/** * @return bool|int */ public function logHit() { $liveTrafficEnabled = wfConfig::liveTrafficEnabled(); $action = $this->currentRequest->action; $logHitOK = $this->logHitOK(); if (!$logHitOK) { return false; } if (!$liveTrafficEnabled && !$action) { return false; } if ($this->currentRequest !== null) { if ($this->currentRequest->save()) { return $this->currentRequest->getPrimaryKey(); } } return false; }
public static function syncAttackData($exit = true) { global $wpdb; $waf = wfWAF::getInstance(); $lastAttackMicroseconds = $wpdb->get_var("SELECT MAX(attackLogTime) FROM {$wpdb->base_prefix}wfHits"); if ($waf->getStorageEngine()->hasNewerAttackData($lastAttackMicroseconds)) { $attackData = $waf->getStorageEngine()->getNewestAttackDataArray($lastAttackMicroseconds); if ($attackData) { foreach ($attackData as $request) { if (count($request) !== 9) { continue; } list($logTimeMicroseconds, $requestTime, $ip, $learningMode, $paramKey, $paramValue, $failedRules, $ssl, $requestString) = $request; // Skip old entries and hits in learning mode, since they'll get picked up anyways. if ($logTimeMicroseconds <= $lastAttackMicroseconds || $learningMode) { continue; } $hit = new wfRequestModel(); $hit->attackLogTime = $logTimeMicroseconds; $hit->statusCode = 403; $hit->ctime = $requestTime; $hit->IP = wfUtils::inet_pton($ip); if (preg_match('/user\\-agent:(.*?)\\n/i', $requestString, $matches)) { $hit->UA = trim($matches[1]); $hit->isGoogle = wfCrawl::isGoogleCrawler($hit->UA); } if (preg_match('/Referer:(.*?)\\n/i', $requestString, $matches)) { $hit->referer = trim($matches[1]); } if (preg_match('/^[a-z]+\\s+(.*?)\\s+/i', $requestString, $uriMatches) && preg_match('/Host:(.*?)\\n/i', $requestString, $hostMatches)) { $hit->URL = 'http' . ($ssl ? 's' : '') . '://' . trim($hostMatches[1]) . trim($uriMatches[1]); } if (preg_match('/cookie:(.*?)\\n/i', $requestString, $matches)) { $hit->newVisit = strpos($matches[1], 'wfvt_' . crc32(site_url())) !== false ? 1 : 0; $hasVerifiedHumanCookie = strpos($matches[1], 'wordfence_verifiedHuman') !== false; if ($hasVerifiedHumanCookie && preg_match('/wordfence_verifiedHuman=(.*?);/', $matches[1], $cookieMatches)) { $hit->jsRun = (int) wp_verify_nonce($cookieMatches[1], 'wordfence_verifiedHuman' . $hit->UA . $ip); } $hasLoginCookie = strpos($matches[1], $ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE) !== false; if ($hasLoginCookie && preg_match('/' . ($ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE) . '=(.*?);/', $matches[1], $cookieMatches)) { $authCookie = rawurldecode($cookieMatches[1]); $authID = $ssl ? wp_validate_auth_cookie($authCookie, 'secure_auth') : wp_validate_auth_cookie($authCookie, 'auth'); if ($authID) { $hit->userID = $authID; } } } $path = '/'; if (preg_match('/^[A-Z]+ (.*?) HTTP\\/1\\.1/', $requestString, $matches)) { if (($pos = strpos($matches[1], '?')) !== false) { $path = substr($matches[1], 0, $pos); } else { $path = $matches[1]; } } $hit->action = 'blocked:waf'; /** @var wfWAFRule $rule */ $ruleIDs = explode('|', $failedRules); $actionData = array('learningMode' => $learningMode, 'failedRules' => $failedRules, 'paramKey' => $paramKey, 'paramValue' => $paramValue, 'path' => $path); if ($ruleIDs && $ruleIDs[0]) { $rule = $waf->getRule($ruleIDs[0]); if ($rule) { $hit->actionDescription = $rule->getDescription(); $actionData['category'] = $rule->getCategory(); $actionData['ssl'] = $ssl; $actionData['fullRequest'] = base64_encode($requestString); } } $hit->actionData = wfRequestModel::serializeActionData($actionData); $hit->save(); self::scheduleSendAttackData(); } } $waf->getStorageEngine()->truncateAttackData(); } update_site_option('wordfence_syncingAttackData', 0); update_site_option('wordfence_syncAttackDataAttempts', 0); if ($exit) { exit; } }
public static function syncAttackData($exit = true) { global $wpdb; $waf = wfWAF::getInstance(); $lastAttackMicroseconds = $wpdb->get_var("SELECT MAX(attackLogTime) FROM {$wpdb->base_prefix}wfHits"); if ($waf->getStorageEngine()->hasNewerAttackData($lastAttackMicroseconds)) { $attackData = $waf->getStorageEngine()->getNewestAttackDataArray($lastAttackMicroseconds); if ($attackData) { foreach ($attackData as $request) { if (count($request) !== 9 && count($request) !== 10) { continue; } list($logTimeMicroseconds, $requestTime, $ip, $learningMode, $paramKey, $paramValue, $failedRules, $ssl, $requestString, $metadata) = $request; // Skip old entries and hits in learning mode, since they'll get picked up anyways. if ($logTimeMicroseconds <= $lastAttackMicroseconds || $learningMode) { continue; } $hit = new wfRequestModel(); $hit->attackLogTime = $logTimeMicroseconds; $hit->statusCode = 403; $hit->ctime = $requestTime; $hit->IP = wfUtils::inet_pton($ip); if (preg_match('/user\\-agent:(.*?)