2012-01-17 Ramon Novoa <rnovoa@artica.es>

* include/functions_graph.php, include/functions_netflow.php, godmode/netflow/nf_edit_form.php, pandoradb.sql, pandoradb.postgreSQL.sql, pandoradb.oracle.sql: Added suport for custom filters. Small fixes. * include/help/en/help_pcap_filter.php, include/help/es/help_pcap_filter.php: Added to repository. Nfdump filter syntax help files. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@5382 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2012-01-17 14:01:49 +00:00 · 2012-01-17 14:01:49 +00:00 · dcdd53a9fc
parent 56b813d636
commit dcdd53a9fc
9 changed files with 194 additions and 34 deletions
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@ -1,3 +1,14 @@
+2012-01-17  Ramon Novoa  <rnovoa@artica.es>
+
+	* include/functions_graph.php, include/functions_netflow.php,
+	  godmode/netflow/nf_edit_form.php, pandoradb.sql,
+	  pandoradb.postgreSQL.sql, pandoradb.oracle.sql: Added suport for
+	  custom filters. Small fixes.
+
+	* include/help/en/help_pcap_filter.php,
+	  include/help/es/help_pcap_filter.php: Added to repository. Nfdump
+	  filter syntax help files.
+
 2012-01-17 Juan Manuel Ramon <juanmanuel.ramon@artica.es>

 	* include/functions_api.php: Added new functions add_agent_policy,
--- a/pandora_console/godmode/netflow/nf_edit_form.php
+++ b/pandora_console/godmode/netflow/nf_edit_form.php
@ -65,6 +65,7 @@ if ($id) {
 	$src_port = $filter['src_port'];
 	$aggregate = $filter['aggregate'];
 	$output = $filter['output'];
+	$advanced_filter = $filter['advanced_filter'];

 } else {
 	$name = '';
@ -75,6 +76,7 @@ if ($id) {
 	$src_port = '';
 	$aggregate = 'none';
 	$output = 'bytes';	
+	$advanced_filter = '';
 }

 if ($update) {
@ -86,6 +88,7 @@ if ($update) {
 	$ip_src = get_parameter('ip_src','');
 	$dst_port = get_parameter('dst_port','');
 	$src_port = get_parameter('src_port','');
+	$advanced_filter = get_parameter('advanced_filter','');
 	
 	if ($name == '') {
                ui_print_error_message (__('Not updated. Blank name'));
@ -99,6 +102,7 @@ if ($update) {
 				'ip_src' => $ip_src,
 				'dst_port' => $dst_port,
 				'src_port' => $src_port,
+				'advanced_filter' => $advanced_filter,
 				'output' => $output),
 			array ('id_sg' => $id));
 			
@ -117,6 +121,7 @@ if ($create){
 	$ip_src = get_parameter('ip_src','');
 	$dst_port = get_parameter('dst_port','');
 	$src_port = get_parameter('src_port','');
+	$advanced_filter = (string) get_parameter('advanced_filter', '');

 		if($name == db_get_value('id_name', 'tnetflow_filter', 'id_name', $name)){	
 			$result = false;
@ -129,6 +134,7 @@ if ($create){
 				'dst_port'=>$dst_port,
 				'src_port'=>$src_port,
 				'aggregate'=>$aggregate,
+				'advanced_filter'=>$advanced_filter,
 				'output'=>$output
 			);
 			$result = db_process_sql_insert('tnetflow_filter', $values);
@ -157,8 +163,16 @@ $table->data[1][1] = html_print_select_groups($config['id_user'], "IW",
 		$own_info['is_admin'], 'assign_group', $assign_group, '', '', -1, true,
 		false, false);
 	
+if ($advanced_filter != '') {
+	$filter_type = 1;
+} else {
+	$filter_type = 0;
+}
+
 $table->data[2][0] = '<b>'.__('Filter:').'</b>';
-	
+$table->data[2][1] = __('Normal') . ' ' . html_print_radio_button_extended ('filter_type', 0, '', $filter_type, false, 'displayNormalFilter();', 'style="margin-right: 40px;"', true);
+$table->data[2][1] .= __('Advanced') . ' ' . html_print_radio_button_extended ('filter_type', 1, '', $filter_type, false, 'displayAdvancedFilter();', 'style="margin-right: 40px;"', true);
+
 $table->data[3][0] = __('Dst Ip'). ui_print_help_tip (__("Destination IP. A comma separated list of destination ip. If we leave the field blank, will show all ip. Example filter by ip:<br>25.46.157.214,160.253.135.249"), true);
 $table->data[3][1] = html_print_input_text ('ip_dst', $ip_dst, false, 40, 80, true);
 	
