#use warnings;
#use CGI::Carp 'fatalsToBrowser';
-require 'CONFIG_ROOT/general-functions.pl';
+require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
+my %color = ();
+my %mainsettings = ();
+&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+
use POSIX();
#workaround to suppress a warning when a variable is used only once
if ($cgiparams{'ACTION'} eq $Lang::tr{'export'})
{
print "Content-type: text/plain\n\n";
- print "IPFire IDS snort log\r\n";
+ print "IPFire IPS log\r\n";
print "Date: $cgiparams{'DAY'} $longmonths[$cgiparams{'MONTH'}]\r\n";
print "\r\n";
{
my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/\|/);
$refs =~ s/,$//;
+
+ # Skip event if no datetime and title are available.
+ next unless (($datetime) && ($title));
+
print "Date: $datetime\n";
print "Name: $title\n";
print "Priority: $priority\n";
&Header::closebox();
&Header::openbox('100%', 'left', $Lang::tr{'log'});
-print "<p><b>$Lang::tr{'snort hits'} $longmonthstr $daystr: $lines</b></p>";
+print "<p><b>$Lang::tr{'ids log hits'} $longmonthstr $daystr: $lines</b></p>";
if ($start == -1) {
$start = $lines - ${Header::viewsize}; }
foreach $_ (@slice)
{
if ($lines % 2) {
- print "<tr bgcolor='${Header::table1colour}'><td>\n"; }
+ print "<tr bgcolor='$color{'color20'}'><td>\n"; }
else {
- print "<tr bgcolor='${Header::table2colour}'><td>\n"; }
+ print "<tr bgcolor='$color{'color22'}'><td>\n"; }
my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/\|/);
+
+ # Only show the current event if at least datetime and title are available.
+ next unless (($datetime) && ($title));
+
print <<END
<table width='100%'>
<tr>
<td valign='top'>
END
;
- if ($sid ne "n/a") {
- print "<a href='http://www.snort.org/pub-bin/sigs.cgi?sid=$sid' ";
+ if ($sid eq "n/a") {
+ print $sid;
+ } elsif ($sid < 1000000) {
+ # Link to sourcefire if the the rule sid is less than 1000000.
+ print "<a href='https://www.snort.org/rule_docs/1-$sid' ";
+ print "target='_blank'>$sid</a></td>\n";
+ } elsif ($sid >= 2000000 and $sid < 3000000) {
+ # Link to emergingthreats if the rule sid is between 2000000 and 3000000.
+ print "<a href='http://doc.emergingthreats.net/$sid' ";
print "target='_blank'>$sid</a></td>\n";
} else {
+ # No external link for user defined rules
print $sid;
}
print <<END
</tr>
-</table>
+</table><br>
</td></tr>
END
;
my $filestr='';
if ($datediff==0) {
- $filestr="/var/log/snort/alert";
+ # If there is no datediff, directly assign the suricata fast.log.
+ $filestr="/var/log/suricata/fast.log";
} else {
- $filestr="/var/log/snort/alert.$datediff";
- $filestr = "$filestr.gz" if -f "$filestr.gz";
+ # If there is a datediff, assign the datediff to the filestring.
+ $filestr="/var/log/suricata/fast.log.$datediff";
+
+ # The files are compressed add the extension to the filestring.
+ $filestr="$filestr.gz";
+
+ # If the file does not exist, try to fallback to legacy snort alert file.
+ unless (-f $filestr) {
+ # Assign snort alert file, the datediff and extension for compressed file.
+ $filestr = "/var/log/snort/alert.$datediff";
+ $filestr = "$filestr.gz";
+ }
}
if (!(open (LOG,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) {
$errormessage="$errormessage$Lang::tr{'date not in logs'}: $filestr $Lang::tr{'could not be opened'}";
&append;
$line = 1;
}
- ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
+ ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
@refs = ();
- $_ =~ m/:([0-9]{1,4})\] (.*) \[\*\*\]/;
+ $_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
$title = &Header::cleanhtml($2,"y");
}
if ($_ =~ m/Classification: (.*)\] \[Priority: (\d)\]/) {
$destport = $10;
}
- if ($_ =~ m/^([0-9\/]{3,5})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
- ($date,$time) = ($1,$2);
+ if ($_ =~ m/^([0-9\/]{3,5})(\/\d+)?\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
+ ($date,$time) = ($1,$3);
}
if ($_ =~ m/\[Xref \=\>.*\]/) {
$_ =~ s/\]\[Xref \=\> /, /g;
}
}
$line++;
- unless ($line == 1 || $date ne "$monthstr/$daystr") { &append; }
+
+ # Split the date into single chunks.
+ my ($month, $day, $year) = split('/', $date);
+
+ # Check if all data is collected and the date of the event fits the desired date to
+ # get displayed.
+ if ($line gt 1 || "$month/$day" eq "$monthstr/$daystr") { &append; }
+
close(LOG);
}
}
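Review bot: The rewritten filter at the `if ($line gt 1 || "$month/$day" eq ...)` line no longer restricts the appended events to the requested day: the removed `unless ($line == 1 || $date ne ...)` appended only when the line counter was past the first line AND the date matched, while the new `||` appends every event once `$line` passes 1, so the `"$month/$day"` comparison is effectively dead and entries from the whole log file are shown for any selected date. The comment above it ("all data is collected and the date of the event fits") describes a conjunction, and `gt` is a string comparison on a numeric counter, so the line should read `if ($line > 1 && "$month/$day" eq "$monthstr/$daystr") { &append; }`. The `$year` from the `split('/', $date)` is never used; `my ($month, $day) = split('/', $date);` is enough, and since `$date` defaults to "n/a" when the timestamp regex does not match, the split yields an undefined `$day` there, which `use warnings` would report but which is harmless with the `&&`. The enclosing loop and the block that sets `$line`, `$date` and the `LOG` handle begin outside the hunk, so I could not confirm where `$datediff` (which is interpolated into the `gzip -dc $filestr |` two-argument open further up) is validated.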