/*
$qro->AddTitle(gettext("Unique Events"), "sig_a", "", " ORDER BY sig_cnt ASC", "sig_d", "", " ORDER BY sig_cnt DESC");
$qro->AddTitle(gettext("Unique Src."), "saddr_a", "", " ORDER BY saddr_cnt ASC", "saddr_d", "", " ORDER BY saddr_cnt DESC");
$qro->AddTitle(gettext("Unique Dst."), "daddr_a", "", " ORDER BY daddr_cnt ASC", "daddr_d", "", " ORDER BY daddr_cnt DESC");
*/
// GetSortSQL returns a two-element array: [0] is spliced in before the FROM clause,
// [1] is appended after GROUP BY/HAVING (the ORDER BY text for the current sort).
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), "");

// Column list and join/filter tail shared by the primary and fallback per-sensor queries.
// $counter, $from, $where, $where2, $from2, $where1 and $nevents are assembled earlier in this page.
$sensor_select = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntoa(sensor.ip) AS sensor_ip, inet6_ntoa(device.device_ip) AS device_ip, device.interface, {$counter} " . $sort_sql[0] . $from;
$sensor_group = " AND device.id=acid_event.device_id GROUP BY acid_event.device_id HAVING event_cnt>0 " . $sort_sql[1];

// Primary query, and the variant with the alternate WHERE used when the primary returns nothing.
$sql = $sensor_select . $where . $sensor_group;
$sql2 = $sensor_select . $where2 . $sensor_group;

// Template for the per-sensor detail query; DEVICEID is a textual placeholder filled in later
// by the AJAX helper that reads this template back out of the session.
$sqlsensor = "SELECT {$nevents} as sig_cnt, count(distinct(acid_event.ip_src)) as saddr_cnt, count(distinct(acid_event.ip_dst)) as daddr_cnt{$sort_sql[0]}{$from2}{$where1} AND acid_event.device_id=DEVICEID";
// NOTE(review): stored under '_siem_sensor_query' while the AJAX reader looks up
// 'siem_sensor_query' — confirm the session layer maps the leading underscore.
$_SESSION['_siem_sensor_query'] = $sqlsensor;

// Debug trap: the full SQL is appended to /tmp/siem whenever /tmp/debug_siem exists. /tmp is
// typically writable by every local account, so any local user can switch this logging on and
// read the query text; gating it on a config setting would be safer.
if (file_exists('/tmp/debug_siem')) {
    error_log("STATS SENSORS:{$sql}\nSTATS SENSOR UNIQUE:{$sqlsensor}\n", 3, "/tmp/siem");
}

/* Release the session lock before the (possibly slow) query; the session write above must come first. */
session_write_close();
$result = $qs->ExecuteOutputQuery($sql, $db);
if ($result->baseRecordCount() == 0 && $use_ac) {
    // Nothing matched with the first WHERE: retry with the alternate one.
    $result = $qs->ExecuteOutputQuery($sql2, $db);
}
$qs->num_result_rows = $result->baseRecordCount();
$et->Mark("Retrieve Query Data");

/* Print the current view number and # of rows */
$displaying = gettext("Displaying sensors %d-%d of <b>%s</b> matching your selection.");
$qs->PrintResultCnt("", [], $displaying);
echo '<FORM METHOD="post" NAME="PacketForm" id="PacketForm" ACTION="base_stat_sensor.php">';
if ($qs->num_result_rows > 0) {
        }
        if ($ids != "") {
            $sql = "DELETE FROM sig_reference WHERE ref_id in ({$ids})";
            $qs->ExecuteOutputQueryNoCanned($sql, $db_snort);
        }
        $sql = "DELETE FROM reference_system WHERE ref_system_id={$delete}";
        $qs->ExecuteOutputQueryNoCanned($sql, $db_snort);
        $sql = "DELETE FROM reference WHERE ref_system_id={$delete}";
        $qs->ExecuteOutputQueryNoCanned($sql, $db_snort);
    } else {
        $error_msg = ossim_get_error();
        ossim_clean_error();
    }
}
// Load every reference_system row (unfiltered) into $ref_types for the form rendered below.
$sql = "SELECT * FROM reference_system";
$result = $qs->ExecuteOutputQuery($sql, $db_snort);
$ref_types = [];
for (;;) {
    $ref_row = $result->baseFetchRow();
    if (!$ref_row) {
        break;
    }
    $ref_types[] = $ref_row;
}
?>

<!-- <?php 
echo gettext("Forensics Console " . $BASE_installID) . $BASE_VERSION;
?>
 -->

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=<?php 
** (see the file 'base_main.php' for license details)
**
** Built upon work by Roman Danyliw <*****@*****.**>, <*****@*****.**>
** Built upon work by the BASE Project Team <*****@*****.**>
*/
require "base_conf.php";
require "vars_session.php";
require_once 'classes/Util.inc';
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";
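// The query template is produced server-side by the sensor statistics page and kept in the
// session; an empty/missing value means this AJAX helper was called out of sequence.
if (($_SESSION['siem_sensor_query'] ?? '') === '') {
    echo "-##-##-";
    die;
}
$device_id = ImportHTTPVar("id", VAR_DIGIT);
// DEVICEID is substituted textually into SQL, so the request value must stay numeric.
// VAR_DIGIT is expected to enforce that (verify in ImportHTTPVar); the cast is defence in depth.
$sql = str_replace("DEVICEID", (string) (int) $device_id, $_SESSION['siem_sensor_query']);
session_write_close();
$qs = new QueryState();
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
$rs = $qs->ExecuteOutputQuery($sql, $db);
// Defaults keep the "a##b##c" response shape defined when the query yields no row
// (previously the variables were undefined and only interpolated as empty with notices).
$unique_addrs = '';
$src_addrs = '';
$dst_addrs = '';
if ($row = $rs->baseFetchRow()) {
    $sensor_arg = urlencode($device_id);
    // Counts come straight from the DB; they are escaped before being placed in HTML.
    $unique_addrs = BuildUniqueAlertLink("?sensor=" . $sensor_arg) . Util::htmlentities($row[0]) . '</A>';
    $src_addrs = BuildUniqueAddressLink(1, "&amp;sensor=" . $sensor_arg) . Util::htmlentities($row[1]) . '</A>';
    $dst_addrs = BuildUniqueAddressLink(2, "&amp;sensor=" . $sensor_arg) . Util::htmlentities($row[2]) . '</A>';
}
$rs->baseFreeRows();
echo "{$unique_addrs}##{$src_addrs}##{$dst_addrs}";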
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";
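// Both query templates are produced server-side by the alerts statistics page and kept in the
// session; an empty/missing value means this AJAX helper was called out of sequence.
if (($_SESSION['siem_current_query_graph'] ?? '') === '' || ($_SESSION['siem_alerts_query'] ?? '') === '') {
    echo "-##-##-";
    die;
}
$tz = Util::get_timezone();
$plugin_id = ImportHTTPVar("id", VAR_DIGIT);
$plugin_sid = ImportHTTPVar("sid", VAR_DIGIT);
// PLUGINID / PLUGINSID are substituted textually into SQL, so the request values must stay
// numeric. VAR_DIGIT is expected to enforce that (verify in ImportHTTPVar); the casts are
// defence in depth. Replacing PLUGINID first cannot create or destroy a PLUGINSID token.
$plugin_id_sql = (string) (int) $plugin_id;
$plugin_sid_sql = (string) (int) $plugin_sid;
$sqlgraph = str_replace(["PLUGINID", "PLUGINSID"], [$plugin_id_sql, $plugin_sid_sql], $_SESSION['siem_current_query_graph']);
$sql = str_replace(["PLUGINID", "PLUGINSID"], [$plugin_id_sql, $plugin_sid_sql], $_SESSION['siem_alerts_query']);
session_write_close();
$qs = new QueryState();
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
$rs = $qs->ExecuteOutputQuery($sql, $db);
// Defaults keep the "a##b##c##" response shape defined when the query yields no row; the
// previous code then formatted an undefined $last into a bogus 1970 timestamp.
$src_addrs = '';
$dst_addrs = '';
$last = '';
if ($row = $rs->baseFetchRow()) {
    $addr_link = '&amp;sig_type=1&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D=' . urlencode($plugin_id . ";" . $plugin_sid);
    // Counts come straight from the DB; escape them before placing them in HTML, as the
    // sibling sensor helper does.
    $src_addrs = BuildUniqueAddressLink(1, $addr_link) . Util::htmlentities($row[0]) . '</A>';
    $dst_addrs = BuildUniqueAddressLink(2, $addr_link) . Util::htmlentities($row[1]) . '</A>';
    // Shift the last-seen time to the user's timezone only when one is configured; otherwise
    // echo the DB timestamp verbatim.
    // NOTE(review): $tz is treated as an hour offset here — confirm against Util::get_timezone().
    if ($tz != 0) {
        $last = gmdate("Y-m-d H:i:s", get_utc_unixtime($db, $row[2]) + 3600 * $tz);
    } else {
        $last = $row[2];
    }
}
$rs->baseFreeRows();
echo "{$src_addrs}##{$dst_addrs}##{$last}##";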
// Current time range from the session, falling back to "all" when none is set.
$tr = "all";
if ($_SESSION["time_range"] != "") {
    $tr = $_SESSION["time_range"];
}
$trdata = [0, 0, $tr];
        $sqlb = " and ac_alertsclas_classid.day=ac_alertsclas_signature.day";
        $sqlc = " and ac_alertsclas_classid.day=ac_alertsclas_ipsrc.day";
        $sqld = " and ac_alertsclas_classid.day=ac_alertsclas_ipdst.day";
    }
    $orderby = str_replace("acid_event.", "", $sort_sql[1]);
    $sql = "SELECT SQL_CALC_FOUND_ROWS DISTINCT sig_class_id, sum(cid) as num_events,\n      (select count(distinct(sid)) from ac_alertsclas_sid where ac_alertsclas_classid.sig_class_id=ac_alertsclas_sid.sig_class_id {$sqla}) as num_sensors,\n      (select count(distinct(signature)) from ac_alertsclas_signature where ac_alertsclas_classid.sig_class_id=ac_alertsclas_signature.sig_class_id {$sqlb}) as num_sig,\n      (select count(distinct(ip_src)) from ac_alertsclas_ipsrc where ac_alertsclas_classid.sig_class_id=ac_alertsclas_ipsrc.sig_class_id {$sqlc}) as num_sip,\n      (select count(distinct(ip_dst)) from ac_alertsclas_ipdst where ac_alertsclas_classid.sig_class_id=ac_alertsclas_ipdst.sig_class_id {$sqld}) as num_dip,\n      min(first_timestamp) as first_timestamp,  max(last_timestamp) as last_timestamp\n      FROM ac_alertsclas_classid FORCE INDEX(primary) {$where} GROUP BY sig_class_id {$orderby}";
    $event_cnt = EventCnt($db, "", "", "SELECT sum(cid) FROM ac_alertsclas_classid {$where}");
    $where = "AND " . str_replace("timestamp", "day", $criteria_clauses[1]);
    if ($tr != "today" && $tr != "day") {
        // we dont have hour interval in ac_* tables
        $sqlgraph = "SELECT sum(cid) as num_events, {$interval} FROM ac_alertsclas_classid WHERE sig_class_id=SIGCLASSID {$grpby}";
    }
}
/* Run the query again with the LIMIT applied, to fetch the page of rows actually displayed. */
$result = $qs->ExecuteOutputQuery($sql, $db);
if ($use_ac) {
    // AC-table path: the total row count is obtained from the separate count query (presumably $cnt_sql).
    $qs->GetCalcFoundRows($cnt_sql, $db);
}
$et->Mark("Retrieve Query Data");
if ($debug_mode == 1) {
    // Dumps internal query state and the raw SQL into the page: keep debug_mode off on production hosts.
    $qs->PrintCannedQueryList();
    $qs->DumpState();
    echo $sql . "<BR>";
}
/* Print the current view number and # of rows */
$qs->PrintResultCnt();
$flot_script = '
  <script src="js/jquery.flot.pack.js" language="javascript" type="text/javascript"></script>
  ';
echo $flot_script, '<FORM METHOD="post" NAME="PacketForm" ACTION="base_stat_class_graph.php">';