Snort Widget fix (Snort 2.9.2.3 pkg v. 2.5.0)

digdug3

Here is a quick fix for the Snort widget to get it to work with Snort 2.9.2.3 pkg v. 2.5.0
Thanks to ermal for fixing the alert code.
Update: 19-07-2012 - Fixed a bug in asc/desc, added ports and cleaned code

Just install Snort Widget v0.3.2 and replace the /usr/local/www/widgets/snort_alerts.widget.php with this:

/*
    snort_alerts.widget.php
    Copyright (C) 2009 Jim Pingle
    mod 19-07-2012

    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions are met:

    1\. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.

    2\. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.

    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
    INClUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGE.
*/
global $config, $g;

/* array sorting */
function sksort(&$array, $subkey="id", $sort_ascending=false) {
	if (count($array)) {
		$temp_array[key($array)] = array_shift($array);
	};

	foreach ($array as $key => $val){
		$offset = 0;
		$found = false;
		foreach ($temp_array as $tmp_key => $tmp_val) {
			if (!$found and strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])) {
				$temp_array = array_merge((array)array_slice($temp_array,0,$offset), array($key => $val), array_slice($temp_array,$offset));
				$found = true;
			};
			$offset++;
		};
		if (!$found) $temp_array = array_merge($temp_array, array($key => $val));
	};

	if ($sort_ascending) {
		$array = array_reverse($temp_array);
	} else $array = $temp_array;
};

/* retrieve snort variables */
require_once("/usr/local/pkg/snort/snort.inc");

$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype'];
if (!is_array($config['installedpackages']['snortglobal']['rule']))
	$config['installedpackages']['snortglobal']['rule'] = array();
$a_instance = &$config['installedpackages']['snortglobal']['rule'];

/* read log file(s) */
$counter=0;
foreach ($a_instance as $instanceid => $instance) {
	$snort_uuid = $a_instance[$instanceid]['uuid'];
	$if_real = snort_get_real_interface($a_instance[$instanceid]['interface']);

	/* make sure alert file exists */
	if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) {
		exec("tail -{$anentries} /var/log/snort/snort_{$if_real}{$snort_uuid}/alert | sort -r > /tmp/alert_{$snort_uuid}");
		if (file_exists("/tmp/alert_{$snort_uuid}")) {
			$tmpblocked = array_flip(snort_get_blocked_ips());

			/*                 0         1           2      3      4    5    6    7      8     9    10    11             12    */
			/* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */
			$fd = fopen("/tmp/alert_{$snort_uuid}", "r");
			while (($fileline = @fgets($fd))) {
				if (empty($fileline))
					continue;
				$fields = explode(",", $fileline);

				$snort_alerts[$counter]['instanceid'] = $a_instance[$instanceid]['interface'];
				$snort_alerts[$counter]['timestamp'] = $fields[0];
				$snort_alerts[$counter]['timeonly'] = substr($fields[0], 6, -8);
				$snort_alerts[$counter]['dateonly'] = substr($fields[0], 0, -17);
				$snort_alerts[$counter]['src'] = $fields[6];
				$snort_alerts[$counter]['srcport'] = $fields[7];
				$snort_alerts[$counter]['dst'] = $fields[8];
				$snort_alerts[$counter]['dstport'] = $fields[9];
				$snort_alerts[$counter]['priority'] = $fields[12];
				$snort_alerts[$counter]['category'] = $fields[11];
				$counter++;
			};
			fclose($fd);
			@unlink("/tmp/alert_{$snort_uuid}");
		};
	};
};

/* sort the array */
if (isset($config['syslog']['reverse'])) {
	sksort($snort_alerts, 'timestamp', false);
} else {
	sksort($snort_alerts, 'timestamp', true);
};

/* display the result */
?>

$counter=0;
if (is_array($snort_alerts)) {
	foreach ($snort_alerts as $alert) {
		if($counter > (count($a_instance) - 1)) {
			echo("	

");
		};
		$counter++;
		if($counter >= ($nentries + count($a_instance))) break;
	}
};
?>

| IF/Date |			 Src/Dst |			 Details |		
					 " . $alert['instanceid'] . "
" . $alert['timeonly'] . " " . $alert['dateonly'] . " |							 " . $alert['src'] . ":" . $alert['srcport'] . "
" . $alert['dst'] . ":" . $alert['dstport'] . " |					 Pri : " . $alert['priority'] . "
Cat : " . $alert['category'] . " |					

Cino

thanks digdug3!! Confirm it works for me on pfSense 2.1

_igor_

works on pfSensre 2.0.1 too. Great work! thx

marcelloc

Open a pull request for this fix on https://github.com/bsdperimeter/pfsense-packages.

This way ermal can check the code and commit.

digdug3

Thanks, but I think the code is not clean enough. Maybe I'll clean it later on. Besides that, the code is mostly a copy-paste…

digdug3

Just cleaned the code more and removed a bug.
Please test. If it works correctly maybe ermal can commit it.

_igor_

works.

p0intman

Thank you so much I have been waiting to use this widget forever.

_igor_

Therer seems to be a problem: I have 4 instances of the snort widget on my dashboard. If i delete one, all are deleted.

digdug3

@_igor_:

Therer seems to be a problem: I have 4 instances of the snort widget on my dashboard. If i delete one, all are deleted.

How did you get 4 instances? I can't get more than one running. Besides, why would you want that?
Can you get more instances of the Captive Portal or Firewall Logs as well?
Do you have the widescreen package installed?

_igor_

hey, you understood wrong - i dont want to have 4 instances. I activate one and get 4. Deleting one of them deletes all. There is an error.

Yes, i have widescreen installed. I dont have captive portal.
Activated firewall logs and have only one instance. It has to do with the snort alert widget, i think.

digdug3

Ah, yes, I  misunderstood you!

Can't replicate that, but I know there are some problems with the Widescreen package.
Is it possible for you to remove the widescreen package and see if the problem still exists?

mschiek01

@digdug3:

Ah, yes, I  misunderstood you!

Can't replicate that, but I know there are some problems with the Widescreen package.
Is it possible for you to remove the widescreen package and see if the problem still exists?

I have widescreen and four interfaces although snort is only running on 2 of them I have not had any problems as of yet.

digdug3

@ermal thanks for committing the code

Just viewed your changes, but with your code the widget will first display all alerts from IF 0 then IF 1 and so on,
I think it is more desireable to display alerts sorted by date, not by interface. Thats why I added the sorting of timestamps.