librenms-librenms/includes/polling/applications/suricata.inc.php

<?php

use LibreNMS\Exceptions\JsonAppException;
use LibreNMS\RRD\RrdDefinition;

$name = 'suricata';
try {
    $suricata = json_app_get($device, 'suricata-stats');
} catch (JsonAppException $e) {
    echo PHP_EOL . $name . ':' . $e->getCode() . ':' . $e->getMessage() . PHP_EOL;
    update_application($app, $e->getCode() . ':' . $e->getMessage(), []); // Set empty metrics and error message

    return;
}

// grab  the alert here as it is the global one
$metrics = ['alert'=>$suricata['alert']];

$rrd_def = RrdDefinition::make()
    ->addDataset('af_dcerpc_tcp', 'DERIVE', 0)
    ->addDataset('af_dcerpc_udp', 'DERIVE', 0)
    ->addDataset('af_dhcp', 'DERIVE', 0)
    ->addDataset('af_dns_tcp', 'DERIVE', 0)
    ->addDataset('af_dns_udp', 'DERIVE', 0)
    ->addDataset('af_failed_tcp', 'DERIVE', 0)
    ->addDataset('af_failed_udp', 'DERIVE', 0)
    ->addDataset('af_ftp', 'DERIVE', 0)
    ->addDataset('af_ftp_data', 'DERIVE', 0)
    ->addDataset('af_http', 'DERIVE', 0)
    ->addDataset('af_ikev2', 'DERIVE', 0)
    ->addDataset('af_imap', 'DERIVE', 0)
    ->addDataset('af_krb5_tcp', 'DERIVE', 0)
    ->addDataset('af_krb5_udp', 'DERIVE', 0)
    ->addDataset('af_mqtt', 'DERIVE', 0)
    ->addDataset('af_nfs_tcp', 'DERIVE', 0)
    ->addDataset('af_nfs_udp', 'DERIVE', 0)
    ->addDataset('af_ntp', 'DERIVE', 0)
    ->addDataset('af_rdp', 'DERIVE', 0)
    ->addDataset('af_rfb', 'DERIVE', 0)
    ->addDataset('af_sip', 'DERIVE', 0)
    ->addDataset('af_smb', 'DERIVE', 0)
    ->addDataset('af_smtp', 'DERIVE', 0)
    ->addDataset('af_snmp', 'DERIVE', 0)
    ->addDataset('af_ssh', 'DERIVE', 0)
    ->addDataset('af_tftp', 'DERIVE', 0)
    ->addDataset('af_tls', 'DERIVE', 0)
    ->addDataset('alert', 'GAUGE', 0)
    ->addDataset('at_dcerpc_tcp', 'DERIVE', 0)
    ->addDataset('at_dcerpc_udp', 'DERIVE', 0)
    ->addDataset('at_dhcp', 'DERIVE', 0)
    ->addDataset('at_dns_tcp', 'DERIVE', 0)
    ->addDataset('at_dns_udp', 'DERIVE', 0)
    ->addDataset('at_ftp', 'DERIVE', 0)
    ->addDataset('at_ftp_data', 'DERIVE', 0)
    ->addDataset('at_http', 'DERIVE', 0)
    ->addDataset('at_ikev2', 'DERIVE', 0)
    ->addDataset('at_imap', 'DERIVE', 0)
    ->addDataset('at_krb5_tcp', 'DERIVE', 0)
    ->addDataset('at_krb5_udp', 'DERIVE', 0)
    ->addDataset('at_mqtt', 'DERIVE', 0)
    ->addDataset('at_nfs_tcp', 'DERIVE', 0)
    ->addDataset('at_nfs_udp', 'DERIVE', 0)
    ->addDataset('at_ntp', 'DERIVE', 0)
    ->addDataset('at_rdp', 'DERIVE', 0)
    ->addDataset('at_rfb', 'DERIVE', 0)
    ->addDataset('at_sip', 'DERIVE', 0)
    ->addDataset('at_smb', 'DERIVE', 0)
    ->addDataset('at_smtp', 'DERIVE', 0)
    ->addDataset('at_snmp', 'DERIVE', 0)
    ->addDataset('at_ssh', 'DERIVE', 0)
    ->addDataset('at_tftp', 'DERIVE', 0)
    ->addDataset('at_tls', 'DERIVE', 0)
    ->addDataset('bytes', 'DERIVE', 0)
    ->addDataset('dec_avg_pkt_size', 'DERIVE', 0)
    ->addDataset('dec_chdlc', 'DERIVE', 0)
    ->addDataset('dec_ethernet', 'DERIVE', 0)
    ->addDataset('dec_geneve', 'DERIVE', 0)
    ->addDataset('dec_ieee8021ah', 'DERIVE', 0)
    ->addDataset('dec_invalid', 'DERIVE', 0)
    ->addDataset('dec_ipv4', 'DERIVE', 0)
    ->addDataset('dec_ipv4_in_ipv6', 'DERIVE', 0)
    ->addDataset('dec_ipv6', 'DERIVE', 0)
    ->addDataset('dec_max_pkt_size', 'DERIVE', 0)
    ->addDataset('dec_mpls', 'DERIVE', 0)
    ->addDataset('dec_mx_mac_addrs_d', 'DERIVE', 0)
    ->addDataset('dec_mx_mac_addrs_s', 'DERIVE', 0)
    ->addDataset('dec_packets', 'DERIVE', 0)
    ->addDataset('dec_ppp', 'DERIVE', 0)
    ->addDataset('dec_pppoe', 'DERIVE', 0)
    ->addDataset('dec_raw', 'DERIVE', 0)
    ->addDataset('dec_sctp', 'DERIVE', 0)
    ->addDataset('dec_sll', 'DERIVE', 0)
    ->addDataset('dec_tcp', 'DERIVE', 0)
    ->addDataset('dec_teredo', 'DERIVE', 0)
    ->addDataset('dec_too_many_layer', 'DERIVE', 0)
    ->addDataset('dec_udp', 'DERIVE', 0)
    ->addDataset('dec_vlan', 'DERIVE', 0)
    ->addDataset('dec_vlan_qinq', 'DERIVE', 0)
    ->addDataset('dec_vntag', 'DERIVE', 0)
    ->addDataset('dec_vxlan', 'DERIVE', 0)
    ->addDataset('drop_percent', 'GAUGE', 0)
    ->addDataset('dropped', 'DERIVE', 0)
    ->addDataset('error_percent', 'GAUGE', 0)
    ->addDataset('errors', 'DERIVE', 0)
    ->addDataset('f_icmpv4', 'DERIVE', 0)
    ->addDataset('f_icmpv6', 'DERIVE', 0)
    ->addDataset('f_memuse', 'GAUGE', 0)
    ->addDataset('f_tcp', 'DERIVE', 0)
    ->addDataset('f_udp', 'DERIVE', 0)
    ->addDataset('ftp_memuse', 'GAUGE', 0)
    ->addDataset('http_memuse', 'GAUGE', 0)
    ->addDataset('ifdrop_percent', 'GAUGE', 0)
    ->addDataset('ifdropped', 'DERIVE', 0)
    ->addDataset('packets', 'DERIVE', 0)
    ->addDataset('tcp_memuse', 'GAUGE', 0)
    ->addDataset('tcp_reass_memuse', 'GAUGE', 0)
    ->addDataset('uptime', 'GAUGE', 0);

