function make_sensor_filter($conn, $alias = "acid_event")
{
$sensor_where = "";
if (Session::allowedSensors() != "") {
$user_sensors = explode(",", Session::allowedSensors());
$snortsensors = GetSnortSensorSids($conn);
$sids = array();
foreach ($user_sensors as $user_sensor) {
//echo "Sids de $user_sensor ".$snortsensors[$user_sensor][0]."<br>";
if (count($snortsensors[$user_sensor]) > 0) {
foreach ($snortsensors[$user_sensor] as $sid) {
if ($sid != "") {
$sids[] = $sid;
}
}
}
}
$sensor_where = count($sids) > 0 ? " AND {$alias}.sid in (" . implode(",", $sids) . ")" : " AND {$alias}.sid in (0)";
// Vacio
}
return $sensor_where;
}
if (!empty($error_message)) {
$config_nt = array('content' => $error_message, 'options' => array('type' => 'nf_error', 'cancel_button' => false), 'style' => 'width: 80%; margin: 20px auto; text-align: left;');
$nt = new Notification('nt_1', $config_nt);
$nt->show();
exit(1);
}
$db = new ossim_db();
$conn = $db->connect();
$tsensors = explode(',', Session::allowedSensors());
$sensor_ids = array();
$conn->SetFetchMode(ADODB_FETCH_BOTH);
foreach ($tsensors as $s_ip) {
$sensor_ids[$s_ip] = $conn->GetOne("SELECT HEX(id) FROM sensor WHERE INET_NTOA( CONV( HEX( ip ) , 16, 10 ) ) LIKE '{$s_ip}'");
}
// check permissions for selected server
if (!(valid_hex32($scan_server) && (Session::allowedSensors() == "" || in_array($scan_server, array_values($sensor_ids))))) {
$scan_server = "";
}
$message_pre_scan = _("Pre-scan localy");
$message_force_pre_scan = _("Error: Need to force pre-scan locally");
$ctest = array();
// to save connection test to servers
$ttargets = array();
// to save check for targets
$sensor_error = false;
?>
<style type="text/css">
.sstatus{
text-align:center;
$chart['chart_rect'] = array('x' => 20, 'y' => -40, 'width' => 350, 'height' => 220, 'positive_alpha' => 0);
$chart['chart_transition'] = array('type' => "zoom", 'delay' => 0.1, 'duration' => 0.5, 'order' => "series");
$chart['chart_type'] = "3d column";
$chart['chart_value'] = array('position' => "cursor", 'size' => 10, 'color' => "000000", 'alpha' => 90, 'background_color' => "444444");
$chart['draw'] = array(array('type' => "image", 'url' => "/ossim/graphs/charts.swf??timeout=120&library_path=" . urlencode("/ossim/graphs/charts_library") . "&php_source=" . urlencode("/ossim/graphs/alarms_events_data2.php?bypassexpirationupdate=1")));
$chart['legend_label'] = array('layout' => "vertical", 'bullet' => "square", 'size' => 11, 'color' => "202020", 'alpha' => 85);
$chart['legend_rect'] = array('x' => 20, 'y' => 75, 'width' => 20, 'height' => 20, 'fill_alpha' => 0);
$chart['series_color'] = array("cc9944", "556688");
$chart['link_data'] = array('url' => "/ossim/graphs/handle.php?target_url=alarms_events&target_var=series", 'target' => "main");
$db = new ossim_db();
$conn = $db->connect();
$conn2 = $db->snort_connect();
$sensor_where = "";
$sensor_where_ossim = "";
if (Session::allowedSensors() != "") {
$user_sensors = explode(",", Session::allowedSensors());
$snortsensors = GetSensorSids($conn2);
$sids = array();
foreach ($user_sensors as $user_sensor) {
//echo "Sids de $user_sensor ".$snortsensors[$user_sensor][0]."<br>";
if (count($snortsensors[$user_sensor]) > 0) {
foreach ($snortsensors[$user_sensor] as $sid) {
if ($sid != "") {
$sids[] = $sid;
