From 40e4bdc22e9db5a416b9cf1b03f5ba83016514cb Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Thu, 9 Jun 2016 21:35:22 +0200
Subject: [PATCH] (ids) add option to drop/reset suricata log file (eve.json*),
 closes https://github.com/opnsense/core/issues/997

---
 .../OPNsense/IDS/Api/ServiceController.php    | 20 ++++++++
 .../mvc/app/views/OPNsense/IDS/index.volt     | 33 ++++++++++++-
 src/opnsense/scripts/suricata/dropAlertLog.py | 48 +++++++++++++++++++
 .../service/conf/actions.d/actions_ids.conf   |  6 +++
 4 files changed, 105 insertions(+), 2 deletions(-)
 create mode 100755 src/opnsense/scripts/suricata/dropAlertLog.py

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/IDS/Api/ServiceController.php b/src/opnsense/mvc/app/controllers/OPNsense/IDS/Api/ServiceController.php
index c6ec78b56..7f5cf3b37 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/IDS/Api/ServiceController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/IDS/Api/ServiceController.php
@@ -311,4 +311,24 @@ class ServiceController extends ApiControllerBase
             return array();
         }
     }
+
+    /**
+     * drop alert log
+     * @return array status
+     */
+    public function dropAlertLogAction()
+    {
+        if ($this->request->isPost()) {
+            // close session for long running action
+            $this->sessionClose();
+            $backend = new Backend();
+            $filename = $this->request->getPost('filename', 'string', null);
+            if ($filename != null) {
+                $filename = basename($filename);
+                $backend->configdpRun("ids drop alertlog", array($filename));
+                return array("status" => "ok");
+            }
+        }
+        return array("status" => "failed");
+    }
 }
diff --git a/src/opnsense/mvc/app/views/OPNsense/IDS/index.volt b/src/opnsense/mvc/app/views/OPNsense/IDS/index.volt
index 5fc7dd4b2..f6e455db9 100644
--- a/src/opnsense/mvc/app/views/OPNsense/IDS/index.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/IDS/index.volt
@@ -69,9 +69,9 @@ POSSIBILITY OF SUCH DAMAGE.
                     $('#alert-logfile').html("");
                     $.each(data, function(key, value) {
                         if (value['sequence'] == undefined) {
-                            $('#alert-logfile').append($("<option></option>").attr("value",'none').text(value['modified']));
+                            $('#alert-logfile').append($("<option/>").data('filename', value['filename']).attr("value",'none').text(value['modified']));
                         } else {
-                            $('#alert-logfile').append($("<option></option>").attr("value",value['sequence']).text(value['modified']));
+                            $('#alert-logfile').append($("<option/>").data('filename', value['filename']).attr("value",value['sequence']).text(value['modified']));
                         }
                     });
                     $('.selectpicker').selectpicker('refresh');
@@ -427,6 +427,34 @@ POSSIBILITY OF SUCH DAMAGE.
             history.pushState(null, null, e.target.hash);
         });
 
+        // delete selected alert log
+        $("#actDeleteLog").click(function(){
+            var selected_log = $("#alert-logfile > option:selected");
+            BootstrapDialog.show({
+                type:BootstrapDialog.TYPE_DANGER,
+                title: '{{ lang._('Remove log file ') }} ' + selected_log.html(),
+                message: '{{ lang._('Removing this file will cleanup disk space, but cannot be undone.') }}',
+                buttons: [{
+                    icon: 'fa fa-trash-o',
+                    label: '{{ lang._('Yes') }}',
+                    cssClass: 'btn-primary',
+                    action: function(dlg){
+                        ajaxCall(url="/api/ids/service/dropAlertLog/",sendData={filename: selected_log.data('filename')},
+                                callback=function(data,status){
+                                    updateAlertLogs();
+                                });
+                        dlg.close();
+                    }
+                }, {
+                    label: 'Close',
+                    action: function(dlg){
+                        dlg.close();
+                    }
+                }]
+            });
+
+        });
+
     });
 
 
@@ -568,6 +596,7 @@ POSSIBILITY OF SUCH DAMAGE.
             <div class="row">
                 <div class="col-sm-12 actionBar">
                     <select id="alert-logfile" class="selectpicker" data-width="200px"></select>
+                    <span  id="actDeleteLog" class="btn btn-lg fa fa-trash" style="cursor: pointer;"></span>
                     <select id="alert-logfile-max" class="selectpicker" data-width="80px">
                         <option value="7">7</option>
                         <option value="50">50</option>
diff --git a/src/opnsense/scripts/suricata/dropAlertLog.py b/src/opnsense/scripts/suricata/dropAlertLog.py
new file mode 100755
index 000000000..5edb4316f
--- /dev/null
+++ b/src/opnsense/scripts/suricata/dropAlertLog.py
@@ -0,0 +1,48 @@
+#!/usr/local/bin/python2.7
+
+"""
+    Copyright (c) 2016 Ad Schellevis
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+     this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+    --------------------------------------------------------------------------------------
+    drop requested alert log
+"""
+
+import os
+import sys
+import glob
+from lib import suricata_alert_log
+
+if __name__ == '__main__' and len(sys.argv) > 1:
+    result = []
+    for filename in glob.glob('%s*' % suricata_alert_log):
+        if os.path.basename(filename) == sys.argv[1]:
+            if os.path.basename(filename) == 'eve.json':
+                # current logfile, truncate to 0
+                with open(filename, 'wb') as f:
+                    f.truncate()
+            else:
+                # archive, remove
+                os.remove(filename)
+            print ("removed %s" % filename)
diff --git a/src/opnsense/service/conf/actions.d/actions_ids.conf b/src/opnsense/service/conf/actions.d/actions_ids.conf
index a694ff1f8..5feed59cd 100644
--- a/src/opnsense/service/conf/actions.d/actions_ids.conf
+++ b/src/opnsense/service/conf/actions.d/actions_ids.conf
@@ -22,6 +22,12 @@ parameters:
 type:script_output
 message:list available suricata alert logs
 
+[drop.alertlog]
+command:/usr/local/opnsense/scripts/suricata/dropAlertLog.py
+parameters:%s
+type:script_output
+message:drop suricata alert log %s
+
 [query.rules]
 command:/usr/local/opnsense/scripts/suricata/queryInstalledRules.py
 parameters:/limit %s /offset %s /filter %s /sort_by %s