// keys that need to by migrated from the instance to the
$instance_keys = [
    'af_dcerpc_tcp', 'af_dcerpc_udp', 'af_dhcp', 'af_dns_tcp', 'af_dns_udp', 'af_failed_tcp', 'af_failed_udp', 'af_ftp',
    'af_ftp_data', 'af_http', 'af_ikev2', 'af_imap', 'af_krb5_tcp', 'af_krb5_udp', 'af_mqtt', 'af_nfs_tcp', 'af_nfs_udp',
    'af_ntp', 'af_rdp', 'af_rfb', 'af_sip', 'af_smb', 'af_smtp', 'af_snmp', 'af_ssh', 'af_tftp', 'af_tls', 'alert',
    'at_dcerpc_tcp', 'at_dcerpc_udp', 'at_dhcp', 'at_dns_tcp', 'at_dns_udp', 'at_ftp', 'at_ftp_data', 'at_http', 'at_ikev2',
    'at_imap', 'at_krb5_tcp', 'at_krb5_udp', 'at_mqtt', 'at_nfs_tcp', 'at_nfs_udp', 'at_ntp', 'at_rdp', 'at_rfb', 'at_sip',
    'at_smb', 'at_smtp', 'at_snmp', 'at_ssh', 'at_tftp', 'at_tls', 'bytes', 'dec_avg_pkt_size', 'dec_chdlc', 'dec_ethernet',
    'dec_geneve', 'dec_ieee8021ah', 'dec_invalid', 'dec_ipv4', 'dec_ipv4_in_ipv6', 'dec_ipv6', 'dec_max_pkt_size', 'dec_mpls',
    'dec_mx_mac_addrs_d', 'dec_mx_mac_addrs_s', 'dec_packets', 'dec_ppp', 'dec_pppoe', 'dec_raw', 'dec_sctp', 'dec_sll',
    'dec_tcp', 'dec_teredo', 'dec_too_many_layer', 'dec_udp', 'dec_vlan', 'dec_vlan_qinq', 'dec_vntag', 'dec_vxlan',
    'drop_delta', 'drop_percent', 'dropped', 'error_delta', 'error_percent', 'errors', 'f_icmpv4', 'f_icmpv6', 'f_memuse',
    'f_tcp', 'f_udp', 'ftp_memuse', 'http_memuse', 'ifdrop_delta', 'ifdrop_percent', 'ifdropped', 'packet_delta', 'packets',
    'tcp_memuse', 'tcp_reass_memuse', 'uptime',
];

