aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorErmal <eri@pfsense.org>2012-07-14 06:23:20 +0000
committerErmal <eri@pfsense.org>2012-07-14 06:23:20 +0000
commit9a4da8fc0de9f80f4a034d03506e8bfe9adceaaa (patch)
tree82699dc6a11ca1f12a838327560edabe463d3a0a
parente429e827397d76777de7e76c2ef9d95d53cf624b (diff)
downloadpfsense-packages-9a4da8fc0de9f80f4a034d03506e8bfe9adceaaa.tar.gz
pfsense-packages-9a4da8fc0de9f80f4a034d03506e8bfe9adceaaa.tar.bz2
pfsense-packages-9a4da8fc0de9f80f4a034d03506e8bfe9adceaaa.zip
Switch to output alert_csv to fix all issues with snort alerts/blocked descr
-rw-r--r--config/snort/snort.inc10
-rw-r--r--config/snort/snort_alerts.php482
-rw-r--r--config/snort/snort_blocked.php96
-rw-r--r--config/snort/snort_interfaces_edit.php6
-rw-r--r--config/snort/snort_interfaces_suppress_edit.php4
5 files changed, 180 insertions, 418 deletions
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index cc2cd3c6..e5ce43db 100644
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -1283,10 +1283,10 @@ EOD;
foreach($enabled_rulesets_array as $enabled_item) {
if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") {
$slib = substr($enabled_item, 6, -6);
- if (file_exists("{$snort_dirs['dynamicrules']}/{$slib}"))
- $dynamic_rules_sections .= "dynamicdetection file {$snort_dirs['dynamicrules']}/{$slib}\n";
- }
- if (file_exists("{$snortcfgdir}/rules/{$enabled_item}"))
+ if (file_exists("{$snort_dirs['dynamicrules']}/{$slib}") &&
+ file_exists("{$snortcfgdir}/rules/{$enabled_item}"))
+ $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n";
+ } else if (file_exists("{$snortcfgdir}/rules/{$enabled_item}"))
$selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n";
}
}
@@ -1332,7 +1332,7 @@ config event_queue: max_queue 8 log 3 order_events content_length
#Configure dynamic loaded libraries
dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']}
dynamicengine directory {$snort_dirs['dynamicengine']}
-{$dynamic_rules_sections}
+dynamicdetection directory {$snort_dirs['dynamicrules']}
# Flow and stream #
preprocessor frag3_global: max_frags 8192
diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php
index 0c6334d9..ea96d673 100644
--- a/config/snort/snort_alerts.php
+++ b/config/snort/snort_alerts.php
@@ -37,10 +37,6 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/snort/snort.inc");
-/* load only javascript that is needed */
-$snort_load_sortabletable = 'yes';
-$snort_load_mootools = 'yes';
-
$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype'];
if ($_GET['instance'])
@@ -66,8 +62,7 @@ if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) {
$pconfig['arefresh'] = 'off';
}
-if ($_POST['save'])
-{
+if ($_POST['save']) {
if (!is_array($config['installedpackages']['snortglobal']['alertsblocks']))
$config['installedpackages']['snortglobal']['alertsblocks'] = array();
$config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? 'on' : 'off';
@@ -79,22 +74,50 @@ if ($_POST['save'])
exit;
}
-if ($_GET['action'] == "clear" || $_POST['delete']) {
- if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
- conf_mount_rw();
- snort_post_delete_logs($snort_uuid);
- $fd = fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "w");
- if ($fd) {
- @ftruncate($fd, 0);
- fclose($fd);
+if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) {
+ $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n";
+ if (!is_array($config['installedpackages']['snortglobal']['suppress']))
+ $config['installedpackages']['snortglobal']['suppress'] = array();
+ if (!is_array($config['installedpackages']['snortglobal']['suppress']['item']))
+ $config['installedpackages']['snortglobal']['suppress']['item'] = array();
+ $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item'];
+
+ if (empty($a_instance[$instanceid]['suppresslistname']) || $a_instance[$instanceid]['suppresslistname'] == 'default') {
+ $s_list = array();
