. * Copyright (C) 2003-2004 Manuel Kasper . * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2012 Ermal Luci * All rights reserved. * * Modified for the Pfsense snort package v. 1.8+ * Copyright (C) 2009 Robert Zelaya Sr. Developer * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); $snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype']; $supplist = array(); if ($_GET['instance']) $instanceid = $_GET['instance']; if ($_POST['instance']) $instanceid = $_POST['instance']; if (empty($instanceid)) $instanceid = 0; if (!is_array($config['installedpackages']['snortglobal']['rule'])) $config['installedpackages']['snortglobal']['rule'] = array(); $a_instance = &$config['installedpackages']['snortglobal']['rule']; $snort_uuid = $a_instance[$instanceid]['uuid']; $if_real = snort_get_real_interface($a_instance[$instanceid]['interface']); if (is_array($config['installedpackages']['snortglobal']['alertsblocks'])) { $pconfig['arefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['arefresh']; $pconfig['alertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber']; $anentries = $pconfig['alertnumber']; } else { $anentries = '250'; $pconfig['alertnumber'] = '250'; $pconfig['arefresh'] = 'off'; } if ($_POST['save']) { if (!is_array($config['installedpackages']['snortglobal']['alertsblocks'])) $config['installedpackages']['snortglobal']['alertsblocks'] = array(); $config['installedpackages']['snortglobal']['alertsblocks']['arefresh'] = $_POST['arefresh'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['alertsblocks']['alertnumber'] = $_POST['alertnumber']; write_config(); header("Location: /snort/snort_alerts.php?instance={$instanceid}"); exit; } if ($_POST['todelete'] || $_GET['todelete']) { $ip = ""; if($_POST['todelete']) $ip = $_POST['todelete']; else if($_GET['todelete']) $ip = $_GET['todelete']; if (is_ipaddr($ip)) { exec("/sbin/pfctl -t snort2c -T delete {$ip}"); $savemsg = "Host IP address {$ip} has been removed from the Bocked Hosts table."; } } if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { if (empty($_GET['descr'])) $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; else $suppress = "#{$_GET['descr']}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}"; if (!is_array($config['installedpackages']['snortglobal']['suppress'])) $config['installedpackages']['snortglobal']['suppress'] = array(); if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) $config['installedpackages']['snortglobal']['suppress']['item'] = array(); $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; if (empty($a_instance[$instanceid]['suppresslistname']) || $a_instance[$instanceid]['suppresslistname'] == 'default') { $s_list = array(); $s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress"; $s_list['uuid'] = uniqid(); $s_list['descr'] = "Auto-generated list for suppress"; $s_list['suppresspassthru'] = base64_encode($suppress); $a_suppress[] = $s_list; $a_instance[$instanceid]['suppresslistname'] = $s_list['name']; } else { foreach ($a_suppress as $a_id => $alist) { if ($alist['name'] == $a_instance[$instanceid]['suppresslistname']) { if (!empty($alist['suppresspassthru'])) { $tmplist = base64_decode($alist['suppresspassthru']); $tmplist .= "\n{$suppress}"; $alist['suppresspassthru'] = base64_encode($tmplist); $a_suppress[$a_id] = $alist; } } } } $savemsg = "GID:SID '{$_GET['gen_id']}:{$_GET['sidid']}' has been added to the Suppress List."; write_config(); sync_snort_package_config(); } if ($_GET['action'] == "clear" || $_POST['delete']) { conf_mount_rw(); snort_post_delete_logs($snort_uuid); $fd = @fopen("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert", "w+"); if ($fd) fclose($fd); conf_mount_ro(); /* XXX: This is needed is snort is run as snort user */ //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); mwexec('/bin/chmod 660 /var/log/snort/*', true); if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); header("Location: /snort/snort_alerts.php?instance={$instanceid}"); exit; } if ($_POST['download']) { $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_logs_{$save_date}_{$if_real}.tar.gz"; exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort/snort_{$if_real}{$snort_uuid}"); if (file_exists("/tmp/{$file_name}")) { $file = "/tmp/snort_logs_{$save_date}.tar.gz"; header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); header("Pragma: private"); // needed for IE header("Cache-Control: private, must-revalidate"); // needed for IE header('Content-type: application/force-download'); header('Content-Transfer-Encoding: Binary'); header("Content-length: ".filesize($file)); header("Content-disposition: attachment; filename = {$file_name}"); readfile("$file"); @unlink("/tmp/{$file_name}"); } header("Location: /snort/snort_alerts.php?instance={$instanceid}"); exit; } /* Load up an array with the current Suppression List GID,SID values */ $supplist = snort_load_suppress_sigs($a_instance[$instanceid]); $pgtitle = "Services: Snort: Snort Alerts"; include_once("head.inc"); ?> \n"; ?> ' . $pgtitle . '

';} /* Display Alert message */ if ($input_errors) { print_input_errors($input_errors); // TODO: add checks } if ($savemsg) { print_info_box($savemsg); } ?>
  
  
> ', '', '', ''); ?>   ', '', '', ''); ?>
  
/tmp/alert_{$snort_uuid}"); if (file_exists("/tmp/alert_{$snort_uuid}")) { $tmpblocked = array_flip(snort_get_blocked_ips()); $counter = 0; /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ /* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */ $fd = fopen("/tmp/alert_{$snort_uuid}", "r"); while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { if(count($fields) < 11) continue; /* Time */ $alert_time = substr($fields[0], strpos($fields[0], '-')+1, -8); /* Date */ $alert_date = substr($fields[0], 0, strpos($fields[0], '-')); /* Description */ $alert_descr = $fields[4]; $alert_descr_url = urlencode($fields[4]); /* Priority */ $alert_priority = $fields[12]; /* Protocol */ $alert_proto = $fields[5]; /* IP SRC */ $alert_ip_src = $fields[6]; if (isset($tmpblocked[$fields[6]])) { $alert_ip_src .= "
\"Remove"; } /* IP SRC Port */ $alert_src_p = $fields[7]; /* IP Destination */ $alert_ip_dst = $fields[8]; if (isset($tmpblocked[$fields[8]])) { $alert_ip_dst .= "
\"Remove"; } /* IP DST Port */ $alert_dst_p = $fields[9]; /* SID */ $alert_sid_str = "{$fields[1]}:{$fields[2]}"; if (!isset($supplist[$fields[1]][$fields[2]])) { $sidsupplink = ""; $sidsupplink .= ""; } else { $sidsupplink = ""; } $alert_class = $fields[11]; echo "\n"; $counter++; } fclose($fd); @unlink("/tmp/alert_{$snort_uuid}"); } } ?>
{$alert_date}
{$alert_time}
{$alert_priority} {$alert_proto} {$alert_class} {$alert_ip_src} {$alert_src_p} {$alert_ip_dst} {$alert_dst_p} {$alert_sid_str}
{$sidsupplink}
{$alert_descr}