aboutsummaryrefslogtreecommitdiffstats
path: root/config/suricata/suricata_alerts.widget.php
diff options
context:
space:
mode:
authorRenato Botelho <garga@FreeBSD.org>2014-12-18 10:34:23 -0200
committerRenato Botelho <garga@FreeBSD.org>2014-12-18 10:34:23 -0200
commit0ee05d2c4c649b542090c1bf7c5a19a489c87727 (patch)
tree66907c1f34c47f8fc0b9e2d5cf196ede8cc01255 /config/suricata/suricata_alerts.widget.php
parent890801af42cff66dbac8706f621256b8d454a234 (diff)
parenta2f13165124c996db817e75f9edc3087e756b840 (diff)
downloadpfsense-packages-0ee05d2c4c649b542090c1bf7c5a19a489c87727.tar.gz
pfsense-packages-0ee05d2c4c649b542090c1bf7c5a19a489c87727.tar.bz2
pfsense-packages-0ee05d2c4c649b542090c1bf7c5a19a489c87727.zip
Merge pull request #752 from bmeeks8/suricata-2.0.4-v2.1
Diffstat (limited to 'config/suricata/suricata_alerts.widget.php')
-rw-r--r--config/suricata/suricata_alerts.widget.php71
1 files changed, 37 insertions, 34 deletions
diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php
index bc7a0e2a..81d17c2e 100644
--- a/config/suricata/suricata_alerts.widget.php
+++ b/config/suricata/suricata_alerts.widget.php
@@ -81,7 +81,7 @@ if (isset($_GET['getNewAlerts'])) {
$counter = 0;
foreach ($suri_alerts as $a) {
$response .= $a['instanceid'] . " " . $a['dateonly'] . "||" . $a['timeonly'] . "||" . $a['src'] . "||";
- $response .= $a['dst'] . "||" . $a['priority'] . "||" . $a['category'] . "\n";
+ $response .= $a['dst'] . "||" . $a['msg'] . "\n";
$counter++;
if($counter >= $suri_nentries)
break;
@@ -116,7 +116,7 @@ function suricata_widget_get_alerts() {
/*************** FORMAT without CSV patch -- ALERT -- ***********************************************************************************/
/* Line format: timestamp action[**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] {proto} src:srcport -> dst:dstport */
- /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
+ /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
/****************************************************************************************************************************************/
/**************** FORMAT without CSV patch -- DECODER EVENT -- **************************************************************************/
@@ -134,37 +134,41 @@ function suricata_widget_get_alerts() {
$fields[0] = substr($buf, 0, strpos($buf, ' '));
// The regular expression match below returns an array as follows:
- // [1] => CLASSIFICATION, [2] = PRIORITY
- preg_match('/\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp);
- $fields[6] = trim($tmp[1]);
- $fields[7] = trim($tmp[2]);
+ // [2] => GID, [3] => SID, [4] => REV, [5] => MSG, [6] => CLASSIFICATION, [7] = PRIORITY
+ preg_match('/\[\*{2}\]\s\[((\d+):(\d+):(\d+))\]\s(.*)\[\*{2}\]\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp);
+ $fields['gid'] = trim($tmp[2]);
+ $fields['sid'] = trim($tmp[3]);
+ $fields['rev'] = trim($tmp[4]);
+ $fields['msg'] = trim($tmp[5]);
+ $fields['class'] = trim($tmp[6]);
+ $fields['priority'] = trim($tmp[7]);
// The regular expression match below looks for the PROTO, SRC and DST fields
// and returns an array as follows:
// [1] = PROTO, [2] => SRC:SPORT [3] => DST:DPORT
if (preg_match('/\{(.*)\}\s(.*)\s->\s(.*)/', $buf, $tmp)) {
// Get SRC
- $fields[9] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':')));
- if (is_ipaddrv6($fields[9]))
- $fields[9] = inet_ntop(inet_pton($fields[9]));
+ $fields['src'] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':')));
+ if (is_ipaddrv6($fields['src']))
+ $fields['src'] = inet_ntop(inet_pton($fields['src']));
// Get SPORT
- $fields[10] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1));
+ $fields['sport'] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1));
// Get DST
- $fields[11] = trim(substr($tmp[3], 0, strrpos($tmp[3], ':')));
- if (is_ipaddrv6($fields[11]))
- $fields[11] = inet_ntop(inet_pton($fields[11]));
+ $fields['dst'] = trim(substr($tmp[3], 0, strrpos($tmp[3], ':')));
+ if (is_ipaddrv6($fields['dst']))
+ $fields['dst'] = inet_ntop(inet_pton($fields['dst']));
// Get DPORT
- $fields[12] = trim(substr($tmp[3], strrpos($tmp[3], ':') + 1));
+ $fields['dport'] = trim(substr($tmp[3], strrpos($tmp[3], ':') + 1));
}
else {
// If no PROTO and IP ADDR, then this is a DECODER EVENT
- $fields[9] = gettext("Decoder Event");
- $fields[10] = "";
- $fields[11] = "";
- $fields[12] = "";
+ $fields['src'] = gettext("Decoder Event");
+ $fields['sport'] = "";
+ $fields['dst'] = "";
+ $fields['dport'] = "";
}
// Create a DateTime object from the event timestamp that
@@ -173,31 +177,30 @@ function suricata_widget_get_alerts() {
// Check the 'CATEGORY' field for the text "(null)" and
// substitute "No classtype defined".
