aboutsummaryrefslogtreecommitdiffstats
path: root/config/snort/snort_alerts.php
diff options
context:
space:
mode:
Diffstat (limited to 'config/snort/snort_alerts.php')
-rw-r--r--config/snort/snort_alerts.php624
1 files changed, 565 insertions, 59 deletions
diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php
index e67b9b5f..4f0ddb03 100644
--- a/config/snort/snort_alerts.php
+++ b/config/snort/snort_alerts.php
@@ -6,7 +6,11 @@
Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ Copyright (C) 2006 Scott Ullrich
All rights reserved.
+
+ Modified for the Pfsense snort package v. 1.8+
+ Copyright (C) 2009 Robert Zelaya Sr. Developer
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -30,95 +34,597 @@
POSSIBILITY OF SUCH DAMAGE.
*/
-require("globals.inc");
-require("guiconfig.inc");
-require("/usr/local/pkg/snort.inc");
+require_once("globals.inc");
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/snort/snort.inc");
-$snort_logfile = "{$g['varlog_path']}/snort/alert";
+$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype'];
+$snort_logfile = '/var/log/snort/alert';
-$nentries = $config['syslog']['nentries'];
-if (!$nentries)
- $nentries = 50;
+$pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'];
+$pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'];
+
+if ($pconfig['alertnumber'] == '' || $pconfig['alertnumber'] == '0')
+{
+ $anentries = '250';
+}else{
+ $anentries = $pconfig['alertnumber'];
+}
+
+if ($_POST['save'])
+{
+
+ //unset($input_errors);
+ //$pconfig = $_POST;
+
+ /* input validation */
+ if ($_POST['save'])
+ {
+
+ // if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) {
+ // $input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]";
+ // }
+
+ }
+
+ /* no errors */
+ if (!$input_errors)
+ {
+
+ $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? on : off;
+ $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber'];
+
+ conf_mount_rw();
+ write_config();
+ //conf_mount_ro();
+ sleep(2);
+
+ header("Location: /snort/snort_alerts.php");
+
+ }
+
+}
+
+
+if ($_POST['delete'])
+{
-if ($_POST['clear']) {
exec("killall syslogd");
conf_mount_rw();
- exec("rm {$snort_logfile}; touch {$snort_logfile}");
+ if(file_exists("/var/log/snort/alert"))
+ {
+ exec('/bin/rm /var/log/snort/*');
+ exec('/usr/bin/touch /var/log/snort/alert');
+ }
conf_mount_ro();
system_syslogd_start();
- exec("/usr/bin/killall -HUP snort");
- exec("/usr/bin/killall snort2c");
- if ($config['installedpackages']['snort']['config'][0]['blockoffenders'] == 'on')
- exec("/usr/local/bin/snort2c -w /var/db/whitelist -a /var/log/snort/alert");
+ //exec("/usr/bin/killall -HUP snort");
+
+}
+
+if ($_POST['download'])
+{
+
+ ob_start(); //importanr or other post will fail
+ $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
+ $file_name = "snort_logs_{$save_date}.tar.gz";
+ exec("/usr/bin/tar cfz /tmp/snort_logs_{$save_date}.tar.gz /var/log/snort");
+
+ if(file_exists("/tmp/snort_logs_{$save_date}.tar.gz"))
+ {
+ $file = "/tmp/snort_logs_{$save_date}.tar.gz";
+ header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n");
+ header("Pragma: private"); // needed for IE
+ header("Cache-Control: private, must-revalidate"); // needed for IE
+ header('Content-type: application/force-download');
+ header('Content-Transfer-Encoding: Binary');
+ header("Content-length: ".filesize($file));
+ header("Content-disposition: attachment; filename = {$file_name}");
+ readfile("$file");
+ exec("/bin/rm /tmp/snort_logs_{$save_date}.tar.gz");
+ od_end_clean(); //importanr or other post will fail
