snort-dev, add ajax alerts tab

author: robiscool <robrob2626@yahoo.com> 2009-12-19 17:42:34 -0800
committer: robiscool <robrob2626@yahoo.com> 2009-12-19 17:43:42 -0800
commit: f7a21ec39534b14fe3eb49f8925395ccb999ad12 (patch)
tree: 9e13f3d8c496e70440bd8b4eca45d14d7435ebbb /config/snort-dev/snort_alerts.php
parent: d3f4d86e26aa297416e85a8e99dd926e7e3a78af (diff)
download: pfsense-packages-f7a21ec39534b14fe3eb49f8925395ccb999ad12.tar.gz
pfsense-packages-f7a21ec39534b14fe3eb49f8925395ccb999ad12.tar.bz2
pfsense-packages-f7a21ec39534b14fe3eb49f8925395ccb999ad12.zip
1 files changed, 408 insertions, 33 deletions
diff --git a/config/snort-dev/snort_alerts.php b/config/snort-dev/snort_alerts.php
index d260aee9..fe466f6d 100644
--- a/config/snort-dev/snort_alerts.php
+++ b/config/snort-dev/snort_alerts.php
@@ -7,6 +7,9 @@
 	Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
 	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
 	All rights reserved.
+	
+	Modified for the Pfsense snort package by
+	Copyright (C) 2003 Robert Zelaya
 
 	Redistribution and use in source and binary forms, with or without
 	modification, are permitted provided that the following conditions are met:
@@ -32,13 +35,8 @@
 
 require("globals.inc");
 require("guiconfig.inc");
-require("/usr/local/pkg/snort/snort.inc");
 
-$snort_logfile = "{$g['varlog_path']}/snort/alert";
-
-$nentries = $config['syslog']['nentries'];
-if (!$nentries)
-	$nentries = 50;
+$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype'];
 
 if ($_POST['clear']) {
 	exec("killall syslogd");
@@ -49,11 +47,184 @@ if ($_POST['clear']) {
 	exec("/usr/bin/killall -HUP snort");
 }
 
+/* WARNING: took me forever to figure reg expression, dont lose */
+// $fileline = '12/09-18:12:02.086733  [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50';
+
+function get_snort_alert_date($fileline)
+{
+	/* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */
+	if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1))
+	{
+        $alert_date =  "$matches1[0]";
+	}
+
+return $alert_date;
+
+}
+
+function get_snort_alert_disc($fileline)
+{
+	/* disc */
+	if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
+	{
+        $alert_disc =  "$matches[2]";
+	}
+
+return $alert_disc;
+
+}
+
+function get_snort_alert_class($fileline)
+{
+	/* class */
+	if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2))
+	{
+        $alert_class = "$matches2[0]";
+	}
+
+return $alert_class;
+
+}
+
+function get_snort_alert_priority($fileline)
+{
+	/* Priority */
+	if (preg_match('/Priority:\s\d/', $fileline, $matches3))
+	{
+        $alert_priority = "$matches3[0]";
+	}
+
+return $alert_priority;
+
+}
+
+function get_snort_alert_proto($fileline)
+{
+	/* Priority */
+	if (preg_match('/\{.+\}/', $fileline, $matches3))
+	{
+        $alert_proto = "$matches3[0]";
+	}
+
+return $alert_proto;
+
+}
+
+function get_snort_alert_proto_full($fileline)
+{
+		/* Protocal full */
+		if (preg_match('/.+\sTTL/', $fileline, $matches2))
+		{
+			$alert_proto_full = "$matches2[0]";
+		}
+
+return $alert_proto_full;
+
+}
+
+function get_snort_alert_ip_src($fileline)
+{
+	/* SRC IP */
+	$re1='.*?';   # Non-greedy match on filler
+	$re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1
+
+	if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4))
+	{
+      $alert_ip_src = $matches4[1][0];
+	}
+
+return $alert_ip_src;
+
+}
+
+function get_snort_alert_src_p($fileline)
+{
+	/* source port */
+	if (preg_match('/:\d+\s/', $fileline, $matches5))
+	{
+        $alert_src_p = "$matches5[0]";
+	}
+
+return $alert_src_p;
+
+}
+
+function get_snort_alert_flow($fileline)
+{
+	/* source port */
+	if (preg_match('/(->|<-)/', $fileline, $matches5))
+	{
+        $alert_flow = "$matches5[0]";
+	}
+
+return $alert_flow;
+
+}
+
+function get_snort_alert_ip_dst($fileline)
+{
+	/* DST IP */
+	$re1dp='.*?';   # Non-greedy match on filler
+	$re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])';   # Uninteresting: ipaddress
+	$re3dp='.*?';   # Non-greedy match on filler
+	$re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1
+
+	if ($c=preg_match_all ("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches6))
+	{
+      $alert_ip_dst = $matches6[1][0];
+	}
+  
+return $alert_ip_dst;
+
+}
+  
+function get_snort_alert_dst_p($fileline)
+{ 
+	/* dst port */
+	if (preg_match('/:\d+$/', $fileline, $matches7))
+	{
+        $alert_dst_p = "$matches7[0]";
+	}
+
+return $alert_dst_p;
+
+}
+
+function get_snort_alert_dst_p_full($fileline)
+{ 
+	/* dst port full */
+	if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches7))
+	{
+        $alert_dst_p = "$matches7[0]";
+	}
+
+return $alert_dst_p;
+
+}
+
+function get_snort_alert_sid($fileline)
+{ 
+	/* SID */
+	if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches8))
+	{
+        $alert_sid = "$matches8[0]";
+	}
+
+return $alert_sid;
+
+}
+
+//
+
 $pgtitle = "Services: Snort: Snort Alerts";
 include("head.inc");
 
