Regexp for havp widget question
-
Hi,
I think this is a question to the developers of the havp package as well as the dashboard :)
I have created the regexp for this:
^(\d+/\d+/\d+)\s+(\d+:\d+:\d+)\s+(\d+.\d+.\d+.\d+)\s+\w+\s+\d+\s+(https?://([0-9a-z-]+.)+([a-z]{2,3}|aero|coop|jobs|mobi|museum|name|travel)(:[0-9]{1,5})?(/[^ ]*)?)\s+[0-9+]+\s+\w+\s+\w+:\s+([\S]+)$
I basically want to report the LAN IP of the person who was stopped, the URL of the virus, the kind of threat and the threat name.
I have a few questions about the logs of havp.
07/08/2009 12:05:12 192.168.0.10 GET 200 http://www.eicar.org/download/eicar.com 413+68 VIRUS Clamd: Eicar-Test-Signature
In that line, what does 413+68 mean?
Also regarding the "VIRUS Clamd:" part
I suppose this means virus found with clamd scanner.
Can I expect to see anything else here?
I mean clamd is the only scanner available for the package at the moment.
Also what could it possibly be except "VIRUS"?
Ok, slightly bigger logfile:
07/08/2009 12:05:12 192.168.0.10 GET 200 http://www.eicar.org/download/eicar.com 413+68 VIRUS Clamd: Eicar-Test-Signature
07/08/2009 16:43:24 192.168.0.10 GET 200 http://el-killer.chez-alice.fr/Virii/silly.zip 243+284 VIRUS Clamd: VGEN.3347.0
07/08/2009 16:43:42 192.168.0.10 GET 200 http://el-killer.chez-alice.fr/Virii/Armageddon.zip 243+683 VIRUS Clamd: MPC1a-6
07/08/2009 16:43:49 192.168.0.10 GET 200 http://el-killer.chez-alice.fr/Virii/A_204.zip 244+1375 VIRUS Clamd: Jerusalem-USA
Sorry for pasting it here but pastebin won't let me post that :)
-
With a few tweaks, this seems to match up on most things, but not all:
<?php
$line = "07/08/2009 12:05:12 192.168.0.10 GET 200 http://www.eicar.org/download/eicar.com 413+68 VIRUS Clamd: Eicar-Test-Signature";
$log_split = array();
// Groups: 1 date, 2 time, 3 client IP, 4 full URL (5-8 are pieces of it: last host label,
// TLD, optional port, optional path), 9 threat name. The /U modifier makes all quantifiers
// ungreedy. The dots in the IP address are escaped so they only match a literal ".".
preg_match("/^(\d+\/\d+\/\d+)\s+(\d+:\d+:\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+\w+\s+\d+\s+(https?:\/\/([0-9a-z-]+\.)+([a-z]{2,3}|aero|coop|jobs|mobi|museum|name|travel)(:[0-9]{1,5})?(\/[^ ]*)?)\s+[0-9+]+\s+\w+\s+\w+:\s+([\S]+)$/U", $line, $log_split);
print_r($log_split);
Results in:
Array
(
    [0] => 07/08/2009 12:05:12 192.168.0.10 GET 200 http://www.eicar.org/download/eicar.com 413+68 VIRUS Clamd: Eicar-Test-Signature
    [1] => 07/08/2009
    [2] => 12:05:12
    [3] => 192.168.0.10
    [4] => http://www.eicar.org/download/eicar.com
    [5] => eicar.
    [6] => org
    [7] => 
    [8] => /download/eicar.com
    [9] => Eicar-Test-Signature
)
-
Actually it did match everything, there was no port on that URL so the entry for the port was blank.
-
That's fine.
I was not going to use it anyway.
I will be using only:
date and time (together), LAN IP, URL and virus name.
All other fields are not going to be used.
-
Ok the widget works already :)
There are some issues which I should check (I really don't understand yet the ajax stuff that you wrote regarding the lastsawtime).
Unfortunately even with two columns the url still gets wrapped.
I also need to write something similar to snort_alerts.php because right now it links to nowhere since there is no similar php file for havp.
Still I am making progress :P
-
Hi jimp,
I believe I resolved the ajax issues and the widget now updates properly.
I think I am ready to release the code for general consumption.
Please advise.
-
I'm looking at your screenshot.
Maybe more usable info as a table [date | viruses count].
And hints for each date as a list [dateTime | virus | url_path]
-
You mean like 5 last dates when there were viruses and amount of viruses for each date?
Regarding hints, I am not sure whether this is possible within the widget framework.
Jim-p, please respond to that :)
-
> You mean like 5 last dates when there were viruses and amount of viruses for each date?
> Regarding hints I am not sure whether this is possible within widget framework.
> Jim-p, please respond to that :)
It should be possible to do a summary like that, it wouldn't have to even update with AJAX. Just add another table above what you have now and summarize the data a little. I can have a look when I test it out. I haven't had any time to try the code you sent to me yet. Hopefully I can do that tonight.
It might help to have a bigger sample of a HAVP log than what you posted. At least 10-20 lines with items from multiple dates.
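Added example (mine, not code from the thread or from the widget): a PHP parser for the HAVP log format shown above, plus the per-date [date | viruses count] summary suggested in this reply. It assumes a simpler pattern than the posted regexp (the URL is taken as the whole non-space token, with no TLD list), keeps the "413+68" field verbatim without interpreting it, and the third sample line and the function names are made up.

```php
<?php
// Added example, not the widget's own code. Assumptions: URL = whole non-space
// token (no TLD list); the size field is captured verbatim, not interpreted.
define('HAVP_LINE',
    '/^(\d{2}\/\d{2}\/\d{4})\s+(\d{2}:\d{2}:\d{2})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+' .
    '(\w+)\s+(\d{3})\s+(\S+)\s+(\d+\+\d+)\s+(\w+)\s+(\w+):\s+(\S+)$/');

function parse_havp_line($line) {
    if (!preg_match(HAVP_LINE, trim($line), $m)) {
        return null;   // not a line in the format shown in this thread
    }
    return array(
        'date'     => $m[1],
        'datetime' => $m[1] . ' ' . $m[2],
        'client'   => $m[3],            // LAN IP of the blocked client
        'url'      => $m[6],
        'size'     => $m[7],            // the "413+68" field, kept as-is
        'result'   => $m[8],            // e.g. VIRUS
        'scanner'  => $m[9],            // e.g. Clamd
        'threat'   => $m[10],
    );
}

// Rows for the [date | viruses count] table, in log order.
function summarize_by_date(array $entries) {
    $counts = array();
    foreach ($entries as $e) {
        if ($e['result'] !== 'VIRUS') continue;
        $counts[$e['date']] = isset($counts[$e['date']]) ? $counts[$e['date']] + 1 : 1;
    }
    return $counts;
}

// Constructed sample: two lines quoted in the thread plus a made-up line with a
// port in the URL and a different date.
$sample = "07/08/2009 12:05:12 192.168.0.10 GET 200 http://www.eicar.org/download/eicar.com 413+68 VIRUS Clamd: Eicar-Test-Signature\n"
        . "07/08/2009 16:43:24 192.168.0.10 GET 200 http://el-killer.chez-alice.fr/Virii/silly.zip 243+284 VIRUS Clamd: VGEN.3347.0\n"
        . "08/08/2009 09:01:00 192.168.0.11 GET 200 http://host.example:8080/sample.zip 100+200 VIRUS Clamd: Example-Name\n";

$entries = array();
foreach (explode("\n", rtrim($sample)) as $line) {
    if (($e = parse_havp_line($line)) !== null) $entries[] = $e;
}

// Every field came from a request the client chose, so escape it before it goes
// into the dashboard's HTML.
foreach ($entries as $e) {
    printf("<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>\n",
        htmlspecialchars($e['datetime'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($e['client'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($e['url'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($e['threat'], ENT_QUOTES, 'UTF-8'));
}
print_r(summarize_by_date($entries));
```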
-
Ok I will try to assemble some more virus data.
My regular browsing habits don't contain too many viruses so I have to search for viruses in order to fill the logs :)
In my case that summary would be pretty dull.
-
I committed the havp widget into Dashboard v0.8.4, should be on the package server momentarily.