From de040922497c3ff0f1a77451063de25b3b579393 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sat, 22 Feb 2014 00:33:26 -0500 Subject: Continue change of $_GET to $_POST wherever possible. --- config/suricata/suricata_alerts.php | 190 +++++++++++++++++++----------------- 1 file changed, 103 insertions(+), 87 deletions(-) (limited to 'config/suricata/suricata_alerts.php') diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index c36c0dd7..2f23260b 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -121,10 +121,11 @@ function suricata_add_supplist_entry($suppress) { return false; } -if ($_GET['instance']) - $instanceid = $_GET['instance']; if ($_POST['instance']) $instanceid = $_POST['instance']; +// This is for the auto-refresh so wecan stay on the same interface +if (is_numeric($_GET['instance'])) + $instanceid = $_GET['instance']; if (empty($instanceid)) $instanceid = 0; 
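Review bot: The `is_numeric()` check added for the auto-refresh GET path is not applied to the `$_POST['instance']` branch two lines above it, so a non-numeric value still reaches `$instanceid`, which the rest of this file uses as an index into `$a_instance` and echoes into `Location:` headers. `is_numeric()` also accepts forms like `1e3`, leading whitespace and (on PHP 5) hex strings, so the accepted value should be normalised as well: `if (isset($_POST['instance']) && is_numeric($_POST['instance'])) $instanceid = (int)$_POST['instance'];` and likewise `$instanceid = (int)$_GET['instance'];` on the new GET branch. The new comment also has a typo (`wecan` → `we can`).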
@@ -163,63 +164,61 @@ if ($_POST['save']) { exit; } -//if ($_POST['todelete'] || $_GET['todelete']) { -// $ip = ""; -// if($_POST['todelete']) -// $ip = $_POST['todelete']; -// else if($_GET['todelete']) -// $ip = $_GET['todelete']; -// if (is_ipaddr($ip)) { -// exec("/sbin/pfctl -t snort2c -T delete {$ip}"); -// $savemsg = gettext("Host IP address {$ip} has been removed from the Blocked Table."); +//if ($_POST['unblock'] && $_POST['ip']) { +// if (is_ipaddr($_POST['ip'])) { +// exec("/sbin/pfctl -t snort2c -T delete {$_POST['ip']}"); +// $savemsg = gettext("Host IP address {$_POST['ip']} has been removed from the Blocked Table."); // } //} -if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { - if (empty($_GET['descr'])) - $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; - else - $suppress = "#{$_GET['descr']}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; - - /* Add the new entry to the Suppress List */ - if (suricata_add_supplist_entry($suppress)) - $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."); - else - $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); -} - -if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip") && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { - if ($_GET['act'] == "addsuppress_srcip") +if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsuppress']) && is_numeric($_POST['sidid']) && is_numeric($_POST['gen_id'])) { + if ($_POST['addsuppress_srcip']) $method = "by_src"; - else + elseif ($_POST['addsuppress_dstip']) $method = "by_dst"; - - /* Check for valid IP addresses, exit if not valid */ - if (is_ipaddr($_GET['ip']) || is_ipaddrv6($_GET['ip'])) { - if (empty($_GET['descr'])) - $suppress = "suppress gen_id 
{$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}\n"; - else - $suppress = "#{$_GET['descr']}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}\n"; - } - else { - header("Location: /suricata/suricata_alerts.php?instance={$instanceid}"); - exit; + else + $method ="all"; + + // See which kind of Suppress Entry to create + switch ($method) { + case "all": + if (empty($_POST['descr'])) + $suppress = "suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}\n"; + else + $suppress = "#{$_POST['descr']}\nsuppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}\n"; + $success = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."); + break; + case "by_src": + case "by_dst": + // Check for valid IP addresses, exit if not valid + if (is_ipaddr($_POST['ip']) || is_ipaddrv6($_POST['ip'])) { + if (empty($_POST['descr'])) + $suppress = "suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}, track {$method}, ip {$_POST['ip']}\n"; + else + $suppress = "#{$_POST['descr']}\nsuppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}, track {$method}, ip {$_POST['ip']}\n"; + $success = gettext("An entry for 'suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}, track {$method}, ip {$_POST['ip']}' has been added to the Suppress List."); + } + else { + header("Location: /suricata/suricata_alerts.php"); + exit; + } + break; + default: + header("Location: /suricata/suricata_alerts.php"); + exit; } /* Add the new entry to the Suppress List */ if (suricata_add_supplist_entry($suppress)) - $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List."); + $savemsg = $success; else - /* We did not find the defined list, so notify the user with an error */ $input_errors[] = gettext("Suppress List 
'{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); } -if ($_GET['act'] == "togglesid" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { - // Get the GID tag embedded in the clicked rule icon. - $gid = $_GET['gen_id']; - - // Get the SID tag embedded in the clicked rule icon. - $sid= $_GET['sidid']; +if ($_POST['togglesid'] && is_numeric($_POST['sidid']) && is_numeric($_POST['gen_id'])) { + // Get the GID and SID tags embedded in the clicked rule icon. + $gid = $_POST['gen_id']; + $sid= $_POST['sidid']; // See if the target SID is in our list of modified SIDs, // and toggle it if present. @@ -272,7 +271,7 @@ if ($_GET['act'] == "togglesid" && is_numeric($_GET['sidid']) && is_numeric($_GE $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Suricata is 'live-reloading' the new rules list. Please wait at least 30 secs for the process to complete before toggling additional rules."); } -if ($_GET['action'] == "clear" || $_POST['delete']) { +if ($_POST['delete']) { conf_mount_rw(); suricata_post_delete_logs($suricata_uuid); $fd = @fopen("{$suricatalogdir}suricata_{$if_real}{$suricata_uuid}/alerts.log", "w+"); @@ -281,8 +280,7 @@ if ($_GET['action'] == "clear" || $_POST['delete']) { conf_mount_ro(); /* XXX: This is needed if suricata is run as suricata user */ mwexec('/bin/chmod 660 {$suricatalogdir}*', true); - if (file_exists("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) - mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid -a"); + sigkillbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid", "HUP"); header("Location: /suricata/suricata_alerts.php?instance={$instanceid}"); exit; } @@ -332,16 +330,21 @@ if ($pconfig['arefresh'] == 'on') echo "\n"; ?> -' . $pgtitle . '
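Review bot: In the new `case "all":` branch the success message still interpolates `$_GET['gen_id']` and `$_GET['sidid']` although the handler now reads only `$_POST`, so the info box will report empty IDs (with PHP notices); it should be `$success = gettext("An entry for 'suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}' has been added to the Suppress List.");`. Separately, `$_POST['descr']` is written verbatim as a `#` comment line into the suppress list, so a description containing a newline appends an arbitrary further line (for example an unintended `suppress` directive) to that file; strip line breaks first, e.g. `$descr = str_replace(array("\r", "\n"), " ", $_POST['descr']);`, and use `$descr` in both `$suppress` strings. `sidid` and `gen_id` are only checked with `is_numeric()`; since they are embedded into a config file, `ctype_digit()` or an `(int)` cast is the safer form.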
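Review bot: The context line `mwexec('/bin/chmod 660 {$suricatalogdir}*', true);` just above the new `sigkillbypid()` call is single-quoted, so PHP does not interpolate `$suricatalogdir` and the command runs against the literal path `{$suricatalogdir}*`; the log files are never re-permissioned as the `XXX` comment intends. This is pre-existing rather than introduced by the commit, but this hunk is the place to fix it: `mwexec("/bin/chmod 660 {$suricatalogdir}suricata_{$if_real}{$suricata_uuid}/*", true);`, which also confines the change to this instance's directory instead of everything under the log root. The enclosing `if ($_POST['delete'])` block begins in the previous hunk.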

';} - /* Display Alert message */ - if ($input_errors) { - print_input_errors($input_errors); // TODO: add checks - } - if ($savemsg) { - print_info_box($savemsg); - } +
+ + + + + @@ -470,20 +473,19 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo /* Add icons for auto-adding to Suppress List if appropriate */ if (!suricata_is_alert_globally_suppressed($supplist, $fields[2], $fields[3]) && !isset($supplist[$fields[2]][$fields[3]]['by_src'][$fields[9]])) { - $alert_ip_src .= "  "; - $alert_ip_src .= ""; + $alert_ip_src .= "  "; } elseif (isset($supplist[$fields[2]][$fields[3]]['by_src'][$fields[9]])) { $alert_ip_src .= "  "; } /* Add icon for auto-removing from Blocked Table if required */ - if (isset($tmpblocked[$fields[9]])) { - $alert_ip_src .= " "; - $alert_ip_src .= " - \"Remove"; - } +// if (isset($tmpblocked[$fields[9]])) { +// $alert_ip_src .= " "; +// } /* IP SRC Port */ $alert_src_p = $fields[10]; /* IP Destination */ 
@@ -499,29 +501,28 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo $alert_ip_dst .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'>"; /* Add icons for auto-adding to Suppress List if appropriate */ if (!suricata_is_alert_globally_suppressed($supplist, $fields[2], $fields[3]) && - !isset($supplist[$fields[2]][$fields[3]]['by_dst'][$fields[1]])) { - $alert_ip_dst .= "  "; - $alert_ip_dst .= ""; + !isset($supplist[$fields[2]][$fields[3]]['by_dst'][$fields[11]])) { + $alert_ip_dst .= "  "; } elseif (isset($supplist[$fields[2]][$fields[3]]['by_dst'][$fields[11]])) { $alert_ip_dst .= "  "; } /* Add icon for auto-removing from Blocked Table if required */ - if (isset($tmpblocked[$fields[11]])) { - $alert_ip_dst .= " "; - $alert_ip_dst .= " - \"Remove"; - } +// if (isset($tmpblocked[$fields[11]])) { +// $alert_ip_src .= " "; +// } /* IP DST Port */ $alert_dst_p = $fields[12]; /* SID */ $alert_sid_str = "{$fields[2]}:{$fields[3]}"; if (!suricata_is_alert_globally_suppressed($supplist, $fields[2], $fields[3])) { - $sidsupplink = ""; - $sidsupplink .= ""; + $sidsupplink = ""; } else { $sidsupplink = ""; + $sid_dsbl_link = ""; } else { - $sid_dsbl_link = ""; + $sid_dsbl_link = ""; + $sid_dsbl_link .= "title='" . gettext("Force-disable this rule and remove it from current rules set.") . "'/>"; } /* DESCRIPTION */ $alert_class = $fields[6]; @@ -573,6 +574,21 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo - + -- cgit v1.2.3 From c1717f2d9752d19c54e86e1bcb6cb81f5b253710 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 24 Feb 2014 00:45:10 -0500 Subject: Bug fixes and replace $_GET with $_POST where possible. --- config/suricata/suricata_alerts.php | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'config/suricata/suricata_alerts.php') diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 2f23260b..3fc39f36 100644 
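Review bot: The corrected lookup key `$fields[11]` for the by_dst suppress check is right, but the commented-out "remove from Blocked Table" block just below it appends to `$alert_ip_src` rather than `$alert_ip_dst` (`// $alert_ip_src .= ...`), a copy-paste slip that will resurface if the code is re-enabled. Either correct it to `$alert_ip_dst .=` while it is dead, or drop the commented block entirely, since git keeps the history and the unblock handler it depends on is also commented out earlier in this file. `$tmpblocked` appears to be computed only for these blocks, so it could go with them; worth confirming against the loop header, which is outside this hunk.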
--- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -208,9 +208,11 @@ if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsu exit; } - /* Add the new entry to the Suppress List */ - if (suricata_add_supplist_entry($suppress)) + /* Add the new entry to the Suppress List and signal Suricata to reload config */ + if (suricata_add_supplist_entry($suppress)) { + suricata_reload_config($a_instance[$instanceid]); $savemsg = $success; + } else $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); } @@ -547,11 +549,11 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo - + - + - + \n"; -- cgit v1.2.3 From af5566164c9b0b412962c26b831e78c499f53281 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 28 Feb 2014 20:41:37 -0500 Subject: Bug fixes and enhancements for v0.2-BETA in Suricata pkg. --- config/suricata/suricata_alerts.php | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) (limited to 'config/suricata/suricata_alerts.php') diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 3fc39f36..75f21333 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -274,12 +274,10 @@ if ($_POST['togglesid'] && is_numeric($_POST['sidid']) && is_numeric($_POST['gen } if ($_POST['delete']) { - conf_mount_rw(); suricata_post_delete_logs($suricata_uuid); $fd = @fopen("{$suricatalogdir}suricata_{$if_real}{$suricata_uuid}/alerts.log", "w+"); if ($fd) fclose($fd); - conf_mount_ro(); /* XXX: This is needed if suricata is run as suricata user */ mwexec('/bin/chmod 660 {$suricatalogdir}*', true); sigkillbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid", "HUP"); 
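Review bot: The new `suricata_reload_config($a_instance[$instanceid])` call passes whatever `$a_instance[$instanceid]` holds, but nothing visible checks that `$instanceid` (taken from `$_POST`/`$_GET` earlier in the file) names an existing instance, so a stale or manipulated value would hand `null` to the reload routine after the suppress entry has already been written. Guard it before the write, e.g. `if (!isset($a_instance[$instanceid])) { header("Location: /suricata/suricata_alerts.php"); exit; }`, unless such a check already lives above this hunk; I cannot see how `$a_instance` is built from here. The enclosing `if (... $_POST['addsuppress'] ...)` block starts outside the hunk.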
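Review bot: Dropping `conf_mount_rw()`/`conf_mount_ro()` is reasonable if the log directory is not on the config filesystem, but the truncation that remains is `$fd = @fopen(..., "w+")` with errors suppressed and `if ($fd) fclose($fd);`, so a failure (the file is chmod'd 660 and may be owned by the suricata user) is silent and the user is still redirected as if the logs were cleared. Record the failure instead of hiding it, e.g. `if ($fd === false) $input_errors[] = gettext("Unable to clear the alerts log for this interface.");`, and skip the redirect when `$input_errors` is set; that redirect is in the tail of this block, outside the hunk.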
@@ -375,7 +373,7 @@ if ($savemsg) { $selected = ""; if ($id == $instanceid) $selected = "selected"; - echo "\n"; + echo "\n"; } ?>    @@ -386,7 +384,7 @@ if ($savemsg) {    + onclick="return confirm('Do you really want to remove all instance logs?');"> @@ -439,21 +437,30 @@ if ($savemsg) { /* make sure alert file exists */ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log")) { - exec("tail -{$anentries} -r /var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > /tmp/alerts_{$suricata_uuid}"); - if (file_exists("/tmp/alerts_{$suricata_uuid}")) { + exec("tail -{$anentries} -r /var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > /tmp/alerts_suricata{$suricata_uuid}"); + if (file_exists("/tmp/alerts_suricata{$suricata_uuid}")) { $tmpblocked = array_flip(suricata_get_blocked_ips()); $counter = 0; /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ /* File format timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,src,srcport,dst,dstport */ - $fd = fopen("/tmp/alerts_{$suricata_uuid}", "r"); + $fd = fopen("/tmp/alerts_suricata{$suricata_uuid}", "r"); while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { if(count($fields) < 12) continue; + // Create a DateTime object from the event timestamp that + // we can use to easily manipulate output formats. + $event_tm = date_create_from_format("m/d/Y-H:i:s.u", $fields[0]); + + // Check the 'CATEGORY' field for the text "(null)" and + // substitute "Not Assigned". + if ($fields[6] == "(null)") + $fields[6] = "Not Assigned"; + /* Time */ - $alert_time = substr($fields[0], strpos($fields[0], '-')+1, -7); + $alert_time = date_format($event_tm, "H:i:s"); /* Date */ - $alert_date = trim(substr($fields[0], 0, strpos($fields[0], '-'))); + $alert_date = date_format($event_tm, "m/d/Y"); /* Description */ $alert_descr = $fields[5]; $alert_descr_url = urlencode($fields[5]); 
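Review bot: The rewritten `exec("tail -{$anentries} -r ... > /tmp/alerts_suricata{$suricata_uuid}")` line shells out to write a file with a predictable name in world-writable `/tmp`, so a local user who pre-creates that path (or a symlink) controls what the page reads or where the redirected output lands; `$anentries` is also interpolated into the command unquoted and I cannot see from here whether it is forced to an integer. Reading the log directly in PHP avoids both problems, e.g. `$lines = array_reverse(array_slice(file($logfile, FILE_IGNORE_NEW_LINES), -(int)$anentries));` followed by `str_getcsv()` per line, or at minimum use `tempnam()` for the scratch file and `escapeshellarg()` for the arguments. The new `date_create_from_format("m/d/Y-H:i:s.u", $fields[0])` also returns `false` for a timestamp that does not match, and the following `date_format($event_tm, ...)` calls then emit warnings and render empty cells, so add `if ($event_tm === false) continue;` (or fall back to the raw `$fields[0]`). The per-line loop continues past the hunk.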
@@ -462,7 +469,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo /* Protocol */ $alert_proto = $fields[8]; /* IP SRC */ - $alert_ip_src = $fields[9]; + $alert_ip_src = inet_ntop(inet_pton($fields[9])); /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_src = str_replace(":", ":​", $alert_ip_src); /* Add Reverse DNS lookup icons */ @@ -491,7 +498,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo /* IP SRC Port */ $alert_src_p = $fields[10]; /* IP Destination */ - $alert_ip_dst = $fields[11]; + $alert_ip_dst = inet_ntop(inet_pton($fields[11])); /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); /* Add Reverse DNS lookup icons */ @@ -538,7 +545,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo } else { $sid_dsbl_link = ""; } /* DESCRIPTION */ @@ -560,7 +567,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo $counter++; } fclose($fd); - @unlink("/tmp/alerts_{$suricata_uuid}"); + @unlink("/tmp/alerts_suricata{$suricata_uuid}"); } } ?> -- cgit v1.2.3
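Review bot: `inet_ntop(inet_pton($fields[9]))` is a sensible canonicalisation, but `inet_pton()` returns `false` for a string that is not a valid address, and `inet_ntop(false)` then emits a warning and yields `false`, which the following `str_replace()` turns into an empty cell; a malformed log line silently loses its source address. Guard it: `$packed = @inet_pton($fields[9]); $alert_ip_src = ($packed !== false) ? inet_ntop($packed) : $fields[9];`. The same pattern is applied to the destination address in the next hunk and wants the identical guard.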
- $instance) { $selected = ""; @@ -379,9 +382,9 @@ if ($pconfig['arefresh'] == 'on')    + 'log files will be saved.'); ?>   + onclick="return confirm('Do you really want to remove all instance logs?');">
{$alert_priority} {$alert_proto} {$alert_class}{$alert_ip_src}{$alert_ip_src} {$alert_src_p}{$alert_ip_dst}{$alert_ip_dst} {$alert_dst_p}{$alert_sid_str}
{$sidsupplink}  {$sid_dsbl_link}
{$alert_sid_str}
{$sidsupplink}  {$sid_dsbl_link}
{$alert_descr}