]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blame - html/cgi-bin/logs.cgi/ids.dat
logs.cgi/ids.dat: Change url for snort sid details.
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / logs.cgi / ids.dat
CommitLineData
cd1a2927
MT
1#!/usr/bin/perl
2#
3# SmoothWall CGIs
4#
5# This code is distributed under the terms of the GPL
6#
7# (c) The SmoothWall Team
8#
9# Copyright (C) 18-03-2002 Mark Wormgoor <mark@wormgoor.com>
10# - Added links to Snort database and ipinfo.cgi
11#
12# $Id: ids.dat,v 1.6.2.16 2005/06/14 08:25:30 eoberlander Exp $
13#
14
15use strict;
16
17# enable only the following on debugging purpose
18#use warnings;
19#use CGI::Carp 'fatalsToBrowser';
20
986e08d9 21require '/var/ipfire/general-functions.pl';
cd1a2927
MT
22require "${General::swroot}/lang.pl";
23require "${General::swroot}/header.pl";
24
f2fdd0c1
CS
25my %color = ();
26my %mainsettings = ();
27&General::readhash("${General::swroot}/main/settings", \%mainsettings);
28&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
29
cd1a2927
MT
30use POSIX();
31
32#workaround to suppress a warning when a variable is used only once
33my @dummy = ( ${Header::table1colour}, ${Header::table2colour} );
34undef (@dummy);
35
36my %cgiparams=();
37my %logsettings=();
38my @log=();
39my $errormessage = '';
40
41my @shortmonths = ( 'Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug',
42 'Sep', 'Oct', 'Nov', 'Dec' );
43my @longmonths = ( $Lang::tr{'january'}, $Lang::tr{'february'}, $Lang::tr{'march'},
44 $Lang::tr{'april'}, $Lang::tr{'may'}, $Lang::tr{'june'}, $Lang::tr{'july'}, $Lang::tr{'august'},
45 $Lang::tr{'september'}, $Lang::tr{'october'}, $Lang::tr{'november'},
46 $Lang::tr{'december'} );
47
48my @now = localtime(time);
49my $dow = $now[6];
50my $doy = $now[7];
51my $tdoy = $now[7];
52my $year = $now[5]+1900;
53
54$cgiparams{'DAY'} = $now[3];
55$cgiparams{'MONTH'} = $now[4];
56$cgiparams{'ACTION'} = '';
57
58&Header::getcgihash(\%cgiparams);
59$logsettings{'LOGVIEW_REVERSE'} = 'off';
60&General::readhash("${General::swroot}/logging/settings", \%logsettings);
61${Header::viewsize} = defined ($logsettings{'LOGVIEW_VIEWSIZE'}) ? $logsettings{'LOGVIEW_VIEWSIZE'} : 150;
62$Header::viewsize /= 5; # each ids is displayed on 5 lines
63
64$now[4] = $cgiparams{'MONTH'}+1;
65if($now[4] < 10) {
66 $now[4] = "0$now[4]"; }
67
68my $start = -1;
69if ($ENV{'QUERY_STRING'} && $cgiparams{'ACTION'} ne $Lang::tr{'update'})
70{
71 my @temp = split(',',$ ENV{'QUERY_STRING'});
72 $start = $temp[0];
73 $cgiparams{'MONTH'} = $temp[1];
74 $cgiparams{'DAY'} = $temp[2];
75}
76
77if (!($cgiparams{'MONTH'} =~ /^(0|1|2|3|4|5|6|7|8|9|10|11)$/) ||
78 !($cgiparams{'DAY'} =~ /^(1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31)$/))
79{
80 $cgiparams{'DAY'} = $now[3];
81 $cgiparams{'MONTH'} = $now[4];
82}
83elsif($cgiparams{'ACTION'} eq '>>')
84{
85 my @temp_then=();
86 my @temp_now = localtime(time);
87 $temp_now[4] = $cgiparams{'MONTH'};
88 $temp_now[3] = $cgiparams{'DAY'};
89 @temp_then = localtime(POSIX::mktime(@temp_now) + 86400);
90 ## Retrieve the same time on the next day +
91 ## 86400 seconds in a day
92 $cgiparams{'MONTH'} = $temp_then[4];
93 $cgiparams{'DAY'} = $temp_then[3];
94}
95elsif($cgiparams{'ACTION'} eq '<<')
96{
97 my @temp_then=();
98 my @temp_now = localtime(time);
99 $temp_now[4] = $cgiparams{'MONTH'};
100 $temp_now[3] = $cgiparams{'DAY'};
