Upgrade Suricata to 2.0.3 and GUI package to v2.0

author: bmeeks8 <bmeeks8@bellsouth.net> 2014-08-26 21:39:21 -0400
committer: bmeeks8 <bmeeks8@bellsouth.net> 2014-08-26 21:39:21 -0400
commit: 6c0d365bdb5f4e4fdc2bf57561178573be5a36cc (patch)
tree: 852a5adf349b2bfd0d0d10eb78d0ccdc27cb96e2 /config/suricata/suricata_alerts.widget.php
parent: b14db5bbe8bb9aef91ad642943bb9d0b31b27064 (diff)
download: pfsense-packages-6c0d365bdb5f4e4fdc2bf57561178573be5a36cc.tar.gz
pfsense-packages-6c0d365bdb5f4e4fdc2bf57561178573be5a36cc.tar.bz2
pfsense-packages-6c0d365bdb5f4e4fdc2bf57561178573be5a36cc.zip
1 files changed, 59 insertions, 13 deletions
diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php
index 21fad03d..776cead9 100644
--- a/config/suricata/suricata_alerts.widget.php
+++ b/config/suricata/suricata_alerts.widget.php
@@ -42,8 +42,8 @@ if (!is_array($config['installedpackages']['suricata']['rule']))
 $a_instance = &$config['installedpackages']['suricata']['rule'];
 
 /* array sorting */
-function sksort(&$array, $subkey="id", $sort_ascending=false) {
-        /* an empty array causes sksort to fail - this test alleviates the error */
+function suricata_sksort(&$array, $subkey="id", $sort_ascending=false) {
+        /* an empty array causes suricata_sksort to fail - this test alleviates the error */
 	if(empty($array))
 	        return false;
 	if (count($array)){
@@ -114,12 +114,58 @@ function suricata_widget_get_alerts() {
 			exec("tail -{$suri_nentries} -r /var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > /tmp/surialerts_{$suricata_uuid}");
 			if (file_exists("/tmp/surialerts_{$suricata_uuid}")) {
 
-				/*              0         1      2             3      4       5   6              7        8     9   10      11  12      */
-				/* File format: timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,src,srcport,dst,dstport */
+				/*************** FORMAT without CSV patch -- ALERT -- ***********************************************************************************/
+				/* Line format: timestamp  action[**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] {proto} src:srcport -> dst:dstport */
+				/*             0          1           2   3   4    5                         6                 7     8      9   10         11  12       */
+				/****************************************************************************************************************************************/
+
+				/**************** FORMAT without CSV patch -- DECODER EVENT -- **************************************************************************/
+				/* Line format: timestamp  action[**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] [**] [Raw pkt: ...]                */
+				/*              0          1           2   3   4    5                         6                 7                                       */
+				/************** *************************************************************************************************************************/
+
 				$fd = fopen("/tmp/surialerts_{$suricata_uuid}", "r");
-				while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
-					if(count($fields) < 13)
-						continue;
+				$buf = "";
+				while (($buf = fgets($fd)) !== FALSE) {
+					$fields = array();
+					$tmp = array();
+
+					// Parse alert log entry to find the parts we want to display
+					$fields[0] = substr($buf, 0, strpos($buf, '  '));
+
+					// The regular expression match below returns an array as follows:
+					// [1] => CLASSIFICATION, [2] = PRIORITY
+					preg_match('/\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp);
+					$fields[6] = trim($tmp[1]);
+					$fields[7] = trim($tmp[2]);
+
+					// The regular expression match below looks for the PROTO, SRC and DST fields
+					// and returns an array as follows:
+					// [1] = PROTO, [2] => SRC:SPORT [3] => DST:DPORT
+					if (preg_match('/\{(.*)\}\s(.*)\s->\s(.*)/', $buf, $tmp)) {
+						// Get SRC
+						$fields[9] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':')));
+						if (is_ipaddrv6($fields[9]))
+							$fields[9] = inet_ntop(inet_pton($fields[9]));
+
+						// Get SPORT
+						$fields[10] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1));
+
+						// Get DST
+						$fields[11] = trim(substr($tmp[3], 0, strrpos($tmp[3], ':')));
+						if (is_ipaddrv6($fields[11]))
+							$fields[11] = inet_ntop(inet_pton($fields[11]));
+
+						// Get DPORT
+						$fields[12] = trim(substr($tmp[3], strrpos($tmp[3], ':') + 1));
+					}
+					else {
+						// If no PROTO and IP ADDR, then this is a DECODER EVENT
+						$fields[9] = gettext("Decoder Event");
+						$fields[10] = "";
+						$fields[11] = "";
+						$fields[12] = "";
+					}
 