+ }else{
+ echo 'Error no saved file.';
+ }
+
+}
+
+
+/* WARNING: took me forever to figure reg expression, dont lose */
+// $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50';
+
+function get_snort_alert_date($fileline)
+{
+ /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */
+ if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1))
+ {
+ $alert_date = "$matches1[0]";
+ }
+
+return $alert_date;
+
+}
+
+function get_snort_alert_disc($fileline)
+{
+ /* disc */
+ if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
+ {
+ $alert_disc = "$matches[2]";
+ }
+
+return $alert_disc;
+
+}
+
+function get_snort_alert_class($fileline)
+{
+ /* class */
+ if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2))
+ {
+ $alert_class = "$matches2[0]";
+ }
+
+return $alert_class;
+
+}
+
+function get_snort_alert_priority($fileline)
+{
+ /* Priority */
+ if (preg_match('/Priority:\s\d/', $fileline, $matches3))
+ {
+ $alert_priority = "$matches3[0]";
+ }
+
+return $alert_priority;
+
+}
+
+function get_snort_alert_proto($fileline)
+{
+ /* Priority */
+ if (preg_match('/\{.+\}/', $fileline, $matches3))
+ {
+ $alert_proto = "$matches3[0]";
+ }
+
+return $alert_proto;
+
+}
+
+function get_snort_alert_proto_full($fileline)
+{
+ /* Protocal full */
+ if (preg_match('/.+\sTTL/', $fileline, $matches2))
+ {
+ $alert_proto_full = "$matches2[0]";
+ }
+
+return $alert_proto_full;
+
+}
+
+function get_snort_alert_ip_src($fileline)
+{
+ /* SRC IP */
+ $re1='.*?'; # Non-greedy match on filler
+ $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1
+
+ if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4))
+ {
+ $alert_ip_src = $matches4[1][0];
+ }
+
+return $alert_ip_src;
+
+}
+
+function get_snort_alert_src_p($fileline)
+{
+ /* source port */
+ if (preg_match('/:\d+\s-/', $fileline, $matches5))
+ {
+ $alert_src_p = "$matches5[0]";
+ }
+
+return $alert_src_p;
+
+}
+
+function get_snort_alert_flow($fileline)
+{
+ /* source port */
+ if (preg_match('/(->|<-)/', $fileline, $matches5))
+ {
+ $alert_flow = "$matches5[0]";
+ }
+
+return $alert_flow;
+
+}
+
+function get_snort_alert_ip_dst($fileline)
+{
+ /* DST IP */
+ $re1dp='.*?'; # Non-greedy match on filler
+ $re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])'; # Uninteresting: ipaddress
+ $re3dp='.*?'; # Non-greedy match on filler
+ $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1
+
+ if ($c=preg_match_all ("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches6))
+ {
+ $alert_ip_dst = $matches6[1][0];
+ }
+
+return $alert_ip_dst;
+
}
+
+function get_snort_alert_dst_p($fileline)
+{
+ /* dst port */
+ if (preg_match('/:\d+$/', $fileline, $matches7))
+ {
+ $alert_dst_p = "$matches7[0]";
+ }
+
+return $alert_dst_p;
+
+}
+
+function get_snort_alert_dst_p_full($fileline)
+{
+ /* dst port full */
+ if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches7))
+ {
+ $alert_dst_p = "$matches7[0]";
+ }
+
+return $alert_dst_p;
+
+}
+
+function get_snort_alert_sid($fileline)
+{
+ /* SID */
+ if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches8))
+ {
+ $alert_sid = "$matches8[0]";
+ }
+
+return $alert_sid;
+
+}
+
+//
$pgtitle = "Services: Snort: Snort Alerts";
include("head.inc");
?>
+<link rel="stylesheet" href="/snort/css/style.css" type="text/css" media="all">
+<script type="text/javascript" src="/snort/javascript/mootools.js"></script>
+<script type="text/javascript" src="/snort/javascript/sortableTable.js"></script>
+
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<?php
-if(!$pgtitle_output)
