filtrage des logs proxy : expurger les hotes surs ou connus

par **elarifr** » 12 Août 2004 22:31

ce thread remplace viewtopic.php?t=18917&highlight=

But : lors de la consultation des log du proxy mandataire (proxylog.dat) il est offert la possibilité pour chaque connection de valider l'adresse comme étant une url de confiance dont on peut se passer lors de la visualisation des log.

http://elari.free.fr/ipcop/hoststrusted/proxylog.jpg

il est ainsi plus facile de trouver la trace d'une connection sur un site sensible. les hotes "surs" sont soit ajoutés au fur et a mesure à partir de la consultation des log soit directement par le module hoststrusted.cgi.

Pour chaque site, il est possible de rajouter un commentaire (via proxylog = l'url, l'ip du poste et la date sont automatiquement proposés) ainsi qu'une classification de securite sur cinq niveau.
Le niveau de securité est naturellement utilisé lors de la consultation des log.

http://elari.free.fr/ipcop/hoststrusted/hoststrusted.jpg

par **elarifr** » 12 Août 2004 22:36

Step 1

creer dans //var/ipcop/main le fichier

hoststrusted - chmod 7777

Code: Tout sélectionner: 0,ixus.net,for fun,4 1,ipcop.org,,4

je modifierais par la suite pour utiliser un chmod 644....

par **elarifr** » 12 Août 2004 22:42

Step 2

Creer dans //etc/ un fichier

hoststrusted - chmod 777

Code: Tout sélectionner: 4=ixus.net|ipcop.org|

je modifierais par la suite pour utiliser un chmod 644....

