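/**
 * Apply a bulk action (add to alert group, delete, email, archive, ...)
 * to the events selected on one of the listing pages.
 *
 * The action itself is delegated to three dynamically named helpers that
 * must be defined elsewhere in the project:
 *   Action_<action>_Pre($action_arg, $action_param, $db)            -> action context
 *   Action_<action>_op($sid, $cid, $db, ...)                         -> 1 done, 0 duplicate
 *   Action_<action>_post($action_arg, $action_ctx, $db, $num_alert, $action_cnt, ...)
 *
 * On the PAGE_STAT_* pages the selected entries are not events but
 * "blobs" (a signature, sensor, classification, ip link, address or
 * port); each blob is expanded to its (sid, cid) pairs with an extra
 * SELECT built from $action_sql.  On the query/AG pages the entries are
 * events themselves, except when the "Delete Entire Query" operation is
 * chosen, which is treated as a single blob.
 *
 * @param string $action        action key ("del_alert", "ag_by_id", ...); "" is a no-op
 * @param string $action_op     operation qualifier from the form ("Selected" or the
 *                              translated "Delete Entire Query"); only read here
 * @param mixed  $action_arg    forwarded to the pre/op/post helpers
 * @param mixed  $action_param  forwarded to the pre helper
 * @param int    $context       PAGE_* constant of the originating page
 * @param array  $action_lst    selected keys, indexed 0..n-1
 * @param int    $num_alert     number of selected entries; only read and forwarded
 * @param string $action_sql    FROM/WHERE fragment of the listing query
 * @param object $db            DB wrapper providing baseExecute/baseFetchRow/baseFreeRows/baseErrorMessage
 * @param int    $limit_start   -1 for no limit, otherwise the offset of the "top x" window
 * @param int    $limit_offset  row count of the "top x" window (ignored when $limit_start is -1)
 *
 * @return int|null -1 when the event listing query or a temp file failed, null otherwise
 */
function ProcessSelectedAlerts($action, &$action_op, $action_arg, $action_param, $context, $action_lst, &$num_alert, $action_sql, $db, $limit_start = -1, $limit_offset = -1)
{
    global $debug_mode;

    $action_cnt = 0;
    $dup_cnt = 0;

    // Human readable label used in the status messages; unknown actions get "".
    $action_labels = array(
        "ag_by_id"       => gettext("ADD to AG (by ID)"),
        "ag_by_name"     => gettext("ADD to AG (by Name)"),
        "del_alert"      => gettext("Delete event(s)"),
        "email_alert"    => gettext("Email event(s) (full)"),
        "email_alert2"   => gettext("Email event(s) (summary)"),
        "csv_alert"      => gettext("Email event(s) (csv)"),
        "clear_alert"    => gettext("Clear from AG"),
        "archive_alert"  => gettext("Archive event(s) (copy)"),
        "archive_alert2" => gettext("Archive event(s) (move)"),
        "add_new_ag"     => gettext("ADD-New-AG"),
    );
    $action_desc = isset($action_labels[$action]) ? $action_labels[$action] : "";

    if ($action == "") {
        return;
    }

    if ($debug_mode > 0) {
        echo "<BR>==== {$action_desc} Alerts ========<BR>\n num_alert = {$num_alert}<BR>\n action_sql = {$action_sql}<BR>\n action_op = {$action_op}<BR>\n action_arg = {$action_arg}<BR>\n action_param = {$action_param}<BR>\n context = {$context}<BR>\n limit_start = {$limit_start}<BR>\n limit_offset = {$limit_offset}<BR>";
    }

    // Pages whose selected entries are blobs rather than individual events.
    // Loose in_array() on purpose: $context may arrive as a numeric string.
    $stat_contexts = array(PAGE_STAT_ALERTS, PAGE_STAT_SENSOR, PAGE_STAT_CLASS, PAGE_STAT_IPLINK, PAGE_STAT_UADDR, PAGE_STAT_PORTS);
    $is_stat_context = in_array($context, $stat_contexts);

    // Only the query/AG listings select specific events; there "Delete Entire
    // Query" is the one case that still behaves like a single blob.
    if ($context == PAGE_QRY_ALERTS || $context == PAGE_QRY_AG || $context == PAGE_ALERT_DISPLAY) {
        $num_alert_blobs = 1;
        $using_blobs = ($action_op == gettext("Delete Entire Query"));
    } else {
        $num_alert_blobs = $num_alert;
        $using_blobs = true;
    }
    $blob_alert_cnt = $num_alert;

    if ($debug_mode > 0) {
        echo "using_blobs = {$using_blobs}<BR>";
    }

    /* ******* SOME PRE ACTION ********* */
    $function_pre = "Action_" . $action . "_Pre";
    $action_ctx = $function_pre($action_arg, $action_param, $db);

    if ($debug_mode > 0) {
        echo "<BR>Gathering elements from " . count($action_lst) . " alert blobs<BR>";
    }

    // Deletion writes its SQL to a spool file that is either executed by the
    // op/post helpers or handed to background_purge.php for large selections.
    if ($action == "del_alert") {
        $count = count($action_lst);
        // Progress step per processed event; an empty selection must not divide by zero.
        if ($action_op == "Selected") {
            $interval = $count > 0 ? 100 / $count : 100;
        } else {
            $interval = $blob_alert_cnt > 0 ? 100 / $blob_alert_cnt : 100;
        }
        // NOTE(review): rand() gives a guessable file name under the shared
        // /var/tmp; the id is also the row key in `deletetmp` and the session
        // task id, so any change to the scheme has to be mirrored in
        // background_purge.php and the progress UI.
        $rnd = rand(0, 99999);
        $deltmp = "/var/tmp/delsql_{$rnd}";
        $f = fopen($deltmp, "w+");
        if ($f === false) {
            ErrorMessage("Error creating temporary file to {$action_desc}");
            return -1;
        }
        fwrite($f, "CREATE TABLE IF NOT EXISTS `deletetmp` (`id` int(11) NOT NULL,`perc` int(11) NOT NULL, PRIMARY KEY (`id`));\n");
        fwrite($f, "INSERT INTO deletetmp (id,perc) VALUES ({$rnd},1) ON DUPLICATE KEY UPDATE perc=1;\n");
    }

    $function_op = "Action_" . $action . "_op";

    /* Loop through all the alert blobs */
    for ($j = 0; $j < $num_alert_blobs; $j++) {
        if ($using_blobs) {
            // Two statements per blob: $sql lists the (sid, cid) pairs, $sql2 counts them.
            // Numeric keys are cast to int before being spliced into the SQL; the IP
            // address keys below are still interpolated verbatim (escape them via
            // the DB layer if it offers a quoting call).
            $sql = $action_sql;
            $sql2 = "";
            $has_blob = isset($action_lst[$j]);

            if ($context == PAGE_STAT_ALERTS) {
                // Key is "<plugin_id> <plugin_sid>" (whitespace or ';' separated).
                $tmp = $has_blob ? preg_split("/[\\s;]+/", $action_lst[$j]) : array(0, 0);
                $plugin_id = (int) $tmp[0];
                $plugin_sid = isset($tmp[1]) ? (int) $tmp[1] : 0;
                $blob_where = " AND acid_event.plugin_id='" . $plugin_id . "' AND acid_event.plugin_sid='" . $plugin_sid . "'";
                $sql = "SELECT acid_event.sid, acid_event.cid " . $action_sql . $blob_where;
                $sql2 = "SELECT count(acid_event.sid) " . $action_sql . $blob_where;
            } elseif ($context == PAGE_STAT_SENSOR) {
                $sensor_id = $has_blob ? (int) $action_lst[$j] : -1;
                $sql = "SELECT sid, cid FROM acid_event WHERE sid='" . $sensor_id . "'";
                $sql2 = "SELECT count(sid) FROM acid_event WHERE sid='" . $sensor_id . "'";
            } elseif ($context == PAGE_STAT_CLASS) {
                $class_id = $has_blob ? (int) $action_lst[$j] : -1;
                $blob_where = " AND sig_class_id='" . $class_id . "'";
                $sql = "SELECT acid_event.sid, acid_event.cid " . $action_sql . $blob_where;
                $sql2 = "SELECT count(acid_event.sid) " . $action_sql . $blob_where;
            } elseif ($context == PAGE_STAT_IPLINK) {
                // Key is "<src ip>_<dst ip>_<proto>".
                if ($has_blob) {
                    $tmp_sip = strtok($action_lst[$j], "_");
                    $tmp_dip = strtok("_");
                    $tmp_proto = (int) strtok("_");
                    $blob_where = " AND ip_src='" . $tmp_sip . "' AND ip_dst='" . $tmp_dip . "' AND ip_proto='" . $tmp_proto . "'";
                } else {
                    $blob_where = " AND ip_src='-1'";
                }
                $sql = "SELECT acid_event.sid, acid_event.cid " . $action_sql . $blob_where;
                $sql2 = "SELECT count(acid_event.sid) " . $action_sql . $blob_where;
            } elseif ($context == PAGE_STAT_UADDR) {
                // Key is "<ip>_" for a source address and "_<ip>" for a destination
                // address.  Decided per blob: a leftover source address from the
                // previous iteration must not leak into a destination-only key.
                $addr_where = "ip_src='-1'";
                if ($has_blob && $action_lst[$j] !== "") {
                    $tmp = $action_lst[$j];
                    if ($tmp[0] != "_") {
                        $addr_where = "ip_src='" . substr($tmp, 0, strlen($tmp) - 1) . "'";
                    } else {
                        $addr_where = "ip_dst='" . substr($tmp, 1, strlen($tmp) - 1) . "'";
                    }
                }
                $sql = "SELECT acid_event.sid, acid_event.cid " . $action_sql . " AND " . $addr_where;
                $sql2 = "SELECT count(acid_event.sid) " . $action_sql . " AND " . $addr_where;
            } elseif ($context == PAGE_STAT_PORTS) {
                // Key is "<proto>_<port type>_<port>".
                $port_where = "ip_proto='-1'";
                if ($has_blob) {
                    $tmp_proto = strtok($action_lst[$j], "_");
                    $tmp_porttype = strtok("_");
                    $tmp_port = (int) strtok("_");
                    // The protocol token of the key decides the filter (the previous
                    // code compared an undefined variable and always fell through to
                    // the TCP/UDP union).
                    if ($tmp_proto == TCP) {
                        $port_where = "ip_proto='" . TCP . "'";
                    } elseif ($tmp_proto == UDP) {
                        $port_where = "ip_proto='" . UDP . "'";
                    } else {
                        $port_where = "ip_proto IN (" . TCP . ", " . UDP . ")";
                    }
                    $port_col = ($tmp_porttype == SOURCE_PORT) ? "layer4_sport" : "layer4_dport";
                    $port_where .= " AND " . $port_col . "='" . $tmp_port . "'";
                }
                $sql = "SELECT acid_event.sid, acid_event.cid FROM acid_event WHERE " . $port_where;
                $sql2 = "SELECT count(acid_event.sid) FROM acid_event WHERE " . $port_where;
            }

            // Blob pages: the number of events to act on is the size of the blob.
            if ($is_stat_context) {
                $result2 = $db->baseExecute($sql2);
                $myrow2 = $result2->baseFetchRow();
                $blob_alert_cnt = $myrow2[0];
                $result2->baseFreeRows();
            }

            if ($debug_mode > 0) {
                echo "{$j} = [using SQL {$num_alert} for blob " . ($has_blob ? $action_lst[$j] : "") . "]: {$sql}<BR>";
            }

            /* Execute the SQL to get the alert listing */
            if ($limit_start == -1) {
                $result = $db->baseExecute($sql, -1, -1, false);
            } else {
                $result = $db->baseExecute($sql, $limit_start, $limit_offset, false);
            }
            if ($db->baseErrorMessage() != "") {
                ErrorMessage("Error retrieving alert list to {$action_desc}");
                if ($debug_mode > 0) {
                    ErrorMessage($db->baseErrorMessage());
                }
                // Do not leave the deletion spool file behind on the error path.
                if ($action == "del_alert") {
                    fclose($f);
                    unlink($deltmp);
                }
                return -1;
            }
        }

        /* Limit the number of alerts acted on if in "top x alerts" */
        if ($limit_start != -1) {
            $blob_alert_cnt = $limit_offset;
        }
        $interval2 = $blob_alert_cnt > 0 ? 100 / $blob_alert_cnt : 100;

        // Large deletions are spooled to a list file and handed to a detached
        // background process so the request does not time out.
        if ($action == "del_alert" && $blob_alert_cnt > 10000) {
            fclose($f);
            unlink($deltmp);
            $listtmp = "/var/tmp/siem_action_list_{$rnd}.data";
            $flist = fopen($listtmp, "w+");
            if ($flist === false) {
                ErrorMessage("Error creating temporary file to {$action_desc}");
                return -1;
            }
            $total_aux = 0;
            if ($using_blobs) {
                for ($i = 0; $i < $blob_alert_cnt; $i++) {
                    $myrow = $result->baseFetchRow();
                    $sid = is_array($myrow) ? $myrow[0] : "";
                    $cid = is_array($myrow) ? $myrow[1] : "";
                    if ($sid != "") {
                        fwrite($flist, "{$sid}-{$cid}\n");
                        $total_aux++;
                    }
                }
            } else {
                foreach ($action_lst as $action_lst_element) {
                    GetQueryResultID($action_lst_element, $seq, $sid, $cid);
                    fwrite($flist, "{$sid}-{$cid}\n");
                    $total_aux++;
                }
            }
            fclose($flist);
            if ($total_aux < 1) {
                $total_aux = 1;
            }
            $interval_param = 100 / $total_aux;
            $_SESSION["deletetask"] = $rnd;
            // Every interpolated value is numeric ($rnd-derived paths, a float and an
            // int cast) so nothing request-controlled reaches the shell unquoted.
            shell_exec("nohup /usr/bin/php /usr/share/ossim/www/forensics/scripts/background_purge.php '{$deltmp}' '{$listtmp}' {$interval_param} " . (int) $num_alert . " > /var/tmp/latest_siem_events_purge.log 2>&1 &");
            echo "<script>bgtask();</script>\n";
            return;
        }

        /* Loop through the specific alerts in a particular blob */
        for ($i = 0; $i < $blob_alert_cnt; $i++) {
            /* Verify that have a selected alert */
            if (!$using_blobs && !isset($action_lst[$i])) {
                continue;
            }
            if ($using_blobs) {
                $myrow = $result->baseFetchRow();
                $sid = is_array($myrow) ? $myrow[0] : "";
                $cid = is_array($myrow) ? $myrow[1] : "";
            } else {
                GetQueryResultID($action_lst[$i], $seq, $sid, $cid);
            }
            if ($sid == "") {
                continue;
            }
            if ($debug_mode > 0) {
                echo $sid . ' - ' . $cid . '<BR>';
            }

            /* **** SOME ACTION on (sid, cid) ********** */
            if ($action == "del_alert") {
                $step = $interval2 < $interval ? $interval2 : $interval;
                $tmp = $function_op($sid, $cid, $db, $deltmp, $action_cnt, $step, $f);
            } else {
                $tmp = $function_op($sid, $cid, $db, $action_arg, $action_ctx);
            }
            // Loose compare kept on purpose: helpers may return null or "0"/"1".
            if ($tmp == 0) {
                ++$dup_cnt;
            } elseif ($tmp == 1) {
                ++$action_cnt;
            }
        }

        /* If acting on a blob, free the result set used to get alert list */
        if ($using_blobs) {
            $result->baseFreeRows();
        }
    }

    if ($action == "del_alert") {
        fwrite($f, "UPDATE deletetmp SET perc=100 WHERE id={$rnd};\n");
        fclose($f);
    }

    /* **** SOME POST-ACTION ******* */
    $function_post = "Action_" . $action . "_post";
    if ($action == "del_alert") {
        $function_post($action_arg, $action_ctx, $db, $num_alert, $action_cnt, $context, $deltmp);
    } else {
        $function_post($action_arg, $action_ctx, $db, $num_alert, $action_cnt);
    }

    if ($dup_cnt > 0) {
        ErrorMessage(gettext("Ignored ") . $dup_cnt . gettext(" duplicate event(s)"));
    }

    if ($action_cnt > 0) {
        // Blob pages report the number of blobs as well as the number of events.
        if ($action == "del_alert") {
            ErrorMessage(_("Deleting") . " " . $action_cnt . gettext(" event(s)"));
        } elseif ($is_stat_context) {
            ErrorMessage(gettext("Successful") . " {$action_desc} - " . gettext("on") . " {$action_cnt} " . gettext(" event(s)") . " (" . gettext("in") . " {$num_alert_blobs} blobs)");
        } else {
            ErrorMessage(gettext("Successful") . " {$action_desc} - " . $action_cnt . gettext(" event(s)"));
        }
    } elseif ($action_cnt == 0) {
        ErrorMessage(gettext("No events were selected or the") . " {$action_desc} " . gettext("was not successful"));
    }

    if ($debug_mode > 0) {
        echo "-------------------------------------<BR>\n action_cnt = {$action_cnt}<BR>\n dup_cnt = {$dup_cnt}<BR>\n num_alert = {$num_alert}<BR> \n ==== {$action_desc} Alerts END ========<BR>";
    }
}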
$sort_sql[1] = " ORDER BY ossim_reliability ASC,timestamp DESC"; } elseif ($sort_order == "oreli_d") { $sort_sql[1] = " ORDER BY ossim_reliability DESC,timestamp DESC"; } elseif ($sort_order == "proto_a") { $sort_sql[1] = " ORDER BY ip_proto ASC,timestamp DESC"; $where = preg_replace("/1 AND \\( timestamp/", "ip_proto > 0 AND ( timestamp", $where); } elseif ($sort_order == "proto_d") { $sort_sql[1] = " ORDER BY ip_proto DESC,timestamp DESC"; $where = preg_replace("/1 AND \\( timestamp/", "ip_proto > 0 AND ( timestamp", $where); } $save_sql = "SELECT acid_event.sid, acid_event.cid" . $sort_sql[0] . $from . $where . $sort_sql[1]; //print_r($save_sql); if ($event_cache_auto_update == 1) { UpdateAlertCache($db); } GetQueryResultID($submit, $seq, $sid, $cid); if ($debug_mode > 0) { echo "\n====== Alert Lookup =======<BR>\n submit = {$submit}<br>\n\t\t sid = {$sid}<BR>\n cid = {$cid}<BR>\n seq = {$seq}<BR>\n" . "===========================<BR>\n"; } /* Verify that have extracted (sid, cid) correctly */ if (!($sid > 0 && $cid > 0)) { ErrorMessage(gettext("Invalid (sid,cid) pair") . " (" . $sid . "," . $cid . ")"); exit; } $tmp_sql = $sort_sql[1]; echo "<!-- END HEADER TABLE -->\n\t\t </div> </TD>\n </TR>\n </TABLE>"; echo "<FORM METHOD=\"GET\" ACTION=\"base_qry_alert.php\">\n"; // Normal view if (!array_key_exists("minimal_view", $_GET)) { PrintPacketLookupBrowseButtons2($seq, $tmp_sql, $sort_sql[0] . $from . $where, $db, $previous, $next); echo "<CENTER>\n<B>" . gettext("Event") . " #" . $seq . "</B><BR>\n{$previous}    \n{$next}\n</CENTER>\n";