Diffstat (limited to 'config/suricata/suricata_alerts.php')
-rw-r--r-- | config/suricata/suricata_alerts.php | 578 |
1 files changed, 578 insertions, 0 deletions
diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php
new file mode 100644
index 00000000..d21f7388
--- /dev/null
+++ b/config/suricata/suricata_alerts.php
@@ -0,0 +1,578 @@ +<?php +/* + * suricata_alerts.php + * part of pfSense + * + * Copyright (C) 2014 Bill Meeks + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +require_once("guiconfig.inc"); +require_once("/usr/local/pkg/suricata/suricata.inc"); + +$supplist = array(); + +function suricata_is_alert_globally_suppressed($list, $gid, $sid) { + + /************************************************/ + /* Checks the passed $gid:$sid to see if it has */ + /* been globally suppressed. If true, then any */ + /* "track by_src" or "track by_dst" options are */ + /* disabled since they are overridden by the */ + /* global suppression of the $gid:$sid. */ + /************************************************/ + + /* If entry has a child array, then it's by src or dst ip. 
*/ + /* So if there is a child array or the keys are not set, */ + /* then this gid:sid is not globally suppressed. */ + if (is_array($list[$gid][$sid])) + return false; + elseif (!isset($list[$gid][$sid])) + return false; + else + return true; +} + +function suricata_add_supplist_entry($suppress) { + + /************************************************/ + /* Adds the passed entry to the Suppress List */ + /* for the active interface. If a Suppress */ + /* List is defined for the interface, it is */ + /* used. If no list is defined, a new default */ + /* list is created using the interface name. */ + /* */ + /* On Entry: */ + /* $suppress --> suppression entry text */ + /* */ + /* Returns: */ + /* TRUE if successful or FALSE on failure */ + /************************************************/ + + global $config, $a_instance, $instanceid; + + if (!is_array($config['installedpackages']['suricata']['suppress'])) + $config['installedpackages']['suricata']['suppress'] = array(); + if (!is_array($config['installedpackages']['suricata']['suppress']['item'])) + $config['installedpackages']['suricata']['suppress']['item'] = array(); + $a_suppress = &$config['installedpackages']['suricata']['suppress']['item']; + + $found_list = false; + + /* If no Suppress List is set for the interface, then create one with the interface name */ + if (empty($a_instance[$instanceid]['suppresslistname']) || $a_instance[$instanceid]['suppresslistname'] == 'default') { + $s_list = array(); + $s_list['uuid'] = uniqid(); + $s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress" . "_" . 
$s_list['uuid']; + $s_list['descr'] = "Auto-generated list for Alert suppression"; + $s_list['suppresspassthru'] = base64_encode($suppress); + $a_suppress[] = $s_list; + $a_instance[$instanceid]['suppresslistname'] = $s_list['name']; + $found_list = true; + } else { + /* If we get here, a Suppress List is defined for the interface so see if we can find it */ + foreach ($a_suppress as $a_id => $alist) { + if ($alist['name'] == $a_instance[$instanceid]['suppresslistname']) { + $found_list = true; + if (!empty($alist['suppresspassthru'])) { + $tmplist = base64_decode($alist['suppresspassthru']); + $tmplist .= "\n{$suppress}"; + $alist['suppresspassthru'] = base64_encode($tmplist); + $a_suppress[$a_id] = $alist; + } + else { + $alist['suppresspassthru'] = base64_encode($suppress); + $a_suppress[$a_id] = $alist; + } + } + } + } + + /* If we created a new list or updated an existing one, save the change, */ + /* tell Snort to load it, and return true; otherwise return false. */ + if ($found_list) { + write_config(); + sync_suricata_package_config(); + suricata_reload_config($a_instance[$instanceid]); + return true; + } + else + return false; +} + +if ($_GET['instance']) + $instanceid = $_GET['instance']; +if ($_POST['instance']) + $instanceid = $_POST['instance']; +if (empty($instanceid)) + $instanceid = 0; + +if (!is_array($config['installedpackages']['suricata']['rule'])) + $config['installedpackages']['suricata']['rule'] = array(); +$a_instance = &$config['installedpackages']['suricata']['rule']; +$suricata_uuid = $a_instance[$instanceid]['uuid']; +$if_real = suricata_get_real_interface($a_instance[$instanceid]['interface']); +$suricatalogdir = SURICATALOGDIR; + +// Load up the arrays of force-enabled and force-disabled SIDs +$enablesid = suricata_load_sid_mods($a_instance[$instanceid]['rule_sid_on']); +$disablesid = suricata_load_sid_mods($a_instance[$instanceid]['rule_sid_off']); + +$pconfig = array(); +if 
(is_array($config['installedpackages']['suricata']['alertsblocks'])) { + $pconfig['arefresh'] = $config['installedpackages']['suricata']['alertsblocks']['arefresh']; + $pconfig['alertnumber'] = $config['installedpackages']['suricata']['alertsblocks']['alertnumber']; +} + +if (empty($pconfig['alertnumber'])) + $pconfig['alertnumber'] = '250'; +if (empty($pconfig['arefresh'])) + $pconfig['arefresh'] = 'off'; +$anentries = $pconfig['alertnumber']; + +if ($_POST['save']) { + if (!is_array($config['installedpackages']['suricata']['alertsblocks'])) + $config['installedpackages']['suricata']['alertsblocks'] = array(); + $config['installedpackages']['suricata']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? 'on' : 'off'; + $config['installedpackages']['suricata']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; + + write_config(); + + header("Location: /suricata/suricata_alerts.php?instance={$instanceid}"); + exit; +} + +//if ($_POST['todelete'] || $_GET['todelete']) { +// $ip = ""; +// if($_POST['todelete']) +// $ip = $_POST['todelete']; +// else if($_GET['todelete']) +// $ip = $_GET['todelete']; +// if (is_ipaddr($ip)) { +// exec("/sbin/pfctl -t snort2c -T delete {$ip}"); +// $savemsg = gettext("Host IP address {$ip} has been removed from the Blocked Table."); +// } +//} + +if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { + if (empty($_GET['descr'])) + $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; + else + $suppress = "#{$_GET['descr']}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; + + /* Add the new entry to the Suppress List */ + if (suricata_add_supplist_entry($suppress)) + $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."); + else + $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); 
+} + +if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip") && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { + if ($_GET['act'] == "addsuppress_srcip") + $method = "by_src"; + else + $method = "by_dst"; + + /* Check for valid IP addresses, exit if not valid */ + if (is_ipaddr($_GET['ip']) || is_ipaddrv6($_GET['ip'])) { + if (empty($_GET['descr'])) + $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}\n"; + else + $suppress = "#{$_GET['descr']}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}\n"; + } + else { + header("Location: /suricata/suricata_alerts.php?instance={$instanceid}"); + exit; + } + + /* Add the new entry to the Suppress List */ + if (suricata_add_supplist_entry($suppress)) + $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List."); + else + /* We did not find the defined list, so notify the user with an error */ + $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); +} + +if ($_GET['act'] == "togglesid" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { + // Get the GID tag embedded in the clicked rule icon. + $gid = $_GET['gen_id']; + + // Get the SID tag embedded in the clicked rule icon. + $sid= $_GET['sidid']; + + // See if the target SID is in our list of modified SIDs, + // and toggle it if present. + if (isset($enablesid[$gid][$sid])) + unset($enablesid[$gid][$sid]); + if (isset($disablesid[$gid][$sid])) + unset($disablesid[$gid][$sid]); + elseif (!isset($disablesid[$gid][$sid])) + $disablesid[$gid][$sid] = "disablesid"; + + // Write the updated enablesid and disablesid values to the config file. 
+ $tmp = ""; + foreach (array_keys($enablesid) as $k1) { + foreach (array_keys($enablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; + } + $tmp = rtrim($tmp, "||"); + + if (!empty($tmp)) + $a_instance[$instanceid]['rule_sid_on'] = $tmp; + else + unset($a_instance[$instanceid]['rule_sid_on']); + + $tmp = ""; + foreach (array_keys($disablesid) as $k1) { + foreach (array_keys($disablesid[$k1]) as $k2) + $tmp .= "{$k1}:{$k2}||"; + } + $tmp = rtrim($tmp, "||"); + + if (!empty($tmp)) + $a_instance[$instanceid]['rule_sid_off'] = $tmp; + else + unset($a_instance[$instanceid]['rule_sid_off']); + + /* Update the config.xml file. */ + write_config(); + + /*************************************************/ + /* Update the suricata.yaml file and rebuild the */ + /* rules for this interface. */ + /*************************************************/ + $rebuild_rules = true; + suricata_generate_yaml($a_instance[$instanceid]); + $rebuild_rules = false; + + /* Signal Suricata to live-load the new rules */ + suricata_reload_config($a_instance[$instanceid]); + + $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Suricata is 'live-reloading' the new rules list. 
Please wait at least 30 secs for the process to complete before toggling additional rules."); +} + +if ($_GET['action'] == "clear" || $_POST['delete']) { + conf_mount_rw(); + suricata_post_delete_logs($suricata_uuid); + $fd = @fopen("{$suricatalogdir}suricata_{$if_real}{$suricata_uuid}/alerts.log", "w+"); + if ($fd) + fclose($fd); + conf_mount_ro(); + /* XXX: This is needed if suricata is run as suricata user */ + mwexec('/bin/chmod 660 {$suricatalogdir}*', true); + if (file_exists("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) + mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid -a"); + header("Location: /suricata/suricata_alerts.php?instance={$instanceid}"); + exit; +} + +if ($_POST['download']) { + $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); + $file_name = "suricata_logs_{$save_date}_{$if_real}.tar.gz"; + exec("cd {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} && /usr/bin/tar -czf /tmp/{$file_name} *"); + + if (file_exists("/tmp/{$file_name}")) { + ob_start(); //important or other posts will fail + if (isset($_SERVER['HTTPS'])) { + header('Pragma: '); + header('Cache-Control: '); + } else { + header("Pragma: private"); + header("Cache-Control: private, must-revalidate"); + } + header("Content-Type: application/octet-stream"); + header("Content-length: " . 
filesize("/tmp/{$file_name}")); + header("Content-disposition: attachment; filename = {$file_name}"); + ob_end_clean(); //important or other post will fail + readfile("/tmp/{$file_name}"); + + // Clean up the temp file + @unlink("/tmp/{$file_name}"); + } + else + $savemsg = gettext("An error occurred while creating archive"); +} + +/* Load up an array with the current Suppression List GID,SID values */ +$supplist = suricata_load_suppress_sigs($a_instance[$instanceid], true); + +$pgtitle = gettext("Suricata: Alerts"); +include_once("head.inc"); + +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<script src="/javascript/filter_log.js" type="text/javascript"></script> +<?php +include_once("fbegin.inc"); + +/* refresh every 60 secs */ +if ($pconfig['arefresh'] == 'on') + echo "<meta http-equiv=\"refresh\" content=\"60;url=/suricata/suricata_alerts.php?instance={$instanceid}\" />\n"; +?> + +<?php if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} + /* Display Alert message */ + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } + if ($savemsg) { + print_info_box($savemsg); + } +?> +<form action="/suricata/suricata_alerts.php" method="post" id="formalert"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<tr><td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("Suricata Interfaces"), false, "/suricata/suricata_interfaces.php"); + $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php"); + $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); + $tab_array[] = array(gettext("Alerts"), true, "/suricata/suricata_alerts.php?instance={$instanceid}"); + $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); + $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); + display_top_tabs($tab_array); +?> +</td></tr> +<tr> + <td><div 
id="mainarea"> + <table id="maintable" class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> + <tr> + <td colspan="2" class="listtopic"><?php echo gettext("Alert Log View Settings"); ?></td> + </tr> + <tr> + <td width="22%" class="vncell"><?php echo gettext('Instance to Inspect'); ?></td> + <td width="78%" class="vtable"> + <select name="instance" id="instance" class="formselect" onChange="document.getElementById('formalert').method='get';document.getElementById('formalert').submit()"> + <?php + foreach ($a_instance as $id => $instance) { + $selected = ""; + if ($id == $instanceid) + $selected = "selected"; + echo "<option value='{$id}' {$selected}> (" . suricata_get_friendly_interface($instance['interface']) . "){$instance['descr']}</option>\n"; + } + ?> + </select> <?php echo gettext('Choose which instance alerts you want to inspect.'); ?> + </td> + <tr> + <td width="22%" class="vncell"><?php echo gettext('Save or Remove Logs'); ?></td> + <td width="78%" class="vtable"> + <input name="download" type="submit" class="formbtns" value="Download"> <?php echo gettext('All ' . + 'log files will be saved.'); ?> <a href="/suricata/suricata_alerts.php?action=clear&instance=<?=$instanceid;?>"> + <input name="delete" type="submit" class="formbtns" value="Clear" + onclick="return confirm('Do you really want to remove all instance logs?')"></a> + <span class="red"><strong><?php echo gettext('Warning:'); ?></strong></span> <?php echo ' ' . 
gettext('all log files will be deleted.'); ?> + </td> + </tr> + <tr> + <td width="22%" class="vncell"><?php echo gettext('Auto Refresh and Log View'); ?></td> + <td width="78%" class="vtable"> + <input name="save" type="submit" class="formbtns" value="Save"> + <?php echo gettext('Refresh'); ?> <input name="arefresh" type="checkbox" value="on" + <?php if ($config['installedpackages']['suricata']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> + <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> + <input name="alertnumber" type="text" class="formfld unknown" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> + <?php printf(gettext('Enter number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> + </td> + </tr> + <tr> + <td colspan="2" class="listtopic"><?php printf(gettext("Last %s Alert Entries"), $anentries); ?> + <?php echo gettext("(Most recent entries are listed first)"); ?></td> + </tr> + <tr> + <td width="100%" colspan="2"> + <table id="myTable" style="table-layout: fixed;" width="100%" class="sortable" border="1" cellpadding="0" cellspacing="0"> + <colgroup> + <col width="10%" align="center" axis="date"> + <col width="41" align="center" axis="number"> + <col width="64" align="center" axis="string"> + <col width="10%" axis="string"> + <col width="13%" align="center" axis="string"> + <col width="8%" align="center" axis="string"> + <col width="13%" align="center" axis="string"> + <col width="8%" align="center" axis="string"> + <col width="9%" align="center" axis="number"> + <col axis="string"> + </colgroup> + <thead> + <tr> + <th class="listhdrr" axis="date"><?php echo gettext("DATE"); ?></th> + <th class="listhdrr" axis="number"><?php echo gettext("PRI"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("PROTO"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("CLASS"); ?></th> + <th class="listhdrr" 
axis="string"><?php echo gettext("SRC"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("SPORT"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("DST"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("DPORT"); ?></th> + <th class="listhdrr" axis="number"><?php echo gettext("SID"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("DESCRIPTION"); ?></th> + </tr> + </thead> + <tbody> + <?php + +/* make sure alert file exists */ +if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log")) { + exec("tail -{$anentries} -r /var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > /tmp/alerts_{$suricata_uuid}"); + if (file_exists("/tmp/alerts_{$suricata_uuid}")) { + $tmpblocked = array_flip(suricata_get_blocked_ips()); + $counter = 0; + /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ + /* File format timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,src,srcport,dst,dstport */ + $fd = fopen("/tmp/alerts_{$suricata_uuid}", "r"); + while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { + if(count($fields) < 12) + continue; + + /* Time */ + $alert_time = substr($fields[0], strpos($fields[0], '-')+1, -7); + /* Date */ + $alert_date = trim(substr($fields[0], 0, strpos($fields[0], '-'))); + /* Description */ + $alert_descr = $fields[5]; + $alert_descr_url = urlencode($fields[5]); + /* Priority */ + $alert_priority = $fields[7]; + /* Protocol */ + $alert_proto = $fields[8]; + /* IP SRC */ + $alert_ip_src = $fields[9]; + /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ + $alert_ip_src = str_replace(":", ":​", $alert_ip_src); + /* Add Reverse DNS lookup icons */ + $alert_ip_src .= "<br/><a onclick=\"javascript:getURL('/diag_dns.php?host={$fields[9]}&dialog_output=true', outputrule);\">"; + $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_log_d.gif' width='11' height='11' border='0' "; + 
$alert_ip_src .= "title='" . gettext("Resolve host via reverse DNS lookup (quick pop-up)") . "' style=\"cursor: pointer;\"></a> "; + $alert_ip_src .= "<a href='/diag_dns.php?host={$fields[9]}&instance={$instanceid}'>"; + $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' "; + $alert_ip_src .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>"; + /* Add icons for auto-adding to Suppress List if appropriate */ + if (!suricata_is_alert_globally_suppressed($supplist, $fields[2], $fields[3]) && + !isset($supplist[$fields[2]][$fields[3]]['by_src'][$fields[9]])) { + $alert_ip_src .= " <a href='?instance={$instanceid}&act=addsuppress_srcip&sidid={$fields[3]}&gen_id={$fields[2]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[9])) . "'>"; + $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; + $alert_ip_src .= "title='" . gettext("Add this alert to the Suppress List and track by_src IP") . "'></a>"; + } + elseif (isset($supplist[$fields[2]][$fields[3]]['by_src'][$fields[9]])) { + $alert_ip_src .= " <img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; + $alert_ip_src .= "title='" . gettext("This alert track by_src IP is already in the Suppress List") . "'/>"; + } + /* Add icon for auto-removing from Blocked Table if required */ + if (isset($tmpblocked[$fields[9]])) { + $alert_ip_src .= " "; + $alert_ip_src .= "<a href='?instance={$instanceid}&todelete=" . trim(urlencode($fields[9])) . "'> + <img title=\"" . gettext("Remove host from Blocked Table") . 
"\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>"; + } + /* IP SRC Port */ + $alert_src_p = $fields[10]; + /* IP Destination */ + $alert_ip_dst = $fields[11]; + /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ + $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); + /* Add Reverse DNS lookup icons */ + $alert_ip_dst .= "<br/><a onclick=\"javascript:getURL('/diag_dns.php?host={$fields[11]}&dialog_output=true', outputrule);\">"; + $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_log_d.gif' width='11' height='11' border='0' "; + $alert_ip_dst .= "title='" . gettext("Resolve host via reverse DNS lookup (quick pop-up)") . "' style=\"cursor: pointer;\"></a> "; + $alert_ip_dst .= "<a href='/diag_dns.php?host={$fields[11]}&instance={$instanceid}'>"; + $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' "; + $alert_ip_dst .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>"; + /* Add icons for auto-adding to Suppress List if appropriate */ + if (!suricata_is_alert_globally_suppressed($supplist, $fields[2], $fields[3]) && + !isset($supplist[$fields[2]][$fields[3]]['by_dst'][$fields[1]])) { + $alert_ip_dst .= " <a href='?instance={$instanceid}&act=addsuppress_dstip&sidid={$fields[3]}&gen_id={$fields[2]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[11])) . "'>"; + $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; + $alert_ip_dst .= "title='" . gettext("Add this alert to the Suppress List and track by_dst IP") . 
"'></a>"; + } + elseif (isset($supplist[$fields[2]][$fields[3]]['by_dst'][$fields[11]])) { + $alert_ip_dst .= " <img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; + $alert_ip_dst .= "title='" . gettext("This alert track by_dst IP is already in the Suppress List") . "'/>"; + } + /* Add icon for auto-removing from Blocked Table if required */ + if (isset($tmpblocked[$fields[11]])) { + $alert_ip_dst .= " "; + $alert_ip_dst .= "<a href='?instance={$instanceid}&todelete=" . trim(urlencode($fields[11])) . "'> + <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>"; + } + /* IP DST Port */ + $alert_dst_p = $fields[12]; + /* SID */ + $alert_sid_str = "{$fields[2]}:{$fields[3]}"; + if (!suricata_is_alert_globally_suppressed($supplist, $fields[2], $fields[3])) { + $sidsupplink = "<a href='?instance={$instanceid}&act=addsuppress&sidid={$fields[3]}&gen_id={$fields[2]}&descr={$alert_descr_url}'>"; + $sidsupplink .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; + $sidsupplink .= "title='" . gettext("Add this alert to the Suppress List") . "'></a>"; + } + else { + $sidsupplink = "<img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; + $sidsupplink .= "title='" . gettext("This alert is already in the Suppress List") . "'/>"; + } + /* Add icon for toggling rule state */ + if (isset($disablesid[$fields[2]][$fields[3]])) { + $sid_dsbl_link = "<a href='?instance={$instanceid}&act=togglesid&sidid={$fields[3]}&gen_id={$fields[2]}'>"; + $sid_dsbl_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_reject.gif' width='11' height='11' border='0' "; + $sid_dsbl_link .= "title='" . gettext("Rule is forced to a disabled state. 
Click to remove the force-disable action from this rule.") . "'></a>"; + } + else { + $sid_dsbl_link = "<a href='?instance={$instanceid}&act=togglesid&sidid={$fields[3]}&gen_id={$fields[2]}'>"; + $sid_dsbl_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_block.gif' width='11' height='11' border='0' "; + $sid_dsbl_link .= "title='" . gettext("Force-disable this rule and remove it from current rules set.") . "'></a>"; + } + /* DESCRIPTION */ + $alert_class = $fields[6]; + + echo "<tr> + <td class='listr' align='center'>{$alert_date}<br/>{$alert_time}</td> + <td class='listr' align='center'>{$alert_priority}</td> + <td class='listr' align='center'>{$alert_proto}</td> + <td class='listr' style=\"word-wrap:break-word;\">{$alert_class}</td> + <td class='listr' align='center'>{$alert_ip_src}</td> + <td class='listr' align='center'>{$alert_src_p}</td> + <td class='listr' align='center'>{$alert_ip_dst}</td> + <td class='listr' align='center'>{$alert_dst_p}</td> + <td class='listr' align='center'>{$alert_sid_str}<br/>{$sidsupplink} {$sid_dsbl_link}</td> + <td class='listr' style=\"word-wrap:break-word;\">{$alert_descr}</td> + </tr>\n"; + + $counter++; + } + fclose($fd); + @unlink("/tmp/alerts_{$suricata_uuid}"); + } +} +?> + </tbody> + </table> + </td> +</tr> +</table> +</div> +</td></tr> +</table> +</form> +<?php +include("fend.inc"); +?> + +</body> +</html> |
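Review bot: The `save` handler writes `$_POST['alertnumber']` to config.xml without any validation, and the alert table later interpolates that stored value into `exec("tail -{$anentries} -r ...")`, so the saved text becomes part of a shell command on every page load. Reject anything that is not a plain positive integer before `write_config()` (for example with `ctype_digit(strval($_POST['alertnumber']))`, adding to `$input_errors` otherwise) and cast at the point of use: `$anentries = (int)$pconfig['alertnumber'];`. The same file takes `$instanceid` directly from `$_GET`/`$_POST` and echoes it into the meta-refresh tag, the tab URL and every per-row link, and it prints the CSV fields read from alerts.log (`$fields[5]`, `$fields[6]`, `$fields[9]`, `$fields[11]`) into the table unescaped; cast the instance id to an integer and pass the log fields through `htmlspecialchars()` before output. The `addsuppress*`, `togglesid` and `action=clear` branches change configuration or delete logs on a GET request, which pfSense's POST-based CSRF token presumably does not cover, and `$_GET['descr']` is written into the suppress list after `#` without stripping line breaks. Separately, `mwexec('/bin/chmod 660 {$suricatalogdir}*', true)` is single-quoted so the variable is never expanded, and the `count($fields) < 12` guard still lets a 12-field row reach `$fields[12]`.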