 ?>
 
+<link rel="stylesheet" href="/snort/style.css" type="text/css" media="all">
+<script type="text/javascript" src="/snort/mootools.js"></script>
+<script type="text/javascript" src="/snort/sortableTable.js"></script>
+
 <body link="#0000CC" vlink="#0000CC" alink="#0000CC">
 <?php include("fbegin.inc"); ?>
 <p class="pgtitle"><?=$pgtitle?></p>
@@ -76,40 +247,244 @@ include("head.inc");
 	<div id="mainarea">
 		<table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0">
 		  <tr>
-			<td colspan="2" class="listtopic">
+			<td colspan="1" class="listtopic">
+			<input name="clear" type="submit" class="formbtn" value="Clear log">
 			  Last <?=$nentries;?> Snort Alert entries</td>
 		  </tr>
-		  <?php dump_log_file($snort_logfile, $nentries); ?>
-			<tr><td><br><form action="snort_alerts.php" method="post">
-			<input name="clear" type="submit" class="formbtn" value="Clear log"></td></tr>
 		</table>
 	</div>
-	</form>
 	</td>
   </tr>
 </table>
-<?php include("fend.inc"); ?>
-<meta http-equiv="refresh" content="60;url=<?php print $_SERVER['SCRIPT_NAME']; ?>">
-</body>
-</html>
-<!-- <?php echo $snort_logfile; ?> -->
-
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+	  <td width="100%">
+	  <br>
+			<div class="tableFilter">
+		  		<form id="tableFilter" onsubmit="myTable.filter(this.id); return false;">Filter: 
+					<select id="column">
+						<option value="1">PRIORITY</option>
+						<option value="2">PROTO</option>
+						<option value="3">DESCRIPTION</option>
+						<option value="4">CLASS</option>
+						<option value="5">SRC</option>
+						<option value="6">SRC PORT</option>
+						<option value="7">FLOW</option>
+						<option value="8">DST</option>
+						<option value="9">DST PORT</option>
+						<option value="10">SID</option>
+						<option value="11">Date</option>
+					</select>
+					<input type="text" id="keyword" />
+					<input type="submit" value="Submit" />
+					<input type="reset" value="Clear" />
+				</form>
+		  </div>
+<table class="allRow" id="myTable" width="100%" border="2" cellpadding="1" cellspacing="1">
+		  	<thead>
+				<th axis="number">#</th>
+				<th axis="string">PRI</th>
+				<th axis="string">PROTO</th>
+				<th axis="string">DESCRIPTION</th>
+				<th axis="string">CLASS</th>
+				<th axis="string">SRC</th>
+				<th axis="string">SPORT</th>
+				<th axis="string">FLOW</th>
+				<th axis="string">DST</th>
+				<th axis="string">DPORT</th>
+				<th axis="string">SID</th>
+				<th axis="date">Date</th>
+			</thead>
+			<tbody>
 <?php
+	
+	$alerts = file_get_contents('/var/log/snort/alert');
+	$logent = '50';
+	
+	/* detect the alert file type */
+	if ($snortalertlogt == 'full')
+	{
+		$alerts_array = array_reverse(array_filter(explode("\n\n", $alerts)));
+	}else{
+		$alerts_array = array_reverse(split("\n", $alerts));
+	}
+	
+	$counter = 0;
+	foreach($alerts_array as $fileline)
+	{
+	if($logent <= $counter)
+    continue;
+	
+		$counter++;
+		
+		/* Date */
+		$alert_date_str = get_snort_alert_date($fileline);
+		
+			if($alert_date_str != '')
+			{
+				$alert_date = $alert_date_str;
+			}else{			
+				$alert_date = 'empty';
+			}
 
