From dcdd53a9fc3823af2727c7a2ed1feaf1af4c858e Mon Sep 17 00:00:00 2001 From: Ramon Novoa Date: Tue, 17 Jan 2012 14:01:49 +0000 Subject: [PATCH] 2012-01-17 Ramon Novoa * include/functions_graph.php, include/functions_netflow.php, godmode/netflow/nf_edit_form.php, pandoradb.sql, pandoradb.postgreSQL.sql, pandoradb.oracle.sql: Added suport for custom filters. Small fixes. * include/help/en/help_pcap_filter.php, include/help/es/help_pcap_filter.php: Added to repository. Nfdump filter syntax help files. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@5382 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f --- pandora_console/ChangeLog | 11 +++ .../godmode/netflow/nf_edit_form.php | 73 +++++++++++++++++-- pandora_console/include/functions_graph.php | 4 +- pandora_console/include/functions_netflow.php | 27 ++++--- .../include/help/en/help_pcap_filter.php | 40 ++++++++++ .../include/help/es/help_pcap_filter.php | 40 ++++++++++ pandora_console/pandoradb.oracle.sql | 11 +-- pandora_console/pandoradb.postgreSQL.sql | 11 +-- pandora_console/pandoradb.sql | 11 +-- 9 files changed, 194 insertions(+), 34 deletions(-) create mode 100644 pandora_console/include/help/en/help_pcap_filter.php create mode 100644 pandora_console/include/help/es/help_pcap_filter.php diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog index 8ab1336698..daeaf3d9ba 100644 --- a/pandora_console/ChangeLog +++ b/pandora_console/ChangeLog @@ -1,3 +1,14 @@ +2012-01-17 Ramon Novoa + + * include/functions_graph.php, include/functions_netflow.php, + godmode/netflow/nf_edit_form.php, pandoradb.sql, + pandoradb.postgreSQL.sql, pandoradb.oracle.sql: Added suport for + custom filters. Small fixes. + + * include/help/en/help_pcap_filter.php, + include/help/es/help_pcap_filter.php: Added to repository. Nfdump + filter syntax help files. + 2012-01-17 Juan Manuel Ramon * include/functions_api.php: Added new functions add_agent_policy, diff --git a/pandora_console/godmode/netflow/nf_edit_form.php b/pandora_console/godmode/netflow/nf_edit_form.php index 705f22d683..6626951e99 100644 --- a/pandora_console/godmode/netflow/nf_edit_form.php +++ b/pandora_console/godmode/netflow/nf_edit_form.php @@ -65,6 +65,7 @@ if ($id) { $src_port = $filter['src_port']; $aggregate = $filter['aggregate']; $output = $filter['output']; + $advanced_filter = $filter['advanced_filter']; } else { $name = ''; @@ -75,6 +76,7 @@ if ($id) { $src_port = ''; $aggregate = 'none'; $output = 'bytes'; + $advanced_filter = ''; } if ($update) { @@ -86,6 +88,7 @@ if ($update) { $ip_src = get_parameter('ip_src',''); $dst_port = get_parameter('dst_port',''); $src_port = get_parameter('src_port',''); + $advanced_filter = get_parameter('advanced_filter',''); if ($name == '') { ui_print_error_message (__('Not updated. Blank name')); @@ -99,6 +102,7 @@ if ($update) { 'ip_src' => $ip_src, 'dst_port' => $dst_port, 'src_port' => $src_port, + 'advanced_filter' => $advanced_filter, 'output' => $output), array ('id_sg' => $id)); @@ -117,6 +121,7 @@ if ($create){ $ip_src = get_parameter('ip_src',''); $dst_port = get_parameter('dst_port',''); $src_port = get_parameter('src_port',''); + $advanced_filter = (string) get_parameter('advanced_filter', ''); if($name == db_get_value('id_name', 'tnetflow_filter', 'id_name', $name)){ $result = false; @@ -129,6 +134,7 @@ if ($create){ 'dst_port'=>$dst_port, 'src_port'=>$src_port, 'aggregate'=>$aggregate, + 'advanced_filter'=>$advanced_filter, 'output'=>$output ); $result = db_process_sql_insert('tnetflow_filter', $values); @@ -157,8 +163,16 @@ $table->data[1][1] = html_print_select_groups($config['id_user'], "IW", $own_info['is_admin'], 'assign_group', $assign_group, '', '', -1, true, false, false); +if ($advanced_filter != '') { + $filter_type = 1; +} else { + $filter_type = 0; +} + $table->data[2][0] = ''.