+ $s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress";
+ $s_list['uuid'] = uniqid();
+ $s_list['descr'] = "Auto generted list for suppress";
+ $s_list['suppresspassthru'] = base64_encode($suppress);
+ $a_suppress[] = $s_list;
+ $a_instance[$instanceid]['suppresslistname'] = $s_list['name'];
+ } else {
+ foreach ($a_suppress as $a_id => $alist) {
+ if ($alist['name'] == $a_instance[$instanceid]['suppresslistname']) {
+ if (!empty($alist['suppresspassthru'])) {
+ $tmplist = base64_decode($alist['suppresspassthru']);
+ $tmplist .= "\n{$suppress}";
+ $alist['suppresspassthru'] = base64_encode($tmplist);
+ $a_suppress[$a_id] = $alist;
+ }
+ }
}
- conf_mount_ro();
- /* XXX: This is needed is snort is run as snort user */
- //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true);
- mwexec('/bin/chmod 660 /var/log/snort/*', true);
- if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"))
- mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a");
}
+ write_config();
+ sync_snort_package_config();
+}
+
+if ($_GET['action'] == "clear" || $_POST['delete']) {
+ conf_mount_rw();
+ snort_post_delete_logs($snort_uuid);
+ $fd = @fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "w+");
+ if ($fd)
+ fclose($fd);
+ conf_mount_ro();
+ /* XXX: This is needed is snort is run as snort user */
+ //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true);
+ mwexec('/bin/chmod 660 /var/log/snort/*', true);
+ if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid"))
+ mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a");
header("Location: /snort/snort_alerts.php?instance={$instanceid}");
exit;
}
@@ -114,140 +137,13 @@ if ($_POST['download']) {
header("Content-length: ".filesize($file));
header("Content-disposition: attachment; filename = {$file_name}");
readfile("$file");
- exec("/bin/rm /tmp/{$file_name}");
+ @unlink("/tmp/{$file_name}");
}
header("Location: /snort/snort_alerts.php?instance={$instanceid}");
exit;
}
-/* WARNING: took me forever to figure reg expression, dont lose */
-// $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50';
-function get_snort_alert_date($fileline)
-{
- /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */
- if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches))
- $alert_date = "$matches[0]";
-
- return $alert_date;
-}
-
-function get_snort_alert_disc($fileline)
-{
- /* disc */
- if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
- $alert_disc = "$matches[2]";
-
- return $alert_disc;
-}
-
-function get_snort_alert_class($fileline)
-{
- /* class */
- if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches))
- $alert_class = "$matches[0]";
-
- return $alert_class;
-}
-
-function get_snort_alert_priority($fileline)
-{
- /* Priority */
- if (preg_match('/Priority:\s\d/', $fileline, $matches))
- $alert_priority = "$matches[0]";
-
- return $alert_priority;
-}
-
-function get_snort_alert_proto($fileline)
-{
- /* Priority */
- if (preg_match('/\{.+\}/', $fileline, $matches))
- $alert_proto = "$matches[0]";
-
- return $alert_proto;
-}
-
-function get_snort_alert_proto_full($fileline)
-{
- /* Protocal full */
- if (preg_match('/.+\sTTL/', $fileline, $matches))
- $alert_proto_full = "$matches[0]";
-
- return $alert_proto_full;
-}
-
-function get_snort_alert_ip_src($fileline)
-{
- /* SRC IP */
- $re1='.*?'; # Non-greedy match on filler
- $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1
-
- if (preg_match_all ("/".$re1.$re2."/is", $fileline, $matches))
- $alert_ip_src = $matches[1][0];
-
- return $alert_ip_src;
-}
-
-function get_snort_alert_src_p($fileline)
-{
- /* source port */
- if (preg_match('/:\d+\s-/', $fileline, $matches))
- $alert_src_p = "$matches[0]";
-
- return $alert_src_p;
-}
-
-function get_snort_alert_flow($fileline)
-{
- /* source port */
- if (preg_match('/(->|<-)/', $fileline, $matches))
- $alert_flow = "$matches[0]";
-
- return $alert_flow;
-}
-
-function get_snort_alert_ip_dst($fileline)
