
    Snort 2.9.2.3 pkg v. 2.2.2 - No Alert Description

      10101000

      Hello,

      Please give this patch a try. I haven't tested it anywhere but my own system so as usual, USE AT YOUR OWN RISK. For patching information, please read: http://doc.pfsense.org/index.php/System_Patches. This should work with or without the "Ignore Whitespace" option enabled. Use 0 for "Path Strip Count" and /usr/local/www/snort/ for "Base Directory". Let me know if you find any problems.

      UPDATE: Fixed a bug with $blocked_ips_array:

      --- /usr/local/www/snort/snort_blocked.php.broken	2012-07-07 21:54:14.000000000 -0600
      +++ /usr/local/www/snort/snort_blocked.php	2012-07-08 03:38:13.000000000 -0600
      @@ -39,6 +39,7 @@
      
       $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
       $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
      +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype'];
      
       if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0')
       	$bnentries = '500';
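Review bot: The added `$pconfig['snortalertlogtype']` line copies the config value with no default, and the -282 hunk later tests it with `== 'full'`; if the key is absent the line-oriented `file()` branch is taken silently, something the removed unconditional `"\n\n"` split never did. Because the old code always parsed the full format, keeping that as the default is the backward-compatible choice, e.g. `$pconfig['snortalertlogtype'] = isset($config['installedpackages']['snortglobal']['snortalertlogtype']) ? $config['installedpackages']['snortglobal']['snortalertlogtype'] : 'full';`. The same line appears unchanged in the original patch's -39 hunk further down the post.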
      @@ -69,7 +70,7 @@
       	exec('/bin/mkdir /tmp/snort_blocked');
       	exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.pf');
      
      -	$blocked_ips_array_save = str_replace('   ', '', explode("\n", file_get_contents('/tmp/snort_block.pf')));
      +	$blocked_ips_array_save = preg_replace("\s+", '', file('/tmp/snort_block.pf'));
      
       	if ($blocked_ips_array_save[0] != '') {
       		/* build the list */
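Review bot: The pattern in `preg_replace("\s+", '', file('/tmp/snort_block.pf'))` has no delimiters, unlike the `"/\s+/"` used for the same job in the -282 hunk, so PHP rejects it with a "Delimiter must not be alphanumeric or backslash" warning and the call returns null; the `$blocked_ips_array_save[0] != ''` test on the next line then never sees an address and the list is never built. The line should read `$blocked_ips_array_save = preg_replace("/\s+/", '', file('/tmp/snort_block.pf'));`. `file()` also returns false when the file cannot be read, and the preceding `exec` gives no indication that the pfctl redirect failed, so the result should be checked before it is treated as an array. The enclosing block starts and ends outside the hunk.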
      @@ -131,7 +132,7 @@
       function get_snort_alert_disc($fileline)
       {
       	/* disc */
      -	if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
      +	if (preg_match("/\[\*\*\]\s+(\[[0-9:]+\])\s+(.+)\s+(\[\*\*\])/", $fileline, $matches))
       		$alert_disc =  "$matches[2]";
      
       	return $alert_disc;
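Review bot: `$alert_disc` is assigned only when the new regex matches, so for any line that does not match the function returns an undefined variable (null, with a notice); initialise it before the `preg_match`, e.g. `$alert_disc = '';`. The new pattern does match the `[**] [1:2002157:10] ET POLICY … [**]` header lines shown later in the thread; whether the greedy `(.+)` stops at the intended `[**]` on a `file()`-split fast-format line is not visible here and is worth checking against that format too. The closing brace of `get_snort_alert_disc` is outside the hunk, and the same change is in the original patch's -131 hunk.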
      @@ -282,27 +283,31 @@
      
       				/* set the arrays */
       				exec('/sbin/pfctl -t snort2c -T show > /tmp/snort_block.cache');
      -				$blocked_ips_array = explode("\n", str_replace('   ', '', file_get_contents('/tmp/snort_block.cache')));
      +				$blocked_ips_array = preg_replace("/\s+/", '', file('/tmp/snort_block.cache'));
       			if (!empty($blocked_ips_array)) {
       				$input = array();
       				$alert_ip_src_array = array();
       				foreach (glob("/var/log/snort/*/alert") as $alert) {
      -					$alerts_array = array_reverse(explode("\n\n", file_get_contents($alert)));
      -					if (!empty($alerts_array[0])) {
      +					if ($pconfig['snortalertlogtype'] == 'full') {
      +						$alerts_array = array_reverse(explode("\n\n", file_get_contents($alert)));
      +					} else {
      +						$alerts_array = array_reverse(file($alert));
      +					}
      +					if (!empty($alerts_array)) {
       						/* build the list and compare blocks to alerts */
       						$counter = 0;
       						foreach($alerts_array as $fileline) {
      +							if (!empty($fileline)) {
      +								$counter++;
      
      -							$counter++;
      -
      -							$alert_ip_src =  get_snort_alert_ip_src($fileline);
      -							$alert_ip_disc = get_snort_alert_disc($fileline);
      -							$alert_ip_src_array[] = get_snort_alert_ip_src($fileline);
      -
      -							if (in_array("$alert_ip_src", $blocked_ips_array))
      -								$input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n";
      +								$alert_ip_src =  get_snort_alert_ip_src($fileline);
      +								$alert_ip_disc = get_snort_alert_disc($fileline);
      +								$alert_ip_src_array[] = get_snort_alert_ip_src($fileline);
      +
      +								if (in_array("$alert_ip_src", $blocked_ips_array))
      +										$input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n";
      +							}
       						}
      -
       					}
       				}
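Review bot: `get_snort_alert_ip_src($fileline)` is called twice per line in the new block, once to set `$alert_ip_src` and again to append to `$alert_ip_src_array`; the second call should reuse the value, `$alert_ip_src_array[] = $alert_ip_src;`. The membership test `in_array("$alert_ip_src", $blocked_ips_array)` is a loose comparison; since both sides are plain strings from the log and from `preg_replace`, pass `true` as the third argument so the block list is matched exactly. In the non-full branch `file($alert)` keeps the trailing newline on every element — whether that reaches `get_snort_alert_ip_src` matters depends on that helper, which is not in the hunk — and `file($alert, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)` would hand it clean lines and make the `!empty($fileline)` guard largely redundant. The enclosing function and the outer loop begin and end outside the hunk; the original patch's -287 hunk has the same shape.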
      
      

      Original patch:

      --- /usr/local/www/snort/snort_blocked.php.broken	2012-07-07 21:54:14.000000000 -0600
      +++ /usr/local/www/snort/snort_blocked.php	2012-07-07 22:46:54.000000000 -0600
      @@ -39,6 +39,7 @@
      
       $pconfig['brefresh'] = $config['installedpackages']['snortglobal']['alertsblocks']['brefresh'];
       $pconfig['blertnumber'] = $config['installedpackages']['snortglobal']['alertsblocks']['blertnumber'];
      +$pconfig['snortalertlogtype'] = $config['installedpackages']['snortglobal']['snortalertlogtype'];
      
       if ($pconfig['blertnumber'] == '' || $pconfig['blertnumber'] == '0')
       	$bnentries = '500';
      @@ -131,7 +132,7 @@
       function get_snort_alert_disc($fileline)
       {
       	/* disc */
      -	if (preg_match("/\[\*\*\] (\[.*\]) (.*) (\[\*\*\])/", $fileline, $matches))
      +	if (preg_match("/\[\*\*\]\s+(\[[0-9:]+\])\s+(.+)\s+(\[\*\*\])/", $fileline, $matches))
       		$alert_disc =  "$matches[2]";
      
       	return $alert_disc;
      @@ -287,22 +288,26 @@
       				$input = array();
       				$alert_ip_src_array = array();
       				foreach (glob("/var/log/snort/*/alert") as $alert) {
      -					$alerts_array = array_reverse(explode("\n\n", file_get_contents($alert)));
      -					if (!empty($alerts_array[0])) {
      +					if ($pconfig['snortalertlogtype'] == 'full') {
      +						$alerts_array = array_reverse(explode("\n\n", file_get_contents($alert)));
      +					} else {
      +						$alerts_array = array_reverse(file($alert));
      +					}
      +					if (!empty($alerts_array)) {
       						/* build the list and compare blocks to alerts */
       						$counter = 0;
       						foreach($alerts_array as $fileline) {
      +							if (!empty($fileline)) {
      +								$counter++;
      
      -							$counter++;
      -
      -							$alert_ip_src =  get_snort_alert_ip_src($fileline);
      -							$alert_ip_disc = get_snort_alert_disc($fileline);
      -							$alert_ip_src_array[] = get_snort_alert_ip_src($fileline);
      -
      -							if (in_array("$alert_ip_src", $blocked_ips_array))
      -								$input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n";
      +								$alert_ip_src =  get_snort_alert_ip_src($fileline);
      +								$alert_ip_disc = get_snort_alert_disc($fileline);
      +								$alert_ip_src_array[] = get_snort_alert_ip_src($fileline);
      +
      +								if (in_array("$alert_ip_src", $blocked_ips_array))
      +										$input[] = "[$alert_ip_src] " . "[$alert_ip_disc]\n";
      +							}
       						}
      -
       					}
       				}
      
      

      Sincerely,

      10101000

        chowtamah

        Thanks, I will try this patch and will come back.

        2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

        Always trying to learn!!

          10101000

          Please note that I've updated the patch to fix a bug. See post: 273828.

          Thanks

            Fesoj

            A8,

            thanks for the patch. I've installed System: Patches, but testing your patch gives

            Patch can be applied cleanly

            which is good, but

            Patch can NOT be reverted cleanly

            which is probably bad. The details are:

            Output of full patch revert test:
            /usr/bin/patch --directory=/usr/local/www/snort/ -f -p0 -i /var/patches/4ff962e6d4837.patch --check --reverse

            Hmm...  Looks like a unified diff to me...
            The text leading up to this was:

            --- /usr/local/www/snort/snort_blocked.php.broken 2012-07-07 21:54:14.000000000 -0600

            +++ /usr/local/www/snort/snort_blocked.php 2012-07-08 03:38:13.000000000 -0600
            Patching file /usr/local/www/snort/snort_blocked.php using Plan A...
            Hunk #1 failed at 39.
            Hunk #2 failed at 69.
            Hunk #3 failed at 131.
            Hunk #4 failed at 282.
            4 out of 4 hunks failed--saving rejects to /usr/local/www/snort/snort_blocked.php.rej
            done

            Do I need to worry about this?

              Cino

              Gave it try this morning and its working for me. Thanks!

                Cino

                @Fesoj You don't need to worry about that because you didn't apply the patch. Once you apply it, it will be the other way around.

                  Fesoj

                  Cino,

                  thanks for the info — I just didn't want to run into more problems. Of course, deleting and reinstalling the package also doesn't take too much time.

                  The patch works for me  as well. :)

                    chowtamah

                    Fesoj, could this patch be included in the next snort release?

                    2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

                    Always trying to learn!!

                      Fesoj

                      It's not up to me to decide that. A8's patch seems to work, so it should be included to get the alert descriptions.

                      Unfortunately there is more to do to get snort running smoothly again. I am currently taking a crash course (coming from C/C++) on php in order to take care of some of the more peripheral issues myself and slowly learn more about the package. I have also started to set up a test environment for more experiments…

                      Maybe the ioctl error is currently the most severe problem. I cannot repeat it reliably yet, and it sometimes seems to be associated with a total freeze of the interface (so you can no longer log into the box, but existing connections are not affected).

                        dwood

                        installed 2.2.4 and added this patch.

                        Alert description have returned :-)  Thank you for your efforts.

                        Cheers,
                        Dennis

                          dwood

                          This patch on 2.2.4 (clean install, AMD64, 2.01) worked for me.

                          Descriptions in blocked IPs are back :-)  Thanks again and as always for your efforts guys.

                          Cheers,
                          Dennis.

                            chowtamah

                            Today reinstalled Snort 2.9.2.3 pkg v. 2.2.4,

                            In Blocked tab, Alert description still shows N/A.
                            But in Alerts tab, alerts are showing up.

                            In Alerts tab, If I select Wan or Lan from the Instance to inspect, nothing shows up. If I click 'Alerts' tab again, list comes back.

                            I didn't try the patch, as I could not install the System Patches package due to a repository error. It shows, 'Unable to retrieve package info from www.pfsense.com. Cached data will be used.'

                            2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

                            Always trying to learn!!

                              Fesoj

                              You do need the System Patches (or do a manual merge ;D).
                              I installed the package yesterday and all went well — maybe it is a temporary problem.
                              The GUI Alert portion of the snort package still needs work. As described somewhere else in this forum, the php code that distinguishes the selected snort interface is incomplete.

                                _igor_

                                Applied the patch on v2.2.4 of snort and got back descriptions. Great work!!! Thx! :)

                                  10101000

                                  @chowtamah:

                                  Today reinstalled Snort 2.9.2.3 pkg v. 2.2.4,

                                  In Blocked tab, Alert description still shows N/A.
                                  But in Alerts tab, alerts are showing up.

                                  In Alerts tab, If I select Wan or Lan from the Instance to inspect, nothing shows up. If I click 'Alerts' tab again, list comes back.

                                  I didn't try the patch, as I could not install the System Patches package due to a repository error. It shows, 'Unable to retrieve package info from www.pfsense.com. Cached data will be used.'

                                  Chowtamah,

                                  Actually you can apply the patch from a terminal session. For this I've attached snort_blocked_patch.txt. To test that the patch is successful run:

                                  patch -C -p0 -i snort_blocked_patch.txt
                                  

                                  If no errors are output, perform the actual patch:

                                  patch -p0 -i snort_blocked_patch.txt
                                  

                                  I am happy to hear that this is working for most.

                                  Thanks

                                  snort_blocked_patch.txt

                                    eri--

                                    I merged your regex into the 2.3.0 so please test if it fixes.

                                      fragged

                                      It seems like the Alert Descriptions changed from N/A to nothing. Also I'm now unable to save my suppression list. It just returns to the same form with no input in any of the fields.

                                        eri--

                                        Could a few different people post a small part of their alert files?
                                        They are in /var/log/snort*

                                          chowtamah

                                          Thanks to 10101000, Fesoj and ermal for all your efforts.

                                          I will test snort 2.3.0 and raise issues in cino's thread.

                                          2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

                                          Always trying to learn!!

                                            fragged

                                            Alert Descriptions are shown on the alerts page, but not on blocked.

                                            From /var/log/snort/snort_em033213/alert

                                            
                                            [**] [1:2002157:10] ET POLICY Skype User-Agent detected [**]
                                            [Classification: Potential Corporate Privacy Violation] [Priority: 1] 
                                            07/10-05:26:57.360499 MYIP:47603 -> 204.9.163.247:80
                                            TCP TTL:50 TOS:0x0 ID:31437 IpLen:20 DgmLen:542 DF
                                            ***A**** Seq: 0x26B83575  Ack: 0x7AAE8D12  Win: 0x1FFE  TcpLen: 20
                                            [Xref => http://doc.emergingthreats.net/2002157]
                                            
                                            [**] [1:2002157:10] ET POLICY Skype User-Agent detected [**]
                                            [Classification: Potential Corporate Privacy Violation] [Priority: 1] 
                                            07/10-05:26:57.597973 MYIP:14580 -> 78.141.177.158:80
                                            TCP TTL:52 TOS:0x0 ID:13728 IpLen:20 DgmLen:538 DF
                                            ***AP*** Seq: 0xB70BDB31  Ack: 0x989F230F  Win: 0x1FFE  TcpLen: 20
                                            [Xref => http://doc.emergingthreats.net/2002157]
                                            
                                            [**] [1:2002157:10] ET POLICY Skype User-Agent detected [**]
                                            [Classification: Potential Corporate Privacy Violation] [Priority: 1] 
                                            07/10-05:26:57.747503 MYIP:62744 -> 92.122.50.146:80
                                            TCP TTL:55 TOS:0x0 ID:57600 IpLen:20 DgmLen:570 DF
                                            ***A**** Seq: 0x9C4E1C36  Ack: 0x4B26A476  Win: 0x3CC0  TcpLen: 32
                                            [Xref => http://doc.emergingthreats.net/2002157]
                                            
                                            [**] [1:2406417:287] ET RBN Known Russian Business Network IP UDP (209) [**]
                                            [Classification: Misc Attack] [Priority: 2] 
                                            07/10-05:27:01.426947 46.21.146.190:51413 -> MYIP:64284
                                            UDP TTL:52 TOS:0x0 ID:0 IpLen:20 DgmLen:58 DF
                                            Len: 30
                                            [Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]
                                            
                                            [**] [1:2406823:287] ET RBN Known Russian Business Network IP UDP (412) [**]
                                            [Classification: Misc Attack] [Priority: 2] 
                                            07/10-05:27:14.971087 89.248.163.5:53340 -> MYIP:60685
                                            UDP TTL:117 TOS:0x0 ID:6851 IpLen:20 DgmLen:58
                                            Len: 30
                                            [Xref => http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork]
                                            
                                            [**] [1:2520104:1165] ET TOR Known Tor Exit Node TCP Traffic (53) [**]
                                            [Classification: Misc Attack] [Priority: 2] 
                                            07/10-05:28:31.199256 77.247.181.165:50103 -> MYIP:64284
                                            TCP TTL:50 TOS:0x0 ID:48027 IpLen:20 DgmLen:52 DF
                                            ******S* Seq: 0x85AA7429  Ack: 0x0  Win: 0x16D0  TcpLen: 32
                                            TCP Options (6) => MSS: 1460 NOP NOP SackOK NOP WS: 10 
                                            [Xref => http://doc.emergingthreats.net/bin/view/Main/TorRules]
                                            
                                            