- echo "<p class=\"pgtitle\"><?=$pgtitle?></p>";
+<?php
+
+include("./snort_fbegin.inc");
+
+echo "<p class=\"pgtitle\">";
+if($pfsense_stable == 'yes'){echo $pgtitle;}
+echo "</p>\n";
+
+/* refresh every 60 secs */
+if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '')
+{
+ echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />\n";
+}
?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
<?php
$tab_array = array();
- $tab_array[] = array(gettext("Settings"), false, "/pkg_edit.php?xml=snort.xml&id=0");
- $tab_array[] = array(gettext("Update Rules"), false, "/snort_download_rules.php");
- $tab_array[] = array(gettext("Categories"), false, "/snort_rulesets.php");
- $tab_array[] = array(gettext("Rules"), false, "/snort_rules.php");
- $tab_array[] = array(gettext("Servers"), false, "/pkg_edit.php?xml=snort_define_servers.xml&amp;id=0");
- $tab_array[] = array(gettext("Blocked"), false, "/snort_blocked.php");
- $tab_array[] = array(gettext("Whitelist"),false, "/pkg.php?xml=snort_whitelist.xml");
- $tab_array[] = array(gettext("Threshold"), false, "/pkg.php?xml=snort_threshold.xml");
- $tab_array[] = array(gettext("Alerts"), true, "/snort_alerts.php");
- $tab_array[] = array(gettext("Advanced"), false, "/pkg_edit.php?xml=snort_advanced.xml&id=0");
+ $tab_array[] = array("Snort Interfaces", false, "/snort/snort_interfaces.php");
+ $tab_array[] = array("Global Settings", false, "/snort/snort_interfaces_global.php");
+ $tab_array[] = array("Rule Updates", false, "/snort/snort_download_rules.php");
+ $tab_array[] = array("Alerts", true, "/snort/snort_alerts.php");
+ $tab_array[] = array("Blocked", false, "/snort/snort_blocked.php");
+ $tab_array[] = array("Whitelists", false, "/pkg.php?xml=/snort/snort_whitelist.xml");
+ $tab_array[] = array("Help & Info", false, "/snort/snort_help_info.php");
display_top_tabs($tab_array);
?>
- </td></tr>
- <tr>
- <td>
+</td>
+</tr>
+ <tr>
+ <td>
<div id="mainarea">
- <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0">
+ <table class="tabcont" width="100%" border="1" cellspacing="0" cellpadding="0">
<tr>
- <td colspan="2" class="listtopic">
- Last <?=$nentries;?> Snort Alert entries</td>
+ <td width="22%" colspan="0" class="listtopic">
+ Last <?=$anentries;?> Alert Entries.
+ </td>
+ <td width="78%" class="listtopic">
+ Latest Alert Entries Are Listed First.
+ </td>
</tr>
- <?php dump_log_file($snort_logfile, $nentries); ?>
- <tr><td><br><form action="snort_alerts.php" method="post">
- <input name="clear" type="submit" class="formbtn" value="Clear log"></td></tr>
+ <tr>
+ <td width="22%" class="vncell">Save or Remove Logs</td>
+ <td width="78%" class="vtable">
+ <form action="/snort/snort_alerts.php" method="post">
+ <input name="download" type="submit" class="formbtn" value="Download">
+ All log files will be saved.
+ <input name="delete" type="submit" class="formbtn" value="Clear">
+ <span class="red"><strong>Warning:</strong></span> all log files will be deleted.
+ </form>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" class="vncell">Auto Refresh and Log View</td>
+ <td width="78%" class="vtable">
+ <form action="/snort/snort_alerts.php" method="post">
+ <input name="save" type="submit" class="formbtn" value="Save">
+ Refresh
+ <input name="arefresh" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>>
+ <strong>Default</strong> is <strong>ON</strong>.
+ <input name="alertnumber" type="text" class="formfld" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>">
+ Enter the number of log entries to view. <strong>Default</strong> is <strong>250</strong>.
