From 9a4da8fc0de9f80f4a034d03506e8bfe9adceaaa Mon Sep 17 00:00:00 2001 From: Ermal Date: Sat, 14 Jul 2012 06:23:20 +0000 Subject: Switch to output alert_csv to fix all issues with snort alerts/blocked descr --- config/snort/snort.inc | 10 +- config/snort/snort_alerts.php | 482 ++++++++---------------- config/snort/snort_blocked.php | 96 ++--- config/snort/snort_interfaces_edit.php | 6 +- config/snort/snort_interfaces_suppress_edit.php | 4 +- 5 files changed, 180 insertions(+), 418 deletions(-) (limited to 'config') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index cc2cd3c6..e5ce43db 100644 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -1283,10 +1283,10 @@ EOD; foreach($enabled_rulesets_array as $enabled_item) { if (substr($enabled_item, 0, 5) == "snort" && substr($enabled_item, -9) == ".so.rules") { $slib = substr($enabled_item, 6, -6); - if (file_exists("{$snort_dirs['dynamicrules']}/{$slib}")) - $dynamic_rules_sections .= "dynamicdetection file {$snort_dirs['dynamicrules']}/{$slib}\n"; - } - if (file_exists("{$snortcfgdir}/rules/{$enabled_item}")) + if (file_exists("{$snort_dirs['dynamicrules']}/{$slib}") && + file_exists("{$snortcfgdir}/rules/{$enabled_item}")) + $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; + } else if (file_exists("{$snortcfgdir}/rules/{$enabled_item}")) $selected_rules_sections .= "include \$RULE_PATH/{$enabled_item}\n"; } } @@ -1332,7 +1332,7 @@ config event_queue: max_queue 8 log 3 order_events content_length #Configure dynamic loaded libraries dynamicpreprocessor directory {$snort_dirs['dynamicpreprocessor']} dynamicengine directory {$snort_dirs['dynamicengine']} -{$dynamic_rules_sections} +dynamicdetection directory {$snort_dirs['dynamicrules']} # Flow and stream # preprocessor frag3_global: max_frags 8192 diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index 0c6334d9..ea96d673 100644 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -37,10 +37,6 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -/* load only javascript that is needed */ -$snort_load_sortabletable = 'yes'; -$snort_load_mootools = 'yes'; - $snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; if ($_GET['instance']) @@ -66,8 +62,7 @@ if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = 'off'; } -if ($_POST['save']) -{ +if ($_POST['save']) { if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) $config['installedpackages']['snortglobal']['alertsblocks'] = array(); $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? 'on' : 'off'; @@ -79,22 +74,50 @@ if ($_POST['save']) exit; } -if ($_GET['action'] == "clear" || $_POST['delete']) { - if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { - conf_mount_rw(); - snort_post_delete_logs($snort_uuid); - $fd = fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "w"); - if ($fd) { - @ftruncate($fd, 0); - fclose($fd); +if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { + $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; + if (!is_array($config['installedpackages']['snortglobal']['suppress'])) + $config['installedpackages']['snortglobal']['suppress'] = array(); + if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) + $config['installedpackages']['snortglobal']['suppress']['item'] = array(); + $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; + + if (empty($a_instance[$instanceid]['suppresslistname']) || $a_instance[$instanceid]['suppresslistname'] == 'default') { + $s_list = array(); + $s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress"; + $s_list['uuid'] = uniqid(); + $s_list['descr'] = "Auto generted list for suppress"; + $s_list['suppresspassthru'] = base64_encode($suppress); + $a_suppress[] = $s_list; + $a_instance[$instanceid]['suppresslistname'] = $s_list['name']; + } else { + foreach ($a_suppress as $a_id => $alist) { + if ($alist['name'] == $a_instance[$instanceid]['suppresslistname']) { + if (!empty($alist['suppresspassthru'])) { + $tmplist = base64_decode($alist['suppresspassthru']); + $tmplist .