par **elarifr** » 12 Août 2004 22:46

Step 3

Creer dans /home/http/cgi-bin/ le fichier

hoststrusted.cgi - chmod 755 - version : hoststrusted.cgi.2o0812.19h42.public

Code: Tout sélectionner: #!/usr/bin/perl # # (c) 2001 Jack Beglinger <jackb_guppy@yahoo.com> # # (c) 2003 Dave Roberts <countzerouk@hotmail.com> - colour coded netfilter/iptables rewrite for 1.3 # # (c) 2004 Elari http://elari.free.fr - add optional filtering report for 1.4 # # $Id: connections.cgi,v 1.6 2004/03/04 08:40:45 riddles Exp $ # # Setup GREEN, ORANGE, IPCOP, VPN CIDR networks, masklengths and colours only once my @network; my @masklen; my @colour; use Net::IPv4Addr qw( :all ); require '/var/ipcop/header.pl'; # Read various files my %netsettings; &readhash("${swroot}/ethernet/settings", \%netsettings); open (ACTIVE, "/proc/net/ip_conntrack"); my @active = <ACTIVE>; close (ACTIVE); open (ACTIVE, "/proc/net/ipsec_eroute"); my @vpn = <ACTIVE>; close (ACTIVE); my $aliasfile = "${swroot}/ethernet/aliases"; open(ALIASES, $aliasfile) or die 'Unable to open aliases file.'; my @aliases = <ALIASES>; close(ALIASES); # Add Green Firewall Interface push(@network, $netsettings{'GREEN_ADDRESS'}); push(@masklen, "255.255.255.255" ); push(@colour, $colourfw ); # Add Green Network to Array push(@network, $netsettings{'GREEN_NETADDRESS'}); push(@masklen, $netsettings{'GREEN_NETMASK'} ); push(@colour, $colourgreen ); # Add Green Routes to Array my @routes = `/sbin/route -n | /bin/grep $netsettings{'GREEN_DEV'}`; foreach $route (@routes) { chomp($route); my @temp = split(/[\t ]+/, $route); push(@network, $temp[0]); push(@masklen, $temp[2]); push(@colour, $colourgreen ); } # Add Firewall Localhost 127.0.0.1 push(@network, '127.0.0.1'); push(@masklen, '255.255.255.255' ); push(@colour, $colourfw ); # Add Orange Network if ($netsettings{'ORANGE_DEV'}) { push(@network, $netsettings{'ORANGE_NETADDRESS'}); push(@masklen, $netsettings{'ORANGE_NETMASK'} ); push(@colour, $colourorange ); # Add Orange Routes to Array @routes = `/sbin/route -n | /bin/grep $netsettings{'ORANGE_DEV'}`; foreach $route (@routes) { chomp($route); my @temp = split(/[\t ]+/, $route); push(@network, $temp[0]); push(@masklen, $temp[2]); push(@colour, $colourorange ); } } # Add Blue Network if ($netsettings{'BLUE_DEV'}) { push(@network, $netsettings{'BLUE_NETADDRESS'}); push(@masklen, $netsettings{'BLUE_NETMASK'} ); push(@colour, $colourblue ); # Add Blue Routes to Array @routes = `/sbin/route -n | /bin/grep $netsettings{'BLUE_DEV'}`; foreach $route (@routes) { chomp($route); my @temp = split(/[\t ]+/, $route); push(@network, $temp[0]); push(@masklen, $temp[2]); push(@colour, $colourblue ); } } # Add STATIC RED aliases if ($netsettings{'RED_DEV'}) { # We have a RED eth iface if ($netsettings{'RED_TYPE'} eq 'STATIC') { # We have a STATIC RED eth iface my $line; foreach $line (@aliases) { chomp($line); my @temp = split(/\,/,$line); } if ( $temp[0] ) { push(@network, $temp[0]); push(@masklen, $netsettings{'RED_NETMASK'} ); push(@colour, $colourfw ); } } } # Add VPNs foreach $line (@vpn) { @temp = split(/[\t ]+/,$line); @temp1 = split(/[\/:]+/,$temp[3]); push(@network, $temp1[0]); push(@masklen, ipv4_cidr2msk($temp1[1])); push(@colour, $colourvpn ); } if (open(IP, "${swroot}/red/local-ipaddress")) { my $redip = <IP>; close(IP); chomp $redip; push(@network, $redip); push(@masklen, '255.255.255.255' ); push(@colour, $colourfw ); } #elari read arp values and display menu to select client #http://elari.free.fr/ipcop 13 July 2004 my %cgiparams; $cgiparams{'ENABLED'} = 'off'; &getcgihash(\%cgiparams); if ($cgiparams{'SEE_PROTO'} eq '') { $cgiparams{'SEE_PROTO'}="***"; } if ($cgiparams{'SEE_STATE'} eq '') { $cgiparams{'SEE_STATE'}="ESTABLISHED"; } if ($cgiparams{'SEE_MARK'} eq '') { $cgiparams{'SEE_MARK'}= "[ASSURED]"; } my ($menu_form, $menu_form_submit, $menu_form_end); $menu_form = "<form method='post' action='$ENV{'SCRIPT_NAME'}'>"; $menu_form_submit = "<input type='submit' name='' value='Ok' />"; $menu_form_end = "</form>\n"; my ($menu_proto, $see_proto, $is_proto_all , $is_proto_udp , $is_proto_tcp); $see_proto = $cgiparams{'SEE_PROTO'}; if ($see_proto eq "***" ) {$is_proto_all="selected"} else {$is_proto_all=""}; if ($see_proto eq "tcp" ) {$is_proto_tcp="selected"} else {$is_proto_tcp=""}; if ($see_proto eq "udp" ) {$is_proto_udp="selected"} else {$is_proto_udp=""}; $menu_proto = "<select name='SEE_PROTO'><option