diff options
Diffstat (limited to 'config/snort-dev/snort_alerts.php')
-rw-r--r-- | config/snort-dev/snort_alerts.php | 441 |
1 files changed, 408 insertions, 33 deletions
diff --git a/config/snort-dev/snort_alerts.php b/config/snort-dev/snort_alerts.php index d260aee9..fe466f6d 100644 --- a/config/snort-dev/snort_alerts.php +++ b/config/snort-dev/snort_alerts.php @@ -7,6 +7,9 @@ Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. All rights reserved. + + Modified for the Pfsense snort package by + Copyright (C) 2003 Robert Zelaya Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -32,13 +35,8 @@ require("globals.inc"); require("guiconfig.inc"); -require("/usr/local/pkg/snort/snort.inc"); -$snort_logfile = "{$g['varlog_path']}/snort/alert"; - -$nentries = $config['syslog']['nentries']; -if (!$nentries) - $nentries = 50; +$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; if ($_POST['clear']) { exec("killall syslogd"); @@ -49,11 +47,184 @@ if ($_POST['clear']) { exec("/usr/bin/killall -HUP snort"); } +/* WARNING: took me forever to figure reg expression, dont lose */ +// $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50'; + +function get_snort_alert_date($fileline) +{ + /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */ + if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1)) + { + $alert_date = "$matches1[0]"; + } + +return $alert_date; + +} + +function get_snort_alert_disc($fileline) +{ + /* disc */ + if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) + { + $alert_disc = "$matches[2]"; + } + +return $alert_disc; + +} + +function get_snort_alert_class($fileline) +{ + /* class */ + if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2)) + { + $alert_class = "$matches2[0]"; + } + +return $alert_class; + +} + +function get_snort_alert_priority($fileline) +{ + /* Priority */ + if (preg_match('/Priority:\s\d/', $fileline, $matches3)) + { + $alert_priority = "$matches3[0]"; + } + +return $alert_priority; + +} + +function get_snort_alert_proto($fileline) +{ + /* Priority */ + if (preg_match('/\{.+\}/', $fileline, $matches3)) + { + $alert_proto = "$matches3[0]"; + } + +return $alert_proto; + +} + +function get_snort_alert_proto_full($fileline) +{ + /* Protocal full */ + if (preg_match('/.+\sTTL/', $fileline, $matches2)) + { + $alert_proto_full = "$matches2[0]"; + } + +return $alert_proto_full; + +} + +function get_snort_alert_ip_src($fileline) +{ + /* SRC IP */ + $re1='.*?'; # Non-greedy match on filler + $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) + { + $alert_ip_src = $matches4[1][0]; + } + +return $alert_ip_src; + +} + +function get_snort_alert_src_p($fileline) +{ + /* source port */ + if (preg_match('/:\d+\s/', $fileline, $matches5)) + { + $alert_src_p = "$matches5[0]"; + } + +return $alert_src_p; + +} + +function get_snort_alert_flow($fileline) +{ + /* source port */ + if (preg_match('/(->|<-)/', $fileline, $matches5)) + { + $alert_flow = "$matches5[0]"; + } + +return $alert_flow; + +} + +function get_snort_alert_ip_dst($fileline) +{ + /* DST IP */ + $re1dp='.*?'; # Non-greedy match on filler + $re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])'; # Uninteresting: ipaddress + $re3dp='.*?'; # Non-greedy match on filler + $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 + + if ($c=preg_match_all ("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches6)) + { + $alert_ip_dst = $matches6[1][0]; + } + +return $alert_ip_dst; + +} + +function get_snort_alert_dst_p($fileline) +{ + /* dst port */ + if (preg_match('/:\d+$/', $fileline, $matches7)) + { + $alert_dst_p = "$matches7[0]"; + } + +return $alert_dst_p; + +} + +function get_snort_alert_dst_p_full($fileline) +{ + /* dst port full */ + if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches7)) + { + $alert_dst_p = "$matches7[0]"; + } + +return $alert_dst_p; + +} + +function get_snort_alert_sid($fileline) +{ + /* SID */ + if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches8)) + { + $alert_sid = "$matches8[0]"; + } + +return $alert_sid; + +} + +// + $pgtitle = "Services: Snort: Snort Alerts"; include("head.inc"); ?