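/**
 * Render the per-signature firewall event grid (flexigrid) and its JS glue.
 *
 * Reads the signature id from $_GET["sig"], builds the HTML/JS fragment and
 * echoes it through the template engine.  No return value.
 */
function table()
{
    $page = CurrentPageName();
    $tpl = new templates();
    $t = time();
    // The signature id is embedded in a single-quoted JS string literal below
    // (the flexigrid url).  Cast it to an integer so the value cannot close the
    // quote or inject markup; save() already treats this parameter as an integer.
    $sig = 0;
    if (isset($_GET["sig"])) {
        $sig = intval($_GET["sig"]);
    }
    $explain = $tpl->javascript_parse_text("{rule}");
    $rulename = $tpl->_ENGINE_parse_body("{signature}");
    $title = $tpl->_ENGINE_parse_body("{signatures}: {firewall}");
    $zdate = $tpl->_ENGINE_parse_body("date");
    $delete = $tpl->_ENGINE_parse_body("{delete}");
    $src_ip = $tpl->javascript_parse_text("src_ip");
    $q = new postgres_sql();
    $q->suricata_tables();
    // The "Apply" toolbar button is deliberately not rendered: the placeholder
    // interpolates as an empty string, leaving the grid without a buttons list.
    $buttons = null;
    $html = "\n\t\n\t\n\t<table class='TABLE_SURICATA_MAIN_FIREWALL_ZOOM' style='display: none' id='TABLE_SURICATA_MAIN_FIREWALL_ZOOM'\n\tstyle='width:100%'></table>\n\t<script>\n\t\$(document).ready(function(){\n\tvar md5H='';\n\t\$('#TABLE_SURICATA_MAIN_FIREWALL_ZOOM').flexigrid({\n\turl: '{$page}?list=yes&sig={$sig}',\n\tdataType: 'json',\n\tcolModel : [\n\t{display: '<span style=font-size:22px>{$zdate}</span>', name : 'zdate', width : 200, sortable : true, align: 'left'},\n\t{display: '<span style=font-size:22px>{$explain}</span>', name : 'src_ip', width : 491, sortable : true, align: 'left'},\n\t{display: '<span style=font-size:22px>{$delete}</span>', name : 'none', width : 90, sortable : false, align: 'center'},\n\t\n\n\t],\n\t{$buttons}\nsearchitems : [\n\t\t{display: '{$rulename}', name : 'signature'},\n\t\t{display: '{$src_ip}', name : 'src_ip'},\n\t\t\n\n\t],\t\n\tsortname: 'zdate',\n\tsortorder: 'desc',\n\tusepager: true,\n\ttitle: '<span style=font-size:30px>{$title}</span>',\n\tuseRp: true,\n\trp: 50,\n\tshowTableToggleBtn: false,\n\twidth: '99%',\n\theight: 550,\n\tsingleSelect: true,\n\trpOptions: [10, 20, 30, 50,100,200]\n\t\n\t});\n\t});\n\t\n\t\nfunction Add{$t}(){\n\tLoadjs('{$page}?add-interface-js=yes&t={$t}');\n}\nvar xSuricataFwDelete= function (obj) {\n\tvar results=obj.responseText;\n\tif(results.length>0){alert(results);return;}\n\t\$('#TABLE_SURICATA_MAIN_FIREWALL_ZOOM').flexReload();\n}\n\t\nfunction SuricataSignatureEnabled(filename){\n\tvar XHR = new XHRConnection();\n\tXHR.appendData('filename',filename);\n\tXHR.sendAndLoad('{$page}', 'POST',xSuricataSignatureEnabled);\n}\n\nfunction SuricataFwDelete(sig){\n\tvar XHR = new XHRConnection();\n\tXHR.appendData('delete',sig);\n\tXHR.sendAndLoad('{$page}', 'POST',xSuricataFwDelete);\n}\n\nfunction Apply{$t}(){\n\tLoadjs('suricata.progress.php');\n}\n</script>\n\t\n\t";
    echo $tpl->_ENGINE_parse_body($html);
}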
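/**
 * One-shot migration of legacy MySQL suricata_events rows into PostgreSQL.
 *
 * Guarded by a pid file (skips if another instance runs) and by a timestamp
 * file (runs at most once per 60 minutes).  The MySQL table is dropped only
 * after the PostgreSQL bulk insert reported success.  No return value.
 */
function migrate()
{
    $q = new mysql();
    $unix = new unix();
    $pidfile = "/etc/artica-postfix/pids/" . basename(__FILE__) . "." . __FUNCTION__ . ".pid";
    $pidtime = "/etc/artica-postfix/pids/exec.suricata.hourly.migrate.time";
    $pid = $unix->get_pid_from_file($pidfile);
    if ($unix->process_exists($pid, basename(__FILE__))) {
        $time = $unix->PROCCESS_TIME_MIN($pid);
        echo "Starting......: " . date("H:i:s") . " [INIT]: Already Artica task running PID {$pid} since {$time}mn\n";
        return;
    }
    @file_put_contents($pidfile, getmypid());
    // Rate limit: the time file is refreshed only when we actually proceed.
    $timeExec = $unix->file_time_min($pidtime);
    if ($timeExec < 60) {
        return;
    }
    @unlink($pidtime);
    @file_put_contents($pidtime, time());
    $hostname = $unix->hostname_g();
    if (!$q->TABLE_EXISTS("suricata_events", "artica_events")) {
        return;
    }
    $results = $q->QUERY_SQL("SELECT * FROM suricata_events", "artica_events");
    $postgres = new postgres_sql();
    $postgres->suricata_tables();
    // Initialised up front: an empty result set must not leave $f undefined
    // for the count() below.
    $f = array();
    while ($ligne = mysql_fetch_assoc($results)) {
        // Values are interpolated into a PostgreSQL VALUES list; escape them
        // for that engine (signature text in particular may contain quotes).
        $src_ip = pg_escape_string2($ligne["src_ip"]);
        $zDate = pg_escape_string2($ligne["zDate"]);
        $dst_ip = pg_escape_string2($ligne["dst_ip"]);
        $dst_port = pg_escape_string2($ligne["dst_port"]);
        $proto = pg_escape_string2($ligne["proto"]);
        $signature = pg_escape_string2($ligne["signature"]);
        $xcount = pg_escape_string2($ligne["xcount"]);
        $severity = pg_escape_string2($ligne["severity"]);
        $proxyname = pg_escape_string2($hostname);
        $f[] = "('{$zDate}','{$src_ip}','{$dst_ip}','{$proto}','{$dst_port}','{$signature}','{$severity}','{$xcount}','{$proxyname}')";
    }
    if (count($f) == 0) {
        return;
    }
    $prefix = "INSERT INTO suricata_events (zDate,src_ip,dst_ip,proto,dst_port,signature,severity,xcount,proxyname) VALUES ";
    $postgres->QUERY_SQL($prefix . implode(",", $f));
    if (!$postgres->ok) {
        // Keep the source table so the migration can be retried later.
        return;
    }
    $q->QUERY_SQL("DROP TABLE suricata_events", "artica_events");
}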
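/**
 * Import the Emerging Threats "Block IPs" feed into suricata_firewall.
 *
 * Downloads the list, keeps only lines that validate as an IP address or
 * range, replaces the previously auto-imported rows (xauto=1) and then
 * triggers the firewall rebuild script.  No return value.
 */
function BlockIPs()
{
    $ipClass = new IP();
    $unix = new unix();
    $tmpdir = $unix->TEMP_DIR();
    $curl = new ccurl("https://rules.emergingthreatspro.com/fwrules/emerging-Block-IPs.txt");
    $targetpath = "{$tmpdir}/emerging-Block-IPs.txt";
    if (!$curl->GetFile($targetpath)) {
        echo "{$targetpath} failed\n";
        artica_update_event(0, "Unable to download emerging-Block-IPs.txt", $curl->errors, __FILE__, __LINE__);
        return;
    }
    $f = explode("\n", @file_get_contents($targetpath));
    $proxyname = $unix->hostname_g();
    $q = new postgres_sql();
    $q->suricata_tables();
    // Loop invariants: one timestamp per import run, fixed proto/port for
    // feed-derived entries (signature id 0).
    $zdate = date("Y-m-d H:i:s");
    $proto = "TCP";
    $dest_port = 0;
    $verbose = !empty($GLOBALS["VERBOSE"]);
    $tr = array();
    foreach ($f as $ligne) {
        $ligne = trim($ligne);
        if ($ligne === "") {
            continue;
        }
        // Comment lines (and any line carrying a trailing comment) are skipped.
        if (strpos($ligne, "#") !== false) {
            continue;
        }
        // Only validated addresses/ranges are interpolated into the SQL below;
        // anything else from the remote feed is dropped.
        if (!$ipClass->isIPAddressOrRange($ligne)) {
            continue;
        }
        $src_ip = $ligne;
        $uduniq = md5("0,{$src_ip},{$dest_port},{$proto}");
        if ($verbose) {
            echo "0,{$src_ip},{$dest_port},{$proto}\n";
        }
        $tr[] = "('{$zdate}','{$uduniq}','0','{$src_ip}','{$dest_port}','{$proto}','{$proxyname}',1)";
    }
    if (count($tr) == 0) {
        // An empty or entirely invalid feed would otherwise produce an INSERT
        // with no VALUES rows (a syntax error) after the old rows were deleted.
        // Keep the existing auto-imported rows instead.
        return;
    }
    $q->QUERY_SQL("DELETE FROM suricata_firewall WHERE xauto=1");
    $content = implode(",", $tr);
    $prefix = "INSERT INTO suricata_firewall (zdate,uduniq,signature,src_ip,dst_port,proto,proxyname,xauto) VALUES ";
    $q->QUERY_SQL("{$prefix} {$content} ON CONFLICT DO NOTHING");
    if (!$q->ok) {
        echo $q->mysql_error . "\n";
        return;
    }
    $php = $unix->LOCATE_PHP5_BIN();
    shell_exec("{$php} /usr/share/artica-postfix/exec.suricata-fw.php --run");
}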
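/**
 * Populate $GLOBALS["CLASSIFICATIONS"] from the suricata_classifications table.
 *
 * Each row is indexed twice: by its uduniq and by its lower-cased description,
 * both mapping to the row id.  If the table is empty, parse_classifications()
 * is invoked and the load is retried once.  No return value.
 */
function load_classifications()
{
    // Make sure the map exists so count() below is well-defined even when
    // nothing has been loaded yet.
    if (!isset($GLOBALS["CLASSIFICATIONS"]) || !is_array($GLOBALS["CLASSIFICATIONS"])) {
        $GLOBALS["CLASSIFICATIONS"] = array();
    }
    $postgres = new postgres_sql();
    $postgres->suricata_tables();
    _load_classifications_rows($postgres);
    events("Starting " . count($GLOBALS["CLASSIFICATIONS"]) . " classifications");
    if (count($GLOBALS["CLASSIFICATIONS"]) == 0) {
        parse_classifications();
        _load_classifications_rows($postgres);
        events("Starting (2) " . count($GLOBALS["CLASSIFICATIONS"]) . " classifications");
    }
}

/**
 * Read every suricata_classifications row and merge it into
 * $GLOBALS["CLASSIFICATIONS"] (uduniq => id and lowercased description => id).
 *
 * @param postgres_sql $postgres connection with suricata tables already prepared
 */
function _load_classifications_rows($postgres)
{
    $results = $postgres->QUERY_SQL("SELECT * FROM suricata_classifications");
    while ($ligne = @pg_fetch_assoc($results)) {
        $ID = $ligne["id"];
        $uduniq = $ligne["uduniq"];
        $description = strtolower($ligne["description"]);
        events("load_classifications {$uduniq} {$ligne["description"]} = {$ID}");
        $GLOBALS["CLASSIFICATIONS"][$uduniq] = $ID;
        $GLOBALS["CLASSIFICATIONS"][$description] = $ID;
    }
}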
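/**
 * Persist the enabled/firewall flags of one signature from a POST request and
 * notify the framework so the running Suricata configuration follows.
 *
 * Reads $_POST["sig"], $_POST["enabled"], $_POST["firewall"].  Prints an error
 * and returns early when the signature id is missing or a query fails.
 */
function save()
{
    $q = new postgres_sql();
    $sock = new sockets();
    $sig = isset($_POST["sig"]) ? intval($_POST["sig"]) : 0;
    if ($sig == 0) {
        echo "No signature ID\n";
        return;
    }
    // The raw POST values were previously interpolated into SQL and into the
    // framework URLs.  They are only ever compared as 0/1 here, so cast them
    // to integers and use the casted $sig everywhere instead of $_POST["sig"].
    $enabled = isset($_POST["enabled"]) ? intval($_POST["enabled"]) : 0;
    $firewall = isset($_POST["firewall"]) ? intval($_POST["firewall"]) : 0;
    $q->suricata_tables();
    $q->QUERY_SQL("UPDATE suricata_sig SET enabled='{$enabled}',firewall='{$firewall}' WHERE signature='{$sig}'");
    if (!$q->ok) {
        echo $q->mysql_error;
        return;
    }
    if ($enabled == 0) {
        // Disabling a signature also purges its recorded events.
        $q->QUERY_SQL("DELETE FROM suricata_events WHERE signature='{$sig}'");
        if (!$q->ok) {
            echo $q->mysql_error;
            return;
        }
        $sock->getFrameWork("suricata.php?disable-sid=yes&sig={$sig}");
    } else {
        $sock->getFrameWork("suricata.php?enable-sid=yes&sig={$sig}");
        if ($firewall == 1) {
            $sock->getFrameWork("suricata.php?firewall-sid=yes&sig={$sig}");
        }
    }
    $sock->getFrameWork("suricata.php?restart-tail=yes");
}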
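/**
 * (Re)build the PostgreSQL suricata_classifications table.
 *
 * Merges two sources: rows from a legacy MySQL backup table (dropped once
 * read) and entries parsed from /etc/suricata/rules/classification.config.
 * Rows are inserted with ON CONFLICT DO NOTHING.  No return value.
 */
function build_classification()
{
    $q = new mysql();
    $f = explode("\n", @file_get_contents("/etc/suricata/rules/classification.config"));
    $postgres = new postgres_sql();
    $postgres->suricata_tables();
    $t = array();
    if ($q->TABLE_EXISTS("suricata_classifications", "artica_backup")) {
        // The existence check and the DROP below both target artica_backup;
        // name the same database on the SELECT so all three agree.
        $results = $q->QUERY_SQL("SELECT * FROM suricata_classifications", "artica_backup");
        while ($ligne = mysql_fetch_assoc($results)) {
            $uduniq = $ligne["uduniq"];
            $shortname = pg_escape_string2($ligne["shortname"]);
            $description = pg_escape_string2($ligne["description"]);
            $priority = $ligne["priority"];
            $t[] = "('{$uduniq}','{$shortname}','{$description}','{$priority}')";
        }
        $q->QUERY_SQL("DROP TABLE suricata_classifications", "artica_backup");
    }
    foreach ($f as $val) {
        $val = trim($val);
        if ($val === "") {
            continue;
        }
        if (substr($val, 0, 1) == "#") {
            continue;
        }
        // Expected line shape: "config classification: shortname,description,priority"
        if (!preg_match("#^config classification:\\s+(.+?),(.+?),([0-9]+)#", $val, $re)) {
            continue;
        }
        // uduniq is the md5 of the raw description (before escaping) so that it
        // matches the ids produced by the other code paths.
        $uduniq = md5($re[2]);
        // Values go into a PostgreSQL statement: escape with the same helper
        // the backup loop above uses, not the MySQL escaper.
        $shortname = pg_escape_string2($re[1]);
        $description = pg_escape_string2($re[2]);
        $priority = $re[3];
        $t[] = "('{$uduniq}','{$shortname}','{$description}','{$priority}')";
    }
    if (count($t) > 0) {
        $sql = "INSERT INTO suricata_classifications (uduniq,shortname,description,priority) VALUES " . implode(",", $t) . " ON CONFLICT DO NOTHING";
        $postgres->QUERY_SQL($sql);
        if (!$postgres->ok) {
            echo $postgres->mysql_error . "\n";
        }
    }
    if (!empty($GLOBALS["OUTPUT"])) {
        echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} classifications done\n";
    }
}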