-{
- /* DST IP */
- $re1dp='.*?'; # Non-greedy match on filler
- $re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])'; # Uninteresting: ipaddress
- $re3dp='.*?'; # Non-greedy match on filler
- $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1
-
- if (preg_match_all("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches))
- $alert_ip_dst = $matches[1][0];
-
- return $alert_ip_dst;
-}
-
-function get_snort_alert_dst_p($fileline)
-{
- /* dst port */
- if (preg_match('/:\d+$/', $fileline, $matches))
- $alert_dst_p = "$matches[0]";
-
- return $alert_dst_p;
-}
-
-function get_snort_alert_dst_p_full($fileline)
-{
- /* dst port full */
- if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches))
- $alert_dst_p = "$matches[0]";
-
- return $alert_dst_p;
-}
-
-function get_snort_alert_sid($fileline)
-{
- /* SID */
- if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches))
- $alert_sid = "$matches[0]";
-
- return $alert_sid;
-}
-
$pgtitle = "Services: Snort: Snort Alerts";
include_once("head.inc");
@@ -263,7 +159,12 @@ if ($pconfig['arefresh'] == 'on')
echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />\n";
?>
-<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?>
+<?php if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}
+ /* Display Alert message */
+ if ($input_errors) {
+ print_input_errors($input_errors); // TODO: add checks
+ }
+?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
<?php
@@ -280,9 +181,9 @@ if ($pconfig['arefresh'] == 'on')
</td></tr>
<tr>
<td>
- <div id="mainarea2">
- <table class="tabcont" width="100%" border="1" cellspacing="0" cellpadding="0">
- <form action="/snort/snort_alerts.php" method="post" id="formalert">
+ <div id="mainarea">
+ <form action="/snort/snort_alerts.php" method="post" id="formalert">
+ <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="22%" colspan="0" class="listtopic">Last <?=$anentries;?> Alert Entries.</td>
<td width="78%" class="listtopic">Latest Alert Entries Are Listed First.</td>
@@ -322,207 +223,120 @@ if ($pconfig['arefresh'] == 'on')
Enter the number of log entries to view. <strong>Default</strong> is <strong>250</strong>.
</td>
</tr>
- </form>
</table>
- </div>
+ </form>
</td>
</tr>
-</table>
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
- <td width="100%"><br>
+ <tr>
+ <td width="100%" colspan="2">
<div class="tableFilter">
- <form id="tableFilter"
- onsubmit="myTable.filter(this.id); return false;">Filter: <select
- id="column">
- <option value="1">PRIORITY</option>
- <option value="2">PROTO</option>
+ <form id="tableFilter" onsubmit="myTable.filter(this.id); return false;">
+ <br/>
+ Filter: <select id="column">
+ <option value="1">PRIORITY</option>
+ <option value="2">PROTO</option>
<option value="3">DESCRIPTION</option>
<option value="4">CLASS</option>
<option value="5">SRC</option>
<option value="6">SRC PORT</option>
- <option value="7">FLOW</option>
<option value="8">DST</option>
<option value="9">DST PORT</option>
<option value="10">SID</option>
<option value="11">Date</option>
- </select> <input type="text" id="keyword" /> <input type="submit"
+ </select>
+ <input type="text" id="keyword" /> <input type="submit"
value="Submit" /> <input type="reset" value="Clear" /></form>
- </div>
- <table class="allRow" id="myTable" width="100%" border="2"
- cellpadding="1" cellspacing="1">
- <thead>
- <th axis="number">#</th>
- <th axis="string">PRI</th>
- <th axis="string">PROTO</th>
- <th axis="string">DESCRIPTION</th>
- <th axis="string">CLASS</th>
- <th axis="string">SRC</th>
- <th axis="string">SPORT</th>
- <th axis="string">FLOW</th>
- <th axis="string">DST</th>
- <th axis="string">DPORT</th>
- <th axis="string">SID</th>
- <th axis="date">Date</th>
- </thead>
- <tbody>
- <?php
-
- /* make sure alert file exists */
- if (!file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert"))