+ </form>
+ </td>
+ </tr>
</table>
</div>
- </form>
</td>
</tr>
</table>
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <td width="100%">
+ <br>
+ <div class="tableFilter">
+ <form id="tableFilter" onsubmit="myTable.filter(this.id); return false;">Filter:
+ <select id="column">
+ <option value="1">PRIORITY</option>
+ <option value="2">PROTO</option>
+ <option value="3">DESCRIPTION</option>
+ <option value="4">CLASS</option>
+ <option value="5">SRC</option>
+ <option value="6">SRC PORT</option>
+ <option value="7">FLOW</option>
+ <option value="8">DST</option>
+ <option value="9">DST PORT</option>
+ <option value="10">SID</option>
+ <option value="11">Date</option>
+ </select>
+ <input type="text" id="keyword" />
+ <input type="submit" value="Submit" />
+ <input type="reset" value="Clear" />
+ </form>
+ </div>
+<table class="allRow" id="myTable" width="100%" border="2" cellpadding="1" cellspacing="1">
+ <thead>
+ <th axis="number">#</th>
+ <th axis="string">PRI</th>
+ <th axis="string">PROTO</th>
+ <th axis="string">DESCRIPTION</th>
+ <th axis="string">CLASS</th>
+ <th axis="string">SRC</th>
+ <th axis="string">SPORT</th>
+ <th axis="string">FLOW</th>
+ <th axis="string">DST</th>
+ <th axis="string">DPORT</th>
+ <th axis="string">SID</th>
+ <th axis="date">Date</th>
+ </thead>
+ <tbody>
+<?php
+
+ /* make sure alert file exists */
+ if(!file_exists('/var/log/snort/alert'))
+ {
+ conf_mount_rw();
+ exec('/usr/bin/touch /var/log/snort/alert');
+ conf_mount_ro();
+ }
+
+ $logent = $anentries;
+
+ /* detect the alert file type */
+ if ($snortalertlogt == 'full')
+ {
+ $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert'))));
+ }else{
+ $alerts_array = array_reverse(array_filter(split("\n", file_get_contents('/var/log/snort/alert'))));
+ }
+
+
+
+if (is_array($alerts_array))
+{
+
+ $counter = 0;
+ foreach($alerts_array as $fileline)
+ {
+
+ if($logent <= $counter)
+ continue;
+
+ $counter++;
+
+ /* Date */
+ $alert_date_str = get_snort_alert_date($fileline);
+
+ if($alert_date_str != '')
+ {
+ $alert_date = $alert_date_str;
+ }else{
+ $alert_date = 'empty';
+ }
+
+ /* Discription */
+ $alert_disc_str = get_snort_alert_disc($fileline);
+
+ if($alert_disc_str != '')
+ {
+ $alert_disc = $alert_disc_str;
+ }else{
+ $alert_disc = 'empty';
+ }
+
+ /* Classification */
+ $alert_class_str = get_snort_alert_class($fileline);
+
+ if($alert_class_str != '')
+ {
+
+ $alert_class_match = array('[Classification:',']');
+ $alert_class = str_replace($alert_class_match, '', "$alert_class_str");
+ }else{
+ $alert_class = 'Prep';
+ }
+
+ /* Priority */
+ $alert_priority_str = get_snort_alert_priority($fileline);
+
+ if($alert_priority_str != '')
+ {
+ $alert_priority_match = array('Priority: ',']');
+ $alert_priority = str_replace($alert_priority_match, '', "$alert_priority_str");
+ }else{
+ $alert_priority = 'empty';
+ }
+
+ /* Protocol */
+ /* Detect alert file type */
+ if ($snortalertlogt == 'full')
+ {
+ $alert_proto_str = get_snort_alert_proto_full($fileline);
+ }else{
+ $alert_proto_str = get_snort_alert_proto($fileline);
+ }
+
+ if($alert_proto_str != '')
+ {
+ $alert_proto_match = array(" TTL",'{','}');
+ $alert_proto = str_replace($alert_proto_match, '', "$alert_proto_str");
+ }else{
+ $alert_proto = 'empty';
+ }
+
+ /* IP SRC */
+ $alert_ip_src_str = get_snort_alert_ip_src($fileline);
+
+ if($alert_ip_src_str != '')