= "\n{$suppress}"; + $alist['suppresspassthru'] = base64_encode($tmplist); + $a_suppress[$a_id] = $alist; + } + } } - conf_mount_ro(); - /* XXX: This is needed is snort is run as snort user */ - //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); - mwexec('/bin/chmod 660 /var/log/snort/*', true); - if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) - mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); } + write_config(); + sync_snort_package_config(); +} + +if ($_GET['action'] == "clear" || $_POST['delete']) { + conf_mount_rw(); + snort_post_delete_logs($snort_uuid); + $fd = @fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "w+"); + if ($fd) + fclose($fd); + conf_mount_ro(); + /* XXX: This is needed is snort is run as snort user */ + //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); + mwexec('/bin/chmod 660 /var/log/snort/*', true); + if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) + mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); header("Location: /snort/snort_alerts.php?instance={$instanceid}"); exit; } @@ -114,140 +137,13 @@ if ($_POST['download']) { header("Content-length: ".filesize($file)); header("Content-disposition: attachment; filename = {$file_name}"); readfile("$file"); - exec("/bin/rm /tmp/{$file_name}"); + @unlink("/tmp/{$file_name}"); } header("Location: /snort/snort_alerts.php?instance={$instanceid}"); exit; } -/* WARNING: took me forever to figure reg expression, dont lose */ -// $fileline = '12/09-18:12:02.086733 [**] [122:6:0] (portscan) TCP Filtered Decoy Portscan [**] [Priority: 3] {PROTO:255} 125.135.214.166 -> 70.61.243.50'; -function get_snort_alert_date($fileline) -{ - /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */ - if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches)) - $alert_date = "$matches[0]"; - - return $alert_date; -} - -function get_snort_alert_disc($fileline) -{ - /* disc */ - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - $alert_disc = "$matches[2]"; - - return $alert_disc; -} - -function get_snort_alert_class($fileline) -{ - /* class */ - if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches)) - $alert_class = "$matches[0]"; - - return $alert_class; -} - -function get_snort_alert_priority($fileline) -{ - /* Priority */ - if (preg_match('/Priority:\s\d/', $fileline, $matches)) - $alert_priority = "$matches[0]"; - - return $alert_priority; -} - -function get_snort_alert_proto($fileline) -{ - /* Priority */ - if (preg_match('/\{.+\}/', $fileline, $matches)) - $alert_proto = "$matches[0]"; - - return $alert_proto; -} - -function get_snort_alert_proto_full($fileline) -{ - /* Protocal full */ - if (preg_match('/.+\sTTL/', $fileline, $matches)) - $alert_proto_full = "$matches[0]"; - - return $alert_proto_full; -} - -function get_snort_alert_ip_src($fileline) -{ - /* SRC IP */ - $re1='.*?'; # Non-greedy match on filler - $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 - - if (preg_match_all ("/".$re1.$re2."/is", $fileline, $matches)) - $alert_ip_src = $matches[1][0]; - - return $alert_ip_src; -} - -function get_snort_alert_src_p($fileline) -{ - /* source port */ - if (preg_match('/:\d+\s-/', $fileline, $matches)) - $alert_src_p = "$matches[0]"; - - return $alert_src_p; -} - -function get_snort_alert_flow($fileline) -{ - /* source port */ - if (preg_match('/(->|<-)/', $fileline, $matches)) - $alert_flow = "$matches[0]"; - - return $alert_flow; -} - -function get_snort_alert_ip_dst($fileline) -{ - /* DST IP */ - $re1dp='.*?'; # Non-greedy match on filler - $re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])'; # Uninteresting: ipaddress - $re3dp='.*?'; # Non-greedy match on filler - $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 - - if (preg_match_all("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches)) - $alert_ip_dst = $matches[1][0]; - - return $alert_ip_dst; -} - -function get_snort_alert_dst_p($fileline) -{ - /* dst port */ - if (preg_match('/:\d+$/', $fileline, $matches)) - $alert_dst_p = "$matches[0]"; - - return $alert_dst_p; -} - -function get_snort_alert_dst_p_full($fileline) -{ - /* dst port full */ - if (preg_match('/:\d+\n[A-Z]+\sTTL/', $fileline, $matches)) - $alert_dst_p = "$matches[0]"; - - return $alert_dst_p; -} - -function get_snort_alert_sid($fileline) -{ - /* SID */ - if (preg_match('/\[\d+:\d+:\d+\]/', $fileline, $matches)) - $alert_sid = "$matches[0]"; - - return $alert_sid; -} - $pgtitle = "Services: Snort: Snort Alerts"; include_once("head.inc"); @@ -263,7 +159,12 @@ if ($pconfig['arefresh'] == 'on') echo "\n"; ?> -' . $pgtitle . '

';}?> +' . $pgtitle . '

';} + /* Display Alert message */ + if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks + } +?> -
-
- - +
+ +
@@ -322,207 +223,120 @@ if ($pconfig['arefresh'] == 'on') Enter the number of log entries to view. Default is 250. -
Last Alert Entries. Latest Alert Entries Are Listed First.
