• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Dshield sensor for 2.4

Scheduled Pinned Locked Moved Firewalling
2 Posts 2 Posters 743 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • N
    nl
    last edited by Oct 24, 2017, 6:36 AM

    here it is the new script for dshield on 2.4 release :

    #!/usr/local/bin/php -q

/**
 *   DShield PFSense Client Version 0.000003
 *	 https://github.com/jullrich/dshieldpfsense
 *
 *   for questions, please email jullrich - at - sans.edu
 *
 *  Install:
 *
 *   -  copy this file to a location where it is not in the way. E.g. /root/bin/dshieldpfsense.php
 *   -  make the file executable chmod +x /root/bin/dshield.php
 *   -  create dshield.ini (see dshield.sample) in the same directory where you keep this file
 *   -  test run: /root/bin/dshield.php
 *   -  add to cron (crontab -e ... run twice an hour e.g. 11,41 * * * * /root/bin/dshield.php
 *
 *  In PFSense, you need to have a mail server configured for notifcations. See
 *    Systems->Advanced->Notifcations
 *
 */

#$config_dshield=parse_ini_file("dshield.ini",true);
#$config=array_merge($config, $config_dshield['dshield']);
$config=parse_ini_file("dshield.ini",true);
$config=$config['dshield'];

# for debugging, change the 'To' address or add a second address
$toaddr='reports@dshield.org';

$debug=(int)($config['debug']);
$interfaces=split(',',$config['interfaces']);

if ( $config['apikey'] === '' ) {
 print "An API Key is required. Check dshield.ini\n";
  exit();
}else{
	$apikey=$config['apikey'];
}

if ( $config['fromaddr'] === '' ) {
  print "A 'From Address' is required. Check dshield.ini\n";
}

if ($config['fromaddr'] === '' ) {
	$from = $config['notifications']['smtp']['fromaddress'];
} else {
	$from = $config['fromaddr'];
}

if ( $config['uid'] === '' ) {
  print "A DShield UID is required. Check dshield.ini\n";
  exit();
} else {
	$uid = $config['uid'];
}

if ( $debug===1 ) {
    print "interactive/debug mode

   API Key: $apikey
      From: $from 
       UID: $uid 
Interfaces: ".join(',',$interfaces)."
";
}

if (isset($config['notifications']['smtp']['disable'])) {
	print "SMTP is disabled under Systems->Advanced->Notifcations\n";
	exit();
}
if (isset($config['notifications']['smtp']['ipaddress'])) {
	print "No smpt server is defined under Systems->Advanced->Notifications\n";
	exit();
}

# include some standard libraries
require_once("globals.inc");
require_once("functions.inc");
require_once("filter_log.inc");

# figure out local timezone
$sTZ=date('P');
# assemble subject line
$sSubject="FORMAT DSHIELD USERID $uid TZ $sTZ AUTHKEY $apikey PFSENSE";

# initialize variables
$linecnt=0;
$lasttime=0;

if ( $debug===1 ) {
    print "
Subject: $sSubject\n";
}

# check when we ran last.
if ( file_exists('/var/run/dshieldlastts') ) {
    $lasttime=file_get_contents('/var/run/dshieldlastts');
    if ( $debug === 1 ) {
        print "Last time script ran: $lasttime\n";
    }
} else {
    if ( $debug === 1 ) {
        print "could not find /var/run/dshieldlastts . Running for the first time?\n";
    }
}

# read the log
$log=fopen("/var/log/filter.log","r");
$linesout='';
while(!feof($log)) {
    $line = fgets($log);
    $line = rtrim($line);
    if ( $debug===1 ) {
        print "Reading $line\n";
    }
# the name of this function changed in Pfsense 2.3
    if ( $config['version']>=15 ) {
        $flent = parse_firewall_log_line(trim($line));
    } else {
        $flent = parse_filter_line(trim($line));
    }

# eliminating ICMP (we don't log that) and TCP with FA and RA flags as these are usually false positives, as well as A and R

    if ($flent != "" && in_array($flent['interface'],$interfaces) && $flent['proto']!='ICMP' && $flent['tcpflags']!='FA' && $flent['tcpflags']!='RA'  && $flent['tcpflags'] != 'SA' && $flent['tcpflags']!='A'  && $flent['tcpflags']!='R' ) {
        $time=strtotime($flent['time']);

# check if this log line is newer then the last one we processesed.
        if ( $time>$lasttime) {
            $linesout.=date("Y-m-d H:i:s P",$time)."\t{$config['uid']}\t1\t{$flent['srcip']}\t{$flent['srcport']}\t{$flent['dstip']}\t{$flent['dstport']}\t{$flent['proto']}\t{$flent['tcpflags']}\n";
            $flent='';
            $linecnt++;
        } else {
	    if ( $debug === 1 ) {
	      print "Log is too old $time vs $lastime\n";
            }
        }
    } else {
        if ( $debug === 1 ) {
        	print "Log was rejected due to wrong interface or flags or because it is ICMP: protocol {$flent['proto']} interface {$flent['interface']} flags {$flent['tcpflags']}\n";
        } 
    }
}
fclose($log);