- @touch("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert");
-
- /* detect the alert file type */
- if ($snortalertlogt == 'full')
- $alerts_array = array_reverse(explode("\n\n", file_get_contents("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")));
- else
- $alerts_array = array_reverse(explode("\n", file_get_contents("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")));
-
- if (is_array($alerts_array)) {
- foreach($alerts_array as $counter => $fileline) {
- if (empty($fileline))
- continue;
- if ($counter > $anentries)
- break;
-
- /* Date */
- $alert_date_str = get_snort_alert_date($fileline);
- if($alert_date_str != '')
- $alert_date = $alert_date_str;
- else
- $alert_date = 'empty';
-
- /* Discription */
- $alert_disc_str = get_snort_alert_disc($fileline);
- if(empty($alert_disc_str))
- $alert_disc = 'empty';
- else
- $alert_disc = $alert_disc_str;
-
- /* Classification */
- $alert_class_str = get_snort_alert_class($fileline);
- if($alert_class_str != '')
- {
- $alert_class_match = array('[Classification:',']');
- $alert_class = str_replace($alert_class_match, '', "$alert_class_str");
- }else{
- $alert_class = 'Prep';
- }
-
- /* Priority */
- $alert_priority_str = get_snort_alert_priority($fileline);
- if($alert_priority_str != '')
- {
- $alert_priority_match = array('Priority: ',']');
- $alert_priority = str_replace($alert_priority_match, '', "$alert_priority_str");
- }else{
- $alert_priority = 'empty';
- }
-
- /* Protocol */
- /* Detect alert file type */
- if ($snortalertlogt == 'full')
- {
- $alert_proto_str = get_snort_alert_proto_full($fileline);
- }else{
- $alert_proto_str = get_snort_alert_proto($fileline);
- }
-
- if($alert_proto_str != '')
- {
- $alert_proto_match = array(" TTL",'{','}');
- $alert_proto = str_replace($alert_proto_match, '', "$alert_proto_str");
- }else{
- $alert_proto = 'empty';
- }
-
- /* IP SRC */
- $alert_ip_src_str = get_snort_alert_ip_src($fileline);
- if($alert_ip_src_str != '')
- {
- $alert_ip_src = $alert_ip_src_str;
- }else{
- $alert_ip_src = 'empty';
- }
-
- /* IP SRC Port */
- $alert_src_p_str = get_snort_alert_src_p($fileline);
- if($alert_src_p_str != '')
- {
- $alert_src_p_match = array(' -',':');
- $alert_src_p = str_replace($alert_src_p_match, '', "$alert_src_p_str");
- }else{
- $alert_src_p = 'empty';
- }
-
- /* Flow */
- $alert_flow_str = get_snort_alert_flow($fileline);
- if($alert_flow_str != '')
- {
- $alert_flow = $alert_flow_str;
- }else{
- $alert_flow = 'empty';
- }
-
- /* IP Destination */
- $alert_ip_dst_str = get_snort_alert_ip_dst($fileline);
- if($alert_ip_dst_str != '')
- {
- $alert_ip_dst = $alert_ip_dst_str;
- }else{
- $alert_ip_dst = 'empty';
- }
-
- /* IP DST Port */
- if ($snortalertlogt == 'full')
- {
- $alert_dst_p_str = get_snort_alert_dst_p_full($fileline);
- }else{
- $alert_dst_p_str = get_snort_alert_dst_p($fileline);
- }
-
- if($alert_dst_p_str != '')
- {
- $alert_dst_p_match = array(':',"\n"," TTL");
- $alert_dst_p_str2 = str_replace($alert_dst_p_match, '', "$alert_dst_p_str");
- $alert_dst_p_match2 = array('/[A-Z]/');
- $alert_dst_p = preg_replace($alert_dst_p_match2, '', "$alert_dst_p_str2");
- }else{
- $alert_dst_p = 'empty';
- }
-
- /* SID */
- $alert_sid_str = get_snort_alert_sid($fileline);
-
- if($alert_sid_str != '')
- {
- $alert_sid_match = array('[',']');
- $alert_sid = str_replace($alert_sid_match, '', "$alert_sid_str");
- }else{
- $alert_sid_str = 'empty';
- }
-
- /* NOTE: using one echo improves performance by 2x */
- echo "<tr id=\"{$counter}\">
- <td class=\"centerAlign\">{$counter}</td>
- <td class=\"centerAlign\">{$alert_priority}</td>
- <td class=\"centerAlign\">{$alert_proto}</td>
- <td>{$alert_disc}</td>
- <td class=\"centerAlign\">{$alert_class}</td>
- <td>{$alert_ip_src}</td>
- <td class=\"centerAlign\">{$alert_src_p}</td>
- <td class=\"centerAlign\">{$alert_flow}</td>
- <td>{$alert_ip_dst}</td>
- <td class=\"centerAlign\">{$alert_dst_p}</td>
