Crude version

AUTHORS

@@ -0,0 +1,3 @@
+Henglei Li	<lihenglei@secrule.com>
+Vindong		<vindong@secrule.com>
+

INSTALL

@@ -0,0 +1,31 @@
+安装步骤
+*************************
+
+Copyright (C) 2012 Secrule co., Ltd.
+
+
+第一步，解压
+tar -zxvf falcon.tar.gz
+
+第二步，检查程序编译环境
+cd Release/
+./check.sh
+看到以下信息证明程序编译环境准备就绪 
+Found inotify success!
+Found mysql-dev environment success!
+
+第三步，安装Falcon控制中心
+vim ./falconconsole/public/config.inc.php
+修改配置文件中的数据库连接信息，如果控制中心与监控程序没有安装在同一台主机，请确保被监控主机能够有权访问到控制中心所在主机的Mysql数据库
+运行install.php安装控制中心
+
+第四步，修改监控程序配置文件并编译
+vim src/conf/global.conf
+make
+
+第五步，后台运行监控程序
+nohup ./falcon start >falcon.log 2>&1 &
+ps aux|grep "falcon"
+root      2981  0.2  0.3   9352  1848 pts/0    S    04:46   0:00 ./falcon start
+
+程序将在当前运行目录下生成日志文件falcon.log

README

@@ -0,0 +1,8 @@
+Falcon-Web服务器文件监控平台
+============================ 
+
+Falcon是一款基于inotify-tools 开发的Web服务器文件监控平台
+能够实时监控Web目录文件变化(新增，修改，删除)，判断文件内容是否包含恶意代码，自动隔离常见Webshell，保证Web目录文件安全
+
+BUG反馈或建议请联系:falcon@secrule.com
+公司主页:www.secrule.com

Release/check.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+if [ -f /usr/include/sys/inotify.h ]
+then
+	echo "Found inotify success!"
+else
+	echo "inotify not found!Plz update your linux kernel to 2.6.13 or later"
+	exit 1
+fi
+
+if [ -d /usr/include/mysql ] || [ -d /usr/lib/mysql ]
+then
+	echo "Found mysql-dev environment success!"
+else
+	echo "Plz install mysql-dev enviroment.use 'yum install mysql-devel or apt-get install libmysqlclient15-dev'"
+	exit 1
+fi
+

Release/makefile

@@ -0,0 +1,44 @@
+################################################################################
+# Automatically-generated file. Do not edit!
+################################################################################
+
+-include ../makefile.init
+
+RM := rm -rf
+
+# All of the sources participating in the build are defined here
+-include sources.mk
+-include src/subdir.mk
+-include subdir.mk
+-include objects.mk
+
+ifneq ($(MAKECMDGOALS),clean)
+ifneq ($(strip $(C_DEPS)),)
+-include $(C_DEPS)
+endif
+endif
+
+-include ../makefile.defs
+
+# Add inputs and outputs from these tool invocations to the build variables 
+
+# All Target
+all: falcon
+
+# Tool invocations
+falcon: $(OBJS) $(USER_OBJS)
+	@echo 'Building target: $@'
+	@echo 'Invoking: GCC C Linker'
+	gcc -L/usr/lib/mysql -o "falcon" $(OBJS) $(USER_OBJS) $(LIBS)
+	@echo 'Finished building target: $@'
+	@echo ' '
+
+# Other Targets
+clean:
+	-$(RM) $(OBJS)$(C_DEPS)$(EXECUTABLES) falcon
+	-@echo ' '
+
+.PHONY: all clean dependents
+.SECONDARY:
+
+-include ../makefile.targets

Release/objects.mk

@@ -0,0 +1,8 @@
+################################################################################
+# Automatically-generated file. Do not edit!
+################################################################################
+
+USER_OBJS :=
+
+LIBS := -linotifytools -lmysqlclient -lcurl -liconv
+

Release/sources.mk

@@ -0,0 +1,17 @@
+################################################################################
+# Automatically-generated file. Do not edit!
+################################################################################
+
+O_SRCS := 
+C_SRCS := 
+S_UPPER_SRCS := 
+OBJ_SRCS := 
+ASM_SRCS := 
+OBJS := 
+C_DEPS := 
+EXECUTABLES := 
+
+# Every subdirectory with source files must be described here
+SUBDIRS := \
+src \
+