# done reading the log

# dealing with errors
if ( $lasttime>=$time ) {
    log_error("no new lines added to log since last run OK");
    exit();
}
if ( $linecnt==0 ){
    log_error("no new lines found to submit to dshield OK");
    exit();
}

# safe the "last run" time stamp for the next time we will run.

file_put_contents('/var/run/dshieldlastts',$time);

#
# sending log via email
#

	$headers = array(
		"From"    => $from,
		"To"      => $toaddr,
		"Subject" => $sSubject,
		"Date"    => date("r")
	);

if ( $config['ccaddr'] !='' ) {
    array_push($headers,'CC: '.$config['ccaddr']);
}

file_put_contents("/tmp/lastdshieldlog",$linesout);

if ( $config['version']>=16 ) {
		//pfsense 2.4
		if(send_smtp_message_24()) {
                log_error(sprintf(gettext("%d lines sent to DShield OK"), $linecnt));
		        print "send $linecnt lines to DShield OK\n";
		}
}else{
		//pfsense 2.3 and below
		send_smtp_message_23();
}
##### fork from /etc/inc/notices.inc		
function send_smtp_message_24() {
	global $config, $g, $from, $toaddr, $headers, $linesout ;
	require_once("Mail.php");

	if (empty($config['notifications']['smtp']['username']) ||
	    empty($config['notifications']['smtp']['password'])) {
		$auth = false;
		$username = '';
		$password = '';
	} else {
		$auth = isset($config['notifications']['smtp']['authentication_mechanism'])
		    ? $config['notifications']['smtp']['authentication_mechanism']
		    : 'PLAIN';
		$username = $config['notifications']['smtp']['username'];
		$password = $config['notifications']['smtp']['password'];
	}
	$params = array(
		'host' => (isset($config['notifications']['smtp']['ssl'])
		    ? 'ssl://'
		    : '')
		    . $config['notifications']['smtp']['ipaddress'],
		'port' => empty($config['notifications']['smtp']['port'])
		    ? 25
		    : $config['notifications']['smtp']['port'],
		'auth' => $auth,
		'username' => $username,
		'password' => $password,
		'localhost' => $config['system']['hostname'] . "." .
		    $config['system']['domain'],
		'timeout' => !empty($config['notifications']['smtp']['timeout'])
		    ? $config['notifications']['smtp']['timeout']
		    : 20,
		'debug' => false,
		'persist' => false
	);

			if ( $debug === 1 ) {
        		print_r($headers);
				print_r($params);	
        } 

	$smtp =& Mail::factory('smtp', $params);
	$mail = $smtp->send($toaddr, $headers, $linesout);
	if (PEAR::isError($mail)) {
		$err_msg = sprintf(gettext(
		    'Could not send the message to %1$s -- Error: %2$s'),
		    $toaddr, $mail->getMessage());
		print $err_msg;
		log_error($err_msg);
		return($err_msg);
	}

	return;

}

function send_smtp_message_23() {
	global $config, $g, $from, $toaddr, $headers, $linesout, $linecnt ;
	require_once("sasl.inc");
	require_once("smtp.inc");

	$smtp=new smtp_class;
	$smtp->host_name=$config['notifications']['smtp']['ipaddress'];
	$smtp->host_port = empty($config['notifications']['smtp']['port']) ? 25 : $config['notifications']['smtp']['port'];
	$smtp->direct_delivery = 0;
	$smtp->ssl = (isset($config['notifications']['smtp']['ssl'])) ? 1 : 0;
	$smtp->tls = (isset($config['notifications']['smtp']['tls'])) ? 1 : 0;
	$smtp->debug = 0;
	$smtp->html_debug = 0;
	$smtp->localhost=$config['system']['hostname'].".".$config['system']['domain'];
	if($config['notifications']['smtp']['username'] &&
		$config['notifications']['smtp']['password']) {
		if (isset($config['notifications']['smtp']['authentication_mechanism'])) {
			$smtp->authentication_mechanism = $config['notifications']['smtp']['authentication_mechanism'];
		} else {
			$smtp->authentication_mechanism = "PLAIN";
		}
		$smtp->user = $config['notifications']['smtp']['username'];
		$smtp->password = $config['notifications']['smtp']['password'];
	}

	if($smtp->SendMessage($from, $toaddr, $headers, $linesout)) {
		log_error(sprintf(gettext("%d lines sent to DShield OK"), $linecnt));
		print "send $linecnt lines to DShield OK\n";
	} else {
		log_error(sprintf(gettext('Could not send DShield logs to %1$s -- Error: %2$s'), $toaddr, $smtp->error));
		print "could not send $linecnt lines to DShield ERROR\n";
	}
}

?>

    Should be updated within next days in https://github.com/jullrich/dshieldpfsense repo.
    Regards

    1 Reply Last reply Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Oct 24, 2017, 9:19 AM

      Nice thanks!

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      1 Reply Last reply Reply Quote 0
      2 out of 2
      • First post
        2/2
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
        This community forum collects and processes your personal information.
        consent.not_received