\\n/i', $requestString, $matches)) { $hit->UA = trim($matches[1]); $hit->isGoogle = wfCrawl::isGoogleCrawler($hit->UA); } if (preg_match('/Referer:(.*?)\\n/i', $requestString, $matches)) { $hit->referer = trim($matches[1]); } if (preg_match('/^[a-z]+\\s+(.*?)\\s+/i', $requestString, $uriMatches) && preg_match('/Host:(.*?)\\n/i', $requestString, $hostMatches)) { $hit->URL = 'http' . ($ssl ? 's' : '') . '://' . trim($hostMatches[1]) . trim($uriMatches[1]); } if (preg_match('/cookie:(.*?)\\n/i', $requestString, $matches)) { $hit->newVisit = strpos($matches[1], 'wfvt_' . crc32(site_url())) !== false ? 1 : 0; $hasVerifiedHumanCookie = strpos($matches[1], 'wordfence_verifiedHuman') !== false; if ($hasVerifiedHumanCookie && preg_match('/wordfence_verifiedHuman=(.*?);/', $matches[1], $cookieMatches)) { $hit->jsRun = (int) wp_verify_nonce($cookieMatches[1], 'wordfence_verifiedHuman' . $hit->UA . $ip); } $hasLoginCookie = strpos($matches[1], $ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE) !== false; if ($hasLoginCookie && preg_match('/' . ($ssl ? SECURE_AUTH_COOKIE : AUTH_COOKIE) . '=(.*?);/', $matches[1], $cookieMatches)) { $authCookie = rawurldecode($cookieMatches[1]); $authID = $ssl ? wp_validate_auth_cookie($authCookie, 'secure_auth') : wp_validate_auth_cookie($authCookie, 'auth'); if ($authID) { $hit->userID = $authID; } } } $path = '/'; if (preg_match('/^[A-Z]+ (.*?) HTTP\\/1\\.1/', $requestString, $matches)) { if (($pos = strpos($matches[1], '?')) !== false) { $path = substr($matches[1], 0, $pos); } else { $path = $matches[1]; } } $metadata = $metadata != null ? (array) $metadata : array(); if (isset($metadata['finalAction']) && $metadata['finalAction']) { // The request was blocked/redirected because of its IP based on the plugin's blocking settings. WAF blocks should be reported but not shown in live traffic with that as a reason. $action = $metadata['finalAction']['action']; $actionDescription = $action; if (class_exists('wfWAFIPBlocksController')) { if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_UAREFIPRANGE) { $id = $metadata['finalAction']['id']; $wpdb->query($wpdb->prepare("UPDATE {$wpdb->base_prefix}wfBlocksAdv SET totalBlocked = totalBlocked + 1, lastBlocked = %d WHERE id = %d", $requestTime, $id)); wfActivityReport::logBlockedIP($ip); } else { if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY_REDIR) { $actionDescription .= ' (' . wfConfig::get('cbl_redirURL') . ')'; wfConfig::inc('totalCountryBlocked'); wfActivityReport::logBlockedIP($ip); } else { if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_COUNTRY) { wfConfig::inc('totalCountryBlocked'); wfActivityReport::logBlockedIP($ip); } else { if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_WFSN) { wordfence::wfsnReportBlockedAttempt($ip, 'login'); } } } } } if (strlen($actionDescription) == 0) { $actionDescription = 'Blocked by Wordfence'; } if (empty($failedRules)) { // Just a plugin block $hit->action = 'blocked:wordfence'; if (class_exists('wfWAFIPBlocksController')) { if ($action == wfWAFIPBlocksController::WFWAF_BLOCK_WFSN) { $hit->action = 'blocked:wfsnrepeat'; } } $hit->actionDescription = $actionDescription; } else { if ($failedRules == 'logged') { $hit->action = 'logged:waf'; } else { // Blocked by the WAF but would've been blocked anyway by the plugin settings so that message takes priority $hit->action = 'blocked:waf-always'; $hit->actionDescription = $actionDescription; } } } else { if ($failedRules == 'logged') { $hit->action = 'logged:waf'; } else { $hit->action = 'blocked:waf'; } } /** @var wfWAFRule $rule */ $ruleIDs = explode('|', $failedRules); $actionData = array('learningMode' => $learningMode, 'failedRules' => $failedRules, 'paramKey' => $paramKey, 'paramValue' => $paramValue, 'path' => $path); if ($ruleIDs && $ruleIDs[0]) { $rule = $waf->getRule($ruleIDs[0]); if ($rule) { if ($hit->action == 'logged:waf' || $hit->action == 'blocked:waf') { $hit->actionDescription = $rule->getDescription(); } $actionData['category'] = $rule->getCategory(); $actionData['ssl'] = $ssl; $actionData['fullRequest'] = base64_encode($requestString); } else { if ($ruleIDs[0] == 'logged') { if ($hit->action == 'logged:waf' || $hit->action == 'blocked:waf') { $hit->actionDescription = 'Watched IP Traffic: ' . $ip; } $actionData['category'] = 'logged'; $actionData['ssl'] = $ssl; $actionData['fullRequest'] = base64_encode($requestString); } } } $hit->actionData = wfRequestModel::serializeActionData($actionData); $hit->save(); self::scheduleSendAttackData(); } } $waf->getStorageEngine()->truncateAttackData(); } update_site_option('wordfence_syncingAttackData', 0); update_site_option('wordfence_syncAttackDataAttempts', 0); update_site_option('wordfence_lastSyncAttackData', time()); if ($exit) { exit; } }