our ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs);
my $filestr='';
+ my $readmode='';
if ($datediff==0) {
- $filestr="/var/log/snort/alert";
+ # If there is no datediff, directly assign the suricata fast.log.
+ $filestr="/var/log/suricata/fast.log";
} else {
- $filestr="/var/log/snort/alert.$datediff";
- $filestr = "$filestr.gz" if -f "$filestr.gz";
+ # If there is a datediff, assign the datediff to the filestring.
+ $filestr="/var/log/suricata/fast.log.$datediff";
+
+ # The files are compressed add the extension to the filestring.
+ $filestr="$filestr.gz";
+
+ # If the file does not exist, try to fallback to legacy snort alert file.
+ unless (-f $filestr) {
+ # Assign snort alert file, the datediff and extension for compressed file.
+ $filestr = "/var/log/snort/alert.$datediff";
+ $filestr = "$filestr.gz";
+
+ # Assign "snort" as readmode.
+ $readmode="snort";
+ }
}
if (!(open (LOG,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) {
$errormessage="$errormessage$Lang::tr{'date not in logs'}: $filestr $Lang::tr{'could not be opened'}";
while(<LOG>) {
$line++;
- if ($_ =~ m/\[\*\*\]/) {
+ if (($_ =~ m/\[\*\*\]/) && ($readmode eq "snort")) {
unless ($line == 1 || $date ne "$monthstr/$daystr") {
&append;
$line = 1;
}
- ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
+ ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
@refs = ();
$_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
$title = &Header::cleanhtml($2,"y");
+ } else {
+ &append;
+ $line = 1;
+
+ # Assign default values.
+ ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
+ @refs = ();
+
+ # Gather title details from line.
+ $_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
+ $title = &Header::cleanhtml($2,"y");
}
if ($_ =~ m/Classification: (.*)\] \[Priority: (\d)\]/) {
$classification = &Header::cleanhtml($1,"y");
$destport = $10;
}
- if ($_ =~ m/^([0-9\/]{3,5})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
+ if ($_ =~ m/^([0-9\/]{3,10})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
($date,$time) = ($1,$2);
}
if ($_ =~ m/\[Xref \=\>.*\]/) {