]>
Commit | Line | Data |
---|---|---|
cd1a2927 MT |
1 | #!/usr/bin/perl |
2 | # | |
3 | # SmoothWall CGIs | |
4 | # | |
5 | # This code is distributed under the terms of the GPL | |
6 | # | |
7 | # (c) The SmoothWall Team | |
8 | # | |
9 | # Copyright (C) 18-03-2002 Mark Wormgoor <mark@wormgoor.com> | |
10 | # - Added links to Snort database and ipinfo.cgi | |
11 | # | |
12 | # $Id: ids.dat,v 1.6.2.16 2005/06/14 08:25:30 eoberlander Exp $ | |
13 | # | |
14 | ||
15 | use strict; | |
16 | ||
17 | # enable only the following on debugging purpose | |
18 | #use warnings; | |
19 | #use CGI::Carp 'fatalsToBrowser'; | |
20 | ||
21 | require 'CONFIG_ROOT/general-functions.pl'; | |
22 | require "${General::swroot}/lang.pl"; | |
23 | require "${General::swroot}/header.pl"; | |
24 | ||
25 | use POSIX(); | |
26 | ||
27 | #workaround to suppress a warning when a variable is used only once | |
28 | my @dummy = ( ${Header::table1colour}, ${Header::table2colour} ); | |
29 | undef (@dummy); | |
30 | ||
31 | my %cgiparams=(); | |
32 | my %logsettings=(); | |
33 | my @log=(); | |
34 | my $errormessage = ''; | |
35 | ||
36 | my @shortmonths = ( 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', | |
37 | 'Sep', 'Oct', 'Nov', 'Dec' ); | |
38 | my @longmonths = ( $Lang::tr{'january'}, $Lang::tr{'february'}, $Lang::tr{'march'}, | |
39 | $Lang::tr{'april'}, $Lang::tr{'may'}, $Lang::tr{'june'}, $Lang::tr{'july'}, $Lang::tr{'august'}, | |
40 | $Lang::tr{'september'}, $Lang::tr{'october'}, $Lang::tr{'november'}, | |
41 | $Lang::tr{'december'} ); | |
42 | ||
43 | my @now = localtime(time); | |
44 | my $dow = $now[6]; | |
45 | my $doy = $now[7]; | |
46 | my $tdoy = $now[7]; | |
47 | my $year = $now[5]+1900; | |
48 | ||
49 | $cgiparams{'DAY'} = $now[3]; | |
50 | $cgiparams{'MONTH'} = $now[4]; | |
51 | $cgiparams{'ACTION'} = ''; | |
52 | ||
53 | &Header::getcgihash(\%cgiparams); | |
54 | $logsettings{'LOGVIEW_REVERSE'} = 'off'; | |
55 | &General::readhash("${General::swroot}/logging/settings", \%logsettings); | |
56 | ${Header::viewsize} = defined ($logsettings{'LOGVIEW_VIEWSIZE'}) ? $logsettings{'LOGVIEW_VIEWSIZE'} : 150; | |
57 | $Header::viewsize /= 5; # each ids is displayed on 5 lines | |
58 | ||
59 | $now[4] = $cgiparams{'MONTH'}+1; | |
60 | if($now[4] < 10) { | |
61 | $now[4] = "0$now[4]"; } | |
62 | ||
63 | my $start = -1; | |
64 | if ($ENV{'QUERY_STRING'} && $cgiparams{'ACTION'} ne $Lang::tr{'update'}) | |
65 | { | |
66 | my @temp = split(',',$ ENV{'QUERY_STRING'}); | |
67 | $start = $temp[0]; | |
68 | $cgiparams{'MONTH'} = $temp[1]; | |
69 | $cgiparams{'DAY'} = $temp[2]; | |
70 | } | |
71 | ||
72 | if (!($cgiparams{'MONTH'} =~ /^(0|1|2|3|4|5|6|7|8|9|10|11)$/) || | |
73 | !($cgiparams{'DAY'} =~ /^(1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31)$/)) | |
74 | { | |
75 | $cgiparams{'DAY'} = $now[3]; | |
76 | $cgiparams{'MONTH'} = $now[4]; | |
77 | } | |
78 | elsif($cgiparams{'ACTION'} eq '>>') | |
79 | { | |
80 | my @temp_then=(); | |
81 | my @temp_now = localtime(time); | |
82 | $temp_now[4] = $cgiparams{'MONTH'}; | |
83 | $temp_now[3] = $cgiparams{'DAY'}; | |
84 | @temp_then = localtime(POSIX::mktime(@temp_now) + 86400); | |
