Snort Widget fix (Snort 2.9.2.3 pkg v. 2.5.0)



  • Here is a quick fix for the Snort widget to get it to work with Snort 2.9.2.3 pkg v. 2.5.0
    Thanks to ermal for fixing the alert code.
    Update: 19-07-2012 - Fixed a bug in asc/desc, added ports and cleaned code

    Just install Snort Widget v0.3.2 and replace the /usr/local/www/widgets/snort_alerts.widget.php with this:

    
    /*
        snort_alerts.widget.php
        Copyright (C) 2009 Jim Pingle
        mod 19-07-2012
    
        Redistribution and use in source and binary forms, with or without
        modification, are permitted provided that the following conditions are met:
    
        1. Redistributions of source code must retain the above copyright notice,
           this list of conditions and the following disclaimer.
    
        2. Redistributions in binary form must reproduce the above copyright
           notice, this list of conditions and the following disclaimer in the
           documentation and/or other materials provided with the distribution.
    
        THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
        INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
        AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
        AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
        OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
        SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
        INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
        CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
        ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
        POSSIBILITY OF SUCH DAMAGE.
    */
    global $config, $g;
    
    /* number of alert lines to display; the posted code never sets this, so default it here (assumed value) */
    if (!isset($nentries) || intval($nentries) < 1)
    	$nentries = 5;
    $nentries = intval($nentries);
    
    /* array sorting: insertion sort on $subkey (case-insensitive string compare), descending unless $sort_ascending */
    function sksort(&$array, $subkey="id", $sort_ascending=false) {
    	$temp_array = array();
    	if (count($array)) {
    		$temp_array[key($array)] = array_shift($array);
    	}
    
    	foreach ($array as $key => $val) {
    		$offset = 0;
    		$found = false;
    		foreach ($temp_array as $tmp_key => $tmp_val) {
    			if (!$found and strtolower($val[$subkey]) > strtolower($tmp_val[$subkey])) {
    				$temp_array = array_merge((array)array_slice($temp_array, 0, $offset), array($key => $val), array_slice($temp_array, $offset));
    				$found = true;
    			}
    			$offset++;
    		}
    		if (!$found) $temp_array = array_merge($temp_array, array($key => $val));
    	}
    
    	if ($sort_ascending) {
    		$array = array_reverse($temp_array);
    	} else {
    		$array = $temp_array;
    	}
    }
    
    /* retrieve snort variables */
    require_once("/usr/local/pkg/snort/snort.inc");
    
    $snortalertlogt = $config['installedpackages']['snortglobal']['snortalertlogtype'];
    if (!is_array($config['installedpackages']['snortglobal']['rule']))
    	$config['installedpackages']['snortglobal']['rule'] = array();
    $a_instance = &$config['installedpackages']['snortglobal']['rule'];
    
    /* read log file(s) */
    $counter = 0;
    $snort_alerts = array();
    foreach ($a_instance as $instanceid => $instance) {
    	$snort_uuid = $a_instance[$instanceid]['uuid'];
    	$if_real = snort_get_real_interface($a_instance[$instanceid]['interface']);
    	$alertfile = "/var/log/snort/snort_{$if_real}{$snort_uuid}/alert";
    
    	/* make sure alert file exists */
    	if (file_exists($alertfile)) {
    		/* last $nentries lines, newest first; read straight from the pipe instead of a predictable /tmp file */
    		$lines = array();
    		exec("tail -n " . intval($nentries) . " " . escapeshellarg($alertfile) . " | sort -r", $lines);
    		$tmpblocked = array_flip(snort_get_blocked_ips());
    
    		/*                 0         1           2      3      4    5    6    7      8     9    10    11             12    */
    		/* File format timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority */
    		foreach ($lines as $fileline) {
    			$fileline = trim($fileline);
    			if (empty($fileline))
    				continue;
    			/* escape once here so the fields can be echoed into the table below unchanged */
    			$fields = array_map('htmlspecialchars', explode(",", $fileline));
    			if (count($fields) < 13)
    				continue;
    
    			$snort_alerts[$counter]['instanceid'] = $a_instance[$instanceid]['interface'];
    			$snort_alerts[$counter]['timestamp'] = $fields[0];
    			$snort_alerts[$counter]['timeonly'] = substr($fields[0], 6, -8);
    			$snort_alerts[$counter]['dateonly'] = substr($fields[0], 0, -17);
    			$snort_alerts[$counter]['src'] = $fields[6];
    			$snort_alerts[$counter]['srcport'] = $fields[7];
    			$snort_alerts[$counter]['dst'] = $fields[8];
    			$snort_alerts[$counter]['dstport'] = $fields[9];
    			$snort_alerts[$counter]['priority'] = $fields[12];
    			$snort_alerts[$counter]['category'] = $fields[11];
    			$counter++;
    		}
    	}
    }
    
    /* sort the array */
    if (isset($config['syslog']['reverse'])) {
    	sksort($snort_alerts, 'timestamp', false);
    } else {
    	sksort($snort_alerts, 'timestamp', true);
    };
    
    /* display the result */
    ?>
    <table>
    	<tr>
    		<td>IF/Date</td>
    		<td>Src/Dst</td>
    		<td>Details</td>
    	</tr>
    <?php
    $counter = 0;
    if (is_array($snort_alerts)) {
    	foreach ($snort_alerts as $alert) {
    		if ($counter > (count($a_instance) - 1)) {
    			echo("	<tr>
    				<td>" . $alert['instanceid'] . "<br/>" . $alert['timeonly'] . " " . $alert['dateonly'] . "</td>
    				<td>" . $alert['src'] . ":" . $alert['srcport'] . "<br/>" . $alert['dst'] . ":" . $alert['dstport'] . "</td>
    				<td>Pri : " . $alert['priority'] . "<br/>Cat : " . $alert['category'] . "</td>
    			</tr>
    ");
    		}
    		$counter++;
    		if ($counter >= ($nentries + count($a_instance))) break;
    	}
    }
    ?>
    </table>
    


  • thanks digdug3!! Confirm it works for me on pfSense 2.1



  • works on pfSense 2.0.1 too. Great work! thx



  • Open a pull request for this fix on https://github.com/bsdperimeter/pfsense-packages.

    This way ermal can check the code and commit.



  • Thanks, but I think the code is not clean enough. Maybe I'll clean it later on. Besides that, the code is mostly a copy-paste…



  • Just cleaned the code more and removed a bug.
    Please test. If it works correctly maybe ermal can commit it.



  • works.



  • Thank you so much I have been waiting to use this widget forever.



  • There seems to be a problem: I have 4 instances of the snort widget on my dashboard. If I delete one, all are deleted.



  • @_igor_:

    There seems to be a problem: I have 4 instances of the snort widget on my dashboard. If I delete one, all are deleted.

    How did you get 4 instances? I can't get more than one running. Besides, why would you want that?
    Can you get more instances of the Captive Portal or Firewall Logs as well?
    Do you have the widescreen package installed?



  • hey, you understood wrong - I don't want to have 4 instances. I activate one and get 4. Deleting one of them deletes all. There is an error.

    Yes, I have widescreen installed. I don't have captive portal.
    Activated firewall logs and have only one instance. It has to do with the snort alert widget, I think.



  • Ah, yes, I misunderstood you!

    Can't replicate that, but I know there are some problems with the Widescreen package.
    Is it possible for you to remove the widescreen package and see if the problem still exists?



  • @digdug3:

    Ah, yes, I misunderstood you!

    Can't replicate that, but I know there are some problems with the Widescreen package.
    Is it possible for you to remove the widescreen package and see if the problem still exists?

    I have widescreen and four interfaces, although snort is only running on 2 of them. I have not had any problems as of yet.



  • @ermal thanks for committing the code

    Just viewed your changes, but with your code the widget will first display all alerts from IF 0, then IF 1 and so on.
    I think it is more desirable to display alerts sorted by date, not by interface. That's why I added the sorting of timestamps.
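    The widget's comment gives the column layout of Snort's alert_csv output, and the post above argues that alerts from several interfaces should be interleaved by time rather than listed per interface. The following is an added Python example, not the widget's code nor anything from the pfSense or Snort packages, that parses that layout and merges constructed sample lines from two interfaces in timestamp order. The interface names, rule messages and addresses are made up, and the two accepted timestamp formats (Snort's default without a year, and the variant with a two-digit year) are assumptions.

```python
"""Parse Snort alert_csv lines from several interface logs and order them by time."""
from datetime import datetime

# Column layout of Snort's alert_csv output, as listed in the widget's own comment:
# timestamp,sig_generator,sig_id,sig_rev,msg,proto,src,srcport,dst,dstport,id,classification,priority
FIELDS_BEFORE_MSG = ("timestamp", "sig_generator", "sig_id", "sig_rev")
FIELDS_AFTER_MSG = ("proto", "src", "srcport", "dst", "dstport", "id", "classification", "priority")

# Assumed timestamp formats: Snort's default "MM/DD-HH:MM:SS.uuuuuu" and the variant with
# the year included; a format without the year parses as year 1900, which is fine for ordering.
TIMESTAMP_FORMATS = ("%m/%d/%y-%H:%M:%S.%f", "%m/%d-%H:%M:%S.%f")


def parse_timestamp(text):
    """Return a datetime for a Snort alert timestamp, or raise ValueError."""
    for fmt in TIMESTAMP_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised Snort timestamp: %r" % text)


def parse_alert_line(line, interface):
    """Split one alert_csv line into a dict tagged with its interface; None for blank or malformed lines."""
    line = line.rstrip("\r\n")
    if not line:
        return None
    # The msg field may itself contain commas, so take the fixed number of fields after msg
    # from the right and the fixed number before it from the left; whatever remains is msg.
    tail = line.rsplit(",", len(FIELDS_AFTER_MSG))
    if len(tail) != len(FIELDS_AFTER_MSG) + 1:
        return None
    head = tail[0].split(",", len(FIELDS_BEFORE_MSG))
    if len(head) != len(FIELDS_BEFORE_MSG) + 1:
        return None
    alert = dict(zip(FIELDS_BEFORE_MSG, head[:-1]))
    alert["msg"] = head[-1]
    alert.update(zip(FIELDS_AFTER_MSG, tail[1:]))
    alert["interface"] = interface
    try:
        alert["time"] = parse_timestamp(alert["timestamp"])
        alert["priority"] = int(alert["priority"])
    except ValueError:
        return None
    return alert


def merge_alerts(logs, limit=5, newest_first=True):
    """Merge {interface: [csv line, ...]} into one list ordered by alert time across interfaces."""
    alerts = []
    for interface, lines in logs.items():
        for line in lines:
            parsed = parse_alert_line(line, interface)
            if parsed is not None:
                alerts.append(parsed)
    # Sort on the parsed datetime rather than on the raw string as the widget's sksort() does,
    # so the order survives a year rollover or mixed timestamp formats between instances.
    alerts.sort(key=lambda a: a["time"], reverse=newest_first)
    return alerts[:limit]


# Constructed sample lines for two interfaces (not real alerts); the second em0 line has a
# comma inside msg, and em1 carries a blank line of the kind the widget's loop skips.
SAMPLE_LOGS = {
    "em0": [
        "07/19-10:15:02.000100,1,1000001,1,Constructed rule A,TCP,203.0.113.7,80,192.0.2.10,51234,0,Misc activity,2",
        "07/19-10:15:05.000200,1,1000002,1,Constructed rule B, with comma in msg,UDP,192.0.2.10,5353,224.0.0.251,5353,0,Misc activity,3",
    ],
    "em1": [
        "07/19-10:15:03.000300,1,1000003,1,Constructed rule C,ICMP,198.51.100.5,0,192.0.2.20,0,0,Misc activity,3",
        "",
    ],
}

if __name__ == "__main__":
    for a in merge_alerts(SAMPLE_LOGS):
        print(a["interface"], a["timestamp"], a["src"] + ":" + a["srcport"],
              a["dst"] + ":" + a["dstport"], "Pri", a["priority"], "Cat", a["classification"])
```

    Run as a script it prints the merged view newest first: the em0 alert from 10:15:05, then the em1 alert from 10:15:03, then the em0 alert from 10:15:02, which is the interleaving the post asks for. Splitting from both ends of the line is what keeps a comma inside the rule message from shifting the port, classification and priority columns, which a plain `explode(",")` would do.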

