diff options
author | bmeeks8 <bmeeks8@bellsouth.net> | 2014-09-09 15:04:04 -0400 |
---|---|---|
committer | bmeeks8 <bmeeks8@bellsouth.net> | 2014-09-09 15:04:04 -0400 |
commit | 8c84e29191b2bf66d4ba8c389947032434f3f026 (patch) | |
tree | fe7c01c016e17cbe9180f39366660490b8ad55f6 /config/snort | |
parent | c389696337b68378965716fb75b9f15cf4fdc17b (diff) | |
download | pfsense-packages-8c84e29191b2bf66d4ba8c389947032434f3f026.tar.gz pfsense-packages-8c84e29191b2bf66d4ba8c389947032434f3f026.tar.bz2 pfsense-packages-8c84e29191b2bf66d4ba8c389947032434f3f026.zip |
Add filter dialog to ALERTS tab.
Diffstat (limited to 'config/snort')
-rwxr-xr-x | config/snort/snort_alerts.php | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index c04f4e31..241b43b3 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -42,6 +42,7 @@ require_once("/usr/local/pkg/snort/snort.inc"); $snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; $supplist = array(); $snortlogdir = SNORTLOGDIR; +$filterlogentries = FALSE; function snort_is_alert_globally_suppressed($list, $gid, $sid) { @@ -133,6 +134,32 @@ function snort_add_supplist_entry($suppress) { return false; } +function snort_escape_filter_regex($filtertext) { + /* If the caller (user) has not already put a backslash before a slash, to escape it in the regex, */ + /* then this will do it. Take out any "\/" already there, then turn all ordinary "/" into "\/". */ + return str_replace('/', '\/', str_replace('\/', '/', $filtertext)); +} + +function snort_match_filter_field($flent, $fields) { + foreach ($fields as $key => $field) { + if ($field == null) + continue; + if ((strpos($field, '!') === 0)) { + $field = substr($field, 1); + $field_regex = snort_escape_filter_regex($field); + if (@preg_match("/{$field_regex}/i", $flent[$key])) + return false; + } + else { + $field_regex = snort_escape_filter_regex($field); + if (!@preg_match("/{$field_regex}/i", $flent[$key])) + return false; + } + } + return true; +} + + if (isset($_POST['instance']) && is_numericint($_POST['instance'])) $instanceid = $_POST['instance']; elseif (isset($_GET['instance']) && is_numericint($_GET['instance'])) @@ -180,6 +207,35 @@ if (isset($_POST['resolve'])) { } # --- AJAX REVERSE DNS RESOLVE End --- +if ($_POST['filterlogentries_submit']) { + // Set flag for filtering alert entries + $filterlogentries = TRUE; + + // -- IMPORTANT -- + // Note the order of these fields must match the order decoded from the alerts log + $filterfieldsarray = array(); + $filterfieldsarray[0] = $_POST['filterlogentries_time'] ? $_POST['filterlogentries_time'] : null; + $filterfieldsarray[1] = $_POST['filterlogentries_gid'] ? $_POST['filterlogentries_gid'] : null; + $filterfieldsarray[2] = $_POST['filterlogentries_sid'] ? $_POST['filterlogentries_sid'] : null; + $filterfieldsarray[3] = null; + $filterfieldsarray[4] = $_POST['filterlogentries_description'] ? $_POST['filterlogentries_description'] : null; + $filterfieldsarray[5] = $_POST['filterlogentries_protocol'] ? $_POST['filterlogentries_protocol'] : null; + // Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation + $filterfieldsarray[6] = $_POST['filterlogentries_sourceipaddress'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_sourceipaddress']) : null; + $filterfieldsarray[7] = $_POST['filterlogentries_sourceport'] ? $_POST['filterlogentries_sourceport'] : null; + // Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation + $filterfieldsarray[8] = $_POST['filterlogentries_destinationipaddress'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_destinationipaddress']) : null; + $filterfieldsarray[9] = $_POST['filterlogentries_destinationport'] ? $_POST['filterlogentries_destinationport'] : null; + $filterfieldsarray[10] = null; + $filterfieldsarray[11] = $_POST['filterlogentries_classification'] ? $_POST['filterlogentries_classification'] : null; + $filterfieldsarray[12] = $_POST['filterlogentries_priority'] ? $_POST['filterlogentries_priority'] : null; +} + +if ($_POST['filterlogentries_clear']) { + $filterlogentries = TRUE; + $filterfieldsarray = array(); +} + if ($_POST['save']) { if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) $config['installedpackages']['snortglobal']['alertsblocks'] = array(); @@ -440,9 +496,97 @@ if ($savemsg) { </td> </tr> <tr> + <td colspan="2" class="listtopic"><?php echo gettext("Alert Log View Filter"); ?></td> + </tr> + <tr id="filter_enable_row" style="display:<?php if (!$filterlogentries) {echo "table-row;";} else {echo "none;";} ?>"> + <td width="22%" class="vncell"><?php echo gettext('Alert Log Filter Options'); ?></td> + <td width="78%" class="vtable"> + <input name="show_filter" id="show_filter" type="button" class="formbtns" value="<?=gettext("Show Filter");?>" onclick="enable_showFilter();" /> + <?=gettext("Click to display advanced filtering options dialog");?> + </td> + </tr> + <tr id="filter_options_row" style="display:<?php if (!$filterlogentries) {echo "none;";} else {echo "table-row;";} ?>"> + <td colspan="2"> + <table width="100%" border="0" cellpadding="0" cellspacing="1" summary="action"> + <tr> + <td valign="top"> + <div align="center"><?=gettext("Date");?></div> + <div align="center"><input id="filterlogentries_time" name="filterlogentries_time" class="formfld search" type="text" size="10" value="<?