aboutsummaryrefslogtreecommitdiffstats
path: root/config/suricata
diff options
context:
space:
mode:
Diffstat (limited to 'config/suricata')
-rw-r--r--config/suricata/suricata_blocked.php72
1 files changed, 60 insertions, 12 deletions
diff --git a/config/suricata/suricata_blocked.php b/config/suricata/suricata_blocked.php
index c3a0c1e3..a091835d 100644
--- a/config/suricata/suricata_blocked.php
+++ b/config/suricata/suricata_blocked.php
@@ -259,19 +259,67 @@ if ($savemsg) {
foreach (glob("{$suricatalogdir}*/block.log*") as $alertfile) {
$fd = fopen($alertfile, "r");
if ($fd) {
- /* 0 1 2 3 4 5 6 7 8 9 10 */
- /* File format timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,ip,port */
- while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
- if(count($fields) != 11) {
- log_error("[suricata] ERROR: block.log entry failed to parse correctly with too many or not enough CSV entities, skipping this entry...");
- log_error("[suricata] Failed block.log entry fields are: " . print_r($fields, true));
- continue;
+
+ /*************** FORMAT for file -- BLOCK -- **************************************************************************/
+ /* Line format: timestamp action [**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] {proto} ip:port */
+ /* 0 1 2 3 4 5 6 7 8 9 10 */
+ /**********************************************************************************************************************/
+
+ $buf = "";
+ while (($buf = fgets($fd)) !== FALSE) {
+ $fields = array();
+ $tmp = array();
+
+ /***************************************************************/
+ /* Parse block log entry to find the parts we want to display. */
+ /* We parse out all the fields even though we currently use */
+ /* just a few of them. */
+ /***************************************************************/
+
+ // Field 0 is the event timestamp
+ $fields['time'] = substr($buf, 0, strpos($buf, ' '));
+
+ // Field 1 is the action
+ if (strpos($buf, '[') !== FALSE && strpos($buf, ']') !== FALSE)
+ $fields['action'] = substr($buf, strpos($buf, '[') + 1, strpos($buf, ']') - strpos($buf, '[') - 1);
+ else
+ $fields['action'] = null;
+
+ // The regular expression match below returns an array as follows:
+ // [2] => GID, [3] => SID, [4] => REV, [5] => MSG, [6] => CLASSIFICATION, [7] = PRIORITY
+ preg_match('/\[\*{2}\]\s\[((\d+):(\d+):(\d+))\]\s(.*)\[\*{2}\]\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp);
+ $fields['gid'] = trim($tmp[2]);
+ $fields['sid'] = trim($tmp[3]);
+ $fields['rev'] = trim($tmp[4]);
+ $fields['msg'] = trim($tmp[5]);
+ $fields['class'] = trim($tmp[6]);
+ $fields['priority'] = trim($tmp[7]);
+
+ // The regular expression match below looks for the PROTO, IP and PORT fields
+ // and returns an array as follows:
+ // [1] = PROTO, [2] => IP:PORT
+ if (preg_match('/\{(.*)\}\s(.*)/', $buf, $tmp)) {
+ // Get PROTO
+ $fields['proto'] = trim($tmp[1]);
+
+ // Get IP
+ $fields['ip'] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':')));
+ if (is_ipaddrv6($fields['ip']))
+ $fields['ip'] = inet_ntop(inet_pton($fields['ip']));
+
+ // Get PORT
+ $fields['port'] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1));
}
- $fields[9] = inet_pton($fields[9]);
- if (isset($tmpblocked[$fields[9]])) {
- if (!is_array($src_ip_list[$fields[9]]))
- $src_ip_list[$fields[9]] = array();
- $src_ip_list[$fields[9]][$fields[5]] = "{$fields[5]} - " . substr($fields[0], 0, -7);
+
+ // In the unlikely event we read an old log file and fail to parse
+ // out an IP address, just skip the record since we can't use it.
+ if (empty($fields['ip']))
+ continue;
+ $fields['ip'] = inet_pton($fields['ip']);
+ if (isset($tmpblocked[$fields['ip']])) {
+ if (!is_array($src_ip_list[$fields['ip']]))
+ $src_ip_list[$fields['ip']] = array();
+ $src_ip_list[$fields['ip']][$fields['msg']] = "{$fields['msg']} - " . substr($fields['time'], 0, -7);
}
}
fclose($fd);