aboutsummaryrefslogtreecommitdiffstats
path: root/config/suricata/suricata_alerts.widget.php
diff options
context:
space:
mode:
Diffstat (limited to 'config/suricata/suricata_alerts.widget.php')
-rw-r--r--config/suricata/suricata_alerts.widget.php72
1 files changed, 59 insertions, 13 deletions
diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php
index 21fad03d..776cead9 100644
--- a/config/suricata/suricata_alerts.widget.php
+++ b/config/suricata/suricata_alerts.widget.php
@@ -42,8 +42,8 @@ if (!is_array($config['installedpackages']['suricata']['rule']))
$a_instance = &$config['installedpackages']['suricata']['rule'];
/* array sorting */
-function sksort(&$array, $subkey="id", $sort_ascending=false) {
- /* an empty array causes sksort to fail - this test alleviates the error */
+function suricata_sksort(&$array, $subkey="id", $sort_ascending=false) {
+ /* an empty array causes suricata_sksort to fail - this test alleviates the error */
if(empty($array))
return false;
if (count($array)){
@@ -114,12 +114,58 @@ function suricata_widget_get_alerts() {
exec("tail -{$suri_nentries} -r /var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > /tmp/surialerts_{$suricata_uuid}");
if (file_exists("/tmp/surialerts_{$suricata_uuid}")) {
- /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
- /* File format: timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,src,srcport,dst,dstport */
+ /*************** FORMAT without CSV patch -- ALERT -- ***********************************************************************************/
+ /* Line format: timestamp action[**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] {proto} src:srcport -> dst:dstport */
+ /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
+ /****************************************************************************************************************************************/
+
+ /**************** FORMAT without CSV patch -- DECODER EVENT -- **************************************************************************/
+ /* Line format: timestamp action[**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] [**] [Raw pkt: ...] */
+ /* 0 1 2 3 4 5 6 7 */
+ /************** *************************************************************************************************************************/
+
$fd = fopen("/tmp/surialerts_{$suricata_uuid}", "r");
- while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
- if(count($fields) < 13)
- continue;
+ $buf = "";
+ while (($buf = fgets($fd)) !== FALSE) {
+ $fields = array();
+ $tmp = array();
+
+ // Parse alert log entry to find the parts we want to display
+ $fields[0] = substr($buf, 0, strpos($buf, ' '));
+
+ // The regular expression match below returns an array as follows:
+ // [1] => CLASSIFICATION, [2] = PRIORITY
+ preg_match('/\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp);
+ $fields[6] = trim($tmp[1]);
+ $fields[7] = trim($tmp[2]);
+
+ // The regular expression match below looks for the PROTO, SRC and DST fields
+ // and returns an array as follows:
+ // [1] = PROTO, [2] => SRC:SPORT [3] => DST:DPORT
+ if (preg_match('/\{(.*)\}\s(.*)\s->\s(.*)/', $buf, $tmp)) {
+ // Get SRC
+ $fields[9] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':')));
+ if (is_ipaddrv6($fields[9]))
+ $fields[9] = inet_ntop(inet_pton($fields[9]));
+
+ // Get SPORT
+ $fields[10] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1));
+
+ // Get DST
+ $fields[11] = trim(substr($tmp[3], 0, strrpos($tmp[3], ':')));
+ if (is_ipaddrv6($fields[11]))
+ $fields[11] = inet_ntop(inet_pton($fields[11]));
+
+ // Get DPORT
+ $fields[12] = trim(substr($tmp[3], strrpos($tmp[3], ':') + 1));
+ }
+ else {
+ // If no PROTO and IP ADDR, then this is a DECODER EVENT
+ $fields[9] = gettext("Decoder Event");
+ $fields[10] = "";
+ $fields[11] = "";
+ $fields[12] = "";
+ }
// Create a DateTime object from the event timestamp that
// we can use to easily manipulate output formats.
@@ -130,7 +176,7 @@ function suricata_widget_get_alerts() {
if ($fields[6] == "(null)")
$fields[6] = "No classtype assigned";
- $suricata_alerts[$counter]['instanceid'] = strtoupper($a_instance[$instanceid]['interface']);
+ $suricata_alerts[$counter]['instanceid'] = strtoupper(convert_friendly_interface_to_friendly_descr($a_instance[$instanceid]['interface']));
$suricata_alerts[$counter]['timestamp'] = strval(date_timestamp_get($event_tm));
$suricata_alerts[$counter]['timeonly'] = date_format($event_tm, "H:i:s");
$suricata_alerts[$counter]['dateonly'] = date_format($event_tm, "M d");
@@ -140,15 +186,15 @@ function suricata_widget_get_alerts() {
else
$suricata_alerts[$counter]['src'] = $fields[9];
// Add the SRC PORT if not null
- if (!empty($fields[10]))
+ if (!empty($fields[10]) || $fields[10] == '0')
$suricata_alerts[$counter]['src'] .= ":" . $fields[10];
// Add square brackets around any IPv6 address
if (is_ipaddrv6($fields[11]))
$suricata_alerts[$counter]['dst'] = "[" . $fields[11] . "]";
else
$suricata_alerts[$counter]['dst'] = $fields[11];
- // Add the SRC PORT if not null
- if (!empty($fields[12]))
+ // Add the DST PORT if not null
+ if (!empty($fields[12]) || $fields[12] == '0')
$suricata_alerts[$counter]['dst'] .= ":" . $fields[12];
$suricata_alerts[$counter]['priority'] = $fields[7];
$suricata_alerts[$counter]['category'] = $fields[6];
@@ -162,9 +208,9 @@ function suricata_widget_get_alerts() {
// Sort the alerts array
if (isset($config['syslog']['reverse'])) {
- sksort($suricata_alerts, 'timestamp', false);
+ suricata_sksort($suricata_alerts, 'timestamp', false);
} else {
- sksort($suricata_alerts, 'timestamp', true);
+ suricata_sksort($suricata_alerts, 'timestamp', true);
}
return $suricata_alerts;