+ }
+ }
+
+}
+
+/*
+ * Update a single statistic for some object.
+ * If it does not yet exist, it will be created.
+ */
+
+function UpdateStatistic($objectid, $name, $value)
+{
+ global $dbms;
+
+ $result = $dbms->query("SELECT objectid FROM object_statistics WHERE
+ objectid='$objectid' AND statname='$name'");
+ if ($dbms->num_rows() == 0)
+ {
+ $dbms->query("INSERT INTO object_statistics VALUES
+ ('$objectid', '$name', '$value')");
+ }
+ else
+ {
+ $dbms->query("UPDATE object_statistics SET statvalue='$value' WHERE
+ statname='$name' AND objectid='$objectid'");
+ }
+}
+
+/*
+ * Gather the statistics for a single object ($objectid).
+ * We count the number of parameters, removed parameters, notifications
+ * closed notifications and log entries. The totals of these are
+ * maintained in a separate table: object_statistics.
+ */
+
+function GatherStatistics($objectid)
+{
+ global $dbms;
+
+ // Gather statistics on parameters
+
+ $r = $dbms->query("SELECT paramid FROM parameter WHERE objectid=CAST('"
+ . $objectid . "' AS BIGINT)");
+ $nr_parameters = $dbms->num_rows($r);
+
+ $removed_parameters = 0;
+ for ($p = 0; $p < $nr_parameters; $p++)
+ {
+ $param = pg_fetch_object($r, $p);
+ $qry ="select change_nature from history where paramid= CAST('";
+ $qry .= $param->paramid . "' AS BIGINT) order by modified desc";
+ $rhist = $dbms->query($qry);
+ if ($dbms->num_rows($rhist) == 0)
+ {
+ echo "ERROR: No history for parameter id " . $param->paramid . "\n";
+ }
+ else
+ {
+ $hist = $dbms->fetch_object($rhist, 0);
+ if ($hist->change_nature == "REMOVED")
+ {
+ $removed_parameters++;
+ }
+ }
+ }
+
+ UpdateStatistic($objectid, 'parameters', $nr_parameters);
+ UpdateStatistic($objectid, 'removed_parameters', $removed_parameters);
+
+ // Gather statistics on notifications
+
+ $r = $dbms->query("SELECT count(notificationid) FROM notification WHERE
+ objectid = CAST('" . $objectid . "' AS BIGINT)");
+ $cnt = $dbms->fetch_object($r, 0);
+ UpdateStatistic($objectid, 'notifications', $cnt->count);
+
+ $r = $dbms->query("SELECT count(notificationid) FROM notification WHERE
+ objectid = CAST('" . $objectid . "' AS BIGINT) AND statuscode ='cls'");
+ $cnt = $dbms->fetch_object($r, 0);
+ UpdateStatistic($objectid, 'closed_notifications', $cnt->count);
+
+ // Gather statistics on log entries
+
+ $r = $dbms->query("SELECT count(logid) FROM log WHERE
+ objectid = CAST('" . $objectid . "' AS BIGINT)");
+ $cnt = $dbms->fetch_object($r, 0);
+ UpdateStatistic($objectid, 'logs', $cnt->count);
+}
+
+function match_log_patterns($logstart)
+{
+ global $dbms;
+
+ $notifications = array();
+
+ $log_limit = $logstart + BATCHSIZE;
+ $noqueue_res = $dbms->query("select logid, objectid, servicecode, rawdata from log
+ where logid > $logstart and logid <= $log_limit
+ order by logid");
+ for ($row = 0; $row < $dbms->num_rows($noqueue_res); $row++)
+ {
+ $logentry = $dbms->fetch_object($noqueue_res, $row);
+ //echo "\n----------\n" . $logentry->rawdata . "\n----------\n";
+ $service = $logentry->servicecode;
+ $pattern_res = $dbms->query("select * from service_pattern where service='$service'
+ OR service='ANY' order by rank");
+
+ $match_found = false;
+ for ($patnr = 0; !$match_found && $patnr < $dbms->num_rows($pattern_res); $patnr++)
+ {
+ $srv_pat = $dbms->fetch_object($pattern_res, $patnr);
+ //echo " Checking with pattern " . $srv_pat->pattern . "\n";
+ if (ereg($srv_pat->pattern, $logentry->rawdata, $matches))
+ {
+ // Scan the argument for '$n' expressions and expand
+
+ $srv_pat->argument = expand_arguments($srv_pat->argument, $matches);
+ //echo " " . $srv_pat->pattern . " matches.\n";
+ //echo " Matched string: " . $matches[0] . "\n";
+ //echo " Action = " . $srv_pat->action . "(" . $srv_pat->argument . ")\n\n";
+ $match_found = true;
+
+ switch ($srv_pat->action)
+ {
+ case "ignore":
+ break;
+
+ case "notify":
+ $notif = $srv_pat->argument;
+ if (!isset($notifications[$logentry->objectid][$notif]))
+ {
+ //echo "Creating notification $notif for object " . $logentry->objectid . ".\n";
+ $remark = "Notification generated from Gnucomo pattern match.";
+ $notifications[$logentry->objectid][$notif] =
+ $dbms->new_notification($logentry->objectid, $notif, $remark);
+ }
+ if (isset($notifications[$logentry->objectid][$notif]))
+ {
+ //echo "Notification $notif for object " . $logentry->objectid . " already created.\n";
+ $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
+ $insertion .= $notifications[$logentry->objectid][$notif] . "', '";
+ $insertion .= $logentry->logid . "')";
+ $dbms->query($insertion);
+ }
+ break;
+
+ case "abuse":
+ //echo "Recording abuse for address ", $srv_pat->argument, "\n Log entry:\n ";
+ //echo $logentry->rawdata, "\n Pattern:\n ", $srv_pat->pattern, "\n\n";
+
+ if (record_abuse($logentry->logid, $logentry->objectid, $srv_pat->argument, 1) >= 32)
+ {
+ $source_ip = gethostbyname($srv_pat->argument);
+ $notif = 'abuses exceeded';
+ if (!isset($notifications[$logentry->objectid][$notif][$source_ip]))
+ {
+ echo "Creating notification $notif for object " . $logentry->objectid . ".\n";
+ $remark = "Abuses from IP address $source_ip exceeded the limit.";
+ $notifid = $dbms->new_notification($logentry->objectid, $notif, $remark);
+ $notifications[$logentry->objectid][$notif][$source_ip] = $notifid;
+
+ // Add log entries from previously detected abuses
+
+ echo " Add log entries from previously detected abuses\n";
+ $abuses = $dbms->query("SELECT logid FROM log_abuse WHERE objectid = '" .
