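function ExportPacket($sid, $cid, $db)
{
    /*
     * Render one captured packet (event $sid/$cid) as a plain-text dump:
     * signature line, IP header (+ options), the layer-4 header selected by
     * ip_proto (TCP/UDP/ICMP), and the payload. Returns the text; the caller
     * is responsible for emitting it.
     *
     * Security: every query below interpolates $sid/$cid into SQL. Both are
     * integer keys in the BASE schema (the existing sensor lookup already
     * used sid unquoted), so they are coerced to int once, up front. The
     * caller is not visible here -- if these come from request parameters
     * the cast is what keeps the queries injection-safe.
     */
    $sid = (int) $sid;
    $cid = (int) $cid;

    /* Event: signature id + timestamp */
    $result2 = $db->baseExecute("SELECT signature, timestamp FROM acid_event WHERE sid='" . $sid . "' AND cid='" . $cid . "'");
    $myrow2 = $result2->baseFetchRow();
    $s = "------------------------------------------------------------------------------\n";
    $s .= "#({$sid} - {$cid}) [{$myrow2[1]}] " . BuildSigByID($myrow2[0], $sid, $cid, $db, 2) . "\r\n";
    $result2->baseFreeRows();
    /* The original also selected hostname/interface/filter from sensor here
     * but never used the row; that dead round-trip has been dropped. */

    /* IP header */
    $result2 = $db->baseExecute("SELECT ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_csum, ip_proto FROM iphdr  WHERE sid='" . $sid . "' AND cid='" . $cid . "'");
    $myrow2 = $result2->baseFetchRow();
    /* No iphdr row -> no layer-4 section either (avoids indexing a false row). */
    $layer4_proto = $myrow2 ? $myrow2[11] : null;
    if ($myrow2 && $myrow2[0] != "") {
        /* opt_proto 0 = IP options */
        $result3 = $db->baseExecute("SELECT * FROM opt  WHERE sid='" . $sid . "' AND cid='" . $cid . "' AND opt_proto='0'");
        $num_opt = $result3->baseRecordCount();
        $s .= "IPv{$myrow2[2]}: " . baseLong2IP($myrow2[0]) . " -> " . baseLong2IP($myrow2[1]) . "\n"
            . "      hlen={$myrow2[3]} TOS={$myrow2[4]} dlen={$myrow2[5]} ID={$myrow2[6]}"
            . " flags={$myrow2[7]} offset={$myrow2[8]} TTL={$myrow2[9]} chksum={$myrow2[10]}\n";
        if ($num_opt > 0) {
            $s .= "    Options\n";
            for ($i = 0; $i < $num_opt; $i++) {
                $myrow3 = $result3->baseFetchRow();
                $s .= "      #" . ($i + 1) . " - " . IPOption2str($myrow3[4]) . " len={$myrow3[5]}";
                if ($myrow3[5] != 0) {
                    $s .= " data={$myrow3[6]}";
                }
                $s .= "\n";
            }
        }
        $result3->baseFreeRows();
    }
    $result2->baseFreeRows();

    /* TCP (ip_proto 6) */
    if ($layer4_proto == "6") {
        $result2 = $db->baseExecute("SELECT tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,        tcp_csum, tcp_urp FROM tcphdr  WHERE sid='" . $sid . "' AND cid='" . $cid . "'");
        $myrow2 = $result2->baseFetchRow();
        /* opt_proto 6 = TCP options */
        $result3 = $db->baseExecute("SELECT * FROM opt  WHERE sid='" . $sid . "' AND cid='" . $cid . "' AND opt_proto='6'");
        $num_opt = $result3->baseRecordCount();
        $s .= "TCP:  port={$myrow2[0]} -> dport: {$myrow2[1]}  flags=";
        /* Flag string, most significant bit first: CWR ECE URG ACK PSH RST SYN FIN,
         * printed as 2 1 U A P R S F, '*' for a clear bit. Same order and
         * characters as the original if-chain. */
        $flagChars = [128 => '2', 64 => '1', 32 => 'U', 16 => 'A', 8 => 'P', 4 => 'R', 2 => 'S', 1 => 'F'];
        foreach ($flagChars as $bit => $ch) {
            $s .= (($myrow2[6] & $bit) != 0) ? $ch : '*';
        }
        $s .= " seq={$myrow2[2]}\n"
            . "      ack={$myrow2[3]} off={$myrow2[4]} res={$myrow2[5]} win={$myrow2[7]} urp={$myrow2[9]} "
            . "chksum={$myrow2[8]}\n";
        if ($num_opt != 0) {
            $s .= "      Options:\n";
            for ($i = 0; $i < $num_opt; $i++) {
                $myrow3 = $result3->baseFetchRow();
                $s .= "       #" . ($i + 1) . " - " . TCPOption2str($myrow3[4]) . " len={$myrow3[5]}";
                if ($myrow3[5] != 0) {
                    $s .= " data=" . $myrow3[6];
                }
                $s .= "\n";
            }
        }
        $result2->baseFreeRows();
        $result3->baseFreeRows();
    }

    /* UDP (ip_proto 17) -- column positions 2..4 of udphdr are sport/dport/len */
    if ($layer4_proto == "17") {
        $result2 = $db->baseExecute("SELECT * FROM udphdr  WHERE sid='" . $sid . "' AND cid='" . $cid . "'");
        $myrow2 = $result2->baseFetchRow();
        $s .= "UDP:  port={$myrow2[2]} -> dport: {$myrow2[3]} len={$myrow2[4]}\n";
        $result2->baseFreeRows();
    }

    /* ICMP (ip_proto 1) */
    if ($layer4_proto == "1") {
        $result2 = $db->baseExecute("SELECT icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq FROM icmphdr WHERE sid='" . $sid . "' AND cid='" . $cid . "'");
        $myrow2 = $result2->baseFetchRow();
        $s .= "ICMP: type=" . ICMPType2str($myrow2[0]) . " code=" . ICMPCode2str($myrow2[0], $myrow2[1]) . "\n"
            . "      checksum={$myrow2[2]} id={$myrow2[3]} seq={$myrow2[4]}\n";
        $result2->baseFreeRows();
    }

    /* Payload, rendered according to the sensor's encoding; when absent the
     * sensor's detail level explains why (0 = fast logging, payload dropped). */
    $result2 = $db->baseExecute("SELECT data_payload FROM data WHERE sid='" . $sid . "' AND cid='" . $cid . "'");
    $result3 = $db->baseExecute("SELECT encoding, detail FROM sensor WHERE sid='" . $sid . "'");
    $myrow3 = $result3->baseFetchRow();
    $s .= "Payload: ";
    $myrow2 = $result2->baseFetchRow();
    if ($myrow2) {
        $s .= PrintPacketPayload($myrow2[0], $myrow3[0], 2) . "\n";
    } elseif ($myrow3[1] == "0") {
        $s .= "Fast logging used so payload was discarded\n";
    } else {
        $s .= "none\n";
    }
    /* Fix: the original only freed $result3 on the payload branch. */
    $result3->baseFreeRows();
    $result2->baseFreeRows();
    return $s;
}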
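 /* Options sub-table of the packet display: one row per record in $result3
  * ($num_opt rows). Every cell carrying a DB value is passed through
  * htmlspecialchars(): the option-data column was the one field emitted raw,
  * which is an XSS sink if the captured packet's bytes end up there as text.
  * ($plugin_id, $snort_ids, $num_opt, $myrow2, $result3 are set earlier in
  * the page; $layer4_proto is assigned here for the sections that follow.) */
 echo '  <TR>';
 echo '      <TD>';
 echo '         <TABLE BORDER=0 CELLPADDING=4>';
 $showOptionsHeader = in_array($plugin_id, $snort_ids);
 if ($showOptionsHeader) {
     /* header cell spans the option rows (+1 for the column header row) */
     echo '           <TR><TD CLASS="header2" ALIGN=CENTER ROWSPAN=' . ($num_opt != 0 ? $num_opt + 1 : 1) . '>' . gettext("Options") . '</TD>';
 }
 $layer4_proto = $myrow2[11];
 if ($num_opt > 0) {
     echo '            <TD></TD>
                    <TD class="header">' . gettext("code") . '</TD>
                    <TD class="header">' . gettext("length") . '</TD>
                    <TD class="header" ALIGN=CENTER>' . gettext("data") . '</TD>';
     for ($i = 0; $i < $num_opt; $i++) {
         $myrow3 = $result3->baseFetchRow();
         echo '    <TR><TD>#' . ($i + 1) . '</TD>';
         echo '        <TD class="plfield">' . IPOption2str($myrow3[4]) . '</TD>';
         echo '        <TD class="plfield">' . htmlspecialchars($myrow3[5]) . '</TD>';
         echo '        <TD class="plfield">';
         /* Fix: option data was echoed unescaped while length was escaped. */
         echo ($myrow3[6] != "") ? htmlspecialchars($myrow3[6]) : '&nbsp;';
         echo '</TD></TR>';
     }
 } elseif ($showOptionsHeader) {
     /* Fix: the entity references were missing their ';' terminators. */
     echo '             <TD class="plfield"> &nbsp;&nbsp;&nbsp; <I>' . gettext("none") . ' </I></TD></TR>';
 }
 echo '         </TABLE></TD></TR>';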