85 | ## Retrieve the same time on the next day + | |
86 | ## 86400 seconds in a day | |
87 | $cgiparams{'MONTH'} = $temp_then[4]; | |
88 | $cgiparams{'DAY'} = $temp_then[3]; | |
89 | } | |
90 | elsif($cgiparams{'ACTION'} eq '<<') | |
91 | { | |
92 | my @temp_then=(); | |
93 | my @temp_now = localtime(time); | |
94 | $temp_now[4] = $cgiparams{'MONTH'}; | |
95 | $temp_now[3] = $cgiparams{'DAY'}; | |
96 | @temp_then = localtime(POSIX::mktime(@temp_now) - 86400); | |
97 | ## Retrieve the same time on the previous day - | |
98 | ## 86400 seconds in a day | |
99 | $cgiparams{'MONTH'} = $temp_then[4]; | |
100 | $cgiparams{'DAY'} = $temp_then[3]; | |
101 | } | |
102 | ||
103 | ||
104 | if (($cgiparams{'DAY'} ne $now[3]) || ($cgiparams{'MONTH'} ne $now[4])) | |
105 | { | |
106 | my @then = (); | |
107 | if ( ( $cgiparams{'MONTH'} eq $now[4]) && ($cgiparams{'DAY'} > $now[3]) || | |
108 | ( $cgiparams{'MONTH'} > $now[4] ) ) { | |
109 | @then = localtime(POSIX::mktime( 0, 0, 0, $cgiparams{'DAY'}, $cgiparams{'MONTH'}, $year - 1901 )); | |
110 | } else { | |
111 | @then = localtime(POSIX::mktime( 0, 0, 0, $cgiparams{'DAY'}, $cgiparams{'MONTH'}, $year - 1900 )); | |
112 | } | |
113 | $tdoy = $then[7]; | |
114 | my $lastleap=($year-1)%4; | |
115 | if ($tdoy>$doy) { | |
116 | if ($lastleap == 0 && $tdoy < 60) { | |
117 | $doy=$doy+366; | |
118 | } else { | |
119 | $doy=$doy+365; | |
120 | } | |
121 | } | |
122 | } | |
123 | my $datediff=0; | |
124 | my $dowd=0; | |
125 | my $multifile=0; | |
126 | if ($tdoy ne $doy) { | |
127 | $datediff=int(($doy-$tdoy)/7); | |
128 | $dowd=($doy-$tdoy)%7; | |
129 | if (($dow-$dowd)<1) { | |
130 | $datediff=$datediff+1; | |
131 | } | |
132 | if (($dow-$dowd)==0) { | |
133 | $multifile=1; | |
134 | } | |
135 | } | |
136 | ||
137 | my $longmonthstr = $longmonths[$cgiparams{'MONTH'}]; | |
138 | my $monthnum = $cgiparams{'MONTH'} + 1; | |
139 | my $monthstr = $monthnum <= 9 ? "0$monthnum" : "$monthnum"; | |
140 | my $daystr = $cgiparams{'DAY'} <= 9 ? "0$cgiparams{'DAY'}" : "$cgiparams{'DAY'}"; | |
141 | ||
142 | my $lines = 0; | |
143 | my ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs); | |
144 | ||
145 | &processevent; | |
146 | ||
147 | if ($multifile) { | |
148 | $datediff=$datediff-1; | |
149 | &processevent; | |
150 | } | |
151 | ||
152 | if ($cgiparams{'ACTION'} eq $Lang::tr{'export'}) | |
153 | { | |
154 | print "Content-type: text/plain\n\n"; | |
155 | print "IPCop IDS snort log\r\n"; | |
156 | print "Date: $cgiparams{'DAY'} $longmonths[$cgiparams{'MONTH'}]\r\n"; | |
157 | print "\r\n"; | |
158 | ||
159 | if ($logsettings{'LOGVIEW_REVERSE'} eq 'on') { @log = reverse @log; } | |
160 | ||
161 | foreach $_ (@log) | |
162 | { | |
163 | my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/\|/); | |
164 | $refs =~ s/,$//; | |
165 | print "Date: $datetime\n"; | |
166 | print "Name: $title\n"; | |
167 | print "Priority: $priority\n"; | |
168 | print "Type: $classification\n"; | |
169 | print "IP Info: "; | |
170 | print "$srcip"; | |
171 | if ($srcport != "n/a") { | |
172 | print ":$srcport"; | |
173 | } | |
174 | print " -> "; | |
175 | print "$destip"; | |
176 | if ($destport != "n/a") { | |
