Example #1
    $sort_sql[1] = " ORDER BY ossim_reliability ASC,timestamp DESC";
} elseif ($sort_order == "oreli_d") {
    $sort_sql[1] = " ORDER BY ossim_reliability DESC,timestamp DESC";
} elseif ($sort_order == "proto_a") {
    $sort_sql[1] = " ORDER BY ip_proto ASC,timestamp DESC";
    $where = preg_replace("/1  AND \\( timestamp/", "ip_proto > 0 AND ( timestamp", $where);
} elseif ($sort_order == "proto_d") {
    $sort_sql[1] = " ORDER BY ip_proto DESC,timestamp DESC";
    $where = preg_replace("/1  AND \\( timestamp/", "ip_proto > 0 AND ( timestamp", $where);
}
// Query that selects the ids of the events in the current result set. The pieces
// ($sort_sql, $from, $where) are concatenated exactly as they were built earlier.
// NOTE(review): nothing is parameterised on this line; confirm that the code which builds
// $from/$where validates or escapes every request-derived value before it gets here.
$save_sql = "SELECT acid_event.id " . $sort_sql[0] . $from . $where . $sort_sql[1];
//print_r($save_sql);
// Refresh the alert cache first when automatic cache updates are switched on.
if ($event_cache_auto_update == 1) {
    UpdateAlertCache($db);
}
// Split $submit into its (seq, eid) pair; $seq and $eid are presumably filled in by
// reference, since they are only read after this call.
GetNewResultID($submit, $seq, $eid);
/* Verify that (eid, seq) were extracted correctly; stop the page when no event id came back */
if (empty($eid)) {
    // NOTE(review): $seq and $eid are concatenated into the message as-is; confirm that
    // ErrorMessage() HTML-encodes its argument before printing it.
    ErrorMessage(_("Invalid row-id pair") . " (" . $seq . "," . $eid . ")");
    exit;
}
// Keep a copy of the ORDER BY clause.
$tmp_sql = $sort_sql[1];
// The header table is closed only when the "minimal_view" query parameter is absent.
if (!array_key_exists("minimal_view", $_GET)) {
    echo "<!-- END HEADER TABLE -->\n          </div> </TD>\n           </TR>\n          </TABLE>";
}
echo "<FORM METHOD=\"GET\" ID='alertform' ACTION=\"base_qry_alert.php\">\n";
/* Make Selected */
// NOTE(review): $submit is written into an HTML attribute without encoding on this line.
// Confirm it is restricted upstream to a safe character set, or encode it with
// htmlspecialchars($submit, ENT_QUOTES) before output.
echo "\n<INPUT TYPE=\"hidden\" NAME=\"action_chk_lst[0]\" VALUE=\"{$submit}\">\n";
echo "\n<INPUT TYPE=\"hidden\" NAME=\"action\" id=\"alertaction\" VALUE=\"\">\n";
// Placeholder markup shown where a field has no value.
$empty = "<span style='color:gray'>" . _("N/A") . "</span>";
//IMPORTANT!!! iF YOU CHANGE THE VALUE, CHANGE IT ALSO IN THE KDB, (THIS DOCUMENT DOWN HERE)
Example #2
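/**
 * Runs one bulk action (delete, e-mail, archive, alert-group change ...) over the entries
 * that were selected on a listing page.
 *
 * Handlers are resolved by name from $action: Action_<action>_Pre() runs once before the
 * loop, Action_<action>_op() runs per event, Action_<action>_post() runs once at the end.
 * Depending on the page, a selected entry is either a single event or a "blob" (signature,
 * sensor, address pair, port ...) whose events are looked up with a query built from
 * $action_sql. For "del_alert" on blobs nothing is deleted inline: the statements are
 * written to /var/tmp/del_<time> and handed to the background purge script.
 *
 * Security-relevant behaviour:
 *  - $action may only contain [A-Za-z0-9_] and its _Pre/_post handlers must exist, so the
 *    computed handler name can only resolve to a plain Action_* function.
 *  - Every selected value that is concatenated into SQL is checked against an allow-list
 *    (integer or hex) first; an entry that fails the check is reported and skipped.
 *  - The purge file is created exclusively (mode "x") because its name is predictable and
 *    /var/tmp is shared.
 *  - $action_sql is concatenated unchanged; callers must build it from validated input.
 *  - NOTE(review): debug tracing is switched on by the mere existence of /tmp/debug_siem
 *    and appends SQL to /tmp/siem. Both paths are in a shared temp directory; confirm who
 *    can create them, or move the trace to a directory owned by the web user.
 *
 * @param string $action       Action key, e.g. "del_alert", "email_alert", "ag_by_id".
 * @param string $action_op    Submitted button label; compared with "Delete Entire Query".
 *                             Taken by reference but not modified here.
 * @param mixed  $action_arg   Passed through to the handlers.
 * @param mixed  $action_param Passed through to the _Pre handler.
 * @param mixed  $context      One of the PAGE_* constants naming the originating page.
 * @param array  $action_lst   The selected entries.
 * @param int    $num_alert    Number of alerts in the listing. By reference, not modified.
 * @param string $action_sql   SQL fragment appended after the SELECT list.
 * @param object $db           Connection exposing baseExecute(), baseErrorMessage() and
 *                             baseCacheFlush().
 * @param int    $limit_start  First row to act on, or -1 for no limit.
 * @param int    $limit_offset Number of rows to act on when $limit_start is set.
 *
 * @return int|null -1 when the action is rejected, the purge file cannot be created or the
 *                  alert list query fails; otherwise nothing.
 */
function ProcessSelectedAlerts($action, &$action_op, $action_arg, $action_param, $context, $action_lst, &$num_alert, $action_sql, $db, $limit_start = -1, $limit_offset = -1)
{
    $action_cnt = 0;
    $dup_cnt = 0;
    switch ($action) {
        case "ag_by_id":
            $action_desc = gettext("ADD to AG (by ID)");
            break;
        case "ag_by_name":
            $action_desc = gettext("ADD to AG (by Name)");
            break;
        case "del_alert":
            $action_desc = gettext("Delete event(s)");
            break;
        case "email_alert":
            $action_desc = gettext("Email event(s) (full)");
            break;
        case "email_alert2":
            $action_desc = gettext("Email event(s) (summary)");
            break;
        case "csv_alert":
            $action_desc = gettext("Email event(s) (csv)");
            break;
        case "clear_alert":
            $action_desc = gettext("Clear from AG");
            break;
        case "archive_alert":
            $action_desc = gettext("Archive event(s) (copy)");
            break;
        case "archive_alert2":
            $action_desc = gettext("Archive event(s) (move)");
            break;
        case "add_new_ag":
            $action_desc = gettext("ADD-New-AG");
            break;
        default:
            $action_desc = "";
    }
    if ($action == "") {
        return;
    }
    // $action becomes part of a function name below, so restrict it to identifier
    // characters and make sure the handlers that are always called really exist.
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', (string) $action)) {
        ErrorMessage(gettext("Invalid action"));
        return -1;
    }
    $function_pre = "Action_" . $action . "_Pre";
    $function_op = "Action_" . $action . "_op";
    $function_post = "Action_" . $action . "_post";
    if (!function_exists($function_pre) || !function_exists($function_post)) {
        ErrorMessage(gettext("Invalid action"));
        return -1;
    }
    // Allow-lists for selected values that end up inside quoted SQL literals.
    // NOTE(review): assumes plugin_id, plugin_sid, device_id and the layer-4 port are
    // integer columns and ctx is a hex string - confirm against the schema.
    $int_pattern = '/\A-?\d+\z/';
    $port_pattern = '/\A\d+\z/';
    $hex_pattern = '/\A[0-9a-fA-F]+\z/';
    /* Depending on which page/listing the action was spawned from, the selected entities
     * are not necessarily specific alerts. Sensors or alert names may be selected, for
     * example. Each such entity is called an alert blob, and the alerts behind it have to
     * be extracted with SQL that uses the selected key as its criterion.
     *
     * Note: "Delete Entire Query" is treated as a blob as well.
     */
    $delete_entire_query = $action_op == gettext("Delete Entire Query");
    // Main blobs/elements to process (single events, unique events, sensors, ports ...)
    $process_list = array();
    if ($delete_entire_query) {
        $process_list[] = 1;
        $action_cnt = $num_alert;
    } else {
        // Compact action_lst into a 0-based list
        foreach ($action_lst as $_value) {
            $process_list[] = $_value;
        }
    }
    /* Query results, AG contents and the single-alert page hold specific alerts; every
     * other page lists blobs.
     */
    if ($context == PAGE_QRY_ALERTS || $context == PAGE_QRY_AG || $context == PAGE_ALERT_DISPLAY) {
        $using_blobs = $delete_entire_query;
    } else {
        $using_blobs = TRUE;
    }
    $blob_alert_cnt = $num_alert;
    if (file_exists('/tmp/debug_siem')) {
        file_put_contents("/tmp/siem", "ProcessSelectedAlerts [action={$action} action_op={$action_op} context={$context} num_alert={$num_alert} action_sql={$action_sql} using_blobs={$using_blobs} process_list=" . json_encode($process_list) . "]\n", FILE_APPEND);
    }
    /* ******* SOME PRE ACTION ********* */
    $action_ctx = $function_pre($action_arg, $action_param, $db);
    // Background delete: create the purge file del_<TIME>
    if ($action == "del_alert") {
        $block = 50000;
        $del_total = count($process_list);
        $del_total = $del_total > 0 ? $del_total : 1;
        $interval = 100 / $del_total;
        $db_name = $_SESSION["server"][4] != "" ? $_SESSION["server"][4] : "alienvault_siem";
        $rnd = time();
        $deltmp = "/var/tmp/del_{$rnd}";
        // "x" refuses to open a path that already exists (including a planted symlink)
        // instead of truncating it, and keeps two purges started in the same second from
        // writing into one file.
        $f = fopen($deltmp, "x");
        if ($f === false) {
            ErrorMessage(gettext("Unable to create the background purge file"));
            return -1;
        }
        $_SESSION["deletetask"] = $rnd;
        fputs($f, "/* ****************Background Purge Execution*************** */\n");
        if ($_SESSION["server"][4] != "") {
            fputs($f, "USE " . $db_name . ";\n");
        }
        fputs($f, "CREATE TABLE IF NOT EXISTS `deletetmp` (`id` int(11) NOT NULL,`perc` int(11) NOT NULL, PRIMARY KEY (`id`));\n");
        fputs($f, "INSERT INTO deletetmp (id,perc) VALUES ({$rnd},1) ON DUPLICATE KEY UPDATE perc=1;\n");
        fputs($f, "CREATE TABLE IF NOT EXISTS del_{$rnd} ( id binary(16) NOT NULL,timestamp DATETIME NOT NULL, PRIMARY KEY ( id ) );\n");
    }
    // Loop through all the alert blobs
    $process_total = count($process_list);
    for ($j = 0; $j < $process_total; $j++) {
        $perc = round($j * 100 / $process_total, 0);
        if ($perc > 99) {
            $perc = 99;
        }
        /* If acting on a blob construct, or on the entire query of a non-blob structure
         * (which is equivalent to one blob), run a query to get the results.
         *
         * For each blob two SQL statements are generated: one to retrieve the alerts
         * ($sql) and one to count the alerts in this blob ($sql2).
         */
        if ($using_blobs) {
            $sql = $action_sql;
            // Stays empty on pages that need no count query.
            $sql2 = "";
            if ($context == PAGE_STAT_ALERTS) {
                /* Unique signature listing: the entry is "<plugin_id>;<plugin_sid>" */
                $tmp = !isset($process_list[$j]) ? array(0, 0) : preg_split("/[\\s;]+/", $process_list[$j]);
                if (!isset($tmp[0], $tmp[1]) || !preg_match($int_pattern, (string) $tmp[0]) || !preg_match($int_pattern, (string) $tmp[1])) {
                    ErrorMessage(gettext("Invalid selection ignored"));
                    continue;
                }
                $sql = "SELECT hex(acid_event.id) as id " . $action_sql . " \n                         AND acid_event.plugin_id='" . $tmp[0] . "' AND acid_event.plugin_sid='" . $tmp[1] . "'";
                $sql2 = "SELECT count(acid_event.id) " . $action_sql . " \n                         AND acid_event.plugin_id='" . $tmp[0] . "' AND acid_event.plugin_sid='" . $tmp[1] . "'";
            } elseif ($context == PAGE_STAT_SENSOR) {
                $tmp = !isset($process_list[$j]) ? -1 : $process_list[$j];
                if (!is_scalar($tmp) || !preg_match($int_pattern, (string) $tmp)) {
                    ErrorMessage(gettext("Invalid selection ignored"));
                    continue;
                }
                $sql = "SELECT hex(acid_event.id) as id " . $action_sql . " AND device_id='{$tmp}'";
                $sql2 = "SELECT count(acid_event.id) " . $action_sql . " AND device_id='{$tmp}'";
            } elseif ($context == PAGE_STAT_CLASS || $context == PAGE_STAT_IPLINK) {
                // NOTE(review): both statements are empty for these pages, yet the count
                // query below is still executed - confirm how baseExecute() treats "".
                $sql = $sql2 = "";
            } elseif ($context == PAGE_STAT_UADDR) {
                if (!isset($process_list[$j])) {
                    $tmp = " AND ip_src=NULL AND ip_dst=NULL";
                } else {
                    // The entry is "<src ip>_<dst ip>_<ctx>"
                    $aux = explode("_", $process_list[$j]);
                    $tmp = "";
                    // The addresses are re-encoded through inet_pton()/bin2hex(), so only
                    // hex digits can reach the statement.
                    if (preg_match("/\\d+\\.\\d+\\.\\d+\\.\\d+/", $aux[0])) {
                        $tmp .= " AND ip_src=unhex('" . bin2hex(@inet_pton($aux[0])) . "')";
                    }
                    if (isset($aux[1]) && preg_match("/\\d+\\.\\d+\\.\\d+\\.\\d+/", $aux[1])) {
                        $tmp .= " AND ip_dst=unhex('" . bin2hex(@inet_pton($aux[1])) . "')";
                    }
                    // ctx is concatenated verbatim, so the whole value must be hex; an
                    // unanchored match would accept any string containing one hex digit.
                    if (isset($aux[2]) && preg_match($hex_pattern, $aux[2])) {
                        $tmp .= " AND ctx=unhex('" . $aux[2] . "')";
                    }
                    // Without any criterion the statement would cover every event matched
                    // by $action_sql, so skip the entry instead.
                    if ($tmp === "") {
                        ErrorMessage(gettext("Invalid selection ignored"));
                        continue;
                    }
                }
                $sql = "SELECT hex(acid_event.id) as id " . preg_replace("/.._acid_event (as)?/", '', $action_sql) . $tmp;
                $cnt = preg_match("/.._acid_event/", $action_sql) ? "sum(acid_event.cnt) " : "count(acid_event.id) ";
                $sql2 = "SELECT " . $cnt . $action_sql . $tmp;
            } elseif ($context == PAGE_STAT_PORTS) {
                if (!isset($process_list[$j])) {
                    $tmp = "ip_proto='-1'";
                } else {
                    // The entry is "<proto>_<port type>_<port>_<ctx>"
                    $tmp = $process_list[$j];
                    $tmp_proto = strtok($tmp, "_");
                    $tmp_porttype = strtok("_");
                    $tmp_ip = strtok("_");
                    $ctx = strtok("_");
                    // Port and ctx are concatenated verbatim below; a missing token is
                    // FALSE and fails these checks as well.
                    if (!preg_match($port_pattern, (string) $tmp_ip) || !preg_match($hex_pattern, (string) $ctx)) {
                        ErrorMessage(gettext("Invalid selection ignored"));
                        continue;
                    }
                    if ($tmp_proto == TCP) {
                        $tmp = "ip_proto='" . TCP . "'";
                    } elseif ($tmp_proto == UDP) {
                        $tmp = "ip_proto='" . UDP . "'";
                    } else {
                        $tmp = "ip_proto IN (" . TCP . ", " . UDP . ")";
                    }
                    $tmp .= $tmp_porttype == SOURCE_PORT ? " AND layer4_sport='" . $tmp_ip . "'" : " AND layer4_dport='" . $tmp_ip . "'";
                    $tmp .= " AND ctx=unhex('{$ctx}')";
                }
                $sql = "SELECT hex(acid_event.id) as id FROM acid_event WHERE " . $tmp;
                $sql2 = "SELECT count(acid_event.id) FROM acid_event WHERE " . $tmp;
            }
            if (file_exists('/tmp/debug_siem')) {
                file_put_contents("/tmp/siem", "Delete: {$sql}\n{$sql2}\n", FILE_APPEND);
            }
            // On the blob pages, count the alerts behind this blob
            if ($context == PAGE_STAT_ALERTS || $context == PAGE_STAT_SENSOR || $context == PAGE_STAT_CLASS || $context == PAGE_STAT_IPLINK || $context == PAGE_STAT_UADDR || $context == PAGE_STAT_PORTS) {
                $result_blob = $db->baseExecute($sql2);
                $myrow_blob = $result_blob->baseFetchRow();
                $blob_alert_cnt = $myrow_blob[0];
                $action_cnt += $blob_alert_cnt;
                $result_blob->baseFreeRows();
            }
            /* Limit the number of alerts acted on if in "top x alerts" */
            if ($limit_start != -1) {
                $blob_alert_cnt = $limit_offset;
            }
            if ($action == 'del_alert') {
                // Background purge for blobs (Delete Entire Query, Grouped by ...): append
                // to the handle opened above rather than re-opening the path.
                $total_aux = $blob_alert_cnt > 0 ? $blob_alert_cnt : 1;
                fputs($f, "INSERT IGNORE INTO del_{$rnd} " . str_replace("hex(acid_event.id) as id", "acid_event.id,DATE_FORMAT(acid_event.timestamp, '%Y-%m-%d %H:00:00')", $sql) . ";\n");
                fputs($f, "SELECT min(timestamp),max(timestamp) FROM del_{$rnd} INTO @date_from,@date_to;\n");
                fputs($f, "CREATE TEMPORARY TABLE tmp_delete (id binary(16) NOT NULL, PRIMARY KEY (`id`)) ENGINE=MEMORY;\n");
                fputs($f, "SET AUTOCOMMIT=0;\n");
                // Progress reported when the blob fits in one block; without this the
                // UPDATE below would be written with an undefined value.
                $sub_perc = $perc;
                for ($k = 0; $k < $total_aux; $k += $block) {
                    // Increase percent progress in subintervals
                    if ($total_aux > $block) {
                        $sub_perc = round(($k + $block) * 100 / $total_aux, 0);
                        $sub_perc = $perc + $sub_perc * $interval / 100;
                        if ($sub_perc > 99) {
                            $sub_perc = 99;
                        }
                    }
                    fputs($f, "UPDATE deletetmp SET perc='{$sub_perc}' WHERE id='{$rnd}';COMMIT;\n");
                    fputs($f, "INSERT INTO tmp_delete SELECT id FROM del_{$rnd} LIMIT {$block};\n");
                    fputs($f, "DELETE aux FROM acid_event aux LEFT JOIN tmp_delete t ON aux.id=t.id WHERE t.id IS NOT NULL;\n");
                    fputs($f, "DELETE aux FROM idm_data aux LEFT JOIN tmp_delete t ON aux.event_id=t.id WHERE t.id IS NOT NULL;\n");
                    fputs($f, "DELETE aux FROM reputation_data aux LEFT JOIN tmp_delete t ON aux.event_id=t.id WHERE t.id IS NOT NULL;\n");
                    fputs($f, "DELETE aux FROM otx_data aux LEFT JOIN tmp_delete t ON aux.event_id=t.id WHERE t.id IS NOT NULL;\n");
                    fputs($f, "DELETE aux FROM extra_data aux LEFT JOIN tmp_delete t ON aux.event_id=t.id WHERE t.id IS NOT NULL;\n");
                    fputs($f, "DELETE d FROM del_{$rnd} d, tmp_delete t WHERE t.id=d.id;TRUNCATE TABLE tmp_delete;\n\n");
                    fputs($f, "COMMIT;\n");
                }
                fputs($f, "DELETE aux FROM acid_event aux LEFT JOIN del_{$rnd} t ON aux.id=t.id WHERE t.id IS NOT NULL;\n");
                fputs($f, "DELETE aux FROM idm_data aux LEFT JOIN del_{$rnd} t ON aux.event_id=t.id WHERE t.id IS NOT NULL;\n");
                fputs($f, "DELETE aux FROM reputation_data aux LEFT JOIN del_{$rnd} t ON aux.event_id=t.id WHERE t.id IS NOT NULL;\n");
                fputs($f, "DELETE aux FROM otx_data aux LEFT JOIN del_{$rnd} t ON aux.event_id=t.id WHERE t.id IS NOT NULL;\n");
                fputs($f, "DELETE aux FROM extra_data aux LEFT JOIN del_{$rnd} t ON aux.event_id=t.id WHERE t.id IS NOT NULL;\n");
                fputs($f, "CALL fill_tables(DATE_FORMAT(@date_from, '%Y-%m-%d %H:00:00'),DATE_FORMAT(@date_to, '%Y-%m-%d %H:59:59'));\n");
                fputs($f, "TRUNCATE TABLE del_{$rnd};\nDROP TABLE tmp_delete;\n");
                fputs($f, "COMMIT;\n");
            } else {
                /* Execute the SQL to get the alert listing */
                if ($limit_start == -1) {
                    $result = $db->baseExecute($sql, -1, -1, FALSE);
                } else {
                    $result = $db->baseExecute($sql, $limit_start, $limit_offset, FALSE);
                }
                if ($db->baseErrorMessage() != "") {
                    ErrorMessage("Error retrieving alert list to {$action_desc} " . $db->baseErrorMessage());
                    return -1;
                }
                if (is_object($result)) {
                    for ($i = 0; $i < $blob_alert_cnt; $i++) {
                        $myrow = $result->baseFetchRow();
                        $id = $myrow[0];
                        if ($id == "") {
                            continue;
                        }
                        /* **** SOME ACTION on Event ID ********** */
                        if (file_exists('/tmp/debug_siem')) {
                            file_put_contents("/tmp/siem", "Action [{$action}] on specific event in particular blob ID:{$id}\n", FILE_APPEND);
                        }
                        // 0 is counted as a duplicate, 1 as a successful action.
                        $tmp = $function_op($id, $db, $action_arg, $action_ctx);
                        if ($tmp == 0) {
                            ++$dup_cnt;
                        } elseif ($tmp == 1) {
                            ++$action_cnt;
                        }
                    }
                    /* Free the result set used to get the alert list */
                    $result->baseFreeRows();
                }
            }
        } else {
            GetNewResultID($process_list[$j], $seq, $id);
            if ($id != "") {
                /* **** SOME ACTION on Event ID ********** */
                if (file_exists('/tmp/debug_siem')) {
                    file_put_contents("/tmp/siem", "Action [{$action}] on single event ID:{$id}\n", FILE_APPEND);
                }
                if ($action == "del_alert") {
                    $tmp = $function_op($id, $db, $deltmp, $action_cnt, $perc, $f);
                } else {
                    $tmp = $function_op($id, $db, $action_arg, $action_ctx);
                }
                // 0 is counted as a duplicate, 1 as a successful action.
                if ($tmp == 0) {
                    ++$dup_cnt;
                } elseif ($tmp == 1) {
                    ++$action_cnt;
                }
            }
        }
    }
    // Finish the purge file and start the background purge
    if ($action == 'del_alert') {
        fputs($f, "DROP TABLE del_{$rnd};\n");
        fputs($f, "UPDATE deletetmp SET perc='100' WHERE id='{$rnd}';\nCOMMIT;\n");
        fclose($f);
        // The file name is handed over as a separate argument for the "?" placeholder
        // rather than being spliced into the command string.
        $cmd = "/usr/share/ossim/scripts/forensics/bg_purge_from_siem.sh ? > /var/tmp/latest_siem_events_purge.log 2>&1 &";
        if (file_exists('/tmp/debug_siem')) {
            file_put_contents("/tmp/siem", "Action [{$action}] background delete ({$action_cnt} events):{$cmd}\n", FILE_APPEND);
        }
        Util::execute_command($cmd, array("del_{$rnd}"));
        echo "<script>bgtask();</script>\n";
    }
    /* **** SOME POST-ACTION ******* */
    if ($action == "del_alert") {
        $function_post($action_arg, $action_ctx, $db, $num_alert, $action_cnt, $context, $deltmp);
    } else {
        $function_post($action_arg, $action_ctx, $db, $num_alert, $action_cnt);
    }
    if ($dup_cnt > 0) {
        ErrorMessage(gettext("Ignored ") . $dup_cnt . gettext(" duplicate event(s)"));
    }
    // Nothing is printed on success; only an empty result is reported.
    if ($action_cnt == 0) {
        ErrorMessage(gettext("No events were selected or the") . " {$action_desc} " . gettext("was not successful"));
    }
    $db->baseCacheFlush();
}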
function ProcessSelectedAlerts($action, &$action_op, $action_arg, $action_param, $context, $action_lst, &$num_alert, $action_sql, $db, $limit_start = -1, $limit_offset = -1)
{
    global $debug_mode;
    $action_cnt = 0;
    $dup_cnt = 0;
    $action_desc = "";
    if ($action == "ag_by_id") {
        $action_desc = gettext("ADD to AG (by ID)");
    } else {
        if ($action == "ag_by_name") {
            $action_desc = gettext("ADD to AG (by Name)");
        } else {
            if ($action == "del_alert") {
                $action_desc = gettext("Delete event(s)");
            } else {
                if ($action == "email_alert") {
                    $action_desc = gettext("Email event(s) (full)");
                } else {
                    if ($action == "email_alert2") {
                        $action_desc = gettext("Email event(s) (summary)");
                    } else {
                        if ($action == "csv_alert") {
                            $action_desc = gettext("Email event(s) (csv)");
                        } else {
                            if ($action == "clear_alert") {
                                $action_desc = gettext("Clear from AG");
                            } else {
                                if ($action == "archive_alert") {
                                    $action_desc = gettext("Archive event(s) (copy)");
                                } else {
                                    if ($action == "archive_alert2") {
                                        $action_desc = gettext("Archive event(s) (move)");
                                    } else {
                                        if ($action == "add_new_ag") {
                                            $action_desc = gettext("ADD-New-AG");
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    if ($action == "") {
        return;
    }
    // if ($debug_mode > 0) {
    // echo "<BR>==== $action_desc Alerts ========<BR>
    // num_alert = $num_alert<BR>
    // action_sql = $action_sql<BR>
    // action_op = $action_op<BR>
    // action_arg = $action_arg<BR>
    // action_param = $action_param<BR>
    // context = $context<BR>
    // limit_start = $limit_start<BR>
    // limit_offset = $limit_offset<BR>";
    // }
    /* Depending from which page/listing the action was spawned,
     * the entities selected may not necessarily be specific
     * alerts.  For example, sensors or alert names may be
     * selected.  Thus, each one of these entities referred to as
     * alert_blobs, the specific alerts associated with them must
     * be explicitly extracted.  This blob structures SQL must be
     * used to extract the list, where the passed selected keyed
     * will be the criteria in this SQL.
     *
     * Note: When acting on any page where gettext("Delete Entire Query") is
     * selected this is also a blob.
     */
    /* if only manipulating specific alerts --
     * (in the Query results or AG contents list)
     */
    if ($context == PAGE_QRY_ALERTS || $context == PAGE_QRY_AG || $context == PAGE_ALERT_DISPLAY) {
        $num_alert_blobs = 1;
        if ($action_op == gettext("Delete Entire Query")) {
            $using_blobs = true;
        } else {
            $using_blobs = false;
        }
    } else {
        $num_alert_blobs = $num_alert;
        $using_blobs = true;
    }
    $blob_alert_cnt = $num_alert;
    if ($debug_mode > 0) {
        echo "using_blobs = {$using_blobs}<BR>";
    }
    /* ******* SOME PRE ACTION ********* */
    $function_pre = "Action_" . $action . "_Pre";
    $action_ctx = $function_pre($action_arg, $action_param, $db);
    //if ($debug_mode > 0) echo "<BR>Gathering elements from " . sizeof($action_lst) . " alert blobs<BR>";
    /* Loop through all the alert blobs */
    $deltmp = "";
    if ($action == "del_alert") {
        $count = count($action_lst);
        $aux_count = $count > 0 ? $count : 1;
        $aux_cnt = $blob_alert_cnt > 0 ? $blob_alert_cnt : 1;
        $interval = $action_op == "Selected" ? 100 / $aux_count : 100 / $aux_cnt;
        $rnd = time();
        $deltmp = "/var/tmp/delsql_{$rnd}";
        $f = fopen($deltmp, "w+");
        //fputs($f, "/* count=$count interval=$interval blob_alert_cnt=$blob_alert_cnt num_alert_blobs=$num_alert_blobs num_alert=$num_alert */\n");
        if ($_SESSION["server"][4] != "") {
            fputs($f, "USE " . $_SESSION["server"][4] . ";\n");
        }
        fputs($f, "CREATE TABLE IF NOT EXISTS `deletetmp` (`id` int(11) NOT NULL,`perc` int(11) NOT NULL, PRIMARY KEY (`id`));\n");
        fputs($f, "INSERT INTO deletetmp (id,perc) VALUES ({$rnd},1) ON DUPLICATE KEY UPDATE perc=1;\n");
    }
    for ($j = 0; $j < $num_alert_blobs; $j++) {
        /* If acting on a blob construct, or on the_ENTIREQUERY
         * of a non-blob structure (which is equivalent to 1-blob)
         * run a query to get the results.
         *
         * For each unique blob construct two SQL statement are
         * generated: one to retrieve the alerts ($sql), and another
         * to count the number of actual alerts in this blob
         */
        if ($using_blobs) {
            $sql = $action_sql;
            /* Unique Signature listing */
            if ($context == PAGE_STAT_ALERTS) {
                if (!isset($action_lst[$j])) {
                    $tmp = array(0, 0);
                } else {
                    $tmp = preg_split("/[\\s;]+/", $action_lst[$j]);
                }
                $sql = "SELECT hex(acid_event.id) as id " . $action_sql . " AND acid_event.plugin_id='" . $tmp[0] . "' AND acid_event.plugin_sid='" . $tmp[1] . "'";
                $sql2 = "SELECT count(acid_event.id) " . $action_sql . " AND acid_event.plugin_id='" . $tmp[0] . "' AND acid_event.plugin_sid='" . $tmp[1] . "'";
            } else {
                if ($context == PAGE_STAT_SENSOR) {
                    if (!isset($action_lst[$j])) {
                        $tmp = -1;
                    } else {
                        $tmp = $action_lst[$j];
                    }
                    $sql = "SELECT hex(acid_event.id) as id FROM acid_event WHERE device_id='{$tmp}'";
                    $sql2 = "SELECT count(acid_event.id) FROM acid_event WHERE device_id='{$tmp}'";
                } else {
                    if ($context == PAGE_STAT_CLASS) {
                        $sql = $sql2 = "";
                    } else {
                        if ($context == PAGE_STAT_IPLINK) {
                            $sql = $sql2 = "";
                        } else {
                            if ($context == PAGE_STAT_UADDR) {
                                if (!isset($action_lst[$j])) {
                                    $tmp = " AND ip_src=NULL AND ip_dst=NULL";
                                } else {
                                    $aux = explode("_", $action_lst[$j]);
                                    $tmp = "";
                                    if (preg_match("/\\d+\\.\\d+\\.\\d+\\.\\d+/", $aux[0])) {
                                        $tmp .= " AND ip_src=unhex('" . bin2hex(@inet_pton($aux[0])) . "')";
                                    }
                                    if (preg_match("/\\d+\\.\\d+\\.\\d+\\.\\d+/", $aux[1])) {
                                        $tmp .= " AND ip_dst=unhex('" . bin2hex(@inet_pton($aux[1])) . "')";
                                    }
                                    if (preg_match("/[0-9a-fA-F]+/", $aux[2])) {
                                        $tmp .= " AND ctx=unhex('" . $aux[2] . "')";
                                    }
                                }
                                $sql = "SELECT hex(acid_event.id) as id " . $action_sql . $tmp;
                                $sql2 = "SELECT count(acid_event.id) " . $action_sql . $tmp;
                            } else {
                                if ($context == PAGE_STAT_PORTS) {
                                    if (!isset($action_lst[$j])) {
                                        $tmp = "ip_proto='-1'";
                                    } else {
                                        $tmp = $action_lst[$j];
                                        $tmp_proto = strtok($tmp, "_");
                                        $tmp_porttype = strtok("_");
                                        $tmp_ip = strtok("_");
                                        $ctx = strtok("_");
                                        if ($tmp_proto == TCP) {
                                            $tmp = "ip_proto='" . TCP . "'";
                                        } else {
                                            if ($tmp_proto == UDP) {
                                                $tmp = "ip_proto='" . UDP . "'";
                                            } else {
                                                $tmp = "ip_proto IN (" . TCP . ", " . UDP . ")";
                                            }
                                        }
                                        $tmp_porttype == SOURCE_PORT ? $tmp .= " AND layer4_sport='" . $tmp_ip . "'" : ($tmp .= " AND layer4_dport='" . $tmp_ip . "'");
                                        $tmp .= " AND ctx=unhex('{$ctx}')";
                                    }
                                    $sql = "SELECT hex(acid_event.id) as id FROM acid_event WHERE " . $tmp;
                                    $sql2 = "SELECT count(acid_event.id) FROM acid_event WHERE " . $tmp;
                                }
                            }
                        }
                    }
                }
            }
            /* if acting on alerts by signature or sensor, count the
             * the number of alerts
             */
            if ($context == PAGE_STAT_ALERTS || $context == PAGE_STAT_SENSOR || $context == PAGE_STAT_CLASS || $context == PAGE_STAT_IPLINK || $context == PAGE_STAT_UADDR || $context == PAGE_STAT_PORTS) {
                $result2 = $db->baseExecute($sql2);
                $myrow2 = $result2->baseFetchRow();
                $blob_alert_cnt = $myrow2[0];
                $result2->baseFreeRows();
            }
            //if ($debug_mode > 0) echo "$j = [using SQL $num_alert for blob " . (isset($action_lst[$j]) ? $action_lst[$j] : "") . "]: $sql<BR>";
            /* Execute the SQL to get the alert listing */
            if ($action != "del_alert" || $blob_alert_cnt <= 10000) {
                // only if not is a raw delete
                if ($limit_start == -1) {
                    $result = $db->baseExecute($sql, -1, -1, false);
                } else {
                    $result = $db->baseExecute($sql, $limit_start, $limit_offset, false);
                }
                if ($db->baseErrorMessage() != "") {
                    ErrorMessage("Error retrieving alert list to {$action_desc} " . $db->baseErrorMessage());
                    return -1;
                }
            }
        }
        /* Limit the number of alerts acted on if in "top x alerts" */
        if ($limit_start != -1) {
            $blob_alert_cnt = $limit_offset;
        }
        $interval2 = $blob_alert_cnt > 0 ? 100 / $blob_alert_cnt : 100;
        /* Call background purge if num of alerts is too high */
        if ($action == "del_alert" && $blob_alert_cnt > 10000) {
            fclose($f);
            unlink($deltmp);
            $total_aux = 0;
            // Create table with uuids to delete
            $db->baseExecute("CREATE TABLE IF NOT EXISTS del_{$rnd} ( id binary(16) NOT NULL, PRIMARY KEY ( id ) )");
            if ($using_blobs) {
                $total_aux = $blob_alert_cnt;
                /*for ($i = 0; $i < $blob_alert_cnt; $i++) {
                            $myrow = $result->baseFetchRow();
                            $id = $myrow[0];
                            if ($id != "") {	
                            	$db->baseExecute("INSERT IGNORE INTO del_$rnd VALUES (UNHEX('$id'))");
                				$total_aux++;
                            }
                		}*/
            } elseif (is_array($action_lst)) {
                foreach ($action_lst as $action_lst_element) {
                    GetNewResultID($action_lst_element, $seq, $id);
                    $db->baseExecute("INSERT IGNORE INTO del_{$rnd} VALUES (UNHEX('{$id}'))");
                    $total_aux++;
                }
            }
            if ($total_aux < 1) {
                $total_aux = 1;
            }
            $block = 5000;
            $_SESSION["deletetask"] = $rnd;
            $deltmp = "del_{$rnd}";
            $db_name = $_SESSION["server"][4] != "" ? $_SESSION["server"][4] : "alienvault_siem";
            $f = fopen("/var/tmp/{$deltmp}", "w+");
            fputs($f, "/* ****************Background Purge Execution*************** */\n");
            fputs($f, "USE " . $db_name . ";\n");
            if ($using_blobs) {
                fputs($f, "CREATE TABLE IF NOT EXISTS del_{$rnd} ( id binary(16) NOT NULL, PRIMARY KEY ( id ) );\n");
                fputs($f, "INSERT IGNORE INTO del_{$rnd} " . str_replace("hex(acid_event.id) as id", "acid_event.id", $sql) . ";\n");
            }
            fputs($f, "CREATE TABLE IF NOT EXISTS `deletetmp` (`id` int(11) NOT NULL,`perc` int(11) NOT NULL, PRIMARY KEY (`id`));\n");
            fputs($f, "INSERT INTO deletetmp (id,perc) VALUES ({$rnd},1) ON DUPLICATE KEY UPDATE perc=1;\n");
            fputs($f, "SET AUTOCOMMIT=0;\n");
            for ($j = 0; $j < $total_aux; $j += $block) {
                fputs($f, "DELETE FROM acid_event WHERE id in (select id from {$deltmp}) limit {$block};\n");
                fputs($f, "DELETE FROM idm_data WHERE event_id in (select id from {$deltmp}) limit {$block};\n");
                fputs($f, "DELETE FROM reputation_data WHERE event_id in (select id from {$deltmp}) limit {$block};\n");
                fputs($f, "DELETE FROM extra_data WHERE event_id in (select id from {$deltmp}) limit {$block};\n");
                fputs($f, "DELETE FROM {$deltmp} limit {$block};\n");
                fputs($f, "COMMIT;\n");
                $perc = round(($j + $block) * 100 / $total_aux, 0);
                if ($perc > 99) {
                    $perc = 99;
                }
                fputs($f, "UPDATE deletetmp SET perc={$perc} WHERE id={$rnd};\n");
            }
            fputs($f, "DELETE FROM acid_event WHERE id in (select id from {$deltmp}) limit {$block};\n");
            fputs($f, "DELETE FROM idm_data WHERE event_id in (select id from {$deltmp}) limit {$block};\n");
            fputs($f, "DELETE FROM reputation_data WHERE event_id in (select id from {$deltmp}) limit {$block};\n");
            fputs($f, "DELETE FROM extra_data WHERE event_id in (select id from {$deltmp}) limit {$block};\n");
            fputs($f, "DELETE FROM {$deltmp} limit {$block};\n");
            fputs($f, "UPDATE deletetmp SET perc=100 WHERE id={$rnd};\nCOMMIT;\n");
            fputs($f, "DROP TABLE {$deltmp};\n");
            fputs($f, "COMMIT;\n");
            fclose($f);
            // POST ACTION AND FLUSH MEMCACHE
            shell_exec("/usr/share/ossim/scripts/forensics/bg_purge_from_siem.sh {$deltmp} > /var/tmp/latest_siem_events_purge.log 2>&1 &");
            echo "<script>bgtask();</script>\n";
            return;
        }
        echo "<script>bgtask();</script>\n";
        /* Loop through the specific alerts in a particular blob */
        for ($i = 0; $i < $blob_alert_cnt; $i++) {
            /* Verify that have a selected alert */
            if (isset($action_lst[$i]) || $using_blobs) {
                /* If acting on a blob */
                if ($using_blobs) {
                    $myrow = $result->baseFetchRow();
                    $id = $myrow[0];
                } else {
                    GetNewResultID($action_lst[$i], $seq, $id);
                }
                if ($id != "") {
                    //if ($debug_mode > 0) echo $id . '<BR>';
                    /* **** SOME ACTION on (sid, cid) ********** */
                    $function_op = "Action_" . $action . "_op";
                    $action_ctx =& $action_ctx;
                    if ($action == "del_alert") {
                        $tmp = $function_op($id, $db, $deltmp, $action_cnt, $interval2 < $interval ? $interval2 : $interval, $f);
                    } else {
                        $tmp = $function_op($sid, $cid, $db, $action_arg, $action_ctx);
                    }
                    if ($tmp == 0) {
                        ++$dup_cnt;
                    } else {
                        if ($tmp == 1) {
                            ++$action_cnt;
                        }
                    }
                }
            }
        }
        /* If acting on a blob, free the result set used to get alert list */
        if ($using_blobs) {
            $result->baseFreeRows();
        }
    }
    if ($action == "del_alert") {
        fputs($f, "UPDATE deletetmp SET perc=100 WHERE id={$rnd};\nCOMMIT;\n");
        fclose($f);
    }
    /* **** SOME POST-ACTION ******* */
    $function_post = "Action_" . $action . "_post";
    if ($action == "del_alert") {
        $function_post($action_arg, $action_ctx, $db, $num_alert, $action_cnt, $context, $deltmp);
    } else {
        $function_post($action_arg, $action_ctx, $db, $num_alert, $action_cnt);
    }
    if ($dup_cnt > 0) {
        ErrorMessage(gettext("Ignored ") . $dup_cnt . gettext(" duplicate event(s)"));
    }
    if ($action_cnt > 0) {
        /*
         *  Print different message if alert action units (e.g. sensor
         *  or signature) are not individual alerts
         */
        //if (($context == PAGE_STAT_ALERTS) || ($context == PAGE_STAT_SENSOR) || ($context == PAGE_STAT_CLASS) || ($context == PAGE_STAT_IPLINK) || ($context == PAGE_STAT_UADDR) || ($context == PAGE_STAT_PORTS)) {
        //    if ($action == "del_alert") ErrorMessage(_("Deleting") . " " . $action_cnt . gettext(" event(s)"));
        //    else ErrorMessage(gettext("Successful") . " $action_desc - " . gettext("on") . " $action_cnt " . gettext(" event(s)") . " (" . gettext("in") . " $num_alert_blobs blobs)");
        //} else {
        //    if ($action == "del_alert") ErrorMessage(_("Deleting") . " " . $action_cnt . gettext(" event(s)"));
        //    else ErrorMessage(gettext("Successful") . " $action_desc - " . $action_cnt . gettext(" event(s)"));
        //}
    } else {
        if ($action_cnt == 0) {
            ErrorMessage(gettext("No events were selected or the") . " {$action_desc} " . gettext("was not successful"));
        }
    }
    //error_log("cnt:$action_cnt,dup:$dup_cnt,desc:$action_desc,file:$deltmp\n",3,"/var/tmp/dellog");
    $db->baseCacheFlush();
    // if ($debug_mode > 0) {
    // echo "-------------------------------------<BR>
    // action_cnt = $action_cnt<BR>
    // dup_cnt = $dup_cnt<BR>
    // num_alert = $num_alert<BR>
    // ==== $action_desc Alerts END ========<BR>";
    // }
}