- if ($fields[6] == "(null)")
- $fields[6] = "No classtype assigned";
+ if ($fields['class'] == "(null)")
+ $fields['class'] = "No classtype assigned";
$suricata_alerts[$counter]['instanceid'] = strtoupper(convert_friendly_interface_to_friendly_descr($a_instance[$instanceid]['interface']));
$suricata_alerts[$counter]['timestamp'] = strval(date_timestamp_get($event_tm));
$suricata_alerts[$counter]['timeonly'] = date_format($event_tm, "H:i:s");
$suricata_alerts[$counter]['dateonly'] = date_format($event_tm, "M d");
+ $suricata_alerts[$counter]['msg'] = $fields['msg'];
// Add square brackets around any IPv6 address
- if (is_ipaddrv6($fields[9]))
- $suricata_alerts[$counter]['src'] = "[" . $fields[9] . "]";
+ if (is_ipaddrv6($fields['src']))
+ $suricata_alerts[$counter]['src'] = "[" . $fields['src'] . "]";
else
- $suricata_alerts[$counter]['src'] = $fields[9];
+ $suricata_alerts[$counter]['src'] = $fields['src'];
// Add the SRC PORT if not null
- if (!empty($fields[10]) || $fields[10] == '0')
- $suricata_alerts[$counter]['src'] .= ":" . $fields[10];
+ if (!empty($fields['sport']) || $fields['sport'] == '0')
+ $suricata_alerts[$counter]['src'] .= ":" . $fields['sport'];
// Add square brackets around any IPv6 address
- if (is_ipaddrv6($fields[11]))
- $suricata_alerts[$counter]['dst'] = "[" . $fields[11] . "]";
+ if (is_ipaddrv6($fields['dst']))
+ $suricata_alerts[$counter]['dst'] = "[" . $fields['dst'] . "]";
else
- $suricata_alerts[$counter]['dst'] = $fields[11];
+ $suricata_alerts[$counter]['dst'] = $fields['dst'];
// Add the DST PORT if not null
- if (!empty($fields[12]) || $fields[12] == '0')
- $suricata_alerts[$counter]['dst'] .= ":" . $fields[12];
- $suricata_alerts[$counter]['priority'] = $fields[7];
- $suricata_alerts[$counter]['category'] = $fields[6];
+ if (!empty($fields['dport']) || $fields['dport'] == '0')
+ $suricata_alerts[$counter]['dst'] .= ":" . $fields['dport'];
$counter++;
};
fclose($fd);
@@ -238,7 +241,7 @@ function suricata_widget_get_alerts() {
<tr>
<th class="listhdrr"><?=gettext("IF/Date");?></th>
<th class="listhdrr"><?=gettext("Src/Dst Address");?></th>
- <th class="listhdrr"><?=gettext("Priority/Class");?></th>
+ <th class="listhdrr"><?=gettext("Description");?></th>
</tr>
</thead>
<tbody id="suricata-alert-entries">
@@ -251,7 +254,7 @@ function suricata_widget_get_alerts() {
echo(" <tr class='" . $evenRowClass . "'>
<td class='listMRr'>" . $alert['instanceid'] . " " . $alert['dateonly'] . "<br/>" . $alert['timeonly'] . "</td>
<td class='listMRr ellipsis' nowrap><div style='display:inline;' title='" . $alert['src'] . "'>" . $alert['src'] . "</div><br/><div style='display:inline;' title='" . $alert['dst'] . "'>" . $alert['dst'] . "</div></td>
- <td class='listMRr'>Pri: " . $alert['priority'] . " " . $alert['category'] . "</td></tr>");
+ <td class='listMRr'><div style='display: fixed; display: -webkit-box; -webkit-line-clamp: 2; -webkit-box-orient: vertical; line-height: 1.2em; max-height: 2.4em; overflow: hidden; text-overflow: ellipsis;' title='{$alert['msg']}'>" . $alert['msg'] . "</div></td></tr>");
$counter++;
if($counter >= $suri_nentries)
break;