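/**
 * Collect pfBlockerNG firewall alerts from a clog-formatted filter log.
 *
 * The log is read through clog, reduced to 'filterlog:' lines, and the newest
 * $tail lines are scanned newest-first (tail -r). A line is kept only when its
 * rule number is listed in the global $rule_list['id']; a line repeating the
 * previous kept line's interface/action/src/dst/dst-port is dropped as a
 * duplicate; when $pfb['filterlogentries'] is set, pfb_match_filter_field() is
 * applied against the global $filterfieldsarray. Scanning stops as soon as every
 * category has reached its requested count.
 *
 * Each alert record is a numerically indexed array:
 *   0 rule number, 1 real interface, 2 friendly interface name, 3 action,
 *   4 IP version, 5 protocol id, 6 protocol label (+ TCP flags), 7 src IP,
 *   8 dst IP, 9 src port, 10 dst port, 11 TCP flags, 99 timestamp.
 * Ports and flags are blanked unless the protocol id is TCP (6) or UDP (17).
 *
 * @param string $logfile      Path of the clog file to read.
 * @param mixed  $nentries     Unused here; kept so existing callers keep working.
 * @param int    $tail         How many of the most recent log lines to examine.
 * @param int    $pfbdenycnt   Maximum number of 'block' alerts to return.
 * @param int    $pfbpermitcnt Maximum number of 'pass' alerts to return.
 * @param int    $pfbmatchcnt  Maximum number of match ('unkn(...)') alerts to return.
 *
 * @return array|null  array('Deny' => ..., 'Permit' => ..., 'Match' => ...) holding only
 *                     the categories that had hits; null when $logfile does not exist
 *                     or when there were no log lines / no rule ids to match against.
 */
function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt) {
	global $pfb, $rule_list, $filterfieldsarray;

	$fields_array = array();
	$logarr = array();
	$denycnt = 0;
	$permitcnt = 0;
	$matchcnt = 0;
	// Initialised up front so the duplicate check on the very first entry never
	// reads an undefined variable.
	$previous_alert = '';

	if (!file_exists($logfile)) {
		return;
	}

	// Only $logfile and $tail come from outside this function and reach the shell:
	// the path is quoted with escapeshellarg() and the line count is cast to int so
	// neither can carry shell metacharacters into the pipeline.
	// NOTE(review): the second `grep -v ""` has an empty pattern, which excludes every
	// line; this looks like a non-printable character lost in transcription — confirm
	// against the upstream source before relying on this pipeline.
	$cmd = "/usr/local/sbin/clog " . escapeshellarg($logfile)
		. " | grep -v \"CLOG\" | grep -v \"\" | /usr/bin/grep 'filterlog:'"
		. " | /usr/bin/tail -r -n " . (int)$tail;
	exec($cmd, $logarr);

	if (empty($logarr) || empty($rule_list['id'])) {
		// Nothing to scan; same null result the original fall-through produced.
		return;
	}

	foreach ($logarr as $logent) {
		$pfbalert = array();
		$log_split = array();

		// "<timestamp> <host> filterlog: <csv fields>"; the greedy first group leaves the
		// host as the last whitespace-delimited token before 'filterlog:'.
		if (!preg_match("/(.*)\\s(.*)\\sfilterlog:\\s(.*)\$/", $logent, $log_split)) {
			continue;
		}
		list(, $pfbalert[99], , $rule) = $log_split;	// 99 = timestamp
		$rule_data = explode(",", $rule);

		// Need at least the rule number, interface, action and IP-version fields.
		if (count($rule_data) < 9) {
			continue;
		}

		$pfbalert[0] = $rule_data[0];	// Rulenum

		// Skip alert if rule is not a pfBNG alert
		if (!in_array($pfbalert[0], $rule_list['id'])) {
			continue;
		}

		$pfbalert[1] = $rule_data[4];	// Realint
		$pfbalert[3] = $rule_data[6];	// Act
		$pfbalert[4] = $rule_data[8];	// Version

		// Field positions differ between the IPv4 and IPv6 filterlog layouts; skip a
		// truncated line rather than reading past the end of the array.
		if ($pfbalert[4] == "4") {
			if (count($rule_data) < 24) {
				continue;
			}
			$pfbalert[5]  = $rule_data[15];	// Protocol ID
			$pfbalert[6]  = $rule_data[16];	// Protocol
			$pfbalert[7]  = $rule_data[18];	// SRC IP
			$pfbalert[8]  = $rule_data[19];	// DST IP
			$pfbalert[9]  = $rule_data[20];	// SRC Port
			$pfbalert[10] = $rule_data[21];	// DST Port
			$pfbalert[11] = $rule_data[23];	// TCP Flags
		} else {
			if (count($rule_data) < 21) {
				continue;
			}
			$pfbalert[5]  = $rule_data[13];	// Protocol ID
			$pfbalert[6]  = $rule_data[12];	// Protocol
			$pfbalert[7]  = $rule_data[15];	// SRC IP
			$pfbalert[8]  = $rule_data[16];	// DST IP
			$pfbalert[9]  = $rule_data[17];	// SRC Port
			$pfbalert[10] = $rule_data[18];	// DST Port
			$pfbalert[11] = $rule_data[20];	// TCP Flags
		}

		// Ports and TCP flags only carry meaning for TCP (6) and UDP (17).
		if ($pfbalert[5] != "6" && $pfbalert[5] != "17") {
			$pfbalert[9] = "";
			$pfbalert[10] = "";
			$pfbalert[11] = "";
		}

		// Skip repeated alerts (same interface, action, src, dst and dst port as the
		// previously kept entry).
		$alert_key = $pfbalert[1] . $pfbalert[3] . $pfbalert[7] . $pfbalert[8] . $pfbalert[10];
		if ($alert_key == $previous_alert) {
			continue;
		}

		$pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]);	// Friendly Interface Name
		$pfbalert[6] = str_replace("TCP", "TCP-", strtoupper($pfbalert[6])) . $pfbalert[11];	// Protocol Flags

		// If Alerts Filtering is selected, process Filters as required.
		if ($pfb['filterlogentries'] && !pfb_match_filter_field($pfbalert, $filterfieldsarray)) {
			continue;
		}

		if ($pfbalert[3] == "block") {
			if ($denycnt < $pfbdenycnt) {
				$fields_array['Deny'][] = $pfbalert;
				$denycnt++;
			}
		} elseif ($pfbalert[3] == "pass") {
			if ($permitcnt < $pfbpermitcnt) {
				$fields_array['Permit'][] = $pfbalert;
				$permitcnt++;
			}
		} elseif ($pfbalert[3] == "unkn(%u)" || $pfbalert[3] == "unkn(11)") {
			// NOTE(review): filterlog appears to emit these literal action strings for
			// match rules — confirm against the filterlog output format.
			if ($matchcnt < $pfbmatchcnt) {
				$fields_array['Match'][] = $pfbalert;
				$matchcnt++;
			}
		}

		// Exit function once every category has enough matches.
		if ($denycnt >= $pfbdenycnt && $permitcnt >= $pfbpermitcnt && $matchcnt >= $pfbmatchcnt) {
			unset($pfbalert, $logarr);
			return $fields_array;
		}

		// Remember this entry for the next repeated-alert comparison.
		$previous_alert = $alert_key;
	}

	unset($pfbalert, $logarr);
	return $fields_array;
}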
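/**
 * Collect pfBlockerNG firewall alerts from a clog-formatted filter log.
 *
 * The log is read through clog, reduced to 'filterlog:' lines, and the newest
 * $tail lines are scanned newest-first (tail -r). Each line is split on spaces
 * into "month day time host filterlog: <csv fields>"; a line is kept only when
 * the fourth csv field is listed in the global $rule_list['id']. A line repeating
 * the previous kept line's interface/action/src/dst/dst-port is dropped as a
 * duplicate, and when $pfb['filterlogentries'] is set pfb_match_filter_field()
 * is applied against the global $filterfieldsarray. Scanning stops as soon as
 * every category has reached its requested count.
 *
 * Each alert record is a numerically indexed array:
 *   0 rule id, 1 real interface, 2 friendly interface name, 3 action,
 *   4 IP version, 5 protocol id, 6 protocol label (+ TCP flags), 7 src IP,
 *   8 dst IP, 9 src port, 10 dst port, 11 TCP flags, 99 timestamp.
 * Ports and flags are blanked unless the protocol id is TCP (6) or UDP (17).
 *
 * @param string $logfile      Path of the clog file to read.
 * @param mixed  $nentries     Unused here; kept so existing callers keep working.
 * @param int    $tail         How many of the most recent log lines to examine.
 * @param int    $pfbdenycnt   Maximum number of 'block' alerts to return.
 * @param int    $pfbpermitcnt Maximum number of 'pass' alerts to return.
 * @param int    $pfbmatchcnt  Maximum number of match ('unkn(%u)') alerts to return.
 *
 * @return array|null  array('Deny' => ..., 'Permit' => ..., 'Match' => ...) holding only
 *                     the categories that had hits; null when $logfile does not exist
 *                     or when there were no log lines / no rule ids to match against.
 */
function conv_log_filter_lite($logfile, $nentries, $tail, $pfbdenycnt, $pfbpermitcnt, $pfbmatchcnt) {
	global $pfb, $rule_list, $filterfieldsarray;

	$fields_array = array();
	$denycnt = $permitcnt = $matchcnt = 0;
	$logarr = array();
	// Initialised up front so the duplicate check on the very first entry never
	// reads an undefined variable.
	$previous_alert = '';

	if (!file_exists($logfile)) {
		return;
	}

	// Collect filter.log entries. $logfile and $tail are the only caller-supplied
	// values that reach the shell: the path is quoted with escapeshellarg() (it was
	// interpolated raw before) and the count is cast to int so neither can inject
	// shell metacharacters. $pfb['grep'] is presumably the configured grep binary
	// path rather than request input — confirm where it is set.
	// NOTE(review): the grep -v pattern `"CLOG"\|""` matches the two-character string
	// "" literally; this looks like a non-printable character lost in transcription —
	// confirm against the upstream source before relying on this pipeline.
	$cmd = "/usr/local/sbin/clog " . escapeshellarg($logfile)
		. " | {$pfb['grep']} -v '\"CLOG\"\\|\"\"' | {$pfb['grep']} 'filterlog:'"
		. " | /usr/bin/tail -r -n " . (int)$tail;
	exec($cmd, $logarr);

	if (empty($logarr) || empty($rule_list['id'])) {
		// Nothing to scan; same null result the original fall-through produced.
		return;
	}

	foreach ($logarr as $logent) {
		$pfbalert = array();
		$flog = explode(' ', $logent);

		// A single-digit day is padded ("Jan  1 ..."), which explode() turns into an
		// empty token at index 1; drop it so the field positions line up.
		if (empty($flog[1])) {
			array_splice($flog, 1, 1);
		}

		// Expected layout after the fix-up: month day time host filterlog: <csv>.
		// Skip lines that are too short rather than reading an undefined index.
		if (!isset($flog[5])) {
			continue;
		}
		$rule_data = explode(',', $flog[5]);

		// Need at least the rule id, interface, action and IP-version fields.
		if (count($rule_data) < 9) {
			continue;
		}

		// Skip alert if rule is not a pfBNG alert
		if (!in_array($rule_data[3], $rule_list['id'])) {
			continue;
		}

		$pfbalert[0] = $rule_data[3];	// Rulenum
		$pfbalert[1] = $rule_data[4];	// Realint
		$pfbalert[3] = $rule_data[6];	// Act
		$pfbalert[4] = $rule_data[8];	// Version

		// Field positions differ between the IPv4 and IPv6 filterlog layouts; skip a
		// truncated line rather than reading past the end of the array.
		if ($pfbalert[4] == 4) {
			if (count($rule_data) < 24) {
				continue;
			}
			$pfbalert[5]  = $rule_data[15];	// Protocol ID
			$pfbalert[6]  = $rule_data[16];	// Protocol
			$pfbalert[7]  = $rule_data[18];	// SRC IP
			$pfbalert[8]  = $rule_data[19];	// DST IP
			$pfbalert[9]  = $rule_data[20];	// SRC Port
			$pfbalert[10] = $rule_data[21];	// DST Port
			$pfbalert[11] = $rule_data[23];	// TCP Flags
		} else {
			if (count($rule_data) < 21) {
				continue;
			}
			$pfbalert[5]  = $rule_data[13];	// Protocol ID
			$pfbalert[6]  = $rule_data[12];	// Protocol
			$pfbalert[7]  = $rule_data[15];	// SRC IP
			$pfbalert[8]  = $rule_data[16];	// DST IP
			$pfbalert[9]  = $rule_data[17];	// SRC Port
			$pfbalert[10] = $rule_data[18];	// DST Port
			$pfbalert[11] = $rule_data[20];	// TCP Flags
		}

		// Ports and TCP flags only carry meaning for TCP (6) and UDP (17).
		if ($pfbalert[5] != 6 && $pfbalert[5] != 17) {
			$pfbalert[9] = $pfbalert[10] = $pfbalert[11] = '';
		}

		$pfbalert[99] = "{$flog[0]} {$flog[1]} {$flog[2]}";	// Date/Timestamp

		// Skip repeated alerts (same interface, action, src, dst and dst port as the
		// previously kept entry).
		$alert_key = "{$pfbalert[1]}{$pfbalert[3]}{$pfbalert[7]}{$pfbalert[8]}{$pfbalert[10]}";
		if ($alert_key == $previous_alert) {
			continue;
		}

		$pfbalert[2] = convert_real_interface_to_friendly_descr($rule_data[4]);	// Friendly Interface Name
		$pfbalert[6] = str_replace('TCP', 'TCP-', strtoupper($pfbalert[6])) . $pfbalert[11];	// Protocol Flags

		// If alerts filtering is selected, process filters as required.
		if ($pfb['filterlogentries'] && !pfb_match_filter_field($pfbalert, $filterfieldsarray)) {
			continue;
		}

		if ($pfbalert[3] == 'block') {
			if ($denycnt < $pfbdenycnt) {
				$fields_array['Deny'][] = $pfbalert;
				$denycnt++;
			}
		} elseif ($pfbalert[3] == 'pass') {
			if ($permitcnt < $pfbpermitcnt) {
				$fields_array['Permit'][] = $pfbalert;
				$permitcnt++;
			}
		} elseif ($pfbalert[3] == 'unkn(%u)') {
			// NOTE(review): filterlog appears to emit this literal action string for
			// match rules — confirm against the filterlog output format.
			if ($matchcnt < $pfbmatchcnt) {
				$fields_array['Match'][] = $pfbalert;
				$matchcnt++;
			}
		}

		// Exit function once every category has enough matches.
		if ($denycnt >= $pfbdenycnt && $permitcnt >= $pfbpermitcnt && $matchcnt >= $pfbmatchcnt) {
			unset($pfbalert, $logarr);
			return $fields_array;
		}

		// Remember this entry for the next repeated-alert comparison.
		$previous_alert = $alert_key;
	}

	unset($pfbalert, $logarr);
	return $fields_array;
}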