 					// Create a DateTime object from the event timestamp that
 					// we can use to easily manipulate output formats.
@@ -130,7 +176,7 @@ function suricata_widget_get_alerts() {
 					if ($fields[6] == "(null)")
 						$fields[6] = "No classtype assigned";
 
-					$suricata_alerts[$counter]['instanceid'] = strtoupper($a_instance[$instanceid]['interface']);
+					$suricata_alerts[$counter]['instanceid'] = strtoupper(convert_friendly_interface_to_friendly_descr($a_instance[$instanceid]['interface']));
 					$suricata_alerts[$counter]['timestamp'] = strval(date_timestamp_get($event_tm));
 					$suricata_alerts[$counter]['timeonly'] = date_format($event_tm, "H:i:s");
 					$suricata_alerts[$counter]['dateonly'] = date_format($event_tm, "M d");
@@ -140,15 +186,15 @@ function suricata_widget_get_alerts() {
 					else
 						$suricata_alerts[$counter]['src'] = $fields[9];
 					// Add the SRC PORT if not null
-					if (!empty($fields[10]))					
+					if (!empty($fields[10]) || $fields[10] == '0')					
 						$suricata_alerts[$counter]['src'] .= ":" . $fields[10];
 					// Add square brackets around any IPv6 address
 					if (is_ipaddrv6($fields[11]))
 						$suricata_alerts[$counter]['dst'] = "[" . $fields[11] . "]";
 					else
 						$suricata_alerts[$counter]['dst'] = $fields[11];
-					// Add the SRC PORT if not null
-					if (!empty($fields[12]))
+					// Add the DST PORT if not null
+					if (!empty($fields[12]) || $fields[12] == '0')
 						$suricata_alerts[$counter]['dst'] .= ":" . $fields[12];
 					$suricata_alerts[$counter]['priority'] = $fields[7];
 					$suricata_alerts[$counter]['category'] = $fields[6];
@@ -162,9 +208,9 @@ function suricata_widget_get_alerts() {
 
 	// Sort the alerts array
 	if (isset($config['syslog']['reverse'])) {
-		sksort($suricata_alerts, 'timestamp', false);
+		suricata_sksort($suricata_alerts, 'timestamp', false);
 	} else {
-		sksort($suricata_alerts, 'timestamp', true);
+		suricata_sksort($suricata_alerts, 'timestamp', true);
 	}
 
 	return $suricata_alerts;
author	bmeeks8 <bmeeks8@bellsouth.net>	2014-08-26 21:39:21 -0400
committer	bmeeks8 <bmeeks8@bellsouth.net>	2014-08-26 21:39:21 -0400
commit	6c0d365bdb5f4e4fdc2bf57561178573be5a36cc (patch)
tree	852a5adf349b2bfd0d0d10eb78d0ccdc27cb96e2 /config/suricata/suricata_alerts.widget.php
parent	b14db5bbe8bb9aef91ad642943bb9d0b31b27064 (diff)
download	pfsense-packages-6c0d365bdb5f4e4fdc2bf57561178573be5a36cc.tar.gz pfsense-packages-6c0d365bdb5f4e4fdc2bf57561178573be5a36cc.tar.bz2 pfsense-packages-6c0d365bdb5f4e4fdc2bf57561178573be5a36cc.zip