value='***' $is_proto_all>***</option><option value='udp' $is_proto_udp>udp</option><option value='tcp' $is_proto_tcp>tcp</option></select>"; my ($menu_state, $see_state, $is_state_all, $is_state_est, $is_state_wait, $is_state_syn, $is_state_clos); $see_state = $cgiparams{'SEE_STATE'}; if ($see_state eq "***" ) {$is_state_all ="selected"} else {$is_state_all =""}; if ($see_state eq "ESTABLISHED" ){$is_state_est ="selected"} else {$is_state_est =""}; if ($see_state eq "TIME_WAIT" ) {$is_state_wait="selected"} else {$is_state_wait=""}; if ($see_state eq "SYN_RECV" ) {$is_state_syn ="selected"} else {$is_state_syn =""}; if ($see_state eq "CLOSE" ) {$is_state_clos="selected"} else {$is_state_clos=""}; $menu_state = "<select name='SEE_STATE'><option value='***' $is_state_all>***</option><option value='ESTABLISHED' $is_state_est>ESTABLISHED</option><option value='TIME_WAIT' $is_state_wait>TIME_WAIT</option><option value='SYN_RECV' $is_state_syn>SYN_RECV</option><option value='CLOSE' $is_state_clos>CLOSE</option></select>"; my ($menu_dest, $see_dest); $see_dest = $cgiparams{'SEE_DEST'}; $menu_dest = "<input type='text' name='SEE_DEST' value='$cgiparams{'SEE_DEST'}' />"; my ($menu_mark, $see_mark, $is_mark_all, $is_mark_ass, $is_mark_o1, $is_mark_o2); # elari 2o0713 i don't know which other mark state $see_mark = $cgiparams{'SEE_MARK'}; # o1 & o2 are just reserved ..... print $see_mark; if ($see_mark eq "***" ) {$is_mark_all ="selected"} else {$is_mark_all =""}; if ($see_mark eq "[ASSURED]" ) {$is_mark_ass ="selected"} else {$is_mark_est =""}; if ($see_mark eq "[UNREPLIED]" ){$is_mark_unr ="selected"} else {$is_mark_unr =""}; if ($see_mark eq "[other2]" ) {$is_mark_o2 ="selected"} else {$is_mark_o2 =""}; $menu_mark = "<select name='SEE_MARK'><option value='***' $is_mark_all>***</option><option value='[ASSURED]' $is_mark_ass>ASSURED</option><option value='[UNREPLIED]' $is_mark_unr>UNREPLIED</option><option value='[Other2]' $is_mark_o2>Reserve2</option></select>"; my ($menu_client, $see_client, $is_select_client); $see_client = $cgiparams{'SEE_CLIENT'}; open (ARP_ACTIVE, "/proc/net/arp") or die 'Elari: Unable to open arp file.'; $menu_client = "<select name='SEE_CLIENT'>"; while (<ARP_ACTIVE>) { chomp($_); my @temp = split(' '); $is_select_client= "" ; if ($temp[0] eq 'IP') { if ($see_client eq "") {$is_select_client = "SELECTED";} $menu_client = $menu_client . "<option value='' $is_select_client>*.*.*.*</option>\n"; } else { if ($see_client eq $temp[0]) {$is_select_client = "SELECTED";} $menu_client = $menu_client . "<option value='$temp[0]' $is_select_client>$temp[0]</option>\n"; } } close(ARP_ACTIVE); $menu_client = $menu_client . "</select>"; #elari end &showhttpheaders(); &openpage($tr{'connections'}, 1, ''); &openbigbox('100%', 'left'); &openbox('100%', 'left', $tr{'connection tracking'} . " : " . $see_client . " : " . $see_proto . " - State: " . $see_state . " : " . $see_mark ); #elari we display select menu print <<END <table width='60%'> <tr><td align='center'><b>$tr{'legend'} : </b></td> <td align='center' bgcolor='$colourgreen'><b><font color='#FFFFFF'>$tr{'lan'}</font></b></td> <td align='center' bgcolor='$colourred'><b><font color='#FFFFFF'>$tr{'internet'}</font></b></td> <td align='center' bgcolor='$colourorange'><b><font color='#FFFFFF'>$tr{'dmz'}</font></b></td> <td align='center' bgcolor='$colourblue'><b><font color='#FFFFFF'>$tr{'wireless'}</font></b></td> <td align='center' bgcolor='$colourfw'><b><font color='#FFFFFF'>IPCop</font></b></td> <td align='center' bgcolor='$colourvpn'><b><font color='#FFFFFF'>$tr{'vpn'}</font></b></td> </tr> </table> <br /> <table width='60%'> <tr><td align='center'><b>$tr{'protocol'}</b></td> <td align='center'><b>$tr{'expires'}($tr{'seconds'})</b></td> <td align='center'><b>$tr{'connection'}$tr{'status'}</b></td> <td align='center'><b>$tr{'original'}$tr{'source ip and port'}</b></td> <td align='center'><b>$tr{'original'}$tr{'dest ip and port'}</b></td> <td align='center'><b>$tr{'expected'}$tr{'source ip and port'}</b></td> <td align='center'><b>$tr{'expected'}$tr{'dest ip and port'}</b></td> <td align='center'><b>$tr{'marked'}</b></td> <td align='center'><b>$tr{'use'}</b></td> </tr> <tr><td align='center'>$menu_form $menu_proto</td> <td align='center'></td> <td align='center'>$menu_state</td> <td align='center'>$menu_client</td> <td align='center'>$menu_dest</td> <td align='center'></td> <td align='center'></td> <td