101 @temp_then = localtime(POSIX::mktime(@temp_now) - 86400);
102 ## Retrieve the same time on the previous day -
103 ## 86400 seconds in a day
104 $cgiparams{'MONTH'} = $temp_then[4];
105 $cgiparams{'DAY'} = $temp_then[3];
106}
107
108
109if (($cgiparams{'DAY'} ne $now[3]) || ($cgiparams{'MONTH'} ne $now[4]))
110{
111 my @then = ();
112 if ( ( $cgiparams{'MONTH'} eq $now[4]) && ($cgiparams{'DAY'} > $now[3]) ||
113 ( $cgiparams{'MONTH'} > $now[4] ) ) {
114 @then = localtime(POSIX::mktime( 0, 0, 0, $cgiparams{'DAY'}, $cgiparams{'MONTH'}, $year - 1901 ));
115 } else {
116 @then = localtime(POSIX::mktime( 0, 0, 0, $cgiparams{'DAY'}, $cgiparams{'MONTH'}, $year - 1900 ));
117 }
118 $tdoy = $then[7];
119 my $lastleap=($year-1)%4;
120 if ($tdoy>$doy) {
121 if ($lastleap == 0 && $tdoy < 60) {
122 $doy=$doy+366;
123 } else {
124 $doy=$doy+365;
125 }
126 }
127}
128my $datediff=0;
129my $dowd=0;
130my $multifile=0;
131if ($tdoy ne $doy) {
132 $datediff=int(($doy-$tdoy)/7);
133 $dowd=($doy-$tdoy)%7;
134 if (($dow-$dowd)<1) {
135 $datediff=$datediff+1;
136 }
137 if (($dow-$dowd)==0) {
138 $multifile=1;
139 }
140}
141
142my $longmonthstr = $longmonths[$cgiparams{'MONTH'}];
143my $monthnum = $cgiparams{'MONTH'} + 1;
144my $monthstr = $monthnum <= 9 ? "0$monthnum" : "$monthnum";
145my $daystr = $cgiparams{'DAY'} <= 9 ? "0$cgiparams{'DAY'}" : "$cgiparams{'DAY'}";
146
147my $lines = 0;
148my ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs);
149
150&processevent;
151
152if ($multifile) {
153 $datediff=$datediff-1;
154 &processevent;
155}
156
157if ($cgiparams{'ACTION'} eq $Lang::tr{'export'})
158{
159 print "Content-type: text/plain\n\n";
78331e30 160 print "IPFire IDS snort log\r\n";
cd1a2927
MT
161 print "Date: $cgiparams{'DAY'} $longmonths[$cgiparams{'MONTH'}]\r\n";
162 print "\r\n";
163
164 if ($logsettings{'LOGVIEW_REVERSE'} eq 'on') { @log = reverse @log; }
165
166 foreach $_ (@log)
167 {
168 my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/\|/);
169 $refs =~ s/,$//;
170 print "Date: $datetime\n";
171 print "Name: $title\n";
172 print "Priority: $priority\n";
173 print "Type: $classification\n";
174 print "IP Info: ";
175 print "$srcip";
176 if ($srcport != "n/a") {
177 print ":$srcport";
178 }
179 print " -> ";
180 print "$destip";
181 if ($destport != "n/a") {
182 print ":$destport";
183 }
184 print "\n";
185 print "SID: $sid\n";
186 print "Refs: $refs\n\n";
187 }
188
189 exit;
190}
191
192&Header::showhttpheaders();
193
194&Header::openpage($Lang::tr{'ids log viewer'}, 1, '');
195
196&Header::openbigbox('100%', 'left', '', $errormessage);
197
198if ($errormessage) {
199 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
200 print "<font class='base'>$errormessage&nbsp;</font>\n";
201 &Header::closebox();
202}
203
204&Header::openbox('100%', 'left', "$Lang::tr{'settings'}:");
205
206print <<END
207<form method='post' action="$ENV{'SCRIPT_NAME'}">
208<table width='100%'>
209<tr>
210 <td width='10%' class='base'>$Lang::tr{'month'}:&nbsp;</td>
211 <td width='10%'>
212 <select name='MONTH'>
213END
214;
215for (my $month = 0; $month < 12; $month++)
216{
217 print "\t<option ";
218 if ($month == $cgiparams{'MONTH'}) {
219 print 'selected="selected" '; }
220 print "value='$month'>$longmonths[$month]</option>\n";
221}
222print <<END
223 </select>
224 </td>
225 <td width='10%' class='base' align='right'>&nbsp;$Lang::tr{'day'}:&nbsp;</td>