177 | print ":$destport"; | |
178 | } | |
179 | print "\n"; | |
180 | print "SID: $sid\n"; | |
181 | print "Refs: $refs\n\n"; | |
182 | } | |
183 | ||
184 | exit; | |
185 | } | |
186 | ||
187 | &Header::showhttpheaders(); | |
188 | ||
189 | &Header::openpage($Lang::tr{'ids log viewer'}, 1, ''); | |
190 | ||
191 | &Header::openbigbox('100%', 'left', '', $errormessage); | |
192 | ||
193 | if ($errormessage) { | |
194 | &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); | |
195 | print "<font class='base'>$errormessage </font>\n"; | |
196 | &Header::closebox(); | |
197 | } | |
198 | ||
199 | &Header::openbox('100%', 'left', "$Lang::tr{'settings'}:"); | |
200 | ||
201 | print <<END | |
202 | <form method='post' action="$ENV{'SCRIPT_NAME'}"> | |
203 | <table width='100%'> | |
204 | <tr> | |
205 | <td width='10%' class='base'>$Lang::tr{'month'}: </td> | |
206 | <td width='10%'> | |
207 | <select name='MONTH'> | |
208 | END | |
209 | ; | |
210 | for (my $month = 0; $month < 12; $month++) | |
211 | { | |
212 | print "\t<option "; | |
213 | if ($month == $cgiparams{'MONTH'}) { | |
214 | print 'selected="selected" '; } | |
215 | print "value='$month'>$longmonths[$month]</option>\n"; | |
216 | } | |
217 | print <<END | |
218 | </select> | |
219 | </td> | |
220 | <td width='10%' class='base' align='right'> $Lang::tr{'day'}: </td> | |
221 | <td width='40%'> | |
222 | <select name='DAY'> | |
223 | END | |
224 | ; | |
225 | for (my $day = 1; $day <= 31; $day++) | |
226 | { | |
227 | print "\t<option "; | |
228 | if ($day == $cgiparams{'DAY'}) { | |
229 | print 'selected="selected" '; } | |
230 | print "value='$day'>$day</option>\n"; | |
231 | } | |
232 | print <<END | |
233 | </select> | |
234 | </td> | |
235 | <td width='5%' align='center'><input type='submit' name='ACTION' title='$Lang::tr{'day before'}' value='<<' /></td> | |
236 | <td width='5%' align='center'><input type='submit' name='ACTION' title='$Lang::tr{'day after'}' value='>>' /></td> | |
237 | <td width='10%' align='center'><input type='submit' name='ACTION' value='$Lang::tr{'update'}' /></td> | |
238 | <td width='10%' align='center'><input type='submit' name='ACTION' value='$Lang::tr{'export'}' /></td> | |
239 | </tr> | |
240 | </table> | |
241 | </form> | |
242 | END | |
243 | ; | |
244 | ||
245 | &Header::closebox(); | |
246 | ||
247 | &Header::openbox('100%', 'left', $Lang::tr{'log'}); | |
248 | print "<p><b>$Lang::tr{'snort hits'} $longmonthstr $daystr: $lines</b></p>"; | |
249 | ||
250 | if ($start == -1) { | |
251 | $start = $lines - ${Header::viewsize}; } | |
252 | if ($start >= $lines - ${Header::viewsize}) { $start = $lines - ${Header::viewsize}; }; | |
253 | if ($start < 0) { $start = 0; } | |
254 | ||
255 | my $prev = $start - ${Header::viewsize}; | |
256 | my $next = $start + ${Header::viewsize}; | |
257 | ||
258 | if ($prev < 0) { $prev = 0; } | |
259 | if ($next >= $lines) { $next = -1 } | |
260 | if ($start == 0) { $prev = -1; } | |
261 | my @slice = splice(@log, $start, ${Header::viewsize}); | |
262 | ||
263 | if ($logsettings{'LOGVIEW_REVERSE'} eq 'on') { @slice = reverse @slice; } | |
264 | ||
265 | if ($lines != 0) { | |
266 | ||
