
snort3: improve date filtering in report

Open efahl opened this issue 1 year ago • 6 comments

  • Reduce memory footprint while running reports allowed by recent jsonfilter bug fix.
  • Improve headers and footers on report.
  • Add new match operator for date filtering.

Maintainer: @flyn-org @graysky2
Compile tested: NA
Run tested: x86 snapshot

efahl, Feb 14 '24 15:02

Reviewing the code by eye seems OK. Full disclosure: my snort setup is using the legacy snort init script with legacy homenet.lua, local.lua, etc., so I am not able to test the code in this PR.

@flyn-org thoughts?

graysky2, Feb 14 '24 15:02

> using the legacy snort init script with legacy ... local.lua

I'm pretty sure the only thing reporting depends on is the json alert files, so if you were to stick the following snippet in your local.lua at the end, then run with that for a little bit, you would have some test inputs (assuming snort sees some events to log). Oh, yeah, make sure /etc/config/snort has option log_dir set to point to wherever your logs actually reside...

alert_json = {
  file = true,
  fields = [[ timestamp pkt_num pkt_gen pkt_len proto dir src_addr src_port dst_addr dst_port gid sid rev action msg ]],
}

efahl, Feb 14 '24 16:02
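How the report side consumes those alert_json lines, as an added example for this thread (Python; it is not the report script this PR changes and is not part of the openwrt/packages tree): it streams the log one record at a time and keeps only alerts whose timestamp falls inside a half-open date window, the same shape of work the memory-footprint and date-filter items in the description describe. Assumptions, labelled in the code: one JSON object per line as alert_json writes them, and snort's default "MM/DD-HH:MM:SS.ffffff" timestamp layout, which carries no year, so the caller supplies the year the file covers. The sample log lines, sids and rule messages are constructed.

```python
"""Stream snort3 alert_json records and count the ones inside a date window.

Added example for this thread; it is not the report script the PR changes.
Assumptions: one JSON object per line, as alert_json writes them, and snort's
default "MM/DD-HH:MM:SS.ffffff" timestamp layout, which carries no year, so
the caller supplies the year the log file covers. The sample log, sids and
messages below are constructed.
"""
import json
from collections import Counter
from datetime import datetime
from typing import Iterable, Iterator


def _record(ts: str, pkt_num: int, sid: int, msg: str) -> str:
    """Build one constructed alert line using the field set from the snippet above."""
    return json.dumps({
        "timestamp": ts, "pkt_num": pkt_num, "pkt_gen": "raw", "pkt_len": 60,
        "proto": "TCP", "dir": "C2S", "src_addr": "192.0.2.10", "src_port": 44321,
        "dst_addr": "192.0.2.20", "dst_port": 22, "gid": 1, "sid": sid, "rev": 1,
        "action": "allow", "msg": msg,
    }, separators=(",", ":"))


# Constructed sample log. The last line is deliberately truncated, as the
# final line of a live log can be while snort is still appending to it.
SAMPLE_LOG = "\n".join([
    _record("02/13-23:59:58.000001", 1, 1000001, "EXAMPLE rule one"),  # before window
    _record("02/14-00:00:01.000002", 2, 1000001, "EXAMPLE rule one"),
    _record("02/14-12:30:00.000003", 3, 1000001, "EXAMPLE rule one"),
    _record("02/14-18:45:10.000004", 4, 1000002, "EXAMPLE rule two"),
    _record("02/15-00:00:00.000005", 5, 1000002, "EXAMPLE rule two"),  # at end bound, excluded
    '{"timestamp":"02/15-00:01:00.000006","pkt_num":6',  # truncated record
]) + "\n"


def parse_timestamp(ts: str, year: int) -> datetime:
    """Turn "MM/DD-HH:MM:SS.ffffff" (assumed default layout, no year) into a datetime."""
    return datetime.strptime(f"{year}/{ts}", "%Y/%m/%d-%H:%M:%S.%f")


def iter_alerts(lines: Iterable[str]) -> Iterator[dict]:
    """Decode one alert per line, skipping blank and unparseable lines.

    Yielding as we go keeps memory flat however large the log is, instead of
    loading every record before filtering.
    """
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial last line or corrupt record; report the rest


def summarize(lines: Iterable[str], year: int, start: datetime, end: datetime) -> Counter:
    """Count alerts per (gid, sid, msg) whose timestamp satisfies start <= t < end."""
    counts: Counter = Counter()
    for alert in iter_alerts(lines):
        when = parse_timestamp(alert["timestamp"], year)
        if start <= when < end:
            counts[(alert["gid"], alert["sid"], alert["msg"])] += 1
    return counts


def run_report(log_text: str, year: int, start_day: str, end_day: str) -> Counter:
    """Summarize log_text over the half-open window [start_day, end_day), days as YYYY-MM-DD."""
    start = datetime.strptime(start_day, "%Y-%m-%d")
    end = datetime.strptime(end_day, "%Y-%m-%d")
    return summarize(log_text.splitlines(), year, start, end)


if __name__ == "__main__":
    report = run_report(SAMPLE_LOG, 2024, "2024-02-14", "2024-02-15")
    for (gid, sid, msg), n in sorted(report.items()):
        print(f"{n:5d}  {gid}:{sid}  {msg}")
```

The window is half-open so that consecutive daily reports never double-count an alert landing exactly on midnight. Because the assumed timestamp layout has no year, a single log file that spans a year boundary cannot be filtered correctly with one `year` argument; rotate the log at year end or switch snort to a timestamp format that includes the year before relying on this.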

@flyn-org , got a minute to look this over?

efahl, Mar 14 '24 14:03

Looks good. Recommend merge.

flyn-org, Mar 14 '24 16:03

@efahl - can you rebase? The 3.1.84 update got merged.

graysky2, Apr 13 '24 21:04

Rebased.

efahl, Apr 14 '24 14:04

Please merge

graysky2, Apr 30 '24 20:04