__('Filter:').''; - +$table->data[2][1] = __('Normal') . ' ' . html_print_radio_button_extended ('filter_type', 0, '', $filter_type, false, 'displayNormalFilter();', 'style="margin-right: 40px;"', true); +$table->data[2][1] .= __('Advanced') . ' ' . html_print_radio_button_extended ('filter_type', 1, '', $filter_type, false, 'displayAdvancedFilter();', 'style="margin-right: 40px;"', true); + $table->data[3][0] = __('Dst Ip'). ui_print_help_tip (__("Destination IP. A comma separated list of destination ip. If we leave the field blank, will show all ip. Example filter by ip:
25.46.157.214,160.253.135.249"), true); $table->data[3][1] = html_print_input_text ('ip_dst', $ip_dst, false, 40, 80, true); @@ -171,17 +185,19 @@ $table->data[5][1] = html_print_input_text ('dst_port', $dst_port, false, 40, 80 $table->data[6][0] = __('Src Port'). ui_print_help_tip (__("Source port. A comma separated list of source ports. If we leave the field blank, will show all ports. Example filter by ports 80 and 22:
80,22"), true); $table->data[6][1] = html_print_input_text ('src_port', $src_port, false, 40, 80, true); +$table->data[7][0] = ui_print_help_icon ('pcap_filter', true); +$table->data[7][1] = html_print_textarea ('advanced_filter', 4, 40, $advanced_filter, '', true); -$table->data[7][0] = ''.__('Aggregate by').''. ui_print_help_icon ('aggregate_by', true); +$table->data[8][0] = ''.__('Aggregate by').''. ui_print_help_icon ('aggregate_by', true); $aggregate_list = array(); $aggregate_list = array ('none' => __('None'), 'proto' => __('Protocol'), 'srcip' =>__('Src Ip Address'), 'dstip' =>__('Dst Ip Address'), 'srcport' =>__('Src Port'), 'dstport' =>__('Dst Port') ); -$table->data[7][1] = html_print_select ($aggregate_list, "aggregate", $aggregate, '', '', 0, true, false, true, '', false); +$table->data[8][1] = html_print_select ($aggregate_list, "aggregate", $aggregate, '', '', 0, true, false, true, '', false); -$table->data[8][0] = ''.__('Output format').''; +$table->data[9][0] = ''.__('Output format').''; $show_output = array(); -$show_output = array ('packets' => __('Packets'), 'bytes' => __('Bytes'), 'bps' =>__('Bits per second'), 'bpp' =>__('Bytes per packet')); -$table->data[8][1] = html_print_select ($show_output, 'output', $output, '', '', 0, true, false, true, '', false); +$show_output = array ('packets' => __('Packets'), 'bytes' => __('Bytes'), 'flows' =>__('Flows')); +$table->data[9][1] = html_print_select ($show_output, 'output', $output, '', '', 0, true, false, true, '', false); echo '
'; html_print_table ($table); @@ -198,4 +214,49 @@ echo ''; echo '