Release/src/subdir.mk

@@ -0,0 +1,33 @@
+################################################################################
+# Automatically-generated file. Do not edit!
+################################################################################
+
+# Add inputs and outputs from these tool invocations to the build variables 
+C_SRCS += \
+../src/config_file.c \
+../src/db_mgr.c \
+../src/falcon.c \
+../src/nw_mgr.c 
+
+OBJS += \
+./src/config_file.o \
+./src/db_mgr.o \
+./src/falcon.o \
+./src/nw_mgr.o 
+
+C_DEPS += \
+./src/config_file.d \
+./src/db_mgr.d \
+./src/falcon.d \
+./src/nw_mgr.d 
+
+
+# Each subdirectory must supply rules for building sources it contributes
+src/%.o: ../src/%.c
+	@echo 'Building file: $<'
+	@echo 'Invoking: GCC C Compiler'
+	gcc -O3 -Wall -c -fmessage-length=0 -MMD -MP -MF"$(@:%.o=%.d)" -MT"$(@:%.o=%.d)" -o "$@" "$<"
+	@echo 'Finished building: $<'
+	@echo ' '
+
+

falconconsole/base.php

@@ -0,0 +1,15 @@
+<?php
+    require_once('./public/config.inc.php');
+    require_once('./public/mysql_class.php');
+    require_once('./public/page.php');
+    date_default_timezone_set("PRC");
+
+	$DB_site = new DB_Sql_vb; 
+	$DB_site -> database = $dbname;
+	$DB_site -> server = $dbhost;
+	$DB_site -> user = $dbuser;
+	$DB_site -> password = $dbpass;
+	$DB_site -> reporterror = 0;
+	$DB_site -> connect();
+	$error = $DB_site -> errno;
+?>

falconconsole/end.php

@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8" />
+<title>Falcon Installer</title>
+<link rel="stylesheet" type="text/css" href="html/style.css" />
+</head>
+<body>
+	<div class="wrap">
+    	<div class="step4">
+		<?php
+            require "base.php";
+            if(isset($_POST['login'])&&ctype_alnum($_POST['username'])){
+            $username = empty($_POST['username'])?'':trim($_POST['username']);
+            $password = empty($_POST['password'])?'':trim($_POST['password']);
+            $sql = "insert into $table1(username,password)values('$username','$password')";
+            $DB_site ->query($sql);
+            if(mysql_affected_rows()>0){
+            $_SESSION['username'] = $sid;
+			echo "<b>恭喜，安装成功！</b>";
+            echo "<a class=\"btn4\" href='login.php'>安装成功，请点击登录</a>";
+            }
+        }
+		?>
+        </div> 
+        <?php
+		include "footer.php" ;
+        ?>
+	</div>
+</body>
+</html>

falconconsole/footer.php

@@ -0,0 +1,8 @@
+<div class="footer">
+    	<div class="inner">
+        	<div class="info">
+            Copyright &copy; 2012 <a href="http://www.secrule.com">Secrule</a> Co.,Ltd. All Rights Reserved.
+            </div
+        </div>
+    </div>
+<div>

falconconsole/html/count.html

@@ -0,0 +1,6 @@
+<table width="100%" border="0" cellspacing="0" cellpadding="0">
+	<tr>	
+		<td>&nbsp;&nbsp;&nbsp;&nbsp;<img src='imgall.php?countnew={countkeyword+countvirus}&countdel={countdel}&countmodify={countmodify}'></td>
+		<td>&nbsp;&nbsp;&nbsp;&nbsp;<img src='imgcount.php?countNew={countnew}&countKeywords={countkeyword}&countVirus={countvirus}'></td>
+	</tr>
+        </table>

falconconsole/html/delete.html

@@ -0,0 +1,33 @@
+	<h3>当天被删除文件数：<font color=#D9773A>{countdel}</font></h3>
+	<table class="mtable" width="100%" border="0" cellspacing="0" cellpadding="0">
+        	<thead>
+            <tr>
+                <td width="102">ID</td>
+                <td width="140">服务器IP</td>
+                <td width="130">报警内容</td>
+                <td width="80">危险等级</td>
+                <td width="80">处理结果</td>
+                <td width="130">监控时间</td>
+                <td>文件详情</td>
+            </tr>
+            </thead>
+            {foreach:all,rowscountdel}
+			<tr>
+				   <td class="ftd">{rowscountdel['id']}</td>
+				   <td>{rowscountdel['ip']}</td>
+				   <td>{rowscountdel['content']}</td>
+				   <td>{rowscountdel['level']}</td>
+				{if:rowscountdel['remove']=="已处理"}
+				<td><font color=#D9773A>{color}{rowscountdel['remove']}</font></td>
+				{else}
+				<td>{rowscountdel['remove']}</td>
+				{end:}
+			    <td>{rowscountdel['date']}</td>
+			    <td><a href="javascript:;" class="viewbtn" onClick="showdiv('div_{rowscountdel['id']}');">查看源代码</a></td>
+            </tr>	
+			<tr id="div_{rowscountdel['id']}" style="display:none;">
+				<td class="ftd" colspan="7"><div class="codebox">{htmlspecialchars(rowscountdel['source'])}</div></td>
+			</tr>
+			{end}
+
+        </table>