@ -171,17 +185,19 @@ $table->data[5][1] = html_print_input_text ('dst_port', $dst_port, false, 40, 80
 $table->data[6][0] = __('Src Port'). ui_print_help_tip (__("Source port. A comma separated list of source ports. If we leave the field blank, will show all ports. Example filter by ports 80 and 22:<br>80,22"), true);
 $table->data[6][1] = html_print_input_text ('src_port', $src_port, false, 40, 80, true);

+$table->data[7][0] = ui_print_help_icon ('pcap_filter', true);
+$table->data[7][1] = html_print_textarea ('advanced_filter', 4, 40, $advanced_filter, '', true);
 	
-$table->data[7][0] = '<b>'.__('Aggregate by').'</b>'. ui_print_help_icon ('aggregate_by', true);
+$table->data[8][0] = '<b>'.__('Aggregate by').'</b>'. ui_print_help_icon ('aggregate_by', true);
 $aggregate_list = array();
 $aggregate_list = array ('none' => __('None'), 'proto' => __('Protocol'), 'srcip' =>__('Src Ip Address'), 'dstip' =>__('Dst Ip Address'), 'srcport' =>__('Src Port'), 'dstport' =>__('Dst Port') );

-$table->data[7][1] = html_print_select ($aggregate_list, "aggregate", $aggregate, '', '', 0, true, false, true, '', false);
+$table->data[8][1] = html_print_select ($aggregate_list, "aggregate", $aggregate, '', '', 0, true, false, true, '', false);
 	
-$table->data[8][0] = '<b>'.__('Output format').'</b>';
+$table->data[9][0] = '<b>'.__('Output format').'</b>';
 $show_output = array();
-$show_output = array ('packets' => __('Packets'), 'bytes' => __('Bytes'), 'bps' =>__('Bits per second'), 'bpp' =>__('Bytes per packet'));
-$table->data[8][1] = html_print_select ($show_output, 'output', $output, '', '', 0, true, false, true, '', false);
+$show_output = array ('packets' => __('Packets'), 'bytes' => __('Bytes'), 'flows' =>__('Flows'));
+$table->data[9][1] = html_print_select ($show_output, 'output', $output, '', '', 0, true, false, true, '', false);

 echo '<form method="post" action="index.php?sec=netf&sec2=godmode/netflow/nf_edit_form">';
 html_print_table ($table);
@ -198,4 +214,49 @@ echo '</div>';
 echo '</form>';
 ?>

+<script type="text/javascript">
+
+	function displayAdvancedFilter () {
+	
+		// Erase the normal filter
+		document.getElementById("text-ip_dst").value = '';
+		document.getElementById("text-ip_src").value = '';
+		document.getElementById("text-dst_port").value = '';
+		document.getElementById("text-src_port").value = '';
+
+		// Hide the normal filter
+		document.getElementById("table1-3").style.display = 'none';
+		document.getElementById("table1-4").style.display = 'none';
+		document.getElementById("table1-5").style.display = 'none';
+		document.getElementById("table1-6").style.display = 'none';
+		
+		// Show the advanced filter
+		document.getElementById("table1-7").style.display = '';
+	};
+
+	function displayNormalFilter () {
+	
+		// Erase the advanced filter
+		document.getElementById("textarea_advanced_filter").value = '';
+
+		// Hide the advanced filter
+		document.getElementById("table1-7").style.display = 'none';
+	
+		// Show the normal filter
+		document.getElementById("table1-3").style.display = '';
+		document.getElementById("table1-4").style.display = '';
+		document.getElementById("table1-5").style.display = '';
+		document.getElementById("table1-6").style.display = '';
+	};
+
+	var filter_type = <?php echo $filter_type ?>;
+	if (filter_type == 0) {
+		displayNormalFilter ();
+	} else {
+		displayAdvancedFilter ();
+	}
+
+</script>
+
+