-
+
- - +

+
-
Filter: + + - - +
-
- - - - - - - - - - - - - - - - - $fileline) { - if (empty($fileline)) - continue; - if ($counter > $anentries) - break; - - /* Date */ - $alert_date_str = get_snort_alert_date($fileline); - if($alert_date_str != '') - $alert_date = $alert_date_str; - else - $alert_date = 'empty'; - - /* Discription */ - $alert_disc_str = get_snort_alert_disc($fileline); - if(empty($alert_disc_str)) - $alert_disc = 'empty'; - else - $alert_disc = $alert_disc_str; - - /* Classification */ - $alert_class_str = get_snort_alert_class($fileline); - if($alert_class_str != '') - { - $alert_class_match = array('[Classification:',']'); - $alert_class = str_replace($alert_class_match, '', "$alert_class_str"); - }else{ - $alert_class = 'Prep'; - } - - /* Priority */ - $alert_priority_str = get_snort_alert_priority($fileline); - if($alert_priority_str != '') - { - $alert_priority_match = array('Priority: ',']'); - $alert_priority = str_replace($alert_priority_match, '', "$alert_priority_str"); - }else{ - $alert_priority = 'empty'; - } - - /* Protocol */ - /* Detect alert file type */ - if ($snortalertlogt == 'full') - { - $alert_proto_str = get_snort_alert_proto_full($fileline); - }else{ - $alert_proto_str = get_snort_alert_proto($fileline); - } - - if($alert_proto_str != '') - { - $alert_proto_match = array(" TTL",'{','}'); - $alert_proto = str_replace($alert_proto_match, '', "$alert_proto_str"); - }else{ - $alert_proto = 'empty'; - } - - /* IP SRC */ - $alert_ip_src_str = get_snort_alert_ip_src($fileline); - if($alert_ip_src_str != '') - { - $alert_ip_src = $alert_ip_src_str; - }else{ - $alert_ip_src = 'empty'; - } - - /* IP SRC Port */ - $alert_src_p_str = get_snort_alert_src_p($fileline); - if($alert_src_p_str != '') - { - $alert_src_p_match = array(' -',':'); - $alert_src_p = str_replace($alert_src_p_match, '', "$alert_src_p_str"); - }else{ - $alert_src_p = 'empty'; - } - - /* Flow */ - $alert_flow_str = get_snort_alert_flow($fileline); - if($alert_flow_str != '') - { - $alert_flow = $alert_flow_str; - }else{ - $alert_flow = 'empty'; - } - - /* IP Destination */ - $alert_ip_dst_str = get_snort_alert_ip_dst($fileline); - if($alert_ip_dst_str != '') - { - $alert_ip_dst = $alert_ip_dst_str; - }else{ - $alert_ip_dst = 'empty'; - } - - /* IP DST Port */ - if ($snortalertlogt == 'full') - { - $alert_dst_p_str = get_snort_alert_dst_p_full($fileline); - }else{ - $alert_dst_p_str = get_snort_alert_dst_p($fileline); - } - - if($alert_dst_p_str != '') - { - $alert_dst_p_match = array(':',"\n"," TTL"); - $alert_dst_p_str2 = str_replace($alert_dst_p_match, '', "$alert_dst_p_str"); - $alert_dst_p_match2 = array('/[A-Z]/'); - $alert_dst_p = preg_replace($alert_dst_p_match2, '', "$alert_dst_p_str2"); - }else{ - $alert_dst_p = 'empty'; - } - - /* SID */ - $alert_sid_str = get_snort_alert_sid($fileline); - - if($alert_sid_str != '') - { - $alert_sid_match = array('[',']'); - $alert_sid = str_replace($alert_sid_match, '', "$alert_sid_str"); - }else{ - $alert_sid_str = 'empty'; - } - - /* NOTE: using one echo improves performance by 2x */ - echo " - - - - - - - - - - - - +
