Beispiel #1
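/**
 * Build the HTML link that switches base_qry_alert.php between the cleaned
 * ("plain") payload display and the normal one.
 *
 * The link re-uses the current query string and appends sort_order,
 * asciiclean and minimal_view. Everything taken from the request is encoded
 * for the place it lands in (URL parameter inside an HTML attribute), because
 * the returned string is written into the page as markup.
 *
 * @return string HTML anchor element
 */
function PrintCleanURL()
{
    // Query string reduced to the listed character classes by CleanVariable().
    // Which punctuation VAR_PUNC lets through is not visible here, so the value
    // is additionally HTML-encoded before it is placed inside href="...".
    // double_encode is off so entities already present are not encoded twice.
    $query = CleanVariable($_SERVER["QUERY_STRING"], VAR_PERIOD | VAR_DIGIT | VAR_PUNC | VAR_LETTER);
    $query = htmlspecialchars($query, ENT_QUOTES, 'UTF-8', false);
    $sort_order = ImportHTTPVar("sort_order", VAR_LETTER | VAR_USCORE);

    // minimal_view used to be copied from $_GET into the attribute unchanged,
    // so a quote in the parameter could close the href and add markup.
    // URL-encode it like sort_order; array or missing values become ''.
    $minimal_view = '';
    if (isset($_GET['minimal_view']) && is_scalar($_GET['minimal_view'])) {
        $minimal_view = urlencode((string) $_GET['minimal_view']);
    }

    // Cleaned display is active when asked for in the URL, or when the cookie
    // remembers it and the URL does not say otherwise.
    $clean_requested = isset($_GET['asciiclean']) && $_GET['asciiclean'] == 1;
    $clean_remembered = !isset($_GET['asciiclean']) && isset($_COOKIE['asciiclean']) && $_COOKIE['asciiclean'] == "clean";

    if ($clean_requested || $clean_remembered) {
        // currently cleaned: offer the link back to the normal display
        $next_state = '0';
        $label = _("Normal Display");
    } else {
        // currently normal: offer the link to the cleaned display
        $next_state = '1';
        $label = _("Plain Display");
    }

    $url = '<a href="base_qry_alert.php?' . $query;
    $url .= '&amp;sort_order=' . urlencode($sort_order) . '&amp;asciiclean=' . $next_state . '&amp;minimal_view=' . $minimal_view . '">' . $label . '</a>';
    return $url;
}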
Beispiel #2
</head>
<body>
<?php 
include "../hmenu.php";
?>
<div style="border:1px solid #AAAAAA;line-height:24px;width:100%;text-align:center;background:url('../pixmaps/fondo_col.gif') 50% 50% repeat-x;color:#222222;font-size:12px;font-weight:bold">&nbsp;Shellcode Analysis </div>
<?php 
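// Access control: when the auth system is enabled, users without role 10000
// are redirected to the index page and the script stops.
$roleneeded = 10000;
$BUser = new BaseUser();
if ($BUser->hasRole($roleneeded) == 0 && $Use_Auth_System == 1) {
    base_header("Location: " . $BASE_urlpath . "/index.php");
    exit;
}
// cid/sid select the event. Both end up inside SQL text below, so they are
// forced to integers here instead of relying on the VAR_DIGIT filter alone.
// A missing parameter now yields 0 rather than an empty string, which keeps
// the unquoted "sid=" comparison in the second query well-formed.
$cid = intval(ImportHTTPVar("cid", VAR_DIGIT));
$sid = intval(ImportHTTPVar("sid", VAR_DIGIT));
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
/* Get the Payload from the database: */
// NOTE(review): baseExecute() receives a finished string; if the DB layer
// offers bound parameters, prefer them over concatenation.
$sql2 = "SELECT data_payload FROM extra_data WHERE sid='" . $sid . "' AND cid='" . $cid . "'";
$result2 = $db->baseExecute($sql2);
$myrow2 = $result2->baseFetchRow();
$result2->baseFreeRows();
/* get encoding information for payload */
/* 0 == hex, 1 == base64, 2 == ascii;   */
$sql3 = 'SELECT encoding FROM sensor WHERE sid=' . $sid;
$result3 = $db->baseExecute($sql3);
$myrow3 = $result3->baseFetchRow();
$result3->baseFreeRows();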
Beispiel #3
include_once "{$BASE_path}/base_stat_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_ag_common.php";
include_once "geoip.inc";
// Page bootstrap for the sensor listing: remember this view in the session,
// read criteria/query state from the request, connect to the alert database
// and print the sub header.
$_SESSION["siem_default_group"] = "base_stat_sensor.php?sort_order=occur_d";
$geoloc = new Geolocation("/usr/share/geoip/GeoLiteCity.dat");
$et = new EventTiming($debug_time_mode);
$cs = new CriteriaState("base_stat_sensor.php");
$cs->ReadState();
$qs = new QueryState();
// Role check (original note: "Check role out and redirect if needed -- Kevin").
// NOTE(review): the BaseUser check below is commented out, so $roleneeded is
// assigned but never enforced in the visible lines. Confirm that another gate
// in the included files restricts access to this page.
$roleneeded = 10000;
#$BUser = new BaseUser();
#if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1)) base_header("Location: " . $BASE_urlpath . "/index.php");
// "submit" is imported with a character mask plus a list of accepted button labels.
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
// "complete" is set when called from report_launcher.php; forced to an integer.
$export = intval(ImportHTTPVar("complete", VAR_DIGIT));
// increment the view if necessary
$qs->MoveView($submit);
$page_title = gettext("Sensor Listing");
/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password, 0, 1);
if ($event_cache_auto_update == 1) {
    UpdateAlertCache($db);
}
$criteria_clauses = ProcessCriteria();
// Include base_header.php
PrintBASESubHeader($page_title, $page_title, $cs->GetBackLink(), 1);
$mssp = Session::show_entities();
//intval($conf->get_conf("alienvault_mssp", FALSE));
Beispiel #4
*/
require "base_conf.php";
require "vars_session.php";
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";
// Page bootstrap for the event listing: remember this view in the session,
// default the sort order, read request state and connect to the alert database.
$_SESSION["siem_default_group"] = "base_stat_alerts.php?sort_order=occur_d";
// No sort order in the request: fall back to 'occur_d' by writing into $_GET.
if ($_REQUEST['sort_order'] == '') {
    $_GET['sort_order'] = 'occur_d';
}
// Timing object is only created when debug timing is switched on.
$debug_time_mode >= 1 ? $et = new EventTiming($debug_time_mode) : '';
$cs = new CriteriaState("base_stat_alerts.php");
// "submit" is imported with a character mask plus a list of accepted button labels.
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
// "export" is set when called from report_launcher.php; forced to an integer.
$export = intval(ImportHTTPVar("export", VAR_DIGIT));
$cs->ReadState();
// Role check (original note: "Check role out and redirect if needed -- Kevin").
// NOTE(review): the BaseUser check below is commented out, so $roleneeded is
// assigned but never enforced in the visible lines. Confirm that another gate
// in the required files restricts access to this page.
$roleneeded = 10000;
#$BUser = new BaseUser();
#if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1)) base_header("Location: " . $BASE_urlpath . "/index.php");
$qs = new QueryState();
$qs->AddCannedQuery("most_frequent", $freq_num_alerts, gettext("Most Frequent Events"), "occur_d");
$qs->AddCannedQuery("last_alerts", $last_num_ualerts, gettext("Last Events"), "last_d");
// increment the view if necessary
$qs->MoveView($submit);
$page_title = gettext("Event Listing");
/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password, 0, 1);
*/
require 'base_conf.php';
require 'vars_session.php';
require_once 'classes/Util.inc';
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";
require_once 'classes/geolocation.inc';
// Page bootstrap for the IP links view.
// The fqdn flag is only written into the session URL when it is exactly
// 'yes' or 'no', so no other request text reaches the stored link.
if (GET('fqdn') == 'yes' || GET('fqdn') == 'no') {
    $_SESSION['siem_default_group'] = "base_stat_iplink.php?sort_order=events_d&fqdn=" . GET('fqdn');
}
$geoloc = new Geolocation('/usr/share/geoip/GeoLiteCity.dat');
// "submit" is imported with a character mask plus a list of accepted button labels.
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
// NOTE(review): unlike the session value above, $fqdn is imported with a
// character mask only and is not limited to 'yes'/'no' here.
$fqdn = ImportHTTPVar("fqdn", VAR_ALPHA | VAR_SPACE);
$et = new EventTiming($debug_time_mode);
$cs = new CriteriaState("base_stat_iplink.php");
$cs->ReadState();
// Role check (original note: "Check role out and redirect if needed -- Kevin").
// NOTE(review): the BaseUser check below is commented out, so $roleneeded is
// assigned but never enforced in the visible lines. Confirm that another gate
// in the required files restricts access to this page.
$roleneeded = 10000;
#$BUser = new BaseUser();
#if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1)) base_header("Location: " . $BASE_urlpath . "/index.php");
$qs = new QueryState();
$qs->AddCannedQuery("most_frequent", $freq_num_alerts, gettext("Most Frequent Events"), "occur_d");
$qs->AddCannedQuery("last_alerts", $last_num_ualerts, gettext("Last Events"), "last_d");
// increment the view if necessary
$qs->MoveView($submit);
$page_title = gettext("IP Links");
/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
Beispiel #6
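/**
 * Post-processing for the "delete alert" action: lowers the caller's alert
 * counter by the number of deleted events and, when a delete script was
 * prepared, starts it in the background.
 *
 * $action_arg, $action_ctx and $db are accepted but not used in this body.
 *
 * @param mixed  $action_arg  unused here
 * @param mixed  $action_ctx  unused here (by reference)
 * @param mixed  $db          unused here
 * @param int    $num_alert   running alert count, decremented in place
 * @param int    $action_cnt  number of alerts handled by the action
 * @param int    $context     1 means the detailed alert list
 * @param string $deltmp      path of the prepared SQL file, "" for none
 * @return void
 */
function Action_del_alert_post($action_arg, &$action_ctx, $db, &$num_alert, $action_cnt, $context, $deltmp)
{
    $sel_cnt = 0;
    // NOTE(review): count() on a non-array raises a TypeError on PHP 8;
    // confirm ImportHTTPVar() returns an array for these list parameters.
    $action_lst_cnt = count(ImportHTTPVar("action_lst"));
    $action_chk_lst = ImportHTTPVar("action_chk_lst");
    /* count the number of check boxes selected  */
    for ($i = 0; $i < $action_lst_cnt; $i++) {
        if (isset($action_chk_lst[$i])) {
            $sel_cnt++;
        }
    }
    if ($sel_cnt > 0) {
        /* 1 or more check boxes selected ? */
        $num_alert -= $sel_cnt;
    } elseif ($context == 1) {
        /* detail alert list ? */
        $num_alert -= $action_cnt;
    } else {
        $num_alert -= count(ImportHTTPVar("action_chk_lst"));
    }
    if ($deltmp != "") {
        // The part after the first "_" of the file name identifies the task.
        $rnd = explode("_", $deltmp);
        $_SESSION["deletetask"] = $rnd[1];
        // Launch the delete in the background. The path is passed through
        // escapeshellarg() so that spaces or shell metacharacters in $deltmp
        // stay part of the file name instead of being read by the shell.
        // NOTE(review): where $deltmp is built is not visible here; the caller
        // should also make sure it points at the file it generated itself.
        shell_exec("nohup cat " . escapeshellarg($deltmp) . " | /usr/bin/ossim-db snort > /var/tmp/latest_siem_events_purge.sql.log 2>&1 &");
        echo "<script>bgtask();</script>\n";
    }
}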
Beispiel #7
    die("If you wish to re-run the setup routine, please either move OR delete your previous base_conf file first.");
}
$errorMsg = '';
if (@$_GET['action'] == "check") {
    // form was submitted do the checks!
    $dbtype = ImportHTTPVar("dbtype", VAR_ALPHA);
    $dbport = ImportHTTPVar("dbport", VAR_DIGIT);
    $dbhost = ImportHTTPVar("dbhost", VAR_ALPHA | VAR_PERIOD | VAR_SCORE);
    $dbusername = ImportHTTPVar("dbusername");
    $dbpasswd = ImportHTTPVar("dbpasswd");
    $dbname = ImportHTTPVar("dbname", VAR_ALPHA | VAR_SCORE | VAR_USCORE);
    $arcdbport = ImportHTTPVar("arcdbport", VAR_DIGIT);
    $arcdbhost = ImportHTTPVar("arcdbhost", VAR_ALPHA | VAR_PERIOD | VAR_SCORE);
    $arcdbusername = ImportHTTPVar("arcdbusername");
    $arcdbpasswd = ImportHTTPVar("arcdbpasswd");
    $arcdbname = ImportHTTPVar("arcdbname", VAR_ALPHA | VAR_SCORE | VAR_USCORE);
    $db = NewADOConnection($dbtype);
    $dbconnect = $db->Connect($dbport == "" ? $dbhost : $dbhost . ":" . $dbport, $dbusername, $dbpasswd, $dbname);
    if (!$dbconnect) {
        $errorMsg = $errorMsg . "Database connection failed!<br>Please try again!";
        $error = 1;
    }
    $_SESSION['dbtype'] = $dbtype;
    $_SESSION['dbhost'] = $dbhost;
    $_SESSION['dbport'] = $dbport;
    $_SESSION['dbname'] = $dbname;
    $_SESSION['dbusername'] = $dbusername;
    $_SESSION['dbpasswd'] = $dbpasswd;
    $_SESSION['usearchive'] = 0;
    if (@$_POST['usearchive'] == "on") {
        $_SESSION['usearchive'] = 1;
Beispiel #8
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";
Session::logcheck("MenuEvents", "EventsForensics");
include "geoip.inc";
require_once 'classes/Util.inc';
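// Page bootstrap for the timeline view: GeoIP handle, request parameters,
// criteria state, role check and canned queries.
$gi = geoip_open("/usr/share/geoip/GeoIP.dat", GEOIP_STANDARD);
$hosts_ips = array_keys($hosts);
// Timing object is only created when debug timing is switched on.
if ($debug_time_mode >= 1) {
    $et = new EventTiming($debug_time_mode);
}
$cs = new CriteriaState("base_timeline.php");
// "submit" is imported with a character mask plus a list of accepted button labels.
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
// Number of entries to show; 50 when absent or zero.
$max = ImportHTTPVar("max", VAR_DIGIT);
if (!$max) {
    $max = 50;
}
// Timeline resolution; "m" when absent.
$resolution = ImportHTTPVar("resolution", VAR_ALPHA);
if ($resolution == "") {
    $resolution = "m";
}
$cs->ReadState();
// Access control: when the auth system is enabled, users without role 10000
// are redirected to the index page.
$roleneeded = 10000;
$BUser = new BaseUser();
if ($BUser->hasRole($roleneeded) == 0 && $Use_Auth_System == 1) {
    base_header("Location: " . $BASE_urlpath . "/index.php");
    // Stop here: a Location header alone does not end the script, so without
    // this the rest of the page would still run for a user who failed the check.
    exit;
}
$qs = new QueryState();
$qs->AddCannedQuery("most_frequent", $freq_num_alerts, gettext("Most Frequent Events"), "occur_d");
$qs->AddCannedQuery("last_alerts", $last_num_ualerts, gettext("Last Events"), "last_d");
$qs->MoveView($submit);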
 /**
  * Load the IP-address criteria rows from the session, split dotted
  * addresses into separate fields and bind the result back to the session.
  *
  * Row fields as written below: [3]..[6] receive the four dot-separated
  * parts, [7] keeps the original address string and [10] receives whatever
  * follows the "/" (presumably the netmask; confirm against the form code).
  */
 function Import()
 {
     parent::Import();
     // base_conf.php is included into the method scope on every call.
     include dirname(__FILE__) . '/../base_conf.php';
     $vals = NULL;
     /* expand IP into octets */
     $this->criteria = $_SESSION['ip_addr'];
     $this->criteria_cnt = $_SESSION['ip_addr_cnt'];
     for ($i = 0; $i < $this->criteria_cnt; $i++) {
         // NOTE(review): the pattern is unanchored and every group may be
         // empty, so any string containing three dots passes. It only decides
         // whether to split the value; it does not validate an address.
         if (isset($this->criteria[$i][3]) && preg_match("/([0-9]*)\\.([0-9]*)\\.([0-9]*)\\.([0-9]*)/", $this->criteria[$i][3])) {
             // strtok() keeps its position between calls, so these five
             // assignments must stay in this order.
             $tmp_ip_str = $this->criteria[$i][7] = $this->criteria[$i][3];
             $this->criteria[$i][3] = strtok($tmp_ip_str, ".");
             $this->criteria[$i][4] = strtok(".");
             $this->criteria[$i][5] = strtok(".");
             $this->criteria[$i][6] = strtok("/");
             $this->criteria[$i][10] = strtok("");
         }
         // Every row is kept, whether or not it was split above.
         $vals[] = $this->criteria[$i];
     }
     //print_r ($this->criteria);
     $this->criteria = $vals;
     // NOTE(review): $vals is still NULL when the loop did not run;
     // count(NULL) raises a TypeError on PHP 8.
     $this->criteria_cnt = count($vals);
     $new = ImportHTTPVar("new", VAR_DIGIT);
     $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
     if ($new == 1 && $submit == "") {
         // Intentionally empty. The reset below was disabled so that the
         // criteria survive a return to the search form.
         //$this->criteria = NULL;
         //$this->criteria_cnt = 1;
     }
     if ($this->criteria_cnt == "") {
         $this->criteria_cnt = 1;
     }
     //print_r ($this->criteria);
     // Bound by reference, so later changes to the properties are seen
     // through the session entries as well.
     $_SESSION['ip_addr'] =& $this->criteria;
     $_SESSION['ip_addr_cnt'] =& $this->criteria_cnt;
 }
** Built upon work by the BASE Project Team <*****@*****.**>
*/
require "base_conf.php";
require "vars_session.php";
require_once 'classes/Util.inc';
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";
// Fills the placeholders of a SQL template kept in the session and runs it.
// Without a stored template the script answers with the empty marker and stops.
if ($_SESSION['_siem_plugins_query'] == "") {
    echo "-##-";
    die;
}
// Request values are imported through character masks. They are placed into
// the statement by plain string replacement below, so these masks are the
// only thing keeping request text out of the SQL.
// NOTE(review): presumably VAR_HEX admits hex digits only; confirm in ImportHTTPVar.
$plugin_id = ImportHTTPVar("plugin", VAR_DIGIT | VAR_USCORE);
$device_id = ImportHTTPVar("id", VAR_HEX);
$sql = str_replace("DID", $device_id, $_SESSION['_siem_plugins_query']);
// "<digits>_<digits>" carries plugin id and subcategory; otherwise the whole
// value is the plugin id. The pattern is unanchored, so it matches anywhere
// in the value.
if (preg_match("/\\d+_\\d+/", $plugin_id)) {
    $sc = explode("_", $plugin_id);
    $sql = str_replace("PLUGIN_ID", $sc[0], str_replace("SUBCAT", $sc[1], $sql));
} else {
    $sql = str_replace("PLUGIN_ID", $plugin_id, $sql);
}
// Session data is no longer needed; close it before the database work.
session_write_close();
$tz = Util::get_timezone();
$qs = new QueryState();
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
// Defaults for the two output fields.
$name = $timestamp = '-';
$rs = $qs->ExecuteOutputQueryNoCanned($sql, $db);
if ($row = $rs->baseFetchRow()) {
** (see the file 'base_main.php' for license details)
**
** Built upon work by Roman Danyliw <*****@*****.**>, <*****@*****.**>
** Built upon work by the BASE Project Team <*****@*****.**>
*/
require "base_conf.php";
require "vars_session.php";
require_once 'classes/Util.inc';
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";
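// Fills the placeholders of a SQL template kept in the session, runs it and
// prints "<source addresses>##<destination addresses>".
// Without a stored template the script answers with the empty marker and stops.
if ($_SESSION['_siem_port_query'] == "") {
    echo "-##-";
    die;
}
// Request values are imported through character masks. They are placed into
// the statement by plain string replacement, so these masks are the only
// thing keeping request text out of the SQL.
$device_id = ImportHTTPVar("id", VAR_HEX);
$ip_port = ImportHTTPVar("port", VAR_DIGIT);
$sql = str_replace("DEVICEID", $device_id, str_replace("IP_PORT", $ip_port, $_SESSION['_siem_port_query']));
// Session data is no longer needed; close it before the database work.
session_write_close();
$qs = new QueryState();
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
// Start from empty fields so an empty result prints "##" without reading
// undefined variables (whose warnings could otherwise end up in the response).
$src_addrs = $dst_addrs = '';
$rs = $qs->ExecuteOutputQueryNoCanned($sql, $db);
if ($row = $rs->baseFetchRow()) {
    $src_addrs = $row[0];
    $dst_addrs = $row[1];
}
$rs->baseFreeRows();
// NOTE(review): the database values are printed as they are; if the caller
// inserts this response into the page as HTML, it has to encode them there.
echo "{$src_addrs}##{$dst_addrs}";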
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/includes/base_action.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_common.php";
include_once "{$BASE_path}/base_ag_common.php";
include_once "{$BASE_path}/base_qry_common.php";
require_once 'av_init.php';
// Query builder page bootstrap.
// Session::logcheck() runs before any database work.
// NOTE(review): presumably this enforces the menu permission; confirm in the Session class.
Session::logcheck("analysis-menu", "EventsForensics");
/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
$cs = new CriteriaState("base_qry_main.php", "&amp;new=1&amp;submit=" . gettext("Query+DB"));
$cs->ReadState();
/* This call can include many values. */
// "submit" is imported with a character mask and a list of button labels, and
// the result is passed through Util::htmlentities() before any comparison.
$submit = Util::htmlentities(ImportHTTPVar("submit", VAR_DIGIT | VAR_PUNC | VAR_LETTER, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), gettext("Delete Entire Query"), gettext("Query DB"), gettext("ADD TIME"), gettext("ADD Addr"), gettext("ADD IP Field"), gettext("ADD TCP Port"), gettext("ADD TCP Field"), gettext("ADD UDP Port"), gettext("ADD UDP Field"), _ADDICMPFIELD)));
// The layer-4 criterion is only ever set to one of these fixed literals,
// never to the request text itself.
if ($submit == "TCP") {
    $cs->criteria['layer4']->Set("TCP");
}
if ($submit == "UDP") {
    $cs->criteria['layer4']->Set("UDP");
}
if ($submit == "ICMP") {
    $cs->criteria['layer4']->Set("ICMP");
}
if ($submit == gettext("no layer4")) {
    $cs->criteria['layer4']->Set("");
}
// Another time row is added only while the form is below $MAX_ROWS rows.
if ($submit == gettext("ADD TIME") && $cs->criteria['time']->GetFormItemCnt() < $MAX_ROWS) {
    $cs->criteria['time']->AddFormItem($submit, $cs->criteria['layer4']->Get());
}
Beispiel #13
// Page bootstrap for the unique-ports statistics: database connection,
// criteria state, canned queries and request parameters.
$db = NewBASEDBConnection($DBlib_path, $DBtype);
/* FIXME: OSSIM */
/* This used to break the port filters; it needs a closer look, possibly
by changing db_connect_method in base_conf.php */
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
$cs = new CriteriaState("base_stat_ports.php");
$cs->ReadState();
// Role check (original note: "Check role out and redirect if needed -- Kevin").
// NOTE(review): only the role number is assigned; no check against it appears
// in the visible lines. Confirm access is restricted elsewhere.
$roleneeded = 10000;
$port_proto = "TCP";
$qs = new QueryState();
$qs->AddCannedQuery("most_frequent", $freq_num_uports, gettext("Most Frequent Ports"), "occur_d");
$qs->AddCannedQuery("last_ports", $last_num_uports, gettext("Last Ports"), "last_d");
// "submit" is imported with a character mask plus a list of accepted button labels.
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
$port_type = ImportHTTPVar("port_type", VAR_DIGIT);
// VAR_PUNC is allowed in addition to digits; the switch that follows also
// handles the value -1.
$proto = ImportHTTPVar("proto", VAR_DIGIT | VAR_PUNC);
// increment the view if necessary
$qs->MoveView($submit);
$page_title = "";
switch ($proto) {
    case TCP:
        $page_title = gettext("Unique") . " TCP ";
        $displaytitle = $port_type == SOURCE_PORT ? gettext("Displaying source tcp ports %d-%d of <b>%s</b> matching your selection. <b>%s</b> total events in database.") : gettext("Displaying destination tcp ports %d-%d of <b>%s</b> matching your selection. <b>%s</b> total events in database.");
        break;
    case UDP:
        $page_title = gettext("Unique") . " UDP ";
        $displaytitle = $port_type == SOURCE_PORT ? gettext("Displaying source udp ports %d-%d of <b>%s</b> matching your selection. <b>%s</b> total events in database.") : gettext("Displaying destination udp ports %d-%d of <b>%s</b> matching your selection. <b>%s</b> total events in database.");
        break;
    case -1:
        $page_title = gettext("Unique") . " ";
        $displaytitle = $port_type == SOURCE_PORT ? gettext("Displaying source ports %d-%d of <b>%s</b> matching your selection. <b>%s</b> total events in database.") : gettext("Displaying destination ports %d-%d of <b>%s</b> matching your selection. <b>%s</b> total events in database.");
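 /**
  * Load the IP-address criteria rows from the session, split dotted
  * addresses into separate fields and bind the result back to the session.
  *
  * Row fields as written below: [2] operator, [3]..[6] the four dot-separated
  * parts, [7] the original address string, [10] whatever follows the "/"
  * (presumably the netmask; confirm against the form code).
  *
  * When $use_ossim_session is set and Session::allowedNets() returns a
  * non-empty list, rows whose address lies outside those networks are
  * dropped. If nothing remains, one "ip_both =" row per allowed network is
  * generated, so the criteria stay limited to the user's networks.
  */
 function Import()
 {
     parent::Import();
     // base_conf.php is pulled into the method scope on every call.
     // NOTE(review): $use_ossim_session is presumably defined there; confirm.
     require dirname(__FILE__) . '/../base_conf.php';
     // preg_match() replaces ereg(), which no longer exists in PHP 7 and later.
     // The expression itself is unchanged: it is unanchored and every group
     // may be empty, so it only decides whether to split the value and does
     // not validate an address.
     $ip_pattern = "/([0-9]*)\\.([0-9]*)\\.([0-9]*)\\.([0-9]*)/";
     $vals = NULL;
     $empty = 1;
     /* expand IP into octets */
     $this->criteria = $_SESSION['ip_addr'];
     $this->criteria_cnt = $_SESSION['ip_addr_cnt'];
     for ($i = 0; $i < $this->criteria_cnt; $i++) {
         if (isset($this->criteria[$i][3]) && preg_match($ip_pattern, $this->criteria[$i][3])) {
             if ($use_ossim_session && Session::allowedNets()) {
                 require_once 'classes/Net.inc';
                 $domain = Session::allowedNets();
                 if ($domain != "") {
                     // Only the address part (before any "/") is tested
                     // against the allowed networks.
                     $tmp_myip = $this->criteria[$i][3];
                     $myip = strtok($tmp_myip, "/");
                     if (Net::isIpInNet($myip, $domain)) {
                         // strtok() keeps its position between calls, so
                         // these assignments must stay in this order.
                         $tmp_ip_str = $this->criteria[$i][7] = $this->criteria[$i][3];
                         $this->criteria[$i][2] = "=";
                         $this->criteria[$i][3] = strtok($tmp_ip_str, ".");
                         $this->criteria[$i][4] = strtok(".");
                         $this->criteria[$i][5] = strtok(".");
                         $this->criteria[$i][6] = strtok("/");
                         $this->criteria[$i][10] = strtok("");
                         $empty = 0;
                         $vals[] = $this->criteria[$i];
                     }
                 }
             } else {
                 $tmp_ip_str = $this->criteria[$i][7] = $this->criteria[$i][3];
                 $this->criteria[$i][3] = strtok($tmp_ip_str, ".");
                 $this->criteria[$i][4] = strtok(".");
                 $this->criteria[$i][5] = strtok(".");
                 $this->criteria[$i][6] = strtok("/");
                 $this->criteria[$i][10] = strtok("");
                 $empty = 0;
                 $vals[] = $this->criteria[$i];
             }
         } elseif (is_array($this->criteria[$i]) && array_key_exists(7, $this->criteria[$i]) && preg_match($ip_pattern, $this->criteria[$i][7])) {
             // Row was already split on an earlier pass ([7] holds the address).
             // NOTE(review): this branch keeps the row without consulting
             // Session::allowedNets(); confirm that is intended.
             $empty = 0;
             $vals[] = $this->criteria[$i];
         }
     }
     $this->criteria = $vals;
     // $vals is still NULL when no row was kept; count(NULL) raises a
     // TypeError on PHP 8, so the empty case is spelled out.
     $this->criteria_cnt = is_array($vals) ? count($vals) : 0;
     if ($use_ossim_session && $empty) {
         // Nothing usable was supplied: fall back to the user's allowed networks.
         $domain = Session::allowedNets();
         if ($domain != "") {
             $nets = explode(",", $domain);
             $net_cnt = count($nets);
             $this->criteria = array();
             for ($i = 0; $i < $net_cnt; $i++) {
                 $tmp_ip_str = $tmp[7] = $nets[$i];
                 $tmp[0] = " ";
                 $tmp[1] = "ip_both";
                 $tmp[2] = "=";
                 $tmp[3] = strtok($tmp_ip_str, ".");
                 $tmp[4] = strtok(".");
                 $tmp[5] = strtok(".");
                 $tmp[6] = strtok("/");
                 $tmp[10] = strtok("");
                 $tmp[8] = " ";
                 // Rows are joined with OR; the last one gets no connector.
                 $tmp[9] = ($i == $net_cnt - 1) ? " " : "OR";
                 $this->criteria[$this->criteria_cnt] = $tmp;
                 $this->criteria_cnt++;
             }
         }
     }
     $new = ImportHTTPVar("new", VAR_DIGIT);
     $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
     if ($new == 1 && $submit == "") {
         // NOTE(review): a fresh form ("new=1" without submit) clears the
         // criteria here, including the allowed-network rows generated above.
         $this->criteria = NULL;
         $this->criteria_cnt = 1;
     }
     // An empty count becomes 1. The explicit 0 test keeps that result on
     // PHP 8, where 0 == "" is no longer true.
     if ($this->criteria_cnt == "" || $this->criteria_cnt === 0) {
         $this->criteria_cnt = 1;
     }
     // Bound by reference, so later changes to the properties are seen
     // through the session entries as well.
     $_SESSION['ip_addr'] =& $this->criteria;
     $_SESSION['ip_addr_cnt'] =& $this->criteria_cnt;
 }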
Beispiel #15
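// Setup step 1: collect the available languages, then validate the submitted
// language and ADODB path and move on to setup2.php.
$errorMsg = '';
/* build array of languages */
$i = 0;
if ($handle = opendir('../languages')) {
    while (false !== ($file = readdir($handle))) {
        if ($file != "." && $file != ".." && $file != "CVS" && $file != "index.php") {
            // language name = file name up to the first dot
            $filename = explode(".", $file);
            $languages[$i] = $filename[0];
            $i++;
        }
    }
    closedir($handle);
}
if (@$_GET['action'] == "check") {
    // form has been submitted.  Check answers.
    // The language is imported against the list read from ../languages.
    $_SESSION['language'] = ImportHTTPVar("language", "", $languages);
    // Check path to ADODB.
    // The path comes from the form. Accept it only as a plain string without
    // NUL bytes before it touches the filesystem or the session.
    $adodbpath = '';
    if (isset($_POST['adodbpath']) && is_string($_POST['adodbpath']) && strpos($_POST['adodbpath'], "\0") === false) {
        $adodbpath = $_POST['adodbpath'];
    }
    $adodbexists = $adodbpath !== '' && file_exists($adodbpath . "/adodb.inc.php");
    if (!$adodbexists) {
        $errorMsg = $errorMsg . "<br>The Path to ADODB does not appear to be correct!<br>";
        $errorMsg = $errorMsg . "Please correct.";
        $error = 1;
    } else {
        // NOTE(review): this value is kept for later setup steps; if one of
        // them includes "<path>/adodb.inc.php", the setup pages must not stay
        // reachable once installation is finished.
        $_SESSION['adodbpath'] = $adodbpath;
        $error = 0;
    }
    if ($error != 1) {
        header("Location: setup2.php");
        // Stop only after a successful redirect. Exiting unconditionally would
        // end the request before $errorMsg could be shown by the rest of the
        // page (not visible here).
        exit;
    }
}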
**
** Built upon work by Roman Danyliw <*****@*****.**>, <*****@*****.**>
** Built upon work by the BASE Project Team <*****@*****.**>
*/
include_once 'base_conf.php';
include_once "{$BASE_path}/includes/base_constants.inc.php";
include_once "{$BASE_path}/includes/base_include.inc.php";
// Role check (original note: "Check role out and redirect if needed -- Kevin").
// NOTE(review): the whole BaseUser check below is commented out, so
// $roleneeded is assigned but never enforced in the visible lines. This page
// serves stored payload data, so confirm that one of the included files
// restricts access.
$roleneeded = 10000;
#$BUser = new BaseUser();
#if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1)) {
#    base_header("Location: " . $BASE_urlpath . "/index.php");
#    exit();
#}
// Event id, imported with a digits-and-letters mask. Further down it is
// interpolated into quoted SQL text inside unhex('...'), so this mask is the
// only thing keeping request text out of that statement.
$id = ImportHTTPVar("id", VAR_DIGIT | VAR_LETTER);
// 1 requests the payload download.
$download = ImportHTTPVar("download", VAR_DIGIT);
if ($download == 1) {
    /* Connect to the Alert database */
    $db = NewBASEDBConnection($DBlib_path, $DBtype);
    $db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
    /* Get the Payload from the database: */
    $sql2 = "SELECT data_payload,binary_data FROM alienvault_siem.extra_data WHERE event_id=unhex('{$id}')";
    $result2 = $db->baseExecute($sql2);
    $myrow2 = $result2->baseFetchRow();
    $result2->baseFreeRows();
    if (empty($myrow2)) {
        $sql2 = "SELECT data_payload,binary_data FROM alienvault.extra_data WHERE event_id=unhex('{$id}')";
        $result2 = $db->baseExecute($sql2);
        $myrow2 = $result2->baseFetchRow();
        $result2->baseFreeRows();
    }
Beispiel #17
// Chart rendering parameters. The data series comes from the session; every
// layout option is read from the request through a character mask.
$xdata = $_SESSION['xdata'];
// NOTE(review): width and height are digits-only but have no upper bound in
// the visible lines; they are later used as the image size, so very large
// values cost memory. Consider clamping them.
$width = ImportHTTPVar("width", VAR_DIGIT);
$height = ImportHTTPVar("height", VAR_DIGIT);
$pmargin0 = ImportHTTPVar("pmargin0", VAR_DIGIT);
$pmargin1 = ImportHTTPVar("pmargin1", VAR_DIGIT);
$pmargin2 = ImportHTTPVar("pmargin2", VAR_DIGIT);
$pmargin3 = ImportHTTPVar("pmargin3", VAR_DIGIT);
// Free-text labels: letters and spaces per the masks.
$title = ImportHTTPVar("title", VAR_ALPHA | VAR_SPACE);
$xaxis_label = ImportHTTPVar("xaxis_label", VAR_ALPHA | VAR_SPACE);
$yaxis_label = ImportHTTPVar("yaxis_label", VAR_ALPHA | VAR_SPACE);
$yaxis_scale = ImportHTTPVar("yaxis_scale", VAR_DIGIT);
$xaxis_grid = ImportHTTPVar("xaxis_grid", VAR_DIGIT);
$yaxis_grid = ImportHTTPVar("yaxis_grid", VAR_DIGIT);
$rotate_xaxis_lbl = ImportHTTPVar("rotate_xaxis_lbl", VAR_DIGIT);
$style = ImportHTTPVar("style", VAR_ALPHA);
$chart_type = ImportHTTPVar("chart_type", VAR_DIGIT);
if ($chart_type == 15 || $chart_type == 17) {
    // Number of alerts spread over a worldmap: width and height
    // MUST be constant. At least as of Image_Graph-0.7.2
    // Otherwise the coordinates file must be regenerated. And this
    // is NOT possible during runtime (as of version 0.7.2)
    $Graph =& Image_Graph::factory('graph', array(1800, 913));
    //$Graph =& Image_Graph::factory('graph', array(600, 300));
} elseif ($yaxis_scale == 1 && $style != 'pie') {
    // the old form of instantiation does not seem to work
    // any more with PEAR::Image_Canvas-0.3.1 with logarithmic
    // y-axes. So factory-method is required.
    $Graph =& Image_Graph::factory('graph', array($width, $height));
} else {
    // Create the graph area, legends on bottom -- Alejandro
    $Graph =& new Image_Graph(array('driver' => 'gd', 'width' => $width, 'height' => $height));
 /**
  * Populate the query-state properties from the current request.
  *
  * Each property is read with ImportHTTPVar() under the character mask
  * listed for it; action_chk_lst and action_lst are expected to be arrays.
  */
 function ReadState()
 {
     // property => (request parameter, allowed character classes),
     // listed in the order the values are imported
     $request_fields = array(
         'current_canned_query' => array("caller", VAR_LETTER | VAR_USCORE),
         'num_result_rows' => array("num_result_rows", VAR_DIGIT | VAR_SCORE),
         'current_sort_order' => array("sort_order", VAR_LETTER | VAR_USCORE),
         // with CALC_FOUND_ROWS the view starts at 0
         'current_view' => array("current_view", VAR_DIGIT),
         'action_arg' => array("action_arg", VAR_ALPHA | VAR_PERIOD | VAR_USCORE | VAR_SCORE | VAR_AT),
         'action_chk_lst' => array("action_chk_lst", VAR_ALPHA | VAR_PUNC),
         'action_lst' => array("action_lst", VAR_ALPHA | VAR_PUNC | VAR_SCORE),
         'action' => array("action", VAR_ALPHA | VAR_USCORE),
     );
     foreach ($request_fields as $property => $spec) {
         $this->{$property} = ImportHTTPVar($spec[0], $spec[1]);
     }
 }
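 /**
  * Load the IP-address criteria rows from the session, split dotted
  * addresses into separate fields and bind the result back to the session.
  *
  * Row fields as written below: [3]..[6] the four dot-separated parts,
  * [7] the original address string, [10] whatever follows the "/"
  * (presumably the netmask; confirm against the form code).
  *
  * Rows are not filtered by the user's allowed networks here. The original
  * in-code note says that filtering caused functional errors and that the
  * main query applies it instead; the retired code has been removed.
  */
 function Import()
 {
     parent::Import();
     // base_conf.php is included into the method scope on every call.
     include dirname(__FILE__) . '/../base_conf.php';
     // preg_match() replaces ereg(), which no longer exists in PHP 7 and later.
     // The expression itself is unchanged: it is unanchored and every group
     // may be empty, so it only decides whether to split the value and does
     // not validate an address.
     $ip_pattern = "/([0-9]*)\\.([0-9]*)\\.([0-9]*)\\.([0-9]*)/";
     $vals = NULL;
     /* expand IP into octets */
     $this->criteria = $_SESSION['ip_addr'];
     $this->criteria_cnt = $_SESSION['ip_addr_cnt'];
     for ($i = 0; $i < $this->criteria_cnt; $i++) {
         if (isset($this->criteria[$i][3]) && preg_match($ip_pattern, $this->criteria[$i][3])) {
             // strtok() keeps its position between calls, so these
             // assignments must stay in this order.
             $tmp_ip_str = $this->criteria[$i][7] = $this->criteria[$i][3];
             $this->criteria[$i][3] = strtok($tmp_ip_str, ".");
             $this->criteria[$i][4] = strtok(".");
             $this->criteria[$i][5] = strtok(".");
             $this->criteria[$i][6] = strtok("/");
             $this->criteria[$i][10] = strtok("");
             $vals[] = $this->criteria[$i];
         } elseif (is_array($this->criteria[$i]) && array_key_exists(7, $this->criteria[$i]) && preg_match($ip_pattern, $this->criteria[$i][7])) {
             // Row was already split on an earlier pass ([7] holds the address).
             $vals[] = $this->criteria[$i];
         }
     }
     $this->criteria = $vals;
     // $vals is still NULL when no row was kept; count(NULL) raises a
     // TypeError on PHP 8, so the empty case is spelled out.
     $this->criteria_cnt = is_array($vals) ? count($vals) : 0;
     $new = ImportHTTPVar("new", VAR_DIGIT);
     $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
     if ($new == 1 && $submit == "") {
         // Intentionally empty: the criteria are preserved when the user
         // returns to the search form (the earlier reset was disabled).
     }
     // An empty count becomes 1. The explicit 0 test keeps that result on
     // PHP 8, where 0 == "" is no longer true.
     if ($this->criteria_cnt == "" || $this->criteria_cnt === 0) {
         $this->criteria_cnt = 1;
     }
     // Bound by reference, so later changes to the properties are seen
     // through the session entries as well.
     $_SESSION['ip_addr'] =& $this->criteria;
     $_SESSION['ip_addr_cnt'] =& $this->criteria_cnt;
 }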
Beispiel #20
include "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/includes/base_action.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_ag_common.php";
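// Page bootstrap for event group (AG) maintenance: request state, role check,
// page header and database connection.
// Timing object is only created when debug timing is switched on.
if ($debug_time_mode >= 1) {
    $et = new EventTiming($debug_time_mode);
}
$cs = new CriteriaState("base_ag_main.php");
$cs->ReadState();
$qs = new QueryState();
// "submit" is imported with a character mask plus a list of accepted button labels.
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
$ag_action = ImportHTTPVar("ag_action", VAR_ALPHA | VAR_USCORE);
// Group id, name and description go through filterSql() after import.
// Name and description are imported without a character mask, so
// filterSql() is the only visible treatment they receive.
// NOTE(review): confirm what filterSql() escapes before these reach a statement.
$ag_id = filterSql(ImportHTTPVar("ag_id", VAR_DIGIT));
$ag_name = filterSql(ImportHTTPVar("ag_name"));
$ag_desc = filterSql(ImportHTTPVar("ag_desc"));
// Access control: when the auth system is enabled, users without role 10000
// are redirected to the index page.
$roleneeded = 10000;
$BUser = new BaseUser();
if ($BUser->hasRole($roleneeded) == 0 && $Use_Auth_System == 1) {
    base_header("Location: " . $BASE_urlpath . "/index.php");
    // Stop here: a Location header alone does not end the script, so without
    // this the maintenance page below would still run for a user who failed
    // the check.
    exit;
}
$page_title = gettext("Event Group (AG) Maintenance");
PrintBASESubHeader($page_title, $page_title, $cs->GetBackLink(), 1);
/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);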
/* a browsing button was clicked */
if (is_numeric($submit)) {
    if ($debug_mode > 0) {
        ErrorMessage("Browsing Clicked ({$submit})");
** Built upon work by the BASE Project Team <*****@*****.**>
*/
require "base_conf.php";
require "vars_session.php";
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";
// Endpoint fragment: looks up one plugin id/sid pair using two SQL templates that an
// earlier request stored in the session.
if ($_SESSION['siem_current_query_graph'] == "" || $_SESSION['siem_alerts_query'] == "") {
    // Without both templates there is nothing to run: reply with the placeholder triple and stop.
    echo "-##-##-";
    die;
}
$tz = Util::get_timezone();
$plugin_id = ImportHTTPVar("id", VAR_DIGIT);
$plugin_sid = ImportHTTPVar("sid", VAR_DIGIT);
// The PLUGINID / PLUGINSID tokens in the session templates are replaced by the request values.
// This is string substitution, not parameter binding, so the statements are only as safe as the
// VAR_DIGIT import -- presumably it leaves nothing but digits; confirm in ImportHTTPVar().
$sqlgraph = str_replace("PLUGINSID", $plugin_sid, str_replace("PLUGINID", $plugin_id, $_SESSION['siem_current_query_graph']));
$sql = str_replace("PLUGINSID", $plugin_sid, str_replace("PLUGINID", $plugin_id, $_SESSION['siem_alerts_query']));
// The session is closed before the query runs; it is not touched again in this fragment.
session_write_close();
$qs = new QueryState();
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
$rs = $qs->ExecuteOutputQuery($sql, $db);
// $src_addrs, $dst_addrs and $last are assigned only when a row comes back; code past this
// fragment that reads them has to cope with the no-row case.
if ($row = $rs->baseFetchRow()) {
    $addr_link = '&amp;sig_type=1&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D=' . urlencode($plugin_id . ";" . $plugin_sid);
    // NOTE(review): $row[0] and $row[1] are concatenated into markup without escaping;
    // presumably they are numeric counts -- confirm against the query, or escape/format them.
    $src_addrs = BuildUniqueAddressLink(1, $addr_link) . $row[0] . '</A>';
    $dst_addrs = BuildUniqueAddressLink(2, $addr_link) . $row[1] . '</A>';
    $last = get_utc_unixtime($db, $row[2]);
}
$rs->baseFreeRows();
if ($tz != 0) {
Beispiel #22
/**
 * Post-processing for the "delete alert" action: lowers the caller's alert total
 * by the number of alerts the action removed.
 *
 * Only $num_alert is modified. $action_arg, $action_ctx, $db and $deltmp are accepted
 * for the shared action-callback signature and are not read here.
 *
 * NOTE(review): count() needs an array or Countable on PHP 8; confirm that
 * ImportHTTPVar() returns an array for "action_lst" / "action_chk_lst" even when the
 * request carries neither.
 *
 * @param mixed $action_arg  unused
 * @param mixed $action_ctx  unused (by reference)
 * @param mixed $db          unused
 * @param int   $num_alert   running alert total, decremented in place
 * @param int   $action_cnt  amount subtracted when $context is 1 and nothing is ticked
 * @param mixed $context     1 is treated as the detail alert list
 * @param mixed $deltmp      unused
 */
function Action_del_alert_post($action_arg, &$action_ctx, $db, &$num_alert, $action_cnt, $context, $deltmp)
{
    $total_rows = count(ImportHTTPVar("action_lst"));
    $ticked = ImportHTTPVar("action_chk_lst");

    // Tally the check boxes that were ticked among the listed rows.
    $ticked_cnt = 0;
    $row = 0;
    while ($row < $total_rows) {
        if (isset($ticked[$row])) {
            $ticked_cnt += 1;
        }
        $row++;
    }

    // One or more boxes ticked: that many alerts are gone.
    if ($ticked_cnt > 0) {
        $num_alert = $num_alert - $ticked_cnt;
        return;
    }

    // Detail alert list: fall back to the count supplied by the caller.
    if ($context == 1) {
        $num_alert = $num_alert - $action_cnt;
        return;
    }

    // Otherwise subtract the size of the submitted check list.
    $num_alert = $num_alert - count(ImportHTTPVar("action_chk_lst"));
}
Beispiel #23
echo Util::get_css_id();
?>
">
</head>
<body>

<div style="border:1px solid #AAAAAA;line-height:24px;width:100%;text-align:center;background:url('../pixmaps/fondo_col.gif') 50% 50% repeat-x;color:#222222;font-size:12px;font-weight:bold">&nbsp;Shellcode Analysis </div>
<?php 
// Check role out and redirect if needed -- Kevin
// NOTE(review): the role check below is commented out, so this fragment itself enforces no
// authorization before reading an event payload; confirm that an include or session check
// outside this fragment restricts access.
$roleneeded = 10000;
#$BUser = new BaseUser();
#if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1)) {
#    base_header("Location: " . $BASE_urlpath . "/index.php");
#    exit();
#}
$id = ImportHTTPVar("id", VAR_DIGIT | VAR_LETTER);
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
/* Get the Payload from the database: */
// $id is interpolated straight into the statement. The only protection visible here is the
// import mask (presumably digits and letters only -- confirm in ImportHTTPVar()); a bound
// parameter would not depend on that mask.
$sql2 = "SELECT data_payload,binary_data FROM extra_data WHERE event_id=unhex('{$id}')";
$result2 = $db->baseExecute($sql2);
$myrow2 = $result2->baseFetchRow();
$result2->baseFreeRows();
//print $myrow2[0]."<br>";
// NOTE(review): no check that a row was found; when the event id matches nothing,
// $myrow2[0] is read from an empty result.
$payload = str_replace("\n", "", $myrow2[0]);
$len = strlen($payload);
$counter = 0;
// Scratch file for the payload. Neither tempnam() nor fopen() is checked for failure, and
// removal of the file is not visible in this fragment -- confirm it is unlinked later.
$tmp = tempnam("/tmp", "bin");
$fh = fopen($tmp, "w");
for ($i = 0; $i < $len + 32; $i += 2) {
    $counter++;
** (see the file 'base_main.php' for license details)
**
** Built upon work by Roman Danyliw <*****@*****.**>, <*****@*****.**>
** Built upon work by the BASE Project Team <*****@*****.**>
*/
require "base_conf.php";
require "vars_session.php";
require_once 'classes/Util.inc';
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";
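// Endpoint fragment: answers with three '##'-separated HTML links (unique alerts, source
// addresses, destination addresses) for one sensor.
if ($_SESSION['_siem_sensor_query'] == "") {
    // No query template in the session: reply with the placeholder triple and stop.
    echo "-##-##-";
    die;
}
$device_id = ImportHTTPVar("id", VAR_DIGIT);
// The SQL text comes from the session; only the DEVICEID token is replaced by the request
// value. This is string substitution, not parameter binding, so it relies on the VAR_DIGIT
// import leaving nothing but digits in $device_id -- confirm in ImportHTTPVar().
$sql = str_replace("DEVICEID", $device_id, $_SESSION['_siem_sensor_query']);
// The session is closed before the query runs; it is not touched again in this fragment.
session_write_close();
$qs = new QueryState();
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
$rs = $qs->ExecuteOutputQueryNoCanned($sql, $db);
// Start from empty cells so the reply keeps its '##' layout when the query returns no row;
// without this the three variables are undefined at the echo below.
$unique_addrs = "";
$src_addrs = "";
$dst_addrs = "";
if ($row = $rs->baseFetchRow()) {
    // Counts go through number_format_locale() and the sensor id through urlencode() before
    // being placed in the links.
    $unique_addrs = BuildUniqueAlertLink("?sensor=" . urlencode($device_id)) . Util::number_format_locale($row[0], 0) . '</A>';
    $src_addrs = BuildUniqueAddressLink(1, "&amp;sensor=" . urlencode($device_id)) . Util::number_format_locale($row[1], 0) . '</A>';
    $dst_addrs = BuildUniqueAddressLink(2, "&amp;sensor=" . urlencode($device_id)) . Util::number_format_locale($row[2], 0) . '</A>';
}
$rs->baseFreeRows();
echo "{$unique_addrs}##{$src_addrs}##{$dst_addrs}";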
        $_GET["sort_order"] = "time_d";
        $sort_order = "time_d";
        //if ($_GET['sensor'] != "") $sort_order = "time_d";
    }
}
/* End 'interesting' browser code fixes */
/* Totally new Search */
if ($new == 1 && $submit == "") {
    // The reset is intentionally disabled.
    // Returning to the search form must preserve every criterion. An earlier version
    // reset only the _cnt variables; now nothing is reset, so this branch is a no-op.
    //$cs->InitState();
}
/* is this a new query, invoked from the SEARCH screen ? */
/* if the query string is very long (> 700) then this must be from the Search screen  */
$back = ImportHTTPVar("back", VAR_DIGIT);
if ($GLOBALS['maintain_history'] == 1 && $back != 1 && $submit == gettext("Query DB") && (isset($_GET['search']) && $_GET['search'] == 1)) {
    !empty($_SESSION['back_list_cnt']) ? $_SESSION['back_list_cnt']-- : ($_SESSION['back_list_cnt'] = 0);
    /* save on top of initial blank query screen   */
    $submit = "";
    /*  save entered search criteria as if one hit Enter */
    $_POST['submit'] = $submit;
    $cs->ReadState();
    /* save the search criteria       */
    // Solve error when payload is searched cnt = 1
    //    if ($_GET{"data"} {
    //        0
    //    } {
    //        2
    //    } != "") $cs->criteria['data']->criteria_cnt = 1;
    if ($_GET["data"][0][2] != "") {
Beispiel #26
include "vars_session.php";
include "{$BASE_path}/includes/base_constants.inc.php";
include "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_common.php";
include_once "{$BASE_path}/base_qry_common.php";
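// Country statistics page setup. Execution time is raised to 300 seconds for this report.
set_time_limit(300);
if (GET('sensor') != "") {
    // NOTE(review): the outcome of ossim_valid() is not inspected in this fragment; confirm
    // that a failed validation stops the request before 'sensor' is used.
    ossim_valid(GET('sensor'), OSS_DIGIT, 'illegal:' . _("sensor"));
}
// Geoip
include "geoip.inc";
$gi = geoip_open("/usr/share/geoip/GeoIP.dat", GEOIP_STANDARD);
//$addr_type = ImportHTTPVar("addr_type", VAR_DIGIT);
// addr_type is pinned to 1 instead of being taken from the request.
$addr_type = 1;
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(gettext("Delete Selected"), gettext("Delete ALL on Screen"), _ENTIREQUERY));
$dst_ip = NULL;
// Check role out and redirect if needed -- Kevin
$roleneeded = 10000;
$BUser = new BaseUser();
if ($BUser->hasRole($roleneeded) == 0 && $Use_Auth_System == 1) {
    base_header("Location: " . $BASE_urlpath . "/index.php");
    // End the request once the redirect is queued. base_header() is defined outside this
    // fragment; unless it terminates by itself, the DB connection and everything below would
    // still run for a caller who failed the role check.
    exit;
}
$et = new EventTiming($debug_time_mode);
// The below three lines were moved from line 87 because of the odd errors some users were having
/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
$cs = new CriteriaState("base_stat_country.php", "&amp;addr_type=1");
$cs->ReadState();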
/* Dump some debugging information on the shared state */
 /**
  * Rebuilds the criteria state for the current request.
  *
  * Order of work: register global state, optionally restore the previous state from
  * history when "back" is 1, import and sanitize every criteria object, apply the
  * clear requests, then optionally push the result onto history. Takes no arguments
  * and returns nothing; it writes the three clear_* properties on this object.
  */
 function ReadState()
 {
     RegisterGlobalState();
     /*
      * If the BACK button was clicked, shuffle the appropriate
      * criteria variables from the $back_list (history) array into
      * the current session ($_SESSION)
      */
     if ($GLOBALS['maintain_history'] == 1 && ImportHTTPVar("back", VAR_DIGIT) == 1) {
         PopHistory();
     }
     /*
      * Import, update and sanitize all persistent criteria variables
      */
     // Keys are snapshotted first; each criteria object is imported and then sanitized.
     $valid_criteria_list = array_keys($this->criteria);
     foreach ($valid_criteria_list as $cname) {
         $this->criteria[$cname]->Import();
         $this->criteria[$cname]->Sanitize();
     }
     /*
      * Check whether criteria elements need to be cleared
      */
     // The third argument looks like an allow-list: only known criteria names should be
     // accepted for the two values below -- TODO confirm in ImportHTTPVar().
     $this->clear_criteria_name = ImportHTTPVar("clear_criteria", "", array_keys($this->criteria));
     $this->clear_criteria_element = ImportHTTPVar("clear_criteria_element", "", array_keys($this->criteria));
     // NOTE(review): here "1" sits in the second position, where the two calls above pass an
     // empty mask and put their accepted values third; confirm this is the intended mask and
     // not a misplaced allow-list value.
     $this->clear_allcriteria = ImportHTTPVar("clear_allcriteria", "1");
     if ($this->clear_criteria_name != "") {
         $this->ClearCriteriaStateElement($this->clear_criteria_name, $this->clear_criteria_element);
     }
     if ($this->clear_allcriteria != "") {
         $this->ClearAllCriteria();
     }
     /*
      * Save the current criteria into $back_list (history)
      */
     if ($GLOBALS['maintain_history'] == 1) {
         PushHistory();
     }
 }
Beispiel #28
        echo "  <TD align='center'> <A HREF=\"{$tmp_sensor_lookup}\">" . Util::htmlentities($num_sensors) . "</A> ";
        //echo "  <TD align='center'> $num_sensors";
        echo "  <TD align='center'> {$start_time}";
        echo "  <TD align='center' valign='middle'> {$stop_time}";
        echo '</TR>';
    }
    echo "</TABLE>\n";
}
// Per-address statistics page setup: timing, criteria state, request parameters, DB
// connection and sub-header.
$et = new EventTiming($debug_time_mode);
$cs = new CriteriaState("base_stat_ipaddr.php");
$cs->ReadState();
$ip = ImportHTTPVar("ip", VAR_DIGIT | VAR_PERIOD);
// $ip is HTML-encoded right after import, so every later use in this script sees the
// encoded form.
$ip = Util::htmlentities($ip);
// NOTE(review): netmask is imported with a digit mask only; no 0-32 range check is visible here.
$netmask = ImportHTTPVar("netmask", VAR_DIGIT);
$action = ImportHTTPVar("action", VAR_ALPHA);
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
// Check role out and redirect if needed -- Kevin
// NOTE(review): the role check below is commented out, so this fragment itself enforces no
// authorization; confirm that an include or session check outside this fragment does.
$roleneeded = 10000;
#$BUser = new BaseUser();
#if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1)) base_header("Location: " . $BASE_urlpath . "/index.php");
// A missing netmask means a single host.
if ($netmask == '') {
    $netmask = "32";
}
$page_title = $ip . '/' . $netmask;
/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
// Include base_header.php
PrintBASESubHeader($page_title, $page_title, $cs->GetBackLink(), 1);
if ($event_cache_auto_update == 1) {
    UpdateAlertCache($db);
Beispiel #29
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/includes/base_action.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_common.php";
include_once "{$BASE_path}/base_ag_common.php";
include_once "{$BASE_path}/base_qry_common.php";
require_once 'av_init.php';
Session::logcheck("analysis-menu", "EventsForensics");
/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
$cs = new CriteriaState("base_qry_main.php", "&amp;new=1&amp;submit=" . gettext("Query+DB"));
$cs->ReadState();
$_submit_param = $_POST['mode'] != '' ? 'mode' : 'submit';
/* This call can include many values. */
$submit = Util::htmlentities(ImportHTTPVar($_submit_param, VAR_DIGIT | VAR_PUNC | VAR_LETTER, array(gettext("Query DB"), gettext("ADD Addr"), gettext("ADD TCP Port"), gettext("ADD UDP Port"))));
if ($submit == "TCP") {
    $cs->criteria['layer4']->Set("TCP");
}
if ($submit == "UDP") {
    $cs->criteria['layer4']->Set("UDP");
}
/*
if ($submit == "ICMP") {
    $cs->criteria['layer4']->Set("ICMP");
}
*/
if ($submit == gettext("no layer4")) {
    $cs->criteria['layer4']->Set("");
}
//if ($submit == gettext("ADD TIME") && $cs->criteria['time']->GetFormItemCnt() < $MAX_ROWS) $cs->criteria['time']->AddFormItem($submit, $cs->criteria['layer4']->Get());