Regexp for havp widget question



  • Hi,
    I think this is a question for the developers of the havp package as well as the dashboard :)
    I have created the regexp for this:

    ^(\d+/\d+/\d+)\s+(\d+:\d+:\d+)\s+(\d+.\d+.\d+.\d+)\s+\w+\s+\d+\s+(https?://([0-9a-z-]+.)+([a-z]{2,3}|aero|coop|jobs|mobi|museum|name|travel)(:[0-9]{1,5})?(/[^ ]*)?)\s+[0-9+]+\s+\w+\s+\w+:\s+([\S]+)$

    I basically want to report the LAN IP of the person who was stopped, the URL of the virus, the kind of threat and the threat name.

    I have a few questions about the logs of havp.
    07/08/2009 12:05:12 192.168.0.10 GET 200 http://www.eicar.org/download/eicar.com 413+68 VIRUS Clamd: Eicar-Test-Signature

    In that line, what does 413+68 mean?
    Also, regarding the "VIRUS Clamd:" part,
    I suppose this means a virus was found with the clamd scanner.
    Can I expect to see anything else here?
    I mean, clamd is the only scanner available for the package at the moment.
    Also, what could it possibly be except "VIRUS"?

    OK, a slightly bigger logfile:
    07/08/2009 12:05:12 192.168.0.10 GET 200 http://www.eicar.org/download/eicar.com 413+68 VIRUS Clamd: Eicar-Test-Signature
    07/08/2009 16:43:24 192.168.0.10 GET 200 http://el-killer.chez-alice.fr/Virii/silly.zip 243+284 VIRUS Clamd: VGEN.3347.0
    07/08/2009 16:43:42 192.168.0.10 GET 200 http://el-killer.chez-alice.fr/Virii/Armageddon.zip 243+683 VIRUS Clamd: MPC1a-6
    07/08/2009 16:43:49 192.168.0.10 GET 200 http://el-killer.chez-alice.fr/Virii/A_204.zip 244+1375 VIRUS Clamd: Jerusalem-USA

    Sorry for pasting it here, but pastebin won't let me post that :)


  • Rebel Alliance Developer Netgate

    With a few tweaks, this seems to match up on most things, but not all:

    <?php
    // HAVP log line from the post above
    $line = "07/08/2009 12:05:12 192.168.0.10 GET 200 http://www.eicar.org/download/eicar.com 413+68 VIRUS Clamd: Eicar-Test-Signature";
    $log_split = array();
    // Same regexp with the slashes escaped for the / delimiter, the dots in the IP address and host labels escaped (an unescaped . matches any character), and the U (ungreedy) modifier
    preg_match("/^(\d+\/\d+\/\d+)\s+(\d+:\d+:\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+\w+\s+\d+\s+(https?:\/\/([0-9a-z-]+\.)+([a-z]{2,3}|aero|coop|jobs|mobi|museum|name|travel)(:[0-9]{1,5})?(\/[^ ]*)?)\s+[0-9+]+\s+\w+\s+\w+:\s+([\S]+)$/U", $line, $log_split);
    print_r($log_split);

    Results in:

    Array
    (
        [0] => 07/08/2009 12:05:12 192.168.0.10 GET 200 http://www.eicar.org/download/eicar.com 413+68 VIRUS Clamd: Eicar-Test-Signature
        [1] => 07/08/2009
        [2] => 12:05:12
        [3] => 192.168.0.10
        [4] => http://www.eicar.org/download/eicar.com
        [5] => eicar.
        [6] => org
        [7] => 
        [8] => /download/eicar.com
        [9] => Eicar-Test-Signature
    )
    
    

  • Rebel Alliance Developer Netgate

    Actually, it did match everything; there was no port on that URL, so the entry for the port was blank.



  • That's fine.
    I was not going to use it anyway.
    I will be using only:
    date and time (together), LAN IP, URL and virus name.
    All other fields are not going to be used.



  • OK, the widget works already :)
    There are some issues which I should check (I really don't understand yet the AJAX stuff that you wrote regarding the lastsawtime).
    Unfortunately, even with two columns the URL still gets wrapped.
    I also need to write something similar to snort_alerts.php, because right now it links to nowhere since there is no similar PHP file for havp.
    Still, I am making progress :P

    What do you think about its looks?



  • Hi jimp,
    I believe I resolved the AJAX issues and the widget now updates properly.
    I think I am ready to release the code for general consumption.
    Please advise.



  • I'm looking at your screenshot.
    Maybe more usable info as a table [date | virus count].
    And hints for each date as a list [dateTime | virus | url_path]



  • You mean like the 5 last dates when there were viruses and the number of viruses for each date?
    Regarding hints, I am not sure whether this is possible within the widget framework.
    Jim-p, please respond to that :)


  • Rebel Alliance Developer Netgate

    @matrix200:

    You mean like the 5 last dates when there were viruses and the number of viruses for each date?
    Regarding hints, I am not sure whether this is possible within the widget framework.
    Jim-p, please respond to that :)

    It should be possible to do a summary like that; it wouldn't even have to update with AJAX. Just add another table above what you have now and summarize the data a little. I can have a look when I test it out. I haven't had any time to try the code you sent to me yet. Hopefully I can do that tonight.

    It might help to have a bigger sample of a HAVP log than what you posted. At least 10-20 lines with items from multiple dates.
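
As an added example (my own code, not from the havp package or the Dashboard widget), here is a complete PHP parser for the HAVP log format posted at the top of this thread, together with the per-date [date | virus count] summary suggested just above. The sample log is constructed: the lines posted in the thread plus three made-up lines (a second date with a URL carrying a port, a non-log line that must be skipped, and a deliberately hostile URL). The field names after the URL, including `sizes` for the `413+68` column, are labels I chose; the thread does not explain that column, so it is only carried through, never interpreted. One caveat a widget author wants: the URL is whatever the client requested, so it is attacker-controlled, and it must be HTML-escaped before it is written into the dashboard page, which the row builder below does for every cell.

```php
<?php
// Added example, not code from the havp package or the Dashboard widget.
// Parses HAVP access-log lines of the format posted in this thread and
// builds the per-date virus summary suggested above. "sizes" is the name
// chosen here for the 413+68 column; it is carried through, not interpreted.

// Constructed sample log: the posted lines plus three made-up lines
// (second date with a port in the URL, a junk line, a hostile URL).
$sample_log = <<<'LOG'
07/08/2009 12:05:12 192.168.0.10 GET 200 http://www.eicar.org/download/eicar.com 413+68 VIRUS Clamd: Eicar-Test-Signature
07/08/2009 16:43:24 192.168.0.10 GET 200 http://el-killer.chez-alice.fr/Virii/silly.zip 243+284 VIRUS Clamd: VGEN.3347.0
07/08/2009 16:43:42 192.168.0.10 GET 200 http://el-killer.chez-alice.fr/Virii/Armageddon.zip 243+683 VIRUS Clamd: MPC1a-6
07/08/2009 16:43:49 192.168.0.10 GET 200 http://el-killer.chez-alice.fr/Virii/A_204.zip 244+1375 VIRUS Clamd: Jerusalem-USA
08/08/2009 09:12:03 192.168.0.21 GET 200 http://www.eicar.org:8080/download/eicar.com.txt 414+68 VIRUS Clamd: Eicar-Test-Signature
this is not a havp log line and must be skipped
08/08/2009 09:14:40 192.168.0.21 GET 200 http://evil.example/<script>alert(1)</script>.zip 415+308 VIRUS Clamd: Eicar-Test-Signature
LOG;

// One anchored regex with named groups. Unlike the TLD whitelist in the
// posted regexp, the URL is everything up to the next space, which is all
// the widget needs and does not break on uncommon host suffixes.
const HAVP_LINE_RE = '~^(?P<date>\d{2}/\d{2}/\d{4})\s+'
    . '(?P<time>\d{2}:\d{2}:\d{2})\s+'
    . '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+'
    . '(?P<method>[A-Z]+)\s+'
    . '(?P<status>\d{3})\s+'
    . '(?P<url>https?://\S+)\s+'
    . '(?P<sizes>[0-9+]+)\s+'
    . '(?P<result>\S+)\s+'
    . '(?P<scanner>\S+):\s+'
    . '(?P<signature>\S+)\s*$~';

// Parse one line; returns null for anything that is not a HAVP entry.
function havp_parse_line(string $line): ?array
{
    if (!preg_match(HAVP_LINE_RE, $line, $m)) {
        return null;
    }
    return [
        'date' => $m['date'], 'time' => $m['time'], 'ip' => $m['ip'],
        'method' => $m['method'], 'status' => (int) $m['status'],
        'url' => $m['url'], 'sizes' => $m['sizes'], 'result' => $m['result'],
        'scanner' => $m['scanner'], 'signature' => $m['signature'],
    ];
}

// Parse a whole log, dropping blank and unparseable lines.
function havp_parse_log(string $log): array
{
    $entries = [];
    foreach (preg_split('/\R/', $log) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        $entry = havp_parse_line($line);
        if ($entry !== null) {
            $entries[] = $entry;
        }
    }
    return $entries;
}

// The [date | virus count] table suggested above, in log order.
function havp_summary_by_date(array $entries): array
{
    $summary = [];
    foreach ($entries as $e) {
        $summary[$e['date']] = ($summary[$e['date']] ?? 0) + 1;
    }
    return $summary;
}

// One widget row: date and time together, LAN IP, URL, virus name.
// The URL is whatever the client asked for, so it is attacker-controlled;
// every cell is escaped before it goes into the dashboard HTML.
function havp_widget_row(array $e): string
{
    $cells = [$e['date'] . ' ' . $e['time'], $e['ip'], $e['url'], $e['signature']];
    $escaped = array_map(
        function ($v) { return htmlspecialchars($v, ENT_QUOTES, 'UTF-8'); },
        $cells
    );
    return '<tr><td>' . implode('</td><td>', $escaped) . '</td></tr>';
}

$entries = havp_parse_log($sample_log);
printf("Parsed %d virus entries\n\n", count($entries));

echo "Date        Viruses\n";
foreach (havp_summary_by_date($entries) as $date => $count) {
    printf("%-11s %d\n", $date, $count);
}

echo "\nWidget rows:\n";
foreach ($entries as $e) {
    echo havp_widget_row($e), "\n";
}
```

Run it with `php havp_widget_example.php`. The junk line is dropped by `havp_parse_line` returning null, the port in the fifth URL needs no special case because the URL group is simply `\S+`, and the hostile seventh URL comes out of `havp_widget_row` with its angle brackets turned into entities rather than landing in the dashboard as live markup. For the real widget, replace `$sample_log` with the contents of the HAVP access log and reverse the entry list if the newest lines should be at the top.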



  • OK, I will try to assemble some more virus data.
    My regular browsing habits don't contain too many viruses, so I have to search for viruses in order to fill the logs :)
    In my case that summary would be pretty dull.


  • Rebel Alliance Developer Netgate

    I committed the havp widget into Dashboard v0.8.4, should be on the package server momentarily.