--- a/pandora_console/include/functions_graph.php
+++ b/pandora_console/include/functions_graph.php
@ -1996,8 +1996,8 @@ function graph_netflow_aggregate_area ($data, $period, $width, $height, $only_im
 		$homeurl = '';
 	}

-	return area_graph($flash_chart, $chart, $width, $height, array (), $sources,
-		 null, "images/image_problem.opaque.png", "", "", $homeurl,
+	return stacked_area_graph($flash_chart, $chart, $width, $height, null, $sources,
+		 null, "images/image_problem.opaque.png", "", "",
 		 $config['homedir'] .  "/images/logo_vertical_water.png",
 		 $config['fontpath'], $config['font_size'], "");
 }
--- a/pandora_console/include/functions_netflow.php
+++ b/pandora_console/include/functions_netflow.php
@ -16,6 +16,7 @@


 include_once("include/functions_users.php");
+include_once("include/functions_io.php");

 // Date format for nfdump
 $nfdump_date_format = 'Y/m/d.H:i:s';
@ -408,15 +409,12 @@ function netflow_get_stats ($start_date, $end_date, $command, $aggregate, $max,
 		$values[$i]['agg'] = $val[4];
 		
 		switch ($unit){
+			case "flows":
+				$values[$i]['data'] = $val[5];
+				break;
 			case "packets":
 				$values[$i]['data'] = $val[6];
 				break;
-			case "bps":
-				$values[$i]['data'] = $val[9];
-				break;
-			case "bpp":
-				$values[$i]['data'] = $val[10];
-				break;
 			case "bytes":
 			default:
 				$values[$i]['data'] = $val[7];
@ -447,9 +445,16 @@ function netflow_get_command ($filter) {
 	if (isset($config['netflow_path']) && $config['netflow_path'] != '') {
 		$command .= ' -R '.$config['netflow_path'];
 	}
-	
-	// Filter options
+
+	// Advanced filter
 	$filter_args = '';
+	if ($filter['advanced_filter'] != '') {
+		$filter_args = preg_replace('/"/','', io_safe_output ($filter['advanced_filter']));
+		$command .= ' "(' . $filter_args . ')"';
+		return $command;
+	}
+
+	// Normal filter
 	if ($filter['ip_dst'] != ''){
 		$filter_args .= ' "(';
 		$val_ipdst = explode(',', $filter['ip_dst']);
@ -611,15 +616,15 @@ function netflow_parse_file ($start_date, $end_date, $file, &$values, $aggregate
 				}
 				
 				switch ($unit) {
+					case "flows":
+						$flow['data'] = $val[6];
+						break;
 					case "packets":
 						$flow['data'] = $val[7];
 						break;
 					case "bytes":
 						$flow['data'] = $val[8];
 						break;
-					case "flows":
-						$flow['data'] = $val[9];
-						break;
 				}
 				$flow['timestamp'] = strtotime ($flow['date'] . " " . $flow['time']);
 				$last_timestamp = $flow['timestamp'];
--- a/pandora_console/include/help/en/help_pcap_filter.php
+++ b/pandora_console/include/help/en/help_pcap_filter.php
@ -0,0 +1,40 @@
+<?php
+/**
+ * @package Include/help/en
+ */
+?>
+<h1>Nfdump filter syntax</h1>
+
+The filter syntax is very similar to that of tcpdump. For example:
+
+<ul>
+<li>Capture traffic to or from 192.168.0.1:</li>
+<pre>
+host 192.168.0.1
+</pre>
+
+<ul>
+<li>Capture traffic to 192.168.0.1:</li>
+<pre>
+dst host 192.168.0.1
+</pre>
+
+<li>Capture traffic from 192.168.0.0/24:</li>
+<pre>
+src net 192.168.0.0/24
+</pre>
+
+<li>Capture HTTP and HTTPS traffic:</li>
+<pre>
+(port 80) or (port 443)
+</pre>
+
+<li>Capture all traffic except DNS:</li>
+<pre>
+port not 53
+</pre>
+
+<li>Capture SSH traffic to 192.168.0.1:</li>
+<pre>
+(port 22) and (dst host 192.168.0.1)
+</pre>
--- a/pandora_console/include/help/es/help_pcap_filter.php
+++ b/pandora_console/include/help/es/help_pcap_filter.php
@ -0,0 +1,40 @@
+<?php
+/**
+ * @package Include/help/en
+ */
+?>
+<h1>Sintaxis de filtros de Nfdump</h1>
+
+La sintaxis de filtros es muy parecida a la de tcpdump. Por ejemplo:
+
+<ul>
+<li>Capturar tráfico hacia o desde 192.168.0.1:</li>
+<pre>
+host 192.168.0.1
+</pre>
+
+<ul>
+<li>Capturar tráfico hacia 192.168.0.1:</li>
+<pre>
+dst host 192.168.0.1
+</pre>
+
+<li>Capturar tráfico desde 192.168.0.0/24:</li>
+<pre>
+src net 192.168.0.0/24
+</pre>
+
+<li>Capturar tráfico HTTP y HTTPS:</li>
+<pre>
+(port 80) or (port 443)
+</pre>
+
+<li>Capturar todo el tráfico excepto DNS:</li>
+<pre>
+port not 53
+</pre>
+
+<li>Capturar el tráfico SSH hacia 192.168.0.1:</li>
+<pre>
+(port 22) and (dst host 192.168.0.1)
+</pre>
--- a/pandora_console/pandoradb.oracle.sql
+++ b/pandora_console/pandoradb.oracle.sql
@ -1482,12 +1482,13 @@ CREATE INDEX ttag_event_id_evento_idx ON ttag_event(id_evento);