226 <td width='40%'>
227 <select name='DAY'>
228END
229;
230for (my $day = 1; $day <= 31; $day++)
231{
232 print "\t<option ";
233 if ($day == $cgiparams{'DAY'}) {
234 print 'selected="selected" '; }
235 print "value='$day'>$day</option>\n";
236}
237print <<END
238 </select>
239 </td>
240 <td width='5%' align='center'><input type='submit' name='ACTION' title='$Lang::tr{'day before'}' value='&lt;&lt;' /></td>
241 <td width='5%' align='center'><input type='submit' name='ACTION' title='$Lang::tr{'day after'}' value='&gt;&gt;' /></td>
242 <td width='10%' align='center'><input type='submit' name='ACTION' value='$Lang::tr{'update'}' /></td>
243 <td width='10%' align='center'><input type='submit' name='ACTION' value='$Lang::tr{'export'}' /></td>
244</tr>
245</table>
246</form>
247END
248;
249
250&Header::closebox();
251
252&Header::openbox('100%', 'left', $Lang::tr{'log'});
253print "<p><b>$Lang::tr{'snort hits'} $longmonthstr $daystr: $lines</b></p>";
254
255if ($start == -1) {
256 $start = $lines - ${Header::viewsize}; }
257if ($start >= $lines - ${Header::viewsize}) { $start = $lines - ${Header::viewsize}; };
258if ($start < 0) { $start = 0; }
259
260my $prev = $start - ${Header::viewsize};
261my $next = $start + ${Header::viewsize};
262
263if ($prev < 0) { $prev = 0; }
264if ($next >= $lines) { $next = -1 }
265if ($start == 0) { $prev = -1; }
266my @slice = splice(@log, $start, ${Header::viewsize});
267
268if ($logsettings{'LOGVIEW_REVERSE'} eq 'on') { @slice = reverse @slice; }
269
270if ($lines != 0) {
271
272&oldernewer();
273
274$lines = 0;
275
276print <<END
277<table width='100%'>
278END
279;
280
281foreach $_ (@slice)
282{
283 if ($lines % 2) {
f2fdd0c1 284 print "<tr bgcolor='$color{'color20'}'><td>\n"; }
cd1a2927 285 else {
f2fdd0c1 286 print "<tr bgcolor='$color{'color22'}'><td>\n"; }
cd1a2927
MT
287 my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/\|/);
288 print <<END
289<table width='100%'>
290<tr>
291<td width='15%'><b>$Lang::tr{'date'}:</b></td><td width='25%'>$datetime</td>
292<td width='10%'><b>$Lang::tr{'name'}:</b></td><td width='50%'>$title</td>
293</tr>
294<tr><td><b>$Lang::tr{'priority'}:</b></td><td>$priority</td>
295<td><b>$Lang::tr{'type'}:</b></td><td>$classification</td>
296</tr>
297<tr><td><b>$Lang::tr{'ipinfo'}:</b></td>
298<td colspan='3'>
299END
300 ;
301 if ($srcip ne "n/a") {
302 print "<a href='/cgi-bin/ipinfo.cgi?ip=$srcip'>$srcip</a>";
303 } else {
304 print "$srcip";
305 }
306 print ":$srcport -&gt; ";
307 if ($destip ne "n/a") {
308 print "<a href='/cgi-bin/ipinfo.cgi?ip=$destip'>$destip</a>";
309 } else {
310 print "$destip";
311 }
312 print ":$destport";
313print <<END
314</td>
315</tr>
316<tr><td valign='top'><b>$Lang::tr{'references'}:</b></td><td valign='top'>
317END
318;
319 foreach my $ref (split(/,/,$refs)) {
320 if ($ref =~ m/url (.*)/) {
321 print "<a href='http://$1'>$1</a><br />";
322 } elsif ($ref =~ m/cve (.*)/) {
323 print "<a href='http://cve.mitre.org/cgi-bin/cvename.cgi?name=$1'>$1</a><br />";
324 } elsif ($ref =~ m/nessus (.*)/) {
325 print "<a href='http://cgi.nessus.org/plugins/dump.php3?id=$1'>Nessus $1</a><br />";
326 } elsif ($ref =~ m/bugtraq (.*)/) {
327 print "<a href='http://www.securityfocus.com/bid/$1'>Bugtraq $1</a><br />";
328 } else {
329 print "$ref<br />";
330 }
331 }
332 print $Lang::tr{'none found'} unless $refs =~ /,/;
