     } else {
         while (!$rg->EOF) {
             $data[] = $rg->fields["num_events"];
             $name = Util::signaturefilter($rg->fields["name"]);
             $label[] = $name;
             $link = Menu::get_menu_url("/ossim/alarm/alarm_console.php?num_alarms_page=50&hmenu=Alarms&smenu=Alarms&hide_closed=1&query=" . $rg->fields["name"], 'analysis', 'alarms');
             $links[] = $link;
             $rg->MoveNext();
         }
     }
     $hide_x_axis = TRUE;
     $colors = get_widget_colors(count($data));
     break;
 case "events":
     //Filters of assets.
     $query_where = Security_report::make_where($conn, '', '', array(), $assets_filters, '', '', false);
     //Limit of alarms to show in the widget.
     $limit = $chart_info['top'] != '' ? $chart_info['top'] : 5;
     //Sql Query
     $sqlgraph = "SELECT sum( acid_event.cnt ) as num_events, p.name, p.plugin_id, p.sid from alienvault_siem.ac_acid_event as acid_event, alienvault.plugin_sid p WHERE p.plugin_id=acid_event.plugin_id AND p.sid=acid_event.plugin_sid {$query_where} group by p.name order by num_events desc limit {$limit}";
     $rg = $conn->CacheExecute($sqlgraph);
     if (!$rg) {
         print $conn->ErrorMsg();
     } else {
         while (!$rg->EOF) {
             $data[] = $rg->fields["num_events"];
             $name = Util::signaturefilter($rg->fields["name"]);
             $label[] = $name;
             $link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=all&submit=Query+DB&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=" . $rg->fields["plugin_id"] . "%3B" . $rg->fields["sid"] . "&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');
             $links[] = $link;
             $rg->MoveNext();
//
// Collect the distinct source/destination IPs seen in acid_event for the report window;
// the loop that follows (outside this fragment) drops those inside known networks.
// Prerequisites set before this fragment: $conn (ADODB connection), $date_from, $date_to, $dDB.
//
$ips = array();
// No taxonomy restriction: every plugin / source type / category is included.
$plugin_id = NULL;
$plugin_groups = NULL;
$source_type = NULL;
$category = NULL;
$subcategory = NULL;
$limit = 20;
// Taxonomy filters
$plugin_list = Plugin_sid::get_all_sids($conn, $plugin_id, $source_type, $category, $subcategory, $plugin_groups);
// Data Source events or Source Type events
$selected = "";
// src_ips from acid_event
$where = Security_report::make_where($conn, $date_from, $date_to, $plugin_list, $dDB);
// When the WHERE clause references a plist_* table, pull out its name so it can be
// added to the FROM list of both SELECTs below; otherwise no extra join is needed.
$ejoin = preg_match('/plist_[a-z]+/', $where) ? preg_replace('/.*(plist_[a-z]+)\\.id .*/', ',\\1', $where) : '';
// NOTE(review): $where and $ejoin are interpolated verbatim; this relies on make_where()
// quoting every value it embeds ($date_from/$date_to included) — not visible here, confirm.
$query = "SELECT DISTINCT ip_src AS ip FROM alienvault_siem.acid_event {$ejoin} WHERE 1=1 {$where}\n    UNION SELECT DISTINCT ip_dst as ip FROM alienvault_siem.acid_event {$ejoin} WHERE 1=1 {$where}";
$rs = $conn->Execute($query);
if (!$rs) {
    // Raising a DB_ERROR exception (instead of printing ErrorMsg()) keeps the raw
    // database error text out of the rendered page.
    Av_exception::throw_error(Av_exception::DB_ERROR, $conn->ErrorMsg());
}
// Printable addresses already handled, so each IP is processed once across both UNION halves.
$already = array();
while (!$rs->EOF) {
    $ip = inet_ntop($rs->fields['ip']);
    if (!isset($already[$ip])) {
        //Session::hostAllowed($conn,$ip) => not necessary here?
        $already[$ip]++;
        if (!Asset_host::is_ip_in_cache_cidr($conn, $ip)) {
            // geoip
            $_country_aux = $geoloc->get_country_by_host($conn, $ip);
// Index the sensors the current session is allowed to see.
// Prerequisite: $rs holds an open recordset (query issued before this fragment) exposing
// the columns sensor_ip (binary), id, sensor_id and name.
while (!$rs->EOF) {
    $_sip = inet_ntop($rs->fields["sensor_ip"]); // binary address -> printable form
    $_dev = $rs->fields["id"];
    $_sid = $rs->fields["sensor_id"];
    // Per-sensor authorization: devices of sensors the session may not see are skipped entirely.
    if (Session::sensorAllowed($_sid)) {
        $device_ip[$_dev] = $_sip;
        $ip_device[$_sip][$_dev] = $_dev;
        $ip_name[$_sip] = $rs->fields["name"];
        $dev_perms[] = $_dev;
    }
    $rs->MoveNext();
}
// Allowed Sensors filter
// The ids come from the recordset above, not from request input, but they are embedded
// unescaped; quoting each via $conn->qstr() would make this independent of table contents.
// If $dev_perms is never initialised (no sensor allowed) implode() receives null, and an
// empty array yields IN ('') which matches no rows.
$criteria_sql = "WHERE plugin.id=acid_event.plugin_id AND device_id IN ('" . implode("','", $dev_perms) . "')";
//$query_where
// Asset filter with no date range; the timestamp clause make_where() appends is removed
// so the aggregate covers all stored events.
$query_where = Security_report::make_where($conn, '', '', array(), array());
$query_where = preg_replace('/AND \\(timestamp.*/', '', $query_where);
$query = "SELECT DISTINCT device_id, plugin_id, name, sum( acid_event.cnt ) as event_cnt FROM alienvault.plugin, alienvault_siem.ac_acid_event as acid_event {$criteria_sql} {$query_where} GROUP BY device_id, plugin_id ORDER BY event_cnt DESC";
//print_r($query);
// NOTE(review): `=&` on a function result raises "Only variables should be assigned by
// reference" unless Execute() is declared to return by reference; plain `=` is sufficient.
// On failure the raw DB error text is written to the response before exiting.
if (!($rs =& $conn->Execute($query))) {
    print $conn->ErrorMsg();
    exit;
}
// Accumulators for the per-sensor / per-plugin table filled by the loop that follows.
$s = 0;
$p = 0;
$data = array();
$already_plugin = array();
$already_sensor = array();
$plugin_ids = array();
$header = array();
while (!$rs->EOF) {
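/**
 * This function gets the SIEM trends in hours
 *
 * Results are cached per session user for 300 seconds; the cache key is built from
 * $h and the serialized $assets_filters.
 *
 * @param  int     $h               Number of hours of the trend
 * @param  mixed   $assets_filters  [Optional] Asset filter applied (array with 'assets' and 'ctxs'
 *                                  keys); any empty value means "no filter"
 * @param  string  $first_date      [Optional] Hour to probe, in the 'YYYY-MM-DD HH' form the query
 *                                  completes with ':00:00'/':59:59'. When the aggregated table has no
 *                                  row for that hour but the raw event table does, the raw table is used.
 *
 * @return  array  'day hourh' => number of events (hours in the configured time zone)
 */
function SIEM_trends($h = 24, $assets_filters = '', $first_date = '')
{
    global $tz;

    //Cache file
    $file = '_siem_events_' . Session::get_session_user() . '_';
    $file .= md5($h . '_' . serialize($assets_filters));
    // NOTE(review): $first_date is not part of the cache key, so a result cached by a call
    // without it is returned to later calls that pass one — confirm this is intended.
    $data = Cache_file::get_asset_data($file, 300);
    if (is_array($data)) {
        return $data;
    }

    $db     = new ossim_db(TRUE);
    $dbconn = $db->connect();
    $tzc    = Util::get_tzc($tz);
    $data   = array();

    //Filters of assets
    // Replace the value as a whole: the default is the string '', and writing string
    // offsets into it is an error on PHP 7.1+ rather than an implicit array conversion.
    if (empty($assets_filters)) {
        $assets_filters = array('assets' => array(), 'ctxs' => array());
    }
    $query_where = Security_report::make_where($dbconn, gmdate("Y-m-d H:00:00", gmdate("U") - 3600 * $h), gmdate("Y-m-d H:59:59"), array(), $assets_filters);

    // Default source: the pre-aggregated ac_acid_event table.
    $sqlgraph = "SELECT SUM(cnt) AS num_events, hour(convert_tz(timestamp,'+00:00','{$tzc}')) AS intervalo, day(convert_tz(timestamp,'+00:00','{$tzc}')) AS suf \n        FROM alienvault_siem.ac_acid_event as acid_event WHERE 1=1 {$query_where} GROUP BY suf,intervalo";

    if ($first_date) {
        // $first_date is caller-supplied: quote it through the driver instead of
        // interpolating it raw into the statement text.
        $from = $dbconn->qstr($first_date . ':00:00');
        $to   = $dbconn->qstr($first_date . ':59:59');

        // Test if we have enough data in ac_acid_event
        $query = "select cnt from alienvault_siem.ac_acid_event where timestamp between {$from} and {$to} limit 1";
        $rg    = $dbconn->CacheExecute($query);
        if (!$rg) {
            // Failed query: report and keep the default $sqlgraph. Reading $rg->EOF here
            // would dereference false. (ErrorMsg() text goes straight to the output.)
            print $dbconn->ErrorMsg();
        } elseif ($rg->EOF) {
            // Test if we have enough data in acid_event
            $query = "select hex(id) from alienvault_siem.acid_event where timestamp between {$from} and {$to} limit 1";
            $rg    = $dbconn->CacheExecute($query);
            if (!$rg) {
                print $dbconn->ErrorMsg();
            } elseif (!$rg->EOF) {
                // The aggregate has no rows for that hour but the raw table does: count raw events.
                $sqlgraph = "SELECT COUNT(acid_event.id) AS num_events, hour(convert_tz(timestamp,'+00:00','{$tzc}')) AS intervalo, day(convert_tz(timestamp,'+00:00','{$tzc}')) AS suf \n                    FROM alienvault_siem.acid_event WHERE 1=1 {$query_where} GROUP BY suf,intervalo";
            }
        }
    }

    $rg = $dbconn->CacheExecute($sqlgraph);
    if (!$rg) {
        print $dbconn->ErrorMsg();
    } else {
        while (!$rg->EOF) {
            // Key: "<day> <hour>h" in the configured time zone, e.g. "17 9h".
            $data[$rg->fields['suf'] . ' ' . $rg->fields['intervalo'] . 'h'] = $rg->fields['num_events'];
            $rg->MoveNext();
        }
    }

    $db->close();
    // An empty result is cached too, so a failed query is not retried for 300 seconds.
    Cache_file::save_file($file, $data);

    return $data;
}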