 CREATE TABLE tnetflow_filter (
 id_sg NUMBER(10, 0) NOT NULL PRIMARY KEY,
-id_name VARCHAR2(100) NOT NULL,
+id_name VARCHAR2(600) NOT NULL,
 id_group NUMBER(10, 0),
-ip_dst VARCHAR2(100),
-ip_src VARCHAR2(100),
-dst_port VARCHAR2(100),
-src_port VARCHAR2(100),
+ip_dst CLOB NOT NULL,
+ip_src CLOB NOT NULL,
+dst_port CLOB NOT NULL,
+src_port CLOB NOT NULL,
+advanced_filter CLOB NOT NULL,
 aggregate VARCHAR2(60),
 output VARCHAR2(60)
 );
--- a/pandora_console/pandoradb.postgreSQL.sql
+++ b/pandora_console/pandoradb.postgreSQL.sql
@ -1195,12 +1195,13 @@ CREATE INDEX "ttag_event_id_evento_idx" ON "ttag_event"("id_evento");
 -- -----------------------------------------------------
 CREATE TABLE "tnetflow_filter" (
 	"id_sg" SERIAL NOT NULL PRIMARY KEY,
-  	"id_name" varchar(60) NOT NULL default '',
+  	"id_name" varchar(600) NOT NULL default '',
  	"id_group" INTEGER,
-  	"ip_dst" varchar(100),
-	"ip_src" varchar(100),
-  	"dst_port" varchar(100),
-	"src_port" varchar(100),
+  	"ip_dst" TEXT NOT NULL,
+	"ip_src" TEXT NOT NULL,
+  	"dst_port" TEXT NOT NULL,
+	"src_port" TEXT NOT NULL,
+	"advanced_filter" TEXT NOT NULL,
 	"aggregate" varchar(60),
 	"output" varchar(60)
 );
--- a/pandora_console/pandoradb.sql
+++ b/pandora_console/pandoradb.sql
@ -1286,12 +1286,13 @@ CREATE TABLE IF NOT EXISTS `ttag_event` (

 CREATE TABLE IF NOT EXISTS `tnetflow_filter` (
  `id_sg`  int(10) unsigned NOT NULL auto_increment,
-  `id_name` varchar(60) NOT NULL default '0',
+  `id_name` varchar(600) NOT NULL default '0',
  `id_group` int(10),
-  `ip_dst` varchar(100),
-  `ip_src` varchar(100),
-  `dst_port` varchar(100),
-  `src_port` varchar(100),
+  `ip_dst` TEXT NOT NULL,
+  `ip_src` TEXT NOT NULL,
+  `dst_port` TEXT NOT NULL,
+  `src_port` TEXT NOT NULL,
+  `advanced_filter` TEXT NOT NULL,,
  `aggregate` varchar(60),
  `output` varchar(60),
 PRIMARY KEY  (`id_sg`)