// keys to add to the RRD field
$field_keys = [
    'af_dcerpc_tcp', 'af_dcerpc_udp', 'af_dhcp', 'af_dns_tcp', 'af_dns_udp', 'af_failed_tcp', 'af_failed_udp', 'af_ftp',
    'af_ftp_data', 'af_http', 'af_ikev2', 'af_imap', 'af_krb5_tcp', 'af_krb5_udp', 'af_mqtt', 'af_nfs_tcp', 'af_nfs_udp',
    'af_ntp', 'af_rdp', 'af_rfb', 'af_sip', 'af_smb', 'af_smtp', 'af_snmp', 'af_ssh', 'af_tftp', 'af_tls', 'alert',
    'at_dcerpc_tcp', 'at_dcerpc_udp', 'at_dhcp', 'at_dns_tcp', 'at_dns_udp', 'at_ftp', 'at_ftp_data', 'at_http', 'at_ikev2',
    'at_imap', 'at_krb5_tcp', 'at_krb5_udp', 'at_mqtt', 'at_nfs_tcp', 'at_nfs_udp', 'at_ntp', 'at_rdp', 'at_rfb', 'at_sip',
    'at_smb', 'at_smtp', 'at_snmp', 'at_ssh', 'at_tftp', 'at_tls', 'bytes', 'dec_avg_pkt_size', 'dec_chdlc', 'dec_ethernet',
    'dec_geneve', 'dec_ieee8021ah', 'dec_invalid', 'dec_ipv4', 'dec_ipv4_in_ipv6', 'dec_ipv6', 'dec_max_pkt_size', 'dec_mpls',
    'dec_mx_mac_addrs_d', 'dec_mx_mac_addrs_s', 'dec_packets', 'dec_ppp', 'dec_pppoe', 'dec_raw', 'dec_sctp', 'dec_sll',
    'dec_tcp', 'dec_teredo', 'dec_too_many_layer', 'dec_udp', 'dec_vlan', 'dec_vlan_qinq', 'dec_vntag', 'dec_vxlan',
    'drop_percent', 'dropped', 'error_percent', 'errors', 'f_icmpv4', 'f_icmpv6', 'f_memuse',
    'f_tcp', 'f_udp', 'ftp_memuse', 'http_memuse', 'ifdrop_percent', 'ifdropped', 'packets',
    'tcp_memuse', 'tcp_reass_memuse', 'uptime',
];

// process each instance
$instances = [];
foreach ($suricata['data'] as $instance => $stats) {
    if ($instance == '.total') {
        $rrd_name = ['app', $name, $app->app_id];
    } else {
        $rrd_name = ['app', $name, $app->app_id, $instance];
        $instances[] = $instance;
    }

    foreach ($instance_keys as $metric_key) {
        $metrics[$instance . '_' . $metric_key] = $stats[$metric_key];
    }

    $fields = [];
    foreach ($field_keys as $field_key) {
        $fields[$field_key] = $stats[$field_key];
    }

    $tags = ['name' => $name, 'app_id' => $app->app_id, 'rrd_def' => $rrd_def, 'rrd_name' => $rrd_name];
    data_update($device, 'app', $tags, $fields);
}

// check for added or removed instances
$old_instances = $app->data['instances'] ?? [];
$added_instances = array_diff($instances, $old_instances);
$removed_instances = array_diff($old_instances, $instances);

// if we have any source instances, save and log
if (count($added_instances) > 0 || count($removed_instances) > 0) {
    $app->data = ['instances' => $instances];
    $log_message = 'Suricata Instance Change:';
    $log_message .= count($added_instances) > 0 ? ' Added ' . implode(',', $added_instances) : '';
    $log_message .= count($removed_instances) > 0 ? ' Removed ' . implode(',', $added_instances) : '';
    log_event($log_message, $device, 'application');
}

//
// all done so update the app metrics
//
update_application($app, 'OK', $metrics);