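-- acf model for displaying logfiles recusivly
-- NOTE(review): module() is Lua 5.1 only; presumably the framework loads
-- models this way, so it is kept as-is.
module (..., package.seeall)

-- no initializer in model - use controller.init for that

require("posix")
require("fs")

-- START SORT ################################################################################
--[[
function __genOrderedIndex( t )
	local orderedIndex = {}
	for key in pairs(t) do
		table.insert( orderedIndex, key )
	end
	table.sort( orderedIndex )
	return orderedIndex
end

function orderedNext(t, state)
	-- Equivalent of the next function, but returns the keys in the alphabetic
	-- order. We use a temporary ordered key table that is stored in the
	-- table being iterated.
	--print("orderedNext: state = "..tostring(state) )
	if state == nil then
		-- the first time, generate the index
		t.__orderedIndex = __genOrderedIndex( t )
		key = t.__orderedIndex[1]
		return key, t[key]
	end
	-- fetch the next value
	key = nil
	for i = 1,table.getn(t.__orderedIndex) do
		if t.__orderedIndex[i] == state then
			key = t.__orderedIndex[i+1]
		end
	end
	if key then
		return key, t[key]
	end
	-- no more value to return, cleanup
	t.__orderedIndex = nil
	return
end

function orderedPairs(t)
	-- Equivalent of the pairs() function on tables. Allows to iterate
	-- in order
	return orderedNext, t, nil
end
--]]
-- END SORT ################################################################################

--- Return the installed snort version as reported by `snort -V`.
-- The pipeline rewrites "Version X" to "snort-X" so the status page can
-- show a package-like string.
-- @treturn string the version string, or "" when snort prints nothing or
--   io.popen is unavailable on this platform
local function get_version()
	-- The original had a stray backslash before the space in the sed
	-- expression ("\ "). Lua 5.1 silently drops it (same string as below);
	-- Lua 5.2+ rejects it as an invalid escape, so write the plain space.
	local cmd = "snort -V 2>&1 | grep Version | sed 's/.*ersion /snort-/'"
	local handle = io.popen(cmd, "r")
	if not handle then
		return ""
	end
	local version = handle:read("*a") or ""
	handle:close()
	return version
end

--- Check whether a process with the given name is running (via pidof).
-- The name is spliced into a shell command line, so it is restricted to
-- [A-Za-z0-9_.-]; anything else is a programmer error and is rejected
-- before a shell is spawned.
-- @tparam string process plain process name, e.g. "snort"
-- @treturn string "Running" when pidof printed at least one pid, else "Stopped"
-- @raise when `process` is not a plain process name
local is_running = function( process )
	if type(process) ~= "string" or not process:match("^[%w_.%-]+$") then
		error("is_running: invalid process name", 2)
	end
	-- the original passed an undefined global `r` as the mode; "r" is the
	-- intended (and default) mode
	local handle = io.popen("pidof " .. process, "r")
	if not handle then
		return "Stopped"
	end
	-- strip every whitespace char so "no pids" compares equal to ""
	local pids = string.gsub(handle:read("*a") or "", "%s", "")
	handle:close()
	if pids ~= "" then
		return "Running"
	end
	return "Stopped"
end

-- ################################################################################
-- PUBLIC FUNCTIONS

--- Collect version and run state for the status page.
-- @param self the model (unused)
-- @treturn table { version = string, status = "Running" | "Stopped" }
getstatus = function (self)
	return {
		version = get_version(),
		status = is_running("snort"),
	}
end

--- Start, stop or restart the snort init script and return its output.
-- Only the three whitelisted verbs are ever placed on the command line;
-- any other value (including nil, which previously crashed in
-- string.lower) is rejected before a shell is spawned.
-- @param self the model (unused)
-- @tparam string srvcmd "start", "stop" or "restart" (case-insensitive)
-- @treturn string combined stdout/stderr of the script, every line prefixed
--   with "\n"; "Unknown command!" for any other verb
service_control = function ( self, srvcmd )
	local verb = string.lower(tostring(srvcmd or ""))
	if verb ~= "start" and verb ~= "stop" and verb ~= "restart" then
		return "Unknown command!"
	end
	local handle = io.popen("PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin /etc/init.d/snort " .. verb .. " 2>&1")
	if not handle then
		return ""
	end
	-- collect into a buffer instead of repeated ".." (O(n^2) on long output)
	local lines = {}
	for line in handle:lines() do
		lines[#lines + 1] = "\n" .. line
	end
	handle:close()
	return table.concat(lines)
end

--- Legacy alert reader, superseded by read_alert below (kept because the
-- name is public). Groups alert header lines by "gen:sig:rev" id and, per
-- id, keeps the record of the last occurrence.
-- Lines are returned verbatim from the alert file and are not escaped here;
-- NOTE(review): presumably the view escapes them before rendering - confirm.
-- @treturn number|string number of distinct ids, or the string "0" when the
--   file cannot be read (left as a string for compatibility with callers)
-- @treturn table array of per-id records
xxxread_alert = function ()
	local alertfile = "/var/log/snort/alert"
	local fileresult = {}
	local presentationtable = {}
	local liboutput = fs.read_file_as_array(alertfile)
	if not liboutput then
		return "0", presentationtable
	end
	for k, v in ipairs(liboutput) do
		local generator, signature, revision = string.match(v, "^.*%[%*%*%]%s*%[(%d*):(%d*):(%d*).*")
		if generator and signature and revision then
			local id = generator .. ":" .. signature .. ":" .. revision
			local group = fileresult[id]
			if not group then
				group = {}
				fileresult[id] = group
			end
			table.insert(group, v)
			-- the slot just filled with the header line is replaced by the
			-- record table (original behaviour)
			local tablemax = #group
			-- a header on the last line of the file has no following line;
			-- the original crashed in string.match(nil, ...) here
			local nextline = liboutput[k + 1] or ""
			local record = {
				classification = string.match(nextline, "^.*%[.*lassification:%s*(.*)%]%s*%[") or "Classification: unknown",
				priority = string.match(nextline, "^.*%[.*lassification:%s*.*%]%s*%[(.*)%]") or "Priority: unknown",
				count = tablemax,
			}
			group[tablemax] = record
			for i = 0, 6 do
				local line = liboutput[k + i]
				-- stop at the blank separator, or at end of file
				if line == nil or line == "" then
					break
				end
				if liboutput[k + i - 1] then
					if not string.match(line, "^%[Classification.*") then
						table.insert(record, line)
					end
				end
			end
		end
	end
	-- pairs() order is unspecified, so the array order is too (as before)
	local presentation = {}
	for _, group in pairs(fileresult) do
		presentation[#presentation + 1] = group
	end
	for i = 1, #presentation do
		local group = presentation[i]
		presentationtable[i] = group[#group]
	end
	return #presentationtable, presentationtable
end

--- Parse /var/log/snort/alert into a nested table:
-- priority -> classification -> "gen:sig:rev" -> { count = n, value = {lines} }.
-- `count` accumulates over every occurrence of the id; `value` holds the
-- raw lines of the most recent occurrence only, because the id entry is
-- replaced on each header line (original behaviour, kept).
-- Lines are returned verbatim from the alert file and are not escaped here;
-- NOTE(review): presumably the view escapes them before rendering - confirm.
-- @treturn number total number of alert header lines seen (0 if unreadable)
-- @treturn table the nested priority table (empty if unreadable)
read_alert = function ()
	local alertfile = "/var/log/snort/alert"
	local alertcount = 0
	local alertpriority = {}
	local count = {}
	local liboutput = fs.read_file_as_array(alertfile)
	if not liboutput then
		return alertcount, alertpriority
	end
	for k, v in ipairs(liboutput) do
		local currid = string.match(v, "^.*%[%*%*%]%s*%[(%d+:%d+:%d+)%].*")
		if currid then
			-- a header on the last line of the file has no following line;
			-- the original crashed in string.match(nil, ...) here
			local nextline = liboutput[k + 1] or ""
			local priority = string.match(nextline, "^.*%[.*lassification:%s*.*%]%s*%[(.*)%]") or "Priority: Unknown"
			local classification = string.match(nextline, "^.*%[.*lassification:%s*(.*)%]%s*%[") or "Classification: Unknown"
			local byclass = alertpriority[priority]
			if not byclass then
				byclass = {}
				alertpriority[priority] = byclass
			end
			local byid = byclass[classification]
			if not byid then
				byid = {}
				byclass[classification] = byid
			end
			-- fresh entry per occurrence; only the counter survives
			local entry = { value = {} }
			byid[currid] = entry
			local key = priority .. classification .. currid
			count[key] = (count[key] or 0) + 1
			entry.count = count[key]
			-- copy the header plus up to 10 following lines, up to the blank
			-- separator (or end of file)
			for i = 0, 10 do
				local rowvalue = liboutput[k + i]
				if rowvalue == nil or rowvalue == "" then
					break
				end
				entry.value[#entry.value + 1] = rowvalue
			end
			alertcount = alertcount + 1
		end
	end
	--[[
	t = {
		['a'] = 'xxx',
		['b'] = 'xxx',
		['c'] = 'xxx',
		['d'] = 'xxx',
		['e'] = 'xxx',
	}
	for key, val in orderedNext(t) do
		t=key
	end
	--]]
	return alertcount, alertpriority
end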