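/**
 * Convert pf filter.log entries into pfBlockerNG alert rows grouped by action.
 *
 * The log is read through clog, reduced to its 'filterlog:' lines and handed to
 * `tail -r -n $tail`. Each line is split with a regular expression into the text
 * before the host name, the host name and the comma-separated filterlog payload.
 * Only entries whose first payload field (rule number) is listed in the global
 * $rule_list['id'] are kept. Consecutive entries sharing the same interface,
 * action, source, destination and destination port are collapsed into one row.
 *
 * Row layout ($pfbalert index => meaning):
 *   0 rule number, 1 real interface, 2 friendly interface name, 3 action,
 *   4 IP version, 5 protocol ID, 6 protocol (upper-cased, TCP flags appended),
 *   7 source IP, 8 destination IP, 9 source port, 10 destination port,
 *   11 TCP flags, 99 the text preceding the host name in the log line.
 *
 * Every value in a row is copied from log text. Callers that render rows in a
 * page should escape them for the output context.
 *
 * @param string $logfile      Path of the log file passed to clog.
 * @param mixed  $nentries     Not referenced by this function.
 * @param int    $tail         Number of lines requested from tail(1).
 * @param int    $pfbdenycnt   Maximum number of 'block' rows to collect.
 * @param int    $pfbpermitcnt Maximum number of 'pass' rows to collect.
 * @param int    $pfbmatchcnt  Maximum number of 'unkn(%u)' / 'unkn(11)' rows to collect.
 *
 * @return array|null Rows under the keys 'Deny', 'Permit' and 'Match'; null when
 *                    the file does not exist, the command produced no lines, or
 *                    $rule_list['id'] is empty.
 */
function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt)
{
    global $pfb, $rule_list, $filterfieldsarray;

    $fields_array = array();
    $logarr = array();
    $denycnt = 0;
    $permitcnt = 0;
    $matchcnt = 0;
    // Initialised so the first comparison in the loop does not read an undefined variable.
    $previous_alert = '';

    if (!file_exists($logfile)) {
        return;
    }

    // Both caller-supplied values are quoted before they reach the shell. $tail is
    // forced to an integer first so nothing but a number can follow 'tail -n'.
    $tail_arg = escapeshellarg((string) (int) $tail);

    // NOTE(review): as written, `grep -v ""` uses an empty pattern, which matches every
    // line, so this stage would discard all input. It looks like a character was lost
    // from the pattern; confirm against the upstream file before relying on this pipeline.
    // NOTE(review): the first two grep calls are resolved through PATH while the other
    // tools use absolute paths.
    exec(
        '/usr/local/sbin/clog ' . escapeshellarg($logfile)
        . ' | grep -v "CLOG" | grep -v "" | /usr/bin/grep \'filterlog:\' | /usr/bin/tail -r -n ' . $tail_arg,
        $logarr
    );

    if (empty($logarr) || empty($rule_list['id'])) {
        return;
    }

    foreach ($logarr as $logent) {
        $pfbalert = array();
        $log_split = array();
        if (!preg_match('/(.*)\s(.*)\sfilterlog:\s(.*)$/', $logent, $log_split)) {
            continue;
        }

        // Group 1 is the text before the host name, group 3 the filterlog payload.
        $pfbalert[99] = $log_split[1];
        $rule_data = explode(',', $log_split[3]);

        $pfbalert[0] = $rule_data[0];    // Rule number

        // Skip the entry if the rule is not a pfBNG alert.
        // NOTE(review): loose comparison; confirm the id types held in $rule_list['id']
        // before switching to a strict in_array().
        if (!in_array($pfbalert[0], $rule_list['id'])) {
            continue;
        }

        // Payload fields that a given entry does not carry are read as unset here.
        $pfbalert[1] = $rule_data[4];    // Real interface
        $pfbalert[3] = $rule_data[6];    // Action
        $pfbalert[4] = $rule_data[8];    // IP version

        if ($pfbalert[4] == "4") {
            $pfbalert[5]  = $rule_data[15];    // Protocol ID
            $pfbalert[6]  = $rule_data[16];    // Protocol
            $pfbalert[7]  = $rule_data[18];    // SRC IP
            $pfbalert[8]  = $rule_data[19];    // DST IP
            $pfbalert[9]  = $rule_data[20];    // SRC port
            $pfbalert[10] = $rule_data[21];    // DST port
            $pfbalert[11] = $rule_data[23];    // TCP flags
        } else {
            $pfbalert[5]  = $rule_data[13];    // Protocol ID
            $pfbalert[6]  = $rule_data[12];    // Protocol
            $pfbalert[7]  = $rule_data[15];    // SRC IP
            $pfbalert[8]  = $rule_data[16];    // DST IP
            $pfbalert[9]  = $rule_data[17];    // SRC port
            $pfbalert[10] = $rule_data[18];    // DST port
            $pfbalert[11] = $rule_data[20];    // TCP flags
        }

        // Ports and flags are kept only for protocol IDs 6 and 17.
        if ($pfbalert[5] != "6" && $pfbalert[5] != "17") {
            $pfbalert[9] = "";
            $pfbalert[10] = "";
            $pfbalert[11] = "";
        }

        // Skip repeated alerts.
        $alert_key = $pfbalert[1] . $pfbalert[3] . $pfbalert[7] . $pfbalert[8] . $pfbalert[10];
        if ($alert_key === $previous_alert) {
            continue;
        }

        $pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]);    // Friendly interface name

        // Protocol plus flags. The fourth str_replace() argument (a by-reference
        // replacement counter) was previously bound to $pfbalert[6]; it is dropped
        // because the result is assigned to that element anyway.
        $pfbalert[6] = str_replace("TCP", "TCP-", strtoupper($pfbalert[6])) . $pfbalert[11];

        // If alerts filtering is selected, process filters as required.
        if ($pfb['filterlogentries'] && !pfb_match_filter_field($pfbalert, $filterfieldsarray)) {
            continue;
        }

        if ($pfbalert[3] == "block") {
            if ($denycnt < $pfbdenycnt) {
                $fields_array['Deny'][] = $pfbalert;
                $denycnt++;
            }
        } elseif ($pfbalert[3] == "pass") {
            if ($permitcnt < $pfbpermitcnt) {
                $fields_array['Permit'][] = $pfbalert;
                $permitcnt++;
            }
        } elseif ($pfbalert[3] == "unkn(%u)" || $pfbalert[3] == "unkn(11)") {
            if ($matchcnt < $pfbmatchcnt) {
                $fields_array['Match'][] = $pfbalert;
                $matchcnt++;
            }
        }

        // Stop as soon as every category has reached its limit.
        if ($denycnt >= $pfbdenycnt && $permitcnt >= $pfbpermitcnt && $matchcnt >= $pfbmatchcnt) {
            return $fields_array;
        }

        // Remember this entry for the repeated-alert comparison.
        $previous_alert = $alert_key;
    }

    return $fields_array;
}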
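/**
 * Convert pf filter.log entries into pfBlockerNG alert rows grouped by action.
 *
 * The log is read through clog, reduced to its 'filterlog:' lines and handed to
 * `tail -r -n $tail`. Each line is split on spaces; after removing the empty
 * token left by a single-digit day, tokens 0-2 form the timestamp and token 5
 * is the comma-separated filterlog payload. Only entries whose fourth payload
 * field is listed in the global $rule_list['id'] are kept. Consecutive entries
 * sharing the same interface, action, source, destination and destination port
 * are collapsed into one row.
 *
 * Row layout ($pfbalert index => meaning):
 *   0 rule number, 1 real interface, 2 friendly interface name, 3 action,
 *   4 IP version, 5 protocol ID, 6 protocol (upper-cased, TCP flags appended),
 *   7 source IP, 8 destination IP, 9 source port, 10 destination port,
 *   11 TCP flags, 99 date/timestamp.
 *
 * Every value in a row is copied from log text. Callers that render rows in a
 * page should escape them for the output context.
 *
 * @param string $logfile      Path of the log file passed to clog.
 * @param mixed  $nentries     Not referenced by this function.
 * @param int    $tail         Number of lines requested from tail(1).
 * @param int    $pfbdenycnt   Maximum number of 'block' rows to collect.
 * @param int    $pfbpermitcnt Maximum number of 'pass' rows to collect.
 * @param int    $pfbmatchcnt  Maximum number of 'unkn(%u)' rows to collect.
 *
 * @return array|null Rows under the keys 'Deny', 'Permit' and 'Match'; null when
 *                    the file does not exist, the command produced no lines, or
 *                    $rule_list['id'] is empty.
 */
function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt)
{
    global $pfb, $rule_list, $filterfieldsarray;

    $fields_array = array();
    $logarr = array();
    $denycnt = $permitcnt = $matchcnt = 0;
    // Initialised so the first comparison in the loop does not read an undefined variable.
    $previous_alert = '';

    if (!file_exists($logfile)) {
        return;
    }

    // The log path and the line count were previously interpolated into the command
    // unquoted. Both are now quoted, and $tail is forced to an integer first, so
    // neither value can add words or operators to the shell command.
    // $pfb['grep'] is still interpolated as-is; it is read from the global $pfb array.
    $tail_arg = escapeshellarg((string) (int) $tail);

    // Collect filter.log entries.
    exec(
        '/usr/local/sbin/clog ' . escapeshellarg($logfile)
        . " | {$pfb['grep']} -v '\"CLOG\"\\|\"\"' | {$pfb['grep']} 'filterlog:'"
        . ' | /usr/bin/tail -r -n ' . $tail_arg,
        $logarr
    );

    if (empty($logarr) || empty($rule_list['id'])) {
        return;
    }

    foreach ($logarr as $logent) {
        $pfbalert = array();
        $flog = explode(' ', $logent);

        // Remove the 'extra space' token from a single-digit day (days 1-9).
        if (empty($flog[1])) {
            array_splice($flog, 1, 1);
        }

        // A line without a payload token cannot name a rule; skip it instead of
        // parsing an undefined value.
        if (!isset($flog[5])) {
            continue;
        }
        $rule_data = explode(',', $flog[5]);

        // Skip the entry if the rule is not a pfBNG alert.
        // NOTE(review): loose comparison; confirm the id types held in $rule_list['id']
        // before switching to a strict in_array().
        if (!in_array($rule_data[3], $rule_list['id'])) {
            continue;
        }

        // Payload fields that a given entry does not carry are read as unset here.
        $pfbalert[0] = $rule_data[3];    // Rule number
        $pfbalert[1] = $rule_data[4];    // Real interface
        $pfbalert[3] = $rule_data[6];    // Action
        $pfbalert[4] = $rule_data[8];    // IP version

        if ($pfbalert[4] == 4) {
            $pfbalert[5]  = $rule_data[15];    // Protocol ID
            $pfbalert[6]  = $rule_data[16];    // Protocol
            $pfbalert[7]  = $rule_data[18];    // SRC IP
            $pfbalert[8]  = $rule_data[19];    // DST IP
            $pfbalert[9]  = $rule_data[20];    // SRC port
            $pfbalert[10] = $rule_data[21];    // DST port
            $pfbalert[11] = $rule_data[23];    // TCP flags
        } else {
            $pfbalert[5]  = $rule_data[13];    // Protocol ID
            $pfbalert[6]  = $rule_data[12];    // Protocol
            $pfbalert[7]  = $rule_data[15];    // SRC IP
            $pfbalert[8]  = $rule_data[16];    // DST IP
            $pfbalert[9]  = $rule_data[17];    // SRC port
            $pfbalert[10] = $rule_data[18];    // DST port
            $pfbalert[11] = $rule_data[20];    // TCP flags
        }

        // Ports and flags are kept only for protocol IDs 6 and 17.
        if ($pfbalert[5] != 6 && $pfbalert[5] != 17) {
            $pfbalert[9] = $pfbalert[10] = $pfbalert[11] = '';
        }

        $pfbalert[99] = "{$flog[0]} {$flog[1]} {$flog[2]}";    // Date/Timestamp

        // Skip repeated alerts.
        $alert_key = "{$pfbalert[1]}{$pfbalert[3]}{$pfbalert[7]}{$pfbalert[8]}{$pfbalert[10]}";
        if ($alert_key === $previous_alert) {
            continue;
        }

        $pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]);    // Friendly interface name

        // Protocol plus flags. The fourth str_replace() argument (a by-reference
        // replacement counter) was previously bound to $pfbalert[6]; it is dropped
        // because the result is assigned to that element anyway.
        $pfbalert[6] = str_replace('TCP', 'TCP-', strtoupper($pfbalert[6])) . $pfbalert[11];

        // If alerts filtering is selected, process filters as required.
        if ($pfb['filterlogentries'] && !pfb_match_filter_field($pfbalert, $filterfieldsarray)) {
            continue;
        }

        if ($pfbalert[3] == 'block') {
            if ($denycnt < $pfbdenycnt) {
                $fields_array['Deny'][] = $pfbalert;
                $denycnt++;
            }
        } elseif ($pfbalert[3] == 'pass') {
            if ($permitcnt < $pfbpermitcnt) {
                $fields_array['Permit'][] = $pfbalert;
                $permitcnt++;
            }
        } elseif ($pfbalert[3] == 'unkn(%u)') {
            if ($matchcnt < $pfbmatchcnt) {
                $fields_array['Match'][] = $pfbalert;
                $matchcnt++;
            }
        }

        // Stop as soon as every category has reached its limit.
        if ($denycnt >= $pfbdenycnt && $permitcnt >= $pfbpermitcnt && $matchcnt >= $pfbmatchcnt) {
            return $fields_array;
        }

        // Remember this entry for the repeated-alert comparison.
        $previous_alert = $alert_key;
    }

    return $fields_array;
}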