Diffstat (limited to 'config/widget-snort')
-rw-r--r--config/widget-snort/snort_alerts.inc16
-rw-r--r--config/widget-snort/snort_alerts.inc.php93
-rw-r--r--config/widget-snort/snort_alerts.js57
-rw-r--r--config/widget-snort/snort_alerts.widget.php123
-rw-r--r--config/widget-snort/snort_alerts_helper.php13
-rw-r--r--config/widget-snort/widget-snort.inc13
-rw-r--r--config/widget-snort/widget-snort.xml26
7 files changed, 98 insertions, 243 deletions
diff --git a/config/widget-snort/snort_alerts.inc b/config/widget-snort/snort_alerts.inc
deleted file mode 100644
index 74adb4bb..00000000
--- a/config/widget-snort/snort_alerts.inc
+++ /dev/null
@@ -1,16 +0,0 @@
-<?php
-
-require_once("globals.inc");
-require_once("includes/snort_alerts.inc.php");
-
-$snort_alerts_title = "Snort Alerts";
-$snort_alerts_title_link = "snort/snort_alerts.php";
-
-$snort_alerts_logfile = "{$g['varlog_path']}/snort/alert";
-$nentries = 10;
-$snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries);
-
-/* AJAX related routines */
-handle_snort_ajax($snort_alerts_logfile, $nentries = 10);
-
-?>
diff --git a/config/widget-snort/snort_alerts.inc.php b/config/widget-snort/snort_alerts.inc.php
deleted file mode 100644
index b56ac02c..00000000
--- a/config/widget-snort/snort_alerts.inc.php
+++ /dev/null
@@ -1,93 +0,0 @@
-<?
-function get_snort_alerts($snort_alerts, $nentries, $tail = 20) {
- global $config, $g;
- $logarr = "";
- /* Always do a reverse tail, to be sure we're grabbing the 'end' of the alerts. */
- exec("/usr/bin/tail -r -n {$tail} {$snort_alerts}", $logarr);
-
- $snortalerts = array();
-
- $counter = 0;
-
- foreach ($logarr as $logent) {
- if($counter >= $nentries)
- break;
-
- $alert = parse_snort_alert_line($logent);
- if ($alert != "") {
- $counter++;
- $snortalerts[] = $alert;
- }
-
- }
- /* Since the rules are in reverse order, flip them around if needed based on the user's preference */
- return isset($config['syslog']['reverse']) ? $snortalerts : array_reverse($snortalerts);
-}
-
-function parse_snort_alert_line($line) {
- $log_split = "";
- $datesplit = "";
- preg_match("/^(.*)\s+\[\*\*\]\s+\[(\d+\:\d+:\d+)\]\s(.*)\s(.*)\s+\[\*\*\].*\s+\[Priority:\s(\d+)\]\s{(.*)}\s+(.*)\s->\s(.*)$/U", $line, $log_split);
-
- list($all, $alert['time'], $alert['rule'], $alert['category'], $alert['descr'],
- $alert['priority'], $alert['proto'], $alert['src'], $alert['dst']) = $log_split;
-
- $usableline = true;
-
- if(trim($alert['src']) == "")
- $usableline = false;
- if(trim($alert['dst']) == "")
- $usableline = false;
-
- if($usableline == true) {
- preg_match("/^(\d+)\/(\d+)-(\d+\:\d+\:\d+).\d+$/U", $alert['time'], $datesplit);
- $now_time = strtotime("now");
- $checkdate = $datesplit[1] . "/" . $datesplit[2] . "/" . date("Y");
- $fulldate = $datesplit[2] . "/" . $datesplit[1] . "/" . date("Y");
- $logdate = $checkdate . " " . $datesplit[3];
- if ($now_time < strtotime($logdate)) {
- $fulldate = $datesplit[2] . "/" . $datesplit[1] . "/" . ((int)date("Y") - 1);
- }
-
- $alert['dateonly'] = $fulldate;
- $alert['timeonly'] = $datesplit[3];
- $alert['category'] = strtoupper( substr($alert["category"],0 , 1) ) . strtolower( substr($alert["category"],1 ) );
- return $alert;
- } else {
- if($g['debug']) {
- log_error("There was a error parsing line: $line. Please report to mailing list or forum.");
- }
- return "";
- }
-}
-
-/* AJAX specific handlers */
-function handle_snort_ajax($snort_alerts_logfile, $nentries = 5, $tail = 50) {
- if($_GET['lastsawtime'] or $_POST['lastsawtime']) {
- if($_GET['lastsawtime'])
- $lastsawtime = $_GET['lastsawtime'];
- if($_POST['lastsawtime'])
- $lastsawtime = $_POST['lastsawtime'];
- /* compare lastsawrule's time stamp to alert logs.
- * afterwards return the newer records so that client
- * can update AJAX interface screen.
- */
- $new_rules = "";
- $snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries);
- foreach($snort_alerts as $log_row) {
- $time_regex = "";
- preg_match("/.*([0-9][0-9])\/([0-9][0-9])-([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $log_row['time'], $time_regex);
- $logdate = $time_regex[1] . "/" . $time_regex[2] . "/" . date("Y") . " " . $time_regex[3];
- //preg_match("/.*([0-9][0-9])\/([0-9][0-9])-([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $testsplit[1], $time_regex);
- // preg_match("/.*([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $log_row['time'], $time_regex);
- $row_time = strtotime($logdate);
- $now_time = strtotime("now");
- if($row_time > $lastsawtime and $row_time <= $nowtime) {
- $new_rules .= "{$log_row['time']}||{$log_row['priority']}||{$log_row['category']}||{$log_row['src']}||{$log_row['dst']}||" . time() . "||{$log_row['timeonly']}||{$log_row['dateonly']}" . "||\n";
- }
- }
- echo $new_rules;
- exit;
- }
-}
-?> \ No newline at end of file
diff --git a/config/widget-snort/snort_alerts.js b/config/widget-snort/snort_alerts.js
index 0cc76ab1..0c2d9ca6 100644
--- a/config/widget-snort/snort_alerts.js
+++ b/config/widget-snort/snort_alerts.js
@@ -1,63 +1,10 @@
-snortlastsawtime = '<?php echo time(); ?>';
var snortlines = Array();
var snorttimer;
var snortupdateDelay = 25500;
var snortisBusy = false;
var snortisPaused = false;
-<?php
- if(isset($config['syslog']['reverse']))
- echo "var isReverse = true;\n";
- else
- echo "var isReverse = false;\n";
-?>
-
-if (typeof getURL == 'undefined') {
- getURL = function(url, callback) {
- if (!url)
- throw 'No URL for getURL';
- try {
- if (typeof callback.operationComplete == 'function')
- callback = callback.operationComplete;
- } catch (e) {}
- if (typeof callback != 'function')
- throw 'No callback function for getURL';
- var http_request = null;
- if (typeof XMLHttpRequest != 'undefined') {
- http_request = new XMLHttpRequest();
- }
- else if (typeof ActiveXObject != 'undefined') {
- try {
- http_request = new ActiveXObject('Msxml2.XMLHTTP');
- } catch (e) {
- try {
- http_request = new ActiveXObject('Microsoft.XMLHTTP');
- } catch (e) {}
- }
- }
- if (!http_request)
- throw 'Both getURL and XMLHttpRequest are undefined';
- http_request.onreadystatechange = function() {
- if (http_request.readyState == 4) {
- callback( { success : true,
- content : http_request.responseText,
- contentType : http_request.getResponseHeader("Content-Type") } );
- }
- }
- http_request.open('GET', url, true);
- http_request.send(null);
- }
-}
-
-function snort_alerts_fetch_new_rules() {
- if(snortisPaused)
- return;
- if(snortisBusy)
- return;
- snortisBusy = true;
- getURL('widgets/helpers/snort_alerts_helper.php?lastsawtime=' + snortlastsawtime, snort_alerts_fetch_new_rules_callback);
-}
function snort_alerts_fetch_new_rules_callback(callback_data) {
if(snortisPaused)
return;
@@ -75,8 +22,6 @@ function snort_alerts_fetch_new_rules_callback(callback_data) {
line = '<td width="30%" class="listr" >' + row_split[6] + '<br>' + row_split[7]+ '</td>';
line += '<td width="40%" class="listr" >' + row_split[3] + '<br>' + row_split[4] + '</td>';
line += '<td width="40%" class="listr" >' + 'Pri : ' + row_split[1] + '<br>' + 'Cat : ' + row_split[2] + '</td>';
- snortlastsawtime = row_split[5];
- //alert(row_split[0]);
new_data_to_add[new_data_to_add.length] = line;
}
snort_alerts_update_div_rows(new_data_to_add);
@@ -131,7 +76,7 @@ function snort_alerts_update_div_rows(data) {
}
}
/* rechedule AJAX interval */
- //snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay);
+ snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay);
}
function snort_alerts_toggle_pause() {
if(snortisPaused) {
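Review bot: The re-enabled `snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay);` schedules a function this same commit deletes from the top of the file (together with `getURL`), and the `snort_alerts_helper.php` endpoint it used to poll is deleted as well, so once this line runs the timer will throw a ReferenceError every 25.5 s. Either leave the line commented out until a replacement poller exists, or add a `snort_alerts_fetch_new_rules` that targets whatever endpoint replaces the helper, e.g. `function snort_alerts_fetch_new_rules() { if (snortisPaused || snortisBusy) return; snortisBusy = true; /* fetch new rows here */ }`. With no fetcher, `snort_alerts_fetch_new_rules_callback` and `snortlines` are dead code and probably should go too. `snort_alerts_update_div_rows` begins outside this hunk, so I cannot see whether anything still calls it.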
diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php
index c2622dc7..bb51a387 100644
--- a/config/widget-snort/snort_alerts.widget.php
+++ b/config/widget-snort/snort_alerts.widget.php
@@ -2,6 +2,7 @@
/*
snort_alerts.widget.php
Copyright (C) 2009 Jim Pingle
+ mod 24-07-2012
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -26,43 +27,111 @@
*/
global $config, $g;
+/* array sorting */
+function sksort(&$array, $subkey="id", $sort_ascending=false) {
+ /* an empty array causes sksort to fail - this test alleviates the error */
+ if(empty($array))
+ {
+ return false;
+ }
+ if (count($array)) {
+ $temp_array[key($array)] = array_shift($array);
+ };
+ foreach ($array as $key => $val){
+ $offset = 0;
+ $found = false;
+ foreach ($temp_array as $tmp_key => $tmp_val) {
+ if (!$found and strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])) {
+ $temp_array = array_merge((array)array_slice($temp_array,0,$offset), array($key => $val), array_slice($temp_array,$offset));
+ $found = true;
+ };
+ $offset++;
+ };
+ if (!$found) $temp_array = array_merge($temp_array, array($key => $val));
+ };
+
+ if ($sort_ascending) {
+ $array = array_reverse($temp_array);
+ } else $array = $temp_array;
+ /* below is the complement for empty array test */
+ return true;
+};
+
+/* check if firewall widget variable is set */
+if (!isset($nentries)) $nentries = 5;
+
+/* retrieve snort variables */
+require_once("/usr/local/pkg/snort/snort.inc");
+if (!is_array($config['installedpackages']['snortglobal']['rule']))
+ $config['installedpackages']['snortglobal']['rule'] = array();
+$a_instance = &$config['installedpackages']['snortglobal']['rule'];
+
+/* read log file(s) */
+$counter=0;
+foreach ($a_instance as $instanceid => $instance) {
+ $snort_uuid = $a_instance[$instanceid]['uuid'];
+ $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']);
+
+ /* make sure alert file exists */
+ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
+ exec("tail -n{$nentries} /var/log/snort/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_{$snort_uuid}");
+ if (file_exists("/tmp/alert_{$snort_uuid}")) {
+ $tmpblocked = array_flip(snort_get_blocked_ips());
+
+ /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
+ /* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */
+ $fd = fopen("/tmp/alert_{$snort_uuid}", "r");
+ while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
+ if(count($fields) < 11)
+ continue;
+
+ $snort_alerts[$counter]['instanceid'] = $a_instance[$instanceid]['interface'];
+ $snort_alerts[$counter]['timestamp'] = $fields[0];
+ $snort_alerts[$counter]['timeonly'] = substr($fields[0], 6, -8);
+ $snort_alerts[$counter]['dateonly'] = substr($fields[0], 0, -17);
+ $snort_alerts[$counter]['src'] = $fields[6];
+ $snort_alerts[$counter]['srcport'] = $fields[7];
+ $snort_alerts[$counter]['dst'] = $fields[8];
+ $snort_alerts[$counter]['dstport'] = $fields[9];
+ $snort_alerts[$counter]['priority'] = $fields[12];
+ $snort_alerts[$counter]['category'] = $fields[11];
+ $counter++;
+ };
+ fclose($fd);
+ @unlink("/tmp/alert_{$snort_uuid}");
+ };
+ };
+};
+
+/* sort the array */
+if (isset($config['syslog']['reverse'])) {
+ sksort($snort_alerts, 'timestamp', false);
+} else {
+ sksort($snort_alerts, 'timestamp', true);
+};
+
+/* display the result */
?>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr class="snort-alert-header">
- <td width="30%" class="widgetsubheader" >Date</td>
+ <td width="30%" class="widgetsubheader" >IF/Date</td>
<td width="40%" class="widgetsubheader">Src/Dst</td>
<td width="40%" class="widgetsubheader">Details</td>
</tr>
<?php
$counter=0;
if (is_array($snort_alerts)) {
- foreach ($snort_alerts as $alert) { ?>
-
- <?php
- if(isset($config['syslog']['reverse'])) {
- /* honour reverse logging setting */
- if($counter == 0)
- $activerow = " id=\"snort-firstrow\"";
- else
- $activerow = "";
-
- } else {
- /* non-reverse logging */
- if($counter == count($snort_alerts) - 1)
- $activerow = " id=\"snort-firstrow\"";
- else
- $activerow = "";
- }
- ?>
-
- <tr class="snort-alert-entry" <?php echo $activerow; ?>>
- <td width="30%" class="listr"><?= $alert['timeonly'] . '<br>' . $alert['dateonly'] ?></td>
- <td width="40%" class="listr"><?= $alert["src"] . '<br>' . $alert["dst"] ?></td>
- <td width="40%" class="listr"><?= 'Pri : ' . $alert["priority"] . '<br>' . 'Cat : ' . $alert['category'] ?></td>
- </tr>
-<?php $counter++;
+ foreach ($snort_alerts as $alert) {
+ echo(" <tr class='snort-alert-entry'" . $activerow . ">
+ <td width='30%' class='listr'>" . $alert['instanceid'] . "<br>" . $alert['timeonly'] . " " . $alert['dateonly'] . "</td>
+ <td width='40%' class='listr'>" . $alert['src'] . ":" . $alert['srcport'] . "<br>" . $alert['dst'] . ":" . $alert['dstport'] . "</td>
+ <td width='40%' class='listr'>Pri : " . $alert['priority'] . "<br>Cat : " . $alert['category'] . "</td>
+ </tr>");
+ $counter++;
+ if($counter >= $nentries) break;
}
-} ?>
+};
+?>
</tbody>
</table>
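Review bot: The new read loop shells out with `exec("tail -n{$nentries} /var/log/snort/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_{$snort_uuid}")`, interpolating unescaped values into a command line and round-tripping through a predictable, world-writable `/tmp` path, when `exec()` can capture `tail`'s output directly with escaped arguments and no scratch file. The field guard is also off by one: the loop reads `$fields[11]` and `$fields[12]` but only skips rows with `count($fields) < 11`, so a short line yields undefined-index notices; require 13 columns. In the output block, `$alert['src']`, `$alert['category']` and friends are echoed raw into HTML — wrap each with `htmlspecialchars()` — and `$activerow` on the `<tr>` line is no longer assigned anywhere after this change (the old branch that set `id="snort-firstrow"` was removed), so it is always undefined; `$tmpblocked` is computed per instance but never used.
```php
	/* make sure alert file exists */
	$alertfile = "/var/log/snort/snort_{$if_real}{$snort_uuid}/alert";
	if (!file_exists($alertfile))
		continue;
	/* read the tail straight from the pipe: no /tmp scratch file, arguments escaped */
	$lines = array();
	exec("/usr/bin/tail -n " . (int)$nentries . " " . escapeshellarg($alertfile), $lines);
	foreach ($lines as $line) {
		$fields = str_getcsv($line, ',', '"');
		/* indices 0..12 are read below, so require all 13 columns */
		if (count($fields) < 13)
			continue;
		/* … unchanged: populate $snort_alerts[$counter] from $fields … */
	}
```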
diff --git a/config/widget-snort/snort_alerts_helper.php b/config/widget-snort/snort_alerts_helper.php
deleted file mode 100644
index b49af1d8..00000000
--- a/config/widget-snort/snort_alerts_helper.php
+++ /dev/null
@@ -1,13 +0,0 @@
-<?php
-require_once("globals.inc");
-require_once("guiconfig.inc");
-require_once("includes/snort_alerts.inc.php");
-
-$snort_alerts_logfile = "{$g['varlog_path']}/snort/alert";
-$nentries = 5;
-handle_snort_ajax($snort_alerts_logfile, $nentries);
-
-?>
-<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script>
-<script src="/javascript/scriptaculous/scriptaculous.js" type="text/javascript"></script>
-<script src="/widgets/javascript/snort_alerts.js" type="text/javascript"></script>
diff --git a/config/widget-snort/widget-snort.inc b/config/widget-snort/widget-snort.inc
deleted file mode 100644
index 584e5f2d..00000000
--- a/config/widget-snort/widget-snort.inc
+++ /dev/null
@@ -1,13 +0,0 @@
-<?php
-
-function widget_snort_uninstall() {
-
- unlink("/usr/local/www/includes/snort_alerts.inc.php");
- unlink("/usr/local/www/widgets/helpers/snort_alerts_helper.php");
- unlink("/usr/local/www/widgets/include/snort_alerts.inc");
- unlink("/usr/local/www/widgets/javascript/snort_alerts.js");
- unlink("/usr/local/www/widgets/widgets/snort_alerts.widget.php");
-
-}
-
-?> \ No newline at end of file
diff --git a/config/widget-snort/widget-snort.xml b/config/widget-snort/widget-snort.xml
index 1644181c..785ac5b1 100644
--- a/config/widget-snort/widget-snort.xml
+++ b/config/widget-snort/widget-snort.xml
@@ -46,29 +46,8 @@
<requirements>Dashboard package and Snort</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>widget-snort</name>
- <version>0.2</version>
+ <version>0.5</version>
<title>Widget - Snort</title>
- <include_file>/usr/local/pkg/widget-snort.inc</include_file>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>077</chmod>
- <item>http://www.pfsense.com/packages/config/widget-snort/widget-snort.inc</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/www/includes/</prefix>
- <chmod>0644</chmod>
- <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.inc.php</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/www/widgets/helpers/</prefix>
- <chmod>0644</chmod>
- <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts_helper.php</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/www/widgets/include/</prefix>
- <chmod>0644</chmod>
- <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.inc</item>
- </additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/www/widgets/javascript/</prefix>
<chmod>0644</chmod>
@@ -79,7 +58,4 @@
<chmod>0644</chmod>
<item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.widget.php</item>
</additional_files_needed>
- <custom_php_deinstall_command>
- widget_snort_uninstall();
- </custom_php_deinstall_command>
</packagegui>
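Review bot: Removing `custom_php_deinstall_command` drops the only code that unlinked the widget's files on uninstall, while `snort_alerts.js` and `snort_alerts.widget.php` are still installed under `/usr/local/www/widgets/` by the remaining `additional_files_needed` entries. If the package manager does not itself delete `additional_files_needed` items on deinstall (I cannot confirm that from here), those two files will be left behind and the dashboard will keep offering a widget whose package is gone; either verify that behaviour or keep a minimal deinstall hook, e.g. `<custom_php_deinstall_command>unlink_if_exists("/usr/local/www/widgets/widgets/snort_alerts.widget.php");</custom_php_deinstall_command>`, extended to the JS file as well.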