From pfSense Documentation
Jump to: navigation, search
This article is part of the How-To series.

PHP Service

The PHP Service package uses command line PHP designed to run PHP as a Service. The custom PHP code that is defined below is run over and over again inside a continuous loop. There are many possible uses such as monitoring CPU, Memory, File System Space, interacting with Snort, and many others uses that are yet to be discovered. It can send events to the syslog that will can be viewed from the system log or remote syslog server. example: exec("logger This is a test");

After installation add the desired PHP code and then start the service from Status > Services. When making any changes to the PHP code or enable/disable the entry, stop and start the PHPService to apply the changes.


PHP Service currently loops through the PHP code once per second. Please ensure the code is optimized and tested before putting it into production.

PHP Examples

The following example PHP code can be use in the PHP Service textarea box labeled as PHP.

Important30.png WARNING Important30.png
The following example is not necessary with the current snort package. It remains only as an example of a script that could be used with this package.

Snort Alert Disconnect Sessions

When a new alert is generated it processes the new alert and closes the offending source and destination session.

   if(file_exists("/var/log/snort/alert")) {
       //file line count
       $snort_alert_line_count = exec("wc -l /var/log/snort/alert");
       if (strlen($snort_alert_line_count_previous) == 0){
           $filename = '/tmp/phpmonitor.count.txt';
           $fp = fopen($filename, 'r');
           $snort_alert_line_count_previous = fread($fp, filesize($filename));
           fwrite($fp, $msg);
       if ($snort_alert_line_count == $snort_alert_line_count_previous) {
           //do nothing file hasn't changed
       else {
           $filename = '/tmp/phpmonitor.count.txt';
           $fp = fopen($filename, 'w');
           fwrite($fp, $snort_alert_line_count);
           $number_of_lines_changed = $snort_alert_line_count - $snort_alert_line_count_previous;
           echo "number_of_lines_changed ".$number_of_lines_changed."\n";
           $tmp = shell_exec("tail -n ".$number_of_lines_changed." /var/log/snort/alert");
           //echo $output."\n";
           $snort_alert_file_split = split("\n", $tmp);
           //$snort_alert_file_split = split("\n", file_get_contents("/var/log/snort/alert"));
           $i = 0;
           foreach($snort_alert_file_split as $fileline) {
                  //only process the line if it has length
                  if (strlen($fileline) > 0) {
                   	echo "previous: ".$snort_alert_line_count_previous." current line: ".$i."\n";
                   	echo "date: ".date('r')."\n";
                   	//-- begin close session --------------      
                   	if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
                   		$alert_title = $matches[2];
                   	if (preg_match_all("/(\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)/", $fileline, $matches))
                       $srcip = $matches[0][0];
                       $dstip = $matches[0][1];
                       unset ($matches);
                   	//  /sbin/pfctl -s state // show states
                   	//drop the current session
                   	if (strlen($srcip) > 0 && strlen($dstip) > 0 ) {
                 	     echo "/sbin/pfctl -k '{$srcip}' -k '{$dstip}'\n";
                 	     exec("/sbin/pfctl -k '{$srcip}' -k '{$dstip}'");
                   	//-- end close session --------------
                   	$fileline = str_replace(">", "", $fileline);
                  	$fileline = str_replace("(", "", $fileline);
                  	$fileline = str_replace(")", "", $fileline);
                   	$syslogmsg = "PHPService: ".$fileline;
                   	exec("logger ".$syslogmsg);
                   	//send_to_syslog($syslogaddress, $syslogport, $syslogmsg);
                     echo "\n";
                  } //if (strlen($fileline) > 0) {
           //set previous count
           $snort_alert_line_count_previous = $snort_alert_line_count;
   } //end if