
Topic: Snort Widget, works now


Offline metalo

Snort Widget, works now
« on: January 23, 2012, 11:01:05 pm »
So I was bored, and ripped pieces from the snort alert log to fit into the snort_alerts widget.

This is for my snort logging, which is set to Full. I didn't throw in the checks to verify what type of logging you're doing; I figured the author of the widget could finish it up.  I didn't add anything new, just modified this so that it will function.  I hate when things don't function.

You can change the $logent=10; to however many lines of alerts you want. I would recommend keeping this small; it's just a widget.  You can see some of the functions I grabbed from /usr/local/www/snort/snort_alerts.php.

The below code should replace the widget located in "/usr/local/www/widgets/widgets/snort_alerts.widget.php".



<?php
/*
    snort_alerts.widget.php
    Copyright (C) 2009 Jim Pingle

    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.

    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGE.

*/

global $config, $g;
/* Number of alert entries to show; keep this small, it is only a widget. */
$logent = 10;

function get_snort_alert_class($fileline)
{
    /* class: "[Classification: ...]" from the second line of a full-format alert */
    $alert_class = '';
    if (preg_match('/\[Classification:\s.+[^\d]\]/', $fileline, $matches2))
        $alert_class = "$matches2[0]";

    return $alert_class;
}

function get_snort_alert_priority($fileline)
{
    /* Priority: "Priority: N" */
    $alert_priority = '';
    if (preg_match('/Priority:\s\d/', $fileline, $matches3))
        $alert_priority = "$matches3[0]";

    return $alert_priority;
}

function get_snort_alert_disc($fileline)
{
    /* disc: rule message between "[**] [gid:sid:rev]" and the closing "[**]" */
    $alert_disc = '';
    if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
        $alert_disc = "$matches[2]";

    return $alert_disc;
}

function get_snort_alert_ip_src($fileline)
{
    /* SRC IP: first dotted-quad in the entry */
    $alert_ip_src = '';
    $re1 = '.*?';   # Non-greedy match on filler
    $re2 = '((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])';   # IPv4 IP Address 1

    if ($c = preg_match_all("/" . $re1 . $re2 . "/is", $fileline, $matches4))
        $alert_ip_src = $matches4[1][0];

    return $alert_ip_src;
}

function get_snort_alert_ip_dst($fileline)
{
    /* DST IP: second dotted-quad in the entry (the first one is skipped, not captured) */
    $alert_ip_dst = '';
    $re1dp = '.*?';   # Non-greedy match on filler
    $re2dp = '(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?![\\d])';   # Uninteresting: ipaddress
    $re3dp = '.*?';   # Non-greedy match on filler
    $re4dp = '((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))(?![\\d])';   # IPv4 IP Address 1

    if ($c = preg_match_all("/" . $re1dp . $re2dp . $re3dp . $re4dp . "/is", $fileline, $matches6))
        $alert_ip_dst = $matches6[1][0];

    return $alert_ip_dst;
}

function get_snort_alert_date($fileline)
{
    /* date: full date is \d+\/\d+-\d+:\d+:\d+\.\d+\s, microseconds are dropped */
    $alert_date = '';
    if (preg_match("/\d+\/\d+-\d+:\d+:\d\d/", $fileline, $matches1))
        $alert_date = "$matches1[0]";

    return $alert_date;
}

?>


<table width="100%" border="0" cellspacing="0" cellpadding="0">
        <tbody>
                <tr class="snort-alert-header">
                        <td width="30%" class="widgetsubheader">Date-Time</td>
                        <td width="40%" class="widgetsubheader">Src/Dst</td>
                        <td width="40%" class="widgetsubheader">Details</td>
                </tr>
<?php

/* Full-format alerts are separated by a blank line; newest entries come last, so reverse. */
$alerts_array = array_reverse(array_filter(explode("\n\n", file_get_contents('/var/log/snort/alert'))));

if (is_array($alerts_array)) {

    $counter = 0;
    foreach ($alerts_array as $fileline) {
        if ($logent <= $counter)
            continue;

        $counter++;

        /* Date */
        $alert_date_str = get_snort_alert_date($fileline);
        $alert_date = ($alert_date_str != '') ? $alert_date_str : '';

        /* Description */
        $alert_disc_str = get_snort_alert_disc($fileline);
        $alert_disc = ($alert_disc_str != '') ? $alert_disc_str : 'empty';

        /* Classification */
        $alert_class_str = get_snort_alert_class($fileline);
        if ($alert_class_str != '') {
            $alert_class_match = array('[Classification:', ']');
            $alert_class = str_replace($alert_class_match, '', "$alert_class_str");
        } else {
            $alert_class = 'Prep';
        }

        /* Priority */
        $alert_priority_str = get_snort_alert_priority($fileline);
        if ($alert_priority_str != '') {
            $alert_priority_match = array('Priority: ', ']');
            $alert_priority = str_replace($alert_priority_match, '', "$alert_priority_str");
        } else {
            $alert_priority = '';
        }

        /* IP SRC */
        $alert_ip_src_str = get_snort_alert_ip_src($fileline);
        $alert_ip_src = ($alert_ip_src_str != '') ? $alert_ip_src_str : '';

        /* IP Destination */
        $alert_ip_dst_str = get_snort_alert_ip_dst($fileline);
        $alert_ip_dst = ($alert_ip_dst_str != '') ? $alert_ip_dst_str : 'unk';

//      echo $activerow;
        /* Entries without a rule message line (e.g. a trailing fragment) are not shown. */
        if ($alert_disc != 'empty') {
            echo "<tr class=\"snort-alert-entry\" id=\"snort-firstrow\"> \n";
            echo "<td width=\"30%\" class=\"listr\">{$alert_date}<br></td>
                        <td width=\"40%\" class=\"listr\">{$alert_ip_src}<br>{$alert_ip_dst}</td>
                        <td width=\"40%\" class=\"listr\">Pri: {$alert_priority}<br>Cat: {$alert_class}</td>
                </tr>";
        }
    }
}
?>

        </tbody>
</table>
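As an added example (not the widget's code and not part of the original post), here is the same field extraction re-implemented in Python and run over a constructed two-entry sample of Snort's full-format alert log, so the regexes and the "newest $logent entries" logic can be checked offline; it also HTML-escapes each field before building a table row, which the widget's echo does not do.

```python
import re
from html import escape

# Constructed sample of two Snort "full" alert entries (not a real capture):
# blank-line separated, in the layout the widget's regexes expect.
SAMPLE_ALERT_LOG = """[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/23-22:40:11.123456 192.168.1.10:80 -> 10.0.0.5:52345
TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:52 DF

[**] [1:2003068:6] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/23-22:41:03.000001 203.0.113.9:41234 -> 10.0.0.5:22
TCP TTL:50 TOS:0x0 ID:3456 IpLen:20 DgmLen:60 DF
"""
# Same dotted-quad pattern as the widget, with the trailing (?!\d) guard.
IPV4 = r"((?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?))(?!\d)"
DESC_RE = re.compile(r"\[\*\*\] (\[.*\]) (.*) \[\*\*\]")   # rule message line
CLASS_RE = re.compile(r"\[Classification: ([^\]]+)\]")
PRIO_RE = re.compile(r"Priority: (\d)")
DATE_RE = re.compile(r"\d+/\d+-\d+:\d+:\d\d")              # microseconds dropped
IPS_RE = re.compile(IPV4 + r".*?" + IPV4, re.S)            # src, then dst

def parse_entry(entry):
    """Pull the fields the widget displays out of one alert entry."""
    desc = DESC_RE.search(entry)
    if desc is None:            # the widget skips entries with no rule line
        return None
    cls, prio = CLASS_RE.search(entry), PRIO_RE.search(entry)
    date, ips = DATE_RE.search(entry), IPS_RE.search(entry)
    return {
        "date": date.group(0) if date else "",
        "desc": desc.group(2),
        "class": cls.group(1) if cls else "Prep",   # widget's fallback values
        "priority": prio.group(1) if prio else "",
        "src": ips.group(1) if ips else "",
        "dst": ips.group(2) if ips else "unk",
    }

def parse_snort_alerts(text, logent=10):
    """Newest entries first, at most `logent` of them, like the widget loop."""
    entries = [e for e in text.split("\n\n") if e.strip()]
    newest = list(reversed(entries))[:logent]
    return [p for p in (parse_entry(e) for e in newest) if p is not None]

def render_row(alert):
    """Escape every field: log text must not be echoed into the page raw."""
    cells = "".join("<td>%s</td>" % escape(str(v)) for v in alert.values())
    return "<tr class=\"snort-alert-entry\">%s</tr>" % cells
```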





Offline Cino

Re: Snort Widget, works now
« Reply #1 on: January 24, 2012, 05:36:11 am »
nice work!! One thing I would add is a function to check the log every 10-30 seconds for updates. This way you don't have to refresh the page.
« Last Edit: January 24, 2012, 06:29:15 am by Cino »

Offline marcelloc

Re: Snort Widget, works now
« Reply #2 on: January 24, 2012, 07:01:25 am »
> nice work!! One thing I would add is a function to check the log every 10-30 seconds for updates. This way you don't have to refresh the page.

The varnish, postfix and mailscanner widgets have this ajax to reload the page.

Just note that all function names must be unique, as they will be on the same dashboard page.


metalo,

read this topic to see the best way to push fixes and updates  ;)

http://forum.pfsense.org/index.php/topic,45379.msg236713.html#msg236713
« Last Edit: January 24, 2012, 07:03:27 am by marcelloc »

Offline sekular

Re: Snort Widget, works now
« Reply #3 on: January 26, 2012, 10:12:08 am »
Thanks for doing this. I tried to do it myself but I was unsuccessful.

Offline ermal

Re: Snort Widget, works now
« Reply #4 on: January 27, 2012, 04:31:14 pm »
I just put simple fixes into the widget code.
I did not import your code at all, actually, but the widget should work OK now with the previous code.

Offline Cino

Re: Snort Widget, works now
« Reply #5 on: January 27, 2012, 07:30:14 pm »
@ermal I installed the updated package and it doesn't seem to update with the alert log. Refreshing the page doesn't show the log. Just a wild guess, but snort_alerts.widget.php doesn't have anything that references the other files; I'm almost thinking it needs a couple of include/require statements in there. I really should just break down and attempt to learn PHP. I can do almost everything in IT/Telecom except program.
« Last Edit: January 27, 2012, 07:32:55 pm by Cino »

Offline marcelloc

Re: Snort Widget, works now
« Reply #6 on: January 27, 2012, 07:38:38 pm »
> I really should just break down and attempt to learn PHP.


You have no idea how far you can go as a sysadmin and a coder.


Offline metalo

Re: Snort Widget, works now
« Reply #7 on: January 27, 2012, 10:10:47 pm »
> @ermal I installed the updated package and it doesn't seem to update with the alert log. Refreshing the page doesn't show the log. Just a wild guess, but snort_alerts.widget.php doesn't have anything that references the other files; I'm almost thinking it needs a couple of include/require statements in there. I really should just break down and attempt to learn PHP. I can do almost everything in IT/Telecom except program.

Yeah, I noticed the same thing.  The original author didn't reference the alert log file, so I was confused how in the world he was not only parsing the data but retrieving it.

Soooo I just ripped out some functions to do that within the widget.

Offline digdug3

Re: Snort Widget, works now
« Reply #8 on: January 28, 2012, 03:50:57 am »
;D Thanks! Just replaced the code and the widget is now working with the FULL snort log!

Offline sekular

Re: Snort Widget, works now
« Reply #9 on: February 25, 2012, 09:25:39 am »
I have changed the code as described, but for some reason I get two snort alert widgets after pressing Save Settings after adding the widget. Any idea why?