267 | &oldernewer(); | |
268 | ||
269 | $lines = 0; | |
270 | ||
271 | print <<END | |
272 | <table width='100%'> | |
273 | END | |
274 | ; | |
275 | ||
276 | foreach $_ (@slice) | |
277 | { | |
278 | if ($lines % 2) { | |
279 | print "<tr bgcolor='${Header::table1colour}'><td>\n"; } | |
280 | else { | |
281 | print "<tr bgcolor='${Header::table2colour}'><td>\n"; } | |
282 | my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/\|/); | |
283 | print <<END | |
284 | <table width='100%'> | |
285 | <tr> | |
286 | <td width='15%'><b>$Lang::tr{'date'}:</b></td><td width='25%'>$datetime</td> | |
287 | <td width='10%'><b>$Lang::tr{'name'}:</b></td><td width='50%'>$title</td> | |
288 | </tr> | |
289 | <tr><td><b>$Lang::tr{'priority'}:</b></td><td>$priority</td> | |
290 | <td><b>$Lang::tr{'type'}:</b></td><td>$classification</td> | |
291 | </tr> | |
292 | <tr><td><b>$Lang::tr{'ipinfo'}:</b></td> | |
293 | <td colspan='3'> | |
294 | END | |
295 | ; | |
296 | if ($srcip ne "n/a") { | |
297 | print "<a href='/cgi-bin/ipinfo.cgi?ip=$srcip'>$srcip</a>"; | |
298 | } else { | |
299 | print "$srcip"; | |
300 | } | |
301 | print ":$srcport -> "; | |
302 | if ($destip ne "n/a") { | |
303 | print "<a href='/cgi-bin/ipinfo.cgi?ip=$destip'>$destip</a>"; | |
304 | } else { | |
305 | print "$destip"; | |
306 | } | |
307 | print ":$destport"; | |
308 | print <<END | |
309 | </td> | |
310 | </tr> | |
311 | <tr><td valign='top'><b>$Lang::tr{'references'}:</b></td><td valign='top'> | |
312 | END | |
313 | ; | |
314 | foreach my $ref (split(/,/,$refs)) { | |
315 | if ($ref =~ m/url (.*)/) { | |
316 | print "<a href='http://$1'>$1</a><br />"; | |
317 | } elsif ($ref =~ m/cve (.*)/) { | |
318 | print "<a href='http://cve.mitre.org/cgi-bin/cvename.cgi?name=$1'>$1</a><br />"; | |
319 | } elsif ($ref =~ m/nessus (.*)/) { | |
320 | print "<a href='http://cgi.nessus.org/plugins/dump.php3?id=$1'>Nessus $1</a><br />"; | |
321 | } elsif ($ref =~ m/bugtraq (.*)/) { | |
322 | print "<a href='http://www.securityfocus.com/bid/$1'>Bugtraq $1</a><br />"; | |
323 | } else { | |
324 | print "$ref<br />"; | |
325 | } | |
326 | } | |
327 | print $Lang::tr{'none found'} unless $refs =~ /,/; | |
328 | print <<END | |
329 | <td valign='top'><b>SID:</b></td> | |
330 | <td valign='top'> | |
331 | END | |
332 | ; | |
333 | if ($sid ne "n/a") { | |
334 | print "<a href='http://www.snort.org/pub-bin/sigs.cgi?sid=$sid' "; | |
335 | print "target='_blank'>$sid</a></td>\n"; | |
336 | } else { | |
337 | print $sid; | |
338 | } | |
339 | print <<END | |
340 | </tr> | |
341 | </table> | |
342 | </td></tr> | |
343 | END | |
344 | ; | |
345 | $lines++; | |
346 | } | |
347 | ||
348 | print "</table>"; | |
349 | ||
350 | } | |
351 | ||
352 | &oldernewer(); | |
353 | ||
354 | &Header::closebox(); | |
355 | ||
356 | &Header::closebigbox(); | |
357 | ||
358 | &Header::closepage(); | |
359 | ||
360 | sub processevent | |
361 | { | |
362 | our ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs); | |
363 | ||
364 | my $filestr=''; | |
365 | if ($datediff==0) { | |
366 | $filestr="/var/log/snort/alert"; | |
367 | } else { | |
368 | $filestr="/var/log/snort/alert.$datediff"; | |
