From f5ddcad1cc38cfcc3b01f819bc4c4f01e6d1c189 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Thu, 6 Sep 2018 12:09:34 +0200
Subject: [PATCH] logs.cgi/ids.dat: Adjust code to show suricata events

As default show the events generated by suricata and if for a certain selected date no suricata log is available try to fall-back to read the events from the old snort alert files (if available).

Signed-off-by: Stefan Schantl
---
 html/cgi-bin/logs.cgi/ids.dat | 38 +++++++++++++++++++++++++++++------
 1 file changed, 32 insertions(+), 6 deletions(-)

diff --git a/html/cgi-bin/logs.cgi/ids.dat b/html/cgi-bin/logs.cgi/ids.dat
index 030fd4b64d..ab8cac2b60 100644
--- a/html/cgi-bin/logs.cgi/ids.dat
+++ b/html/cgi-bin/logs.cgi/ids.dat
@@ -375,11 +375,26 @@ sub processevent
 our ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs);
 my $filestr='';
+ my $readmode='';
 if ($datediff==0) {
- $filestr="/var/log/snort/alert";
+ # If there is no datediff, directly assign the suricata fast.log.
+ $filestr="/var/log/suricata/fast.log";
 } else {
- $filestr="/var/log/snort/alert.$datediff";
- $filestr = "$filestr.gz" if -f "$filestr.gz";
+ # If there is a datediff, assign the datediff to the filestring.
+ $filestr="/var/log/suricata/fast.log.$datediff";
+
+ # The files are compressed add the extension to the filestring.
+ $filestr="$filestr.gz";
+
+ # If the file does not exist, try to fallback to legacy snort alert file.
+ unless (-f $filestr) {
+ # Assign snort alert file, the datediff and extension for compressed file.
+ $filestr = "/var/log/snort/alert.$datediff";
+ $filestr = "$filestr.gz";
+
+ # Assign "snort" as readmode.
+ $readmode="snort";
+ }
 }
 if (!(open (LOG,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) {
 $errormessage="$errormessage$Lang::tr{'date not in logs'}: $filestr $Lang::tr{'could not be opened'}";
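Review bot: The new `else` branch appends `.gz` unconditionally, where the replaced line only did so `if -f "$filestr.gz"`, so an uncompressed rotated `fast.log.$datediff` (and likewise `alert.$datediff` inside the `unless` block) is never opened and the day falls through to the snort fallback or to a file that does not exist. That miss is then silent: `open (LOG, "gzip -dc $filestr |")` only fails when the fork fails, not when gzip cannot read the file, so the `could not be opened` message on the last line of the hunk never fires and the page simply shows no events. Keeping the existence test before adding the extension and testing `-f $filestr` before the open restores the error path; using the list-form pipe open at the same time keeps `$filestr`, which embeds `$datediff`, out of a shell command line (whether `$datediff` is validated before this point is not visible in the hunk). The `if ($datediff==0)` branch and the rest of processevent are unchanged below.
```perl
	# … unchanged: $datediff == 0 branch …
	} else {
		# Rotated logs are normally compressed, but only use the .gz when it is
		# actually there (as the replaced code did), so a plain file still works.
		$filestr = "/var/log/suricata/fast.log.$datediff";
		$filestr = "$filestr.gz" if -f "$filestr.gz";

		# No suricata log for that day: fall back to the legacy snort alert file.
		unless (-f $filestr) {
			$filestr = "/var/log/snort/alert.$datediff";
			$filestr = "$filestr.gz" if -f "$filestr.gz";
			$readmode = "snort";
		}
	}
	# A piped open only fails when the fork fails, not when gzip cannot read the
	# file, so test the file first; the list form keeps the path out of a shell.
	my $opened = -f $filestr
		&& ($filestr =~ /\.gz\z/ ? open(LOG, '-|', 'gzip', '-dc', $filestr)
		                         : open(LOG, '<', $filestr));
	if (!$opened) {
		$errormessage="$errormessage$Lang::tr{'date not in logs'}: $filestr $Lang::tr{'could not be opened'}";
```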
@@ -388,15 +403,26 @@ sub processevent
 while() {
 $line++;
- if ($_ =~ m/\[\*\*\]/) {
+ if (($_ =~ m/\[\*\*\]/) && ($readmode eq "snort")) {
 unless ($line == 1 || $date ne "$monthstr/$daystr") {
 &append;
 $line = 1;
 }
- ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
+ ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
 @refs = ();
 $_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
 $title = &Header::cleanhtml($2,"y");
+ } else {
+ &append;
+ $line = 1;
+
+ # Assign default values.
+ ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
+ @refs = ();
+
+ # Gather title details from line.
+ $_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
+ $title = &Header::cleanhtml($2,"y");
 }
 if ($_ =~ m/Classification: (.*)\] \[Priority: (\d)\]/) {
 $classification = &Header::cleanhtml($1,"y");
@@ -413,7 +439,7 @@ sub processevent
 $destport = $10;
 }
- if ($_ =~ m/^([0-9\/]{3,5})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
+ if ($_ =~ m/^([0-9\/]{3,10})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
 ($date,$time) = ($1,$2);
 }
 if ($_ =~ m/\[Xref \=\>.*\]/) {
-- 
2.39.5
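Review bot: The new `else` branch runs for every line that is not a snort `[**]` header, so in `snort` readmode the classification, address and Xref lines of each legacy record now reach `&append` and the `"n/a"` reset as well, splitting every snort event into fragments; the branch needs the readmode guard, `} elsif ($readmode ne "snort") {`. It also calls `&append` on the very first line of the file, before any event has been parsed, where the snort branch skips that case with `unless ($line == 1 ...)`; `unless ($line == 1) { &append; }` gives the suricata path the same protection (the date part of the snort guard cannot be reused, since the widened capture later in this patch lets `$date` carry `MM/DD/YYYY`). Whether `&append`, defined outside the hunk, already discards a record whose `$date` is still `"n/a"` is not visible here. The reset and title-extraction lines are now duplicated in both branches and could sit once below the `if`/`elsif`; the `while` loop continues past the end of the hunk.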
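Review bot: `[0-9\/]{3,10}` accepts any 3–10 character mix of digits and slashes, so a comment naming the two stamps it is meant to take would help the next reader, e.g. `# snort writes MM/DD, suricata fast.log writes MM/DD/YYYY`, and a shape such as `(\d{2}\/\d{2}(?:\/\d{4})?)` would pin exactly those two forms. With the wider capture `$date` now holds `MM/DD/YYYY` for suricata lines, which can never equal `"$monthstr/$daystr"` as compared in the snort branch earlier in processevent; if `&append` (outside the hunk) filters on that form as well, suricata events would be dropped, so that comparison should be checked against the new value.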