align='center'>$menu_mark</td> <td align='center'>$menu_form_submit $menu_form_end</td> </tr> END ; my $line; my $protocol; my $expires; my $connstatus; my $orgsip; my $orgdip; my $orgsp; my $orgdp; my $exsip; my $exdip; my $exsp; my $exdp; my $marked; my $use; my $orgsipcolour; my $orgdipcolour; my $exsipcolour; my $exdipcolour; foreach $line (@active) { chomp($line); my @temp = split(' ',$line); #print "11:" . $temp[11] . "12: " . $temp[12]; my ($thedest, $theclient, $theproto, $thestate, $themark); if ($temp[0] eq 'udp') { $theproto = $temp[0]; $thestate = "***"; $theclient = substr $temp[3], 4; $thedest = $temp[4]; # substr $temp[4], 4; $themark = $temp[11]; } if ($temp[0] eq 'tcp') { $theproto = $temp[0]; $thestate = $temp[3]; $theclient = substr $temp[4], 4; $thedest = $temp[5]; # substr $temp[5], 4; $themark = $temp[12]; } if ($temp[0] eq 'unknown') { $theproto = "***"; $thestate = "***"; $theclient = substr $temp[3], 4; $thedest = $temp[4]; # substr $temp[4], 4; $themark = $temp[11]; } if( (($see_proto eq "***") || ($theproto eq $see_proto ) ) && (($see_state eq "***") || ($thestate eq $see_state ) ) && (($see_mark eq "***") || ($themark eq $see_mark ) ) && (($see_client eq "") || ($theclient eq $see_client ) ) && (($see_dest eq "") || ($thedest =~ /$see_dest/ ) ) ) { print "<tr bgcolor='$table1colour'>\n"; if ($temp[0] eq 'udp') { my $offset = 0; $marked = ''; $protocol = $temp[0] . " (" . $temp[1] . ")"; $expires = $temp[2]; $connstatus = ' '; $orgsip = substr $temp[3], 4; $orgdip = substr $temp[4], 4; $orgsp = substr $temp[5], 6; $orgdp = substr $temp[6], 6; if ($temp[7] eq '[UNREPLIED]') { $marked = $temp[7]; $offset = 1; } else { $connstatus = ' '; } $exsip = substr $temp[7 + $offset], 4; $exdip = substr $temp[8 + $offset], 4; $exsp = substr $temp[9 + $offset], 6; $exdp = substr $temp[10 + $offset], 6; if ($marked eq '[UNREPLIED]') { $use = substr $temp[11 + $offset], 4; } else { $marked = $temp[11 + $offset]; $use = substr $marked, 0, 3; if ($use eq 'use' ) { $marked = ''; $use = substr $temp[11 + $offset], 4; } else { $use = substr $temp[12 + $offset], 4; } } } if ($temp[0] eq 'tcp') { my $offset = 0; $protocol = $temp[0] . " (" . $temp[1] . ")"; $expires = $temp[2]; $connstatus = $temp[3]; $orgsip = substr $temp[4], 4; $orgdip = substr $temp[5], 4; $orgsp = substr $temp[6], 6; $orgdp = substr $temp[7], 6; if ($temp[8] eq '[UNREPLIED]') { $marked = $temp[8]; $offset = 1; $use = substr $temp[13], 4; } else { $marked = $temp[12]; $use = substr $temp[13], 4; } $exsip = substr $temp[8 + $offset], 4; $exdip = substr $temp[9 + $offset], 4; $exsp = substr $temp[10 + $offset], 6; $exdp = substr $temp[11 + $offset], 6; } if ($temp[0] eq 'unknown') { my $offset = 0; $protocol = "??? (" . $temp[1] . ")"; $protocol = "esp (" . $temp[1] . ")" if ($temp[1] == 50); $protocol = " ah (" . $temp[1] . ")" if ($temp[1] == 51); $expires = $temp[2]; $connstatus = ' '; $orgsip = substr $temp[3], 4; $orgdip = substr $temp[4], 4; $orgsp = ' '; $orgdp = ' '; $exsip = substr $temp[5], 4; $exdip = substr $temp[6], 4; $exsp = ' '; $exdp = ' '; $marked = ' '; $use = ' '; } $orgsipcolour = ipcolour($orgsip); $orgdipcolour = ipcolour($orgdip); $exsipcolour = ipcolour($exsip); $exdipcolour = ipcolour($exdip); print <<END <td align='center'>$protocol</td> <td align='center'>$expires</td> <td align='center'>$connstatus</td> <td align='center' bgcolor='$orgsipcolour'><a href='/cgi-bin/ipinfo.cgi?ip=$orgsip'><font color='#FFFFFF'>$orgsip</font></a><font color='#FFFFFF'>:$orgsp</font></td> <td align='center' bgcolor='$orgdipcolour'><a href='/cgi-bin/ipinfo.cgi?ip=$orgdip'><font color='#FFFFFF'>$orgdip</font></a><font color='#FFFFFF'>:$orgdp</font></td> <td align='center' bgcolor='$exsipcolour'><a href='/cgi-bin/ipinfo.cgi?ip=$exsip'><font color='#FFFFFF'>$exsip</font></a><font color='#FFFFFF'>:$exsp</font></td> <td align='center' bgcolor='$exdipcolour'><a href='/cgi-bin/ipinfo.cgi?ip=$exdip'><font color='#FFFFFF'>$exdip</font></a><font color='#FFFFFF'>:$exdp</font></td> <td align='center'>$marked</td><td align='center'>$use</td> </tr> END ; } } print "</table>\n"; &closebox(); &closebigbox(); &closepage(); sub ipcolour($) { my $id = 0; my $line; my $colour = $colourred; my ($ip) = $_[0]; my $found = 0; foreach $line (@network) { if (!$found && ipv4_in_network( $network[$id] , $masklen[$id], $ip) ) { $found = 1; $colour = $colour[$id]; } $id++; } return $colour }

