diff options
author | Renato Botelho <garga@FreeBSD.org> | 2014-12-18 10:34:23 -0200 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-12-18 10:34:23 -0200 |
commit | 0ee05d2c4c649b542090c1bf7c5a19a489c87727 (patch) | |
tree | 66907c1f34c47f8fc0b9e2d5cf196ede8cc01255 /config/suricata/suricata_alerts.widget.php | |
parent | 890801af42cff66dbac8706f621256b8d454a234 (diff) | |
parent | a2f13165124c996db817e75f9edc3087e756b840 (diff) | |
download | pfsense-packages-0ee05d2c4c649b542090c1bf7c5a19a489c87727.tar.gz pfsense-packages-0ee05d2c4c649b542090c1bf7c5a19a489c87727.tar.bz2 pfsense-packages-0ee05d2c4c649b542090c1bf7c5a19a489c87727.zip |
Merge pull request #752 from bmeeks8/suricata-2.0.4-v2.1
Diffstat (limited to 'config/suricata/suricata_alerts.widget.php')
-rw-r--r-- | config/suricata/suricata_alerts.widget.php | 71 |
1 files changed, 37 insertions, 34 deletions
diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php index bc7a0e2a..81d17c2e 100644 --- a/config/suricata/suricata_alerts.widget.php +++ b/config/suricata/suricata_alerts.widget.php @@ -81,7 +81,7 @@ if (isset($_GET['getNewAlerts'])) { $counter = 0; foreach ($suri_alerts as $a) { $response .= $a['instanceid'] . " " . $a['dateonly'] . "||" . $a['timeonly'] . "||" . $a['src'] . "||"; - $response .= $a['dst'] . "||" . $a['priority'] . "||" . $a['category'] . "\n"; + $response .= $a['dst'] . "||" . $a['msg'] . "\n"; $counter++; if($counter >= $suri_nentries) break; @@ -116,7 +116,7 @@ function suricata_widget_get_alerts() { /*************** FORMAT without CSV patch -- ALERT -- ***********************************************************************************/ /* Line format: timestamp action[**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] {proto} src:srcport -> dst:dstport */ - /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ + /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ /****************************************************************************************************************************************/ /**************** FORMAT without CSV patch -- DECODER EVENT -- **************************************************************************/ @@ -134,37 +134,41 @@ function suricata_widget_get_alerts() { $fields[0] = substr($buf, 0, strpos($buf, ' ')); // The regular expression match below returns an array as follows: - // [1] => CLASSIFICATION, [2] = PRIORITY - preg_match('/\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp); - $fields[6] = trim($tmp[1]); - $fields[7] = trim($tmp[2]); + // [2] => GID, [3] => SID, [4] => REV, [5] => MSG, [6] => CLASSIFICATION, [7] = PRIORITY + preg_match('/\[\*{2}\]\s\[((\d+):(\d+):(\d+))\]\s(.*)\[\*{2}\]\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp); + $fields['gid'] = trim($tmp[2]); + $fields['sid'] = trim($tmp[3]); + $fields['rev'] = trim($tmp[4]); + $fields['msg'] = trim($tmp[5]); + $fields['class'] = trim($tmp[6]); + $fields['priority'] = trim($tmp[7]); // The regular expression match below looks for the PROTO, SRC and DST fields // and returns an array as follows: // [1] = PROTO, [2] => SRC:SPORT [3] => DST:DPORT if (preg_match('/\{(.*)\}\s(.*)\s->\s(.*)/', $buf, $tmp)) { // Get SRC - $fields[9] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':'))); - if (is_ipaddrv6($fields[9])) - $fields[9] = inet_ntop(inet_pton($fields[9])); + $fields['src'] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':'))); + if (is_ipaddrv6($fields['src'])) + $fields['src'] = inet_ntop(inet_pton($fields['src'])); // Get SPORT - $fields[10] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1)); + $fields['sport'] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1)); // Get DST - $fields[11] = trim(substr($tmp[3], 0, strrpos($tmp[3], ':'))); - if (is_ipaddrv6($fields[11])) - $fields[11] = inet_ntop(inet_pton($fields[11])); + $fields['dst'] = trim(substr($tmp[3], 