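/**
 * Record one antivirus detection in the `antivirus_events` table.
 *
 * @param string $uri   Value stored in the `InfectedPath` column.
 * @param string $ip    Client address; replaced by GetComputerName($ip) before it is stored.
 * @param string $virus Detection name; "+" is turned into a space and the value is trimmed.
 * @return void
 */
function Builsql($uri, $ip, $virus)
{
    $virus = trim(str_replace("+", " ", $virus));

    // Row identifier, computed from the raw values before any SQL escaping.
    $md5 = md5(time() . "{$uri},{$ip},{$virus}");
    $ip = GetComputerName($ip);

    // Every value below is interpolated into a quoted SQL literal. The URI and
    // the detection name presumably originate from scanned traffic, so a quote
    // in either one would otherwise terminate the literal and change the
    // statement. addslashes() is the escaping this file already uses; it is not
    // charset-aware, so a driver-level escape or a prepared statement is the
    // better fix if the mysql wrapper offers one.
    $sqlVirus = addslashes((string) $virus);
    $sqlUri = addslashes((string) $uri);
    $sqlHost = addslashes((string) $ip);

    $sql = "INSERT INTO `antivirus_events` (`zDate`, `TaskName`, `email`, `VirusName`, `InfectedPath`, `ComputerName`, `zmd5`) \n\tVALUES (NOW(), 'HTTP Scan', 0, '{$sqlVirus}', '{$sqlUri}', '{$sqlHost}', '{$md5}')";

    $q = new mysql();
    $q->QUERY_SQL($sql, "artica_events");
    if (!$q->ok) {
        // Keep both the driver error and the statement for troubleshooting.
        events($q->mysql_error);
        events($sql);
        return;
    }

    events("Virus {$virus} found from {$uri} to {$ip}");
}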
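/**
 * Turn one proxy access record into a spooled SQL value tuple and refresh the
 * real-time cache.
 *
 * Side effects visible in this function:
 *  - writes "(…)" value tuples to /var/log/artica-postfix/dansguardian-stats2/<md5>.sql,
 *  - writes one serialized site descriptor per new site to dansguardian-stats3/,
 *  - rewrites /etc/artica-postfix/squid-realtime.cache (base64 of a serialized array),
 *  - resolves the destination host with gethostbyname() and, when available, GeoIP.
 *
 * @param string      $CLIENT     Client identifier (trimmed before use).
 * @param string|null $username   User name; looked up with GetComputerName() when empty.
 * @param string      $uri        Requested URI; the site name is extracted from it.
 * @param string|int  $code_error Status code, mapped to a label through the table below.
 * @param int|string  $size       Transfer size; empty values become 0.
 * @param string      $time       Time of day appended to today's date.
 * @param mixed       $cached     Stored as-is in the tuple.
 * @param string|null $mac        Client MAC address.
 * @return false|null false when no site name can be extracted from $uri, otherwise nothing.
 */
function Builsql($CLIENT, $username = null, $uri, $code_error, $size = 0, $time, $cached, $mac = null)
{
    $squid_error = array(
        "100" => "Continue",
        "101" => "Switching Protocols",
        "102" => "Processing",
        "200" => "Pass",
        "201" => "Created",
        "202" => "Accepted",
        "203" => "Non-Authoritative Information",
        "204" => "No Content",
        "205" => "Reset Content",
        "206" => "Partial Content",
        "207" => "Multi Status",
        "300" => "Multiple Choices",
        "301" => "Moved Permanently",
        "302" => "Moved Temporarily",
        "303" => "See Other",
        "304" => "Not Modified",
        "305" => "Use Proxy",
        "307" => "Temporary Redirect",
        "400" => "Bad Request",
        "401" => "Unauthorized",
        "402" => "Payment Required",
        "403" => "Forbidden",
        "404" => "Not Found",
        "405" => "Method Not Allowed",
        "406" => "Not Acceptable",
        "407" => "Proxy Authentication Required",
        "408" => "Request Timeout",
        "409" => "Conflict",
        "410" => "Gone",
        "411" => "Length Required",
        "412" => "Precondition Failed",
        "413" => "Request Entity Too Large",
        "414" => "Request URI Too Large",
        "415" => "Unsupported Media Type",
        "416" => "Request Range Not Satisfiable",
        "417" => "Expectation Failed",
        // The original assigned key "424" twice, so "Locked" was never reachable.
        "423" => "Locked",
        "424" => "Failed Dependency",
        "433" => "Unprocessable Entity",
        "500" => "Internal Server Error",
        "501" => "Not Implemented",
        "502" => "Bad Gateway",
        "503" => "Service Unavailable",
        "504" => "Gateway Timeout",
        "505" => "HTTP Version Not Supported",
        "507" => "Insufficient Storage",
        "600" => "Squid header parsing error",
    );

    if (!preg_match("#^(?:[^/]+://)?([^/:]+)#", $uri, $re)) {
        events("dansguardian-stats2:: unable to extract domain name from {$uri}");
        return false;
    }
    $sitename = $re[1];
    if (preg_match("#^www\\.(.+)#", $sitename, $ri)) {
        $sitename = $ri[1];
    }

    // Unknown codes keep the original outcome (an empty label) without a notice.
    $TYPE = isset($squid_error[$code_error]) ? $squid_error[$code_error] : null;
    $REASON = $TYPE;
    $CLIENT = trim($CLIENT);
    $date = date('Y-m-d') . " " . $time;
    $Country = null;
    $geoerror = null;

    if ($username == null) {
        // The original passed an undefined $ip here; $CLIENT is the only client
        // address this function receives. NOTE(review): confirm against callers.
        $username = GetComputerName($CLIENT);
    }
    if ($size == null) {
        $size = 0;
    }

    // Per-process DNS cache. The lookup is made for a name taken from the
    // logged URI, so it is both blocking and driven by request data.
    if (!isset($GLOBALS["IPs"][$sitename]) || trim($GLOBALS["IPs"][$sitename]) == null) {
        $site_IP = trim(gethostbyname($sitename));
        $GLOBALS["IPs"][$sitename] = $site_IP;
    } else {
        $site_IP = $GLOBALS["IPs"][$sitename];
    }

    // The original tested $_GET here, so the $GLOBALS caches were never pruned
    // and grew with every distinct site seen.
    if (isset($GLOBALS["IPs"]) && count($GLOBALS["IPs"]) > 5000) {
        unset($GLOBALS["IPs"]);
    }
    if (isset($GLOBALS["COUNTRIES"]) && count($GLOBALS["COUNTRIES"]) > 5000) {
        unset($GLOBALS["COUNTRIES"]);
    }

    if (!isset($GLOBALS["COUNTRIES"][$site_IP]) || trim($GLOBALS["COUNTRIES"][$site_IP]) == null) {
        if (function_exists("geoip_record_by_name")) {
            if ($site_IP == null) {
                $site_IP = $sitename;
            }
            $record = @geoip_record_by_name($site_IP);
            if ($record) {
                $Country = $record["country_name"];
                $GLOBALS["COUNTRIES"][$site_IP] = $Country;
            }
        } else {
            $geoerror = "geoip_record_by_name no such function...";
        }
    } else {
        $Country = $GLOBALS["COUNTRIES"][$site_IP];
    }

    $zMD5 = md5("{$uri}{$date}{$CLIENT}{$username}{$TYPE}{$Country}{$site_IP}");

    // The original passed decimal 600 (octal 1130) as the mode. These spools
    // hold per-client browsing records, so they are created owner/group only.
    if (!is_dir("/var/log/artica-postfix/dansguardian-stats2")) {
        @mkdir("/var/log/artica-postfix/dansguardian-stats2", 0750, true);
    }
    if (!is_dir("/var/log/artica-postfix/dansguardian-stats3")) {
        @mkdir("/var/log/artica-postfix/dansguardian-stats3", 0750, true);
    }

    if (empty($GLOBALS["SINGLE_SITE"][$sitename])) {
        $filewebsite = "/var/log/artica-postfix/dansguardian-stats3/" . md5($sitename);
        $filewebsite_array = array("sitename" => $sitename, "country" => $Country, "ipaddr" => $site_IP);
        $filecontent = serialize($filewebsite_array);
        if (!is_file($filewebsite)) {
            events("{$date} dansguardian-stats3:: " . basename($filewebsite) . " -> \"sitename\"=>{$sitename},\"country\"=>{$Country},\"ipaddr\"=>{$site_IP} (" . __LINE__ . ")");
            @file_put_contents($filewebsite, $filecontent);
            if (is_file($filewebsite)) {
                $GLOBALS["SINGLE_SITE"][$sitename] = true;
            }
            $analyzed = isset($GLOBALS["SINGLE_SITE"]) ? count($GLOBALS["SINGLE_SITE"]) : 0;
            events("{$date} dansguardian-stats3:: " . $analyzed . " analyzed websites");
        }
    }
    if (isset($GLOBALS["SINGLE_SITE"]) && count($GLOBALS["SINGLE_SITE"]) > 1500) {
        unset($GLOBALS["SINGLE_SITE"]);
    }

    events("{$date} dansguardian-stats2:: {$REASON}:: [{$mac}]{$CLIENT} ({$username}) -> {$sitename} ({$site_IP}) Country={$Country} ({$geoerror}) REASON:\"{$REASON}\" TYPE::\"{$TYPE}\" size={$size} (" . __LINE__ . ")");

    // $uri and $Country are stored escaped in the real-time cache as before.
    $uri = addslashes((string) $uri);
    $Country = addslashes((string) $Country);

    // The tuple is replayed later as part of an INSERT, so every value that can
    // carry request data is escaped, not only the URI and the country. The site
    // name in particular is cut out of the URI by a pattern that allows quotes.
    $sqlValues = array(
        addslashes((string) $sitename),
        $uri,
        $TYPE,
        $REASON,
        addslashes((string) $CLIENT),
        addslashes((string) $date),
        $zMD5,
        addslashes((string) $site_IP),
        $Country,
        addslashes((string) $size),
        addslashes((string) $username),
        addslashes((string) $cached),
        addslashes((string) $mac),
    );
    $sql = "('" . implode("','", $sqlValues) . "')";
    @file_put_contents("/var/log/artica-postfix/dansguardian-stats2/{$zMD5}.sql", $sql);

    if (isset($GLOBALS["RTIME"]) && count($GLOBALS["RTIME"]) > 500) {
        unset($GLOBALS["RTIME"]);
    }
    $GLOBALS["RTIME"][] = array($sitename, $uri, $TYPE, $REASON, $CLIENT, $date, $zMD5, $site_IP, $Country, $size, $username, $mac);

    // NOTE(review): this cache is a serialized PHP value; whatever reads it back
    // should treat the file as data only (no class instantiation on load).
    @file_put_contents("/etc/artica-postfix/squid-realtime.cache", base64_encode(serialize($GLOBALS["RTIME"])));
}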
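/**
 * Split one helper input line into login, client address, MAC, host and URI.
 *
 * The result is also stored in $GLOBALS["CACHE_URI"] under md5($url).
 * NOTE(review): that cache has no size cap in this function, so a long-running
 * process keeps one entry per distinct input line.
 *
 * @param string $url Raw input line.
 * @return array Keys: LOGIN, IPADDR, MAC, HOST, URI, RHOST.
 */
function parseURL($url)
{
    $uri = null;
    // Initialised up front: several branches below never assign these, and the
    // original then read them while undefined.
    $rhost = null;
    $login = null;
    $ipaddr = null;
    $mac = null;
    $forwarded = null;

    if ($GLOBALS["DEBUG_LEVEL"] > 1) {
        WLOG("parseURL():: Analyze [{$url}]");
    }
    $md5 = md5($url);

    // Sample lines for the three fixed patterns below:
    //   10.0.0.32 00:1e:8c:a5:39:19 - crash-
    //   10.0.0.76 00:25:22:73:31:d5 -
    //   10.0.0.60 00:1d:92:70:96:70 - fbexternal-a.akamaihd.net:443
    if (preg_match("#([0-9\\.]+)\\s+([0-9\\:a-z]+)\\s+-(.+?):([0-9]+)\$#", $url, $re)) {
        $GLOBALS["CACHE_URI"][$md5] = array(
            "LOGIN" => null,
            "IPADDR" => $re[1],
            "MAC" => $re[2],
            "HOST" => GetComputerName($re[1]),
            "URI" => null,
            "RHOST" => $re[3],
        );
        return $GLOBALS["CACHE_URI"][$md5];
    }
    if (preg_match("#([0-9\\.]+)\\s+([0-9\\:a-z]+)\\s+-\$#", $url, $re)) {
        $GLOBALS["CACHE_URI"][$md5] = array(
            "LOGIN" => null,
            "IPADDR" => $re[1],
            "MAC" => $re[2],
            "HOST" => GetComputerName($re[1]),
            "URI" => null,
            "RHOST" => null,
        );
        return $GLOBALS["CACHE_URI"][$md5];
    }
    if (preg_match("#([0-9\\.]+)\\s+([0-9\\:a-z]+)\\s+-\\s+([a-z]+)-\$#", $url, $re)) {
        $GLOBALS["CACHE_URI"][$md5] = array(
            "LOGIN" => null,
            "IPADDR" => $re[1],
            "MAC" => $re[2],
            "HOST" => GetComputerName($re[1]),
            "URI" => null,
            "RHOST" => $re[3],
        );
        return $GLOBALS["CACHE_URI"][$md5];
    }

    // Cut a full URL out of the line; what remains are the identity tokens.
    if (preg_match("#(http|ftp|https|ftps):\\/\\/(.*)#i", $url, $re)) {
        $uri = $re[1] . "://" . $re[2];
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("found uri {$uri}");
        }
        $url = trim(str_replace($uri, "", $url));
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("Analyze {$url}");
        }
    }
    if ($uri == null) {
        // No scheme: accept a trailing host:port and treat it as http.
        if (preg_match("#([a-z0-9\\.]+):([0-9]+)\$#i", $url, $re)) {
            $uri = "http://" . $re[1] . ":" . $re[2];
            if ($GLOBALS["DEBUG_LEVEL"] > 1) {
                WLOG("found uri {$uri}");
            }
            $url = trim(str_replace($re[1] . ":" . $re[2], "", $url));
            if ($GLOBALS["DEBUG_LEVEL"] > 1) {
                WLOG("Analyze \"{$url}\"");
            }
        }
    }
    if ($uri != null) {
        $URLAR = parse_url($uri);
        if (isset($URLAR["host"])) {
            $rhost = $URLAR["host"];
        }
    }

    if (isset($GLOBALS["CACHE_URI"][$md5])) {
        return $GLOBALS["CACHE_URI"][$md5];
    }

    $tr = explode(" ", $url);
    if ($GLOBALS["DEBUG_LEVEL"] > 1) {
        // foreach replaces each(), which no longer exists in PHP 8.
        foreach ($tr as $index => $line) {
            WLOG("tr[{$index}] = {$line}");
        }
    }

    // Four tokens is the longest form: login, address, MAC, forwarded value.
    if (count($tr) == 4) {
        WLOG("count --> 4");
        $login = $tr[0];
        $ipaddr = $tr[1];
        $mac = $tr[2];
        $forwarded = $tr[3];
        if (isset($tr[4])) {
            $uri = $tr[4];
        }
        if ($mac == "00:00:00:00:00:00") {
            $mac = null;
        }
        // NOTE(review): the forwarded token replaces the connection address.
        // If it is a client-supplied header (presumably X-Forwarded-For), the
        // client chooses the address it is attributed to; only honour it when
        // it was set by a trusted upstream proxy.
        if (preg_match("#^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\$#", $forwarded)) {
            $ipaddr = $forwarded;
        }
        if ($mac == null) {
            $mac = GetMacFromIP($ipaddr);
        }
        if ($mac == "00:00:00:00:00:00") {
            $mac = null;
        }
        $GLOBALS["CACHE_URI"][$md5]["LOGIN"] = $login;
        $GLOBALS["CACHE_URI"][$md5]["IPADDR"] = $ipaddr;
        $GLOBALS["CACHE_URI"][$md5]["MAC"] = $mac;
        $GLOBALS["CACHE_URI"][$md5]["HOST"] = GetComputerName($ipaddr);
        $GLOBALS["CACHE_URI"][$md5]["URI"] = $uri;
        $GLOBALS["CACHE_URI"][$md5]["RHOST"] = $rhost;
        return $GLOBALS["CACHE_URI"][$md5];
    }

    if (count($tr) == 3) {
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("count --> 3");
        }
        if (preg_match("#^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\$#", $tr[0])) {
            // Address first: the second token is the MAC and there is no login.
            $login = null;
            $ipaddr = $tr[0];
            $mac = $tr[1];
            $forwarded = $tr[2];
            if (isset($tr[3])) {
                $uri = $tr[3];
            }
        } else {
            // Login first: no MAC token in this form.
            $login = $tr[0];
            $ipaddr = $tr[1];
            $forwarded = $tr[2];
            if (isset($tr[3])) {
                $uri = $tr[3];
            }
        }
        if ($mac == "00:00:00:00:00:00") {
            $mac = null;
        }
        // NOTE(review): as written ("\[" where the 4-token branch has "\."),
        // this pattern cannot match a dotted quad, so the forwarded value is
        // never applied here. Left unchanged on purpose: correcting it widens
        // the trust placed in the forwarded token (see the 4-token branch).
        if (preg_match("#[0-9]+\\[0-9]+\\.[0-9]+\\.[0-9]+#", $forwarded)) {
            $ipaddr = $forwarded;
        }
        if ($mac == null) {
            $mac = GetMacFromIP($ipaddr);
        }
        if ($mac == "00:00:00:00:00:00") {
            $mac = null;
        }
        $GLOBALS["CACHE_URI"][$md5]["LOGIN"] = $login;
        $GLOBALS["CACHE_URI"][$md5]["IPADDR"] = $ipaddr;
        $GLOBALS["CACHE_URI"][$md5]["MAC"] = $mac;
        $GLOBALS["CACHE_URI"][$md5]["HOST"] = GetComputerName($ipaddr);
        $GLOBALS["CACHE_URI"][$md5]["URI"] = $uri;
        $GLOBALS["CACHE_URI"][$md5]["RHOST"] = $rhost;
        return $GLOBALS["CACHE_URI"][$md5];
    }

    if (count($tr) == 2) {
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("count --> 2");
        }
        // Neither login nor MAC in this form.
        $login = null;
        $ipaddr = $tr[0];
        $mac = null;
        $forwarded = $tr[1];
        if (isset($tr[2])) {
            $uri = $tr[2];
        }
        // Same non-matching pattern as in the 3-token branch; see the note there.
        if (preg_match("#[0-9]+\\[0-9]+\\.[0-9]+\\.[0-9]+#", $forwarded)) {
            $ipaddr = $forwarded;
        }
    }

    // Reached for the 2-token form and for any other token count.
    if ($mac == null) {
        $mac = GetMacFromIP($ipaddr);
    } else {
        if ($mac == "00:00:00:00:00:00") {
            $mac = null;
            $mac = GetMacFromIP($ipaddr);
        }
    }
    if ($mac == "00:00:00:00:00:00") {
        $mac = null;
    }
    $GLOBALS["CACHE_URI"][$md5]["LOGIN"] = $login;
    $GLOBALS["CACHE_URI"][$md5]["IPADDR"] = $ipaddr;
    $GLOBALS["CACHE_URI"][$md5]["MAC"] = $mac;
    $GLOBALS["CACHE_URI"][$md5]["HOST"] = GetComputerName($ipaddr);
    $GLOBALS["CACHE_URI"][$md5]["URI"] = $uri;
    $GLOBALS["CACHE_URI"][$md5]["RHOST"] = $rhost;
    return $GLOBALS["CACHE_URI"][$md5];
}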
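/**
 * Import per-user traffic records from the squid-usersize spool into UserSizeRTT.
 *
 * The function is currently disabled: it returns on its first statement and
 * none of the code below runs. The body is kept, with its SQL escaping and
 * handle management corrected, so that removing the early return does not
 * bring the old defects back.
 *
 * @return void
 */
function ParseUsersSize()
{
    return;

    $f = array();
    $unix = new unix();
    $hostname = $unix->hostname_g();
    $php5 = $unix->LOCATE_PHP5_BIN();

    if (function_exists("system_is_overloaded")) {
        if (system_is_overloaded()) {
            return;
        }
    }

    $q = new mysql_squid_builder();
    $q->CreateUserSizeRTTTable();
    if (!$q->TABLE_EXISTS("UserSizeRTT")) {
        ufdbguard_admin_events("Fatal:{$hostname} UserSizeRTT no such table, die();", __FUNCTION__, __FILE__, __LINE__, "stats");
        return;
    }

    // Create the spool directory when missing, then open it once. The original
    // opened it twice and never closed either handle.
    if (!is_dir("/var/log/artica-postfix/squid-usersize")) {
        @mkdir("/var/log/artica-postfix/squid-usersize", 0755, true);
    }
    $handle = @opendir("/var/log/artica-postfix/squid-usersize");
    if (!$handle) {
        ufdbguard_admin_events("Fatal:{$hostname} /var/log/artica-postfix/squid-usersize no such directory", __FUNCTION__, __FILE__, __LINE__, "stats");
        return;
    }

    $prefix = "INSERT IGNORE INTO UserSizeRTT (`zMD5`,`uid`,`zdate`,`ipaddr`,`hostname`,`account`,`MAC`,`UserAgent`,`size`) VALUES";
    $countDeFiles = 0;

    while (false !== ($filename = readdir($handle))) {
        if ($filename == "." || $filename == "..") {
            continue;
        }
        $targetFile = "/var/log/artica-postfix/squid-usersize/{$filename}";
        $countDeFiles++;
        $account = 0;

        // NOTE(review): unserialize() on spool file content. If anything less
        // privileged than this process can write to the spool directory, this
        // is an object-injection surface; restrict it with
        // array('allowed_classes' => false) on PHP >= 7 or move the spool to JSON.
        $array = unserialize(@file_get_contents($targetFile));
        if (!is_array($array)) {
            @unlink($targetFile);
            continue;
        }

        $time = $array["TIME"];
        $md5 = $array["MD5"];
        // Records without an identifier or a usable timestamp are dropped.
        if ($md5 == null || !is_numeric($time) || $time == 0) {
            @unlink($targetFile);
            continue;
        }
        $zdate = date("Y-m-d H:i:s", (int) $time);
        $md5 = md5($md5 . $time);

        $uid = $array["uid"];
        if ($uid == "-") {
            $uid = null;
        }
        $ipaddr = $array["IP"];
        $MAC = $array["MAC"];
        if (!__IsPhysicalAddress($MAC)) {
            $MAC = null;
        }
        // Kept separate from $hostname: the original overwrote this machine's
        // name with the record's, so later "Fatal:" messages named the wrong host.
        $recordHost = $array["HOSTNAME"];
        $UserAgent = $array["UGNT"];
        if (strlen((string) $UserAgent) < 2) {
            $UserAgent = null;
        }
        $size = $array["SIZE"];
        if ($size == 0) {
            @unlink($targetFile);
            continue;
        }
        if ($recordHost == null) {
            $recordHost = GetComputerName($ipaddr);
        }
        if ($MAC != null && $uid == null) {
            $uid = $q->UID_FROM_MAC($MAC);
        }
        if ($ipaddr != null && $uid == null) {
            $uid = $q->UID_FROM_IP($ipaddr);
        }
        if (strlen((string) $UserAgent) < 3) {
            $UserAgent = null;
        }
        if (strlen((string) $uid) < 3) {
            $uid = null;
        }

        // User name, host name and User-Agent are request-derived; escape every
        // value that goes into the quoted tuple.
        $row = "('" . implode("','", array(
            $md5,
            addslashes((string) $uid),
            $zdate,
            addslashes((string) $ipaddr),
            addslashes((string) $recordHost),
            $account,
            addslashes((string) $MAC),
            addslashes((string) $UserAgent),
            addslashes((string) $size),
        )) . "')";

        if ($GLOBALS["VERBOSE"]) {
            echo "{$row}\n";
        }
        $f[] = $row;
        @unlink($targetFile);
    }
    closedir($handle);

    if (count($f) > 0) {
        $q->QUERY_SQL("{$prefix} " . @implode(",", $f));
        shell_exec("{$php5} /usr/share/artica-postfix/exec.squid.quotasbuild.php");
        if (!$q->ok) {
            events("Fatal:{$hostname} {$q->mysql_error}");
            ufdbguard_admin_events("Fatal:{$hostname} {$q->mysql_error}", __FUNCTION__, __FILE__, __LINE__, "stats");
        }
    }
    events("Closing... /var/log/artica-postfix/squid-usersize/ ({$countDeFiles} files scanned)");
}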
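/**
 * Split one helper input line into login, client address, MAC, host and URI.
 *
 * Parsed results are kept serialized in $GLOBALS["CACHE_URI"] under md5($url)
 * and returned from there on a repeat call.
 * NOTE(review): that cache has no size cap in this function, so a long-running
 * process keeps one entry per distinct input line.
 *
 * @param string $url          Raw input line.
 * @param bool   $return_rhost When true, return only the remote host where the
 *                             cache hit or the CATZ-EXTRN branch can provide it.
 * @return array|string|null Parsed fields (LOGIN, IPADDR, MAC, HOST, URI, RHOST
 *                           and, when found, RULE_ID), or the remote host alone.
 */
function parseURL($url, $return_rhost = false)
{
    $uri = null;
    // Initialised up front: several branches below never assign these, and the
    // original then read them while undefined.
    $rhost = null;
    $login = null;
    $ipaddr = null;
    $mac = null;
    $forwarded = null;
    $md5 = md5($url);
    $MAIN_ARRAY = array();

    if (isset($GLOBALS["CACHE_URI"][$md5])) {
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("MEMORY {$md5} " . strlen($GLOBALS["CACHE_URI"][$md5]) . " [" . __LINE__ . "]");
        }
        // The cached string was produced by serialize() in this function.
        if ($return_rhost) {
            $a = unserialize($GLOBALS["CACHE_URI"][$md5]);
            if ($GLOBALS["DEBUG_LEVEL"] > 1) {
                WLOG("RETURN MEMORY {$md5} [" . __LINE__ . "]");
            }
            return $a["RHOST"];
        }
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("RETURN MEMORY {$md5} [" . __LINE__ . "]");
        }
        return unserialize($GLOBALS["CACHE_URI"][$md5]);
    }

    if ($GLOBALS["DEBUG_LEVEL"] > 1) {
        WLOG("\n -----------------------------------------------------\n");
    }
    if ($GLOBALS["DEBUG_LEVEL"] > 1) {
        WLOG("parseURL():: Analyze {$url} /CATZ = {$GLOBALS["CATZ-EXTRN"]} [" . __LINE__ . "]");
    }

    if ($GLOBALS["CATZ-EXTRN"] > 0) {
        // Fixed layout in this mode: address, MAC, one ignored token, target.
        $tr = explode(" ", $url);
        $target = isset($tr[3]) ? $tr[3] : null;
        $MAIN_ARRAY["LOGIN"] = null;
        $MAIN_ARRAY["IPADDR"] = $tr[0];
        $MAIN_ARRAY["MAC"] = isset($tr[1]) ? $tr[1] : null;
        $MAIN_ARRAY["HOST"] = GetComputerName($tr[0]);
        $MAIN_ARRAY["URI"] = $target;
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("parseURL():: Analyze RHOST = {$target} [" . __LINE__ . "]");
        }
        if (preg_match("#^(.*?):([0-9]+)\$#i", (string) $target, $re)) {
            $MAIN_ARRAY["RHOST"] = $re[1];
            if ($GLOBALS["DEBUG_LEVEL"] > 1) {
                WLOG("parseURL():: FOUND RHOST = {$MAIN_ARRAY["RHOST"]} [" . __LINE__ . "]");
            }
            if ($return_rhost) {
                return $re[1];
            }
            $GLOBALS["CACHE_URI"][$md5] = serialize($MAIN_ARRAY);
            return $MAIN_ARRAY;
        }
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("parseURL():: {$target} != ^([a-z0-9\\.]+):([0-9]+) [" . __LINE__ . "]");
        }
        if (preg_match("#^http.*?:#", (string) $target)) {
            $URLAR = parse_url($target);
            if (isset($URLAR["host"])) {
                $MAIN_ARRAY["RHOST"] = $URLAR["host"];
                if ($GLOBALS["DEBUG_LEVEL"] > 1) {
                    WLOG("parseURL():: FOUND RHOST = {$MAIN_ARRAY["RHOST"]} [" . __LINE__ . "]");
                }
                if ($return_rhost) {
                    // The original returned $re[1] here, left over from the
                    // pattern that had just failed to match, so the caller
                    // received an empty value instead of the host.
                    return $MAIN_ARRAY["RHOST"];
                }
                $GLOBALS["CACHE_URI"][$md5] = serialize($MAIN_ARRAY);
                return $MAIN_ARRAY;
            }
        }
    }

    if ($GLOBALS["DEBUG_LEVEL"] > 1) {
        WLOG("parseURL():: Analyze {$url} [" . __LINE__ . "]");
    }

    // "- <host> ID<n>": remember the rule id and strip the fragment.
    if (preg_match("#-\\s+(.+?)\\s+ID([0-9]+)#", $url, $re)) {
        $GLOBALS["RULE_ID"] = $re[2];
        $url = str_replace($re[0], "", $url);
        if (preg_match("#(.+?):([0-9]+)#", $re[1], $ri)) {
            $re[1] = $ri[1];
        }
        $MAIN_ARRAY["RHOST"] = $re[1];
        $MAIN_ARRAY["RULE_ID"] = $re[2];
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("parseURL()::found ID:{$GLOBALS["RULE_ID"]} remote host={$re[1]} [" . __LINE__ . "]");
        }
    }
    // "- ID<n>" without a host.
    if (preg_match("#-\\s+ID([0-9]+)#", $url, $re)) {
        $GLOBALS["RULE_ID"] = $re[1];
        $MAIN_ARRAY["RULE_ID"] = $re[1];
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("parseURL()::found ID:{$GLOBALS["RULE_ID"]} [" . __LINE__ . "]");
        }
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("parseURL()::Analyze {$re[0]} [" . __LINE__ . "]");
        }
        $url = str_replace($re[0], "", $url);
    }

    // Cut a full URL out of the line; what remains are the identity tokens.
    if (preg_match("#(http|ftp|https|ftps):\\/\\/(.*)#i", $url, $re)) {
        $uri = $re[1] . "://" . $re[2];
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("parseURL()::found uri {$uri} [" . __LINE__ . "]");
        }
        $url = trim(str_replace($uri, "", $url));
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("parseURL()::Analyze {$url} [" . __LINE__ . "]");
        }
    }
    if ($uri == null) {
        if (preg_match("#^(.*?):([0-9]+)\$#i", $url, $re)) {
            $uri = "http://" . $re[1];
            if ($GLOBALS["DEBUG_LEVEL"] > 1) {
                WLOG("parseURL()::found uri {$uri} [" . __LINE__ . "]");
            }
            $url = trim(str_replace($re[1] . ":" . $re[2], "", $url));
            if ($GLOBALS["DEBUG_LEVEL"] > 1) {
                WLOG("parseURL()::Analyze \"{$url}\" [" . __LINE__ . "]");
            }
        }
    }
    if ($uri != null) {
        $URLAR = parse_url($uri);
        if (isset($URLAR["host"])) {
            $rhost = $URLAR["host"];
        }
    }

    $tr = explode(" ", $url);
    if ($GLOBALS["DEBUG_LEVEL"] > 1) {
        // foreach replaces each(), which no longer exists in PHP 8.
        foreach ($tr as $index => $line) {
            WLOG("parseURL()::tr[{$index}] = {$line}");
        }
    }

    // Four tokens is the longest form: login, address, MAC, forwarded value.
    if (count($tr) == 4) {
        $login = $tr[0];
        $ipaddr = $tr[1];
        $mac = $tr[2];
        $forwarded = $tr[3];
        if (isset($tr[4])) {
            $uri = $tr[4];
        }
        if ($mac == "00:00:00:00:00:00") {
            $mac = null;
        }
        // NOTE(review): the forwarded token replaces the connection address.
        // If it is a client-supplied header (presumably X-Forwarded-For), the
        // client chooses the address it is attributed to; only honour it when
        // it was set by a trusted upstream proxy.
        if (preg_match("#^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\$#", $forwarded)) {
            $ipaddr = $forwarded;
        }
        if ($mac == null) {
            $mac = GetMacFromIP($ipaddr);
        }
        if ($mac == "00:00:00:00:00:00") {
            $mac = null;
        }
        $MAIN_ARRAY["LOGIN"] = $login;
        $MAIN_ARRAY["IPADDR"] = $ipaddr;
        $MAIN_ARRAY["MAC"] = $mac;
        $MAIN_ARRAY["HOST"] = GetComputerName($ipaddr);
        $MAIN_ARRAY["URI"] = $uri;
        $MAIN_ARRAY["RHOST"] = $rhost;
        $GLOBALS["CACHE_URI"][$md5] = serialize($MAIN_ARRAY);
        return $MAIN_ARRAY;
    }

    if (count($tr) == 3) {
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("parseURL()::count --> 3");
        }
        if (preg_match("#^[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+\$#", $tr[0])) {
            // Address first: the second token is the MAC and there is no login.
            $login = null;
            $ipaddr = $tr[0];
            $mac = $tr[1];
            $forwarded = $tr[2];
            if (isset($tr[3])) {
                $uri = $tr[3];
            }
        } else {
            // Login first: no MAC token in this form.
            $login = $tr[0];
            $ipaddr = $tr[1];
            $forwarded = $tr[2];
            if (isset($tr[3])) {
                $uri = $tr[3];
            }
        }
        if ($mac == "00:00:00:00:00:00") {
            $mac = null;
        }
        // NOTE(review): as written ("\[" where the 4-token branch has "\."),
        // this pattern cannot match a dotted quad, so the forwarded value is
        // never applied here. Left unchanged on purpose: correcting it widens
        // the trust placed in the forwarded token (see the 4-token branch).
        if (preg_match("#[0-9]+\\[0-9]+\\.[0-9]+\\.[0-9]+#", $forwarded)) {
            $ipaddr = $forwarded;
        }
        if ($mac == null) {
            $mac = GetMacFromIP($ipaddr);
        }
        if ($mac == "00:00:00:00:00:00") {
            $mac = null;
        }
        $MAIN_ARRAY["LOGIN"] = $login;
        $MAIN_ARRAY["IPADDR"] = $ipaddr;
        $MAIN_ARRAY["MAC"] = $mac;
        $MAIN_ARRAY["HOST"] = GetComputerName($ipaddr);
        $MAIN_ARRAY["URI"] = $uri;
        $MAIN_ARRAY["RHOST"] = $rhost;
        $GLOBALS["CACHE_URI"][$md5] = serialize($MAIN_ARRAY);
        return $MAIN_ARRAY;
    }

    if (count($tr) == 2) {
        if ($GLOBALS["DEBUG_LEVEL"] > 1) {
            WLOG("parseURL()::count --> 2");
        }
        // Neither login nor MAC in this form.
        $login = null;
        $ipaddr = $tr[0];
        $mac = null;
        $forwarded = $tr[1];
        if (isset($tr[2])) {
            $uri = $tr[2];
        }
        // Same non-matching pattern as in the 3-token branch; see the note there.
        if (preg_match("#[0-9]+\\[0-9]+\\.[0-9]+\\.[0-9]+#", $forwarded)) {
            $ipaddr = $forwarded;
        }
    }

    // Reached for the 2-token form and for any other token count.
    if ($mac == null) {
        $mac = GetMacFromIP($ipaddr);
    } else {
        if ($mac == "00:00:00:00:00:00") {
            $mac = null;
            $mac = GetMacFromIP($ipaddr);
        }
    }
    if ($mac == "00:00:00:00:00:00") {
        $mac = null;
    }
    $MAIN_ARRAY["LOGIN"] = $login;
    $MAIN_ARRAY["IPADDR"] = $ipaddr;
    $MAIN_ARRAY["MAC"] = $mac;
    $MAIN_ARRAY["HOST"] = GetComputerName($ipaddr);
    $MAIN_ARRAY["URI"] = $uri;
    $MAIN_ARRAY["RHOST"] = $rhost;
    $GLOBALS["CACHE_URI"][$md5] = serialize($MAIN_ARRAY);
    return $MAIN_ARRAY;
}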
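/**
 * Import HAProxy request records from the haproxy-rtm spool into hourly tables.
 *
 * Each spool file holds one serialized record. Records are grouped by hour
 * (table "hour_YYYYMMDDHH"), inserted in one statement per table, and the
 * spool file is deleted as soon as it has been read. When a table cannot be
 * created or an insert fails, the whole batch is saved under haproxy-errors
 * and the function returns.
 *
 * @return void
 */
function haproxy_events()
{
    $qs = new mysql_squid_builder();
    $q = new mysql_haproxy_builder();

    $spoolDir = "{$GLOBALS["ARTICALOGDIR"]}/haproxy-rtm";
    if (!($handle = opendir($spoolDir))) {
        @mkdir($spoolDir, 0755, true);
        return;
    }

    $hash = array();
    $countDeFiles = 0;
    $prefixMid = " (sitename,uri,td,http_code,client,hostname,familysite,service,backend,zDate,size,MAC,zMD5,statuslb)";

    while (false !== ($filename = readdir($handle))) {
        if ($filename == "." || $filename == "..") {
            continue;
        }
        $targetFile = "{$spoolDir}/{$filename}";
        $countDeFiles++;

        // NOTE(review): unserialize() on spool file content. If anything less
        // privileged than this process can write to the spool directory, this
        // is an object-injection surface; restrict it with
        // array('allowed_classes' => false) on PHP >= 7 or move the spool to JSON.
        $ARRAY = unserialize(@file_get_contents($targetFile));

        // Unreadable or malformed records are dropped instead of being turned
        // into a row of empty values (and a table named after a bad timestamp).
        if (!is_array($ARRAY) || !isset($ARRAY["TIME"]) || !is_numeric($ARRAY["TIME"])) {
            @unlink($targetFile);
            continue;
        }

        // All record fields end up inside quoted SQL literals.
        foreach ($ARRAY as $key => $value) {
            $ARRAY[$key] = is_scalar($value) ? trim(addslashes((string) $value)) : "";
        }

        // Values returned by the lookups are escaped as well: they are not
        // covered by the loop above and a resolved host name is external data.
        $ARRAY["MAC"] = addslashes((string) GetMacFromIP($ARRAY["SOURCE"]));
        $hostname = addslashes((string) GetComputerName($ARRAY["SOURCE"]));

        $stamp = (int) $ARRAY["TIME"];
        $dayhour = date("YmdH", $stamp);
        $time = date("H:i:s", $stamp);
        $fulldate = date('Y-m-d H:i:s', $stamp);
        $table = "hour_{$dayhour}";

        // Keep only the first word of the service and backend names.
        if (preg_match("#(.+?)\\s+(.*?)#", $ARRAY["SERVICE"], $ri)) {
            $ARRAY["SERVICE"] = $ri[1];
        }
        if (preg_match("#(.+?)\\s+(.*?)#", $ARRAY["BACKEND"], $ri)) {
            $ARRAY["BACKEND"] = $ri[1];
        }

        $uri = $ARRAY["URI"];
        $md5 = md5(serialize($ARRAY));

        // Reset per record: the original kept the previous record's site and
        // family when the current URI did not match.
        $sitename = "";
        $familysite = "";
        if (preg_match("#^(?:[^/]+://)?([^/:]+)#", $uri, $re)) {
            $sitename = $re[1];
            if (preg_match("#^www\\.(.+)#", $sitename, $ri)) {
                $sitename = $ri[1];
            }
            $familysite = addslashes((string) $qs->GetFamilySites($sitename));
        }

        $linsql = "('{$sitename}','{$uri}','{$ARRAY["TD"]}','{$ARRAY["HTTP_CODE"]}','{$ARRAY["SOURCE"]}','{$hostname}','{$familysite}','{$ARRAY["SERVICE"]}','{$ARRAY["BACKEND"]}','{$fulldate}','{$ARRAY["BYTES"]}','{$ARRAY["MAC"]}','{$md5}','{$ARRAY["STATUSLB"]}')";
        $hash[$table][] = $linsql;

        if ($GLOBALS["VERBOSE"]) {
            echo "Remove: {$targetFile}\n";
        }
        @unlink($targetFile);

        if (system_is_overloaded()) {
            break;
        }
    }
    closedir($handle);

    // foreach replaces each(), which no longer exists in PHP 8.
    foreach ($hash as $table => $tr) {
        if (trim($table) == null) {
            continue;
        }
        if (!$q->create_TableHour($table)) {
            // The spool files are already gone; keep the batch for a later retry.
            @mkdir("{$GLOBALS["ARTICALOGDIR"]}/haproxy-errors", 0755, true);
            @file_put_contents("{$GLOBALS["ARTICALOGDIR"]}/haproxy-errors/" . md5(serialize($hash)), serialize($hash));
            return;
        }
        $sql = "INSERT IGNORE INTO {$table} {$prefixMid} VALUES " . @implode(",", $tr);
        $q->QUERY_SQL($sql);
        if (!$q->ok) {
            WriteMyLogs($q->mysql_error, __FUNCTION__, __FILE__, __LINE__);
            @mkdir("{$GLOBALS["ARTICALOGDIR"]}/haproxy-errors", 0755, true);
            @file_put_contents("{$GLOBALS["ARTICALOGDIR"]}/haproxy-errors/" . md5(serialize($hash)), serialize($hash));
            return;
        }
    }

    haproxy_errors();
}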
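/**
 * Turn one proxy access record into a spooled INSERT for `dansguardian_events`.
 *
 * The statement is written to
 * /var/log/artica-postfix/dansguardian-stats/<md5>.sql; nothing is sent to the
 * database here. The destination host is resolved with gethostbyname() and,
 * when the GeoIP extension is present, mapped to a country.
 *
 * @param string      $CLIENT     Client identifier (trimmed before use).
 * @param string|null $username   User name; looked up with GetComputerName() when empty.
 * @param string      $uri        Requested URI; the site name is extracted from it.
 * @param string|int  $code_error Status code, mapped to a label through the table below.
 * @param int|string  $size       Transfer size; empty values become 0.
 * @param string      $time       Time of day appended to today's date.
 * @return false|null false when no site name can be extracted from $uri, otherwise nothing.
 */
function Builsql($CLIENT, $username = null, $uri, $code_error, $size = 0, $time)
{
    $squid_error = array(
        "100" => "Continue",
        "101" => "Switching Protocols",
        "102" => "Processing",
        "200" => "Pass",
        "201" => "Created",
        "202" => "Accepted",
        "203" => "Non-Authoritative Information",
        "204" => "No Content",
        "205" => "Reset Content",
        "206" => "Partial Content",
        "207" => "Multi Status",
        "300" => "Multiple Choices",
        "301" => "Moved Permanently",
        "302" => "Moved Temporarily",
        "303" => "See Other",
        "304" => "Not Modified",
        "305" => "Use Proxy",
        "307" => "Temporary Redirect",
        "400" => "Bad Request",
        "401" => "Unauthorized",
        "402" => "Payment Required",
        "403" => "Forbidden",
        "404" => "Not Found",
        "405" => "Method Not Allowed",
        "406" => "Not Acceptable",
        "407" => "Proxy Authentication Required",
        "408" => "Request Timeout",
        "409" => "Conflict",
        "410" => "Gone",
        "411" => "Length Required",
        "412" => "Precondition Failed",
        "413" => "Request Entity Too Large",
        "414" => "Request URI Too Large",
        "415" => "Unsupported Media Type",
        "416" => "Request Range Not Satisfiable",
        "417" => "Expectation Failed",
        // The original assigned key "424" twice, so "Locked" was never reachable.
        "423" => "Locked",
        "424" => "Failed Dependency",
        "433" => "Unprocessable Entity",
        "500" => "Internal Server Error",
        "501" => "Not Implemented",
        "502" => "Bad Gateway",
        "503" => "Service Unavailable",
        "504" => "Gateway Timeout",
        "505" => "HTTP Version Not Supported",
        "507" => "Insufficient Storage",
        "600" => "Squid header parsing error",
    );

    if (!preg_match("#^(?:[^/]+://)?([^/:]+)#", $uri, $re)) {
        events("unable to extract domain name from {$uri}");
        return false;
    }
    $sitename = $re[1];

    // Unknown codes keep the original outcome (an empty label) without a notice.
    $TYPE = isset($squid_error[$code_error]) ? $squid_error[$code_error] : null;
    $REASON = $TYPE;
    $CLIENT = trim($CLIENT);
    $date = date('Y-m-d') . " " . $time;
    $Country = null;

    if ($username == null) {
        // The original passed an undefined $ip here; $CLIENT is the only client
        // address this function receives. NOTE(review): confirm against callers.
        $username = GetComputerName($CLIENT);
    }
    if ($size == null) {
        $size = 0;
    }

    // Per-process DNS cache. The lookup is made for a name taken from the
    // logged URI, so it is both blocking and driven by request data.
    if (!isset($GLOBALS["IPs"][$sitename]) || trim($GLOBALS["IPs"][$sitename]) == null) {
        $site_IP = trim(gethostbyname($sitename));
        $GLOBALS["IPs"][$sitename] = $site_IP;
    } else {
        $site_IP = $GLOBALS["IPs"][$sitename];
    }

    // The original tested $_GET here, so the $GLOBALS caches were never pruned
    // and grew with every distinct site seen.
    if (isset($GLOBALS["IPs"]) && count($GLOBALS["IPs"]) > 5000) {
        unset($GLOBALS["IPs"]);
    }
    if (isset($GLOBALS["COUNTRIES"]) && count($GLOBALS["COUNTRIES"]) > 5000) {
        unset($GLOBALS["COUNTRIES"]);
    }

    if (!isset($GLOBALS["COUNTRIES"][$site_IP]) || trim($GLOBALS["COUNTRIES"][$site_IP]) == null) {
        if (function_exists("geoip_record_by_name")) {
            if ($site_IP == null) {
                $site_IP = $sitename;
            }
            $record = geoip_record_by_name($site_IP);
            if ($record) {
                $Country = $record["country_name"];
                $GLOBALS["COUNTRIES"][$site_IP] = $Country;
            }
        }
    } else {
        $Country = $GLOBALS["COUNTRIES"][$site_IP];
    }

    $zMD5 = md5("{$uri}{$date}{$CLIENT}{$username}{$TYPE}{$Country}{$site_IP}");
    events("{$date} {$REASON}:: {$CLIENT} ({$username}) -> {$sitename} ({$site_IP}) Country={$Country} REASON:\"{$REASON}\" TYPE::\"{$TYPE}\" size={$size}");

    // The statement is executed later by whatever replays the spool, so every
    // value that can carry request data is escaped, not only the URI. The site
    // name in particular is cut out of the URI by a pattern that allows quotes.
    $sqlSite = addslashes((string) $sitename);
    $sqlUri = addslashes((string) $uri);
    $sqlClient = addslashes((string) $CLIENT);
    $sqlDate = addslashes((string) $date);
    $sqlIp = addslashes((string) $site_IP);
    $sqlCountry = addslashes((string) $Country);
    $sqlSize = addslashes((string) $size);
    $sqlUser = addslashes((string) $username);

    $sql = "INSERT INTO dansguardian_events (`sitename`,`uri`,`TYPE`,`REASON`,`CLIENT`,`zDate`,`zMD5`,`remote_ip`,`country`,`QuerySize`,`uid`) \n\tVALUES('{$sqlSite}','{$sqlUri}','{$TYPE}','{$REASON}','{$sqlClient}','{$sqlDate}','{$zMD5}','{$sqlIp}','{$sqlCountry}','{$sqlSize}','{$sqlUser}');";
    @file_put_contents("/var/log/artica-postfix/dansguardian-stats/{$zMD5}.sql", $sql);
}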