par **elarifr** » 12 Août 2004 22:50

Step 4

Modifier le fichier
proxylog.dat - version : proxylog.dat.2o0812-20h05.ok

dans /home/httpd/cgi-bin/logs.cgi/

Code: Tout sélectionner: #!/usr/bin/perl # # SmoothWall CGIs # # This code is distributed under the terms of the GPL # # (c) The SmoothWall Team # # $Id: proxylog.dat,v 1.4.2.3 2004/04/17 16:23:03 eoberlander Exp $ # require '/var/ipcop/header.pl'; my %cgiparams; my %logsettings; my %ips; my %save; my %selected; my %checked; my @log; my @shortmonths = ( 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec' ); my @longmonths = ( $tr{'january'}, $tr{'february'}, $tr{'march'}, $tr{'april'}, $tr{'may'}, $tr{'june'}, $tr{'july'}, $tr{'august'}, $tr{'september'}, $tr{'october'}, $tr{'november'}, $tr{'december'} ); my @now = localtime(); my $dow = $now[6]; my $doy = $now[7]; my $tdoy = $now[7]; my $year = $now[5]+1900; $cgiparams{'DAY'} = $now[3]; $cgiparams{'MONTH'} = $now[4]; $cgiparams{'SOURCE_IP'} = 'ALL'; $cgiparams{'FILTER'} = "[.](gif|jpeg|jpg|png|css|js)\$"; $cgiparams{'ENABLE_FILTER'} = 'off'; $cgiparams{'ACTION'} = ''; #Elari #$cgiparams{'ENABLE_FILTERTRUST'} = 'off'; $cgiparams{'DOMAINTRUSTLEVEL'} = '3'; $tr{'edithoststrusted'} = "Edit Trusted Hosts"; $tr{'enable hosts trusted'} = "Enable Filter Trusted Hosts"; #following translation are same as in hoststrusted.cgi and must be moved to language file $tr{'host trust level'} = "Trust level"; $tr{'host trust level0'} = "Not applied"; $tr{'host trust level1'} = "Lowest"; $tr{'host trust level2'} = "Low"; $tr{'host trust level3'} = "Medium"; $tr{'host trust level4'} = "High"; $tr{'host trust level5'} = "Highest"; my %hoststrustedhash; #&readhash("${swroot}/main/hoststrusted", \%hoststrustedhash); &readhash("//etc/hoststrusted", \%hoststrustedhash); #print $hoststrustedhash{'1'}; #print $hoststrustedhash{'2'}; #print $hoststrustedhash{'3'}; #print $hoststrustedhash{'4'}; #print $hoststrustedhash{'5'}; #finally using write & readhash is easiest :) #my $id = 1; #while ($id <= 5 ) { # my $filetrust = "//etc/hoststrusted$id"; # open(FILE, "$filetrust") or die 'Unable to open config file.'; # my @hoststrusted = <FILE>; # print @hoststrusted; # close(FILE); # $id++; #} #Elari &getcgihash(\%cgiparams); $logsettings{'LOGVIEW_REVERSE'} = 'off'; &readhash("${swroot}/logging/settings", \%logsettings); if ($cgiparams{'ACTION'} eq '') { $cgiparams{'ENABLE_FILTER'} = 'on'; } if ($cgiparams{'ACTION'} eq $tr{'restore defaults'}) { $cgiparams{'FILTER'} = "[.](gif|jpeg|jpg|png|css|js)\$"; $cgiparams{'ENABLE_FILTER'} = 'off'; } $save{'FILTER'} = $cgiparams{'FILTER'}; $save{'ENABLE_FILTER'} = $cgiparams{'ENABLE_FILTER'}; &writehash("${swroot}/proxy/viewersettings", \%save); &readhash("${swroot}/proxy/viewersettings", \%save); my $start = -1; if ($ENV{'QUERY_STRING'} && $cgiparams{'ACTION'} ne $tr{'update'}) { my @temp = split(',',$ENV{'QUERY_STRING'}); $start = $temp[0]; $cgiparams{'MONTH'} = $temp[1]; $cgiparams{'DAY'} = $temp[2]; $cgiparams{'SOURCE_IP'} = $temp[3]; } if (!($cgiparams{'MONTH'} =~ /^(0|1|2|3|4|5|6|7|8|9|10|11)$/) || !($cgiparams{'DAY'} =~ /^(1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31)$/)) { $cgiparams{'DAY'} = $now[3]; $cgiparams{'MONTH'} = $now[4]; } elsif($cgiparams{'ACTION'} eq '>>') { my @temp_then; my @temp_now = localtime(time); $temp_now[4] = $cgiparams{'MONTH'}; $temp_now[3] = $cgiparams{'DAY'}; @temp_then = localtime(POSIX::mktime(@temp_now) + 86400); ## Retrieve the same time on the next day - ## 86400 seconds in a day $cgiparams{'MONTH'} = $temp_then[4]; $cgiparams{'DAY'} = $temp_then[3]; } elsif($cgiparams{'ACTION'} eq '<<') { my @temp_then; my @temp_now = localtime(time); $temp_now[4] = $cgiparams{'MONTH'}; $temp_now[3] = $cgiparams{'DAY'}; @temp_then = localtime(POSIX::mktime(@temp_now) - 86400); ## Retrieve the same time on the previous day - ## 86400 seconds in a day $cgiparams{'MONTH'} = $temp_then[4]; $cgiparams{'DAY'} = $temp_then[3]; } if (($cgiparams{'DAY'} ne $now[3]) || ($cgiparams{'MONTH'} ne $now[4])) { my @then = (); if ( ( $cgiparams{'MONTH'} eq $now[4]) && ($cgiparams{'DAY'} > $now[3]) || ( $cgiparams{'MONTH'} > $now[4] ) ) { @then = localtime(POSIX::mktime( 0, 0, 0, $cgiparams{'DAY'}, $cgiparams{'MONTH'}, $year - 1901 )); } else { @then = localtime(POSIX::mktime( 0, 0, 0, $cgiparams{'DAY'}, $cgiparams{'MONTH'}, $year - 1900 )); } $tdoy = $then[7]; my $lastleap=($year-1)%4; if ($tdoy>$doy) { if ($lastleap == 0 && $tdoy < 60) { $doy=$tdoy+366; } else { $doy=$doy+365; } } } my $datediff=0; my $dowd=0; my $multifile=0; if ($tdoy ne $doy) { $datediff=int(($doy-$tdoy)/7); $dowd=($doy-$tdoy)%7; if (($dow-$dowd)<1) { $datediff=$datediff+1; } if (($dow-$dowd)==0) { $multifile=1; } } ###my $monthstr = $shortmonths[$cgiparams{'MONTH'}]; my $longmonthstr = $longmonths[$cgiparams{'MONTH'}]; my $month = (($cgiparams{'MONTH'}) + 1); my $monthstr; if ($month <= 9) { $monthstr = " $month"; } else { $monthstr = $month; } if ($monthstr < 10) { $monthstr++; $monthstr--; $monthstr="0$monthstr"; } my $day = $cgiparams{'DAY'}; my $daystr; if ($day <= 9) { $daystr = " $day"; } else { $daystr = $day; } if ($daystr < 10) { $daystr++; $daystr--; $daystr="0$daystr"; } my $search_date = "$daystr/$monthstr"; my $lines = 0; my $linestotal = 0; my $filter; if ($cgiparams{'ENABLE_FILTER'} eq 'on') { $filter = $cgiparams{'FILTER'}; } else { $filter = ''; } my $sourceip = $cgiparams{'SOURCE_IP'}; my $sourceall; if ($cgiparams{'SOURCE_IP'} eq 'ALL') { $sourceall = 1; } else { $sourceall = 0; } #elari we define trusted hash depend on selected level my $trustedfilter= ''; my $levelid = 1; while ( $levelid <= 5 ) { if ($levelid >= $cgiparams{'DOMAINTRUSTLEVEL'}) { $trustedfilter .= $hoststrustedhash{"$levelid"};} $levelid++; } #we need to remove the last | in the filter to avoid to filter everything $trustedfilter =~ s/\|$//; #elari my $thiscode = '$temp =~ /$filter/;'; eval($thiscode); if ($@ ne '') { $errormessage = "$tr{'bad ignore filter'}.$@<P>"; $filter = ''; } else { my $skip=0; my $filestr; if ($datediff==0) { $filestr="/var/log/squid/access.log"; } else { $filestr="/var/log/squid/access.log.$datediff"; $filestr = "$filestr.gz" if -f "$filestr.gz"; } if (!(open (FILE,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) { $errormessage="$errormessage$tr{'date not in logs'}: $filestr $tr{'could not be opened'}<P>"; $skip=1; } if (!$skip) { while (<FILE>) { my ($datetime,$do,$ip,$ray,$me,$far,$url,$so) = split; my ($SECdt, $MINdt, $HOURdt, $DAYdt, $MONTHdt, $YEARdt) = localtime($datetime); $HOURdt = zeropad($HOURdt,2); $MINdt = zeropad($MINdt,2); $SECdt = zeropad($SECdt,2); $DAYdt = zeropad($DAYdt,2); $MONTHdt = zeropad($MONTHdt + 1,2); $YEARdt = $YEARdt + 1900; if (! $ips{$ip}) { $ips{$ip} = 1; } else { $ips{$ip}++; } $date_to_match = "$DAYdt/$MONTHdt"; if (($date_to_match =~ m|$search_date|) && !($url =~ /$filter/) && !($url =~ m/$trustedfilter/i) && ((($ip eq $sourceip) || $sourceall))) { my ($header,$urlsnip,$data)=split('/+',$url); $log[$lines] = "$HOURdt:$MINdt:$SECdt $ip $url"; $lines++; $linestotal++; } else { $linestotal++; } } close (FILE); } $skip=0; if ($multifile) { $datediff=$datediff-1; if ($datediff==0) { $filestr="/var/log/squid/access.log"; } else { $filestr="/var/log/squid/access.log.$datediff"; $filestr = "$filestr.gz" if -f "$filestr.gz"; } if (!(open (FILE,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) { $errormessage="$errormessage$tr{'date not in logs'}: $filestr $tr{'could not be opened'}"; $skip=1; } if (!$skip) { while (<FILE>) { my ($datetime,$do,$ip,$ray,$me,$far,$url,$so) = split; my ($SECdt, $MINdt, $HOURdt, $DAYdt, $MONTHdt, $YEARdt) = localtime($datetime); $HOURdt = zeropad($HOURdt,2); $MINdt = zeropad($MINdt,2); $SECdt = zeropad($SECdt,2); $DAYdt = zeropad($DAYdt,2); $MONTHdt = zeropad($MONTHdt + 1,2); $YEARdt = $YEARdt + 1900; print "$HOURdt:$MINdt:$SECdt $DAYdt/$MONTHdt/$YEARdt GMT\n"; if (! $ips{$ip}) { $ips{$ip} = 1; } else { $ips{$ip}++; } $date_to_match = "$DAYdt/$MONTHdt"; if (($date_to_match =~ m|$search_date|) && !($url =~ /$filter/) && ((($ip eq $sourceip) || $sourceall))) { my ($header,$urlsnip,$data)=split('/+',$url); $log[$lines] = "$HOURdt:$MINdt:$SECdt $ip $url"; $lines++; } } close (FILE); } } } if ($cgiparams{'ACTION'} eq $tr{'export'}) { print "Content-type: text/plain\n\n"; print "IPCop proxy log\r\n"; print "Date: $cgiparams{'DAY'} $longmonths[$cgiparams{'MONTH'}]\r\n"; print "Source IP: $cgiparams{'SOURCE_IP'}\r\n"; if ($cgiparams{'ENABLE_FILTER'} eq 'on') { print "Ignore filter: $cgiparams{'FILTER'}\r\n"; } print "\r\n"; if ($logsettings{'LOGVIEW_REVERSE'} eq 'on') { @log = reverse @log; } foreach $_ (@log) { print "$_\n"; } exit; } $selected{'SOURCE_IP'}{$cgiparams{'SOURCE_IP'}} = "selected='selected'"; $checked{'ENABLE_FILTER'}{'off'} = ''; $checked{'ENABLE_FILTER'}{'on'} = ''; $checked{'ENABLE_FILTER'}{$cgiparams{'ENABLE_FILTER'}} = "checked='checked'"; $selected{'DOMAINTRUSTLEVEL'}{$cgiparams{'DOMAINTRUSTLEVEL'}} = "selected='selected'"; &showhttpheaders(); &openpage($tr{'proxy log viewer'}, 1, ''); &openbigbox('100%', 'left'); if ($errormessage) { &openbox('100%', 'left', $tr{'error messages'}); print "<font class='base'>$errormessage </font>\n"; &closebox(); } &openbox('100%', 'left', "$tr{'settings'}:"); #print "Filter Hosts : "; #print $hoststrustedhash{'1'}; #print $hoststrustedhash{'2'}; #print $hoststrustedhash{'3'}; #print $hoststrustedhash{'4'}; #print $hoststrustedhash{'5'}; #print $trustedfilter ; print <<END <form