0, strrpos($tmp[3], ':'))); + if (is_ipaddrv6($fields['dst'])) + $fields['dst'] = inet_ntop(inet_pton($fields['dst'])); // Get DPORT - $fields[12] = trim(substr($tmp[3], strrpos($tmp[3], ':') + 1)); + $fields['dport'] = trim(substr($tmp[3], strrpos($tmp[3], ':') + 1)); } else { // If no PROTO and IP ADDR, then this is a DECODER EVENT - $fields[9] = gettext("Decoder Event"); - $fields[10] = ""; - $fields[11] = ""; - $fields[12] = ""; + $fields['src'] = gettext("Decoder Event"); + $fields['sport'] = ""; + $fields['dst'] = ""; + $fields['dport'] = ""; } // Create a DateTime object from the event timestamp that @@ -173,31 +177,30 @@ function suricata_widget_get_alerts() { // Check the 'CATEGORY' field for the text "(null)" and // substitute "No classtype defined". - if ($fields[6] == "(null)") - $fields[6] = "No classtype assigned"; + if ($fields['class'] == "(null)") + $fields['class'] = "No classtype assigned"; $suricata_alerts[$counter]['instanceid'] = strtoupper(convert_friendly_interface_to_friendly_descr($a_instance[$instanceid]['interface'])); $suricata_alerts[$counter]['timestamp'] = strval(date_timestamp_get($event_tm)); $suricata_alerts[$counter]['timeonly'] = date_format($event_tm, "H:i:s"); $suricata_alerts[$counter]['dateonly'] = date_format($event_tm, "M d"); + $suricata_alerts[$counter]['msg'] = $fields['msg']; // Add square brackets around any IPv6 address - if (is_ipaddrv6($fields[9])) - $suricata_alerts[$counter]['src'] = "[" . $fields[9] . "]"; + if (is_ipaddrv6($fields['src'])) + $suricata_alerts[$counter]['src'] = "[" . $fields['src'] . "]"; else - $suricata_alerts[$counter]['src'] = $fields[9]; + $suricata_alerts[$counter]['src'] = $fields['src']; // Add the SRC PORT if not null - if (!empty($fields[10]) || $fields[10] == '0') - $suricata_alerts[$counter]['src'] .= ":" . $fields[10]; + if (!empty($fields['sport']) || $fields['sport'] == '0') + $suricata_alerts[$counter]['src'] .= ":" . $fields['sport']; // Add square brackets around any IPv6 address - if (is_ipaddrv6($fields[11])) - $suricata_alerts[$counter]['dst'] = "[" . $fields[11] . "]"; + if (is_ipaddrv6($fields['dst'])) + $suricata_alerts[$counter]['dst'] = "[" . $fields['dst'] . "]"; else - $suricata_alerts[$counter]['dst'] = $fields[11]; + $suricata_alerts[$counter]['dst'] = $fields['dst']; // Add the DST PORT if not null - if (!empty($fields[12]) || $fields[12] == '0') - $suricata_alerts[$counter]['dst'] .= ":" . $fields[12]; - $suricata_alerts[$counter]['priority'] = $fields[7]; - $suricata_alerts[$counter]['category'] = $fields[6]; + if (!empty($fields['dport']) || $fields['dport'] == '0') + $suricata_alerts[$counter]['dst'] .= ":" . $fields['dport']; $counter++; }; fclose($fd); @@ -238,7 +241,7 @@ function suricata_widget_get_alerts() { <tr> <th class="listhdrr"><?=gettext("IF/Date");?></th> <th class="listhdrr"><?=gettext("Src/Dst Address");?></th> - <th class="listhdrr"><?=gettext("Priority/Class");?></th> + <th class="listhdrr"><?=gettext("Description");?></th> </tr> </thead> <tbody id="suricata-alert-entries"> @@ -251,7 +254,7 @@ function suricata_widget_get_alerts() { echo(" <tr class='" . $evenRowClass . "'> <td class='listMRr'>" . $alert['instanceid'] . " " . $alert['dateonly'] . "<br/>" . $alert['timeonly'] . "</td> <td class='listMRr ellipsis' nowrap><div style='display:inline;' title='" . $alert['src'] . "'>" . $alert['src'] . "</div><br/><div style='display:inline;' title='" . $alert['dst'] . "'>" . $alert['dst'] . "</div></td> - <td class='listMRr'>Pri: " . $alert['priority'] . " " . $alert['category'] . "</td></tr>"); + <td class='listMRr'><div style='display: fixed; display: -webkit-box; -webkit-line-clamp: 2; -webkit-box-orient: vertical; line-height: 1.2em; max-height: 2.4em; overflow: hidden; text-overflow: ellipsis;' title='{$alert['msg']}'>" . $alert['msg'] . "</div></td></tr>"); $counter++; if($counter >= $suri_nentries) break; |