authorbmeeks8 <bmeeks8@bellsouth.net>2014-02-28 20:21:17 -0500
committerbmeeks8 <bmeeks8@bellsouth.net>2014-02-28 20:21:17 -0500
commitf0fd2cb8f5b76369a28467c93cc1c5b7c331191a (patch)
treecb0753d0df12fba4005757f2ed9cf4ed7733bef1 /config/suricata
parent0594cd5b8ba84362a091d1dc93352c62605a33ab (diff)
Add built-in Dashboard Widget for Suricata and make it persistent.
Diffstat (limited to 'config/suricata')
-rw-r--r--config/suricata/suricata_alerts.js92
-rw-r--r--config/suricata/suricata_alerts.widget.php213
-rw-r--r--config/suricata/suricata_post_install.php10
-rw-r--r--config/suricata/suricata_uninstall.php25
-rw-r--r--config/suricata/widget-suricata.inc8
5 files changed, 346 insertions, 2 deletions
diff --git a/config/suricata/suricata_alerts.js b/config/suricata/suricata_alerts.js
new file mode 100644
index 00000000..7678656d
--- /dev/null
+++ b/config/suricata/suricata_alerts.js
@@ -0,0 +1,92 @@
+
+var suricatalines = Array();
+var suricatatimer;
+var suricataisBusy = false;
+var suricataisPaused = false;
+
+function suricata_alerts_fetch_new_rules() {
+
+ //get new alerts from suricata_alerts.widget.php
+ url = "/widgets/widgets/suricata_alerts.widget.php?getNewAlerts=1" + new Date().getTime();
+
+ jQuery.ajax(url, {
+ type: 'GET',
+ success: function(callback_data) {
+ var data_split;
+ var new_data_to_add = Array();
+ var data = callback_data;
+
+ data_split = data.split("\n");
+
+ // Loop through rows and generate replacement HTML
+ for(var x=0; x<data_split.length-1; x++) {
+ row_split = data_split[x].split("||");
+ var line = '';
+ line = '<td width="22%" class="listMRr" nowrap>' + row_split[0] + '<br/>' + row_split[1] + '</td>';
+ line += '<td width="39%" class="listMRr">' + row_split[2] + '<br/>' + row_split[3] + '</td>';
+ line += '<td width="39%" class="listMRr">' + 'Priority: ' + row_split[4] + '<br/>' + row_split[5] + '</td>';
+ new_data_to_add[new_data_to_add.length] = line;
+ }
+ suricata_alerts_update_div_rows(new_data_to_add);
+ suricataisBusy = false;
+ }
+ });
+}
+function suricata_alerts_update_div_rows(data) {
+ if(suricataisPaused)
+ return;
+
+ var isIE = navigator.appName.indexOf('Microsoft') != -1;
+ var isSafari = navigator.userAgent.indexOf('Safari') != -1;
+ var isOpera = navigator.userAgent.indexOf('Opera') != -1;
+
+ var rows = jQuery('#suricata-alert-entries>tr');
+
+ // Number of rows to move by
+ var move = rows.length + data.length - nentries;
+ if (move < 0)
+ move = 0;
+
+ for (var i = move; i < rows.length; i++) {
+ jQuery(rows[i - move]).html(jQuery(rows[i]).html());
+ }
+
+ var tbody = jQuery('#suricata-alert-entries');
+ for (var i = 0; i < data.length; i++) {
+ var rowIndex = rows.length - move + i;
+ if (rowIndex < rows.length) {
+ jQuery(rows[rowIndex]).html(data[i]);
+ } else {
+ jQuery(tbody).append('<tr>' + data[i] + '</tr>');
+ }
+ }
+
+ // Add the even/odd class to each of the rows now
+ // they have all been added.
+ rows = jQuery('#suricata-alert-entries>tr');
+ for (var i = 0; i < rows.length; i++) {
+ rows[i].className = i % 2 == 0 ? 'listMRodd' : 'listMReven';
+ }
+}
+
+function fetch_new_surialerts() {
+ if(suricataisPaused)
+ return;
+ if(suricataisBusy)
+ return;
+
+ //get new alerts from suricata_alerts.widget.php
+ suricataisBusy = true;
+ suricata_alerts_fetch_new_rules();
+}
+
+function suricata_alerts_toggle_pause() {
+ if(suricataisPaused) {
+ suricataisPaused = false;
+ fetch_new_surialerts();
+ } else {
+ suricataisPaused = true;
+ }
+}
+/* start local AJAX engine */
+suricatatimer = setInterval('fetch_new_surialerts()', suricataupdateDelay);
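Review bot: The rows returned by the widget are spliced into the table as raw markup — `row_split[0]` … `row_split[5]` are concatenated into `line` and applied with `.html()` — and the PHP side that produces them (the `$response .=` lines in the `getNewAlerts` branch and the `echo` inside the tbody of suricata_alerts.widget.php) does not HTML-encode the fields either. The interface name and `category` come from the alerts log rather than a request, so exposure is limited, but wrapping each field in `htmlspecialchars()` before it is echoed keeps log-derived text from ever being parsed as markup. Separately, `url` and `row_split` are assigned without `var` and leak as globals, and the cache-buster is appended straight onto `getNewAlerts=1`, so the parameter value becomes `1<timestamp>`; `var url = "/widgets/widgets/suricata_alerts.widget.php?getNewAlerts=1&nocache=" + new Date().getTime();` keeps the flag clean. `setInterval('fetch_new_surialerts()', ...)` can also take the function reference, `setInterval(fetch_new_surialerts, suricataupdateDelay);`, instead of a string to be evaluated.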
diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php
new file mode 100644
index 00000000..fabb9314
--- /dev/null
+++ b/config/suricata/suricata_alerts.widget.php
@@ -0,0 +1,213 @@
+<?php
+/*
+ suricata_alerts.widget.php
+ Copyright (C) 2009 Jim Pingle
+ mod 24-07-2012
+ mod 28-02-2014 for use with Suricata by Bill Meeks
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INClUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+$nocsrf = true;
+
+require_once("guiconfig.inc");
+require_once("/usr/local/www/widgets/include/widget-suricata.inc");
+
+global $config, $g;
+
+/* Retrieve Suricata configuration */
+if (!is_array($config['installedpackages']['suricata']['rule']))
+ $config['installedpackages']['suricata']['rule'] = array();
+$a_instance = &$config['installedpackages']['suricata']['rule'];
+
+/* array sorting */
+function sksort(&$array, $subkey="id", $sort_ascending=false) {
+ /* an empty array causes sksort to fail - this test alleviates the error */
+ if(empty($array))
+ return false;
+ if (count($array)){
+ $temp_array[key($array)] = array_shift($array);
+ };
+ foreach ($array as $key => $val){
+ $offset = 0;
+ $found = false;
+ foreach ($temp_array as $tmp_key => $tmp_val) {
+ if (!$found and strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])) {
+ $temp_array = array_merge((array)array_slice($temp_array,0,$offset), array($key => $val), array_slice($temp_array,$offset));
+ $found = true;
+ };
+ $offset++;
+ };
+ if (!$found) $temp_array = array_merge($temp_array, array($key => $val));
+ };
+
+ if ($sort_ascending) {
+ $array = array_reverse($temp_array);
+ } else $array = $temp_array;
+ /* below is the complement for empty array test */
+ return true;
+};
+
+/* check if firewall widget variable is set */
+$nentries = $config['widgets']['widget_suricata_display_lines'];
+if (!isset($nentries) || $nentries < 0)
+ $nentries = 5;
+
+// Called by Ajax to update alerts table contents
+if (isset($_GET['getNewAlerts'])) {
+ $response = "";
+ $suri_alerts = suricata_widget_get_alerts();
+ $counter = 0;
+ foreach ($suri_alerts as $a) {
+ $response .= $a['instanceid'] . " " . $a['dateonly'] . "||" . $a['timeonly'] . "||" . $a['src'] . ":" . $a['srcport'] . "||";
+ $response .= $a['dst'] . ":" . $a['dstport'] . "||" . $a['priority'] . "||" . $a['category'] . "\n";
+ $counter++;
+ if($counter >= $nentries)
+ break;
+ }
+ echo $response;
+ return;
+}
+
+if(isset($_POST['widget_suricata_display_lines'])) {
+ $config['widgets']['widget_suricata_display_lines'] = $_POST['widget_suricata_display_lines'];
+ write_config("Saved Suricata Alerts Widget Displayed Lines Parameter via Dashboard");
+ header("Location: ../../index.php");
+}
+
+// Read "$nentries" worth of alerts from the top of the alerts.log file
+function suricata_widget_get_alerts() {
+
+ global $config, $a_instance, $nentries;
+ $suricata_alerts = array();
+
+ /* read log file(s) */
+ $counter=0;
+ foreach ($a_instance as $instanceid => $instance) {
+ $suricata_uuid = $a_instance[$instanceid]['uuid'];
+ $if_real = get_real_interface($a_instance[$instanceid]['interface']);
+
+ // make sure alert file exists, then grab the most recent {$nentries} from it
+ // and write them to a temp file.
+ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log")) {
+ exec("tail -{$nentries} -r /var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > /tmp/surialerts_{$suricata_uuid}");
+ if (file_exists("/tmp/surialerts_{$suricata_uuid}")) {
+
+ /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
+ /* File format: timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,src,srcport,dst,dstport */
+ $fd = fopen("/tmp/surialerts_{$suricata_uuid}", "r");
+ while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
+ if(count($fields) < 12)
+ continue;
+
+ // Create a DateTime object from the event timestamp that
+ // we can use to easily manipulate output formats.
+ $event_tm = date_create_from_format("m/d/Y-H:i:s.u", $fields[0]);
+
+ // Check the 'CATEGORY' field for the text "(null)" and
+ // substitute "No classtype defined".
+ if ($fields[6] == "(null)")
+ $fields[6] = "No classtype assigned";
+
+ $suricata_alerts[$counter]['instanceid'] = strtoupper($a_instance[$instanceid]['interface']);
+ $suricata_alerts[$counter]['timestamp'] = strval(date_timestamp_get($event_tm));
+ $suricata_alerts[$counter]['timeonly'] = date_format($event_tm, "H:i:s");
+ $suricata_alerts[$counter]['dateonly'] = date_format($event_tm, "M d");
+ $suricata_alerts[$counter]['src'] = inet_ntop(inet_pton($fields[9]));
+ $suricata_alerts[$counter]['srcport'] = $fields[10];
+ $suricata_alerts[$counter]['dst'] = inet_ntop(inet_pton($fields[11]));
+ $suricata_alerts[$counter]['dstport'] = $fields[12];
+ $suricata_alerts[$counter]['priority'] = $fields[7];
+ $suricata_alerts[$counter]['category'] = $fields[6];
+ $counter++;
+ };
+ fclose($fd);
+ @unlink("/tmp/surialerts_{$suricata_uuid}");
+ };
+ };
+ };
+
+ // Sort the alerts in descending order
+ sksort($suricata_alerts, 'timestamp', false);
+
+ return $suricata_alerts;
+}
+
+/* display the result */
+?>
+
+<script type="text/javascript">
+//<![CDATA[
+var suricataupdateDelay = 20000;
+var isBusy = false;
+var isPaused = false;
+var nentries = <?php echo $nentries; ?>;
+//]]>
+</script>
+
+<input type="hidden" id="suricata_alerts-config" name="suricata_alerts-config" value=""/>
+<div id="suricata_alerts-settings" class="widgetconfigdiv" style="display:none;">
+ <form action="/widgets/widgets/suricata_alerts.widget.php" method="post" name="iformd">
+ Enter number of recent alerts to display (default is 5)<br/>
+ <input type="text" size="5" name="widget_suricata_display_lines" class="formfld unknown" id="widget_suricata_display_lines" value="<?= $config['widgets']['widget_suricata_display_lines'] ?>" />
+ &nbsp;&nbsp;<input id="submitd" name="submitd" type="submit" class="formbtn" value="Save" />
+ </form>
+</div>
+
+<table width="100%" border="0" cellspacing="0" cellpadding="0">
+ <thead>
+ <tr class="suricata-alert-header">
+ <td width="22%" class="widgetsubheader" align="center">IF/Date</td>
+ <td width="39%" class="widgetsubheader" align="center">Src/Dst</td>
+ <td width="39%" class="widgetsubheader" align="center">Details</td>
+ </tr>
+ </thead>
+ <tbody id="suricata-alert-entries">
+ <?php
+ $suricata_alerts = suricata_widget_get_alerts($nentries);
+ $counter=0;
+ if (is_array($suricata_alerts)) {
+ foreach ($suricata_alerts as $alert) {
+ $evenRowClass = $counter % 2 ? " listMReven" : " listMRodd";
+ echo(" <tr class='" . $evenRowClass . "'>
+ <td width='22%' class='listMRr' nowrap>" . $alert['instanceid'] . " " . $alert['dateonly'] . "<br/>" . $alert['timeonly'] . "</td>
+ <td width='39%' class='listMRr'>" . $alert['src'] . ":" . $alert['srcport'] . "<br>" . $alert['dst'] . ":" . $alert['dstport'] . "</td>
+ <td width='39%' class='listMRr'>Priority: " . $alert['priority'] . "<br/>" . $alert['category'] . "</td></tr>");
+ $counter++;
+ if($counter >= $nentries)
+ break;
+ }
+ }
+ ?>
+ </tbody>
+</table>
+
+<!-- needed to display the widget settings menu -->
+<script type="text/javascript">
+//<![CDATA[
+ selectIntLink = "suricata_alerts-configure";
+ textlink = document.getElementById(selectIntLink);
+ textlink.style.display = "inline";
+//]]>
+
+</script>
+
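Review bot: `$nentries` reaches `exec("tail -{$nentries} -r ...")` in suricata_widget_get_alerts without being forced to an integer: it is read from `$config['widgets']['widget_suricata_display_lines']`, which the `$_POST` handler stores verbatim, and the `$nentries < 0` check does not reject a non-numeric string (a leading-numeric value like `5 …` compares as 5 and passes through to the shell). Since `$nocsrf = true` removes the CSRF check on that POST, the value should be cast at both points: `$config['widgets']['widget_suricata_display_lines'] = (int)$_POST['widget_suricata_display_lines'];` in the handler, and `$nentries = (int)$config['widgets']['widget_suricata_display_lines']; if ($nentries <= 0) $nentries = 5;` where the default is applied. The `header("Location: ...")` after `write_config()` is not followed by `exit`, so the rest of the page is still rendered into the redirect response. Two smaller points: the shell redirect into a predictable `/tmp/surialerts_{uuid}` path could be avoided altogether by capturing `tail` output with `exec($cmd, $lines)` and parsing it with `str_getcsv()`, and `date_create_from_format()` returns `false` on a malformed timestamp, which the following `date_timestamp_get($event_tm)` does not guard against. The call `suricata_widget_get_alerts($nentries)` in the tbody passes an argument the function does not declare; harmless, but it suggests the signature and call site drifted apart.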
diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php
index 6603d5ab..72257325 100644
--- a/config/suricata/suricata_post_install.php
+++ b/config/suricata/suricata_post_install.php
@@ -89,7 +89,7 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
// ## BETA pkg bug fix-up -- be sure default rules enabled ##
$rules = explode("||", $value['rulesets']);
- foreach (array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules" ) as $r){
+ foreach (array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" ) as $r){
if (!in_array($r, $rules))
$rules[] = $r;
}
@@ -117,6 +117,12 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
// Add the recurring jobs created above to crontab
configure_cron();
+ // Restore the Dashboard Widget if it was previously enabled and saved
+ if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget']) && !empty($config['widgets']['sequence']))
+ $config['widgets']['sequence'] .= "," . $config['installedpackages']['suricata']['config'][0]['dashboard_widget'];
+ if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows']) && !empty($config['widgets']))
+ $config['widgets']['widget_suricata_display_lines'] = $config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows'];
+
$rebuild_rules = false;
update_output_window(gettext("Finished rebuilding Suricata configuration files..."));
log_error(gettext("[Suricata] Finished rebuilding installation from saved settings..."));
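Review bot: The restore appends the saved container name to `$config['widgets']['sequence']` without checking whether it is already listed, and the saved `dashboard_widget` value is never cleared afterwards, so any later run of this block (a reinstall that did not pass through the uninstall script, or the post-install running twice) duplicates the entry. Adding `&& strpos($config['widgets']['sequence'], $config['installedpackages']['suricata']['config'][0]['dashboard_widget']) === false` to the first condition prevents that. The restore is also skipped entirely when `$config['widgets']['sequence']` is empty, which looks inverted — if the intent was only to make sure the widgets array exists, `isset($config['widgets'])` expresses that without dropping the widget when no other container is configured. The enclosing `forcekeepsettings` block starts outside the hunk.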
@@ -132,7 +138,7 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
}
// Update Suricata package version in configuration
-$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "0.1-BETA";
+$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "v0.2-BETA";
write_config();
// Done with post-install, so clear flag
diff --git a/config/suricata/suricata_uninstall.php b/config/suricata/suricata_uninstall.php
index 0a7f8d5a..b8ea6097 100644
--- a/config/suricata/suricata_uninstall.php
+++ b/config/suricata/suricata_uninstall.php
@@ -76,6 +76,31 @@ if ($config['installedpackages']['suricata']['config'][0]['clearlogs'] == 'on')
mwexec("/bin/rm -rf /usr/local/pkg/suricata");
mwexec("/bin/rm -rf /usr/local/www/suricata");
+/* Remove our associated Dashboard widget config and files. */
+/* If "save settings" is enabled, then save old widget */
+/* container settings so we can restore them later. */
+$widgets = $config['widgets']['sequence'];
+if (!empty($widgets)) {
+ $widgetlist = explode(",", $widgets);
+ foreach ($widgetlist as $key => $widget) {
+ if (strstr($widget, "suricata_alerts-container")) {
+ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') {
+ $config['installedpackages']['suricata']['config'][0]['dashboard_widget'] = $widget;
+ if ($config['widgets']['widget_suricata_display_lines']) {
+ $config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows'] = $config['widgets']['widget_suricata_display_lines'];
+ unset($config['widgets']['widget_suricata_display_lines']);
+ }
+ }
+ unset($widgetlist[$key]);
+ }
+ }
+ $config['widgets']['sequence'] = implode(",", $widgetlist);
+ write_config();
+}
+@unlink("/usr/local/www/widgets/include/widget-suricata.inc");
+@unlink("/usr/local/www/widgets/widgets/suricata_alerts.widget.php");
+@unlink("/usr/local/www/widgets/javascript/suricata_alerts.js");
+
/* Keep this as a last step */
if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] != 'on') {
log_error(gettext("Not saving settings... all Suricata configuration info and logs deleted..."));
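Review bot: When `forcekeepsettings` is not `'on'` the loop removes the container from the sequence but leaves `$config['widgets']['widget_suricata_display_lines']` in place, so the uninstall orphans a widget setting it no longer owns; the `unset($config['widgets']['widget_suricata_display_lines']);` belongs after the `forcekeepsettings` branch rather than inside it. `if ($config['widgets']['widget_suricata_display_lines'])` is a truthiness test, so a saved value of `0` (or an absent key, which also raises a notice) is never preserved — `isset()` is the check that matches the intent. `write_config()` is called whenever the sequence is non-empty, even when no Suricata container was found and nothing changed; gating it on a flag set inside the `strstr` branch avoids a spurious config revision on every uninstall.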
diff --git a/config/suricata/widget-suricata.inc b/config/suricata/widget-suricata.inc
new file mode 100644
index 00000000..48424588
--- /dev/null
+++ b/config/suricata/widget-suricata.inc
@@ -0,0 +1,8 @@
+<?php
+require_once("config.inc");
+
+//set variable for custom title
+$suricata_alerts_title = "Suricata Alerts";
+$suricata_alerts_title_link = "suricata/suricata_alerts.php";
+
+?>