= $filterfieldsarray[0] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Source IP Address");?></div> + <div align="center"><input id="filterlogentries_sourceipaddress" name="filterlogentries_sourceipaddress" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[6] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Source Port");?></div> + <div align="center"><input id="filterlogentries_sourceport" name="filterlogentries_sourceport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[7] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Description");?></div> + <div align="center"><input id="filterlogentries_description" name="filterlogentries_description" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[4] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("GID");?></div> + <div align="center"><input id="filterlogentries_gid" name="filterlogentries_gid" class="formfld search" type="text" size="6" value="<?= $filterfieldsarray[1] ?>" /></div> + </td> + </tr> + <tr> + <td valign="top"> + <div align="center"><?=gettext("Priority");?></div> + <div align="center"><input id="filterlogentries_priority" name="filterlogentries_priority" class="formfld search" type="text" size="10" value="<?= $filterfieldsarray[12] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Destination IP Address");?></div> + <div align="center"><input id="filterlogentries_destinationipaddress" name="filterlogentries_destinationipaddress" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[8] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Destination Port");?></div> + <div align="center"><input id="filterlogentries_destinationport" name="filterlogentries_destinationport" class="formfld search" type="text" size="5" value="<?= $filterfieldsarray[9] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("Classification");?></div> + <div align="center"><input id="filterlogentries_classification" name="filterlogentries_classification" class="formfld search" type="text" size="28" value="<?= $filterfieldsarray[11] ?>" /></div> + </td> + <td valign="top"> + <div align="center"><?=gettext("SID");?></div> + <div align="center"><input id="filterlogentries_sid" name="filterlogentries_sid" class="formfld search" type="text" size="6" value="<?= $filterfieldsarray[2] ?>" /></div> + </td> + </tr> + <tr> + <td valign="top"> + <div align="center"><?=gettext("Protocol");?></div> + <div align="center"><input id="filterlogentries_protocol" name="filterlogentries_protocol" class="formfld search" type="text" size="10" value="<?= $filterfieldsarray[5] ?>" /></div> + </td> + <td valign="top"> + </td> + <td valign="top"> + </td> + <td colspan="2" style="vertical-align:bottom"> + <div align="right"><input id="filterlogentries_submit" name="filterlogentries_submit" type="submit" class="formbtns" value="<?=gettext("Filter");?>" title="<?=gettext("Apply filter"); ?>" /> + <input id="filterlogentries_clear" name="filterlogentries_clear" type="submit" class="formbtns" value="<?=gettext("Clear");?>" title="<?=gettext("Remove filter");?>" /> + <input id="filterlogentries_hide" name="filterlogentries_hide" type="button" class="formbtns" value="<?=gettext("Hide");?>" onclick="enable_hideFilter();" title="<?=gettext("Hide filter options");?>" /></div> + </td> + </tr> + <tr> + <td colspan="5" style="vertical-align:bottom"> + <?printf(gettext('Matches %1$s regular expression%2$s.'), '<a target="_blank" href="http://www.php.net/manual/en/book.pcre.php">', '</a>');?> + <?=gettext("Precede with exclamation (!) as first character to exclude match.");?> + </td> + </tr> + </table> + </td> + </tr> + <?php if ($filterlogentries) : ?> + <tr> + <td colspan="2" class="listtopic"><?php printf(gettext("Last %s Alert Entries"), $anentries); ?> + <?php echo gettext("(Most recent listed first) ** FILTERED VIEW ** clear filter to see all entries"); ?></td> + </tr> + <?php else: ?> + <tr> <td colspan="2" class="listtopic"><?php printf(gettext("Last %s Alert Entries"), $anentries); ?> <?php echo gettext("(Most recent entries are listed first)"); ?></td> </tr> + <?php endif; ?> <tr> <td width="100%" colspan="2"> <table id="myTable" style="table-layout: fixed;" width="100%" class="sortable" border="0" cellpadding="0" cellspacing="0"> @@ -488,6 +632,10 @@ if (file_exists("{$snortlogdir}/snort_{$if_real}{$snort_uuid}/alert")) { if(count($fields) < 13) continue; + if ($filterlogentries && !snort_match_filter_field($fields, $filterfieldsarray)) { + continue; + } + /* Time */ $alert_time = substr($fields[0], strpos($fields[0], '-')+1, -8); /* Date */ @@ -629,6 +777,17 @@ function encRuleSig(rulegid,rulesid,srcip,ruledescr) { document.getElementById("ip").value = srcip; document.getElementById("descr").value = ruledescr; } + +function enable_showFilter() { + document.getElementById("filter_enable_row").style.display="none"; + document.getElementById("filter_options_row").style.display="table-row"; +} + +function enable_hideFilter() { + document.getElementById("filter_enable_row").style.display="table-row"; + document.getElementById("filter_options_row").style.display="none"; +} + </script> <!-- The following AJAX code was borrowed from the diag_logs_filter.php --> |