method='post' action='$ENV{'SCRIPT_NAME'}'> <table width='100%'> <tr> <td width='10%' class='base'>$tr{'month'}</td> <td width='20%'> <select name='MONTH'> END ; for ($month = 0; $month < 12; $month++) { print "\t<option "; if ($month == $cgiparams{'MONTH'}) { print "selected='selected' "; } print "value='$month'>$longmonths[$month]</option>\n"; } print <<END </select> </td> <td width='10%' class='base'>$tr{'day'}:</td> <td width='10%'> <select name='DAY'> END ; for ($day = 1; $day <= 31; $day++) { print "\t<option "; if ($day == $cgiparams{'DAY'}) { print "selected='selected' "; } print "value='$day'>$day</option>\n"; } print <<END </select> </td> <td width='5%' align='center'><input type='submit' name='ACTION' title='$tr{'day before'}' value='<<' /></td> <td width='5%' align='center'><input type='submit' name='ACTION' title='$tr{'day after'}' value='>>' /></td> <td width='25%' class='base'>$tr{'source ip'}:</td> <td width='15%'> <select name='SOURCE_IP'> <option value='ALL' $selected{'SOURCE_IP'}{'ALL'}>$tr{'caps all'}</option> END ; my $ip; foreach $ip (keys %ips) { print "<option value='$ip' $selected{'SOURCE_IP'}{$ip}>$ip</option>\n"; } print <<END </select> </td> </tr> <tr> <td class='base'>$tr{'ignore filter'}:</td> <td colspan='5'><input type='text' name='FILTER' value='$cgiparams{'FILTER'}' size='40' /></td> <td class='base'>$tr{'enable ignore filter'}:</td> <td><input type='checkbox' name='ENABLE_FILTER' value='on' $checked{'ENABLE_FILTER'}{'on'} /></td> </tr> </table> <div align='center'> <table width='80%'> <tr> <td class='base'>$tr{'host trust level'}: <select name='DOMAINTRUSTLEVEL'> END ; my $trustlevel = 0; while ($trustlevel <= 5 ) { print "<option value='$trustlevel' $selected{'DOMAINTRUSTLEVEL'}{$trustlevel}>$tr{'host trust level' . $trustlevel}</option>\n"; $trustlevel ++; } print <<END </select> </td> <td align='center'><input type='submit' name='ACTION' value='$tr{'restore defaults'}' /></td> <td align='center'><input type='submit' name='ACTION' value='$tr{'update'}' /></td> <td align='center'><input type='submit' name='ACTION' value='$tr{'export'}' /></td> </tr> </table> </div> </form> END ; &closebox(); &openbox('100%', 'left', $tr{'log'}); if ($start == -1) { $start = $lines - $viewsize; } if ($start >= $lines - $viewsize) { $start = $lines - $viewsize; }; if ($start < 0) { $start = 0; } my $prev = $start - $viewsize; my $next = $start + $viewsize; if ($prev < 0) { $prev = 0; } if ($next >= $lines) { $next = -1 } if ($start == 0) { $prev = -1; } my @slice = splice(@log, $start, $viewsize); if ($logsettings{'LOGVIEW_REVERSE'} eq 'on') { @slice = reverse @slice; } print "<p><b>$tr{'web hits'} $longmonthstr $daystr: $lines</b> (total : $linestotal)</p>"; if ($lines != 0) { &oldernewer(); } print <<END <table width='100%'> <tr> <td width='10%' align='center' class='boldbase'><b>$tr{'time'}</b></td> <td width='15%' align='center' class='boldbase'><b>$tr{'source ip'}</b></td> <td width='75%' align='center' class='boldbase'><b>$tr{'website'}</b></td> </tr> END ; $lines = 0; foreach $_ (@slice) { if ($lines % 2) { print "<tr bgcolor='$table1colour'>\n"; } else { print "<tr bgcolor='$table2colour'>\n"; } my ($time,$ip,$url) = split; $url =~ /(^.{0,60})/; my $part = $1; unless (length($part) < 60) { $part = "${part}..."; } print <<END <td align='center'>$time</td> <td align='center'>$ip</td> <td align='left'><a href='$url' title='$url' target='_new'>$part</a></td> <td align='right' width='10%' class='boldbase'><form method='post' action='/cgi-bin/hoststrusted.cgi'> <input type='image' name='$tr{'edit'}' src='/images/edit.gif' alt='$tr{'edit'}' title='$tr{'edit'}' /> <input type='hidden' name='DOMAINNAME' value='$part' /><input type='hidden' name='DOMAININFO' value='$part . " " . $ip . " " . $time' /> </form></td> </tr> END ; $lines++; } print "</table>"; &oldernewer(); &closebox(); &closebigbox(); &closepage(); sub zeropad($$) { my $NUM = shift; my $LEN = shift; return $NUM if ($LEN < length($NUM)); my $PAD = $LEN - length($NUM); return $NUM if ($PAD == 0); my $i; my $OUT = ''; for ($i = 1; $i <= $PAD; $i++) { $OUT = "0$OUT"; } undef $i; $OUT = "$OUT$NUM"; return $OUT; } sub oldernewer { print <<END <table width='100%'> <tr> END ; print "<td align='center' width='50%'>"; if ($prev != -1) { print "<a href='/cgi-bin/logs.cgi/proxylog.dat?$prev,$cgiparams{'MONTH'},$cgiparams{'DAY'},$cgiparams{'SOURCE_IP'}'>$tr{'older'}</a>"; } else { print "$tr{'older'}"; } print "</td>\n"; print "<td align='center' width='50%'>"; if ($next != -1) { print "<a href='/cgi-bin/logs.cgi/proxylog.dat?$next,$cgiparams{'MONTH'},$cgiparams{'DAY'},$cgiparams{'SOURCE_IP'}'>$tr{'newer'}</a>"; } else { print "$tr{'newer'}"; } print "</td>\n"; print <<END </tr> </table> END ; }

