From 47d67bc88a0fbd00b1c37c4915466834879785a0 Mon Sep 17 00:00:00 2001 From: digdug3 Date: Wed, 25 Jul 2012 09:42:36 +0300 Subject: Update config/snort/snort_alerts.php Fix displaying Snort descriptions with "," like: "ET TROJAN MS Terminal Server User A Login, possible Morto inbound" --- config/snort/snort_alerts.php | 49 +++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 25 deletions(-) diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 663e7621..b3afe941 100644 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -47,7 +47,7 @@ if (empty($instanceid)) $instanceid = 0; if (!is_array($config['installedpackages']['snortglobal']['rule'])) - $config['installedpackages']['snortglobal']['rule'] = array(); + $config['installedpackages']['snortglobal']['rule'] = array(); $a_instance = &$config['installedpackages']['snortglobal']['rule']; $snort_uuid = $a_instance[$instanceid]['uuid']; $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); @@ -75,13 +75,13 @@ if ($_POST['save']) { } if ($_POST['todelete'] || $_GET['todelete']) { - $ip = ""; - if($_POST['todelete']) - $ip = $_POST['todelete']; - else if($_GET['todelete']) - $ip = $_GET['todelete']; - if (is_ipaddr($ip)) - exec("/sbin/pfctl -t snort2c -T delete {$ip}"); + $ip = ""; + if($_POST['todelete']) + $ip = $_POST['todelete']; + else if($_GET['todelete']) + $ip = $_GET['todelete']; + if (is_ipaddr($ip)) + exec("/sbin/pfctl -t snort2c -T delete {$ip}"); } if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { @@ -174,23 +174,23 @@ if ($pconfig['arefresh'] == 'on') ' . $pgtitle . '

';} /* Display Alert message */ - if ($input_errors) { - print_input_errors($input_errors); // TODO: add checks - } + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } ?>
@@ -265,10 +265,9 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ /* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */ $fd = fopen("/tmp/alert_{$snort_uuid}", "r"); - while(($fileline = @fgets($fd))) { - if (empty($fileline)) + while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { + if(count($fields) < 11) continue; - $fields = explode(",", $fileline); /* Date */ $alert_date = substr($fields[0], 0, -8); @@ -311,7 +310,7 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { @@ -337,4 +336,4 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { include("fend.inc"); ?> - + \ No newline at end of file -- cgit v1.2.3 From 6d53928d242f8af1d73322e6d1cfa7edf13cd3bc Mon Sep 17 00:00:00 2001 From: digdug3 Date: Wed, 25 Jul 2012 09:46:50 +0300 Subject: Update config/snort/snort_blocked.php Fix Snort alerts descriptions with "," like: "ET TROJAN MS Terminal Server User A Login, possible Morto inbound" --- config/snort/snort_blocked.php | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index babb6bea..6815c18d 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -137,15 +137,15 @@ if ($pconfig['brefresh'] == 'on')
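Review bot: The new `fgetcsv($fd, 1000, ',', '"')` in snort_alerts.php caps a record at 1000 bytes, and PHP splits a longer line into chunks rather than discarding it, so an alert whose quoted msg pushes the record past that length comes back as a truncated record followed by a tail fragment that is then parsed as its own line and either dropped by the `< 11` guard or mis-assigned to columns. Passing `0` as the length removes the limit, `fgetcsv($fd, 0, ',', '"')`, which is the safer call for a log whose msg text the package does not control. The `$fd = fopen("/tmp/alert_{$snort_uuid}", "r");` just above the loop is also still unchecked, unlike the `if ($fd)` wrapper snort_blocked.php uses for the same read, so a failed open reaches fgetcsv with `false`. The enclosing `if (file_exists(...))` block begins and ends outside the hunk.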
{$alert_sid_str} -
@@ -208,10 +208,9 @@ if ($pconfig['brefresh'] == 'on') if ($fd) { /* 0 1 2 3 4 5 6 7 8 9 10 11 12 /* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */ - while(($fileline = @fgets($fd))) { - if (empty($fileline)) + while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { + if(count($fields) < 11) continue; - $fields = explode(",", $fileline); if (isset($tmpblocked[$fields[6]])) { if (!is_array($src_ip_list[$fields[6]])) @@ -270,4 +269,4 @@ if ($pconfig['brefresh'] == 'on') include("fend.inc"); ?> - + \ No newline at end of file -- cgit v1.2.3 From ae7abb368b7336487156d84a1ae24ae46bd400ae Mon Sep 17 00:00:00 2001 From: digdug3 Date: Wed, 25 Jul 2012 09:48:51 +0300 Subject: Update config/widget-snort/snort_alerts.widget.php Sorts all interfaces by date, displays ip and port, fixes Snort alert descriptions with ",". Uses firewall widget setting as number of entries. --- config/widget-snort/snort_alerts.widget.php | 128 ++++++++++++++++------------ 1 file changed, 75 insertions(+), 53 deletions(-) diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php index c579a35e..c53f6593 100644 --- a/config/widget-snort/snort_alerts.widget.php +++ b/config/widget-snort/snort_alerts.widget.php @@ -2,7 +2,7 @@ /* snort_alerts.widget.php Copyright (C) 2009 Jim Pingle - mod 19-07-2012 + mod 24-07-2012 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
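Review bot: The rewritten loop in snort_blocked.php uses `$fields[6]` as a key into `$tmpblocked` and `$src_ip_list` with nothing but a field-count check in front of it, so a malformed line, or a record that fgetcsv chopped at its 1000-byte length limit, can put arbitrary text into column 6 and from there into whatever the page later does with those keys (outside the hunk, so I cannot see how they are emitted). Since the rest of this series treats these values as addresses, validate at the parse site, `if (count($fields) < 11 || !is_ipaddr($fields[6])) continue;`, and pass `0` as the fgetcsv length so long msg strings cannot split a record. The enclosing `if ($fd)` block continues past the hunk.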
@@ -26,68 +26,86 @@ POSSIBILITY OF SUCH DAMAGE. */ global $config, $g; -$snort_alerts_title = "Snort Alerts"; -$snort_alerts_title_link = "snort/snort_alerts.php"; + +/* array sorting */ +function sksort(&$array, $subkey="id", $sort_ascending=false) { + if (count($array)) { + $temp_array[key($array)] = array_shift($array); + }; + + foreach ($array as $key => $val){ + $offset = 0; + $found = false; + foreach ($temp_array as $tmp_key => $tmp_val) { + if (!$found and strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])) { + $temp_array = array_merge((array)array_slice($temp_array,0,$offset), array($key => $val), array_slice($temp_array,$offset)); + $found = true; + }; + $offset++; + }; + if (!$found) $temp_array = array_merge($temp_array, array($key => $val)); + }; + + if ($sort_ascending) { + $array = array_reverse($temp_array); + } else $array = $temp_array; +}; + +/* check if firewall widget variable is set */ +if (!isset($nentries)) $nentries = 5; /* retrieve snort variables */ require_once("/usr/local/pkg/snort/snort.inc"); +$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); $a_instance = &$config['installedpackages']['snortglobal']['rule']; /* read log file(s) */ -$snort_alerts = array(); -$tmpblocked = array_flip(snort_get_blocked_ips()); +$counter=0; foreach ($a_instance as $instanceid => $instance) { - if ($instance['enable'] != 'on') - continue; + $snort_uuid = $a_instance[$instanceid]['uuid']; + $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); /* make sure alert file exists */ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { - $snort_uuid = $instance['uuid']; - $if_real = snort_get_real_interface($instance['interface']); - $tmpfile = "{$g['tmp_path']}/.widget_alert_{$snort_uuid}"; - if (isset($config['syslog']['reverse'])) - exec("tail -10 
/var/log/snort/snort_{$if_real}{$snort_uuid}/alert | sort -r > {$tmpfile}"); - else - exec("tail -10 /var/log/snort/snort_{$if_real}{$snort_uuid}/alert > {$tmpfile}"); - if (file_exists($tmpfile)) { + exec("tail -n{$nentries} /var/log/snort/snort_{$if_real}{$snort_uuid}/alert > /tmp/alert_{$snort_uuid}"); + if (file_exists("/tmp/alert_{$snort_uuid}")) { + $tmpblocked = array_flip(snort_get_blocked_ips()); + /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ /* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */ - $fd = fopen($tmpfile, "r"); - while (($fileline = @fgets($fd))) { - if (empty($fileline)) + $fd = fopen("/tmp/alert_{$snort_uuid}", "r"); + while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { + if(count($fields) < 11) continue; - $fields = explode(",", $fileline); - - $snort_alert = array(); - $snort_alert[]['instanceid'] = snort_get_friendly_interface($instance['interface']); - $snort_alert[]['timestamp'] = $fields[0]; - $snort_alert[]['timeonly'] = substr($fields[0], 6, -8); - $snort_alert[]['dateonly'] = substr($fields[0], 0, -17); - $snort_alert[]['src'] = $fields[6]; - $snort_alert[]['srcport'] = $fields[7]; - $snort_alert[]['dst'] = $fields[8]; - $snort_alert[]['dstport'] = $fields[9]; - $snort_alert[]['priority'] = $fields[12]; - $snort_alert[]['category'] = $fields[11]; - $snort_alerts[] = $snort_alert; - } - fclose($fd); - @unlink($tmpfile); - } - } -} -if ($_GET['evalScripts']) { - /* AJAX specific handlers */ - $new_rules = ""; - foreach($snort_alerts as $log_row) - $new_rules .= "{$log_row['time']}||{$log_row['priority']}||{$log_row['category']}||{$log_row['src']}||{$log_row['dst']}||{$log_row['timestamp']}||{$log_row['timeonly']}||{$log_row['dateonly']}\n"; + $snort_alerts[$counter]['instanceid'] = $a_instance[$instanceid]['interface']; + $snort_alerts[$counter]['timestamp'] = $fields[0]; + $snort_alerts[$counter]['timeonly'] = substr($fields[0], 6, -8); + 
$snort_alerts[$counter]['dateonly'] = substr($fields[0], 0, -17); + $snort_alerts[$counter]['src'] = $fields[6]; + $snort_alerts[$counter]['srcport'] = $fields[7]; + $snort_alerts[$counter]['dst'] = $fields[8]; + $snort_alerts[$counter]['dstport'] = $fields[9]; + $snort_alerts[$counter]['priority'] = $fields[12]; + $snort_alerts[$counter]['category'] = $fields[11]; + $counter++; + }; + fclose($fd); + @unlink("/tmp/alert_{$snort_uuid}"); + }; + }; +}; - echo $new_rules; +/* sort the array */ +if (isset($config['syslog']['reverse'])) { + sksort($snort_alerts, 'timestamp', false); } else { + sksort($snort_alerts, 'timestamp', true); +}; + /* display the result */ ?>
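Review bot: The new collection code in the widget replaces the widget-private `{$g['tmp_path']}/.widget_alert_{$snort_uuid}` with `/tmp/alert_{$snort_uuid}`, which is exactly the path snort_alerts.php reads in the first commit of this series, and then `@unlink`s it after use, so a dashboard refresh racing an alerts-page load can remove or overwrite the other page's file mid-read; a fixed name under /tmp is also a classic symlink target if the GUI process is privileged, which I cannot confirm from here. `$nentries` is spliced into `exec("tail -n{$nentries} ...")` after only an `isset()` test, so anything that is not a positive integer lands verbatim in the shell line. Cast it, restore the private temp name and quote the path; separately, the guard `if(count($fields) < 11)` is too loose for a loop that reads `$fields[11]` and `$fields[12]`, so it should be `< 13`. The foreach over `$a_instance` opens inside this hunk and closes with the `};` runs at its end.
```php
/* check if firewall widget variable is set */
if (!isset($nentries) || (int)$nentries < 1) $nentries = 5;
$nentries = (int)$nentries;
// … unchanged: require_once, $a_instance setup, foreach over instances …
    if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
        $tmpfile = "{$g['tmp_path']}/.widget_alert_{$snort_uuid}";
        exec("tail -n {$nentries} " . escapeshellarg("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert") . " > " . escapeshellarg($tmpfile));
        if (file_exists($tmpfile)) {
            // … unchanged: $tmpblocked lookup, format comment …
            $fd = fopen($tmpfile, "r");
            while (($fields = fgetcsv($fd, 0, ',', '"')) !== FALSE) {
                if (count($fields) < 13)
                    continue;
                // … unchanged: $snort_alerts[$counter] assignments …
            }
            fclose($fd);
            @unlink($tmpfile);
```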
@@ -98,14 +116,18 @@ if ($_GET['evalScripts']) { $alert) { - echo(" - - - - "); -} +$counter=0; +if (is_array($snort_alerts)) { + foreach ($snort_alerts as $alert) { + echo(" + + + + "); + $counter++; + if($counter >= $nentries) break; + } +}; ?> -
Details
{$alert['instanceid']}
{$alert['timeonly']} {$alert['dateonly']}
{$alert['src']}:{$alert['srcport']}
{$alert['dst']}:{$alert['dstport']}
Pri : {$alert['priority']}
Cat : {$alert['category']}
" . $alert['instanceid'] . "
" . $alert['timeonly'] . " " . $alert['dateonly'] . "
" . $alert['src'] . ":" . $alert['srcport'] . "
" . $alert['dst'] . ":" . $alert['dstport'] . "
Pri : " . $alert['priority'] . "
Cat : " . $alert['category'] . "
- + \ No newline at end of file -- cgit v1.2.3 From 7c870c48bcfb2588f814c738372e1405afbeaeac Mon Sep 17 00:00:00 2001 From: digdug3 Date: Thu, 26 Jul 2012 09:43:19 +0300 Subject: Update config/widget-snort/snort_alerts.widget.php Removed a bogus line --- config/widget-snort/snort_alerts.widget.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php index c53f6593..6d6193d8 100644 --- a/config/widget-snort/snort_alerts.widget.php +++ b/config/widget-snort/snort_alerts.widget.php @@ -56,8 +56,6 @@ if (!isset($nentries)) $nentries = 5; /* retrieve snort variables */ require_once("/usr/local/pkg/snort/snort.inc"); - -$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); $a_instance = &$config['installedpackages']['snortglobal']['rule']; -- cgit v1.2.3
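Review bot: The rebuilt `echo` in the widget's display loop writes `$alert['instanceid']`, `$alert['src']`/`srcport`, `$alert['dst']`/`dstport`, `$alert['priority']` and `$alert['category']` into table cells with no `htmlspecialchars()`; the interpolated version it replaces was equally unescaped, but this rewrite is the natural place to fix that. Every value comes from the alert file as parsed by fgetcsv, so any quoting Snort applied is already stripped, and while the addresses and ports are presumably format-constrained, the classification text and the interface key are free-form strings. The smallest fix is one line at the top of the foreach, `$alert = array_map('htmlspecialchars', $alert);`, which covers every cell without touching the markup. Note also that `instanceid` is now the raw config interface key rather than the friendly name the previous code obtained via `snort_get_friendly_interface()`, which looks like an unintended change in what the dashboard shows.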