Update BLOCKED tab to accept new block.log file formatting.

1 files changed, 60 insertions, 12 deletions

diff --git a/config/suricata/suricata_blocked.php b/config/suricata/suricata_blocked.php
index c3a0c1e3..a091835d 100644
--- a/config/suricata/suricata_blocked.php
+++ b/config/suricata/suricata_blocked.php
@@ -259,19 +259,67 @@ if ($savemsg) {
 			foreach (glob("{$suricatalogdir}*/block.log*") as $alertfile) {
 				$fd = fopen($alertfile, "r");
 				if ($fd) {
-					/*	       0         1      2             3      4       5   6              7        8     9  10   */
-					/* File format timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,ip,port */
-					while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
-						if(count($fields) != 11) {
-							log_error("[suricata] ERROR: block.log entry failed to parse correctly with too many or not enough CSV entities, skipping this entry...");
-							log_error("[suricata] Failed block.log entry fields are: " . print_r($fields, true));
-							continue;
+
+					/*************** FORMAT for file -- BLOCK -- **************************************************************************/
+					/* Line format: timestamp  action [**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] {proto} ip:port */
+					/*              0          1            2   3   4    5                         6                 7     8      9  10   */
+					/**********************************************************************************************************************/
+
+					$buf = "";
+					while (($buf = fgets($fd)) !== FALSE) {
+						$fields = array();
+						$tmp = array();
+
+						/***************************************************************/
+						/* Parse block log entry to find the parts we want to display. */
+						/* We parse out all the fields even though we currently use    */
+						/* just a few of them.                                         */
+						/***************************************************************/
+
+						// Field 0 is the event timestamp
+						$fields['time'] = substr($buf, 0, strpos($buf, '  '));
+
+						// Field 1 is the action
+						if (strpos($buf, '[') !== FALSE && strpos($buf, ']') !== FALSE)
+							$fields['action'] = substr($buf, strpos($buf, '[') + 1, strpos($buf, ']') - strpos($buf, '[') - 1);
+						else
+							$fields['action'] = null;
+
+						// The regular expression match below returns an array as follows:
+						// [2] => GID, [3] => SID, [4] => REV, [5] => MSG, [6] => CLASSIFICATION, [7] = PRIORITY
+						preg_match('/\[\*{2}\]\s\[((\d+):(\d+):(\d+))\]\s(.*)\[\*{2}\]\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp);
+						$fields['gid'] = trim($tmp[2]);
+						$fields['sid'] = trim($tmp[3]);
+						$fields['rev'] = trim($tmp[4]);
+						$fields['msg'] = trim($tmp[5]);
+						$fields['class'] = trim($tmp[6]);
+						$fields['priority'] = trim($tmp[7]);
+
+						// The regular expression match below looks for the PROTO, IP and PORT fields
+						// and returns an array as follows:
+						// [1] = PROTO, [2] => IP:PORT
+						if (preg_match('/\{(.*)\}\s(.*)/', $buf, $tmp)) {
+							// Get PROTO
+							$fields['proto'] = trim($tmp[1]);
+
+							// Get IP
+							$fields['ip'] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':')));
+							if (is_ipaddrv6($fields['ip']))
+								$fields['ip'] = inet_ntop(inet_pton($fields['ip']));
+
+							// Get PORT
+							$fields['port'] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1));
 						}
-						$fields[9] = inet_pton($fields[9]);
-						if (isset($tmpblocked[$fields[9]])) {
-							if (!is_array($src_ip_list[$fields[9]]))
-								$src_ip_list[$fields[9]] = array();
-							$src_ip_list[$fields[9]][$fields[5]] = "{$fields[5]} - " . substr($fields[0], 0, -7);
+
+						// In the unlikely event we read an old log file and fail to parse
+						// out an IP address, just skip the record since we can't use it.
+						if (empty($fields['ip']))
+							continue;
+						$fields['ip'] = inet_pton($fields['ip']);
+						if (isset($tmpblocked[$fields['ip']])) {
+							if (!is_array($src_ip_list[$fields['ip']]))
+								$src_ip_list[$fields['ip']] = array();
+							$src_ip_list[$fields['ip']][$fields['msg']] = "{$fields['msg']} - " . substr($fields['time'], 0, -7);
 						}
 					}
 					fclose($fd);