+ $logentry->objectid . "' AND source = '$source_ip'");
+ for ($abusenr = 0; $abusenr < $dbms->num_rows($abuses); $abusenr++)
+ {
+ $log_abuse = $dbms->fetch_object($abuses, $abusenr);
+ if ($log_abuse->logid != $logentry->logid)
+ {
+ $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
+ $insertion .= $notifid . "', '";
+ $insertion .= $log_abuse->logid . "')";
+ $dbms->query($insertion);
+ }
+ }
+ }
+ if (isset($notifications[$logentry->objectid][$notif][$source_ip]))
+ {
+ //echo "Notification $notif for object " . $logentry->objectid . " already created.\n";
+ $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
+ $insertion .= $notifications[$logentry->objectid][$notif][$source_ip] . "', '";
+ $insertion .= $logentry->logid . "')";
+ $dbms->query($insertion);
+ }
+ }
+ break;
+ case "forgive":
+ record_abuse($logentry->logid, $logentry->objectid, $srv_pat->argument, -4);
+ break;
+ default:
+ echo "Error: unrecognized action in service pattern: " . $srv_pat->action . "\n";
+ break;
+ }
+ }
+ else
+ {
+ // echo " " . $srv_pat->pattern . " does not match.\n";
+ }
+ }
+
+ }
+}
+
+/*
+ * Some IP address abused us. Record the event.
+ * Return the number of abuse points recorded so far for the address
+ */
+
+function record_abuse($logid, $objectid, $sourceip, $points)
+{
+ global $dbms;
+
+ $abuse_points = $points;
+
+ $ipaddress = gethostbyname($sourceip);
+ //echo " IP address for $sourceip is $ipaddress.\n";
+ $sourceip = $ipaddress;
+
+ $abres = $dbms->query("SELECT * FROM object_abuse WHERE objectid='$objectid' AND source='$sourceip'");
+
+ if (pg_numrows($abres) == 0 && $points > 0)
+ {
+ //echo "$sourceip is new.\n";
+ $dbms->query("INSERT INTO object_abuse VALUES ('$objectid', '$sourceip', '$points', '', NOW())");
+ $dbms->query("INSERT INTO log_abuse VALUES ('$logid', '$objectid', '$sourceip')");
+ }
+ else if (pg_numrows($abres) != 0)
+ {
+ $abuse = $dbms->fetch_object($abres, 0);
+ if ($abuse->status == '' || $abuse->status == 'dropped')
+ {
+ $abuse_points = $abuse->nr_abuses + $points;
+ if ($abuse_points < 0)
+ {
+ $abuse_points = 0;
+ }
+ //echo $sourceip . " will get " . $abuse_points . " abuse points, ";
+ //echo "Status was " . $abuse->status . "\n";
+ $dbms->query("UPDATE object_abuse SET nr_abuses='$abuse_points'" .
+ ", last_change=NOW() WHERE objectid='$objectid' AND source='$sourceip'");
+
+ if ($points > 0)
+ {
+ $dbms->query("INSERT INTO log_abuse VALUES ('$logid', '$objectid', '$sourceip')");
+ }
+ if ($abuse_points >= 32)
+ {
+ //echo " BLOCK IP adrress $sourceip on the firewall.\n";
+ $dbms->query("UPDATE object_abuse SET status='dropped'" .
+ " WHERE objectid='$objectid' AND source='$sourceip'");
+ }
+ }
+ }
+
+ return $abuse_points;
+}
+
+
+/*
+ * Service_check - Check the log entries if there are any unknown
+ * services.
+ */
+
+function service_check()
+{
+ global $dbms;
+
+ $unknown_notification = array();
+ $unused_notification = array();
+ $last_log = 0;
+
+ // How far did we get last time ?
+
+ $lastlogres = $dbms->query("SELECT setting_value FROM db_value
+ WHERE setting = 'log_servicecheck'");
+
+ if ($dbms->num_rows($lastlogres) == 1)
+ {
+ $last_log = $dbms->Field($lastlogres, 0, 'setting_value');
+ }
+ else
+ {
+ $dbms->query("INSERT INTO db_value (setting, setting_value)
+ VALUES ('log_servicecheck', '0')");