'; ?> + + + diff --git a/pandora_console/include/functions_graph.php b/pandora_console/include/functions_graph.php index fe07e52c59..4c7e92d25b 100755 --- a/pandora_console/include/functions_graph.php +++ b/pandora_console/include/functions_graph.php @@ -1996,8 +1996,8 @@ function graph_netflow_aggregate_area ($data, $period, $width, $height, $only_im $homeurl = ''; } - return area_graph($flash_chart, $chart, $width, $height, array (), $sources, - null, "images/image_problem.opaque.png", "", "", $homeurl, + return stacked_area_graph($flash_chart, $chart, $width, $height, null, $sources, + null, "images/image_problem.opaque.png", "", "", $config['homedir'] . "/images/logo_vertical_water.png", $config['fontpath'], $config['font_size'], ""); } diff --git a/pandora_console/include/functions_netflow.php b/pandora_console/include/functions_netflow.php index 0cbfcbd46e..aaef8e9e01 100644 --- a/pandora_console/include/functions_netflow.php +++ b/pandora_console/include/functions_netflow.php @@ -16,6 +16,7 @@ include_once("include/functions_users.php"); +include_once("include/functions_io.php"); // Date format for nfdump $nfdump_date_format = 'Y/m/d.H:i:s'; @@ -408,15 +409,12 @@ function netflow_get_stats ($start_date, $end_date, $command, $aggregate, $max, $values[$i]['agg'] = $val[4]; switch ($unit){ + case "flows": + $values[$i]['data'] = $val[5]; + break; case "packets": $values[$i]['data'] = $val[6]; break; - case "bps": - $values[$i]['data'] = $val[9]; - break; - case "bpp": - $values[$i]['data'] = $val[10]; - break; case "bytes": default: $values[$i]['data'] = $val[7]; @@ -447,9 +445,16 @@ function netflow_get_command ($filter) { if (isset($config['netflow_path']) && $config['netflow_path'] != '') { $command .= ' -R '.$config['netflow_path']; } - - // Filter options + + // Advanced filter $filter_args = ''; + if ($filter['advanced_filter'] != '') { + $filter_args = preg_replace('/"/','', io_safe_output ($filter['advanced_filter'])); + $command .= ' "(' . $filter_args . ')"'; + return $command; + } + + // Normal filter if ($filter['ip_dst'] != ''){ $filter_args .= ' "('; $val_ipdst = explode(',', $filter['ip_dst']); @@ -611,15 +616,15 @@ function netflow_parse_file ($start_date, $end_date, $file, &$values, $aggregate } switch ($unit) { + case "flows": + $flow['data'] = $val[6]; + break; case "packets": $flow['data'] = $val[7]; break; case "bytes": $flow['data'] = $val[8]; break; - case "flows": - $flow['data'] = $val[9]; - break; } $flow['timestamp'] = strtotime ($flow['date'] . " " . $flow['time']); $last_timestamp = $flow['timestamp']; diff --git a/pandora_console/include/help/en/help_pcap_filter.php b/pandora_console/include/help/en/help_pcap_filter.php new file mode 100644 index 0000000000..17af4da838 --- /dev/null +++ b/pandora_console/include/help/en/help_pcap_filter.php @@ -0,0 +1,40 @@ + +

Nfdump filter syntax

+ +The filter syntax is very similar to that of tcpdump. For example: + +
    +
  • Capture traffic to or from 192.168.0.1:
    • +
    +host 192.168.0.1
+
    + +
      +
    • Capture traffic to 192.168.0.1:
      • +
      +dst host 192.168.0.1
+
      + +
    • Capture traffic from 192.168.0.0/24:
      • +
      +src net 192.168.0.0/24
+
      + +
    • Capture HTTP and HTTPS traffic:
      • +
      +(port 80) or (port 443)
+
      + +
    • Capture all traffic except DNS:
      • +
      +port not 53
+
      + +
    • Capture SSH traffic to 192.168.0.1:
      • +
      +(port 22) and (dst host 192.168.0.1)
+
