<?php
## This code is written by Soren Isager @ sorenisager.com 2020
## This code is licenced under MIT License
## APP: AlertHandler
# Load Config & Function file
include_once("config.php");
include_once("functions.php");
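# Load the reverse-lookup table when enabled (config.php sets $ReverseLookup and
# $ReverseLookupJsonFilePath). Neither call used here throws: file_get_contents()
# returns false (plus a warning) when the file cannot be read, and json_decode()
# returns null on malformed JSON and leaves the reason in json_last_error(). The
# original try/catch therefore never fired for either failure and the script went
# on with an empty table; both cases are now checked explicitly and abort the run.
if ($ReverseLookup)
{
    $ReverseLookupJsonFileRaw = file_get_contents($ReverseLookupJsonFilePath);
    if ($ReverseLookupJsonFileRaw === false)
    {
        echo "ERROR: Could not load ReverseLookupJsonFile";
        die();
    }
    $ReverseLookupJsonFileData = json_decode($ReverseLookupJsonFileRaw, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($ReverseLookupJsonFileData))
    {
        # Only the parser message is printed. Echoing a Throwable (as the previous
        # version did) dumps a stack trace, including server paths, to whoever
        # triggered this script.
        echo "ERROR: Could not load ReverseLookupJsonFile : " . json_last_error_msg();
        die();
    }
}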
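# Load inbound datalogs. LIMIT cannot be bound as a parameter, so the config value
# is cast to a non-negative int before it is concatenated into the query.
$NumberOfLogsLimit = max(0, (int) $NumberOfLogsToExecute);
$GetLogs = mysqli_query($MySQLConnection, "SELECT * from vrli_webhook_inbound WHERE state = 'new' LIMIT " . $NumberOfLogsLimit);
if ($GetLogs === false)
{
    echo "ERROR: Could not load inbound webhooks : " . mysqli_error($MySQLConnection);
    die();
}
# Prepare the three statements once, outside the loop. Every value taken from a log
# message (hostname, src/dst, port, tag, flags, ...) is bound as a parameter and never
# concatenated into SQL: the payload is text delivered by an external webhook, so a
# single quote in e.g. a hostname field would otherwise break or inject the query.
$CheckStmt = mysqli_prepare($MySQLConnection, "SELECT id
    FROM vrli_alerts
    WHERE
    vmw_nsxt_firewall_src = ? AND
    vmw_nsxt_firewall_dst = ? AND
    vmw_nsxt_firewall_dst_port = ? AND
    alert_status = 'new'
    LIMIT 1");
$InsertStmt = mysqli_prepare($MySQLConnection, "INSERT INTO vrli_alerts SET
    hostname = ?,
    alert_webhook_id = ?,
    vmw_nsxt_firewall_src = ?,
    reverse_src = ?,
    vmw_nsxt_firewall_dst = ?,
    reverse_dst = ?,
    vmw_nsx_firewall_protocol = ?,
    vmw_nsxt_firewall_action = ?,
    vmw_nsxt_firewall_dst_port = ?,
    vmw_nsxt_firewall_dst_ip_port = ?,
    logging_tag = ?,
    logging_tcp_flags = ?,
    alert_parent_id = ?,
    alert_status = ?");
$UpdateStmt = mysqli_prepare($MySQLConnection, "UPDATE vrli_webhook_inbound SET state = 'fixed' WHERE id = ?");
if ($CheckStmt === false || $InsertStmt === false || $UpdateStmt === false)
{
    echo "ERROR: Could not prepare alert statements : " . mysqli_error($MySQLConnection);
    die();
}
# Text after the first occurrence of $Separator in $Text, or "" when the separator is
# empty or absent. explode() throws on an empty separator and index [1] is undefined
# when the separator is not found, so one log line in an unexpected format must not
# abort the whole batch.
$TextAfter = function ($Separator, $Text)
{
    $Separator = (string) $Separator;
    if ($Separator === "")
    {
        return "";
    }
    $Parts = explode($Separator, (string) $Text);
    return isset($Parts[1]) ? $Parts[1] : "";
};
while ($row = mysqli_fetch_assoc($GetLogs))
{
    # The webhook id is taken from the row before the message loop: a row whose payload
    # holds no messages must still be marked fixed below with its OWN id, not with the
    # id left over from the previous row (which left the empty row 'new' forever).
    $WebhookID = (string) $row["id"];
    # Get data from database. A payload that is not JSON or has no "messages" array
    # yields an empty batch; the row is still marked fixed so it is not retried endlessly.
    $RawLogBundle = json_decode($row["data"], true);
    $Messages = (is_array($RawLogBundle) && isset($RawLogBundle["messages"]) && is_array($RawLogBundle["messages"]))
        ? $RawLogBundle["messages"]
        : [];
    # Foreach Log
    foreach ($Messages as $value)
    {
        # NOTE(review): FindFieldValue() lives in functions.php; it is assumed to accept an
        # empty field list and return "" for a missing field — confirm. Every field is cast
        # to string so a null result binds as "" (as the old string concatenation did)
        # rather than as SQL NULL.
        $Fields = isset($value["fields"]) ? $value["fields"] : [];
        $LogText = isset($value["text"]) ? (string) $value["text"] : "";
        $Hostname = (string) FindFieldValue($Fields, "hostname");
        $FWAction = (string) FindFieldValue($Fields, "vmw_nsxt_firewall_action");
        $FWDST = (string) FindFieldValue($Fields, "vmw_nsxt_firewall_dst");
        $FWProtocol = (string) FindFieldValue($Fields, "vmw_nsx_firewall_protocol");
        $FWSOURCE = (string) FindFieldValue($Fields, "vmw_nsxt_firewall_src");
        $FWDSTPort = (string) FindFieldValue($Fields, "vmw_nsxt_firewall_dst_port");
        $FWDSTIPPORT = (string) FindFieldValue($Fields, "vmw_nsxt_firewall_dst_ip_port");
        # Get Tag/TCP flag from the free-text part of the message. Only TCP has a
        # separator ($FWDSTIPPORT) that can be empty; ICMP/UDP separators always contain "->".
        switch ($FWProtocol)
        {
            case 'TCP':
                $Tokens = explode(" ", $TextAfter($FWDSTIPPORT, $LogText));
                $FWTCPFLAG = isset($Tokens[1]) ? $Tokens[1] : "";
                $FWTag = isset($Tokens[2]) ? $Tokens[2] : "";
                break;
            case 'ICMP':
                $FWTag = trim($TextAfter($FWSOURCE . "->" . $FWDST, $LogText));
                $FWTCPFLAG = "";
                break;
            case 'UDP':
                $FWTag = trim($TextAfter("->" . $FWDSTIPPORT, $LogText));
                $FWTCPFLAG = "";
                break;
            default:
                $FWTag = "";
                $FWTCPFLAG = "";
                break;
        }
        # Check if reverse is enabled and if so, make reverselookup (ReverseLookup() is
        # defined in functions.php; its result is cast to string for binding).
        if ($ReverseLookup)
        {
            $ReverseLookupSourceResult = (string) ReverseLookup($FWSOURCE);
            $ReverseLookupDestinationResult = (string) ReverseLookup($FWDST);
        }
        else
        {
            $ReverseLookupSourceResult = "";
            $ReverseLookupDestinationResult = "";
        }
        # Check if we need to duplicate alert or just merge: an open ('new') alert with the
        # same src/dst/port makes this one a 'duplicate' pointing at it, otherwise it is 'new'.
        $AlertStatus = "new";
        $AlertParentID = "0";
        if ($MergeDuplicateAlerts)
        {
            mysqli_stmt_bind_param($CheckStmt, "sss", $FWSOURCE, $FWDST, $FWDSTPort);
            if (mysqli_stmt_execute($CheckStmt))
            {
                mysqli_stmt_store_result($CheckStmt);
                mysqli_stmt_bind_result($CheckStmt, $ExistingAlertID);
                if (mysqli_stmt_fetch($CheckStmt))
                {
                    $AlertStatus = "duplicate";
                    $AlertParentID = (string) $ExistingAlertID;
                }
                mysqli_stmt_free_result($CheckStmt);
            }
            else
            {
                # Treated as "no open alert": the log is still recorded, just not merged.
                echo "ERROR: Duplicate check failed for webhook " . $WebhookID . " : " . mysqli_stmt_error($CheckStmt);
            }
        }
        # Check if we need to ignore Highport: ephemeral destination ports 49152-65535 are
        # stored already closed. A non-numeric port never matches the range.
        if ($IgnoreHighPorts)
        {
            $PortNumber = filter_var($FWDSTPort, FILTER_VALIDATE_INT);
            if ($PortNumber !== false && $PortNumber >= 49152 && $PortNumber <= 65535)
            {
                $AlertStatus = "fixed";
            }
        }
        # Insert into database (14 string parameters, in column order of $InsertStmt).
        mysqli_stmt_bind_param(
            $InsertStmt,
            str_repeat("s", 14),
            $Hostname,
            $WebhookID,
            $FWSOURCE,
            $ReverseLookupSourceResult,
            $FWDST,
            $ReverseLookupDestinationResult,
            $FWProtocol,
            $FWAction,
            $FWDSTPort,
            $FWDSTIPPORT,
            $FWTag,
            $FWTCPFLAG,
            $AlertParentID,
            $AlertStatus
        );
        if (!mysqli_stmt_execute($InsertStmt))
        {
            # Logged rather than fatal so one bad message does not block the batch; the
            # webhook row is still marked fixed below, as before.
            echo "ERROR: Could not insert alert for webhook " . $WebhookID . " : " . mysqli_stmt_error($InsertStmt);
        }
    }
    # Set Webhook as finish
    mysqli_stmt_bind_param($UpdateStmt, "s", $WebhookID);
    if (!mysqli_stmt_execute($UpdateStmt))
    {
        echo "ERROR: Could not mark webhook " . $WebhookID . " as fixed : " . mysqli_stmt_error($UpdateStmt);
    }
}
mysqli_stmt_close($CheckStmt);
mysqli_stmt_close($InsertStmt);
mysqli_stmt_close($UpdateStmt);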
?>