webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-27 03:07:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

logs.cgi/ids.dat: Adjust code to show suricata events

Browse Source 
As default show the events generated by suricata and if
for a certain selected date no suricata log is available
try to fall-back to read the events from the old snort
alert files (if available).

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This commit is contained in:
Stefan Schantl
2018-09-06 12:09:34 +02:00
parent 80bcd4dd1a
commit f5ddcad1cc
1 changed files with 32 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
html/cgi-bin/logs.cgi/ids.dat
View File

@@ -375,11 +375,26 @@ sub processevent
our ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs);
my $filestr='';
my $readmode='';
if ($datediff==0) {
$filestr="/var/log/snort/alert";
# If there is no datediff, directly assign the suricata fast.log.
$filestr="/var/log/suricata/fast.log";
} else {
$filestr="/var/log/snort/alert.$datediff";
$filestr = "$filestr.gz" if -f "$filestr.gz";
# If there is a datediff, assign the datediff to the filestring.
$filestr="/var/log/suricata/fast.log.$datediff";
# The files are compressed add the extension to the filestring.
$filestr="$filestr.gz";
# If the file does not exist, try to fallback to legacy snort alert file.
unless (-f $filestr) {
# Assign snort alert file, the datediff and extension for compressed file.
$filestr = "/var/log/snort/alert.$datediff";
$filestr = "$filestr.gz";
# Assign "snort" as readmode.
$readmode="snort";
}
}
if (!(open (LOG,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) {
$errormessage="$errormessage$Lang::tr{'date not in logs'}: $filestr $Lang::tr{'could not be opened'}";
@@ -388,15 +403,26 @@ sub processevent
while(<LOG>) {
$line++;
if ($_ =~ m/\[\*\*\]/) {
if (($_ =~ m/\[\*\*\]/) && ($readmode eq "snort")) {
unless ($line == 1 || $date ne "$monthstr/$daystr") {
&append;
$line = 1;
}
($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
@refs = ();
$_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
$title = &Header::cleanhtml($2,"y");
} else {
&append;
$line = 1;
# Assign default values.
($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
@refs = ();
# Gather title details from line.
$_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
$title = &Header::cleanhtml($2,"y");
}
if ($_ =~ m/Classification: (.*)\] \[Priority: (\d)\]/) {
$classification = &Header::cleanhtml($1,"y");
@@ -413,7 +439,7 @@ sub processevent
$destport = $10;
}
if ($_ =~ m/^([0-9\/]{3,5})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
if ($_ =~ m/^([0-9\/]{3,10})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
($date,$time) = ($1,$2);
}
if ($_ =~ m/\[Xref \=\>.*\]/) {