
Making a Web Interface Using the Command Line Tools

By Alex Barsamian | March 7, 2011


Much of the functionality of FlowTraq Client can be accessed via the FlowTraq Command Line Tools, which are included with FlowTraq Client. This article shows how you can use the command-line tools to create a simple web interface for querying FlowTraq Server.

This article assumes FlowTraq server is already up and running and receiving flows from at least one NetFlow/sFlow/jFlow/cFlow exporter. It also assumes you have a web server that interprets PHP up and running either on the same host as FlowTraq Server or on a host that can access it via the network. Some basic familiarity with programming for the web with PHP is also assumed.

Motivation

For most of what you do every day in FlowTraq, you’ll need to use FlowTraq Client. Investigating alerts, scheduling and processing reports, and keeping an eye on your network are tasks that are best done in the responsive, interactive environment of a desktop application rather than a web application. But sometimes you don’t want to launch a heavyweight client just to check the pulse of your network. Or perhaps you want to make certain views of your network available to everyone in your organization, without having to distribute FlowTraq Client to, or maintain user accounts for, dozens or hundreds of users.

In these situations, a quick-and-dirty web-based view might be the answer to your problems.

Implementation

FlowTraq ships with twenty command-line tools, each representing a different view of the network (except ns2um which is for user management):

eagle:tools abarsam$ ls
ns2countrysb	ns2countrysup	ns2hostsuh	ns2pairss	ns2portss
ns2countrysp	ns2hostsb	ns2hostsup	ns2pairsup	ns2portsuh
ns2countryss	ns2hostsp	ns2pairsb	ns2portsb	ns2sq
ns2countrysuh	ns2hostss	ns2pairsp	ns2portsp	ns2um

For instance, ns2hostsb lists top hosts by volume, and ns2sq returns all sessions that match a given query. Each tool accepts a parameter specifying how many records to return, a timeframe and an optional filter. We want to make all of this accessible via the web, so first let’s construct a simple form that lets users specify these things. (Many of these code snippets have been edited for brevity, but all the source code is included in a package at the end of this article.)

<form method="GET" action="flowtraq.php">
<table>
	<tr>
	<td align=right>Function:</td>
	<td align=left>
		<select name=function>
		<option value=ns2hostsb selected>ns2hostsb</option>
		<option value=ns2portsp>ns2portsp</option>
		<!-- [snip] ... -->
		<option value=ns2portss>ns2portss</option>
		<option value=ns2portsuh>ns2portsuh</option>
		<option value=ns2sq>ns2sq</option>
		</select>
	</td>
	</tr>

	<tr>
		<td align=right>Rows:</td>
		<td align=left><input type=text size=4 maxlength=7 name=rows value=50> (max: 128)</td>
	</tr>

	<tr>
		<td align=right>Last:</td>
		<td align=left>
			<select name=last>
				<option value=15m selected>15 minutes</option>
				<option value=1h>hour</option>
				<!-- [snip] ... -->
				<option value=1Y>year</option>
			</select>
		</td>
	</tr>

	<tr>
		<td align=right>Query:</td>
		<td align=left><input type=text size=40 name=query value="(SRVPORT==22)"></td>
	</tr>
	<tr>
		<td></td>
		<td><input type=Submit value="Run"></td>
	</tr>
</table>
</form>

In a browser, this winds up looking like this:

Very Web 0.1, yes, but this is an hour-long exercise, not a fully-designed and implemented web app, so we’ll take it.

Note that we’re using GET as the form method; this is because once we’ve crafted a view we think is interesting, it’d be nice to be able to share it simply by publishing a static link to the form page (GET requests encode the form parameters in the URL, e.g. http://example.com/script.php?param1=value1&param2=value2).

That just leaves the implementation of flowtraq.php, the page invoked by the form. We simply translate the contents of the GET into an invocation of one or another of the command-line tools. First the code that parses the request:

// tool location
$root = './tools/';

// defaults
$server = 'proquesys.com';
$port = '9640';
$query = '';
$function = 'ns2hostsb';
$rows = 50;
$last = '15m';

// PHP has already URL-decoded $_GET, so no urldecode() is needed. Because these
// values end up in a shell command, each one is checked before it is accepted.

// only run a tool that actually exists in the tools directory
if(!empty($_GET["function"]) && preg_match('/^ns2[a-z]+$/', $_GET["function"])
   && is_executable($root . $_GET["function"])) {
	$function = $_GET["function"];
}

// timeframes look like 15m, 1h, 1Y (see the form's options)
if(!empty($_GET["last"]) && preg_match('/^[0-9]{1,4}[A-Za-z]$/', $_GET["last"])) {
	$last = $_GET["last"];
}

// rows is a number, and the form promises a maximum of 128
if(!empty($_GET["rows"])) {
	$rows = max(1, min(128, (int)$_GET["rows"]));
}

// [snip] ...

if(!empty($_GET["server"])) {
	$server = $_GET["server"];
}

Next, we convert the form parameters into command-line parameters and run the appropriate command, capturing stdout (where the table rows are written as CSV) and using -g to specify the file the graph should be written to:

$csv_option = ' -c+';
$graphfile = 'graphs/' . rand() . '.tga';

// every request-supplied value is wrapped in escapeshellarg() so it reaches
// the tool as exactly one argument and cannot add anything to the command
$command = escapeshellarg($root . basename($function)) . $csv_option
	. ' -tn ' . escapeshellarg('-' . $last)
	. ' -s ' . escapeshellarg($server)
	. ' -p ' . escapeshellarg($port)
	. ' -r ' . (int)$rows
	. ' -g ' . escapeshellarg($graphfile);

if($query != '') {
	$command .= ' -q ' . escapeshellarg($query);
}

exec($command, $table);

Finally, we generate a link to the image (in PHP):

echo '<img src="' . $graphfile . '" />';

and process the CSV rows into an HTML table:

<table id="gradient-style" width=800>
<?php /* tool output is escaped before it is echoed into the page */ ?>
<?php if(!empty($table)) { ?>
<tr>
	<?php foreach(explode(", ", $table[0]) as $field) { ?>
		<th><?php echo htmlspecialchars($field); ?></th>
	<?php } ?>
</tr>

<?php foreach(array_slice($table, 1) as $row) { ?>
	<tr>
	<?php foreach(explode(", ", $row) as $field) { ?>
		<td><?php echo htmlspecialchars($field); ?></td>
	<?php } ?>
	</tr>
<?php } ?>
<?php } ?>
</table>

The output looks like this:

Not bad at all! And remember that any interesting reports you find can be shared with anyone you want just by passing the URL.
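As an added example that is not part of the article or the FlowTraq package, here is the request-to-command step written without a shell: the parameters are validated and assembled into an argument array, and proc_open() runs the tool directly. It assumes PHP 7.4 or later (where proc_open() accepts an array) and the ./tools/ layout above; the function names flowtraq_argv and flowtraq_run are my own.

```php
<?php
// Added example (not the article's code): validate the request, build the tool
// invocation as an argv array and run it with proc_open(), so no shell parses
// the parameters. Assumes PHP >= 7.4 and the article's ./tools/ directory.

// Request parameters (PHP has already URL-decoded $_GET) to an argv array for
// the chosen tool; returns null if any value is rejected.
function flowtraq_argv(array $get, $root = './tools/') {
	static $allowed = array(          // the tools listed by ls above, minus ns2um
		'ns2countrysb', 'ns2countrysp', 'ns2countryss', 'ns2countrysuh', 'ns2countrysup',
		'ns2hostsb', 'ns2hostsp', 'ns2hostss', 'ns2hostsuh', 'ns2hostsup',
		'ns2pairsb', 'ns2pairsp', 'ns2pairss', 'ns2pairsup',
		'ns2portsb', 'ns2portsp', 'ns2portss', 'ns2portsuh', 'ns2sq');
	$tool = isset($get['function']) ? $get['function'] : 'ns2hostsb';
	if(!in_array($tool, $allowed, true)) {
		return null;                                  // not one of the shipped tools
	}
	$last = isset($get['last']) ? $get['last'] : '15m';
	if(!preg_match('/^[0-9]{1,4}[A-Za-z]$/', $last)) {
		return null;                                  // must look like 15m, 1h, 1Y
	}
	$rows   = max(1, min(128, isset($get['rows']) ? (int)$get['rows'] : 50));
	$server = isset($get['server']) ? $get['server'] : 'proquesys.com';
	$port   = isset($get['port']) ? (int)$get['port'] : 9640;
	$graph  = 'graphs/' . bin2hex(random_bytes(8)) . '.tga';   // unguessable name
	$argv = array($root . $tool, '-c+', '-tn', '-' . $last, '-s', $server,
	              '-p', (string)$port, '-r', (string)$rows, '-g', $graph);
	if(isset($get['query']) && $get['query'] !== '') {
		$argv[] = '-q';
		$argv[] = $get['query'];    // one argument, whatever characters it contains
	}
	return $argv;
}

// Run the tool with no shell in between; stdout (the CSV rows) comes back as lines.
function flowtraq_run(array $argv) {
	$proc = proc_open($argv, array(1 => array('pipe', 'w')), $pipes);
	if($proc === false) {
		return array();
	}
	$out = stream_get_contents($pipes[1]);
	fclose($pipes[1]);
	proc_close($proc);
	return $out === '' ? array() : explode("\n", rtrim($out, "\n"));
}

// Constructed request: the query carries shell metacharacters and rows exceeds
// the form's limit; the query stays one plain -q argument, rows is clamped to 128.
$argv = flowtraq_argv(array('function' => 'ns2sq', 'last' => '1h', 'rows' => '500',
                            'query' => '(SRVPORT==22) ; echo harmless'));
var_dump($argv[9] === '128' && end($argv) === '(SRVPORT==22) ; echo harmless');
```

The CSV lines returned by flowtraq_run() can be fed to the table-rendering snippet above unchanged.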

To get this up and running, simply extract the contents of the source code (provided in .tar.gz format) into a directory under your webroot and edit the tool-location variable ($tools; $root in the snippet above) in flowtraq.php to point to the directory where you’ve installed the FlowTraq command-line tools. You can also edit $server to point it to your own FlowTraq instance instead of our public demonstration server.