+ + + + + + +
#PRIPROTODESCRIPTIONCLASSSRCSPORTFLOWDSTDPORTSIDDate
{$counter}{$alert_priority}{$alert_proto}{$alert_disc}{$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_flow}{$alert_ip_dst}{$alert_dst_p}{$alert_sid}{$alert_date}
+ + + + + + + + + + + + + + + + $anentries) + break; + $fields = explode(",", $fileline); + + /* Date */ + $alert_date = $fields[0]; + /* Description */ + $alert_descr = $fields[4]; + /* Priority */ + $alert_priority = $fields[12]; + /* Protocol */ + $alert_proto = $fields[5]; + /* IP SRC */ + $alert_ip_src = $fields[6]; + /* IP SRC Port */ + $alert_src_p = $fields[7]; + /* IP Destination */ + $alert_ip_dst = $fields[8]; + /* IP DST Port */ + $alert_dst_p = $fields[9]; + /* SID */ + $alert_sid_str = "{$fields[1]}:{$fields[2]}:{$fields[3]}"; + $alert_class = $fields[10]; + + echo " + + + + + + + + + + + \n"; - } + + $counter++; } - ?> + fclose($fd); + } +} +?>
#PRIPROTODESCRIPTIONCLASSSRCSPORTDSTDPORTSIDDate
{$counter}{$alert_priority}{$alert_proto}{$alert_descr}{$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_ip_dst}{$alert_dst_p} + {$alert_sid_str} + + + {$alert_date}
+ +
diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index ddeae784..1ff7972c 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -38,7 +38,6 @@ if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh']; $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; -$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber']; if (empty($pconfig['blertnumber'])) $bnentries = '500'; @@ -115,62 +114,6 @@ if ($_POST['save']) } -/* build filter funcs */ -function get_snort_alert_ip_src($fileline) -{ - /* SRC IP */ - $re1='.*?'; # Non-greedy match on filler - $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1 - - if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4)) - return $matches4[1][0]; - - return ""; -} - -function get_snort_alert_disc($fileline) -{ - /* disc */ - if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches)) - return "{$matches[2]}"; - - return ""; -} - -/* tell the user what settings they have */ -$blockedtab_msg_chk = $config['installedpackages']['snortglobal']['rm_blocked']; -if ($blockedtab_msg_chk == "1h_b") { - $blocked_msg = "hour"; -} -if ($blockedtab_msg_chk == "3h_b") { - $blocked_msg = "3 hours"; -} -if ($blockedtab_msg_chk == "6h_b") { - $blocked_msg = "6 hours"; -} -if ($blockedtab_msg_chk == "12h_b") { - $blocked_msg = "12 hours"; -} -if ($blockedtab_msg_chk == "1d_b") { - $blocked_msg = "day"; -} -if ($blockedtab_msg_chk == "4d_b") { - $blocked_msg = "4 days"; -} -if ($blockedtab_msg_chk == "7d_b") { - $blocked_msg = "7 days"; -} -if ($blockedtab_msg_chk == "28d_b") { - $blocked_msg = "28 days"; -} - -if ($blockedtab_msg_chk != "never_b") -{ - $blocked_msg_txt = "Hosts are removed every $blocked_msg."; -}else{ - $blocked_msg_txt = "Settings are set to never remove hosts."; -} - $pgtitle = "Services: Snort Blocked Hosts"; include_once("head.inc"); @@ -272,28 +215,31 @@ if ($pconfig['brefresh'] == 