next »

[metalo]

So I was bored, and ripped pieces from the snort alert log to fit into the snort_alerts widget.

This is to my snort logging which is set to Full, I didn't throw in the checks to verify what type of logging you're doing, I figured the author of the widget could finish it up.  I didn't add anything new, just modified this so that it will function.  I hate when things don't function.

You can change the $logent=10; for however many lines of alerts you want I would recommend keeping this small, it's just a widget.  You can see some of the functions I grabbed from /usr/local/www/snort/snort_alerts.php

The below code should replace the widget located in "/usr/local/www/widgets/widgets/snort_alerts.widget.php".

Code:

<?php
/*
    snort_alerts.widget.php
    Copyright (C) 2009 Jim Pingle

    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.

    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
    INClUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGE.

*/

global $config, $g;
$logent=10;

function get_snort_alert_class($fileline)
{
        /* class */
        if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2))
                $alert_class = "$matches2[0]";

        return $alert_class;
}

function get_snort_alert_priority($fileline)
{
        /* Priority */
        if (preg_match('/Priority:\s\d/', $fileline, $matches3))
                $alert_priority = "$matches3[0]";

        return $alert_priority;
}

function get_snort_alert_disc($fileline)
{
        /* disc */
        if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
                $alert_disc =  "$matches[2]";

        return $alert_disc;
}

function get_snort_alert_ip_src($fileline)
{
        /* SRC IP */
        $re1='.*?';   # Non-greedy match on filler
        $re2='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[0
1]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1

        if ($c=preg_match_all ("/".$re1.$re2."/is", $fileline, $matches4))
                $alert_ip_src = $matches4[1][0];

        return $alert_ip_src;
}

function get_snort_alert_ip_dst($fileline)
{
        /* DST IP */
        $re1dp='.*?';   # Non-greedy match on filler
        $re2dp='(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])';   # Uninteresting: ipaddress
        $re3dp='.*?';   # Non-greedy match on filler
        $re4dp='((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])'; # IPv4 IP Address 1

        if ($c=preg_match_all ("/".$re1dp.$re2dp.$re3dp.$re4dp."/is", $fileline, $matches6
))
                $alert_ip_dst = $matches6[1][0];

        return $alert_ip_dst;
}

function get_snort_alert_date($fileline)
{
        /* date full date \d+\/\d+-\d+:\d+:\d+\.\d+\s */
        if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1))
                $alert_date =  "$matches1[0]";

        return $alert_date;
}

?>

<table width="100%" border="0" cellspacing="0" cellpadding="0">
        <tbody>
                <tr class="snort-alert-header">
                  <td width="30%" class="widgetsubheader" >Date-Time</td>
                        <td width="40%" class="widgetsubheader">Src/Dst</td>
                        <td width="40%" class="widgetsubheader">Details</td>
                </tr>
<?php

$alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert'))));

             if (is_array($alerts_array)) {

                        $counter = 0;
                        foreach($alerts_array as $fileline)
                        {
                                if($logent <= $counter)
                                continue;

                                $counter++;

                                /* Date */
                                $alert_date_str = get_snort_alert_date($fileline);

                                if($alert_date_str != '')
                                {
                                        $alert_date = $alert_date_str;
                                }else{
                                        $alert_date = '';
                                }

                                /* Discription */
                                $alert_disc_str = get_snort_alert_disc($fileline);

                                if($alert_disc_str != '')
                                {
                                        $alert_disc = $alert_disc_str;
                                }else{
                                        $alert_disc = 'empty';
                                }

                                /* Classification */
                                $alert_class_str = get_snort_alert_class($fileline);

                                if($alert_class_str != '')
                                {

                                        $alert_class_match = array('[Classification:',']');
                                        $alert_class = str_replace($alert_class_match, '', "$alert_class_str");
                                }else{
                                        $alert_class = 'Prep';
                                }

                                /* Priority */
                                $alert_priority_str = get_snort_alert_priority($fileline);

                                if($alert_priority_str != '')
                                {
                                        $alert_priority_match = array('Priority: ',']');
                                        $alert_priority = str_replace($alert_priority_match, '', "$alert_priority_str");
                                }else{
                                        $alert_priority = '';
                                }

                                /* IP SRC */
                                $alert_ip_src_str = get_snort_alert_ip_src($fileline);

                                if($alert_ip_src_str != '')
                                {
                                        $alert_ip_src = $alert_ip_src_str;
                                }else{
                                        $alert_ip_src = '';
                                }

                                /* IP Destination */
                                $alert_ip_dst_str = get_snort_alert_ip_dst($fileline);

                                if($alert_ip_dst_str != '')
                                {
                                        $alert_ip_dst = $alert_ip_dst_str;
                                }else{
                                        $alert_ip_dst = 'unk';
                                }
        //      echo $activerow;
         if ($alert_disc != 'empty')
                {

                echo "<tr class=\"snort-alert-entry\" id=\"snort-firstrow\"> \n";
                echo "<td width=\"30%\" class=\"listr\">{$alert_date}<br></td>
                        <td width=\"40%\" class=\"listr\">{$alert_ip_src}<br>{$alert_ip_dst}</td>
                        <td width=\"40%\" class=\"listr\">Pri: {$alert_priority}<br>Cat: {$alert_class}</td>
                </tr>";
                }
        }
        }
?>
        </tbody>
</table>

[Cino]

nice work!! One thing I would add, is a function to check the log every 10-30 seconds for updates. This way you don't have to refresh the page..

[marcelloc]

nice work!! One thing I would add, is a function to check the log every 10-30 seconds for updates. This way you don't have to refresh the page..

varnish, postfix and maiscanner widget has this ajax to reload page.

Just note that all must be unique name function as they will be on same dashboard page.


metalo,

read this topic to see the best way to push fixes and updates  

http://forum.pfsense.org/index.php/topic,45379.msg236713.html#msg236713

[sekular]

Thanks for doing this. I tried to do it myself but I was unsuccessful.

[ermal]

I just put simple fixes to the widget code.
Not imported your code at all actually but it should work ok the widget now with previous code.

[Cino]

@ermal I installed updated package and it doesn't seem to update with the alert log.. refreshing the page doesn't show the log. Just a wild guess but snort_alerts.widget.php doesn't have anything that references the other files. almost thinking it needs a couple of include/require statements in there.... i really should just break down and attempt to learn php.. I can do almost everything in IT/Telecom except program

[marcelloc]

I really should just break down and attempt to learn php..

You have no idea how far you can go as a sysadmin and a coder.

[metalo]

@ermal I installed updated package and it doesn't seem to update with the alert log.. refreshing the page doesn't show the log. Just a wild guess but snort_alerts.widget.php doesn't have anything that references the other files. almost thinking it needs a couple of include/require statements in there.... i really should just break down and attempt to learn php.. I can do almost everything in IT/Telecom except program

Yeah I noticed the same thing.  The original author didn't reference the alert log file so I was confused how in the world he was not only parsing the data but retrieving the data.

Soooo I just ripped out some functions to do that within the widget.

[digdug3]

  Thanks! Just replaced the code and the widget is now working with the FULL snort log!

[sekular]

I have changed the code as described but for some reason I get two snort alert widgets after pressing save settings after adding the widget. Any idea why?