      diff --git a/pandora_console/include/help/es/help_pcap_filter.php b/pandora_console/include/help/es/help_pcap_filter.php new file mode 100644 index 0000000000..425811b0ec --- /dev/null +++ b/pandora_console/include/help/es/help_pcap_filter.php @@ -0,0 +1,40 @@ + +

      Sintaxis de filtros de Nfdump

      + +La sintaxis de filtros es muy parecida a la de tcpdump. Por ejemplo: + +
        +
      • Capturar tráfico hacia o desde 192.168.0.1:
        • +
        +host 192.168.0.1
+
        + +
          +
        • Capturar tráfico hacia 192.168.0.1:
          • +
          +dst host 192.168.0.1
+
          + +
        • Capturar tráfico desde 192.168.0.0/24:
          • +
          +src net 192.168.0.0/24
+
          + +
        • Capturar tráfico HTTP y HTTPS:
          • +
          +(port 80) or (port 443)
+
          + +
        • Capturar todo el tráfico excepto DNS:
          • +
          +port not 53
+
          + +
        • Capturar el tráfico SSH hacia 192.168.0.1:
          • +
          +(port 22) and (dst host 192.168.0.1)
+
          diff --git a/pandora_console/pandoradb.oracle.sql b/pandora_console/pandoradb.oracle.sql index 5418d42652..cc7024176e 100644 --- a/pandora_console/pandoradb.oracle.sql +++ b/pandora_console/pandoradb.oracle.sql @@ -1482,12 +1482,13 @@ CREATE INDEX ttag_event_id_evento_idx ON ttag_event(id_evento); CREATE TABLE tnetflow_filter ( id_sg NUMBER(10, 0) NOT NULL PRIMARY KEY, -id_name VARCHAR2(100) NOT NULL, +id_name VARCHAR2(600) NOT NULL, id_group NUMBER(10, 0), -ip_dst VARCHAR2(100), -ip_src VARCHAR2(100), -dst_port VARCHAR2(100), -src_port VARCHAR2(100), +ip_dst CLOB NOT NULL, +ip_src CLOB NOT NULL, +dst_port CLOB NOT NULL, +src_port CLOB NOT NULL, +advanced_filter CLOB NOT NULL, aggregate VARCHAR2(60), output VARCHAR2(60) ); diff --git a/pandora_console/pandoradb.postgreSQL.sql b/pandora_console/pandoradb.postgreSQL.sql index cd56d1c013..bdd24e69b3 100644 --- a/pandora_console/pandoradb.postgreSQL.sql +++ b/pandora_console/pandoradb.postgreSQL.sql @@ -1195,12 +1195,13 @@ CREATE INDEX "ttag_event_id_evento_idx" ON "ttag_event"("id_evento"); -- ----------------------------------------------------- CREATE TABLE "tnetflow_filter" ( "id_sg" SERIAL NOT NULL PRIMARY KEY, - "id_name" varchar(60) NOT NULL default '', + "id_name" varchar(600) NOT NULL default '', "id_group" INTEGER, - "ip_dst" varchar(100), - "ip_src" varchar(100), - "dst_port" varchar(100), - "src_port" varchar(100), + "ip_dst" TEXT NOT NULL, + "ip_src" TEXT NOT NULL, + "dst_port" TEXT NOT NULL, + "src_port" TEXT NOT NULL, + "advanced_filter" TEXT NOT NULL, "aggregate" varchar(60), "output" varchar(60) ); diff --git a/pandora_console/pandoradb.sql b/pandora_console/pandoradb.sql index ada247611b..022091771d 100644 --- a/pandora_console/pandoradb.sql +++ b/pandora_console/pandoradb.sql @@ -1286,12 +1286,13 @@ CREATE TABLE IF NOT EXISTS `ttag_event` ( CREATE TABLE IF NOT EXISTS `tnetflow_filter` ( `id_sg` int(10) unsigned NOT NULL auto_increment, - `id_name` varchar(60) NOT NULL default '0', + `id_name` varchar(600) NOT NULL default '0', `id_group` int(10), - `ip_dst` varchar(100), - `ip_src` varchar(100), - `dst_port` varchar(100), - `src_port` varchar(100), + `ip_dst` TEXT NOT NULL, + `ip_src` TEXT NOT NULL, + `dst_port` TEXT NOT NULL, + `src_port` TEXT NOT NULL, + `advanced_filter` TEXT NOT NULL,, `aggregate` varchar(60), `output` varchar(60), PRIMARY KEY (`id_sg`)