-function dump_log_file($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") {
-	global $g, $config;
-    $logarr = "";
-	exec("cat {$logfile} | /usr/bin/tail -n {$tail}", $logarr);
-    foreach ($logarr as $logent) {
-            if(!logent)
-            	continue;
-            $ww_logent = $logent;
-			$ww_logent = str_replace("[", " [ ", $ww_logent);
-			$ww_logent = str_replace("]", " ] ", $ww_logent);
-            echo "<tr valign=\"top\">\n";
-            echo "<td colspan=\"2\" class=\"listr\">" . make_clickable($ww_logent) . "&nbsp;</td>\n";
-            echo "</tr>\n";
-    }
-}
+		/* Discription */
+		$alert_disc_str = get_snort_alert_disc($fileline);
+		
+			if($alert_disc_str != '')
+			{
+				$alert_disc = $alert_disc_str;
+			}else{			
+				$alert_disc = 'empty';
+			}		
+		
+		/* Classification */
+		$alert_class_str = get_snort_alert_class($fileline);
+		
+			if($alert_class_str != '')
+			{
+
+				$alert_class_match = array('[Classification:',']'); 
+				$alert_class = str_replace($alert_class_match, '', "$alert_class_str");
+			}else{			
+				$alert_class = 'Prep';
+			}
+			
+		/* Priority */
+		$alert_priority_str = get_snort_alert_priority($fileline);
+		
+			if($alert_priority_str != '')
+			{
+				$alert_priority_match = array('Priority: ',']'); 
+				$alert_priority = str_replace($alert_priority_match, '', "$alert_priority_str");
+			}else{		
+				$alert_priority = 'empty';
+			}
+
+		/* Protocol */
+		/* Detect alert file type */
+	if ($snortalertlogt == 'full')
+	{
+		$alert_proto_str = get_snort_alert_proto_full($fileline);
+	}else{
+		$alert_proto_str = get_snort_alert_proto($fileline);
+	}
+
+			if($alert_proto_str != '')
+			{
+				$alert_proto_match = array(" TTL",'{','}'); 
+				$alert_proto = str_replace($alert_proto_match, '', "$alert_proto_str");
+			}else{
+				$alert_proto = 'empty';
+			}
+			
+		/* IP SRC */
+		$alert_ip_src_str = get_snort_alert_ip_src($fileline);
+		
+		if($alert_ip_src_str != '')
+		{
+			$alert_ip_src = $alert_ip_src_str;
+		}else{
+			$alert_ip_src = 'empty';
+		}	
+			
+		/* IP SRC Port */
+		$alert_src_p_str = get_snort_alert_src_p($fileline);
+			
+			if($alert_src_p_str != '')
+			{
+				$alert_src_p_match = array(' ',':'); 
+				$alert_src_p = str_replace($alert_src_p_match, '', "$alert_src_p_str");
+			}else{			
+				$alert_src_p = 'empty';
+			}			
+		
+		/* Flow */
+		$alert_flow_str = get_snort_alert_flow($fileline);
+		
+			if($alert_flow_str != '')
+			{
+				$alert_flow = $alert_flow_str;
+			}else{			
+				$alert_flow = 'empty';
+			}		
+		
+		/* IP Destination */
+		$alert_ip_dst_str = get_snort_alert_ip_dst($fileline);
+		
+		if($alert_ip_dst_str != '')
