logs.cgi/ids.dat: Adjust code to show suricata events
index 030fd4b64def42e9995492497d723dfcdb957fbf..ab8cac2b607f1b1aacec448d716c562d9958ea62 100644 (file)
@@ -375,11 +375,26 @@ sub processevent
        our ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs);
 
        my $filestr='';
+       my $readmode='';
        if ($datediff==0) {
-               $filestr="/var/log/snort/alert";
+               # If there is no datediff, directly assign the suricata fast.log.
+               $filestr="/var/log/suricata/fast.log";
        } else {
-               $filestr="/var/log/snort/alert.$datediff";
-               $filestr = "$filestr.gz" if -f "$filestr.gz";
+               # If there is a datediff, assign the datediff to the filestring.
+               $filestr="/var/log/suricata/fast.log.$datediff";
+
+               # The files are compressed add the extension to the filestring.
+               $filestr="$filestr.gz";
+
+               # If the file does not exist, try to fallback to legacy snort alert file.
+               unless (-f $filestr) {
+                       # Assign snort alert file, the datediff and extension for compressed file.
+                       $filestr = "/var/log/snort/alert.$datediff";
+                       $filestr = "$filestr.gz";
+
+                       # Assign "snort" as readmode.
+                       $readmode="snort";
+               }
        }
        if (!(open (LOG,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) {
                $errormessage="$errormessage$Lang::tr{'date not in logs'}: $filestr $Lang::tr{'could not be opened'}";
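Review bot: The fallback at lines 24-31 drops the existence check the old code had, so when neither `/var/log/suricata/fast.log.$datediff.gz` nor the snort file exists, `$filestr` still ends in `.gz`, the pipe open on the next line (`gzip -dc $filestr |`) succeeds because a pipe open only fails when the fork fails, and the `could not be opened` error below is never reported; the page just shows no events while gzip's complaint goes to stderr. An uncompressed rotated file (`fast.log.1` or `alert.1` without `.gz`) is also no longer found. Keep the `-f` test per candidate and add `.gz` only when that file exists; since `$filestr` is interpolated into a shell command on the open line, the list form `open(LOG, '-|', 'gzip', '-dc', $filestr)` would also keep the shell out of a path built from `$datediff`, whose origin is outside this hunk. processevent starts before this hunk.
```perl
	} else {
		# Rotated logs are normally compressed; prefer the suricata file and
		# fall back to the legacy snort file when no suricata file exists.
		$filestr = "/var/log/suricata/fast.log.$datediff";
		$filestr = "$filestr.gz" if -f "$filestr.gz";

		unless (-f $filestr) {
			$filestr = "/var/log/snort/alert.$datediff";
			$filestr = "$filestr.gz" if -f "$filestr.gz";

			# Legacy multi-line snort alert format.
			$readmode = "snort";
		}
	}
	# … unchanged: open of $filestr and error handling …
```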
@@ -388,15 +403,26 @@ sub processevent
 
                while(<LOG>) {
                        $line++;
-                       if ($_ =~ m/\[\*\*\]/) {
+                       if (($_ =~ m/\[\*\*\]/) && ($readmode eq "snort")) {
                                unless ($line == 1 || $date ne "$monthstr/$daystr") {
                                        &append;
                                        $line = 1;
                                }
-                               ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
+                               ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
                                @refs = ();
                                $_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
                                $title = &Header::cleanhtml($2,"y");
+                       } else {
+                               &append;
+                               $line = 1;
+
+                               # Assign default values.
+                               ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
+                               @refs = ();
+
+                               # Gather title details from line.
+                               $_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
+                               $title = &Header::cleanhtml($2,"y");
                        }
                        if ($_ =~ m/Classification: (.*)\] \[Priority: (\d)\]/) {
                                $classification = &Header::cleanhtml($1,"y");
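Review bot: The new `else` at line 50 runs for every line that does not match `[**]`, including in snort mode, so the classification, address and Xref lines of a legacy multi-line snort alert each trigger `&append` and a reset of all fields; the snort fallback enabled in the first hunk therefore cannot produce correct events. The branch also drops the `unless ($line == 1 || $date ne "$monthstr/$daystr")` guard, so the first line of a suricata file appends an unparsed record (whatever the `our` variables still hold) and events from other days are no longer filtered; if `$date` carries a year on suricata lines, the guard's comparison needs the same `MM/DD` form. Make the branch suricata-only with `} elsif ($readmode ne "snort") {` and keep the guarded flush, without resetting `$line` to 1 there, since every line is an event and the reset would make the next line look like the first one again. processevent continues outside this hunk.
```perl
			} elsif ($readmode ne "snort") {
				# Suricata fast.log: one event per line. Flush the previous
				# event with the same day guard the snort branch uses; do not
				# reset $line, the next line is not the first one.
				unless ($line == 1 || $date ne "$monthstr/$daystr") {
					&append;
				}

				# … unchanged: default field values and title extraction …
			}
```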
@@ -413,7 +439,7 @@ sub processevent
                                $destport = $10;
                        }
 
-                       if ($_  =~ m/^([0-9\/]{3,5})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
+                       if ($_  =~ m/^([0-9\/]{3,10})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
                                ($date,$time) = ($1,$2);
                        }
                        if ($_ =~ m/\[Xref \=\>.*\]/) {
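Review bot: Widening the class to `[0-9\/]{3,10}` lets `$date` capture a 10-character value (presumably `MM/DD/YYYY` on suricata lines), which then never equals the `"$monthstr/$daystr"` value the day guard earlier in this function compares against, so any date filtering silently stops matching for those lines; the class is also loose enough to accept runs of slashes. Capture the month/day and an optional year separately so `$date` keeps the `MM/DD` form: `if ($_  =~ m/^([0-9]{2}\/[0-9]{2})(?:\/[0-9]{4})?\-([0-9\:]{5,8})\.([0-9]{1,14})/) {` — `$1` and `$2` then remain the date and time as before. processevent continues outside this hunk.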