From 196610ae4ce93843d877993c6f1a400c7670df1e Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 14 Oct 2009 17:10:40 -0400 Subject: Add separate packages for snort and havp dashboard widgets. --- config/widget-snort/snort_alerts.inc | 15 +++ config/widget-snort/snort_alerts.inc.php | 77 +++++++++++++++ config/widget-snort/snort_alerts.js | 145 ++++++++++++++++++++++++++++ config/widget-snort/snort_alerts.widget.php | 67 +++++++++++++ config/widget-snort/snort_alerts_helper.php | 13 +++ config/widget-snort/widget-snort.inc | 13 +++ config/widget-snort/widget-snort.xml | 85 ++++++++++++++++ 7 files changed, 415 insertions(+) create mode 100644 config/widget-snort/snort_alerts.inc create mode 100644 config/widget-snort/snort_alerts.inc.php create mode 100644 config/widget-snort/snort_alerts.js create mode 100644 config/widget-snort/snort_alerts.widget.php create mode 100644 config/widget-snort/snort_alerts_helper.php create mode 100644 config/widget-snort/widget-snort.inc create mode 100644 config/widget-snort/widget-snort.xml (limited to 'config/widget-snort') diff --git a/config/widget-snort/snort_alerts.inc b/config/widget-snort/snort_alerts.inc new file mode 100644 index 00000000..d6e3b0ca --- /dev/null +++ b/config/widget-snort/snort_alerts.inc @@ -0,0 +1,15 @@ + \ No newline at end of file diff --git a/config/widget-snort/snort_alerts.inc.php b/config/widget-snort/snort_alerts.inc.php new file mode 100644 index 00000000..99e3ee9f --- /dev/null +++ b/config/widget-snort/snort_alerts.inc.php 
@@ -0,0 +1,77 @@ += $nentries) + break; + + $alert = parse_snort_alert_line($logent); + if ($alert != "") { + $counter++; + $snortalerts[] = $alert; + } + + } + /* Since the rules are in reverse order, flip them around if needed based on the user's preference */ + return isset($config['syslog']['reverse']) ? $snortalerts : array_reverse($snortalerts); +} + +function parse_snort_alert_line($line) { + $log_split = ""; + + preg_match("/^(.*)\s+\[\*\*\]\s+\[(\d+\:\d+:\d+)\]\s(.*)\s(.*)\s+\[\*\*\].*\s+\[Priority:\s(\d+)\]\s{(.*)}\s+(.*)\s->\s(.*)$/U", $line, $log_split); + + list($all, $alert['time'], $alert['rule'], $alert['category'], $alert['descr'], + $alert['priority'], $alert['proto'], $alert['src'], $alert['dst']) = $log_split; + + $usableline = true; + + if(trim($alert['src']) == "") + $usableline = false; + if(trim($alert['dst']) == "") + $usableline = false; + + if($usableline == true) { + return $alert; + } else { + if($g['debug']) { + log_error("There was a error parsing line: $line. Please report to mailing list or forum."); + } + return ""; + } +} + +/* AJAX specific handlers */ +function handle_snort_ajax($snort_alerts_logfile, $nentries = 5, $tail = 50) { + if($_GET['lastsawtime'] or $_POST['lastsawtime']) { + if($_GET['lastsawtime']) + $lastsawtime = $_GET['lastsawtime']; + if($_POST['lastsawtime']) + $lastsawtime = $_POST['lastsawtime']; + /* compare lastsawrule's time stamp to alert logs. + * afterwards return the newer records so that client + * can update AJAX interface screen. + */ + $new_rules = ""; + $snort_alerts = get_snort_alerts($snort_alerts_logfile, $nentries); + foreach($snort_alerts as $log_row) { + $time_regex = ""; + preg_match("/.*([0-9][0-9]:[0-9][0-9]:[0-9][0-9]).*/", $log_row['time'], $time_regex); + $row_time = strtotime($time_regex[1]); + if($row_time > $lastsawtime) { + $new_rules .= "{$log_row['time']}||{$log_row['priority']}||{$log_row['category']}||{$log_row['src']}||{$log_row['dst']}||" . time() . 
"||\n"; + } + } + echo $new_rules; + exit; + } +} +?> \ No newline at end of file diff --git a/config/widget-snort/snort_alerts.js b/config/widget-snort/snort_alerts.js new file mode 100644 index 00000000..48c97d6c --- /dev/null +++ b/config/widget-snort/snort_alerts.js 
@@ -0,0 +1,145 @@ + +snortlastsawtime = ''; +var snortlines = Array(); +var snorttimer; +var snortupdateDelay = 25500; +var snortisBusy = false; +var snortisPaused = false; + + + +if (typeof getURL == 'undefined') { + getURL = function(url, callback) { + if (!url) + throw 'No URL for getURL'; + try { + if (typeof callback.operationComplete == 'function') + callback = callback.operationComplete; + } catch (e) {} + if (typeof callback != 'function') + throw 'No callback function for getURL'; + var http_request = null; + if (typeof XMLHttpRequest != 'undefined') { + http_request = new XMLHttpRequest(); + } + else if (typeof ActiveXObject != 'undefined') { + try { + http_request = new ActiveXObject('Msxml2.XMLHTTP'); + } catch (e) { + try { + http_request = new ActiveXObject('Microsoft.XMLHTTP'); + } catch (e) {} + } + } + if (!http_request) + throw 'Both getURL and XMLHttpRequest are undefined'; + http_request.onreadystatechange = function() { + if (http_request.readyState == 4) { + callback( { success : true, + content : http_request.responseText, + contentType : http_request.getResponseHeader("Content-Type") } ); + } + } + http_request.open('GET', url, true); + http_request.send(null); + } +} + +function snort_alerts_fetch_new_rules() { + if(snortisPaused) + return; + if(snortisBusy) + return; + snortisBusy = true; + getURL('widgets/helpers/snort_alerts_helper.php?lastsawtime=' + snortlastsawtime, snort_alerts_fetch_new_rules_callback); +} +function snort_alerts_fetch_new_rules_callback(callback_data) { + if(snortisPaused) + return; + + var data_split; + var new_data_to_add = Array(); + var data = callback_data.content; + + data_split = data.split("\n"); + + for(var x=0; x'; + line += '' + row_split[2] + ''; + line += '' + row_split[3] + ''; + line += '' + row_split[4] + ''; + snortlastsawtime = row_split[5]; + new_data_to_add[new_data_to_add.length] = line; + } + snort_alerts_update_div_rows(new_data_to_add); + snortisBusy = false; +} +function 
snort_alerts_update_div_rows(data) { + if(snortisPaused) + return; + + var isIE = navigator.appName.indexOf('Microsoft') != -1; + var isSafari = navigator.userAgent.indexOf('Safari') != -1; + var isOpera = navigator.userAgent.indexOf('Opera') != -1; + var rulestable = document.getElementById('snort_alerts'); + var rows = rulestable.getElementsByTagName('tr'); + var showanim = 1; + if (isIE) { + showanim = 0; + } + //alert(data.length); + for(var x=0; x 0; i--) { + nextrecord = i + 1; + if(nextrecord < numrows) + rows[nextrecord].innerHTML = rows[i].innerHTML; + } + } + var item = document.getElementById('snort-firstrow'); + if(x == data.length-1) { + /* nothing */ + showanim = false; + } else { + showanim = false; + } + if (showanim) { + item.style.display = 'none'; + item.innerHTML = data[x]; + new Effect.Appear(item); + } else { + item.innerHTML = data[x]; + } + } + /* rechedule AJAX interval */ + //snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay); +} +function snort_alerts_toggle_pause() { + if(snortisPaused) { + snortisPaused = false; + snort_alerts_fetch_new_rules(); + } else { + snortisPaused = true; + } +} +/* start local AJAX engine */ +snorttimer = setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay); diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php new file mode 100644 index 00000000..22bd1b69 --- /dev/null +++ b/config/widget-snort/snort_alerts.widget.php @@ -0,0 +1,67 @@ + + + + + + + + + + + + + + > + + + + + + + +
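Review bot: `snort_alerts_fetch_new_rules_callback` returns early when `snortisPaused` is set without clearing `snortisBusy`, and the `getURL` handler fires only at readyState 4 with no status check or error path, so a pause during an in-flight request (or a request that never completes) leaves `snortisBusy` true and every later `snort_alerts_fetch_new_rules()` call — including the one `snort_alerts_toggle_pause` makes on resume — returns immediately; move `snortisBusy = false;` ahead of the `if(snortisPaused) return;` at the top of the callback. Each `row_split[...]` field is concatenated into an HTML string and written through `item.innerHTML` in `snort_alerts_update_div_rows` with no encoding, so whatever text reaches the alert log is rendered as markup; build the cells with `document.createElement('td')` and set `textContent` on them, or HTML-escape each field before concatenation (the loop header in the callback is partly illegible here, the comparison operators having been dropped). The string form `setInterval('snort_alerts_fetch_new_rules()', snortupdateDelay)` at the end of the file is an implicit eval; pass the reference instead, `snorttimer = setInterval(snort_alerts_fetch_new_rules, snortupdateDelay);`, and do the same for the commented-out reschedule line if it is ever revived.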
PriCategorySrcDst
diff --git a/config/widget-snort/snort_alerts_helper.php b/config/widget-snort/snort_alerts_helper.php new file mode 100644 index 00000000..0e7b4fad --- /dev/null +++ b/config/widget-snort/snort_alerts_helper.php @@ -0,0 +1,13 @@ + + + + diff --git a/config/widget-snort/widget-snort.inc b/config/widget-snort/widget-snort.inc new file mode 100644 index 00000000..584e5f2d --- /dev/null +++ b/config/widget-snort/widget-snort.inc @@ -0,0 +1,13 @@ + \ No newline at end of file diff --git a/config/widget-snort/widget-snort.xml b/config/widget-snort/widget-snort.xml new file mode 100644 index 00000000..b32a27d7 --- /dev/null +++ b/config/widget-snort/widget-snort.xml 
@@ -0,0 +1,85 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Snort widget add-on for Dashboard package + Dashboard package and Snort + Currently there are no FAQ items provided. 
+ widget-snort + 0.1 + Widget - Snort + /usr/local/pkg/widget-snort.inc + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/widget-snort/widget-snort.inc + + + /usr/local/www/includes/ + 0644 + http://www.pfsense.com/packages/config/widget-snort/snort_alerts.inc.php + + + /usr/local/www/widgets/helpers/ + 0644 + http://www.pfsense.com/packages/config/widget-snort/snort_alerts_helper.php + + + /usr/local/www/widgets/include/ + 0644 + http://www.pfsense.com/packages/config/widget-snort/snort_alerts.inc + + + /usr/local/www/widgets/javascript/ + 0644 + http://www.pfsense.com/packages/config/widget-snort/snort_alerts.js + + + /usr/local/www/widgets/widgets/ + 0644 + http://www.pfsense.com/packages/config/widget-snort/snort_alerts.widget.php + + + widget_snort_uninstall(); + + -- cgit v1.2.3
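Review bot: the entry that installs `widget-snort.inc` to `/usr/local/pkg/` carries `077` as its permission value, which as octal is `---rwxrwx` — no owner bits, read/write/execute for group and world — while every other entry in this file uses `0644`; this looks like a typo and should be `0644` (or `0755` if the file must be executable). All six download entries fetch code over plain `http://www.pfsense.com/...` into `/usr/local/www` and `/usr/local/pkg` with no digest alongside the URL, so the installer has nothing to verify the fetched content against; if the package framework accepts an https URL or a checksum field, use it here, and otherwise note the gap in a comment next to the first entry.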