    require_once '../repository/repository_view.php';
}
/* PAYLOAD */
/* Section heading: snort events show a payload, everything else a raw log line. */
$section_title = $is_snort ? _("Payload") : _("Raw Log");
echo '<div class="siem_detail_table">
              <div class="siem_detail_section">' . $section_title;
if ($is_snort) {
    /* the shellcode-analysis link is only offered for snort (payload-bearing) events */
    echo showShellcodeAnalysisLink($eid, $plugin_sid_name);
}
echo '</div>';
echo '       <div class="siem_detail_content siem_border">';
if ($payload) {
    /* print the packet based on encoding type */
    PrintPacketPayload($payload, $encoding, 1, $plugin_id == $otx_plugin_id ? true : false);
    if ($layer4_proto == "1") {
        if ($ICMPitype == "4" && $ICMPicode == "0" || $ICMPitype == "5" || $ICMPitype == "12" && $ICMPicode == "0" || ($ICMPitype == "3" || $ICMPitype == "11") && $ICMPicode == "0" || $ICMPicode == "1" || $ICMPicode == "3" || $ICMPicode == "4" || $ICMPicode == "9" || $ICMPicode == "13") {
            /* 0 == hex, 1 == base64, 2 == ascii; cf. snort-2.4.4/src/plugbase.h */
            if ($encoding == 1) {
                /* encoding is base64 */
                $work = bin2hex(base64_decode(str_replace("\n", "", Util::htmlentities($payload))));
            } else {
                /* assuming that encoding is hex */
                $work = str_replace("\n", "", Util::htmlentities($payload));
            }
            /*
             *  - depending on how the packet logged, 32-bits of NULL padding after
             *    the checksum may still be present.
             */
            if (substr($work, 0, 8) == "00000000") {
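/**
 * Render the header-option rows (table `opt`) of one event as indented text.
 *
 * Returns '' when the event has no options for that protocol. The result
 * set is freed before returning.
 *
 * @param object $db        database handle exposing baseExecute()
 * @param string $where     "sid='..' AND cid='..'" clause built from int-coerced ids
 * @param string $opt_proto opt.opt_proto value: '0' for IP options, '6' for TCP options
 * @param string $heading   line emitted once before the first option
 * @param string $prefix    text placed before the 1-based option number on each line
 * @param string $opt2str   name of the function mapping an option code to its label
 *
 * @return string
 */
function ExportPacketOptions($db, $where, $opt_proto, $heading, $prefix, $opt2str)
{
    $result = $db->baseExecute("SELECT * FROM opt WHERE " . $where . " AND opt_proto='" . $opt_proto . "'");
    $count = $result->baseRecordCount();
    $out = '';
    if ($count > 0) {
        $out = $heading;
        for ($i = 0; $i < $count; $i++) {
            $row = $result->baseFetchRow();
            /* positional columns from SELECT *: [4] code, [5] length, [6] data - confirm against the opt table layout */
            $out .= $prefix . ($i + 1) . " - " . $opt2str($row[4]) . " len={$row[5]}";
            if ($row[5] != 0) {
                $out .= " data=" . $row[6];
            }
            $out .= "\n";
        }
    }
    $result->baseFreeRows();
    return $out;
}

/**
 * Build a plain-text dump of one event for export: signature header,
 * IP header (+options), the layer-4 header (TCP with flags/options,
 * UDP, or ICMP) and finally the payload.
 *
 * @param int|string $sid sensor id of the event (acid_event.sid)
 * @param int|string $cid event id within that sensor (acid_event.cid)
 * @param object     $db  database handle exposing baseExecute()
 *
 * @return string the multi-line text block
 */
function ExportPacket($sid, $cid, $db)
{
    /*
     * Both ids are interpolated into literal SQL below (baseExecute takes a
     * finished query string), so pin them to integers first: they are only
     * ever used as numeric event keys here, and a non-numeric id collapses
     * to 0 instead of reaching the query text.
     * NOTE(review): callers presumably pass these straight from request
     * parameters - confirm; the coercion is a no-op for integer ids.
     */
    $sid = (int) $sid;
    $cid = (int) $cid;
    $where = "sid='" . $sid . "' AND cid='" . $cid . "'";

    $s = "------------------------------------------------------------------------------\n";

    /* Event: [0] signature, [1] timestamp */
    $result2 = $db->baseExecute("SELECT signature, timestamp FROM acid_event WHERE " . $where);
    $myrow2 = $result2->baseFetchRow();
    $s .= "#({$sid} - {$cid}) [{$myrow2[1]}] " . BuildSigByID($myrow2[0], $sid, $cid, $db, 2) . "\r\n";
    $result2->baseFreeRows();

    /* IP: columns follow the select list; [11] (ip_proto) chooses the layer-4 section below */
    $result2 = $db->baseExecute("SELECT ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_csum, ip_proto FROM iphdr WHERE " . $where);
    $myrow2 = $result2->baseFetchRow();
    $layer4_proto = $myrow2[11];
    if ($myrow2[0] != "") {
        $s .= "IPv{$myrow2[2]}: " . baseLong2IP($myrow2[0]) . " -> " . baseLong2IP($myrow2[1]) . "\n"
            . "      hlen={$myrow2[3]} TOS={$myrow2[4]} dlen={$myrow2[5]} ID={$myrow2[6]}"
            . " flags={$myrow2[7]} offset={$myrow2[8]} TTL={$myrow2[9]} chksum={$myrow2[10]}\n";
        $s .= ExportPacketOptions($db, $where, '0', "    Options\n", "      #", 'IPOption2str');
    }
    $result2->baseFreeRows();

    /* TCP */
    if ($layer4_proto == "6") {
        $result2 = $db->baseExecute("SELECT tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp FROM tcphdr WHERE " . $where);
        $myrow2 = $result2->baseFetchRow();
        $s .= "TCP:  port={$myrow2[0]} -> dport: {$myrow2[1]}  flags=";
        /* one character per flag bit of tcp_flags ([6]), high bit first; '*' marks a clear bit */
        $flag_chars = array(128 => '2', 64 => '1', 32 => 'U', 16 => 'A', 8 => 'P', 4 => 'R', 2 => 'S', 1 => 'F');
        $tcp_flags = (int) $myrow2[6];
        foreach ($flag_chars as $bit => $ch) {
            $s .= (($tcp_flags & $bit) != 0) ? $ch : '*';
        }
        $s .= " seq={$myrow2[2]}\n"
            . "      ack={$myrow2[3]} off={$myrow2[4]} res={$myrow2[5]} win={$myrow2[7]} urp={$myrow2[9]} chksum={$myrow2[8]}\n";
        $s .= ExportPacketOptions($db, $where, '6', "      Options:\n", "       #", 'TCPOption2str');
        $result2->baseFreeRows();
    }

    /* UDP: SELECT * kept because the columns are read by position ([2] sport, [3] dport, [4] len) */
    if ($layer4_proto == "17") {
        $result2 = $db->baseExecute("SELECT * FROM udphdr WHERE " . $where);
        $myrow2 = $result2->baseFetchRow();
        $s .= "UDP:  port={$myrow2[2]} -> dport: {$myrow2[3]} len={$myrow2[4]}\n";
        $result2->baseFreeRows();
    }

    /* ICMP: [0] type, [1] code, [2] csum, [3] id, [4] seq */
    if ($layer4_proto == "1") {
        $result2 = $db->baseExecute("SELECT icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq FROM icmphdr WHERE " . $where);
        $myrow2 = $result2->baseFetchRow();
        $s .= "ICMP: type=" . ICMPType2str($myrow2[0]) . " code=" . ICMPCode2str($myrow2[0], $myrow2[1]) . "\n"
            . "      checksum={$myrow2[2]} id={$myrow2[3]} seq={$myrow2[4]}\n";
        $result2->baseFreeRows();
    }

    /* Payload */
    $result2 = $db->baseExecute("SELECT data_payload FROM data WHERE " . $where);
    /* encoding ([0]) and detail level ([1]) of the sensor that logged the event */
    $result3 = $db->baseExecute("SELECT encoding, detail FROM sensor WHERE sid='" . $sid . "'");
    $myrow3 = $result3->baseFetchRow();
    $s .= "Payload: ";
    $myrow2 = $result2->baseFetchRow();
    if ($myrow2) {
        /* print the packet based on encoding type */
        $s .= PrintPacketPayload($myrow2[0], $myrow3[0], 2) . "\n";
    } elseif ($myrow3[1] == "0") {
        /* no payload row and detail level 0: the sensor used fast logging */
        $s .= "Fast logging used so payload was discarded\n";
    } else {
        $s .= "none\n";
    }
    /* the sensor result set was previously left unfreed on the no-payload path */
    $result3->baseFreeRows();
    $result2->baseFreeRows();
    return $s;
}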
    echo '<br><div class="siem_detail_table">
              <div class="siem_detail_section">' . _("Payload") . '
              ';
    //echo ("<br>" . PrintCleanURL());
    //echo ("<br>" . PrintBinDownload($db, $eid));
    echo showShellcodeAnalysisLink($eid, $plugin_sid_name);
    echo "</div>";
} else {
    echo '<br><div class="siem_detail_table">
              <div class="siem_detail_section">' . _("Raw Log") . '</div>';
    echo "<style type='text/css'>\n    pre.nowrapspace { white-space: -moz-pre-wrap !important; white-space: -pre-wrap;white-space: -o-pre-wrap;white-space: pre-wrap;white-space: normal; min-height:20px; }\n    </style>\n";
}
/* opens the content container for the payload / raw-log dump that follows */
print '       <div class="siem_detail_content">';
if ($payload) {
    /* print the packet based on encoding type */
    PrintPacketPayload($payload, $encoding, 1);
    if ($layer4_proto == "1") {
        if ($ICMPitype == "4" && $ICMPicode == "0" || $ICMPitype == "5" || $ICMPitype == "12" && $ICMPicode == "0" || ($ICMPitype == "3" || $ICMPitype == "11") && $ICMPicode == "0" || $ICMPicode == "1" || $ICMPicode == "3" || $ICMPicode == "4" || $ICMPicode == "9" || $ICMPicode == "13") {
            /* 0 == hex, 1 == base64, 2 == ascii; cf. snort-2.4.4/src/plugbase.h */
            if ($encoding == 1) {
                /* encoding is base64 */
                $work = bin2hex(base64_decode(str_replace("\n", "", $payload)));
            } else {
                /* assuming that encoding is hex */
                $work = str_replace("\n", "", $payload);
            }
            /*
             *  - depending on how the packet logged, 32-bits of NULL padding after
             *    the checksum may still be present.
             */
            if (substr($work, 0, 8) == "00000000") {