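/**
 * Fill the Whois cache for every source and destination address in
 * acid_event that has no ipc_whois entry in acid_ip_cache yet.
 *
 * Both queries are fixed strings with no external input, so building them
 * by concatenation is safe here. The actual lookup and cache write happen
 * inside baseGetWhois().
 *
 * @param object $db database handle exposing baseExecute()/baseFetchRow()/baseFreeRows()
 */
function UpdateWhoisCache($db)
{
    global $whois_cache_lifetime;

    // Source and destination addresses are processed identically; the only
    // difference is which acid_event column is joined against the cache.
    $columns = array("ip_src", "ip_dst");
    $cnt = 0;
    foreach ($columns as $column) {
        $ip_result = $db->baseExecute(
            "SELECT DISTINCT " . $column . " FROM acid_event "
            . "LEFT JOIN acid_ip_cache ON ipc_ip = " . $column . " "
            . "WHERE ipc_whois IS NULL"
        );
        while (($row = $ip_result->baseFetchRow()) != NULL) {
            // baseGetWhois() caches its answer for $whois_cache_lifetime seconds.
            baseGetWhois(baseLong2IP($row[0]), $db, $whois_cache_lifetime);
            ++$cnt;
        }
        $ip_result->baseFreeRows();
    }
    // $cnt counts addresses looked up; the message wording is kept as-is.
    ErrorMessage(gettext("Added ") . $cnt . gettext(" hostnames to the Whois cache"));
}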
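/**
 * Render one event as a single export line.
 *
 * @param int|string $sid         sensor id of the event
 * @param int|string $cid         event id within that sensor
 * @param object     $db          database handle (baseExecute/baseFetchRow/baseFreeRows)
 * @param int        $export_type 0 = "#sid-cid| [ts] src:port -> dst:port sig",
 *                                anything else = a double-quoted CSV row of the same fields
 * @return string the formatted line, terminated by "\r\n"
 */
function ExportPacket_summary($sid, $cid, $db, $export_type = 0)
{
    global $action, $action_arg;

    // sid and cid are printed with %d below, i.e. they are integers by contract.
    // Casting them here as well means the WHERE clauses built by concatenation
    // can only ever contain digits, whatever the caller passes in.
    $sid = (int) $sid;
    $cid = (int) $cid;
    $event_where = " WHERE sid='" . $sid . "' AND cid='" . $cid . "'";

    /* Event */
    $result2 = $db->baseExecute("SELECT signature, timestamp FROM acid_event" . $event_where);
    $myrow2 = $result2->baseFetchRow();
    $alert_timestamp = $myrow2[1];
    $alert_sig = BuildSigByID($myrow2[0], $sid, $cid, $db, 2);
    $result2->baseFreeRows();

    /* IP */
    $src_ip = $dst_ip = $src_port = $dst_port = "";
    $layer4_proto = "";
    $result2 = $db->baseExecute("SELECT ip_src, ip_dst, ip_proto FROM iphdr " . $event_where);
    $myrow2 = $result2->baseFetchRow();
    if ($myrow2[0] != "") {
        $src_ip = baseLong2IP($myrow2[0]);
        $dst_ip = baseLong2IP($myrow2[1]);
        $layer4_proto = $myrow2[2];
    }
    $result2->baseFreeRows();

    /* TCP / UDP: fetch the port pair; it is formatted once, below */
    $ports = NULL;
    if ($layer4_proto == "6") {
        $result2 = $db->baseExecute("SELECT tcp_sport, tcp_dport FROM tcphdr " . $event_where);
        $myrow2 = $result2->baseFetchRow();
        $ports = array($myrow2[0], $myrow2[1]);
        $result2->baseFreeRows();
    } elseif ($layer4_proto == "17") {
        // Named columns instead of SELECT * so the port pair no longer depends
        // on the physical column order of udphdr.
        $result2 = $db->baseExecute("SELECT udp_sport, udp_dport FROM udphdr " . $event_where);
        $myrow2 = $result2->baseFetchRow();
        $ports = array($myrow2[0], $myrow2[1]);
        $result2->baseFreeRows();
    }
    if ($ports !== NULL) {
        if ($export_type == 0) {
            $src_port = ":" . $ports[0] . " -> ";
            $dst_port = ":" . $ports[1];
        } else {
            $src_port = $ports[0];
            $dst_port = $ports[1];
        }
    }

    /* ICMP and portscan traffic carry no ports; the arrow moves onto the address */
    if ($layer4_proto == "1" || $layer4_proto == "255") {
        if ($export_type == 0) {
            $src_ip = $src_ip . " -> ";
        }
        $src_port = $dst_port = "";
    }

    if ($export_type == 0) {
        $s = sprintf("#%d-%d| [%s] %s%s%s%s %s\r\n", $sid, $cid, $alert_timestamp, $src_ip, $src_port, $dst_ip, $dst_port, $alert_sig);
    } else {
        // Fields are wrapped in double quotes but not escaped; a signature that
        // itself contains '"' breaks the CSV row (unchanged from before).
        $s = sprintf("\"%d\", \"%d\", \"%s\", \"%s\", \"%s\", \"%s\", \"%s\", \"%s\"\r\n", $sid, $cid, $alert_timestamp, $src_ip, $src_port, $dst_ip, $dst_port, $alert_sig);
    }
    return $s;
}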
//$qs->PrintResultCnt();
// Accumulators initialised before the row loop; their contents are filled
// by the code that follows this span.
$country_acc = array();
$country_uhn = array();
$countries = array();
// Ordered
$hosts_ips = array_keys($hosts);
// Connect to the server selected in the session when one is set, otherwise
// fall back to the default connection.
$server = $_SESSION["server"];
$use_session_server = is_array($server) && $server[0] != "";
$_conn = $use_session_server
    ? $dbo->custom_connect($server[0], $server[2], $server[3])
    : $dbo->connect();
while ($myrow = $result->baseFetchRow()) {
    if ($myrow[0] == NULL) {
        continue;
    }
    $currentIP = baseLong2IP($myrow[0]);
    $ip_type = $myrow[1];
    $num_events = $myrow[2];
    $field = $ip_type == 'S' ? 'srcnum' : 'dstnum';
    //if (geoip_country_name_by_addr($gi, $currentIP)=="" && (Net::is_ip_in_cache_cidr($_conn, $currentIP) || in_array($currentIP, $hosts_ips))) {
    //	$country_name = _("Local");
    //	$country = 'local';
    //} else {
    $country = strtolower(geoip_country_code_by_addr($gi, $currentIP));
    $country_name = geoip_country_name_by_addr($gi, $currentIP);
    //}
    if ($country_name == "") {
        $country_name = _("Unknown Country");
    }
    //echo "IP $currentIP $country_name <br>";
    if ($country_name != _("Unknown Country")) {
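/**
 * Build a per-country alert-count data set for the country charts.
 *
 * Selects the source (chart types 14/15) or destination (16/17) addresses
 * matching $criteria, maps every address with at least $min_threshold alerts
 * to a country via the Geo::IPfree ASCII database ($Geo_IPfree_file_ascii) or
 * the ip2cc executable ($IP2CC), and fills $xdata with [country, count] rows.
 *
 * @param array $xdata         output: $xdata[$i] = array(country, alert count)
 * @param int   $chart_type    14/15 = by source address, 16/17 = by destination address
 * @param mixed $data_source   not used by this function
 * @param int   $min_threshold minimum alert count for an address to be counted
 * @param array $criteria      [0] = extra FROM/JOIN clause, [1] = WHERE condition,
 *                             both already assembled by the caller
 * @return int number of countries written to $xdata, or 0 on any error
 */
function GetCountryDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
{
    global $db, $debug_mode, $Geo_IPfree_file_ascii, $IP2CC;

    // Pick the address column for the requested chart type. Any other value
    // previously executed an undefined $sql; it is rejected up front instead.
    if ($chart_type == 14 || $chart_type == 15) {
        $ip_column = "ip_src";
    } elseif ($chart_type == 16 || $chart_type == 17) {
        $ip_column = "ip_dst";
    } else {
        ErrorMessage("ERROR: chart type " . $chart_type . " is not a country chart.<BR>\n");
        return 0;
    }
    // $criteria[0] and $criteria[1] are spliced in verbatim, exactly as before;
    // they must come from the application's own criteria builder, never
    // straight from request parameters.
    $sql = "SELECT DISTINCT " . $ip_column . ", COUNT(acid_event.cid) "
        . "FROM acid_event " . $criteria[0]
        . "WHERE " . $criteria[1] . " AND " . $ip_column . " is NOT NULL "
        . "GROUP BY " . $ip_column . " ORDER BY " . $ip_column;

    // Resolve the country lookup method before running the query, so no result
    // set is left unfreed when the configuration turns out to be unusable.
    if (!isset($Geo_IPfree_file_ascii) && !isset($IP2CC)) {
        ErrorMessage("ERROR: Neither \$Geo_IPfree_file_ascii nor \$IP2CC has been configured in base_conf.php.<BR>\n");
        return 0;
    }
    $Geo_IPfree_array = array();
    if (isset($Geo_IPfree_file_ascii)) {
        // Method 1: Geo::IPfree ASCII database, loaded into memory once.
        if (empty($Geo_IPfree_file_ascii)) {
            ErrorMessage("ERROR: \$Geo_IPfree_file_ascii is an empty string.<BR>\n");
            return 0;
        }
        if (!is_file($Geo_IPfree_file_ascii)) {
            ErrorMessage("ERROR: " . $Geo_IPfree_file_ascii . " could not be found. Wrong path, perhaps?<BR>\n");
            return 0;
        }
        if (!is_readable($Geo_IPfree_file_ascii)) {
            ErrorMessage("ERROR: " . $Geo_IPfree_file_ascii . " does exist, but is not readable. Wrong permissions, perhaps?<BR>\n");
            return 0;
        }
        $country_method = 1;
        // Read in database with country data for ip addresses
        ReadGeoIPfreeFileAscii($Geo_IPfree_array);
    } else {
        // Method 2: external ip2cc executable, run once per address.
        if (empty($IP2CC)) {
            ErrorMessage("ERROR: \$IP2CC is an empty string.<BR>\n");
            return 0;
        }
        if (!is_file($IP2CC)) {
            ErrorMessage("ERROR: " . $IP2CC . " could not be found. Wrong path, perhaps?<BR>\n");
            if (ini_get("safe_mode") == 1) {
                // The hint used to name $Geo_IPfree_file_ascii here although
                // it is $IP2CC that is being checked in this branch.
                print "In &quot;safe_mode&quot; &quot; the file " . $IP2CC . "&quot; must be owned by the user under which the web server is running. Adding it to both safe_mode_exec_dir and to include_path in /etc/php.ini does NOT seem to be sufficient.<BR>\n";
            }
            return 0;
        }
        if (!is_executable($IP2CC)) {
            ErrorMessage("ERROR: " . $IP2CC . " does exist, but is not executable. Wrong permissions, perhaps?<BR>\n");
            if (ini_get("safe_mode") == 1) {
                ErrorMessage("In &quot;safe_mode&quot; the path &quot;" . dirname($IP2CC) . "&quot; must also be part of safe_mode_exec_dir in /etc/php.ini:<BR><BR>\n" . "safe_mode_exec_dir = &quot;" . dirname($IP2CC) . "&quot;<BR><BR>" . "It seems that not more than ONE SINGLE directory may be assigned to safe_mode_exec_dir.<BR>\n");
            }
            return 0;
        }
        $country_method = 2;
    }

    $result = $db->baseExecute($sql);

    // Loop through all the ip addresses returned by the sql query and add each
    // address that reaches the threshold to its country's alert count.
    $countries = array();
    while ($myrow = $result->baseFetchRow()) {
        if ($myrow[1] < $min_threshold) {
            continue;
        }
        $ip = baseLong2IP($myrow[0]);
        $num_alerts = $myrow[1];
        // Which country belongs this ip address to?
        if ($country_method == 1) {
            GeoIPfree_IP2Country($Geo_IPfree_array, $ip, $mycountry);
        } else {
            run_ip2cc($ip, $mycountry);
        }
        // Increase number of alerts for this country
        IncreaseCountryValue($countries, $mycountry, $num_alerts);
    }
    $result->baseFreeRows();

    // Kept from the original contract: when no address reached the threshold
    // (or the last lookup yielded nothing) this is reported as an error.
    if (!isset($mycountry) || empty($mycountry)) {
        ErrorMessage("ERROR: \$mycountry has not been set as expected.<BR>\n");
        return 0;
    }

    // Now setup the chart array: one [country, count] row per country.
    // foreach replaces the each() construct, which no longer exists in PHP 8.
    $cnt2 = 0;
    foreach ($countries as $key => $val) {
        $xdata[$cnt2][0] = $key;
        $xdata[$cnt2][1] = $val;
        $cnt2++;
    }
    // return number of countries rather than number of addresses!
    return $cnt2;
}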
				<th>Prio</th>
				<th>Rel</th>
				<th>Risk</th>
				<th>L4-proto</th>
			</tr>
		<?php 
    $i = 0;
    foreach ($sim_events as $sim_event) {
        if ($i >= 5) {
            continue;
        }
        $color = $i % 2 == 0 ? "#F2F2F2" : "#FFFFFF";
        $current_sip32 = $sim_event['sip'];
        $current_sip = baseLong2IP($current_sip32);
        $current_dip32 = $sim_event['dip'];
        $current_dip = baseLong2IP($current_dip32);
        $current_oasset_s = $sim_event['oasset_s'];
        $current_oasset_d = $sim_event['oasset_d'];
        $current_oprio = $sim_event['prio'];
        $current_oreli = $sim_event['rel'];
        $current_oriskc = $sim_event['risk_c'];
        $current_oriska = $sim_event['risk_a'];
        $proto = IPProto2str($sim_event['proto']);
        if ($current_sip32 != "") {
            $country = strtolower(geoip_country_code_by_addr($gi, $current_sip));
            $country_name = geoip_country_name_by_addr($gi, $current_sip);
            if ($country) {
                $country_img = " <img src=\"/ossim/pixmaps/flags/" . $country . ".png\" alt=\"{$country_name}\" title=\"{$country_name}\">";
            } else {
                $country_img = "";
            }
     list(, $my_offset, ) = unpack("n", pack("S", $myrow2[8]));
     echo '                 <TD class="plfield">' . $my_offset * 8 . '</TD>';
     echo '                 <TD class="plfield">' . htmlspecialchars($myrow2[9]) . '</TD>';
     echo '                 <TD class="plfield">' . htmlspecialchars($myrow2[10]) . '<BR>= 0x' . dechex($myrow2[10]) . '</TD></TR>';
 }
 echo '         </TABLE>';
 // Optional reverse-DNS row: $myrow2[0]/[1] are the source/destination
 // addresses, resolved (and cached) by baseGetHostByAddr().
 // NOTE(review): the resolved names are echoed as-is, unlike the
 // htmlspecialchars()-escaped fields above; whether baseGetHostByAddr()
 // already escapes is not visible here -- confirm, since rDNS answers are
 // controlled by whoever owns the reverse zone, not by this application.
 if ($resolve_IP == 1) {
     echo '  <TR>
           <TD>
             <TABLE BORDER=0 CELLPADDING=4>
               <TR><TD CLASS="iptitle" ALIGN=CENTER ROWSPAN=2>FQDN</TD>
                    <TD class="header">' . gettext("Source Name") . '</TD>
                    <TD class="header">' . gettext("Dest. Name") . '</TD>
               </TR>
               <TR><TD class="plfield">' . baseGetHostByAddr(baseLong2IP($myrow2[0]), $db, $dns_cache_lifetime) . '</TD>
                   <TD class="plfield">' . baseGetHostByAddr(baseLong2IP($myrow2[1]), $db, $dns_cache_lifetime) . '</TD>
               </TR>
              </TABLE>     
          </TR>';
 }
 // Start of the IP options table.
 echo '  <TR>';
 echo '      <TD>';
 echo '         <TABLE BORDER=0 CELLPADDING=4>';
 // Only Snort-sourced events get the "Options" label; it spans the header row
 // plus one row per option. $plugin_id, $snort_ids and $num_opt are set
 // outside this span.
 if (in_array($plugin_id, $snort_ids)) {
     echo '           <TR><TD CLASS="header2" ALIGN=CENTER ROWSPAN=' . ($num_opt != 0 ? $num_opt + 1 : 1) . '>' . gettext("Options") . '</TD>';
 }
 // Column 11 of the header row selects the transport-specific section that
 // follows; the index depends on the column order of the query above this span.
 $layer4_proto = $myrow2[11];
 if ($num_opt > 0) {
     echo '            <TD></TD>
                    <TD class="header">' . gettext("code") . '</TD>
                    <TD class="header">' . gettext("length") . '</TD>
     $d_country = strtolower(geoip_country_code_by_addr($gi, $ip_dip));
     $d_country_name = geoip_country_name_by_addr($gi, $ip_dip);
     $homelan_dip = ($match_cidr = Net::is_ip_in_cache_cidr($_conn, $ip_dip)) || in_array($ip_dip, $hosts_ips) ? " <a href='javascript:;' class='scriptinfo' style='text-decoration:none' ip='{$ip_dip}'><img src=\"" . Host::get_homelan_icon($ip_dip, $icons, $match_cidr, $_conn) . "\" border=0></a>" : "";
     if ($d_country) {
         $d_country_img = " <img src=\"/ossim/pixmaps/flags/" . $d_country . ".png\" title=\"" . $d_country_name . "\">";
         $dlnk = $current_url . "/pixmaps/flags/" . $d_country . ".png";
     } else {
         $d_country_img = "";
         $dlnk = $homelan_dip != "" ? $current_url . "/forensics/images/homelan.png" : "";
     }
     if ($fqdn == "yes") {
         qroPrintEntry('<FONT>' . $sip_fqdn . '</FONT>');
     }
     qroPrintEntry(BuildAddressLink(baseLong2IP($sip), 32) . $ip_sip . '</A>' . $s_country_img . $homelan_sip, "", "", "nowrap");
     qroPrintEntry('<img src="images/dash.png" border="0">');
     qroPrintEntry(BuildAddressLink(baseLong2IP($dip), 32) . $ip_dip . '</A>' . $d_country_img . $homelan_dip, "", "", "nowrap");
     if ($fqdn == "yes") {
         qroPrintEntry('<FONT>' . $dip_fqdn . '</FONT>');
     }
     qroPrintEntry('<FONT>' . IPProto2str($proto) . '</FONT>');
     $tmp = '<A HREF="base_stat_ports.php?port_type=2&amp;proto=' . $proto . $tmp_ip_criteria . '">';
     qroPrintEntry($tmp . $num_unique_dport . '</A>');
     $tmp = '<A HREF="base_stat_alerts.php?foo=1' . $tmp_ip_criteria . '">';
     qroPrintEntry($tmp . $num_unique . '</A>');
     $tmp = '<A HREF="base_qry_main.php?new=1' . '&amp;num_result_rows=-1' . '&amp;submit=' . gettext("Query+DB") . '&amp;current_view=-1' . $tmp_ip_criteria . '">';
     qroPrintEntry($tmp . $num_occurances . '</A>');
     qroPrintEntryFooter();
 }
 // Advance the row counter used for the table rows emitted above.
 $i += 1;
 // report_data: one row per printed entry, in the column order the report
 // consumer expects; the six empty strings are placeholder columns.
 $report_row = array(
     $ip_sip,
     $slnk,
     $ip_dip,
     $dlnk,
     IPProto2str($proto),
     "",
     "",
     "",
     "",
     "",
     "",
     $num_unique_dport,
     $num_unique,
     $num_occurances
 );
 $report_data[] = $report_row;