+		{
+			$alert_ip_dst = $alert_ip_dst_str;
+		}else{
+			$alert_ip_dst = 'empty';
+		}
+				
+		/* IP DST Port */
+	if ($snortalertlogt == 'full')
+	{
+		$alert_dst_p_str = get_snort_alert_dst_p_full($fileline);
+	}else{
+		$alert_dst_p_str = get_snort_alert_dst_p($fileline);
+	}
+	
+			if($alert_dst_p_str != '')
+			{
+				$alert_dst_p_match = array(':',"\n"," TTL");
+				$alert_dst_p_str2 = str_replace($alert_dst_p_match, '', "$alert_dst_p_str");
+				$alert_dst_p_match2 = array('/[A-Z]/');
+				$alert_dst_p = preg_replace($alert_dst_p_match2, '', "$alert_dst_p_str2");
+			}else{
+				$alert_dst_p = 'empty';
+			}
+
+		/* SID */
+		$alert_sid_str = get_snort_alert_sid($fileline);
+		
+			if($alert_sid_str != '')
+			{
+				$alert_sid_match = array('[',']'); 
+				$alert_sid = str_replace($alert_sid_match, '', "$alert_sid_str");
+			}else{
+				$alert_sid_str = 'empty';	
+			}
+		
+		/* NOTE: using one echo improves performance by 2x */
+		echo "<tr id=\"{$counter}\">
+				<td class=\"centerAlign\">{$counter}</td>
+				<td class=\"centerAlign\">{$alert_priority}</td>
+				<td class=\"centerAlign\">{$alert_proto}</td>
+				<td>{$alert_disc}</td>
+				<td class=\"centerAlign\">{$alert_class}</td>
+				<td>{$alert_ip_src}</td>
+				<td class=\"centerAlign\">{$alert_src_p}</td>
+				<td class=\"centerAlign\">{$alert_flow}</td>
+				<td>{$alert_ip_dst}</td>
+				<td class=\"centerAlign\">{$alert_dst_p}</td>
+				<td class=\"centerAlign\">{$alert_sid}</td>
+				<td>{$alert_date}</td>
+				</tr>\n";		
+		
+//		<script type="text/javascript">
+//			var myTable = {};
+//			window.addEvent('domready', function(){
+//				myTable = new sortableTable('myTable', {overCls: 'over', onClick: function(){alert(this.id)}});
+//			});
+//		</script>
+		
+	}
 
-?>
-\ No newline at end of file
+?>
+			</tbody>	
+		</table>
+	</td>
+</table>
+
+<?php include("fend.inc"); ?>
+
+		<script type="text/javascript">
+			var myTable = {};
+			window.addEvent('domready', function(){
+				myTable = new sortableTable('myTable', {overCls: 'over'});
+			});
+		</script>
+
+</body>
+</html>
+\ No newline at end of file
author	robiscool <robrob2626@yahoo.com>	2009-12-19 17:42:34 -0800
committer	robiscool <robrob2626@yahoo.com>	2009-12-19 17:43:42 -0800
commit	f7a21ec39534b14fe3eb49f8925395ccb999ad12 (patch)
tree	9e13f3d8c496e70440bd8b4eca45d14d7435ebbb /config/snort-dev/snort_alerts.php
parent	d3f4d86e26aa297416e85a8e99dd926e7e3a78af (diff)
download	pfsense-packages-f7a21ec39534b14fe3eb49f8925395ccb999ad12.tar.gz pfsense-packages-f7a21ec39534b14fe3eb49f8925395ccb999ad12.tar.bz2 pfsense-packages-f7a21ec39534b14fe3eb49f8925395ccb999ad12.zip