From d0f804ddd88b5687ae471a20da7b2726390ae97f Mon Sep 17 00:00:00 2001 From: robiscool Date: Wed, 30 Dec 2009 00:51:05 -0800 Subject: snort-dev, add filtering for corrupted alerts file --- config/snort-dev/snort.inc | 2 +- config/snort-dev/snort_alerts.php | 20 ++++++--- config/snort-dev/snort_blocked.php | 44 +++++++++++++++--- config/snort-dev/snort_rules.php | 92 ++++++++++++++++++-------------------- 4 files changed, 99 insertions(+), 59 deletions(-) (limited to 'config') diff --git a/config/snort-dev/snort.inc b/config/snort-dev/snort.inc index bae2c384..db7bbc27 100644 --- a/config/snort-dev/snort.inc +++ b/config/snort-dev/snort.inc @@ -1463,7 +1463,7 @@ preprocessor http_inspect_server: server default \ chunk_length 500000 \ bare_byte yes \ double_decode yes \ - iis_unicode yes \ + iis_unicode no \ iis_delimiter no \ multi_slash no diff --git a/config/snort-dev/snort_alerts.php b/config/snort-dev/snort_alerts.php index a9e002f8..bbfd214c 100644 --- a/config/snort-dev/snort_alerts.php +++ b/config/snort-dev/snort_alerts.php @@ -431,17 +431,23 @@ if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '') { $alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert')))); }else{ - $alerts_array = array_reverse(split("\n", file_get_contents('/var/log/snort/alert'))); + $alerts_array = array_reverse(array_filter(split("\n", file_get_contents('/var/log/snort/alert')))); } + + +if (is_array($alerts_array)) +{ + $counter = 0; foreach($alerts_array as $fileline) { + if($logent <= $counter) continue; - + $counter++; - + /* Date */ $alert_date_str = get_snort_alert_date($fileline); @@ -573,7 +579,9 @@ if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '') } /* NOTE: using one echo improves performance by 2x */ - echo " + if ($alert_disc != 'empty') + { + echo " {$counter} {$alert_priority} {$alert_proto} 
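Review bot: The `iis_unicode yes` → `iis_unicode no` flip inside the `http_inspect_server: server default` stanza in snort.inc is unrelated to the commit subject (alert-file filtering) and carries no explanation. Turning off IIS-style Unicode codepoint decoding for the default server profile presumably narrows what http_inspect normalizes before rule matching, so detection coverage for traffic using that encoding may change silently for everyone who regenerates the config. If this was done to quiet false positives, record that next to the option in the generated config, e.g. `# iis_unicode disabled: <reason> — re-enable for IIS-backed servers`. The preprocessor stanza continues outside the hunk.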
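Review bot: In the snort_alerts.php @@ -431 hunk `$counter++` runs before `$alert_disc` is computed, so an entry later suppressed by the new `if ($alert_disc != 'empty')` check still consumes one of the `$logent` slots and leaves a gap in the displayed row numbers; move the `$logent` test and the increment after the `$alert_disc` test, or `continue` on a filtered entry before counting. The `if (is_array($alerts_array))` guard looks dead: both branches assign the result of `array_reverse()`, which is always an array (an unreadable file still yields an empty array after `array_filter`), so if the intent is to cope with a missing or unreadable `/var/log/snort/alert`, test the `file_get_contents()` result for `false` instead. Since the `split()` line is being touched anyway, note that `split()` is deprecated as of PHP 5.3 and `explode()` is the drop-in replacement for a literal separator: `$alerts_array = array_reverse(array_filter(explode("\n", file_get_contents('/var/log/snort/alert'))));`. The assignment of `$alert_disc` is outside this hunk, and the block opened here closes in the @@ -586 hunk.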
@@ -586,7 +594,8 @@ if ($pconfig['arefresh'] == 'on' || $pconfig['arefresh'] == '') {$alert_dst_p} {$alert_sid} {$alert_date} - \n"; + \n"; + } // } +} ?> diff --git a/config/snort-dev/snort_blocked.php b/config/snort-dev/snort_blocked.php index 06d03bd0..d4b4c2b9 100644 --- a/config/snort-dev/snort_blocked.php +++ b/config/snort-dev/snort_blocked.php @@ -323,7 +323,7 @@ $blocked_ips_array = str_replace(' ', '', array_filter(explode("\n", file_get_ $logent = $bnentries; -if ($blocked_ips_array[0] != '') +if ($blocked_ips_array[0] != '' && $alerts_array[0] != '') { /* build the list and compare blocks to alerts */ @@ -335,10 +335,21 @@ if ($blocked_ips_array[0] != '') $alert_ip_src = get_snort_alert_ip_src($fileline); $alert_ip_disc = get_snort_alert_disc($fileline); + $alert_ip_src_array[] = get_snort_alert_ip_src($fileline); - if (in_array("$alert_ip_src", $blocked_ips_array)) - $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; + if (in_array("$alert_ip_src", $blocked_ips_array)) + { + $input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n"; + } + } + foreach($blocked_ips_array as $alert_block_ip) + { + + if (!in_array($alert_block_ip, $alert_ip_src_array)) + { + $input[] = "[$alert_block_ip] " . "[N\A]\n"; + } } /* reduce double occurrences */ @@ -374,7 +385,6 @@ if ($blocked_ips_array[0] != '') $alert_block_disc = 'empty'; } - /* use one echo to do the magic*/ echo " @@ -385,13 +395,37 @@ if ($blocked_ips_array[0] != '') \n"; } + +}else{ + + /* if alerts file is empty and blocked table is not empty */ + $counter2 = 0; + + foreach($blocked_ips_array as $alert_block_ip) + { + if($logent <= $counter2) + continue; + + $counter2++; + + $alert_block_disc = 'N/A'; + + /* use one echo to do the magic*/ + echo " + + \"Delete\" +  {$counter2} +  {$alert_block_ip} +  {$alert_block_disc} + \n"; + } } if ($blocked_ips_array[0] == '') { echo "\n
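Review bot: The trailing `// }` on the closing brace of the new `$alert_disc` check reads as a commented-out brace and will confuse the next reader; label what each brace closes instead, e.g. `} // end if ($alert_disc != 'empty')` and, for the outer one, `} // end if (is_array($alerts_array))`. The foreach and both `if` blocks these braces close start in the @@ -431 hunk, outside this one.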
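Review bot: In the snort_blocked.php @@ -323 hunk the added `&& $alerts_array[0] != ''` reads index 0 without checking it exists, so an empty `$alerts_array` raises an undefined-offset notice and only takes the else branch because `null != ''` happens to be false under loose comparison. Depending on how `$alerts_array` is built above (outside the hunk), `&& !empty($alerts_array)` or `&& isset($alerts_array[0]) && $alerts_array[0] != ''` expresses the intent without relying on that coincidence.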
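Review bot: In the @@ -335 hunk `$alert_ip_src_array` is only ever created by the `[]=` append inside the first foreach, so if that loop iterates nothing (or `continue`s before the append, which I cannot see from here) the second loop's `in_array($alert_block_ip, $alert_ip_src_array)` runs on an undefined variable: PHP warns, returns null, and `!null` marks every blocked address as `[N\A]`. Initialize it before the first loop with `$alert_ip_src_array = array();`. The append also re-parses the line via `get_snort_alert_ip_src($fileline)` although `$alert_ip_src` already holds that value two lines up; `$alert_ip_src_array[] = $alert_ip_src;` avoids the duplicate call. `"[N\A]\n"` prints a literal backslash (`\A` is not a PHP escape) and differs from the `'N/A'` used in the @@ -385 hunk, so `"[N/A]\n"` keeps the two consistent. The enclosing `if` starts in the @@ -323 hunk.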
There are currently no items being blocked by snort."; }else{ - echo "\n{$counter} items listed."; + echo "\n{$counter2} items listed."; } ?> diff --git a/config/snort-dev/snort_rules.php b/config/snort-dev/snort_rules.php index bc2f481d..ae3fca62 100644 --- a/config/snort-dev/snort_rules.php +++ b/config/snort-dev/snort_rules.php @@ -577,56 +577,55 @@ function popup(url) if (strstr($tempstring, 'msg:"')) $message = get_middle($tempstring, 'msg:"', '";', 0); - echo ""; - echo ""; - echo $textss; + echo " + + $textss\n"; ?> - - onClick="enable_change(false) "> + + onClick="enable_change(false)"> "; - - - echo ""; - echo $textss; - echo $sid; - echo $textse; - echo ""; - - echo ""; - echo $textss; - echo $protocol; + echo "$textse + + + $textss + $sid + $textse + + + $textss + $protocol"; + ?> + "; - echo ""; - echo $textss; - echo $source; - echo $textse; - echo ""; - echo ""; - echo $textss; - echo $source_port; - echo $textse; - echo ""; - echo ""; - echo $textss; - echo $destination; - echo $textse; - echo ""; - echo ""; - echo $textss; - echo $destination_port; - echo $textse; - echo ""; + echo "$textse + + + $textss + $source + $textse + + + $textss + $source_port + $textse + + + $textss + $destination + $textse + + + $textss + $destination_port + $textse + "; ?> "; + echo "$textss + $message + $textse + "; ?> @@ -639,10 +638,7 @@ function popup(url)
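Review bot: The footer change to `echo "\n{$counter2} items listed.";` breaks the normal path: `$counter2` is only defined in the new else branch, so when alerts and blocks both exist the page now prints an empty count (with an undefined-variable notice) instead of the `$counter` the first branch maintains. Initialize one `$counter = 0;` before the if/else and increment that same variable in the else loop, or keep the footer on `$counter` and assign `$counter = $counter2;` at the end of the else branch. The else branch is also reached when `$blocked_ips_array[0] == ''` because the condition on the `if` is an AND, and in that case the foreach emits one row with an empty address and a Delete link before the footer says nothing is blocked; guard the else loop with the same `$blocked_ips_array[0] != ''` test. The first branch's own counter increment is outside this hunk.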
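Review bot: The consolidated `echo` in the snort_rules.php @@ -577 hunk still writes `$sid`, `$protocol`, `$source`, `$source_port`, `$destination`, `$destination_port` and `$message` into the page verbatim; `$message` is cut out of the rule's `msg:"..."` field by `get_middle()` a few lines above, and rule files are downloaded or hand-edited content rather than constants, so this rewrite is the natural place to escape each value, e.g. `htmlspecialchars($message, ENT_QUOTES)` (the `$textss`/`$textse` wrappers presumably are markup and should stay as they are). The markup around the variables is not visible in this view, so check that each value lands in an element-content or quoted-attribute context and escape accordingly. The loop that produces one row per rule starts before this hunk.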
"; + echo " There are $printcounter rules in this category.

"; ?>
-- cgit v1.2.3