From 8c84e29191b2bf66d4ba8c389947032434f3f026 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 9 Sep 2014 15:04:04 -0400 Subject: Add filter dialog to ALERTS tab. --- config/snort/snort_alerts.php | 159 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 159 insertions(+) (limited to 'config') diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index c04f4e31..241b43b3 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -42,6 +42,7 @@ require_once("/usr/local/pkg/snort/snort.inc"); $snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; $supplist = array(); $snortlogdir = SNORTLOGDIR; +$filterlogentries = FALSE; function snort_is_alert_globally_suppressed($list, $gid, $sid) { @@ -133,6 +134,32 @@ function snort_add_supplist_entry($suppress) { return false; } +function snort_escape_filter_regex($filtertext) { + /* If the caller (user) has not already put a backslash before a slash, to escape it in the regex, */ + /* then this will do it. Take out any "\/" already there, then turn all ordinary "/" into "\/". */ + return str_replace('/', '\/', str_replace('\/', '/', $filtertext)); +} + +function snort_match_filter_field($flent, $fields) { + foreach ($fields as $key => $field) { + if ($field == null) + continue; + if ((strpos($field, '!') === 0)) { + $field = substr($field, 1); + $field_regex = snort_escape_filter_regex($field); + if (@preg_match("/{$field_regex}/i", $flent[$key])) + return false; + } + else { + $field_regex = snort_escape_filter_regex($field); + if (!@preg_match("/{$field_regex}/i", $flent[$key])) + return false; + } + } + return true; +} + + if (isset($_POST['instance']) && is_numericint($_POST['instance'])) $instanceid = $_POST['instance']; elseif (isset($_GET['instance']) && is_numericint($_GET['instance'])) @@ -180,6 +207,35 @@ if (isset($_POST['resolve'])) { } # --- AJAX REVERSE DNS RESOLVE End --- +if ($_POST['filterlogentries_submit']) { + // Set flag for filtering alert entries + $filterlogentries = TRUE; + + // -- IMPORTANT -- + // Note the order of these fields must match the order decoded from the alerts log + $filterfieldsarray = array(); + $filterfieldsarray[0] = $_POST['filterlogentries_time'] ? $_POST['filterlogentries_time'] : null; + $filterfieldsarray[1] = $_POST['filterlogentries_gid'] ? $_POST['filterlogentries_gid'] : null; + $filterfieldsarray[2] = $_POST['filterlogentries_sid'] ? $_POST['filterlogentries_sid'] : null; + $filterfieldsarray[3] = null; + $filterfieldsarray[4] = $_POST['filterlogentries_description'] ? $_POST['filterlogentries_description'] : null; + $filterfieldsarray[5] = $_POST['filterlogentries_protocol'] ? $_POST['filterlogentries_protocol'] : null; + // Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation + $filterfieldsarray[6] = $_POST['filterlogentries_sourceipaddress'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_sourceipaddress']) : null; + $filterfieldsarray[7] = $_POST['filterlogentries_sourceport'] ? $_POST['filterlogentries_sourceport'] : null; + // Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation + $filterfieldsarray[8] = $_POST['filterlogentries_destinationipaddress'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_destinationipaddress']) : null; + $filterfieldsarray[9] = $_POST['filterlogentries_destinationport'] ? $_POST['filterlogentries_destinationport'] : null; + $filterfieldsarray[10] = null; + $filterfieldsarray[11] = $_POST['filterlogentries_classification'] ? $_POST['filterlogentries_classification'] : null; + $filterfieldsarray[12] = $_POST['filterlogentries_priority'] ? $_POST['filterlogentries_priority'] : null; +} + +if ($_POST['filterlogentries_clear']) { + $filterlogentries = TRUE; + $filterfieldsarray = array(); +} + if ($_POST['save']) { if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) $config['installedpackages']['snortglobal']['alertsblocks'] = array(); @@ -439,10 +495,98 @@ if ($savemsg) {  ', '', '', ''); ?> + + + + "> + + + " onclick="enable_showFilter();" /> +    + + + "> + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+ 		+
+
+ 		+
+
+ 		+
+
+ 		+
+
+
+
+
+ 		+
+
+ 		+
+
+ 		+
+
+ 		+
+
+
+
+
+ 		+ + +
" title="" /> +    " title="" /> +    " onclick="enable_hideFilter();" title="" />
+
+  ', '');?>   +    +
+ + + + +    + + +    + @@ -488,6 +632,10 @@ if (file_exists("{$snortlogdir}/snort_{$if_real}{$snort_uuid}/alert")) { if(count($fields) < 13) continue; + if ($filterlogentries && !snort_match_filter_field($fields, $filterfieldsarray)) { + continue; + } + /* Time */ $alert_time = substr($fields[0], strpos($fields[0], '-')+1, -8); /* Date */ @@ -629,6 +777,17 @@ function encRuleSig(rulegid,rulesid,srcip,ruledescr) { document.getElementById("ip").value = srcip; document.getElementById("descr").value = ruledescr; } + +function enable_showFilter() { + document.getElementById("filter_enable_row").style.display="none"; + document.getElementById("filter_options_row").style.display="table-row"; +} + +function enable_hideFilter() { + document.getElementById("filter_enable_row").style.display="table-row"; + document.getElementById("filter_options_row").style.display="none"; +} + -- cgit v1.2.3