From d0bae9cffe1beff984f1b8fc7aaa3c04ca510c37 Mon Sep 17 00:00:00 2001
From: robiscool
Date: Tue, 22 Dec 2009 14:09:31 -0800
Subject: snort-dev, add log downlod and refresh options to the alerts tab, fix reg ex of ip src
---
 config/snort-dev/snort_alerts.php | 145 ++++++++++++++++++++++++++---
 config/snort-dev/snort_interfaces_edit.php | 3 +-
 2 files changed, 133 insertions(+), 15 deletions(-)
diff --git a/config/snort-dev/snort_alerts.php b/config/snort-dev/snort_alerts.php
index 81ee78d7..824ea27a 100644
--- a/config/snort-dev/snort_alerts.php
+++ b/config/snort-dev/snort_alerts.php
@@ -37,16 +37,95 @@ require("globals.inc");
 require("guiconfig.inc");
 $snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype'];
+$snort_logfile = '/var/log/snort/alert';
+
+$pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'];
+$pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'];
+
+if ($pconfig['alertnumber'] == '' || $pconfig['alertnumber'] == '0')
+{
+ $anentries = '250';
+}else{
+ $anentries = $pconfig['alertnumber'];
+}
+
+if ($_POST['save'])
+{
+
+ //unset($input_errors);
+ //$pconfig = $_POST;
+
+ /* input validation */
+ if ($_POST['save'])
+ {
+
+ // if (($_POST['radiusacctport'] && !is_port($_POST['radiusacctport']))) {
+ // $input_errors[] = "A valid port number must be specified. [".$_POST['radiusacctport']."]";
+ // }
+
+ }
+
+ /* no errors */
+ if (!$input_errors)
+ {
+
+ $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? on : off;
+ $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber'];
+
+ conf_mount_rw();
+ write_config();
+ //conf_mount_ro();
+ sleep(2);
+
+ header("Location: /snort/snort_alerts.php");
+
+ }
+
+}
+
+
+if ($_POST['delete'])
+{
-if ($_POST['clear']) {
 exec("killall syslogd");
 conf_mount_rw();
- exec("rm {$snort_logfile}; touch {$snort_logfile}");
+ if(file_exists("/var/log/snort/alert"))
+ {
+ exec('/bin/rm /var/log/snort/*');
+ exec('/usr/bin/touch /var/log/snort/alert');
+ }
 conf_mount_ro();
 system_syslogd_start();
- exec("/usr/bin/killall -HUP snort");
+ //exec("/usr/bin/killall -HUP snort");
+
+}
+
+if ($_POST['download'])
+{
+
+ ob_start(); //importanr or other post will fail
+ $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
+ $file_name = "snort_logs_{$save_date}.tar.gz";
+ exec("/usr/bin/tar cfz /tmp/snort_logs_{$save_date}.tar.gz /var/log/snort");
+
+ if(file_exists("/tmp/snort_logs_{$save_date}.tar.gz"))
+ {
+ $file = "/tmp/snort_logs_{$save_date}.tar.gz";
+ header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n");
+ header('Content-type: application/force-download');
+ header('Content-Transfer-Encoding: Binary');
+ header("Content-length: ".filesize($file));
+ header("Content-disposition: attachment; filename = {$file_name}");
+ readfile("$file");
+ exec("/bin/rm /tmp/snort_logs_{$save_date}.tar.gz");
+ od_end_clean(); //importanr or other post will fail
+ }else{
+ echo 'Error no saved file.';
+ }
+ }
+
+ /* WARNING: took me forever to figure reg expression, dont lose */
 // $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50';
@@ -140,7 +219,7 @@ return $alert_ip_src;
 function get_snort_alert_src_p($fileline)
 {
 /* source port */
- if (preg_match('/:\d+\s/', $fileline, $matches5))
+ if (preg_match('/:\d+\s-/', $fileline, $matches5))
 {
 $alert_src_p = "$matches5[0]";
 }
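Review bot: In the `$_POST['download']` branch the call after `readfile("$file")` is spelled `od_end_clean()`, which is not a PHP function, and even corrected to `ob_end_clean()` it would discard the archive bytes that readfile() has just written into the buffer opened by `ob_start()`; since nothing stops the script either, the rest of the page is emitted after the download. Drop the buffer before sending and terminate afterwards: `ob_end_clean(); readfile($file); unlink($file); exit;` (and use `filename="{$file_name}"` in the Content-Disposition header, since the `filename = ` form is non-standard). The save branch writes `$_POST['alertnumber']` into the config with no validation — the validation block holds only commented-out placeholder code — and the stored value feeds `$anentries` on every page load, so a `ctype_digit()` check that appends to `$input_errors` is needed before `write_config()`. `$_POST['arefresh'] ? on : off` uses the bare identifiers `on`/`off`, which PHP resolves as undefined constants (a notice here, a fatal error on PHP 8); write `'on' : 'off'`. The archive is also built under a predictable name in world-writable /tmp, which is a symlink-race target if the box has untrusted local users; tempnam() or a private directory would be safer, though that is a low risk on a single-admin appliance.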
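Review bot: The tightened pattern `/:\d+\s-/` now includes the trailing space and dash in `$matches5[0]`, so `$alert_src_p` becomes `:1234 -` rather than `:1234` unless something downstream trims it; a capture group `preg_match('/:(\d+)\s->/', $fileline, $matches5)` with `$alert_src_p = $matches5[1];` isolates the port and anchors on the full `->` arrow. The subject line says the fix targets the source-IP regex, but this hunk changes the source-port matcher, so the IP-side change (if any) is not visible here. `get_snort_alert_src_p` continues past the end of the hunk, so any later cleanup of the match is not visible either.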
@@ -226,7 +305,15 @@ include("head.inc"); - +\n"; +} +?>

@@ -296,9 +407,17 @@ include("head.inc"); Description +
You may enter a description here for your reference (not parsed). -- cgit v1.2.3
@@ -245,12 +332,36 @@ include("head.inc");
- +
- + + + + + + + + +
- - Last Snort Alert entries + Last Snort Alert Entries.    Latest Alert Entries Are Listed First. +
Save or Remove Logs +
+ + All log files will be saved. + + Warning: all log files will be deleted. +
+
Auto Refresh and Log View +
+ + Refresh + > + Default is ON. + + Enter the number of log entries to view. Default is 250. +
+
-
You may enter a description here - for your reference (not parsed).
Memory Performance