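function PrintCleanURL() {
    /*
     * Builds the link that toggles between the cleaned ("Plain") and the raw
     * ("Normal") payload display on base_qry_alert.php. -- Kevin
     *
     * Toggle state: ?asciiclean=1 selects the cleaned view; when the parameter
     * is absent, an "asciiclean" cookie equal to "clean" does the same.
     *
     * Returns an HTML <a> fragment. Every request-derived value is escaped for
     * the context it lands in: sort_order and minimal_view are urlencode()d
     * into the query string, and the whole query string is htmlspecialchars()ed
     * before going into the href attribute (CleanVariable() with VAR_PUNC may
     * still pass characters that are significant in HTML). minimal_view was
     * previously interpolated raw into the attribute, which is a reflected XSS.
     */
    $query = CleanVariable($_SERVER["QUERY_STRING"], VAR_PERIOD | VAR_DIGIT | VAR_PUNC | VAR_LETTER);
    $sort_order = ImportHTTPVar("sort_order", VAR_LETTER | VAR_USCORE);
    // only a scalar is usable here; an array (minimal_view[]=) would otherwise become "Array"
    $minimal_view = (isset($_GET['minimal_view']) && is_scalar($_GET['minimal_view'])) ? (string) $_GET['minimal_view'] : '';

    $clean_requested = isset($_GET['asciiclean']) && $_GET['asciiclean'] == 1;
    $clean_by_cookie = !isset($_GET['asciiclean']) && isset($_COOKIE['asciiclean']) && $_COOKIE['asciiclean'] == "clean";

    if ($clean_requested || $clean_by_cookie) {
        // currently showing the cleaned payload: link back to the raw display
        $asciiclean = 0;
        $label = _("Normal Display");
    } else {
        // currently showing the raw payload: link to the cleaned display
        $asciiclean = 1;
        $label = _("Plain Display");
    }

    $url = '<a href="base_qry_alert.php?' . htmlspecialchars($query, ENT_QUOTES);
    $url .= '&sort_order=' . urlencode($sort_order)
          . '&asciiclean=' . $asciiclean
          . '&minimal_view=' . urlencode($minimal_view)
          . '">' . $label . '</a>';
    return $url;
}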
</head> <body> <?php include "../hmenu.php"; ?> <div style="border:1px solid #AAAAAA;line-height:24px;width:100%;text-align:center;background:url('../pixmaps/fondo_col.gif') 50% 50% repeat-x;color:#222222;font-size:12px;font-weight:bold"> Shellcode Analysis </div> <?php
// Check role out and redirect if needed -- Kevin
$roleneeded = 10000;
$BUser = new BaseUser();
if ($BUser->hasRole($roleneeded) == 0 && $Use_Auth_System == 1) {
    base_header("Location: " . $BASE_urlpath . "/index.php");
    exit; // the redirect header alone would not stop the payload lookup below
}
// sid/cid are reduced to digits by ImportHTTPVar(); that mask is the only thing
// keeping the string-built SQL below from being injectable -- do not loosen it
$cid = ImportHTTPVar("cid", VAR_DIGIT);
$sid = ImportHTTPVar("sid", VAR_DIGIT);
//print $cid."<br>";
//print $sid."<br>";
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
/* Get the Payload from the database: */
$sql2 = "SELECT data_payload FROM extra_data WHERE sid='" . $sid . "' AND cid='" . $cid . "'";
$result2 = $db->baseExecute($sql2);
$myrow2 = $result2->baseFetchRow();
$result2->baseFreeRows();
/* get encoding information for payload */
/* 0 == hex, 1 == base64, 2 == ascii; */
// NOTE(review): sid is unquoted here; if ImportHTTPVar() yields "" for a missing
// sid this becomes "WHERE sid=" and the query fails with a syntax error -- confirm
$sql3 = 'SELECT encoding FROM sensor WHERE sid=' . $sid;
$result3 = $db->baseExecute($sql3);
$myrow3 = $result3->baseFetchRow();
$result3->baseFreeRows();
include_once "{$BASE_path}/base_stat_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_ag_common.php";
include_once "geoip.inc";

// remember this page as the default SIEM grouping view (fixed string, no request data)
$_SESSION["siem_default_group"] = "base_stat_sensor.php?sort_order=occur_d";

$geoloc = new Geolocation("/usr/share/geoip/GeoLiteCity.dat");
$et = new EventTiming($debug_time_mode);
$cs = new CriteriaState("base_stat_sensor.php");
$cs->ReadState();
$qs = new QueryState();

// Check role out and redirect if needed -- Kevin
// NOTE(review): the BaseUser role gate below is commented out and no other
// authorisation check (e.g. Session::logcheck) is visible in this fragment --
// confirm one runs in an earlier include before this listing is rendered.
$roleneeded = 10000;
#$BUser = new BaseUser();
#if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1)) base_header("Location: " . $BASE_urlpath . "/index.php");

// "submit" is whitelisted to the three delete actions; "complete" is forced to an int
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
$export = intval(ImportHTTPVar("complete", VAR_DIGIT)); // Called from report_launcher.php
$qs->MoveView($submit); /* increment the view if necessary */
$page_title = gettext("Sensor Listing");

/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password, 0, 1);
if ($event_cache_auto_update == 1) {
    UpdateAlertCache($db);
}
$criteria_clauses = ProcessCriteria();

// Include base_header.php
PrintBASESubHeader($page_title, $page_title, $cs->GetBackLink(), 1);
$mssp = Session::show_entities(); //intval($conf->get_conf("alienvault_mssp", FALSE));
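*/
require "base_conf.php";
require "vars_session.php";
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";

// remember this page as the default SIEM grouping view (fixed string, no request data)
$_SESSION["siem_default_group"] = "base_stat_alerts.php?sort_order=occur_d";

// Default sort order when none was requested. The isset() guard keeps the
// missing-parameter case from raising an undefined-index notice; the outcome
// (treat "" and absent alike) is unchanged.
if (!isset($_REQUEST['sort_order']) || $_REQUEST['sort_order'] == '') {
    $_GET['sort_order'] = 'occur_d';
}

$debug_time_mode >= 1 ? $et = new EventTiming($debug_time_mode) : '';
$cs = new CriteriaState("base_stat_alerts.php");

// "submit" is whitelisted to the three delete actions; "export" is forced to an int
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
$export = intval(ImportHTTPVar("export", VAR_DIGIT)); // Called from report_launcher.php
$cs->ReadState();

// Check role out and redirect if needed -- Kevin
// NOTE(review): the BaseUser role gate below is commented out and no other
// authorisation check is visible in this fragment -- confirm one runs in an
// earlier include before this listing is rendered.
$roleneeded = 10000;
#$BUser = new BaseUser();
#if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1)) base_header("Location: " . $BASE_urlpath . "/index.php");

$qs = new QueryState();
$qs->AddCannedQuery("most_frequent", $freq_num_alerts, gettext("Most Frequent Events"), "occur_d");
$qs->AddCannedQuery("last_alerts", $last_num_ualerts, gettext("Last Events"), "last_d");
$qs->MoveView($submit); /* increment the view if necessary */
$page_title = gettext("Event Listing");

/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password, 0, 1);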
*/
require 'base_conf.php';
require 'vars_session.php';
require_once 'classes/Util.inc';
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";
require_once 'classes/geolocation.inc';

// The fqdn flag is only copied into the session default-view string after it
// has been checked to be exactly "yes" or "no"; keep that check if this changes.
if (GET('fqdn') == 'yes' || GET('fqdn') == 'no') {
    $_SESSION['siem_default_group'] = "base_stat_iplink.php?sort_order=events_d&fqdn=" . GET('fqdn');
}

$geoloc = new Geolocation('/usr/share/geoip/GeoLiteCity.dat');

// "submit" is whitelisted to the three delete actions; fqdn is letters/spaces only
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
$fqdn = ImportHTTPVar("fqdn", VAR_ALPHA | VAR_SPACE);
$et = new EventTiming($debug_time_mode);
$cs = new CriteriaState("base_stat_iplink.php");
$cs->ReadState();

// Check role out and redirect if needed -- Kevin
// NOTE(review): the BaseUser role gate below is commented out and no other
// authorisation check is visible in this fragment -- confirm one runs in an
// earlier include before this page is rendered.
$roleneeded = 10000;
#$BUser = new BaseUser();
#if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1)) base_header("Location: " . $BASE_urlpath . "/index.php");

$qs = new QueryState();
$qs->AddCannedQuery("most_frequent", $freq_num_alerts, gettext("Most Frequent Events"), "occur_d");
$qs->AddCannedQuery("last_alerts", $last_num_ualerts, gettext("Last Events"), "last_d");
$qs->MoveView($submit); /* increment the view if necessary */
$page_title = gettext("IP Links");

/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
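function Action_del_alert_post($action_arg, &$action_ctx, $db, &$num_alert, $action_cnt, $context, $deltmp) {
    /*
     * Post-action hook for alert deletion: decrements the running alert count
     * by what was just removed and, when a deferred-delete SQL file was
     * produced, hands it to ossim-db in the background.
     *
     * $num_alert   (by ref) alert count to decrement
     * $action_cnt  number of alerts the detail view operated on
     * $context     1 == detail alert list; anything else == list view
     * $deltmp      path of the SQL file holding the queued deletes; "" == none.
     *              Where it originates is not visible here, so it is shell-escaped
     *              before being interpolated into the command.
     * $action_arg, $action_ctx, $db  unused here; kept for the hook signature
     */
    $sel_cnt = 0;
    $action_lst_cnt = count(ImportHTTPVar("action_lst"));
    $action_chk_lst = ImportHTTPVar("action_chk_lst");

    /* count the number of check boxes selected */
    for ($i = 0; $i < $action_lst_cnt; $i++) {
        if (isset($action_chk_lst[$i])) {
            $sel_cnt++;
        }
    }

    if ($sel_cnt > 0) {
        /* 1 or more check boxes selected ? */
        $num_alert -= $sel_cnt;
    } elseif ($context == 1) {
        /* detail alert list ? */
        $num_alert -= $action_cnt;
    } else {
        $num_alert -= count(ImportHTTPVar("action_chk_lst"));
    }

    if ($deltmp != "") {
        // launch delete in background; the task id is the part after the first "_"
        $rnd = explode("_", $deltmp);
        $_SESSION["deletetask"] = isset($rnd[1]) ? $rnd[1] : null;
        //error_log("launch $deltmp\n",3,"/var/tmp/dellog");
        // escapeshellarg() so a path containing shell metacharacters cannot alter
        // the pipeline; the program and redirect targets are fixed strings
        shell_exec("nohup cat " . escapeshellarg($deltmp) . " | /usr/bin/ossim-db snort > /var/tmp/latest_siem_events_purge.sql.log 2>&1 &");
        echo "<script>bgtask();</script>\n";
    }
}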
die("If you wish to re-run the setup routine, please either move OR delete your previous base_conf file first.");
}
$errorMsg = '';
if (@$_GET['action'] == "check") {
    // form was submitted do the checks!
    // Connection parameters are character-filtered by ImportHTTPVar(); the
    // user names and passwords are taken unmasked since they may contain anything.
    $dbtype = ImportHTTPVar("dbtype", VAR_ALPHA);
    $dbport = ImportHTTPVar("dbport", VAR_DIGIT);
    $dbhost = ImportHTTPVar("dbhost", VAR_ALPHA | VAR_PERIOD | VAR_SCORE);
    $dbusername = ImportHTTPVar("dbusername");
    $dbpasswd = ImportHTTPVar("dbpasswd");
    $dbname = ImportHTTPVar("dbname", VAR_ALPHA | VAR_SCORE | VAR_USCORE);
    $arcdbport = ImportHTTPVar("arcdbport", VAR_DIGIT);
    $arcdbhost = ImportHTTPVar("arcdbhost", VAR_ALPHA | VAR_PERIOD | VAR_SCORE);
    $arcdbusername = ImportHTTPVar("arcdbusername");
    $arcdbpasswd = ImportHTTPVar("arcdbpasswd");
    $arcdbname = ImportHTTPVar("arcdbname", VAR_ALPHA | VAR_SCORE | VAR_USCORE);
    // $dbtype selects the ADOdb driver; the VAR_ALPHA mask is what keeps it free
    // of path characters (assumes the mask excludes "." and "/" -- confirm)
    $db = NewADOConnection($dbtype);
    // "host:port" form only when a port was supplied
    $dbconnect = $db->Connect($dbport == "" ? $dbhost : $dbhost . ":" . $dbport, $dbusername, $dbpasswd, $dbname);
    if (!$dbconnect) {
        $errorMsg = $errorMsg . "Database connection failed!<br>Please try again!";
        $error = 1;
    }
    // NOTE(review): the connect result does not gate the store below -- the
    // submitted settings (plaintext password included) go into the session even
    // when the connection failed; confirm later setup steps re-check $error.
    $_SESSION['dbtype'] = $dbtype;
    $_SESSION['dbhost'] = $dbhost;
    $_SESSION['dbport'] = $dbport;
    $_SESSION['dbname'] = $dbname;
    $_SESSION['dbusername'] = $dbusername;
    $_SESSION['dbpasswd'] = $dbpasswd;
    $_SESSION['usearchive'] = 0;
    // the action flag arrives via GET but the archive checkbox via POST
    if (@$_POST['usearchive'] == "on") {
        $_SESSION['usearchive'] = 1;
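include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";

// Authorisation gate for the forensics timeline (what logcheck does on failure
// is defined in Session, not visible here)
Session::logcheck("MenuEvents", "EventsForensics");

include "geoip.inc";
require_once 'classes/Util.inc';
$gi = geoip_open("/usr/share/geoip/GeoIP.dat", GEOIP_STANDARD);
$hosts_ips = array_keys($hosts);

$debug_time_mode >= 1 ? $et = new EventTiming($debug_time_mode) : '';
$cs = new CriteriaState("base_timeline.php");

// "submit" is whitelisted to the three delete actions; max/resolution get defaults
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
$max = ImportHTTPVar("max", VAR_DIGIT);
if (!$max) {
    $max = 50;
}
$resolution = ImportHTTPVar("resolution", VAR_ALPHA);
if ($resolution == "") {
    $resolution = "m";
}
// $cs->ReadState();

// Check role out and redirect if needed -- Kevin
$roleneeded = 10000;
$BUser = new BaseUser();
if ($BUser->hasRole($roleneeded) == 0 && $Use_Auth_System == 1) {
    base_header("Location: " . $BASE_urlpath . "/index.php");
    // A Location header alone does not stop the script: without this exit the
    // rest of the page would still be built and sent to the unauthorised user.
    exit;
}

$qs = new QueryState();
$qs->AddCannedQuery("most_frequent", $freq_num_alerts, gettext("Most Frequent Events"), "occur_d");
$qs->AddCannedQuery("last_alerts", $last_num_ualerts, gettext("Last Events"), "last_d");
$qs->MoveView($submit);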
function Import() {
    /*
     * Load the IP-address criteria from the session and expand every row whose
     * slot 3 looks like a dotted address into octets: slots 3..6 receive the
     * four octets (slot 6 stops at a "/"), slot 10 whatever follows the "/",
     * and slot 7 keeps the original string. Rows without a parsable slot 3 are
     * passed through untouched. The rebuilt list is bound back into $_SESSION
     * by reference.
     */
    parent::Import();
    include dirname(__FILE__) . '/../base_conf.php';

    $rebuilt = NULL;
    $dotted = "/([0-9]*)\\.([0-9]*)\\.([0-9]*)\\.([0-9]*)/";

    $this->criteria = $_SESSION['ip_addr'];
    $this->criteria_cnt = $_SESSION['ip_addr_cnt'];

    for ($idx = 0; $idx < $this->criteria_cnt; $idx++) {
        $row = $this->criteria[$idx];
        if (isset($row[3]) && preg_match($dotted, $row[3])) {
            /* expand IP into octets, remembering the original in slot 7 */
            $whole = $row[7] = $row[3];
            $row[3] = strtok($whole, ".");
            $row[4] = strtok(".");
            $row[5] = strtok(".");
            $row[6] = strtok("/");
            $row[10] = strtok("");
        }
        $rebuilt[] = $row;
    }

    $this->criteria = $rebuilt;
    $this->criteria_cnt = count($rebuilt);

    // Read but deliberately not acted on: returning to the search form
    // (new=1 without submit) must keep all criteria, so nothing is reset here.
    $new = ImportHTTPVar("new", VAR_DIGIT);
    $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);

    if ($this->criteria_cnt == "") {
        $this->criteria_cnt = 1;
    }

    $_SESSION['ip_addr'] =& $this->criteria;
    $_SESSION['ip_addr_cnt'] =& $this->criteria_cnt;
}
** Built upon work by the BASE Project Team <*****@*****.**>
*/
require "base_conf.php";
require "vars_session.php";
require_once 'classes/Util.inc';
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";

// AJAX helper for one plugin row. The SQL template is prepared by the listing
// page and kept in the session; without it there is nothing to run.
if ($_SESSION['_siem_plugins_query'] == "") {
    echo "-##-";
    die;
}

// Request values are substituted into the session SQL template with
// str_replace(), so the ImportHTTPVar() masks (digits/underscore, hex) are
// the only thing keeping request data from altering the query -- do not loosen them.
$plugin_id = ImportHTTPVar("plugin", VAR_DIGIT | VAR_USCORE);
$device_id = ImportHTTPVar("id", VAR_HEX);
$sql = str_replace("DID", $device_id, $_SESSION['_siem_plugins_query']);
// "<id>_<subcat>" form fills PLUGIN_ID and SUBCAT separately (the pattern is
// unanchored, but the mask above only admits digits and "_" anyway)
if (preg_match("/\\d+_\\d+/", $plugin_id)) {
    $sc = explode("_", $plugin_id);
    $sql = str_replace("PLUGIN_ID", $sc[0], str_replace("SUBCAT", $sc[1], $sql));
} else {
    $sql = str_replace("PLUGIN_ID", $plugin_id, $sql);
}

session_write_close();
$tz = Util::get_timezone();
$qs = new QueryState();
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
$name = $timestamp = '-';
$rs = $qs->ExecuteOutputQueryNoCanned($sql, $db);
if ($row = $rs->baseFetchRow()) {
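** (see the file 'base_main.php' for license details)
**
** Built upon work by Roman Danyliw <*****@*****.**>, <*****@*****.**>
** Built upon work by the BASE Project Team <*****@*****.**>
*/
require "base_conf.php";
require "vars_session.php";
require_once 'classes/Util.inc';
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";

/*
 * AJAX helper: prints "<src count>##<dst count>" for one device/port row.
 * The SQL template is prepared by the listing page and kept in the session;
 * without it there is nothing to run, so answer with the empty marker.
 */
if ($_SESSION['_siem_port_query'] == "") {
    echo "-##-";
    die;
}

// Both values are substituted into the SQL template with str_replace(), so the
// ImportHTTPVar() masks (hex, digits) are the only thing keeping request data
// from altering the query -- do not loosen them.
$device_id = ImportHTTPVar("id", VAR_HEX);
$ip_port = ImportHTTPVar("port", VAR_DIGIT);
$sql = str_replace("DEVICEID", $device_id, str_replace("IP_PORT", $ip_port, $_SESSION['_siem_port_query']));

session_write_close();
$qs = new QueryState();
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);

// Default to empty strings so a query with no rows still prints "##" (the
// same output as before) instead of raising undefined-variable notices.
$src_addrs = $dst_addrs = '';
$rs = $qs->ExecuteOutputQueryNoCanned($sql, $db);
if ($row = $rs->baseFetchRow()) {
    $src_addrs = $row[0];
    $dst_addrs = $row[1];
}
$rs->baseFreeRows();
echo "{$src_addrs}##{$dst_addrs}";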
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/includes/base_action.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_common.php";
include_once "{$BASE_path}/base_ag_common.php";
include_once "{$BASE_path}/base_qry_common.php";
require_once 'av_init.php';

/* Authorisation gate: the forensics query builder requires EventsForensics */
Session::logcheck("analysis-menu", "EventsForensics");

/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);

$cs = new CriteriaState("base_qry_main.php", "&new=1&submit=" . gettext("Query+DB"));
$cs->ReadState();

/*
 * "submit" carries the value of whichever form button was pressed. It is
 * whitelisted against the known button labels and then HTML-escaped, since
 * it is echoed back into the page further down.
 */
$allowed_submit = array(
    gettext("Delete Selected"),
    gettext("Delete ALL on Screen"),
    gettext("Delete Entire Query"),
    gettext("Query DB"),
    gettext("ADD TIME"),
    gettext("ADD Addr"),
    gettext("ADD IP Field"),
    gettext("ADD TCP Port"),
    gettext("ADD TCP Field"),
    gettext("ADD UDP Port"),
    gettext("ADD UDP Field"),
    _ADDICMPFIELD,
);
$submit = Util::htmlentities(ImportHTTPVar("submit", VAR_DIGIT | VAR_PUNC | VAR_LETTER, $allowed_submit));

/* layer-4 protocol selector: TCP/UDP/ICMP set it, "no layer4" clears it */
switch ($submit) {
    case "TCP":
        $cs->criteria['layer4']->Set("TCP");
        break;
    case "UDP":
        $cs->criteria['layer4']->Set("UDP");
        break;
    case "ICMP":
        $cs->criteria['layer4']->Set("ICMP");
        break;
    case gettext("no layer4"):
        $cs->criteria['layer4']->Set("");
        break;
}

/* add another time-criteria row, bounded by $MAX_ROWS */
if ($submit == gettext("ADD TIME") && $cs->criteria['time']->GetFormItemCnt() < $MAX_ROWS) {
    $cs->criteria['time']->AddFormItem($submit, $cs->criteria['layer4']->Get());
}
$db = NewBASEDBConnection($DBlib_path, $DBtype);
/* FIXME: OSSIM */
/* This used to break the port filters, have to look deeply on this maybe changing db_connect_method in base_conf.php */
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
$cs = new CriteriaState("base_stat_ports.php");
$cs->ReadState();

// Check role out and redirect if needed -- Kevin
// NOTE(review): only the role constant survives here; no authorisation check
// is visible in this fragment -- confirm one runs in an earlier include.
$roleneeded = 10000;
$port_proto = "TCP";
$qs = new QueryState();
$qs->AddCannedQuery("most_frequent", $freq_num_uports, gettext("Most Frequent Ports"), "occur_d");
$qs->AddCannedQuery("last_ports", $last_num_uports, gettext("Last Ports"), "last_d");

// "submit" is whitelisted to the three delete actions; port_type/proto are
// numeric selectors (proto also admits punctuation, e.g. "-1")
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
$port_type = ImportHTTPVar("port_type", VAR_DIGIT);
$proto = ImportHTTPVar("proto", VAR_DIGIT | VAR_PUNC);
$qs->MoveView($submit); /* increment the view if necessary */

$page_title = "";
// TCP / UDP / SOURCE_PORT are constants defined elsewhere (not visible here);
// the switch picks the page title and the sprintf() template for the listing header
switch ($proto) {
    case TCP:
        $page_title = gettext("Unique") . " TCP ";
        $displaytitle = $port_type == SOURCE_PORT ? gettext("Displaying source tcp ports %d-%d of <b>%s</b> matching your selection. <b>%s</b> total events in database.") : gettext("Displaying destination tcp ports %d-%d of <b>%s</b> matching your selection. <b>%s</b> total events in database.");
        break;
    case UDP:
        $page_title = gettext("Unique") . " UDP ";
        $displaytitle = $port_type == SOURCE_PORT ? gettext("Displaying source udp ports %d-%d of <b>%s</b> matching your selection. <b>%s</b> total events in database.") : gettext("Displaying destination udp ports %d-%d of <b>%s</b> matching your selection. <b>%s</b> total events in database.");
        break;
    case -1:
        $page_title = gettext("Unique") . " ";
        $displaytitle = $port_type == SOURCE_PORT ? gettext("Displaying source ports %d-%d of <b>%s</b> matching your selection. 
<b>%s</b> total events in database.") : gettext("Displaying destination ports %d-%d of <b>%s</b> matching your selection. <b>%s</b> total events in database.");
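function Import() {
    /*
     * Rebuild the IP-address criteria from the session.
     *
     * Every row whose slot 3 looks like a dotted address is expanded: slots 3..6
     * get the four octets (slot 6 stops at a "/"), slot 10 whatever follows the
     * "/", and slot 7 keeps the original string. When an OSSIM session restricts
     * the user to a set of allowed networks, only addresses inside those
     * networks are kept (and their operator in slot 2 is forced to "=");
     * if that leaves no criteria at all, one "ip_both =" row per allowed
     * network, OR-ed together, is synthesised instead. Rows that already carry
     * a dotted address in slot 7 (expanded on a previous pass) are kept as is.
     * The result is bound back into $_SESSION by reference.
     *
     * ereg() was removed in PHP 7; preg_match() with the same (deliberately
     * loose) pattern keeps the old matching behaviour.
     */
    parent::Import();
    require dirname(__FILE__) . '/../base_conf.php';
    $vals = NULL;
    $empty = 1;
    $ip_pattern = "/([0-9]*)\\.([0-9]*)\\.([0-9]*)\\.([0-9]*)/";

    /* expand IP into octets */
    $this->criteria = $_SESSION['ip_addr'];
    $this->criteria_cnt = $_SESSION['ip_addr_cnt'];
    for ($i = 0; $i < $this->criteria_cnt; $i++) {
        if (isset($this->criteria[$i][3]) && preg_match($ip_pattern, $this->criteria[$i][3])) {
            if ($use_ossim_session && Session::allowedNets()) {
                require_once 'classes/Net.inc';
                $domain = Session::allowedNets();
                if ($domain != "") {
                    // compare the bare address (mask stripped) against the allowed nets;
                    // addresses outside them are dropped silently
                    $tmp_myip = $this->criteria[$i][3];
                    $myip = strtok($tmp_myip, "/");
                    if (Net::isIpInNet($myip, $domain)) {
                        $tmp_ip_str = $this->criteria[$i][7] = $this->criteria[$i][3];
                        $this->criteria[$i][2] = "=";
                        $this->criteria[$i][3] = strtok($tmp_ip_str, ".");
                        $this->criteria[$i][4] = strtok(".");
                        $this->criteria[$i][5] = strtok(".");
                        $this->criteria[$i][6] = strtok("/");
                        $this->criteria[$i][10] = strtok("");
                        $empty = 0;
                        $vals[] = $this->criteria[$i];
                    }
                }
            } else {
                $tmp_ip_str = $this->criteria[$i][7] = $this->criteria[$i][3];
                $this->criteria[$i][3] = strtok($tmp_ip_str, ".");
                $this->criteria[$i][4] = strtok(".");
                $this->criteria[$i][5] = strtok(".");
                $this->criteria[$i][6] = strtok("/");
                $this->criteria[$i][10] = strtok("");
                $empty = 0;
                $vals[] = $this->criteria[$i];
            }
        } elseif (is_array($this->criteria[$i]) && array_key_exists(7, $this->criteria[$i]) && preg_match($ip_pattern, $this->criteria[$i][7])) {
            // already expanded on a previous pass
            $empty = 0;
            $vals[] = $this->criteria[$i];
        }
    }
    //print_r ($this->criteria);
    $this->criteria = $vals;
    $this->criteria_cnt = count($vals);

    if ($use_ossim_session && $empty) {
        // no usable criteria: restrict the query to the allowed networks instead
        $domain = Session::allowedNets();
        if ($domain != "") {
            $nets = explode(",", $domain);
            $this->criteria = array();
            for ($i = 0; $i < count($nets); $i++) {
                $tmp_ip_str = $tmp[7] = $nets[$i];
                $tmp[0] = " ";
                $tmp[1] = "ip_both";
                $tmp[2] = "=";
                $tmp[3] = strtok($tmp_ip_str, ".");
                $tmp[4] = strtok(".");
                $tmp[5] = strtok(".");
                $tmp[6] = strtok("/");
                $tmp[10] = strtok("");
                $tmp[8] = " ";
                // slot 9 joins rows: OR between nets, blank after the last one
                if ($i == count($nets) - 1) {
                    $tmp[9] = " ";
                } else {
                    $tmp[9] = "OR";
                }
                $this->criteria[$this->criteria_cnt] = $tmp;
                $this->criteria_cnt++;
            }
        }
    }

    $new = ImportHTTPVar("new", VAR_DIGIT);
    $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
    // a fresh search form (new=1 without submit) starts from empty criteria
    if ($new == 1 && $submit == "") {
        $this->criteria = NULL;
        $this->criteria_cnt = 1;
    }
    if ($this->criteria_cnt == "") {
        $this->criteria_cnt = 1;
    }
    //print_r ($this->criteria);
    $_SESSION['ip_addr'] =& $this->criteria;
    $_SESSION['ip_addr_cnt'] =& $this->criteria_cnt;
}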
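$errorMsg = '';
// initialised up front so a failed opendir() still yields an (empty) whitelist
// for the language check below instead of an undefined variable
$languages = array();

/* build array of languages */
$i = 0;
if ($handle = opendir('../languages')) {
    while (false !== ($file = readdir($handle))) {
        if ($file != "." && $file != ".." && $file != "CVS" && $file != "index.php") {
            $filename = explode(".", $file);
            $languages[$i] = $filename[0];
            $i++;
        }
    }
    closedir($handle);
}

if (@$_GET['action'] == "check") {
    // form has been submitted. Check answers.
    // "language" is whitelisted against the directory listing built above
    $_SESSION['language'] = ImportHTTPVar("language", "", $languages);

    // Check path to ADODB. The value is user supplied and is kept in the session
    // for later setup steps (what they do with it is not visible here), so it is
    // reduced to a plain string and an empty value is treated as "not found"
    // rather than being tested as "/adodb.inc.php".
    $adodbpath = (isset($_POST['adodbpath']) && is_string($_POST['adodbpath'])) ? $_POST['adodbpath'] : '';
    $adodbexists = $adodbpath != '' && file_exists($adodbpath . "/adodb.inc.php");
    if ($adodbexists != 1) {
        $errorMsg = $errorMsg . "<br>The Path to ADODB does not appear to be correct!<br>";
        $errorMsg = $errorMsg . "Please correct.";
        $error = 1;
    } else {
        $_SESSION['adodbpath'] = $adodbpath;
        $error = 0;
    }
    if ($error != 1) {
        header("Location: setup2.php");
    }
    exit;
}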
**
** Built upon work by Roman Danyliw <*****@*****.**>, <*****@*****.**>
** Built upon work by the BASE Project Team <*****@*****.**>
*/
include_once 'base_conf.php';
include_once "{$BASE_path}/includes/base_constants.inc.php";
include_once "{$BASE_path}/includes/base_include.inc.php";

// Check role out and redirect if needed -- Kevin
// NOTE(review): the BaseUser role gate below is commented out and no other
// authorisation check is visible in this fragment, yet the code serves raw
// event payloads for download -- confirm a gate runs in an earlier include.
$roleneeded = 10000;
#$BUser = new BaseUser();
#if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1)) {
# base_header("Location: " . $BASE_urlpath . "/index.php");
# exit();
#}

// id is reduced to letters/digits; that mask is what keeps the unhex('...')
// literal below from being broken out of -- do not loosen it
$id = ImportHTTPVar("id", VAR_DIGIT | VAR_LETTER);
$download = ImportHTTPVar("download", VAR_DIGIT);
if ($download == 1) {
    /* Connect to the Alert database */
    $db = NewBASEDBConnection($DBlib_path, $DBtype);
    $db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
    /* Get the Payload from the database: */
    $sql2 = "SELECT data_payload,binary_data FROM alienvault_siem.extra_data WHERE event_id=unhex('{$id}')";
    $result2 = $db->baseExecute($sql2);
    $myrow2 = $result2->baseFetchRow();
    $result2->baseFreeRows();
    // fall back to the second schema when the event is not in alienvault_siem
    if (empty($myrow2)) {
        $sql2 = "SELECT data_payload,binary_data FROM alienvault.extra_data WHERE event_id=unhex('{$id}')";
        $result2 = $db->baseExecute($sql2);
        $myrow2 = $result2->baseFetchRow();
        $result2->baseFreeRows();
    }
// graph data was prepared by the calling page and handed over via the session
$xdata = $_SESSION['xdata'];

// Rendering parameters: numeric ones are digit-filtered, text ones letters/spaces only
$width = ImportHTTPVar("width", VAR_DIGIT);
$height = ImportHTTPVar("height", VAR_DIGIT);
$pmargin0 = ImportHTTPVar("pmargin0", VAR_DIGIT);
$pmargin1 = ImportHTTPVar("pmargin1", VAR_DIGIT);
$pmargin2 = ImportHTTPVar("pmargin2", VAR_DIGIT);
$pmargin3 = ImportHTTPVar("pmargin3", VAR_DIGIT);
$title = ImportHTTPVar("title", VAR_ALPHA | VAR_SPACE);
$xaxis_label = ImportHTTPVar("xaxis_label", VAR_ALPHA | VAR_SPACE);
$yaxis_label = ImportHTTPVar("yaxis_label", VAR_ALPHA | VAR_SPACE);
$yaxis_scale = ImportHTTPVar("yaxis_scale", VAR_DIGIT);
$xaxis_grid = ImportHTTPVar("xaxis_grid", VAR_DIGIT);
$yaxis_grid = ImportHTTPVar("yaxis_grid", VAR_DIGIT);
$rotate_xaxis_lbl = ImportHTTPVar("rotate_xaxis_lbl", VAR_DIGIT);
$style = ImportHTTPVar("style", VAR_ALPHA);
$chart_type = ImportHTTPVar("chart_type", VAR_DIGIT);

// NOTE(review): width/height are request-controlled and, outside the world-map
// case, are passed straight to the image factory -- no upper bound is visible
// here, so very large values would drive memory use; confirm a limit exists upstream.
if ($chart_type == 15 || $chart_type == 17) {
    // Number of alerts spread over a worldmap: width and height
    // MUST be constant. At least as of Image_Graph-0.7.2
    // Otherwise the coordinates file must be regenerated. And this
    // is NOT possible during runtime (as of version 0.7.2)
    $Graph =& Image_Graph::factory('graph', array(1800, 913));
    //$Graph =& Image_Graph::factory('graph', array(600, 300));
} elseif ($yaxis_scale == 1 && $style != 'pie') {
    // the old form of instantiation does not seem to work
    // any more with PEAR::Image_Canvas-0.3.1 with logarithmic
    // y-axes. So factory-method is required.
    $Graph =& Image_Graph::factory('graph', array($width, $height));
} else {
    // Create the graph area, legends on bottom -- Alejandro
    $Graph =& new Image_Graph(array('driver' => 'gd', 'width' => $width, 'height' => $height));
function ReadState() {
    /*
     * Pull the query/navigation state for this request out of the HTTP
     * variables. Every value is character-filtered by ImportHTTPVar() with
     * the mask listed beside it; action_chk_lst and action_lst are arrays.
     */
    $state_vars = array(
        // property            => array(HTTP variable, allowed characters)
        'current_canned_query' => array("caller",          VAR_LETTER | VAR_USCORE),
        'num_result_rows'      => array("num_result_rows", VAR_DIGIT | VAR_SCORE),
        'current_sort_order'   => array("sort_order",      VAR_LETTER | VAR_USCORE),
        // with CALC_FOUND_ROWS the view starts at 0 and is no longer forced to 1 here
        'current_view'         => array("current_view",    VAR_DIGIT),
        'action_arg'           => array("action_arg",      VAR_ALPHA | VAR_PERIOD | VAR_USCORE | VAR_SCORE | VAR_AT),
        'action_chk_lst'       => array("action_chk_lst",  VAR_ALPHA | VAR_PUNC),             /* array */
        'action_lst'           => array("action_lst",      VAR_ALPHA | VAR_PUNC | VAR_SCORE), /* array */
        'action'               => array("action",          VAR_ALPHA | VAR_USCORE),
    );
    foreach ($state_vars as $property => $spec) {
        list($http_name, $mask) = $spec;
        $this->$property = ImportHTTPVar($http_name, $mask);
    }
}
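function Import() {
    /*
     * Rebuild the IP-address criteria from the session.
     *
     * Every row whose slot 3 looks like a dotted address is expanded: slots 3..6
     * get the four octets (slot 6 stops at a "/"), slot 10 whatever follows the
     * "/", and slot 7 keeps the original string. Rows that already carry a
     * dotted address in slot 7 (expanded on a previous pass) are kept as is;
     * anything else is dropped. The result is bound back into $_SESSION by
     * reference.
     *
     * Filtering by Session::allowedNets() used to happen here; it was removed
     * because it broke functionality -- the main query applies the allowed-nets
     * restriction itself.
     *
     * ereg() was removed in PHP 7; preg_match() with the same (deliberately
     * loose) pattern keeps the old matching behaviour.
     */
    parent::Import();
    include dirname(__FILE__) . '/../base_conf.php';
    $vals = NULL;
    $ip_pattern = "/([0-9]*)\\.([0-9]*)\\.([0-9]*)\\.([0-9]*)/";

    /* expand IP into octets */
    $this->criteria = $_SESSION['ip_addr'];
    $this->criteria_cnt = $_SESSION['ip_addr_cnt'];
    for ($i = 0; $i < $this->criteria_cnt; $i++) {
        if (isset($this->criteria[$i][3]) && preg_match($ip_pattern, $this->criteria[$i][3])) {
            $tmp_ip_str = $this->criteria[$i][7] = $this->criteria[$i][3];
            $this->criteria[$i][3] = strtok($tmp_ip_str, ".");
            $this->criteria[$i][4] = strtok(".");
            $this->criteria[$i][5] = strtok(".");
            $this->criteria[$i][6] = strtok("/");
            $this->criteria[$i][10] = strtok("");
            $vals[] = $this->criteria[$i];
        } elseif (is_array($this->criteria[$i]) && array_key_exists(7, $this->criteria[$i]) && preg_match($ip_pattern, $this->criteria[$i][7])) {
            // already expanded on a previous pass
            $vals[] = $this->criteria[$i];
        }
    }
    $this->criteria = $vals;
    $this->criteria_cnt = count($vals);

    // Read but deliberately not acted on: returning to the search form
    // (new=1 without submit) must keep all criteria, so nothing is reset here.
    $new = ImportHTTPVar("new", VAR_DIGIT);
    $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);

    if ($this->criteria_cnt == "") {
        $this->criteria_cnt = 1;
    }
    $_SESSION['ip_addr'] =& $this->criteria;
    $_SESSION['ip_addr_cnt'] =& $this->criteria_cnt;
}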
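include "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/includes/base_action.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_ag_common.php";

$debug_time_mode >= 1 ? $et = new EventTiming($debug_time_mode) : '';
$cs = new CriteriaState("base_ag_main.php");
$cs->ReadState();
$qs = new QueryState();

// "submit" is whitelisted to the three delete actions; ag_action is a bare word.
// ag_id/ag_name/ag_desc feed the alert-group SQL later on, hence filterSql().
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
$ag_action = ImportHTTPVar("ag_action", VAR_ALPHA | VAR_USCORE);
//$ag_id = ImportHTTPVar("ag_id", VAR_DIGIT);
$ag_id = filterSql(ImportHTTPVar("ag_id", VAR_DIGIT));
$ag_name = filterSql(ImportHTTPVar("ag_name"));
$ag_desc = filterSql(ImportHTTPVar("ag_desc"));

// Check role out and redirect if needed -- Kevin
$roleneeded = 10000;
$BUser = new BaseUser();
if ($BUser->hasRole($roleneeded) == 0 && $Use_Auth_System == 1) {
    base_header("Location: " . $BASE_urlpath . "/index.php");
    // A Location header alone does not stop the script: without this exit the
    // alert-group maintenance below would still run for an unauthorised user.
    exit;
}

$page_title = gettext("Event Group (AG) Maintenance");
PrintBASESubHeader($page_title, $page_title, $cs->GetBackLink(), 1);

/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);

/* a browsing button was clicked */
if (is_numeric($submit)) {
    if ($debug_mode > 0) {
        ErrorMessage("Browsing Clicked ({$submit})");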
** Built upon work by the BASE Project Team <*****@*****.**>
*/
require "base_conf.php";
require "vars_session.php";
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";

// AJAX helper for one signature row. Both SQL templates are prepared by the
// listing page and kept in the session; without them there is nothing to run.
if ($_SESSION['siem_current_query_graph'] == "" || $_SESSION['siem_alerts_query'] == "") {
    echo "-##-##-";
    die;
}

// NOTE(review): Util is used here but no require of classes/Util.inc is visible
// in this fragment -- presumably pulled in by one of the includes above; confirm.
$tz = Util::get_timezone();

// Both ids are substituted into the session SQL templates with str_replace(),
// so the VAR_DIGIT masks are the only thing keeping request data from altering
// the queries -- do not loosen them.
$plugin_id = ImportHTTPVar("id", VAR_DIGIT);
$plugin_sid = ImportHTTPVar("sid", VAR_DIGIT);
$sqlgraph = str_replace("PLUGINSID", $plugin_sid, str_replace("PLUGINID", $plugin_id, $_SESSION['siem_current_query_graph']));
$sql = str_replace("PLUGINSID", $plugin_sid, str_replace("PLUGINID", $plugin_id, $_SESSION['siem_alerts_query']));

session_write_close();
$qs = new QueryState();
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
$rs = $qs->ExecuteOutputQuery($sql, $db);
if ($row = $rs->baseFetchRow()) {
    // the signature selector is urlencoded into the link; the counts come from the DB
    $addr_link = '&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=' . urlencode($plugin_id . ";" . $plugin_sid);
    $src_addrs = BuildUniqueAddressLink(1, $addr_link) . $row[0] . '</A>';
    $dst_addrs = BuildUniqueAddressLink(2, $addr_link) . $row[1] . '</A>';
    $last = get_utc_unixtime($db, $row[2]);
}
$rs->baseFreeRows();
if ($tz != 0) {
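/**
 * Post-action hook for the "delete alert" action.
 *
 * Adjusts the running alert counter ($num_alert, passed by reference) by the
 * number of alerts the action just removed, as derived from the submitted
 * "action_lst" and "action_chk_lst" form fields:
 *  - if one or more check boxes were ticked, subtract the ticked count;
 *  - otherwise, on the detail alert list ($context == 1), subtract $action_cnt;
 *  - otherwise subtract the size of the submitted "action_chk_lst".
 *
 * Only $num_alert is modified here; $action_arg, $action_ctx, $db and $deltmp
 * are accepted for signature compatibility with the other action hooks and are
 * not read by this function.
 */
function Action_del_alert_post($action_arg, &$action_ctx, $db, &$num_alert, $action_cnt, $context, $deltmp) {
    $action_lst = ImportHTTPVar("action_lst");
    $action_chk_lst = ImportHTTPVar("action_chk_lst");

    // When a field is absent or malformed ImportHTTPVar() does not yield an
    // array (its exact default is not visible here); count() on a
    // non-countable value is a TypeError under PHP 8, so normalise both lists
    // before counting.  A non-array "action_chk_lst" is treated as no
    // selection rather than letting string offsets be counted as ticked boxes.
    $action_lst_cnt = is_array($action_lst) ? count($action_lst) : 0;
    if (!is_array($action_chk_lst)) {
        $action_chk_lst = array();
    }

    /* count the number of check boxes selected */
    $sel_cnt = 0;
    for ($i = 0; $i < $action_lst_cnt; $i++) {
        if (isset($action_chk_lst[$i])) {
            $sel_cnt++;
        }
    }

    if ($sel_cnt > 0) { /* 1 or more check boxes selected ? */
        $num_alert -= $sel_cnt;
    } elseif ($context == 1) { /* detail alert list ? */
        $num_alert -= $action_cnt;
    } else {
        // Same request field as above: reuse the normalised copy instead of
        // importing it a second time.
        $num_alert -= count($action_chk_lst);
    }
}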
echo Util::get_css_id(); ?> "> </head> <body> <div style="border:1px solid #AAAAAA;line-height:24px;width:100%;text-align:center;background:url('../pixmaps/fondo_col.gif') 50% 50% repeat-x;color:#222222;font-size:12px;font-weight:bold"> Shellcode Analysis </div> <?php // Check role out and redirect if needed -- Kevin $roleneeded = 10000; #$BUser = new BaseUser(); #if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1)) { # base_header("Location: " . $BASE_urlpath . "/index.php"); # exit(); #} $id = ImportHTTPVar("id", VAR_DIGIT | VAR_LETTER); $db = NewBASEDBConnection($DBlib_path, $DBtype); $db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password); /* Get the Payload from the database: */ $sql2 = "SELECT data_payload,binary_data FROM extra_data WHERE event_id=unhex('{$id}')"; $result2 = $db->baseExecute($sql2); $myrow2 = $result2->baseFetchRow(); $result2->baseFreeRows(); //print $myrow2[0]."<br>"; $payload = str_replace("\n", "", $myrow2[0]); $len = strlen($payload); $counter = 0; $tmp = tempnam("/tmp", "bin"); $fh = fopen($tmp, "w"); for ($i = 0; $i < $len + 32; $i += 2) { $counter++;
** (see the file 'base_main.php' for license details) ** ** Built upon work by Roman Danyliw <*****@*****.**>, <*****@*****.**> ** Built upon work by the BASE Project Team <*****@*****.**> */ require "base_conf.php"; require "vars_session.php"; require_once 'classes/Util.inc'; require "{$BASE_path}/includes/base_constants.inc.php"; require "{$BASE_path}/includes/base_include.inc.php"; include_once "{$BASE_path}/base_db_common.php"; include_once "{$BASE_path}/base_qry_common.php"; include_once "{$BASE_path}/base_stat_common.php"; if ($_SESSION['_siem_sensor_query'] == "") { echo "-##-##-"; die; } $device_id = ImportHTTPVar("id", VAR_DIGIT); $sql = str_replace("DEVICEID", $device_id, $_SESSION['_siem_sensor_query']); session_write_close(); $qs = new QueryState(); $db = NewBASEDBConnection($DBlib_path, $DBtype); $db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password); $rs = $qs->ExecuteOutputQueryNoCanned($sql, $db); if ($row = $rs->baseFetchRow()) { $unique_addrs = BuildUniqueAlertLink("?sensor=" . urlencode($device_id)) . Util::number_format_locale($row[0], 0) . '</A>'; $src_addrs = BuildUniqueAddressLink(1, "&sensor=" . urlencode($device_id)) . Util::number_format_locale($row[1], 0) . '</A>'; $dst_addrs = BuildUniqueAddressLink(2, "&sensor=" . urlencode($device_id)) . Util::number_format_locale($row[2], 0) . '</A>'; } $rs->baseFreeRows(); echo "{$unique_addrs}##{$src_addrs}##{$dst_addrs}";
$_GET["sort_order"] = "time_d"; $sort_order = "time_d"; //if ($_GET['sensor'] != "") $sort_order = "time_d"; } } /* End 'interesting' browser code fixes */ /* Totally new Search */ if ($new == 1 && $submit == "") { // This is commented. // When you return to the search form, you must preserve all criteria. Lately only was reseting the _cnt vars // Now doesn't reset anything //$cs->InitState(); } /* is this a new query, invoked from the SEARCH screen ? */ /* if the query string if very long (> 700) then this must be from the Search screen */ $back = ImportHTTPVar("back", VAR_DIGIT); if ($GLOBALS['maintain_history'] == 1 && $back != 1 && $submit == gettext("Query DB") && (isset($_GET['search']) && $_GET['search'] == 1)) { !empty($_SESSION['back_list_cnt']) ? $_SESSION['back_list_cnt']-- : ($_SESSION['back_list_cnt'] = 0); /* save on top of initial blank query screen */ $submit = ""; /* save entered search criteria as if one hit Enter */ $_POST['submit'] = $submit; $cs->ReadState(); /* save the search criteria */ // Solve error when payload is searched cnt = 1 // if ($_GET{"data"} { // 0 // } { // 2 // } != "") $cs->criteria['data']->criteria_cnt = 1; if ($_GET["data"][0][2] != "") {
include "vars_session.php"; include "{$BASE_path}/includes/base_constants.inc.php"; include "{$BASE_path}/includes/base_include.inc.php"; include_once "{$BASE_path}/base_db_common.php"; include_once "{$BASE_path}/base_common.php"; include_once "{$BASE_path}/base_qry_common.php"; set_time_limit(300); if (GET('sensor') != "") { ossim_valid(GET('sensor'), OSS_DIGIT, 'illegal:' . _("sensor")); } // Geoip include "geoip.inc"; $gi = geoip_open("/usr/share/geoip/GeoIP.dat", GEOIP_STANDARD); //$addr_type = ImportHTTPVar("addr_type", VAR_DIGIT); $addr_type = 1; $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY)); $dst_ip = NULL; // Check role out and redirect if needed -- Kevin $roleneeded = 10000; $BUser = new BaseUser(); if ($BUser->hasRole($roleneeded) == 0 && $Use_Auth_System == 1) { base_header("Location: " . $BASE_urlpath . "/index.php"); } $et = new EventTiming($debug_time_mode); // The below three lines were moved from line 87 because of the odd errors some users were having /* Connect to the Alert database */ $db = NewBASEDBConnection($DBlib_path, $DBtype); $db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password); $cs = new CriteriaState("base_stat_country.php", "&addr_type=1"); $cs->ReadState(); /* Dump some debugging information on the shared state */
/**
 * Refresh the criteria state from the current HTTP request.
 *
 * Steps, in this order:
 *  1. register the global criteria state;
 *  2. when history is maintained and "back=1" was requested, restore the
 *     previous criteria set from the history list;
 *  3. import and sanitize every persistent criteria element;
 *  4. honour "clear_criteria" / "clear_criteria_element" (one element) and
 *     "clear_allcriteria" (everything);
 *  5. when history is maintained, push the resulting criteria onto history.
 */
function ReadState() {
    RegisterGlobalState();

    // BACK button: shuffle the previous criteria set out of the $back_list
    // (history) array into the current session before importing anything.
    if ($GLOBALS['maintain_history'] == 1 && ImportHTTPVar("back", VAR_DIGIT) == 1) {
        PopHistory();
    }

    // Import, update and sanitize every persistent criteria element.
    foreach (array_keys($this->criteria) as $name) {
        $element = $this->criteria[$name];
        $element->Import();
        $element->Sanitize();
    }

    // Work out which criteria (if any) the request asks to clear.  The third
    // argument appears to act as the list of accepted values, so only known
    // criteria names get through.
    $criteria_names = array_keys($this->criteria);
    $this->clear_criteria_name = ImportHTTPVar("clear_criteria", "", $criteria_names);
    $this->clear_criteria_element = ImportHTTPVar("clear_criteria_element", "", $criteria_names);
    $this->clear_allcriteria = ImportHTTPVar("clear_allcriteria", "1");

    if ($this->clear_criteria_name != "") {
        $this->ClearCriteriaStateElement($this->clear_criteria_name, $this->clear_criteria_element);
    }
    if ($this->clear_allcriteria != "") {
        $this->ClearAllCriteria();
    }

    // Remember the resulting criteria so that BACK can return to them.
    if ($GLOBALS['maintain_history'] == 1) {
        PushHistory();
    }
}
echo " <TD align='center'> <A HREF=\"{$tmp_sensor_lookup}\">" . Util::htmlentities($num_sensors) . "</A> "; //echo " <TD align='center'> $num_sensors"; echo " <TD align='center'> {$start_time}"; echo " <TD align='center' valign='middle'> {$stop_time}"; echo '</TR>'; } echo "</TABLE>\n"; } $et = new EventTiming($debug_time_mode); $cs = new CriteriaState("base_stat_ipaddr.php"); $cs->ReadState(); $ip = ImportHTTPVar("ip", VAR_DIGIT | VAR_PERIOD); $ip = Util::htmlentities($ip); $netmask = ImportHTTPVar("netmask", VAR_DIGIT); $action = ImportHTTPVar("action", VAR_ALPHA); $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE); // Check role out and redirect if needed -- Kevin $roleneeded = 10000; #$BUser = new BaseUser(); #if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1)) base_header("Location: " . $BASE_urlpath . "/index.php"); if ($netmask == '') { $netmask = "32"; } $page_title = $ip . '/' . $netmask; /* Connect to the Alert database */ $db = NewBASEDBConnection($DBlib_path, $DBtype); $db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password); // Include base_header.php PrintBASESubHeader($page_title, $page_title, $cs->GetBackLink(), 1); if ($event_cache_auto_update == 1) { UpdateAlertCache($db);
require "{$BASE_path}/includes/base_include.inc.php"; include_once "{$BASE_path}/includes/base_action.inc.php"; include_once "{$BASE_path}/base_db_common.php"; include_once "{$BASE_path}/base_common.php"; include_once "{$BASE_path}/base_ag_common.php"; include_once "{$BASE_path}/base_qry_common.php"; require_once 'av_init.php'; Session::logcheck("analysis-menu", "EventsForensics"); /* Connect to the Alert database */ $db = NewBASEDBConnection($DBlib_path, $DBtype); $db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password); $cs = new CriteriaState("base_qry_main.php", "&new=1&submit=" . gettext("Query+DB")); $cs->ReadState(); $_submit_param = $_POST['mode'] != '' ? 'mode' : 'submit'; /* This call can include many values. */ $submit = Util::htmlentities(ImportHTTPVar($_submit_param, VAR_DIGIT | VAR_PUNC | VAR_LETTER, array(gettext("Query DB"), gettext("ADD Addr"), gettext("ADD TCP Port"), gettext("ADD UDP Port")))); if ($submit == "TCP") { $cs->criteria['layer4']->Set("TCP"); } if ($submit == "UDP") { $cs->criteria['layer4']->Set("UDP"); } /* if ($submit == "ICMP") { $cs->criteria['layer4']->Set("ICMP"); } */ if ($submit == gettext("no layer4")) { $cs->criteria['layer4']->Set(""); } //if ($submit == gettext("ADD TIME") && $cs->criteria['time']->GetFormItemCnt() < $MAX_ROWS) $cs->criteria['time']->AddFormItem($submit, $cs->criteria['layer4']->Get());