> +<link rel="stylesheet" href="/snort/style.css" type="text/css" media="all"> +<script type="text/javascript" src="/snort/mootools.js"></script> +<script type="text/javascript" src="/snort/sortableTable.js"></script> + <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> <p class="pgtitle"><?=$pgtitle?></p> @@ -76,40 +247,244 @@ include("head.inc"); <div id="mainarea"> <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> - <td colspan="2" class="listtopic"> + <td colspan="1" class="listtopic"> + <input name="clear" type="submit" class="formbtn" value="Clear log"> Last <?=$nentries;?> Snort Alert entries</td> </tr> - <?php dump_log_file($snort_logfile, $nentries); ?> - <tr><td><br><form action="snort_alerts.php" method="post"> - <input name="clear" type="submit" class="formbtn" value="Clear log"></td></tr> </table> </div> - </form> </td> </tr> </table> -<?php include("fend.inc"); ?> -<meta http-equiv="refresh" content="60;url=<?php print $_SERVER['SCRIPT_NAME']; ?>"> -</body> -</html> -<!-- <?php echo $snort_logfile; ?> --> - +<table width="100%" border="0" cellpadding="0" cellspacing="0"> + <td width="100%"> + <br> + <div class="tableFilter"> + <form id="tableFilter" onsubmit="myTable.filter(this.id); return false;">Filter: + <select id="column"> + <option value="1">PRIORITY</option> + <option value="2">PROTO</option> + <option value="3">DESCRIPTION</option> + <option value="4">CLASS</option> + <option value="5">SRC</option> + <option value="6">SRC PORT</option> + <option value="7">FLOW</option> + <option value="8">DST</option> + <option value="9">DST PORT</option> + <option value="10">SID</option> + <option value="11">Date</option> + </select> + <input type="text" id="keyword" /> + <input type="submit" value="Submit" /> + <input type="reset" value="Clear" /> + </form> + </div> +<table class="allRow" id="myTable" width="100%" border="2" cellpadding="1" cellspacing="1"> + <thead> + <th axis="number">#</th> + <th axis="string">PRI</th> + <th axis="string">PROTO</th> + <th axis="string">DESCRIPTION</th> + <th axis="string">CLASS</th> + <th axis="string">SRC</th> + <th axis="string">SPORT</th> + <th axis="string">FLOW</th> + <th axis="string">DST</th> + <th axis="string">DPORT</th> + <th axis="string">SID</th> + <th axis="date">Date</th> + </thead> + <tbody> <?php + + $alerts = file_get_contents('/var/log/snort/alert'); + $logent = '50'; + + /* detect the alert file type */ + if ($snortalertlogt == 'full') + { + $alerts_array = array_reverse(array_filter(explode("\n\n", $alerts))); + }else{ + $alerts_array = array_reverse(split("\n", $alerts)); + } + + $counter = 0; + foreach($alerts_array as $fileline) + { + if($logent <= $counter) + continue; + + $counter++; + + /* Date */ + $alert_date_str = get_snort_alert_date($fileline); + + if($alert_date_str != '') + { + $alert_date = $alert_date_str; + }else{ + $alert_date = 'empty'; + } -function dump_log_file($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") { - global $g, $config; - $logarr = ""; - exec("cat {$logfile} | /usr/bin/tail -n {$tail}", $logarr); - foreach ($logarr as $logent) { - if(!logent) - continue; - $ww_logent = $logent; - $ww_logent = str_replace("[", " [ ", $ww_logent); - $ww_logent = str_replace("]", " ] ", $ww_logent); - echo "<tr valign=\"top\">\n"; - echo "<td colspan=\"2\" class=\"listr\">" . make_clickable($ww_logent) . " </td>\n"; - echo "</tr>\n"; - } -} + /* Discription */ + $alert_disc_str = get_snort_alert_disc($fileline); + + if($alert_disc_str != '') + { + $alert_disc = $alert_disc_str; + }else{ + $alert_disc = 'empty'; + } + + /* Classification */ + $alert_class_str = get_snort_alert_class($fileline); + + if($alert_class_str != '') + { + + $alert_class_match = array('[Classification:',']'); + $alert_class = str_replace($alert_class_match, '', "$alert_class_str"); + }else{ + $alert_class = 'Prep'; + } + + /* Priority */ + $alert_priority_str = get_snort_alert_priority($fileline); + + if($alert_priority_str != '') + { + $alert_priority_match = array('Priority: ',']'); + $alert_priority = str_replace($alert_priority_match, '', "$alert_priority_str"); + }else{ + $alert_priority = 'empty'; + } + + /* Protocol */ + /* Detect alert file type */ + if ($snortalertlogt == 'full') + { + $alert_proto_str = get_snort_alert_proto_full($fileline); + }else{ + $alert_proto_str = get_snort_alert_proto($fileline); + } + + if($alert_proto_str != '') + { + $alert_proto_match = array(" TTL",'{','}'); + $alert_proto = str_replace($alert_proto_match, '', "$alert_proto_str"); + }else{ + $alert_proto = 'empty'; + } + + /* IP SRC */ + $alert_ip_src_str = get_snort_alert_ip_src($fileline); + + if($alert_ip_src_str != '') + { + $alert_ip_src = $alert_ip_src_str; + }else{ + $alert_ip_src = 'empty'; + } + + /* IP SRC Port */ + $alert_src_p_str = get_snort_alert_src_p($fileline); + + if($alert_src_p_str != '') + { + $alert_src_p_match = array(' ',':'); + $alert_src_p = str_replace($alert_src_p_match, '', "$alert_src_p_str"); + }else{ + $alert_src_p = 'empty'; + } + + /* Flow */ + $alert_flow_str = get_snort_alert_flow($fileline); + + if($alert_flow_str != '') + { + $alert_flow = $alert_flow_str; + }else{ + $alert_flow = 'empty'; + } + + /* IP Destination */ + $alert_ip_dst_str = get_snort_alert_ip_dst($fileline); + + if($alert_ip_dst_str != '') + { + $alert_ip_dst = $alert_ip_dst_str; + }else{ + $alert_ip_dst = 'empty'; + } + + /* IP DST Port */ + if ($snortalertlogt == 'full') + { + $alert_dst_p_str = get_snort_alert_dst_p_full($fileline); + }else{ + $alert_dst_p_str = get_snort_alert_dst_p($fileline); + } + + if($alert_dst_p_str != '') + { + $alert_dst_p_match = array(':',"\n"," TTL"); + $alert_dst_p_str2 = str_replace($alert_dst_p_match, '', "$alert_dst_p_str"); + $alert_dst_p_match2 = array('/[A-Z]/'); + $alert_dst_p = preg_replace($alert_dst_p_match2, '', "$alert_dst_p_str2"); + }else{ + $alert_dst_p = 'empty'; + } + + /* SID */ + $alert_sid_str = get_snort_alert_sid($fileline); + + if($alert_sid_str != '') + { + $alert_sid_match = array('[',']'); + $alert_sid = str_replace($alert_sid_match, '', "$alert_sid_str"); + }else{ + $alert_sid_str = 'empty'; + } + + /* NOTE: using one echo improves performance by 2x */ + echo "<tr id=\"{$counter}\"> + <td class=\"centerAlign\">{$counter}</td> + <td class=\"centerAlign\">{$alert_priority}</td> + <td class=\"centerAlign\">{$alert_proto}</td> + <td>{$alert_disc}</td> + <td class=\"centerAlign\">{$alert_class}</td> + <td>{$alert_ip_src}</td> + <td class=\"centerAlign\">{$alert_src_p}</td> + <td class=\"centerAlign\">{$alert_flow}</td> + <td>{$alert_ip_dst}</td> + <td class=\"centerAlign\">{$alert_dst_p}</td> + <td class=\"centerAlign\">{$alert_sid}</td> + <td>{$alert_date}</td> + </tr>\n"; + +// <script type="text/javascript"> +// var myTable = {}; +// window.addEvent('domready', function(){ +// myTable = new sortableTable('myTable', {overCls: 'over', onClick: function(){alert(this.id)}}); +// }); +// </script> + + } -?>
\ No newline at end of file +?> + </tbody> + </table> + </td> +</table> + +<?php include("fend.inc"); ?> + + <script type="text/javascript"> + var myTable = {}; + window.addEvent('domready', function(){ + myTable = new sortableTable('myTable', {overCls: 'over'}); + }); + </script> + +</body> +</html>
\ No newline at end of file |