falconconsole/html/index.html

@@ -0,0 +1,7 @@
+<frameset rows="70,*"  frameborder="yes" framespacing="30" bordercolor="#cccccc" >
+    <frame  src="top.html" name="topframe" scrolling="no" noresize /> 
+      <frame src="left.html" name="leftFrame" id="leftFrame" frameborder="0"  scrolling="yes" noresize />
+      <frame src="main.html" name="mainFrame" id="mainFrame" frameborder="0" />
+    </frameset>
+</frameset>
+<noframes></noframes>

falconconsole/html/keyword.html

@@ -0,0 +1,33 @@
+	<h3>当天发现新增可疑文件数：<font color=#D9773A>{countkeyword}</font></h3>
+	<table class="mtable" width="100%" border="0" cellspacing="0" cellpadding="0">
+        	<thead>
+            <tr>
+                <td width="102">ID</td>
+                <td width="140">服务器IP</td>
+                <td width="130">报警内容</td>
+                <td width="80">危险等级</td>
+                <td width="80">处理结果</td>
+                <td width="130">监控时间</td>
+                <td>文件详情</td>
+            </tr>
+            </thead>
+            {foreach:all,rowskeyword}
+			<tr>
+				   <td class="ftd">{rowskeyword['id']}</td>
+				   <td>{rowskeyword['ip']}</td>
+				   <td>{rowskeyword['content']}</td>
+				   <td>{rowskeyword['level']}</td>
+				{if:rowskeyword['remove']=="已处理"}
+				<td><font color=#D9773A>{color}{rowskeyword['remove']}</font></td>
+				{else}
+				<td>{rowskeyword['remove']}</td>
+				{end:}
+			    <td>{rowskeyword['date']}</td>
+			    <td><a href="javascript:;" class="viewbtn" onClick="showdiv('div_{rowskeyword['id']}');">查看源代码</a></td>
+            </tr>	
+			<tr id="div_{rowskeyword['id']}" style="display:none;">
+				<td class="ftd" colspan="7"><div class="codebox">{htmlspecialchars(rowskeyword['source'])}</div></td>
+			</tr>
+			{end}
+
+        </table>

falconconsole/html/left.html

@@ -0,0 +1,44 @@
+<div class="menu" id="menu">
+    	<div class="mtop"></div>
+        <ul>
+
+        	<?php if(trim($_GET['action']) ==''){?>
+            	<li class="on"><span>监控主页</span></li>
+            <?php }else{ ?>
+            	<li><a href="index.php"><span>监控主页</span></a></li>
+            <?php }?>
+
+            <?php if(trim($_GET['action']) =='count'){?>
+            	<li class="on"><span>监控统计图</span></li>
+            <?php }else{ ?>
+            <li><a href="?action=count"><span>监控统计图</span></a></li>
+            <?php }?>
+
+            <?php if(trim($_GET['action']) =='virus'){?>
+            	<li class="on"><span>查看后门文件</span></li>
+            <?php }else{ ?>
+             	<li><a href="?action=virus"><span>查看后门文件</span></a></li>
+            <?php }?>
+
+            <?php if(trim($_GET['action']) =='keyword'){?>
+            	<li class="on"<span>查看可疑文件</span></li>
+            <?php }else{ ?>
+             	<li><a href="?action=keyword"><span>查看可疑文件</span></a></li>
+		<?php }?>
+
+	    <?php if(trim($_GET['action']) =='countdel'){?>
+                <li class="on"<span>查看被删除文件</span></li>
+		<?php }else{ ?>
+		<li><a href="?action=countdel"><span>查看被删除文件</span></a></li>
+		<?php }?>
+
+	    <?php if(trim($_GET['action']) =='countmodify'){?>
+	        <li class="on"<span>查看被修改文件</span></li>
+	        <?php }else{ ?>
+	        <li><a href="?action=countmodify"><span>查看被修改文件</span></a></li>
+		<?php }?>
+
+            <li><a href="?action=exit"><span>退&nbsp;&nbsp;出</a></span></li>
+        </ul>
+        <div class="mbtm"></div>
+</div>

falconconsole/html/login.html

@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Falcon-用户登录</title>
+<link rel="stylesheet" type="text/css" href="html/style.css" />
+</head>
+<body>
+<div class="wrap">
+	<form action="./login.php" method="POST">
+  <div class="loginbox">
+    <div class="name">
+      <input type="text" name="username" id="username"/>
+    </div>
+    <div class="pass">
+      <input type="password" name="password" id="password"/>
+    </div>
+    <div class="login">
+      <input type="submit" name="submit" value="登陆" id="sub"/>
+      <input type="reset" name="reset" value="重置" id="ret"/>
+    </div>
+  </div>
+  </form>
+  <div class="loginfo">{message}</div>