Diffstat (limited to 'config/widget-snort')
-rw-r--r-- | config/widget-snort/snort_alerts.inc | 16 | ||||
-rw-r--r-- | config/widget-snort/snort_alerts.inc.php | 93 | ||||
-rw-r--r-- | config/widget-snort/snort_alerts.js | 57 | ||||
-rw-r--r-- | config/widget-snort/snort_alerts.widget.php | 123 | ||||
-rw-r--r-- | config/widget-snort/snort_alerts_helper.php | 13 | ||||
-rw-r--r-- | config/widget-snort/widget-snort.inc | 13 | ||||
-rw-r--r-- | config/widget-snort/widget-snort.xml | 26 |
7 files changed, 98 insertions, 243 deletions
diff --git a/config/widget-snort/snort_alerts.inc b/config/widget-snort/snort_alerts.inc
deleted file mode 100644
index 74adb4bb..00000000
--- a/config/widget-snort/snort_alerts.inc
+++ /dev/null
@@ -1,16 +0,0 @@
-<?php
-
-require_once("globals.inc");
-require_once("includes/snort_alerts.inc.php");
-
-$snort_alerts_title = "Snort Alerts";
-$snort_alerts_title_link = "snort/snort_alerts.php";
-
-$snort_alerts_logfile = "{$g['varlog_path']}/snort/alert";
-$nentries = 10;
-$snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries);
-
-/* AJAX related routines */
-handle_snort_ajax($snort_alerts_logfile, $nentries = 10);
-
-?>
diff --git a/config/widget-snort/snort_alerts.inc.php b/config/widget-snort/snort_alerts.inc.php
deleted file mode 100644
index b56ac02c..00000000
--- a/config/widget-snort/snort_alerts.inc.php
+++ /dev/null
@@ -1,93 +0,0 @@
-<?
-function get_snort_alerts($snort_alerts, $nentries, $tail = 20) {
- global $config, $g;
- $logarr = "";
- /* Always do a reverse tail, to be sure we're grabbing the 'end' of the alerts. */
- exec("/usr/bin/tail -r -n {$tail} {$snort_alerts}", $logarr);
-
- $snortalerts = array();
-
- $counter = 0;
-
- foreach ($logarr as $logent) {
- if($counter >= $nentries)
- break;
-
- $alert = parse_snort_alert_line($logent);
- if ($alert != "") {
- $counter++;
- $snortalerts[] = $alert;
- }
-
- }
- /* Since the rules are in reverse order, flip them around if needed based on the user's preference */
- return isset($config['syslog']['reverse']) ? $snortalerts : array_reverse($snortalerts);
-}
-
-function parse_snort_alert_line($line) {
- $log_split = "";
- $datesplit = "";
- preg_match("/^(.*)\s+\[\*\*\]\s+\[(\d+\:\d+:\d+)\]\s(.*)\s(.*)\s+\[\*\*\].*\s+\[Priority:\s(\d+)\]\s{(.*)}\s+(.*)\s->\s(.*)$/U", $line, $log_split);
-
- list($all, $alert['time'], $alert['rule'], $alert['category'], $alert['descr'],
- $alert['priority'], $alert['proto'], $alert['src'], $alert['dst']) = $log_split;
-
- $usableline = true;
-
- if(trim($alert['src']) == "")
- $usableline = false;
- if(trim($alert['dst']) == "")
- $usableline = false;
-
- if($usableline == true) {
- preg_match("/^(\d+)\/(\d+)-(\d+\:\d+\:\d+).\d+$/U", $alert['time'], $datesplit);
- $now_time = strtotime("now");
- $checkdate = $datesplit[1] . "/" . $datesplit[2] . "/" . date("Y");
- $fulldate = $datesplit[2] . "/" . $datesplit[1] . "/" . date("Y");
- $logdate = $checkdate . " " . $datesplit[3];
- if ($now_time < strtotime($logdate)) {
- $fulldate = $datesplit[2] . "/" . $datesplit[1] . "/" . ((int)date("Y") - 1);
- }
-
- $alert['dateonly'] = $fulldate;
- $alert['timeonly'] = $datesplit[3];
- $alert['category'] = strtoupper( substr($alert["category"],0 , 1) ) . strtolower( substr($alert["category"],1 ) );
- return $alert;
- } else {
- if($g['debug']) {
- log_error("There was a error parsing line: $line. Please report to mailing list or forum.");
- }
- return "";
- }
-}
-
-/* AJAX specific handlers */
-function handle_snort_ajax($snort_alerts_logfile, $nentries = 5, $tail = 50) {
- if($_GET['lastsawtime'] or $_POST['lastsawtime']) {
- if($_GET['lastsawtime'])
- $lastsawtime = $_GET['lastsawtime'];
- if($_POST['lastsawtime'])
- $lastsawtime = $_POST['lastsawtime'];
- /* compare lastsawrule's time stamp to alert logs.
- * afterwards return the newer records so that client
- * can update AJAX interface screen.
- */
- $new_rules = "";
- $snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries);
- foreach($snort_alerts as $log_row) {
- $time_regex = "";
- preg_match("/.*([0-9][0-9])\/([0-9][0-9])-([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $log_row['time'], $time_regex);
- $logdate = $time_regex[1] . "/" . $time_regex[2] . "/" . date("Y") . " " . $time_regex[3];
- //preg_match("/.*([0-9][0-9])\/([0-9][0-9])-([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $testsplit[1], $time_regex);
- // preg_match("/.*([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $log_row['time'], $time_regex);
- $row_time = strtotime($logdate);
- $now_time = strtotime("now");
- if($row_time > $lastsawtime and $row_time <= $nowtime) {
- $new_rules .= "{$log_row['time']}||{$log_row['priority']}||{$log_row['category']}||{$log_row['src']}||{$log_row['dst']}||" . time() . "||{$log_row['timeonly']}||{$log_row['dateonly']}" . "||\n";
- }
- }
- echo $new_rules;
- exit;
- }
-}
-?>
\ No newline at end of file diff --git a/config/widget-snort/snort_alerts.js b/config/widget-snort/snort_alerts.js index 0cc76ab1..0c2d9ca6 100644 --- a/config/widget-snort/snort_alerts.js +++ b/config/widget-snort/snort_alerts.js @@ -1,63 +1,10 @@ -snortlastsawtime = '<?php echo time(); ?>'; var snortlines = Array(); var snorttimer; var snortupdateDelay = 25500; var snortisBusy = false; var snortisPaused = false; -<?php - if(isset($config['syslog']['reverse'])) - echo "var isReverse = true;\n"; - else - echo "var isReverse = false;\n"; -?> - -if (typeof getURL == 'undefined') { - getURL = function(url, callback) { - if (!url) - throw 'No URL for getURL'; - try { - if (typeof callback.operationComplete == 'function') - callback = callback.operationComplete; - } catch (e) {} - if (typeof callback != 'function') - throw 'No callback function for getURL'; - var http_request = null; - if (typeof XMLHttpRequest != 'undefined') { - http_request = new XMLHttpRequest(); - } - else if (typeof ActiveXObject != 'undefined') { - try { - http_request = new ActiveXObject('Msxml2.XMLHTTP'); - } catch (e) { - try { - http_request = new ActiveXObject('Microsoft.XMLHTTP'); - } catch (e) {} - } - } - if (!http_request) - throw 'Both getURL and XMLHttpRequest are undefined'; - http_request.onreadystatechange = function() { - if (http_request.readyState == 4) { - callback( { success : true, - content : http_request.responseText, - contentType : http_request.getResponseHeader("Content-Type") } ); - } - } - http_request.open('GET', url, true); - http_request.send(null); - } -} - -function snort_alerts_fetch_new_rules() { - if(snortisPaused) - return; - if(snortisBusy) - return; - snortisBusy = true; - getURL('widgets/helpers/snort_alerts_helper.php?lastsawtime=' + snortlastsawtime, snort_alerts_fetch_new_rules_callback); -} function snort_alerts_fetch_new_rules_callback(callback_data) { if(snortisPaused) return; 
@@ -75,8 +22,6 @@ function snort_alerts_fetch_new_rules_callback(callback_data) { line = '<td width="30%" class="listr" >' + row_split[6] + '<br>' + row_split[7]+ '</td>'; line += '<td width="40%" class="listr" >' + row_split[3] + '<br>' + row_split[4] + '</td>'; line += '<td width="40%" class="listr" >' + 'Pri : ' + row_split[1] + '<br>' + 'Cat : ' + row_split[2] + '</td>'; - snortlastsawtime = row_split[5]; - //alert(row_split[0]); new_data_to_add[new_data_to_add.length] = line; } snort_alerts_update_div_rows(new_data_to_add); @@ -131,7 +76,7 @@ function snort_alerts_update_div_rows(data) { } } /* rechedule AJAX interval */ - //snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay); + snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay); } function snort_alerts_toggle_pause() { if(snortisPaused) { diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php index c2622dc7..bb51a387 100644 --- a/config/widget-snort/snort_alerts.widget.php +++ b/config/widget-snort/snort_alerts.widget.php @@ -2,6 +2,7 @@ /* snort_alerts.widget.php Copyright (C) 2009 Jim Pingle + mod 24-07-2012 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
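Review bot: The re-enabled `snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay);` in the `@@ -131,7 +76,7 @@` hunk schedules a function that the first hunk of this file (`@@ -1,63 +1,10 @@`) deletes together with `getURL` and the `snort_alerts_helper.php` endpoint, so every tick will fail with a ReferenceError in the browser and the widget will never refresh. Either keep that line commented out as it was, or remove the timer and `snort_alerts_fetch_new_rules_callback` entirely now that there is no server endpoint feeding them. The callback still parses `row_split[...]` data that only the deleted helper could have produced, so leaving it in is dead code that will confuse the next reader. `snort_alerts_update_div_rows` begins outside the hunk.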
@@ -26,43 +27,111 @@ */ global $config, $g; +/* array sorting */ +function sksort(&$array, $subkey="id", $sort_ascending=false) { + /* an empty array causes sksort to fail - this test alleviates the error */ + if(empty($array)) + { + return false; + } + if (count($array)) { + $temp_array[key($array)] = array_shift($array); + }; + foreach ($array as $key => $val){ + $offset = 0; + $found = false; + foreach ($temp_array as $tmp_key => $tmp_val) { + if (!$found and strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])) { + $temp_array = array_merge((array)array_slice($temp_array,0,$offset), array($key => $val), array_slice($temp_array,$offset)); + $found = true; + }; + $offset++; + }; + if (!$found) $temp_array = array_merge($temp_array, array($key => $val)); + }; + + if ($sort_ascending) { + $array = array_reverse($temp_array); + } else $array = $temp_array; + /* below is the complement for empty array test */ + return true; +}; + +/* check if firewall widget variable is set */ +if (!isset($nentries)) $nentries = 5; + +/* retrieve snort variables */ +require_once("/usr/local/pkg/snort/snort.inc"); +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); +$a_instance = &$config['installedpackages']['snortglobal']['rule']; + +/* read log file(s) */ +$counter=0; +foreach ($a_instance as $instanceid => $instance) { + $snort_uuid = $a_instance[$instanceid]['uuid']; + $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); + + /* make sure alert file exists */ + if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { + exec("tail -n{$nentries} /var/log/snort/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_{$snort_uuid}"); + if (file_exists("/tmp/alert_{$snort_uuid}")) { + $tmpblocked = array_flip(snort_get_blocked_ips()); + + /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ + /* File format 
timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */ + $fd = fopen("/tmp/alert_{$snort_uuid}", "r"); + while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { + if(count($fields) < 11) + continue; + + $snort_alerts[$counter]['instanceid'] = $a_instance[$instanceid]['interface']; + $snort_alerts[$counter]['timestamp'] = $fields[0]; + $snort_alerts[$counter]['timeonly'] = substr($fields[0], 6, -8); + $snort_alerts[$counter]['dateonly'] = substr($fields[0], 0, -17); + $snort_alerts[$counter]['src'] = $fields[6]; + $snort_alerts[$counter]['srcport'] = $fields[7]; + $snort_alerts[$counter]['dst'] = $fields[8]; + $snort_alerts[$counter]['dstport'] = $fields[9]; + $snort_alerts[$counter]['priority'] = $fields[12]; + $snort_alerts[$counter]['category'] = $fields[11]; + $counter++; + }; + fclose($fd); + @unlink("/tmp/alert_{$snort_uuid}"); + }; + }; +}; + +/* sort the array */ +if (isset($config['syslog']['reverse'])) { + sksort($snort_alerts, 'timestamp', false); +} else { + sksort($snort_alerts, 'timestamp', true); +}; + +/* display the result */ ?> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tbody> <tr class="snort-alert-header"> - <td width="30%" class="widgetsubheader" >Date</td> + <td width="30%" class="widgetsubheader" >IF/Date</td> <td width="40%" class="widgetsubheader">Src/Dst</td> <td width="40%" class="widgetsubheader">Details</td> </tr> <?php $counter=0; if (is_array($snort_alerts)) { - foreach ($snort_alerts as $alert) { ?> - - <?php - if(isset($config['syslog']['reverse'])) { - /* honour reverse logging setting */ - if($counter == 0) - $activerow = " id=\"snort-firstrow\""; - else - $activerow = ""; - - } else { - /* non-reverse logging */ - if($counter == count($snort_alerts) - 1) - $activerow = " id=\"snort-firstrow\""; - else - $activerow = ""; - } - ?> - - <tr class="snort-alert-entry" <?php echo $activerow; ?>> - <td width="30%" class="listr"><?= $alert['timeonly'] . '<br>' . 
$alert['dateonly'] ?></td> - <td width="40%" class="listr"><?= $alert["src"] . '<br>' . $alert["dst"] ?></td> - <td width="40%" class="listr"><?= 'Pri : ' . $alert["priority"] . '<br>' . 'Cat : ' . $alert['category'] ?></td> - </tr> -<?php $counter++; + foreach ($snort_alerts as $alert) { + echo(" <tr class='snort-alert-entry'" . $activerow . "> + <td width='30%' class='listr'>" . $alert['instanceid'] . "<br>" . $alert['timeonly'] . " " . $alert['dateonly'] . "</td> + <td width='40%' class='listr'>" . $alert['src'] . ":" . $alert['srcport'] . "<br>" . $alert['dst'] . ":" . $alert['dstport'] . "</td> + <td width='40%' class='listr'>Pri : " . $alert['priority'] . "<br>Cat : " . $alert['category'] . "</td> + </tr>"); + $counter++; + if($counter >= $nentries) break; } -} ?> +}; +?> </tbody> </table> diff --git a/config/widget-snort/snort_alerts_helper.php b/config/widget-snort/snort_alerts_helper.php deleted file mode 100644 index b49af1d8..00000000 --- a/config/widget-snort/snort_alerts_helper.php +++ /dev/null @@ -1,13 +0,0 @@ -<?php -require_once("globals.inc"); -require_once("guiconfig.inc"); -require_once("includes/snort_alerts.inc.php"); - -$snort_alerts_logfile = "{$g['varlog_path']}/snort/alert"; -$nentries = 5; -handle_snort_ajax($snort_alerts_logfile, $nentries); - -?> -<script src="/javascript/scriptaculous/prototype.js" type="text/javascript"></script> -<script src="/javascript/scriptaculous/scriptaculous.js" type="text/javascript"></script> -<script src="/widgets/javascript/snort_alerts.js" type="text/javascript"></script> diff --git a/config/widget-snort/widget-snort.inc b/config/widget-snort/widget-snort.inc deleted file mode 100644 index 584e5f2d..00000000 --- a/config/widget-snort/widget-snort.inc +++ /dev/null 
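Review bot: The new read loop hands each alert file to the shell, `exec("tail -n{$nentries} /var/log/snort/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_{$snort_uuid}");`, and then trusts a fixed, predictable `/tmp/alert_{uuid}` path: nothing is quoted, `$nentries` is interpolated unvalidated, and a file or symlink already sitting at that path is followed by the redirect and then parsed as alerts. A per-request `tempnam()` file (created 0600) plus `escapeshellarg()` on both paths and an integer cast of `$nentries` removes the predictable name and the quoting problem; the rewritten lines are below. In the same loop `if(count($fields) < 11) continue;` does not cover the later `$fields[11]` and `$fields[12]` reads, so it should be `if (count($fields) < 13) continue;`. The display loop also echoes `$activerow`, which no longer exists on the new side, and writes `$alert['src']`, `$alert['category']` and the other fields straight into HTML, where `htmlspecialchars()` on each printed value would keep a log line from becoming markup. `$tmpblocked` is computed but never used.
```php
    /* make sure alert file exists */
    $alertfile = "/var/log/snort/snort_{$if_real}{$snort_uuid}/alert";
    if (file_exists($alertfile)) {
        /* private scratch file instead of a fixed, predictable /tmp name */
        $tmpfile = tempnam("/tmp", "alert_");
        if ($tmpfile !== false) {
            exec("tail -n " . (int)$nentries . " " . escapeshellarg($alertfile) . " > " . escapeshellarg($tmpfile));
            $fd = fopen($tmpfile, "r");
            if ($fd !== false) {
                while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
                    /* priority lives in $fields[12], so require all 13 columns */
                    if (count($fields) < 13)
                        continue;
                    /* … unchanged: field assignments into $snort_alerts[$counter] … */
                }
                fclose($fd);
            }
            unlink($tmpfile);
        }
    }
```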
@@ -1,13 +0,0 @@
-<?php
-
-function widget_snort_uninstall() {
-
- unlink("/usr/local/www/includes/snort_alerts.inc.php");
- unlink("/usr/local/www/widgets/helpers/snort_alerts_helper.php");
- unlink("/usr/local/www/widgets/include/snort_alerts.inc");
- unlink("/usr/local/www/widgets/javascript/snort_alerts.js");
- unlink("/usr/local/www/widgets/widgets/snort_alerts.widget.php");
-
-}
-
-?>
\ No newline at end of file
diff --git a/config/widget-snort/widget-snort.xml b/config/widget-snort/widget-snort.xml
index 1644181c..785ac5b1 100644
--- a/config/widget-snort/widget-snort.xml
+++ b/config/widget-snort/widget-snort.xml
@@ -46,29 +46,8 @@
 <requirements>Dashboard package and Snort</requirements>
 <faq>Currently there are no FAQ items provided.</faq>
 <name>widget-snort</name>
- <version>0.2</version>
+ <version>0.5</version>
 <title>Widget - Snort</title>
- <include_file>/usr/local/pkg/widget-snort.inc</include_file>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>077</chmod>
- <item>http://www.pfsense.com/packages/config/widget-snort/widget-snort.inc</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/www/includes/</prefix>
- <chmod>0644</chmod>
- <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.inc.php</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/www/widgets/helpers/</prefix>
- <chmod>0644</chmod>
- <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts_helper.php</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/www/widgets/include/</prefix>
- <chmod>0644</chmod>
- <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.inc</item>
- </additional_files_needed>
 <additional_files_needed>
 <prefix>/usr/local/www/widgets/javascript/</prefix>
 <chmod>0644</chmod>
@@ -79,7 +58,4 @@
 <chmod>0644</chmod>
 <item>http://www.pfsense.com/packages/config/widget-snort/snort_alerts.widget.php</item>
 </additional_files_needed>
- <custom_php_deinstall_command>
- widget_snort_uninstall();
- </custom_php_deinstall_command>
 </packagegui> |