Netgate Discussion Forum
    Snort Widget fix (Snort 2.9.2.3 pkg v. 2.5.0)

    pfSense Packages
    14 Posts 6 Posters 4.2k Views
    digdug3

      Here is a quick fix for the Snort widget to get it to work with Snort 2.9.2.3 pkg v. 2.5.0.
      Thanks to ermal for fixing the alert code.
      Update: 19-07-2012 - Fixed a bug in asc/desc, added ports and cleaned code

      Just install Snort Widget v0.3.2 and replace the /usr/local/www/widgets/snort_alerts.widget.php with this:

      
<?php
/*
    snort_alerts.widget.php
    Copyright (C) 2009 Jim Pingle
    mod 19-07-2012

    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.

    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGE.
*/
global $config, $g;

/* array sorting: insertion sort on $array[$subkey] (case-insensitive string
   compare). The list is built in descending order and reversed when
   $sort_ascending is set. */
function sksort(&$array, $subkey="id", $sort_ascending=false) {
	$temp_array = array();
	if (count($array)) {
		$temp_array[key($array)] = array_shift($array);
	}

	foreach ($array as $key => $val) {
		$offset = 0;
		$found = false;
		foreach ($temp_array as $tmp_key => $tmp_val) {
			if (!$found and strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])) {
				$temp_array = array_merge((array)array_slice($temp_array, 0, $offset), array($key => $val), array_slice($temp_array, $offset));
				$found = true;
			}
			$offset++;
		}
		if (!$found) $temp_array = array_merge($temp_array, array($key => $val));
	}

	if ($sort_ascending) {
		$array = array_reverse($temp_array);
	} else {
		$array = $temp_array;
	}
}

/* retrieve snort variables */
require_once("/usr/local/pkg/snort/snort.inc");

/* number of alerts to show. The Snort Widget package is expected to set
   $nentries; the fallback to 5 is an assumption so the widget still renders
   when it is not set. */
if (!isset($nentries) || !is_numeric($nentries))
	$nentries = 5;

$snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype'];
if (!is_array($config['installedpackages']['snortglobal']['rule']))
	$config['installedpackages']['snortglobal']['rule'] = array();
$a_instance = &$config['installedpackages']['snortglobal']['rule'];

/* currently blocked hosts (looked up but not displayed yet) */
$tmpblocked = array_flip(snort_get_blocked_ips());

/* read log file(s) */
$snort_alerts = array();
$counter = 0;
foreach ($a_instance as $instanceid => $instance) {
	$snort_uuid = $a_instance[$instanceid]['uuid'];
	$if_real = snort_get_real_interface($a_instance[$instanceid]['interface']);
	$alertfile = "/var/log/snort/snort_{$if_real}{$snort_uuid}/alert";

	/* make sure alert file exists */
	if (!file_exists($alertfile))
		continue;

	/* last $nentries lines of this instance's alert file, newest first.
	   Captured straight into $lines rather than through a predictable
	   file name under /tmp, and the path is quoted for the shell. */
	$lines = array();
	exec("tail -" . intval($nentries) . " " . escapeshellarg($alertfile) . " | sort -r", $lines);

	/*                 0         1           2      3      4    5    6    7      8     9    10    11             12    */
	/* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */
	foreach ($lines as $fileline) {
		if (trim($fileline) === "")
			continue;
		$fields = explode(",", $fileline);
		if (count($fields) < 13)
			continue;	/* truncated or malformed line */

		/* timestamp is "MM/DD-HH:MM:SS.uuuuuu " (Snort appends a space),
		   hence the substr offsets below */
		$snort_alerts[$counter]['instanceid'] = $a_instance[$instanceid]['interface'];
		$snort_alerts[$counter]['timestamp'] = $fields[0];
		$snort_alerts[$counter]['timeonly'] = substr($fields[0], 6, -8);
		$snort_alerts[$counter]['dateonly'] = substr($fields[0], 0, -17);
		$snort_alerts[$counter]['src'] = $fields[6];
		$snort_alerts[$counter]['srcport'] = $fields[7];
		$snort_alerts[$counter]['dst'] = $fields[8];
		$snort_alerts[$counter]['dstport'] = $fields[9];
		$snort_alerts[$counter]['priority'] = $fields[12];
		$snort_alerts[$counter]['category'] = $fields[11];
		$counter++;
	}
}

/* sort the merged array by timestamp; newest on top when the syslog
   "reverse" option is set, oldest on top otherwise */
if (isset($config['syslog']['reverse'])) {
	sksort($snort_alerts, 'timestamp', false);
} else {
	sksort($snort_alerts, 'timestamp', true);
}

/* display the result. The table markup below is reconstructed from the
   flattened post; the cell classes are assumed to be pfSense's usual
   list classes. */
?>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
	<td class="listhdrr">IF/Date</td>
	<td class="listhdrr">Src/Dst</td>
	<td class="listhdrr">Details</td>
</tr>
<?php
$counter = 0;
if (is_array($snort_alerts)) {
	foreach ($snort_alerts as $alert) {
		/* the first count($a_instance) merged entries are skipped, as in the
		   original widget */
		if ($counter > (count($a_instance) - 1)) {
			/* escape log-derived strings before they reach the page */
			$a = array_map('htmlspecialchars', $alert);
			echo("	<tr>
		<td class=\"listr\">{$a['instanceid']}<br />{$a['timeonly']} {$a['dateonly']}</td>
		<td class=\"listr\">{$a['src']}:{$a['srcport']}<br />{$a['dst']}:{$a['dstport']}</td>
		<td class=\"listr\">Pri : {$a['priority']}<br />Cat : {$a['category']}</td>
	</tr>
");
		}
		$counter++;
		if ($counter >= ($nentries + count($a_instance))) break;
	}
}
?>
</table>
      
      
      Cino

        Thanks digdug3!! Confirmed it works for me on pfSense 2.1.

        _igor_

          Works on pfSense 2.0.1 too. Great work! Thx

          marcelloc

            Open a pull request for this fix on https://github.com/bsdperimeter/pfsense-packages.

            This way ermal can check the code and commit.

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

            digdug3

              Thanks, but I think the code is not clean enough. Maybe I'll clean it later on. Besides that, the code is mostly a copy-paste…

              digdug3

                Just cleaned the code more and removed a bug.
                Please test. If it works correctly maybe ermal can commit it.

              _igor_

                  Works.

                  p0intman

                    Thank you so much, I have been waiting to use this widget forever.

                    _igor_

                      There seems to be a problem: I have 4 instances of the snort widget on my dashboard. If I delete one, all are deleted.

                      digdug3

                        @_igor_:

                        There seems to be a problem: I have 4 instances of the snort widget on my dashboard. If I delete one, all are deleted.

                        How did you get 4 instances? I can't get more than one running. Besides, why would you want that?
                        Can you get more instances of the Captive Portal or Firewall Logs as well?
                        Do you have the widescreen package installed?

                        _igor_

                          Hey, you understood wrong - I don't want to have 4 instances. I activate one and get 4. Deleting one of them deletes all. There is an error.

                          Yes, I have widescreen installed. I don't have captive portal.
                          Activated firewall logs and have only one instance. It has to do with the snort alert widget, I think.

                          digdug3

                            Ah, yes, I misunderstood you!

                            Can't replicate that, but I know there are some problems with the Widescreen package.
                            Is it possible for you to remove the widescreen package and see if the problem still exists?

                            mschiek01

                              @digdug3:

                              Ah, yes, I misunderstood you!

                              Can't replicate that, but I know there are some problems with the Widescreen package.
                              Is it possible for you to remove the widescreen package and see if the problem still exists?

                              I have widescreen and four interfaces, although snort is only running on 2 of them. I have not had any problems as of yet.

                              digdug3

                                @ermal thanks for committing the code

                                Just viewed your changes, but with your code the widget will first display all alerts from IF 0, then IF 1 and so on.
                                I think it is more desirable to display alerts sorted by date, not by interface. That's why I added the sorting of timestamps.

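The two things the thread turns on are the parse of Snort's alert_csv lines in digdug3's widget (the field comment in the first post) and the point made in the last post that alerts from several instances should be merged by timestamp rather than listed interface by interface. The following is an added example, not code from the forum post or from the pfSense Snort package; it is written in Python rather than the widget's PHP so the parsing and ordering can be run and checked outside pfSense. It assumes the alert_csv field order the widget's comment lists and Snort's ts_print() timestamp shape (MM/DD-HH:MM:SS.uuuuuu followed by a space, or MM/DD/YY-... when Snort runs with -y). The instance names, SIDs, messages and addresses in SAMPLE_LOGS are constructed. Unlike the widget, which indexes fields from the left, it takes the fixed fields from both ends of the line so a rule msg that itself contains a comma (alert_csv does not quote fields) still parses.

```python
"""Merge Snort alert_csv output from several instances into one newest-first list.

Added example, not part of the forum post or the pfSense package. Assumes the
alert_csv field order listed in the widget and Snort's ts_print() timestamp
format; all sample data below is constructed.
"""
import re
from typing import Any, Dict, List, Optional

# Field order of the Snort package's alert_csv output (as listed in the widget).
FIELDS = ["timestamp", "sig_generator", "sig_id", "sig_rev", "msg", "proto",
          "src", "srcport", "dst", "dstport", "id", "classification", "priority"]

# Snort's ts_print() writes "MM/DD-HH:MM:SS.uuuuuu " (trailing space); with -y
# the date part is "MM/DD/YY". Both shapes are accepted here.
_TS_RE = re.compile(
    r"^\s*(?P<mon>\d\d)/(?P<day>\d\d)(?:/(?P<yr>\d\d))?-"
    r"(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d)\.(?P<usec>\d{6})\s*$")


def parse_alert_line(line: str, instance: str) -> Optional[Dict[str, Any]]:
    """Turn one alert_csv line into a dict, or None if it is blank or malformed.

    alert_csv does not quote fields, so a rule msg containing a comma yields
    more than 13 fields. The 4 fields before msg and the 8 after it are fixed
    in number, so take those from both ends and rejoin the rest as msg.
    """
    line = line.rstrip("\r\n")
    if not line.strip():
        return None
    parts = line.split(",")
    n_before, n_after = 4, 8           # timestamp..sig_rev | proto..priority
    if len(parts) < n_before + 1 + n_after:
        return None
    head, tail = parts[:n_before], parts[-n_after:]
    msg = ",".join(parts[n_before:len(parts) - n_after])
    rec: Dict[str, Any] = dict(zip(FIELDS, head + [msg] + tail))
    m = _TS_RE.match(rec["timestamp"])
    if not m:
        return None
    rec["instance"] = instance
    rec["dateonly"] = f"{m['mon']}/{m['day']}"
    rec["timeonly"] = f"{m['hh']}:{m['mm']}:{m['ss']}"
    # Numeric sort key. Without -y there is no year, so ordering across a
    # New Year boundary is ambiguous; the widget's string compare on the raw
    # timestamp has the same limitation.
    rec["_key"] = (int(m["yr"] or 0), int(m["mon"]), int(m["day"]),
                   int(m["hh"]), int(m["mm"]), int(m["ss"]), int(m["usec"]))
    return rec


def merge_alerts(logs: Dict[str, List[str]], nentries: int,
                 newest_first: bool = True) -> List[Dict[str, Any]]:
    """logs maps an instance name (e.g. 'wan') to the lines of its alert file.

    Returns the nentries most recent alerts across all instances, ordered by
    timestamp rather than grouped per interface (the ordering digdug3 asked
    for in the last post).
    """
    records = [r for name, lines in logs.items()
               for r in (parse_alert_line(ln, name) for ln in lines) if r]
    records.sort(key=lambda r: r["_key"], reverse=True)   # newest first
    records = records[:nentries]
    if not newest_first:
        records.reverse()
    return records


# Constructed sample alert files (not real captures) for two Snort instances.
# SIDs are in the local-rule range; the third wan line has a comma in its msg.
SAMPLE_LOGS = {
    "wan": [
        "07/19-10:00:01.000100 ,1,1000001,1,LOCAL inbound to web,TCP,203.0.113.5,51234,192.0.2.10,80,0,Potentially Bad Traffic,2",
        "",
        "07/19-10:00:03.500000 ,1,1000002,1,LOCAL ssh probe, second part,TCP,198.51.100.9,44123,192.0.2.10,22,0,Attempted Information Leak,2",
    ],
    "lan": [
        "07/19-10:00:02.250000 ,1,1000003,1,LOCAL mysql connect,TCP,10.0.0.20,5555,10.0.0.4,3306,0,Misc activity,3",
    ],
}

if __name__ == "__main__":
    for r in merge_alerts(SAMPLE_LOGS, nentries=5):
        print(f"{r['instance']:4} {r['dateonly']} {r['timeonly']}  "
              f"{r['src']}:{r['srcport']} -> {r['dst']}:{r['dstport']}  "
              f"pri {r['priority']}  {r['classification']}")
```

Running it prints the wan alert from 10:00:03 first, then the lan alert from 10:00:02, then the wan alert from 10:00:01, i.e. interleaved by time rather than grouped per interface. Passing newest_first=False gives the oldest-on-top order the widget uses when the syslog "reverse" option is not set.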
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.