+ {
+ $alert_ip_src = $alert_ip_src_str;
+ }else{
+ $alert_ip_src = 'empty';
+ }
+
+ /* IP SRC Port */
+ $alert_src_p_str = get_snort_alert_src_p($fileline);
+
+ if($alert_src_p_str != '')
+ {
+ $alert_src_p_match = array(' -',':');
+ $alert_src_p = str_replace($alert_src_p_match, '', "$alert_src_p_str");
+ }else{
+ $alert_src_p = 'empty';
+ }
+
+ /* Flow */
+ $alert_flow_str = get_snort_alert_flow($fileline);
+
+ if($alert_flow_str != '')
+ {
+ $alert_flow = $alert_flow_str;
+ }else{
+ $alert_flow = 'empty';
+ }
+
+ /* IP Destination */
+ $alert_ip_dst_str = get_snort_alert_ip_dst($fileline);
+
+ if($alert_ip_dst_str != '')
+ {
+ $alert_ip_dst = $alert_ip_dst_str;
+ }else{
+ $alert_ip_dst = 'empty';
+ }
+
+ /* IP DST Port */
+ if ($snortalertlogt == 'full')
+ {
+ $alert_dst_p_str = get_snort_alert_dst_p_full($fileline);
+ }else{
+ $alert_dst_p_str = get_snort_alert_dst_p($fileline);
+ }
+
+ if($alert_dst_p_str != '')
+ {
+ $alert_dst_p_match = array(':',"\n"," TTL");
+ $alert_dst_p_str2 = str_replace($alert_dst_p_match, '', "$alert_dst_p_str");
+ $alert_dst_p_match2 = array('/[A-Z]/');
+ $alert_dst_p = preg_replace($alert_dst_p_match2, '', "$alert_dst_p_str2");
+ }else{
+ $alert_dst_p = 'empty';
+ }
+
+ /* SID */
+ $alert_sid_str = get_snort_alert_sid($fileline);
+
+ if($alert_sid_str != '')
+ {
+ $alert_sid_match = array('[',']');
+ $alert_sid = str_replace($alert_sid_match, '', "$alert_sid_str");
+ }else{
+ $alert_sid_str = 'empty';
+ }
+
+ /* NOTE: using one echo improves performance by 2x */
+ if ($alert_disc != 'empty')
+ {
+ echo "<tr id=\"{$counter}\">
+ <td class=\"centerAlign\">{$counter}</td>
+ <td class=\"centerAlign\">{$alert_priority}</td>
+ <td class=\"centerAlign\">{$alert_proto}</td>
+ <td>{$alert_disc}</td>
+ <td class=\"centerAlign\">{$alert_class}</td>
+ <td>{$alert_ip_src}</td>
+ <td class=\"centerAlign\">{$alert_src_p}</td>
+ <td class=\"centerAlign\">{$alert_flow}</td>
+ <td>{$alert_ip_dst}</td>
+ <td class=\"centerAlign\">{$alert_dst_p}</td>
+ <td class=\"centerAlign\">{$alert_sid}</td>
+ <td>{$alert_date}</td>
+ </tr>\n";
+ }
+
+// <script type="text/javascript">
+// var myTable = {};
+// window.addEvent('domready', function(){
+// myTable = new sortableTable('myTable', {overCls: 'over', onClick: function(){alert(this.id)}});
+// });
+// </script>
+
+ }
+}
+
+?>
+ </tbody>
+ </table>
+ </td>
+</table>
+
<?php include("fend.inc"); ?>
-<meta http-equiv="refresh" content="60;url=<?php print $_SERVER['SCRIPT_NAME']; ?>">
-</body>
-</html>
-<!-- <?php echo $snort_logfile; ?> -->
-<?php
+ <script type="text/javascript">
+ var myTable = {};
+ window.addEvent('domready', function(){
+ myTable = new sortableTable('myTable', {overCls: 'over'});
+ });
+ </script>
-function dump_log_file($logfile, $tail, $withorig = true, $grepfor = "", $grepinvert = "") {
- global $g, $config;
- $logarr = "";
- exec("cat {$logfile} | /usr/bin/tail -n {$tail}", $logarr);
- foreach ($logarr as $logent) {
- if(!logent)
- continue;
- $ww_logent = $logent;
- $ww_logent = str_replace("[", " [ ", $ww_logent);
- $ww_logent = str_replace("]", " ] ", $ww_logent);
- echo "<tr valign=\"top\">\n";
- echo "<td colspan=\"2\" class=\"listr\">" . make_clickable($ww_logent) . "&nbsp;</td>\n";
- echo "</tr>\n";
- }
-}
-
-?> \ No newline at end of file
+</body>
+</html>
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-22 18:58:04 +0000