369 | $filestr = "$filestr.gz" if -f "$filestr.gz"; | |
370 | } | |
371 | if (!(open (LOG,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) { | |
372 | $errormessage="$errormessage$Lang::tr{'date not in logs'}: $filestr $Lang::tr{'could not be opened'}"; | |
373 | } else { | |
374 | my $line = 0; | |
375 | ||
376 | while(<LOG>) { | |
377 | $line++; | |
378 | if ($_ =~ m/\[\*\*\]/) { | |
379 | unless ($line == 1 || $date ne "$monthstr/$daystr") { | |
380 | &append; | |
381 | $line = 1; | |
382 | } | |
383 | ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a"); | |
384 | @refs = (); | |
385 | $_ =~ m/:([0-9]{1,4})\] (.*) \[\*\*\]/; | |
386 | $title = &Header::cleanhtml($2,"y"); | |
387 | } | |
388 | if ($_ =~ m/Classification: (.*)\] \[Priority: (\d)\]/) { | |
389 | $classification = &Header::cleanhtml($1,"y"); | |
390 | $priority = $2; | |
391 | } | |
392 | if ($_ =~ m/([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3}) \-\> ([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/) { | |
393 | $srcip = $1 . "." . $2 . "." . $3 . "." . $4; | |
394 | $destip = $5 . "." . $6 . "." . $7 . "." . $8; | |
395 | } | |
396 | if ($_ =~ m/([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\:([0-9]{1,6}) \-\> ([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\:([0-9]{1,6})/) { | |
397 | $srcip = $1 . "." . $2 . "." . $3 . "." . $4; | |
398 | $srcport = $5; | |
399 | $destip = $6 . "." . $7 . "." . $8 . "." . $9; | |
400 | $destport = $10; | |
401 | } | |
402 | ||
403 | if ($_ =~ m/^([0-9\/]{3,5})\-([0-9\:]{5,8})\.([0-9]{1,14})/) { | |
404 | ($date,$time) = ($1,$2); | |
405 | } | |
406 | if ($_ =~ m/\[Xref \=\>.*\]/) { | |
407 | $_ =~ s/\]\[Xref \=\> /, /g; | |
408 | $_ =~ m/\[Xref \=\> (.*)\]/; | |
409 | push(@refs, $1); | |
410 | } | |
411 | if ($_ =~ m/\[1:([0-9]+):[0-9]+\]/) { | |
412 | $sid = $1; | |
413 | } | |
414 | } | |
415 | $line++; | |
416 | unless ($line == 1 || $date ne "$monthstr/$daystr") { &append; } | |
417 | close(LOG); | |
418 | } | |
419 | } | |
420 | ||
421 | sub append | |
422 | { | |
423 | our ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs); | |
424 | ||
425 | $log[$lines] = "$date $time|$title|$priority|$classification|$srcip|$srcport|$destip|$destport|$sid|"; | |
426 | foreach $_ (@refs) { | |
427 | $log[$lines] = "$log[$lines]$_,"; } | |
428 | $lines++; | |
429 | } | |
430 | ||
431 | sub oldernewer | |
432 | { | |
433 | print <<END | |
434 | <table width='100%'> | |
435 | <tr> | |
436 | END | |
437 | ; | |
438 | ||
439 | print "<td align='center' width='50%'>"; | |
440 | if ($prev != -1) { | |
441 | print "<a href='/cgi-bin/logs.cgi/ids.dat?$prev,$cgiparams{'MONTH'},$cgiparams{'DAY'}'>$Lang::tr{'older'}</a>"; } | |
442 | else { | |
443 | print "$Lang::tr{'older'}"; } | |
444 | print "</td>\n"; | |
445 | ||
446 | print "<td align='center' width='50%'>"; | |
447 | if ($next != -1) { | |
448 | print "<a href='/cgi-bin/logs.cgi/ids.dat?$next,$cgiparams{'MONTH'},$cgiparams{'DAY'}'>$Lang::tr{'newer'}</a>"; } | |
449 | else { | |
450 | print "$Lang::tr{'newer'}"; } | |
451 | print "</td>\n"; | |
452 | ||
453 | print <<END | |
454 | </tr> | |
455 | </table> | |
456 | END | |
457 | ; | |
458 | } |