- <td class=\"centerAlign\">{$alert_sid}</td>
- <td>{$alert_date}</td>
+ <br/>
+ </td>
+</tr>
+<tr>
+ <td colspan="2">
+ <table id="myTable" width="100%" border="1" cellpadding="0" cellspacing="0">
+ <thead>
+ <th class='listhdrr' width='5%' axis="number">#</th>
+ <th class='listhdrr' width='5%' axis="number">PRI</th>
+ <th class='listhdrr' width='3%' axis="string">PROTO</th>
+ <th class='listhdrr' width='20%' axis="string">DESCRIPTION</th>
+ <th class='listhdrr' width='7%' axis="string">CLASS</th>
+ <th class='listhdrr' width='15%' axis="string">SRC</th>
+ <th class='listhdrr' width='5%' axis="string">SPORT</th>
+ <th class='listhdrr' width='15%' axis="string">DST</th>
+ <th class='listhdrr' width='5%' axis="string">DPORT</th>
+ <th class='listhdrr' width='5%' axis="string">SID</th>
+ <th class='listhdr' width='10%' axis="date">Date</th>
+ </thead>
+ <tbody>
+ <?php
+
+/* make sure alert file exists */
+if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
+ $fd = fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "r");
+ if ($fd) {
+ $counter = 0;
+ /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
+ /* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */
+ while(($fileline = @fgets($fd))) {
+ if (empty($fileline))
+ continue;
+ if ($counter > $anentries)
+ break;
+ $fields = explode(",", $fileline);
+
+ /* Date */
+ $alert_date = $fields[0];
+ /* Description */
+ $alert_descr = $fields[4];
+ /* Priority */
+ $alert_priority = $fields[12];
+ /* Protocol */
+ $alert_proto = $fields[5];
+ /* IP SRC */
+ $alert_ip_src = $fields[6];
+ /* IP SRC Port */
+ $alert_src_p = $fields[7];
+ /* IP Destination */
+ $alert_ip_dst = $fields[8];
+ /* IP DST Port */
+ $alert_dst_p = $fields[9];
+ /* SID */
+ $alert_sid_str = "{$fields[1]}:{$fields[2]}:{$fields[3]}";
+ $alert_class = $fields[10];
+
+ echo "<tr id=\"{$counter}\">
+ <td class='listr' width='5%' >{$counter}</td>
+ <td class='listr' width='5%' >{$alert_priority}</td>
+ <td class='listr' width='3%'>{$alert_proto}</td>
+ <td class='listr' width='20%'>{$alert_descr}</td>
+ <td class='listr' width='7%' >{$alert_class}</td>
+ <td class='listr' width='15%'>{$alert_ip_src}</td>
+ <td class='listr' width='5%' >{$alert_src_p}</td>
+ <td class='listr' width='15%'>{$alert_ip_dst}</td>
+ <td class='listr' width='5%' >{$alert_dst_p}</td>
+ <td class='listr' width='5%' >
+ {$alert_sid_str}
+ <a href='?instance={$instanceid}&act=addsuppress&sidid={$fields[2]}&gen_id={$fields[1]}'>
+ <img src='../themes/{$g['theme']}/images/icons/icon_plus.gif'
+ width='10' height='10' border='0'
+ title='click to add to suppress list'></a>
+ </td>
+ <td class='listr' width='10%'>{$alert_date}</td>
</tr>\n";
- }
+
+ $counter++;
}
- ?>
+ fclose($fd);
+ }
+}
+?>
</tbody>
</table>
</td>
+</tr>
+ </form>
+ </div>
</table>
+</div>
+</td></tr></table>
<?php
include("fend.inc");
?>
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php
index ddeae784..1ff7972c 100644
--- a/config/snort/snort_blocked.php
+++ b/config/snort/snort_blocked.php
@@ -38,7 +38,6 @@ if (!is_array($config['installedpackages']['snortglobal']['alertsblocks']))
$pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
$pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
-$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
if (empty($pconfig['blertnumber']))
$bnentries = '500';
@@ -115,62 +114,6 @@ if ($_POST['save'])
}
-/* build filter funcs */
-function get_snort_alert_ip_src($fileline)
-{
- /* SRC IP */
- $re1='.*?'; # Non-greedy match on filler
- $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1
-
- if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4))
- return $matches4[1][0];
-
- return "";
-}
-
-function get_snort_alert_disc($fileline)
-{
- /* disc */
- if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
- return "{$matches[2]}";
-
- return "";
-}
-
-/* tell the user what settings they have */