par **elarifr** » 12 Août 2004 22:55

les fichiers sont en principe dispo et mis a jour sur

http://elari.free.fr/ipcop/hoststrusted/

elari

par **elarifr** » 15 Nov 2004 10:19

suite à un pbr rencontré par elcasa dans le thread viewtopic.php?p=159513#159513

Code: Tout sélectionner: Copier collé de tes données Ne pas oublier de faire fonctionner Ipcop en Proxy Mandataire...... Sans cela le menu Journaux du serveur mandataire n'apparait pas. Par contre il me reste un souci, quand je veux consulter ce journal j'ai le résultat suivant: Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log. Donc je suppose que j'ai du oblier quelque chose, mais je ne sais pas ou

par **elarifr** » 15 Nov 2004 10:30

salut elcasa

j'ai regarde rapidement et j'ai le même message d'erreur si je renomme le fichier du step2 :

Step 2

Creer dans //etc/ un fichier

hoststrusted <----- verifie bien le nom du fichier; pas d'espaces....

Code:
4=ixus.net|ipcop.org| <------ verifie le contenu :
il n'y a pas d'espace à la fin, ne pas oublier le dernier | non plus

je ne peux te garantir que ton pbr soit à ce niveau, mais c'est à 100% un pbr d'un nom de fichier mal place / orthografie

en effet les erreurs ne sont pas visibles dans le journal systeme mais dans un fichier log qu'il faut pecher en direct avec winscp;

a voir dans /var/log/httpd/error_log tu devrais trouver un truc du genre

Code: Tout sélectionner: Unable to read file //etc/hoststrusted at /var/ipcop/header.pl line 484. [Mon Nov 15 09:43:35 2004] [error] [client 192.168.12.101] Premature end of script headers: /home/httpd/cgi-bin/logs.cgi/proxylog.dat

ce qui devrais te permettre de voir d'ou vient le probleme

par **elcasa** » 15 Nov 2004 22:21

Bonjour Elarifr

Merci pour le coup de main
c'est vrai que je me suis un peu perdu dans mes demandes,et je ne suis pas allé voir là où tu m'as fait la réponse.

Bon dés demain je vérifie mes écritures de fichiers et te confirme dés que je trouve l'erreur.

@ bientot

Elcasa

par **elarifr** » 17 Nov 2004 22:43

pas de soucis elcasa

j'attend de tes nouvelles

PS / j'utilise encore un IPCOP 1.4 b7
je m'occuppe de passer a jour courant de semaine prochaine si je trouve une journée de dispo...

par **elcasa** » 18 Nov 2004 19:22

Bonjour Elarifr

J'ai donc vérifié mon Log là ou tu me l'as conseillé

J'y trouve ceci:

[Sun Nov 14 00:01:04 2004] [notice] Apache configured -- resuming normal operations
[Sun Nov 14 00:01:04 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
Can't find string terminator "END" anywhere before EOF at /home/httpd/cgi-bin/logs.cgi/proxylog.dat line 371.
[Mon Nov 15 07:29:59 2004] [error] [client xxx.0.22] Premature end of script headers: /home/httpd/cgi-bin/logs.cgi/proxylog.dat
Can't find string terminator "END" anywhere before EOF at /home/httpd/cgi-bin/logs.cgi/proxylog.dat line 371.
[Tue Nov 16 16:35:26 2004] [error] [client xxx.0.22] Premature end of script headers: /home/httpd/cgi-bin/logs.cgi/proxylog.dat
Can't find string terminator "END" anywhere before EOF at /home/httpd/cgi-bin/logs.cgi/proxylog.dat line 371.
[Tue Nov 16 16:35:34 2004] [error] [client xxx.0.22] Premature end of script headers: /home/httpd/cgi-bin/logs.cgi/proxylog.dat
Can't find string terminator "END" anywhere before EOF at /home/httpd/cgi-bin/logs.cgi/proxylog.dat line 371.
[Thu Nov 18 18:09:45 2004] [error] [client xxx.0.22] Premature end of script headers: /home/httpd/cgi-bin/logs.cgi/proxylog.dat

Aujourdh'ui à la date du 18, j'ai essayé de modifier ton script dés la ligne 371 aprés End le ; était à la ligne suivante, et je l'ai remonté à la suite de End, mais ce n'est pas cela ....
Qu'en penses tu ???

Merci

par **elarifr** » 23 Nov 2004 22:03

as tu lu et relu la ligne 371 ?

a priori ca doit être

#print $trustedfilter ;

print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='100%'>
<tr>
<td width='10%' class='base'>$tr{'month'}</td>
<td width='20%'>
<select name='MONTH'>
END
;

je pense que tu dois avoir un espace qui traine quelque part....?
ou au niveau du END ligne 378 puisque tes messages d'erreur semblent dire qu'il ne trouve pas le END de la ligne 378 avant la fin du fichier.... ca peut être aussi un pbr de { ( mal fermées....
quel editeur de texte utilises tu ? prend en un qui fait une coloration syntaxique pour y voir plus clair
(j'utilise Context et Script Edit qui sont free)
je ne suis pas moi même assez specialiste de perl pour te repondre

bonne chance

par **elcasa** » 02 Déc 2004 18:08

Bonjour Elarifr

J'ai en vain essayé de voir d'où pouvait venir l'erreur.

Ne pourrais tu pas me faire une copie de ton script pour que je le compare.

En fait moi je n'ai fait déjà, qu'un copié collé de celui que tu avais proposé....

Je veux bien refaire la meme manip avec clui que tu utilises....

Merci

par **elarifr** » 06 Déc 2004 15:05

salut elcasa

je t'ai envoyé le code de la version qui tourne sur mon ipcop. tiens moi au courant que je mette a jour le thread si ca resoud ton pbr ?????

concernant la faille relevé pour proxylog.dat sur ipcop 1.4.1 ou .2 je n'ai pas encore pu voir si les modifs a apporter necessitent une modif de ma part ?

si qqun à fait la maj de la faille et utilise le script merci de m'en faire part

elari

par **elcasa** » 14 Jan 2005 08:55

Bonjour Elarifr

Je ne t'avais pas oublié.

Aprés divers vains essais sur le script, j'ai effectué une mise à jour d'ipcop.

Je suis donc passé sur la version 1.4.2 et là mon journal fonctionne à merveille....

Donc fin de cet incident. Je vais continuer d'aprofondir.

Merci encore et à bientot...

filtrage des logs proxy : expurger les hotes surs ou connus

filtrage des logs proxy : expurger les hotes surs ou connus

Analyse des logs

Erreur du log

Encore de l'aide

proxylog faille secu....?

Enfin la solution

Qui est en ligne ?