'on') $blocked_ips_array[] = trim($blocked_ip, " \n\t"); } } - $input = array(); - $alert_ip_src_array = array(); - foreach (glob("/var/log/snort/*/alert") as $alert) { - if ($pconfig['snortalertlogtype'] == 'full') - $alerts_array = array_reverse(explode("\n\n", file_get_contents($alert))); - else - $alerts_array = array_reverse(file($alert)); - /* build the list and compare blocks to alerts */ - foreach($alerts_array as $counter => $fileline) { - if (empty($fileline)) - continue; - - $alert_ip_src = get_snort_alert_ip_src($fileline); - $alert_ip_disc = get_snort_alert_disc($fileline); - $alert_ip_src_array[] = $alert_ip_src; - if (!empty($blocked_ips_array) && in_array("$alert_ip_src", $blocked_ips_array)) { - if (!isset($input[$alert_ip_src])) - $input[$alert_ip_src] = "{$alert_ip_disc}\n"; + $src_ip_list = array(); + /* make sure alert file exists */ + if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { + $fd = fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "r"); + if ($fd) { + /* 0 1 2 3 4 5 6 7 8 9 10 11 12 + /* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */ + while(($fileline = @fgets($fd))) { + if (empty($fileline)) + continue; + $fields = explode(",", $fileline); + + $src_ip_list[$fields[6]] = "{$fields[4]} - {$fields[0]}";; + $src_ip_list[$fields[8]] = "{$fields[4]} - {$fields[0]}";; } + fclose($fd); } } + $input = array(); + foreach ($blocked_ips_array as $blocked_ip) { + if (isset($src_ip_list[$blocked_ip])) + $input[$blocked_ip] = $src_ip_list[$blocked_ip]; + } + foreach($blocked_ips_array as $blocked_ip) { if (is_ipaddr($blocked_ip) && !isset($input[$blocked_ip])) $input[$blocked_ip] = "N\A\n"; diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php index dc9c4601..50340853 100644 --- a/config/snort/snort_interfaces_edit.php +++ b/config/snort/snort_interfaces_edit.php @@ -106,8 +106,10 @@ if ($_POST["Submit"]) { $if_real = snort_get_real_interface($natent['interface']); if (isset($id) && $a_rule[$id]) { - if ($natent['interface'] != $a_rule[$id]['interface']) - snort_stop($a_rule[$id], $if_real); + if ($natent['interface'] != $a_rule[$id]['interface']) { + $oif_real = snort_get_real_interface($a_rule[$id]['interface']); + snort_stop($a_rule[$id], $oif_real); + } $a_rule[$id] = $natent; } else $a_rule[] = $natent; diff --git a/config/snort/snort_interfaces_suppress_edit.php b/config/snort/snort_interfaces_suppress_edit.php index 8a7e29ef..7dfe5d74 100644 --- a/config/snort/snort_interfaces_suppress_edit.php +++ b/config/snort/snort_interfaces_suppress_edit.php @@ -105,7 +105,7 @@ if ($_POST['submit']) { if (!$input_errors) { $s_list = array(); $s_list['name'] = $_POST['name']; - $s_list['uuid'] = $suppress_uuid; + $s_list['uuid'] = uniqid(); $s_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); if ($_POST['suppresspassthru']) $s_list['suppresspassthru'] = base64_encode($_POST['suppresspassthru']); @@ -123,7 +123,7 @@ if ($_POST['submit']) { } } -$pgtitle = "Services: Snort: Suppression: Edit $suppress_uuid"; +$pgtitle = "Services: Snort: Suppression: Edit"; include_once("head.inc"); ?> -- cgit v1.2.3