-$blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked'];
-if ($blockedtab_msg_chk == "1h_b") {
- $blocked_msg = "hour";
-}
-if ($blockedtab_msg_chk == "3h_b") {
- $blocked_msg = "3 hours";
-}
-if ($blockedtab_msg_chk == "6h_b") {
- $blocked_msg = "6 hours";
-}
-if ($blockedtab_msg_chk == "12h_b") {
- $blocked_msg = "12 hours";
-}
-if ($blockedtab_msg_chk == "1d_b") {
- $blocked_msg = "day";
-}
-if ($blockedtab_msg_chk == "4d_b") {
- $blocked_msg = "4 days";
-}
-if ($blockedtab_msg_chk == "7d_b") {
- $blocked_msg = "7 days";
-}
-if ($blockedtab_msg_chk == "28d_b") {
- $blocked_msg = "28 days";
-}
-
-if ($blockedtab_msg_chk != "never_b")
-{
- $blocked_msg_txt = "Hosts are removed every <strong>$blocked_msg</strong>.";
-}else{
- $blocked_msg_txt = "Settings are set to never <strong>remove</strong> hosts.";
-}
-
$pgtitle = "Services: Snort Blocked Hosts";
include_once("head.inc");
@@ -272,28 +215,31 @@ if ($pconfig['brefresh'] == 'on')
$blocked_ips_array[] = trim($blocked_ip, " \n\t");
}
}
- $input = array();
- $alert_ip_src_array = array();
- foreach (glob("/var/log/snort/*/alert") as $alert) {
- if ($pconfig['snortalertlogtype'] == 'full')
- $alerts_array = array_reverse(explode("\n\n", file_get_contents($alert)));
- else
- $alerts_array = array_reverse(file($alert));
- /* build the list and compare blocks to alerts */
- foreach($alerts_array as $counter => $fileline) {
- if (empty($fileline))
- continue;
-
- $alert_ip_src = get_snort_alert_ip_src($fileline);
- $alert_ip_disc = get_snort_alert_disc($fileline);
- $alert_ip_src_array[] = $alert_ip_src;
- if (!empty($blocked_ips_array) && in_array("$alert_ip_src", $blocked_ips_array)) {
- if (!isset($input[$alert_ip_src]))
- $input[$alert_ip_src] = "{$alert_ip_disc}\n";
+ $src_ip_list = array();
+ /* make sure alert file exists */
+ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
+ $fd = fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "r");
+ if ($fd) {
+ /* 0 1 2 3 4 5 6 7 8 9 10 11 12
+ /* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */
+ while(($fileline = @fgets($fd))) {
+ if (empty($fileline))
+ continue;
+ $fields = explode(",", $fileline);
+
+ $src_ip_list[$fields[6]] = "{$fields[4]} - {$fields[0]}";;
+ $src_ip_list[$fields[8]] = "{$fields[4]} - {$fields[0]}";;
}
+ fclose($fd);
}
}
+ $input = array();
+ foreach ($blocked_ips_array as $blocked_ip) {
+ if (isset($src_ip_list[$blocked_ip]))
+ $input[$blocked_ip] = $src_ip_list[$blocked_ip];
+ }
+
foreach($blocked_ips_array as $blocked_ip) {
if (is_ipaddr($blocked_ip) && !isset($input[$blocked_ip]))
$input[$blocked_ip] = "N\A\n";
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index dc9c4601..50340853 100644
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -106,8 +106,10 @@ if ($_POST["Submit"]) {
$if_real = snort_get_real_interface($natent['interface']);
if (isset($id) && $a_rule[$id]) {
- if ($natent['interface'] != $a_rule[$id]['interface'])
- snort_stop($a_rule[$id], $if_real);
+ if ($natent['interface'] != $a_rule[$id]['interface']) {
+ $oif_real = snort_get_real_interface($a_rule[$id]['interface']);
+ snort_stop($a_rule[$id], $oif_real);
+ }
$a_rule[$id] = $natent;
} else
$a_rule[] = $natent;
diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php
index 8a7e29ef..7dfe5d74 100644
--- a/config/snort/snort_interfaces_suppress_edit.php
+++ b/config/snort/snort_interfaces_suppress_edit.php
@@ -105,7 +105,7 @@ if ($_POST['submit']) {
if (!$input_errors) {
$s_list = array();
$s_list['name'] = $_POST['name'];
- $s_list['uuid'] = $suppress_uuid;
+ $s_list['uuid'] = uniqid();
$s_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto");
if ($_POST['suppresspassthru'])
$s_list['suppresspassthru'] = base64_encode($_POST['suppresspassthru']);
@@ -123,7 +123,7 @@ if ($_POST['submit']) {
}
}
-$pgtitle = "Services: Snort: Suppression: Edit $suppress_uuid";
+$pgtitle = "Services: Snort: Suppression: Edit";
include_once("head.inc");
?>