+// Check for spam and other abuses in the log_adv tables.
+
+function abuse_check($logstart)
+{
+return; // This function is obsolete
+ global $dbms;
+
+ // notification: 'abuses exceeded'.
+
+ $noqueue_res = $dbms->query("select logid, source_ip from log_adv_daemon_email
+ where event='NOQUEUE' and logid > " . $logstart);
+ echo "NOQUEUE abuses:\n\n";
+ for ($row = 0; $row < $dbms->num_rows($noqueue_res); $row++)
+ {
+ $noqueue = $dbms->fetch_object($noqueue_res, $row);
+ if ($noqueue->source_ip != '')
+ {
+ $obj = $dbms->fetch_object(
+ $dbms->query("SELECT objectid FROM log WHERE logid = '" . $noqueue->logid . "'"),0);
+ record_abuse(0, $obj->objectid, $noqueue->source_ip, 2);
+
+ // TODO: Create notification
+ }
+ }
+ $dbms->Free($noqueue_res);
+
+ $noqueue_res = $dbms->query("select logid, source_ip, relay from log_adv_daemon_email
+ where event='SPAM' and logid > " . $logstart);
+ echo "SPAM abuses:\n\n";
+ for ($row = 0; $row < $dbms->num_rows($noqueue_res); $row++)
+ {
+ $noqueue = $dbms->fetch_object($noqueue_res, $row);
+ $source = $noqueue->source_ip;
+ if ($source == '')
+ {
+ $source = $noqueue->relay;
+ }
+ if ($source != '')
+ {
+ $obj = $dbms->fetch_object(
+ $dbms->query("SELECT objectid FROM log WHERE logid = '" . $noqueue->logid . "'"),0);
+ record_abuse(0, $obj->objectid, $source, 1);
+
+ // TODO: Create notification
+ }
+ }
+ $dbms->Free($noqueue_res);
+
+ echo "HTTP abuses:\n\n";
+ $abuse_res = $dbms->query("select logid, objectid, rawdata from log
+ where servicecode='httpd' and logid > " . $logstart);
+ for ($row = 0; $row < $dbms->num_rows($abuse_res); $row++)
+ {
+ $source = '';
+ $abuse = $dbms->fetch_object($abuse_res, $row);
+ if (ereg("\[error\] \[client ([0-9.]+)\] request failed: URI too long", $abuse->rawdata, $parts))
+ {
+ echo $abuse->rawdata . "\n";
+ echo "Abuse on object " . $abuse->objectid . " from IP address " . $parts[1] . "\n";
+ $source = $parts[1];
+ }
+ if (ereg("\[error\] \[client ([0-9.]+)\] File does not exist: .+/MSADC",
+ $abuse->rawdata, $parts))
+ {
+ echo $abuse->rawdata . "\n";
+ echo "Abuse on object " . $abuse->objectid . " from IP address " . $parts[1] . "\n";
+ $source = $parts[1];
+ }
+ if ($source != '')
+ {
+ record_abuse(0, $abuse->objectid, $source, 2);
+
+ // TODO: Create notification
+ }
+ }
+ $dbms->Free($abuse_res);
+}
+
+function match_log_patterns($logstart)
+{
+ global $dbms;
+
+ $notifications = array();
+
+ // notification: 'abuses exceeded'.
+
+ $noqueue_res = $dbms->query("select logid, objectid, servicecode, rawdata from log where logid > " . $logstart
+ . " order by logid limit " . BATCHSIZE);
+ for ($row = 0; $row < $dbms->num_rows($noqueue_res); $row++)
+ {
+ $logentry = $dbms->fetch_object($noqueue_res, $row);
+ echo "\n----------\n" . $logentry->rawdata . "\n----------\n";
+ $service = $logentry->servicecode;
+ $pattern_res = $dbms->query("select * from service_pattern where service='$service'
+ OR service='ANY' order by rank");
+
+ $match_found = false;
+ for ($patnr = 0; !$match_found && $patnr < $dbms->num_rows($pattern_res); $patnr++)
+ {
+ $srv_pat = $dbms->fetch_object($pattern_res, $patnr);
+ if (ereg($srv_pat->pattern, $logentry->rawdata, $matches))
+ {
+ // Scan the argument for '$n' expressions and expand
+
+ $srv_pat->argument = expand_arguments($srv_pat->argument, $matches);
+ echo " " . $srv_pat->pattern . " matches.\n";
+ echo " Matched string: " . $matches[0] . "\n";
+ echo " Action = " . $srv_pat->action . "(" . $srv_pat->argument . ")\n\n";
+ $match_found = true;
+
+ switch ($srv_pat->action)
+ {
+ case "ignore":
+ break;
+
+ case "notify":
+ $notif = $srv_pat->argument;
+ if (!isset($notifications[$logentry->objectid][$notif]))
+ {
+ echo "Creating notification $notif for object " . $logentry->objectid . ".\n";
+ $remark = "Notification generated from Gnucomo pattern match.";
+ $notifications[$logentry->objectid][$notif] =
+ $dbms->new_notification($logentry->objectid, $notif, $remark);
+ }
+ if (isset($notifications[$logentry->objectid][$notif]))
+ {
+ echo "Notification $notif for object " . $logentry->objectid . " already created.\n";
+ $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
+ $insertion .= $notifications[$logentry->objectid][$notif] . "', '";
+ $insertion .= $logentry->logid . "')";
+ $dbms->query($insertion);
+ }
+ break;
+
+ case "abuse":
+ if (record_abuse($logentry->logid, $logentry->objectid, $srv_pat->argument, 1) >= 6)
+ {
+ $source_ip = $srv_pat->argument;
+ $notif = 'abuses exceeded';
+ if (!isset($notifications[$logentry->objectid][$notif][$source_ip]))
+ {
+ echo "Creating notification $notif for object " . $logentry->objectid . ".\n";
+ $remark = "Abuses from IP address $source_ip exceeded the limit.";
+ $notifications[$logentry->objectid][$notif][$source_ip] =
+ $dbms->new_notification($logentry->objectid, $notif, $remark);
+ }
+ if (isset($notifications[$logentry->objectid][$notif][$source_ip]))
+ {
+ echo "Notification $notif for object " . $logentry->objectid . " already created.\n";
+ $insertion = "INSERT INTO log_notification (notificationid, logid) VALUES ('";
+ $insertion .= $notifications[$logentry->objectid][$notif][$source_ip] . "', '";
+ $insertion .= $logentry->logid . "')";
+ $dbms->query($insertion);
+ }
+ }
+ break;
+ default:
+ echo "Error: unrecognized action in service pattern: " . $srv_pat->action . "\n";
+ break;
+ }
+ }
+ else
+ {
+ echo " " . $srv_pat->pattern . " does not match.\n";
+ }
+ }
+
+ }
+}
+
+/*
+ * Some IP address abused us. Record the event.
+ * Return the number of abuse points recorded so far for the address
+ */
+
+function record_abuse($logid, $objectid, $sourceip, $points)
+{
+ global $dbms;
+
+ $abuse_points = $points;
+
+ $ipaddress = gethostbyname($sourceip);
+ echo " IP address for $sourceip is $ipaddress.\n";
+ $sourceip = $ipaddress;
+
+ $abres = $dbms->query("SELECT * FROM object_abuse WHERE objectid='$objectid' AND source='$sourceip'");
+
+ if (pg_numrows($abres) == 0)
+ {
+ echo "$sourceip is new.\n";
+ $dbms->query("INSERT INTO object_abuse VALUES ('$objectid', '$sourceip', '$points')");
+ }
+ else
+ {
+ $abuse = $dbms->fetch_object($abres, 0);
+ if ($abuse->status == '' || $abuse->status == 'dropped')
+ {
+ $abuse_points = $abuse->nr_abuses + $points;
+ echo $sourceip . " will get " . $abuse_points . " abuse points, ";
+ echo "Status was " . $abuse->status . "\n";
+ $dbms->query("UPDATE object_abuse SET nr_abuses='$abuse_points'" .
+ " WHERE objectid='$objectid' AND source='$sourceip'");
+
+ $dbms->query("INSERT INTO log_abuse VALUES ('$logid', '$objectid', '$sourceip')");
+ if ($abuse_points >= 6)
+ {
+ echo " BLOCK IP adrress $sourceip on the firewall.\n";
+ $dbms->query("UPDATE object_abuse SET status='dropped'" .
+ " WHERE objectid='$objectid' AND source='$sourceip'");
+ }
+ }
+ }
+
+ return $abuse_points;
+}
+
+
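Review bot: record_abuse() interpolates $sourceip and $objectid straight into the object_abuse and log_abuse queries, and in match_log_patterns() the value passed as $sourceip is $srv_pat->argument after expand_arguments() fills it from ereg() captures on $logentry->rawdata — text that whoever produced the log line (a remote client, for httpd entries) controls — so a crafted log line can inject SQL; the `service='$service'` lookup in match_log_patterns() has the same shape. gethostbyname() does not help: it returns its argument unchanged when the name does not resolve, so an arbitrary string still reaches the query and is stored as the abuse "source". Validate that the resolved value is a dotted-quad before using it and escape both values with pg_escape_string() (the file already calls pg_numrows(), so the pg_* functions are in scope); the ereg() calls should also move to preg_match() since ereg() was removed in PHP 7, but that is a separate change. Whether $dbms->query() applies any escaping of its own is not visible in this hunk.
```php
function record_abuse($logid, $objectid, $sourceip, $points)
{
    global $dbms;

    $abuse_points = $points;

    // gethostbyname() returns its argument unchanged on failure, so the
    // result may still be an arbitrary string lifted from the log line.
    $ipaddress = gethostbyname($sourceip);
    if (!preg_match('/^[0-9]{1,3}(\.[0-9]{1,3}){3}$/', $ipaddress))
    {
        echo "  $sourceip does not resolve to an IP address; not recorded.\n";
        return 0;
    }
    echo "  IP address for $sourceip is $ipaddress.\n";
    $sourceip = pg_escape_string($ipaddress);
    $objectid = pg_escape_string($objectid);
    $logid    = pg_escape_string($logid);
    // … unchanged: SELECT / INSERT / UPDATE on object_abuse and log_abuse …
```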