333print <<END
334<td valign='top'><b>SID:</b></td>
335<td valign='top'>
336END
337 ;
338 if ($sid ne "n/a") {
9cc46b56 339 print "<a href='https://www.snort.org/rule_docs/$sid' ";
cd1a2927
MT
340 print "target='_blank'>$sid</a></td>\n";
341 } else {
342 print $sid;
343 }
344print <<END
345</tr>
346</table>
347</td></tr>
348END
349 ;
350 $lines++;
351}
352
353print "</table>";
354
355}
356
357&oldernewer();
358
359&Header::closebox();
360
361&Header::closebigbox();
362
363&Header::closepage();
364
365sub processevent
366{
367 our ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs);
368
369 my $filestr='';
370 if ($datediff==0) {
371 $filestr="/var/log/snort/alert";
372 } else {
373 $filestr="/var/log/snort/alert.$datediff";
374 $filestr = "$filestr.gz" if -f "$filestr.gz";
375 }
376 if (!(open (LOG,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) {
377 $errormessage="$errormessage$Lang::tr{'date not in logs'}: $filestr $Lang::tr{'could not be opened'}";
378 } else {
379 my $line = 0;
380
381 while(<LOG>) {
382 $line++;
383 if ($_ =~ m/\[\*\*\]/) {
384 unless ($line == 1 || $date ne "$monthstr/$daystr") {
385 &append;
386 $line = 1;
387 }
388 ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
389 @refs = ();
390 $_ =~ m/:([0-9]{1,4})\] (.*) \[\*\*\]/;
391 $title = &Header::cleanhtml($2,"y");
392 }
393 if ($_ =~ m/Classification: (.*)\] \[Priority: (\d)\]/) {
394 $classification = &Header::cleanhtml($1,"y");
395 $priority = $2;
396 }
397 if ($_ =~ m/([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3}) \-\> ([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/) {
398 $srcip = $1 . "." . $2 . "." . $3 . "." . $4;
399 $destip = $5 . "." . $6 . "." . $7 . "." . $8;
400 }
401 if ($_ =~ m/([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\:([0-9]{1,6}) \-\> ([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\:([0-9]{1,6})/) {
402 $srcip = $1 . "." . $2 . "." . $3 . "." . $4;
403 $srcport = $5;
404 $destip = $6 . "." . $7 . "." . $8 . "." . $9;
405 $destport = $10;
406 }
407
408 if ($_ =~ m/^([0-9\/]{3,5})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
409 ($date,$time) = ($1,$2);
410 }
411 if ($_ =~ m/\[Xref \=\>.*\]/) {
412 $_ =~ s/\]\[Xref \=\> /, /g;
413 $_ =~ m/\[Xref \=\> (.*)\]/;
414 push(@refs, $1);
415 }
416 if ($_ =~ m/\[1:([0-9]+):[0-9]+\]/) {
417 $sid = $1;
418 }
419 }
420 $line++;
421 unless ($line == 1 || $date ne "$monthstr/$daystr") { &append; }
422 close(LOG);
423 }
424}
425
426sub append
427{
428 our ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs);
429
430 $log[$lines] = "$date $time|$title|$priority|$classification|$srcip|$srcport|$destip|$destport|$sid|";
431 foreach $_ (@refs) {
432 $log[$lines] = "$log[$lines]$_,"; }
433 $lines++;
434}
435
436sub oldernewer
437{
438print <<END
439<table width='100%'>
440<tr>
441END
442;
443
444print "<td align='center' width='50%'>";
445if ($prev != -1) {
446 print "<a href='/cgi-bin/logs.cgi/ids.dat?$prev,$cgiparams{'MONTH'},$cgiparams{'DAY'}'>$Lang::tr{'older'}</a>"; }
447else {
448 print "$Lang::tr{'older'}"; }
449print "</td>\n";
450
451print "<td align='center' width='50%'>";
452if ($next != -1) {
453 print "<a href='/cgi-bin/logs.cgi/ids.dat?$next,$cgiparams{'MONTH'},$cgiparams{'DAY'}'>$Lang::tr{'newer'}</a>"; }
454else {
455 print "$Lang::tr{'newer'}"; }
456print "</td>\n";
457
458print <<END
459</tr>
460</table>
461END
462;
463}