Class: Suricata::Nagios

Inherits:
Object
Defined in:
lib/suricata/nagios.rb

Overview

This class provides all the functionality needed for a Suricata Nagios plugin.

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(alertfile = "/var/log/suricata/fast.log", whitelist = nil) ⇒ Nagios

constructor

Parameters:

  • alertfile (String) (defaults to: "/var/log/suricata/fast.log")

    path to the Suricata log file (default: /var/log/suricata/fast.log)

  • whitelist (String) (defaults to: nil)

    path to the whitelist file (default: nil, i.e. no whitelist)


# File 'lib/suricata/nagios.rb', line 58

# Builds a plugin instance with its default Nagios exit codes and acknowledge-file path.
#
# @param alertfile [String] path to the Suricata fast.log that search reads
# @param whitelist [String, nil] path to a whitelist file, or nil to disable whitelisting
def initialize(alertfile = "/var/log/suricata/fast.log", whitelist = nil)
	# Nagios exit codes: 2 = CRITICAL when a hit is found, 0 = OK otherwise.
	@return_found = 2
	@return_notfound = 0
	@alertfile = alertfile
	@whitelist = whitelist
	# NOTE(review): the default ack file lives in the shared /tmp. search skips
	# every hit listed in that file, so a pre-existing or writable file there
	# lets another local user influence the check result — confirm this is
	# acceptable, or point #ack at a directory only the plugin's user can write.
	@ack = "/tmp/surack.lst"
end

Instance Attribute Details

#ackObject

Alerts can be acknowledged so that they are excluded from the next search. Use this attribute to set the acknowledge file. The default ack file is /tmp/surack.lst.


# File 'lib/suricata/nagios.rb', line 53

attr_accessor :whitelist, :alertfile, :return_found, :return_notfound, :ack

#alertfileObject

This alert file (fast.log) is the file that search reads.


# File 'lib/suricata/nagios.rb', line 53

attr_accessor :whitelist, :alertfile, :return_found, :return_notfound, :ack

#fastObject

This attribute stores the Suricata::Logfile object.


# File 'lib/suricata/nagios.rb', line 39

# @return [Suricata::Logfile, nil] the log object created by init_log; nil until init_log has run
def fast; @fast; end

#found_strObject

This attribute stores the description of the entry that search() found in the Logfile object.


# File 'lib/suricata/nagios.rb', line 39

attr_reader :fast, :found_str, :search_str

#return_foundObject

This value is returned from search() on success (default: 2).


# File 'lib/suricata/nagios.rb', line 53

attr_accessor :whitelist, :alertfile, :return_found, :return_notfound, :ack

#return_notfoundObject

this value is returned from search() on failure (Default: 0)


# File 'lib/suricata/nagios.rb', line 53

attr_accessor :whitelist, :alertfile, :return_found, :return_notfound, :ack

#search_strObject

Returns the value of attribute search_str


# File 'lib/suricata/nagios.rb', line 39

attr_reader :fast, :found_str, :search_str

#whitelistObject

this whitelist can be used to exclude results from the search


# File 'lib/suricata/nagios.rb', line 53

# @return [String, nil] path of the whitelist file, or nil when no whitelist is used
def whitelist; @whitelist; end

Instance Method Details

#acknowlege(str) ⇒ Object

This method performs a search(str). For every hit it asks interactively whether the entry should be acknowledged. On "yes", the routine appends a short form of the entry to the acknowledge file.

Parameters:

  • str (String)

    string to search

See Also:


# File 'lib/suricata/nagios.rb', line 123

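# Interactively acknowledges alerts matching +str+.
#
# Walks the alert file and, for every hit whose key ("timestamp id conn") is
# not yet in the acknowledge file, prints the entry and asks on stdin whether
# to acknowledge it. Answering "y" appends the key to @ack, so search will
# skip that entry from then on.
#
# @param str [String] pattern to search for; it is compiled as a Regexp, not
#   matched literally (runApp passes the -e argument through unchanged)
# @return [void]
# @raise [RegexpError] if str is not a valid regular expression
def acknowlege(str)
	init_log if @fast.nil?
	# Compile once instead of once per line; Regexp.new(str) is what /#{str}/ did.
	pattern = Regexp.new(str)

	# Block form so the ack file is closed even if reading the log or stdin raises.
	File.open(@ack, 'a') do |list|
		@fast.readline_parse do |fast_entry|
			next unless fast_entry.description =~ pattern

			key = "#{fast_entry.timestamp} #{fast_entry.id} #{fast_entry.conn}"
			# Entries that are already acknowledged are not asked about again.
			next if search_list(key, @ack)

			printf("Acknowlege the following entry:\n")
			# The entry is data, never a format string: a '%' inside an alert
			# description would otherwise make printf raise or print garbage.
			puts fast_entry
			printf("Acknowlege(y|n): ")
			answer = $stdin.gets
			# gets returns nil on EOF (no acknowledge); chomp also accepts CRLF input.
			list.write("#{key}\n") if answer&.chomp == "y"
		end
	end
end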

#init_logObject

this method initializes the Suricata::Logfile(@fast) and opens the @alertfile

See Also:


# File 'lib/suricata/nagios.rb', line 69

# Opens the alert file by creating the Suricata::Logfile kept in @fast.
# search and acknowlege call this lazily while @fast is still nil.
#
# @return [Suricata::Logfile] the newly created log object
def init_log
	log = Suricata::Logfile.new(@alertfile)
	@fast = log
end

#runApp(args) ⇒ Integer

This is the check_suricata application. The method exits with 3 on error.

Parameters:

  • args (Array)

    typically ARGV

Returns:

  • (Integer)

    @return_found if searchstring was found

  • (Integer)

    @return_notfound if searchstring was not found

See Also:


# File 'lib/suricata/nagios.rb', line 80

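# Command-line entry point of check_suricata.
#
# Parses +args+, then either runs the interactive acknowledge dialog (-i) or
# searches the alert file and prints "FOUND" or "OK". Like any Nagios plugin
# it never returns: it exits with @return_found / @return_notfound, and with
# 3 (UNKNOWN) for --help, a missing -e, a bad option, an invalid search
# pattern, or after -i.
#
# @param args [Array<String>] typically ARGV; parsed destructively
# @return [Integer] documented for callers, but the method always terminates via exit
def runApp(args)
	help = nil
	interactive = false

	parser = OptionParser.new do |opt|
		opt.banner = "Usage: #{$PROGRAM_NAME} [ -a alertfile ] [ -w whitelistfile ] -e searchstring"
		opt.on('-h', '--help', 'This help screen') do
			$stderr.puts opt
			exit 3
		end
		opt.on('-a', '--alertfile ALERTFILE', 'alertfile(default: /var/log/suricata/fast.log)') { |o| @alertfile = o }
		opt.on('-w', '--whitelist WHITELISTFILE', 'whitelistfile') { |o| @whitelist = o }
		# The search string is used as a regular expression by search/acknowlege.
		opt.on('-e', '--search STRING', 'searchstring') { |o| @search_str = o }
		opt.on('-i', '--interactive', 'interactive acknowleges') { |o| interactive = o }
		opt.on('-k', '--ackfile ACKFILE', 'ackfile(default: /tmp/surack.lst)') { |o| @ack = o }
		help = opt.help
	end

	begin
		parser.parse!(args)
	rescue OptionParser::ParseError => e
		# An unknown or malformed option used to escape as a backtrace with exit
		# status 1 (WARNING to Nagios); report it as UNKNOWN with the usage instead.
		$stderr.puts e.message
		$stderr.puts help
		exit 3
	end

	if @search_str.nil?
		$stderr.puts help
		exit 3
	end

	begin
		if interactive
			acknowlege(@search_str)
			exit 3
		end

		ret = search(@search_str)
	rescue RegexpError => e
		# search/acknowlege compile the -e argument as a Regexp; a malformed
		# pattern is a usage error, not a plugin crash.
		$stderr.puts "invalid search pattern: #{e.message}"
		exit 3
	end

	puts(ret > 0 ? "FOUND" : "OK")
	exit ret
end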

#search(str) ⇒ Integer

This method performs a search for a string (str) in the alert file. If a whitelist file or an acknowledge file is given, it searches those files too and may exclude the hit from the result.

Parameters:

  • str (String)

    search-query

Returns:

  • (Integer)

    @return_found on success

  • (Integer)

    @return_notfound on failure

See Also:


# File 'lib/suricata/nagios.rb', line 160

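# Searches the alert file for +str+ and reports whether an unsuppressed hit exists.
#
# Every entry whose description matches is checked against the whitelist (by
# description, only when @whitelist is set) and against the acknowledge file
# (by "timestamp id conn", only when @ack names an existing file). The first
# entry listed in neither is the result: its description is kept in #found_str
# and @return_found is returned. Otherwise @return_notfound is returned.
#
# @param str [String] search pattern, compiled as a Regexp (runApp passes the
#   -e argument through unchanged), so regex metacharacters are significant
# @return [Integer] @return_found on a hit, @return_notfound otherwise
# @raise [RegexpError] if str is not a valid regular expression
def search(str)
	@search_str = str
	@found_str = nil
	init_log if @fast.nil?

	# Compile once; Regexp.new(str) is equivalent to the per-line /#{str}/.
	pattern = Regexp.new(@search_str)
	# The ack file is consulted only if it exists (acknowlege creates it lazily).
	ack_usable = !@ack.nil? && File.file?(@ack)

	begin
		@fast.readline_parse do |fast_entry|
			next unless fast_entry.description =~ pattern

			wl_found = @whitelist.nil? ? false : search_list(fast_entry.description, @whitelist)
			ack_found = ack_usable && search_list("#{fast_entry.timestamp} #{fast_entry.id} #{fast_entry.conn}", @ack)

			# Truthiness rather than `== false`, so a nil from search_list counts as "not listed".
			next if wl_found || ack_found

			@found_str = fast_entry.description
			return @return_found
		end
	ensure
		# Previously the log was closed only when nothing was found; the early
		# return on a hit left it open.
		@fast.close
	end

	@return_notfound
end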