenum}`;
|
|
132
|
echo "The rule that triggered this action is:\n\n{$rule}";
|
|
133
|
exit;
|
|
134
|
}
|
|
135
|
|
|
136
|
if($_GET['lastsawtime'] or $_POST['lastsawtime']) {
|
|
137
|
global $filter_logfile,$filterent;
|
|
138
|
if($_GET['lastsawtime'])
|
|
139
|
$lastsawtime = $_GET['lastsawtime'];
|
|
140
|
if($_POST['lastsawtime'])
|
|
141
|
$lastsawtime = $_POST['lastsawtime'];
|
|
142
|
/* compare lastsawrule's time stamp to filter logs.
|
|
143
|
* afterwards return the newer records so that client
|
|
144
|
* can update AJAX interface screen.
|
|
145
|
*/
|
|
146
|
$new_rules = "";
|
|
147
|
$filterlog = conv_clog_filter($filter_logfile, 50);
|
|
148
|
foreach($filterlog as $log_row) {
|
|
149
|
$time_regex = "";
|
|
150
|
preg_match("/.*([0-9][0-9]:[0-9][0-9]:[0-9][0-9])/", $log_row['time'], $time_regex);
|
|
151
|
$row_time = strtotime($time_regex[1]);
|
|
152
|
if (strstr(strtolower($log_row['act']), "p"))
|
|
153
|
$img = "<img border='0' src='/themes/metallic/images/icons/icon_pass.gif'>";
|
|
154
|
else if(strstr(strtolower($filterent['act']), "r"))
|
|
155
|
$img = "<img border='0' src='/themes/metallic/images/icons/icon_reject.gif'>";
|
|
156
|
else
|
|
157
|
$img = "<img border='0' src='/themes/metallic/images/icons/icon_block.gif'>";
|
|
158
|
//echo "{$time_regex[1]} - $row_time > $lastsawtime<p>";
|
|
159
|
if($row_time > $lastsawtime)
|
|
160
|
$new_rules .= "{$img}||{$log_row['time']}||{$log_row['interface']}||{$log_row['src']}||{$log_row['dst']}||{$log_row['proto']}||" . time() . "||\n";
|
|
161
|
}
|
|
162
|
echo $new_rules;
|
|
163
|
exit;
|
|
164
|
}
|
|
165
|
}
|
|
166
|
?>
|