From e5154ea0bdc02cdb2f09486b13281bc620b841a9 Mon Sep 17 00:00:00 2001
From: arjen
Date: Tue, 23 Oct 2007 11:23:52 +0000
Subject: [PATCH] Record the date when adding the number of abuses for an IP address in the abuse list.
---
 src/gcm_daemon/gcm_daemon.php | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/src/gcm_daemon/gcm_daemon.php b/src/gcm_daemon/gcm_daemon.php
index 7003d95..278c29e 100755
--- a/src/gcm_daemon/gcm_daemon.php
+++ b/src/gcm_daemon/gcm_daemon.php
@@ -20,7 +20,11 @@ Gnucomo-0.0.8: September 4th 2003
 $Log: gcm_daemon.php,v $
- Revision 1.21 2007-01-11 13:47:41 arjen
+ Revision 1.22 2007-10-23 11:23:52 arjen
+ Record the date when adding the number of abuses for an IP address
+ in the abuse list.
+
+ Revision 1.21 2007/01/11 13:47:41 arjen
 Log_adv and derived tables removed.
 Create notifications from log entries with pattern matching.
@@ -73,12 +77,12 @@
 */
-// $Id: gcm_daemon.php,v 1.21 2007-01-11 13:47:41 arjen Exp $
+// $Id: gcm_daemon.php,v 1.22 2007-10-23 11:23:52 arjen Exp $
 ini_set('include_path', '.:./classes:../phpclasses');
 ini_set('html_errors', 'false');
-define("BATCHSIZE", 2000);
+define("BATCHSIZE", 5000);
 //Tell the log that we're up.
 define_syslog_variables();
@@ -259,7 +263,7 @@ function purge_old_logs($purge_date)
 echo "Purging log entries before $purge_date\n";
- $dbms->query("CREATE TABLE gcm_deamon_old_log AS SELECT logid FROM log WHERE logid < $purge_date");
+ $dbms->query("CREATE TABLE gcm_deamon_old_log AS SELECT logid FROM log WHERE timestamp < '$purge_date'");
 $dbms->query("SELECT logid FROM gcm_deamon_old_log");
 echo $dbms->num_rows() . " log entries found.\n";
 $r = $dbms->query("select notificationid from log_notification where logid in 
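Review bot: `define("BATCHSIZE", 5000);` raises the batch size from 2000 without any mention in the commit message, which is only about recording abuse dates, so the history gives no reason for the change. Add a comment on the define naming what the constant bounds and why it was raised, e.g. `// Upper bound on log entries handled per pass (raised from 2000 in rev 1.22)` — presumably it limits the entries read per pass; confirm against its use, which is outside this hunk. An unrelated tuning change like this is easier to review and to revert as a commit of its own.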
@@ -633,6 +637,7 @@ function match_log_patterns($logstart)
 for ($patnr = 0; !$match_found && $patnr < $dbms->num_rows($pattern_res); $patnr++)
 {
 $srv_pat = $dbms->fetch_object($pattern_res, $patnr);
+ //echo " Checking with pattern " . $srv_pat->pattern . "\n";
 if (ereg($srv_pat->pattern, $logentry->rawdata, $matches))
 {
 // Scan the argument for '$n' expressions and expand
@@ -668,7 +673,7 @@ function match_log_patterns($logstart)
 break;
 case "abuse":
- if (record_abuse($logentry->logid, $logentry->objectid, $srv_pat->argument, 1) >= 6)
+ if (record_abuse($logentry->logid, $logentry->objectid, $srv_pat->argument, 1) >= 32)
 {
 $source_ip = $srv_pat->argument;
 $notif = 'abuses exceeded';
@@ -743,7 +748,8 @@ function record_abuse($logid, $objectid, $sourceip, $points)
 if (pg_numrows($abres) == 0 && $points > 0)
 {
 //echo "$sourceip is new.\n";
- $dbms->query("INSERT INTO object_abuse VALUES ('$objectid', '$sourceip', '$points')");
+ $dbms->query("INSERT INTO object_abuse VALUES ('$objectid', '$sourceip', '$points', '', NOW())");
+ $dbms->query("INSERT INTO log_abuse VALUES ('$logid', '$objectid', '$sourceip')");
 }
 else if (pg_numrows($abres) != 0)
 {
@@ -758,13 +764,13 @@ function record_abuse($logid, $objectid, $sourceip, $points)
 //echo $sourceip . " will get " . $abuse_points . " abuse points, ";
 //echo "Status was " . $abuse->status . "\n";
 $dbms->query("UPDATE object_abuse SET nr_abuses='$abuse_points'" .
- " WHERE objectid='$objectid' AND source='$sourceip'");
+ ", last_change=NOW() WHERE objectid='$objectid' AND source='$sourceip'");
 if ($points > 0)
 {
 $dbms->query("INSERT INTO log_abuse VALUES ('$logid', '$objectid', '$sourceip')");
 }
- if ($abuse_points >= 6)
+ if ($abuse_points >= 32)
 {
 //echo " BLOCK IP adrress $sourceip on the firewall.\n";
 $dbms->query("UPDATE object_abuse SET status='dropped'" .
-- 
2.11.0
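Review bot: The added `//echo " Checking with pattern " . $srv_pat->pattern . "\n";` is commented-out debug code, joining the other `//echo` lines already in this file (see the record_abuse hunks below); dead code of this kind tends to get re-enabled ad hoc and then prints database-stored pattern text to stdout in production. Either drop the line or make it a real, switchable statement, e.g. `if (DEBUG) echo " Checking with pattern " . $srv_pat->pattern . "\n";` with a `DEBUG` constant (name constructed here) defined next to BATCHSIZE. The enclosing for loop and match_log_patterns continue outside the hunk.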
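Review bot: The abuse threshold literal `32` now appears here and again in record_abuse (`if ($abuse_points >= 32)` in the last hunk), and both were changed from 6 in lockstep, while the commit message says nothing about the change in blocking policy. Keep the value in one place with a constant beside BATCHSIZE, say `define("ABUSE_THRESHOLD", 32);`, and compare against it at both sites, e.g. `if (record_abuse($logentry->logid, $logentry->objectid, $srv_pat->argument, 1) >= ABUSE_THRESHOLD)`. That way the two checks cannot drift apart and the policy change is visible in the define rather than buried in two comparisons. The switch and match_log_patterns continue outside the hunk.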
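Review bot: Both INSERTs interpolate `$sourceip` (and `$objectid`, `$logid`) directly into the SQL text; `$sourceip` is the pattern argument, which the match_log_patterns hunk above appears to expand from `$n` matches against `$logentry->rawdata`, i.e. from log text the daemon did not produce, so a log line containing a quote can break out of the quoted literal and alter the statement. Escape each value before building the query, e.g. `$src = pg_escape_string($sourceip);` and use `'$src'` in both INSERTs (the wrapper is evidently PostgreSQL-backed, given `pg_numrows`), or switch to parameterised queries if `$dbms` supports them. The positional `VALUES (..., '', NOW())` also binds silently to column order; naming the columns (the UPDATE in the next hunk uses `objectid`, `source`, `nr_abuses`, `status`, `last_change`) would make the empty string's target and the new `last_change` column explicit. record_abuse begins and ends outside the hunk.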