Dashboard 0.8.3 and Beyond, "Easy Rule" & FW Log Summary Graphs


  • Rebel Alliance Developer Netgate

    I just committed a new Dashboard package, 0.8.0. Ironically, there are very few actual changes to the dashboard, but the other things that were changed could really use some testing and feedback.

    I would like to have created a separate package for some other work, but it depends too heavily on things I have included in the dashboard to separate it out.

    Without further ado, here's the rundown:

    Introducing Easy Rule - Add rules easily from the Firewall Logs screen (See here)

    • Pass rules on a given interface/protocol, from source IP to the local IP:port.
    • Blocking a given IP adds it to a Block Alias for a given interface.
    • Confirmation is required before a rule is added.
      Diagnostics > DNS backported from 2.0
    • Simple DNS lookup using PHP's dns functions.
    • If an IP is given (or found), also links to some online IP lookup sites.
      Filter log view changes
    • Icon for using the DNS page to resolve an IP.
    • Tooltip on the src/dst port tries to lookup relevant /etc/services entry.

    If you want to try the Easy Rule stuff, it's worked great for me, but it would be a good idea to make backups first, as always!



  • will some of this get commited to 2.0?
    that would be cool


  • Rebel Alliance Developer Netgate

    @grandrivers:

    will some of this get commited to 2.0?
    that would be cool

    That's on my to-do list. I'm hoping the backend stuff isn't all that different, but I haven't looked at it too deeply.


  • Rebel Alliance Developer Netgate

    Just pushed Dashboard 0.8.2 with a couple exciting new features.

    #1: Firewall Log Summary Graphs - very cool :)

    #2: Firewall Log filtering - There is a text box at the bottom of the firewall log that may be used to filter the results



  • Great work Jimp!

    Loving all the improvements and added features.


  • Rebel Alliance Developer Netgate

    I put up 0.8.3 last night, main thing is just a bug fix for the summary graphs but it was a big one, the data sets weren't being populated properly, so the graphs were wildly incorrect.

    Should be OK now.


  • Rebel Alliance Developer Netgate

    @grandrivers:

    will some of this get commited to 2.0?
    that would be cool

    FYI, this should all be in 2.0 now. I checked it in over the weekend.



  • jimp,

    One of the main futures I use from the dashboard is the Snort alert widget.
    The login from snort change in the last build and broke the ability of the dashboard snort widgets to work.

    Can you look in to it?

    Thank You!


  • Rebel Alliance Developer Netgate

    I'll see what I can do, but it may be a while before I can get to this. I don't know that I have snort up and running on any of my testing systems.

    Do the alerts not show up at all?

    Hopefully it's just something simple like the path to the log file changing…



  • Actually is just a new option that Snort has… If you enable Full login it will fully change the way it logs...
    Here is an example:

    The new way:

    [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] 
    [ Classification: Executable code was detected ] [ Priority: 1 ] 
    06/09-17:53:02.354113 76.13.218.11:80 -> 98.199.248.92:46980
    TCP TTL:49 TOS:0x20 ID:63898 IpLen:20 DgmLen:1053 DF
    AP Seq: 0x89245C0C Ack: 0xB5E7090E Win: 0x2DA0 TcpLen: 20

    The old way:

    06/09-18:07:07.870063 [ ** ] [ 1:1394:10 ] SHELLCODE x86 inc ecx NOOP [ ** ] [ Classification: Executable code was detected ] [ Priority: 1 ] {TCP} 76.13.222.11:80 -> 98.199.248.92:18772

    But I did not notice that it was enabling the full login that broke it… I got it working again by disabling the full login option.

    Thanks!


  • Rebel Alliance Developer Netgate

    Probably best to leave things as they are then, rather than try to write up two different log parsers. As long as that solution is documented somewhere it should work out.



  • @serialdie:

    But I did not notice that it was enabling the full login that broke it… I got it working again by disabling the full login option.

    Thanks!

    Where is the option to disable that option?????



  • Yeah I also would like to know how to disable full logging.
    After the last upgrade I have the same issue here (not working with dashboard and look different in snort logs tab).

    Ok I still don't know how to do that via the gui but I modified snort.conf by replacing
    output alert_full: alert
    with
    output alert_fast: alert
    and then restarted snort.
    That did the trick.


Log in to reply