Diffstat (limited to 'config/widget-snort')
-rw-r--r--config/widget-snort/snort_alerts.inc15
-rw-r--r--config/widget-snort/snort_alerts.inc.php77
-rw-r--r--config/widget-snort/snort_alerts.js145
-rw-r--r--config/widget-snort/snort_alerts.widget.php67
-rw-r--r--config/widget-snort/snort_alerts_helper.php13
-rw-r--r--config/widget-snort/widget-snort.inc13
-rw-r--r--config/widget-snort/widget-snort.xml85
7 files changed, 415 insertions, 0 deletions
diff --git a/config/widget-snort/snort_alerts.inc b/config/widget-snort/snort_alerts.inc
new file mode 100644
index 00000000..d6e3b0ca
--- /dev/null
+++ b/config/widget-snort/snort_alerts.inc
@@ -0,0 +1,15 @@
+<?php
+
+require_once("includes/snort_alerts.inc.php");
+
+$snort_alerts_title = "Snort Alerts";
+$snort_alerts_title_link = "snort_alerts.php";
+
+$snort_alerts_logfile = "{$g['varlog_path']}/snort/alert";
+$nentries = 5;
+$snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries);
+
+/* AJAX related routines */
+handle_snort_ajax($snort_alerts_logfile, $nentries = 5);
+
+?> \ No newline at end of file
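Review bot: The call `handle_snort_ajax($snort_alerts_logfile, $nentries = 5);` on the last code line performs an assignment inside the argument list rather than naming a parameter; `$nentries` is already set to 5 a few lines above, so pass it directly: `handle_snort_ajax($snort_alerts_logfile, $nentries);`. The file also reads `$g['varlog_path']` without a `global $g;` declaration, which presumably works only because the dashboard evaluates this include in a scope where `$g` is visible; a one-line comment such as `/* included by the dashboard; $g and $config are in scope here */` would make that dependency explicit.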
diff --git a/config/widget-snort/snort_alerts.inc.php b/config/widget-snort/snort_alerts.inc.php
new file mode 100644
index 00000000..99e3ee9f
--- /dev/null
+++ b/config/widget-snort/snort_alerts.inc.php
@@ -0,0 +1,77 @@
+<?
+function get_snort_alerts($snort_alerts, $nentries, $tail = 20) {
+ global $config, $g;
+ $logarr = "";
+ /* Always do a reverse tail, to be sure we're grabbing the 'end' of the alerts. */
+ exec("/usr/bin/tail -r -n {$tail} {$snort_alerts}", $logarr);
+
+ $snortalerts = array();
+
+ $counter = 0;
+
+ foreach ($logarr as $logent) {
+ if($counter >= $nentries)
+ break;
+
+ $alert = parse_snort_alert_line($logent);
+ if ($alert != "") {
+ $counter++;
+ $snortalerts[] = $alert;
+ }
+
+ }
+ /* Since the rules are in reverse order, flip them around if needed based on the user's preference */
+ return isset($config['syslog']['reverse']) ? $snortalerts : array_reverse($snortalerts);
+}
+
+function parse_snort_alert_line($line) {
+ $log_split = "";
+
+ preg_match("/^(.*)\s+\[\*\*\]\s+\[(\d+\:\d+:\d+)\]\s(.*)\s(.*)\s+\[\*\*\].*\s+\[Priority:\s(\d+)\]\s{(.*)}\s+(.*)\s->\s(.*)$/U", $line, $log_split);
+
+ list($all, $alert['time'], $alert['rule'], $alert['category'], $alert['descr'],
+ $alert['priority'], $alert['proto'], $alert['src'], $alert['dst']) = $log_split;
+
+ $usableline = true;
+
+ if(trim($alert['src']) == "")
+ $usableline = false;
+ if(trim($alert['dst']) == "")
+ $usableline = false;
+
+ if($usableline == true) {
+ return $alert;
+ } else {
+ if($g['debug']) {
+ log_error("There was a error parsing line: $line. Please report to mailing list or forum.");
+ }
+ return "";
+ }
+}
+
+/* AJAX specific handlers */
+function handle_snort_ajax($snort_alerts_logfile, $nentries = 5, $tail = 50) {
+ if($_GET['lastsawtime'] or $_POST['lastsawtime']) {
+ if($_GET['lastsawtime'])
+ $lastsawtime = $_GET['lastsawtime'];
+ if($_POST['lastsawtime'])
+ $lastsawtime = $_POST['lastsawtime'];
+ /* compare lastsawrule's time stamp to alert logs.
+ * afterwards return the newer records so that client
+ * can update AJAX interface screen.
+ */
+ $new_rules = "";
+ $snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries);
+ foreach($snort_alerts as $log_row) {
+ $time_regex = "";
+ preg_match("/.*([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $log_row['time'], $time_regex);
+ $row_time = strtotime($time_regex[1]);
+ if($row_time > $lastsawtime) {
+ $new_rules .= "{$log_row['time']}||{$log_row['priority']}||{$log_row['category']}||{$log_row['src']}||{$log_row['dst']}||" . time() . "||\n";
+ }
+ }
+ echo $new_rules;
+ exit;
+ }
+}
+?> \ No newline at end of file
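Review bot: `parse_snort_alert_line` ignores the return value of `preg_match` and reads `$g['debug']` without declaring `global $g;`, so a line that does not match the pattern produces undefined-index notices from the `list()` assignment and the `log_error` debug branch can never fire. Guard the parse with `if (!preg_match($pattern, $line, $log_split)) return "";` and add `global $g;` at the top of the function. In `handle_snort_ajax` the `$_GET['lastsawtime']`/`$_POST['lastsawtime']` lookups are made without `isset()` and the raw string is then compared against an integer timestamp; read it once as `$lastsawtime = (int) (isset($_POST['lastsawtime']) ? $_POST['lastsawtime'] : $_GET['lastsawtime']);` after an `isset()` check. `get_snort_alerts` interpolates `$tail` and `$snort_alerts` unquoted into the `exec()` command line — both come from fixed callers today, but `escapeshellarg($snort_alerts)` and `(int) $tail` cost nothing and keep that true if a caller changes. The file opens with the short tag `<?` rather than `<?php`, which breaks on any PHP build with `short_open_tag` disabled.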
diff --git a/config/widget-snort/snort_alerts.js b/config/widget-snort/snort_alerts.js
new file mode 100644
index 00000000..48c97d6c
--- /dev/null
+++ b/config/widget-snort/snort_alerts.js
@@ -0,0 +1,145 @@
+
+snortlastsawtime = '<?php echo time(); ?>';
+var snortlines = Array();
+var snorttimer;
+var snortupdateDelay = 25500;
+var snortisBusy = false;
+var snortisPaused = false;
+
+<?php
+ if(isset($config['syslog']['reverse']))
+ echo "var isReverse = true;\n";
+ else
+ echo "var isReverse = false;\n";
+?>
+
+if (typeof getURL == 'undefined') {
+ getURL = function(url, callback) {
+ if (!url)
+ throw 'No URL for getURL';
+ try {
+ if (typeof callback.operationComplete == 'function')
+ callback = callback.operationComplete;
+ } catch (e) {}
+ if (typeof callback != 'function')
+ throw 'No callback function for getURL';
+ var http_request = null;
+ if (typeof XMLHttpRequest != 'undefined') {
+ http_request = new XMLHttpRequest();
+ }
+ else if (typeof ActiveXObject != 'undefined') {
+ try {
+ http_request = new ActiveXObject('Msxml2.XMLHTTP');
+ } catch (e) {
+ try {
+ http_request = new ActiveXObject('Microsoft.XMLHTTP');
+ } catch (e) {}
+ }
+ }
+ if (!http_request)
+ throw 'Both getURL and XMLHttpRequest are undefined';
+ http_request.onreadystatechange = function() {
+ if (http_request.readyState == 4) {
+ callback( { success : true,
+ content : http_request.responseText,
+ contentType : http_request.getResponseHeader("Content-Type") } );
+ }
+ }
+ http_request.open('GET', url, true);
+ http_request.send(null);
+ }
+}
+
+function snort_alerts_fetch_new_rules() {
+ if(snortisPaused)
+ return;
+ if(snortisBusy)
+ return;
+ snortisBusy = true;
+ getURL('widgets/helpers/snort_alerts_helper.php?lastsawtime=' + snortlastsawtime, snort_alerts_fetch_new_rules_callback);
+}
+function snort_alerts_fetch_new_rules_callback(callback_data) {
+ if(snortisPaused)
+ return;
+
+ var data_split;
+ var new_data_to_add = Array();
+ var data = callback_data.content;
+
+ data_split = data.split("\n");
+
+ for(var x=0; x<data_split.length-1; x++) {
+ /* loop through rows */
+ row_split = data_split[x].split("||");
+ var line = '';
+ line = '<td width="5%" class="listr">' + row_split[1] + '</td>';
+ line += '<td width="5%" class="listr">' + row_split[2] + '</td>';
+ line += '<td width="45%" class="listr">' + row_split[3] + '</td>';
+ line += '<td width="45%" class="listr">' + row_split[4] + '</td>';
+ snortlastsawtime = row_split[5];
+ new_data_to_add[new_data_to_add.length] = line;
+ }
+ snort_alerts_update_div_rows(new_data_to_add);
+ snortisBusy = false;
+}
+function snort_alerts_update_div_rows(data) {
+ if(snortisPaused)
+ return;
+
+ var isIE = navigator.appName.indexOf('Microsoft') != -1;
+ var isSafari = navigator.userAgent.indexOf('Safari') != -1;
+ var isOpera = navigator.userAgent.indexOf('Opera') != -1;
+ var rulestable = document.getElementById('snort_alerts');
+ var rows = rulestable.getElementsByTagName('tr');
+ var showanim = 1;
+ if (isIE) {
+ showanim = 0;
+ }
+ //alert(data.length);
+ for(var x=0; x<data.length; x++) {
+ var numrows = rows.length;
+ /* if reverse logging is enabled we need to show the
+ * records in a reverse order with new items appearing
+ * on the top
+ */
+ if(isReverse == false) {
+ for (var i = 1; i < numrows; i++) {
+ nextrecord = i + 1;
+ if(nextrecord < numrows)
+ rows[i].innerHTML = rows[nextrecord].innerHTML;
+ }
+ } else {
+ for (var i = numrows; i > 0; i--) {
+ nextrecord = i + 1;
+ if(nextrecord < numrows)
+ rows[nextrecord].innerHTML = rows[i].innerHTML;
+ }
+ }
+ var item = document.getElementById('snort-firstrow');
+ if(x == data.length-1) {
+ /* nothing */
+ showanim = false;
+ } else {
+ showanim = false;
+ }
+ if (showanim) {
+ item.style.display = 'none';
+ item.innerHTML = data[x];
+ new Effect.Appear(item);
+ } else {
+ item.innerHTML = data[x];
+ }
+ }
+ /* rechedule AJAX interval */
+ //snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay);
+}
+function snort_alerts_toggle_pause() {
+ if(snortisPaused) {
+ snortisPaused = false;
+ snort_alerts_fetch_new_rules();
+ } else {
+ snortisPaused = true;
+ }
+}
+/* start local AJAX engine */
+snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay);
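Review bot: `snort_alerts_fetch_new_rules_callback` concatenates `row_split[1]` through `row_split[4]` straight into table-cell HTML, so whatever is in the alert's priority/category/src/dst fields reaches `innerHTML` unescaped; the simplest fix is to pass each field through `htmlspecialchars()` in `handle_snort_ajax` before it is joined with `||`, or to build the cells with `document.createTextNode` here. In `snort_alerts_update_div_rows` both branches of `if(x == data.length-1)` set `showanim = false`, so the `Effect.Appear` path and the `isIE`/`isSafari`/`isOpera` detection are dead code. `row_split`, `nextrecord` and `snortlastsawtime` are assigned without `var` and become implicit globals; declare them. Unless the web server routes `/widgets/javascript/*.js` through PHP, the `<?php ... ?>` blocks at the top are sent to the browser verbatim and `snortlastsawtime`/`isReverse` are never defined — worth confirming against how the other dashboard widgets ship their scripts. The final `setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay)` can take the function reference instead of a string to be evaluated.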
diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php
new file mode 100644
index 00000000..22bd1b69
--- /dev/null
+++ b/config/widget-snort/snort_alerts.widget.php
@@ -0,0 +1,67 @@
+<?php
+/*
+ snort_alerts.widget.php
+ Copyright (C) 2009 Jim Pingle
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INClUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $config, $g;
+
+?>
+<table width="100%" border="0" cellspacing="0" cellpadding="0">
+ <tbody>
+ <tr class="snort-alert-header">
+ <td width="5%" class="widgetsubheader">Pri</td>
+ <td width="5%" class="widgetsubheader">Category</td>
+ <td width="45%" class="widgetsubheader">Src</td>
+ <td width="45%" class="widgetsubheader">Dst</td>
+ </tr>
+<?php $counter=0;
+ foreach ($snort_alerts as $alert) { ?>
+
+ <?php
+ if(isset($config['syslog']['reverse'])) {
+ /* honour reverse logging setting */
+ if($counter == 0)
+ $activerow = " id=\"snort-firstrow\"";
+ else
+ $activerow = "";
+
+ } else {
+ /* non-reverse logging */
+ if($counter == count($snort_alerts) - 1)
+ $activerow = " id=\"snort-firstrow\"";
+ else
+ $activerow = "";
+ }
+ ?>
+
+ <tr class="snort-alert-entry" <?php echo $activerow; ?>>
+ <td width="5%" class="listr"><?= $alert["priority"] ?></td>
+ <td width="5%" class="listr"><?= $alert["category"] ?></td>
+ <td width="45%" class="listr"><?= $alert["src"] ?></td>
+ <td width="45%" class="listr"><?= $alert["dst"] ?></td>
+ </tr>
+<?php $counter++;
+ } ?>
+ </tbody>
+</table>
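Review bot: The four `<?= $alert[...] ?>` cells print the parsed log fields without `htmlspecialchars()`, while the JS refresh path rewrites the same cells; escape here with `<?= htmlspecialchars($alert["category"]) ?>` (and likewise for priority, src and dst) so the initial render and the AJAX path agree on encoding. When `$snort_alerts` is empty the loop renders no row, so nothing carries `id="snort-firstrow"`, and the JS's `document.getElementById('snort-firstrow')` returns null on the first refresh — emit a placeholder `<tr id="snort-firstrow">` with empty cells in that case. `$snort_alerts` is used without being declared in this file; a one-line comment noting that it is populated by `snort_alerts.inc` would help the next reader.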
diff --git a/config/widget-snort/snort_alerts_helper.php b/config/widget-snort/snort_alerts_helper.php
new file mode 100644
index 00000000..0e7b4fad
--- /dev/null
+++ b/config/widget-snort/snort_alerts_helper.php
@@ -0,0 +1,13 @@
+<?php
+require("guiconfig.inc");
+
+require_once("includes/snort_alerts.inc.php");
+
+$snort_alerts_logfile = "{$g['varlog_path']}/snort/alert";
+$nentries = 5;
+handle_snort_ajax($snort_alerts_logfile, $nentries);
+
+?>
+<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script>
+<script src="/javascript/scriptaculous/scriptaculous.js" type="text/javascript"></script>
+<script src="/widgets/javascript/snort_alerts.js" type="text/javascript"></script>
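Review bot: The log path and `$nentries = 5` are duplicated between this helper and `snort_alerts.inc`, so a change to one silently desynchronises the initial render from the AJAX refresh; define both once in `snort_alerts.inc.php` and reference them from both files. When `lastsawtime` is absent `handle_snort_ajax` returns without output and the helper then emits three `<script>` tags — presumably the widget page includes this file to load its scripts, but a comment stating the two roles of this endpoint would make that explicit.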
diff --git a/config/widget-snort/widget-snort.inc b/config/widget-snort/widget-snort.inc
new file mode 100644
index 00000000..584e5f2d
--- /dev/null
+++ b/config/widget-snort/widget-snort.inc
@@ -0,0 +1,13 @@
+<?php
+
+function widget_snort_uninstall() {
+
+ unlink("/usr/local/www/includes/snort_alerts.inc.php");
+ unlink("/usr/local/www/widgets/helpers/snort_alerts_helper.php");
+ unlink("/usr/local/www/widgets/include/snort_alerts.inc");
+ unlink("/usr/local/www/widgets/javascript/snort_alerts.js");
+ unlink("/usr/local/www/widgets/widgets/snort_alerts.widget.php");
+
+}
+
+?> \ No newline at end of file
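Review bot: `widget_snort_uninstall` calls `unlink()` on five fixed paths without checking that they exist or that the call succeeded, so an uninstall after a partial install emits a PHP warning per missing file. Collect the paths in an array and `foreach ($files as $f) { if (is_file($f)) unlink($f); }`, reporting through `log_error()` when a removal fails.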
diff --git a/config/widget-snort/widget-snort.xml b/config/widget-snort/widget-snort.xml
new file mode 100644
index 00000000..b32a27d7
--- /dev/null
+++ b/config/widget-snort/widget-snort.xml
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ widget-snort.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2009 Jim Pingle
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Snort widget add-on for Dashboard package</description>
+ <requirements>Dashboard package and Snort</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>widget-snort</name>
+ <version>0.1</version>
+ <title>Widget - Snort</title>
+ <include_file>/usr/local/pkg/widget-snort.inc</include_file>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/widget-snort/widget-snort.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/includes/</prefix>
+ <chmod>0644</chmod>
+ <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.inc.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/widgets/helpers/</prefix>
+ <chmod>0644</chmod>
+ <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts_helper.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/widgets/include/</prefix>
+ <chmod>0644</chmod>
+ <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/widgets/javascript/</prefix>
+ <chmod>0644</chmod>
+ <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.js</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/widgets/widgets/</prefix>
+ <chmod>0644</chmod>
+ <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.widget.php</item>
+ </additional_files_needed>
+ <custom_php_deinstall_command>
+ widget_snort_uninstall();
+ </custom_php_deinstall_command>
+</packagegui>
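Review bot: `<chmod>077</chmod>` for `/usr/local/pkg/widget-snort.inc` grants no permissions to the owner and read/write/execute to group and others, which both breaks the file for its owner and leaves the include that `custom_php_deinstall_command` executes world-writable; every other entry uses `0644`, so this is almost certainly meant to be `<chmod>0644</chmod>`.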