From a636371c5e9a0c2078a970adeaab97f54c660053 Mon Sep 17 00:00:00 2001
From: Eric Fahlgren <ericfahlgren@gmail.com>
Date: Wed, 14 Feb 2024 07:14:31 -0800
Subject: [PATCH] snort3: improve date filtering in report

 - Take advantage of bug fix in jsonfilter to get rid of array hack, should
   improve memory footprint quite a bit

 - Implement substring matching in dates so you can collect data for a specific
   day, hour or run bin reports for histograms

 - Report title now contains specified date range, footer percentages

Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
---
 net/snort3/Makefile        |  2 +-
 net/snort3/files/snort-mgr | 71 +++++++++++++++++++++++---------------
 2 files changed, 45 insertions(+), 28 deletions(-)

diff --git a/net/snort3/Makefile b/net/snort3/Makefile
index 77c6fe2615..c4c98fed05 100644
--- a/net/snort3/Makefile
+++ b/net/snort3/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=snort3
 PKG_VERSION:=3.1.84.0
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_VERSION:=$(PKG_VERSION)
diff --git a/net/snort3/files/snort-mgr b/net/snort3/files/snort-mgr
index 3ea1b3e4d3..a950802a3b 100644
--- a/net/snort3/files/snort-mgr
+++ b/net/snort3/files/snort-mgr
@@ -131,28 +131,38 @@ check() {
 
 }
 
+_date_range=''
+_operator=''
+_date=''
+
+_parse_date_range() {
+	local date_spec="$1"
+	case "$date_spec" in
+		('')    _operator='>' ; _date=''                   ;;
+		(-*)    _operator='<' ; _date="${date_spec:1}"     ;;
+		(=*)    _operator='~' ; _date="${date_spec:1}"     ;;
+		(+*)    _operator='>' ; _date="${date_spec:1}"     ;;
+		(today) _operator='>' ; _date=$(date +'%y/%m/%d-') ;;
+		(*)     die "Invalid date specification '${date_spec}', did you forget the +/- prefix?" ;;
+	esac
+	if [ -z "$_date" ]; then
+		_date_range=''
+	else
+		local op=$_operator
+		[ "$op" = "~" ] && op='contains'
+		_date_range=" where date $op '$_date'"
+	fi
+}
+
 _filter_by_date() {
 	# Grab all the alert_json files in the log directory, scan them
 	# for matching timestamps and return those lines that match.
-	local log_dir="$1"
 
-	local operator date
-	case "$DATE_SPEC" in
-		('')    operator='>' ; date=''                   ;;
-		(-*)    operator='<' ; date="${DATE_SPEC:1}"     ;;
-		(+*)    operator='>' ; date="${DATE_SPEC:1}"     ;;
-		(today) operator='>' ; date=$(date +'%y/%m/%d-') ;;
-		(*)     die "Invalid date specification '${DATE_SPEC}', did you forget the +/- prefix?" ;;
-	esac
-
-	# We need to create a single json array because 'jsonfilter -a' is
-	# severely broken.
-	awk '
-		BEGIN { print "[" }
-		{ print $0"," }
-		END { print "{}]" }
-	' "${log_dir}"/*alert_json.txt \
-	| jsonfilter -e '$[@.timestamp '${operator}' "'"${date}"'"]'
+	local log_dir="$1"
+	local operator="$2"
+	local date="$3"
+	cat "${log_dir}"/*alert_json.txt \
+	| jsonfilter -a -e '$[@.timestamp '${operator}' "'"${date}"'"]'
 }
 
 report() {
@@ -174,7 +184,8 @@ report() {
 	#-- Collect the inputs --
 	local msg src srcP dst dstP dir gid sid
 	local tmp=$(mktemp -t snort.rep.XXXXXX)
-	_filter_by_date "${log_dir}" | while read -r line; do
+	_parse_date_range "$DATE_SPEC"
+	_filter_by_date "${log_dir}" "${_operator}" "${_date}" | while read -r line; do
 		src='' && dst='' && srcP='' && dstP=''
 		eval "$(jsonfilter -s "$line" \
 			-e 'msg=$.msg' \
@@ -210,11 +221,14 @@ report() {
 	local mlen=$(echo "$lines" | awk -F'#' '{print $1}' | wc -L)
 	local slen=$(echo "$lines" | awk -F'#' '{print $2}' | wc -L)
 
-	echo "Events involving ${PATTERN:-all IPs} - $(date -Is)"
+	local match=''
+	[ -n "$PATTERN" ] && match=" involving '${PATTERN}'"
+	echo "Events${match}${_date_range} (run at $(date -Is))"
 	printf "%-*s %3s %5s %-3s %-*s %s\n" "$mlen"  "  Count Message" "gid" "sid" "Dir" "$slen" "Source" "Destination"
 	echo "$lines" | awk -F'#' '{printf "%-'"$mlen"'s %3d %5d %s %-'"$slen"'s %s\n", $1, $5, $6, $4, $2, $3}'
 
-	printf "%7d incidents shown of %d logged\n" "$n_incidents" "$n_total"
+	local pct=$(awk -v n=$n_incidents -v t=$n_total 'END{printf "%.2f", 100*n/t}' /dev/null)
+	printf "%7d incidents shown of %d logged (%s%%)\n" "$n_incidents" "$n_total" "$pct"
 
 	#-- Lookup rules and references, if requested. --
 	if $VERBOSE; then
@@ -288,7 +302,7 @@ status() {
 #-------------------------------------------------------------------------------
 
 usage() {
-	local msg="$1"
+	local msg="${1:-}"
 	[ -n "$msg" ] && printf "ERROR: %s\n\n" "$msg"
 
 	cat <<USAGE
@@ -316,12 +330,15 @@ Usage:
       pattern = A case-insensitive grep pattern used to filter output.
 
     The date specification for '-d' can be either literal 'today'
-    or a snort-formatted date prefixed by '-' or '+', meaning 'before'
-    and 'after', respectively.  Snort date reporting has the format
+    or a snort-formatted date prefixed by '-', '=' or '+', meaning 'before',
+    'on' and 'after', respectively.  Snort date reporting has the format
     'YY/MM/DD-hh:mm:ss.ssssss', and you can use any prefix as a date.
-    For example,
-      > snort-mgr --date-spec +23/12/20-09 report
-    will process all incidents from from 2023-12-20 at 0900 and later.
+
+    For example, to show incidents from 2023-12-20 at 0900 and later:
+      > snort-mgr report --date-spec +23/12/20-09
+
+    and to report all of the incidents between 1300-1400 on all dates:
+      > snort-mgr report --date-spec =-13:
 
 
   $0 update-rules [-t/--testing]
-- 
2.30.2