}
}
}
}
if (count($sids) > 0) {
$sensor_where = " AND sid in (" . implode(",", $sids) . ")";
$sensor_where_ossim = " AND alarm.snort_sid in (" . implode(",", $sids) . ")";
}
$buffer .= "]";
if ($buffer == "[]") {
$buffer = "[{title:'" . _("No Network Groups Found") . "', noLink:true}]";
}
echo $buffer;
} else {
if (preg_match("/^u_(.*)_net\$/", $key)) {
echo Net::draw_nets_by_class($conn, $key, $filter, $length_name);
} else {
if (preg_match("/^u_(.*)_.class_(.*)/", $key)) {
echo Net::draw_nets_by_class($conn, $key, $filter, $length_name);
} else {
if (preg_match("/u_(.*)_sensor/", $key, $found)) {
$sensor_list = Sensor::get_list($conn);
$allowedSensors = Session::allowedSensors($found[1]);
$sensors_allowed = array_fill_keys(explode(",", $allowedSensors), 1);
$j = 0;
$buffer .= "[";
foreach ($sensor_list as $sensor) {
if ($allowedSensors == "" || $sensors_allowed[$sensor->get_ip()]) {
$sensor_name = $sensor->get_name();
$s_title = Util::htmlentities($sensor_name);
$title = strlen($sensor_name) > $length_name ? substr($sensor_name, 0, $length_name) . "..." : $sensor_name;
$title = Util::htmlentities($title);
$tooltip = $s_title;
$li = "h:'{$h}', url:'../sensor/interfaces.php?sensor=" . $sensor->get_ip() . "&name=" . urlencode($sensor_name) . "', icon:'../../pixmaps/theme/server.png', title:'{$title}', tooltip:'{$tooltip}'\n";
$buffer .= ($j > 0 ? "," : "") . "{ {$li} }";
$j++;
}
}
function showWindowContents()
{
require_once 'ossim_db.inc';
require_once 'classes/Event_viewer.inc';
$dbname = $this->get('cloud_db');
$link = $this->get('cloud_link');
$max_len = $this->get('cloud_tag_max_len');
$resolv_hostname = $this->get('cloud_resolv_ip');
if (ossim_error()) {
die(ossim_error());
}
$method = $dbname == 'snort' ? 'snort_connect' : 'connect';
$db = new ossim_db();
$conn = $db->{$method}();
// User sensor filtering
$sensor_where = "";
if (Session::allowedSensors() != "") {
$user_sensors = explode(",", Session::allowedSensors());
$snortsensors = Event_viewer::GetSensorSids($conn);
$sensor_str = "";
foreach ($user_sensors as $user_sensor) {
if (count($snortsensors[$user_sensor]) > 0) {
$sensor_str .= $sensor_str != "" ? "," . implode(",", $snortsensors[$user_sensor]) : implode(",", $snortsensors[$user_sensor]);
}
}
if ($sensor_str == "") {
$sensor_str = "0";
}
$sensor_where = " sid in (" . $sensor_str . ")";
}
$sql = $this->get('cloud_sql');
if (!preg_match('/^\\s*\\(?\\s*SELECT\\s/i', $sql) || preg_match('/\\sFOR\\s+UPDATE/i', $sql) || preg_match('/\\sINTO\\s+OUTFILE/i', $sql) || preg_match('/\\sLOCK\\s+IN\\s+SHARE\\s+MODE/i', $sql)) {
return _("SQL Query invalid due security reasons");
}
if ($sensor_where != "") {
if (preg_match("/where/", $sql)) {
$sql = str_replace("where", "where " . $sensor_where . " AND ", $sql);
} else {
$sql = str_replace("GROUP BY", "where " . $sensor_where . " GROUP BY", $sql);
}
}
//echo "Ejecutando en $dbname: $sql";
if (!($rs = $conn->Execute($sql))) {
return "Error was: " . $conn->ErrorMsg() . "\n\nQuery was: " . $sql;
}
if ($resolv_hostname) {
require_once "classes/Host.inc";
}
$tags = array();
while (!$rs->EOF) {
if ($resolv_hostname) {
$tag_names[$rs->fields[0]] = Host::ip2hostname($conn, $rs->fields[0], $is_sensor = false, $force_no_dns = true);
}
$tags[$rs->fields[0]] = $rs->fields[1];
$rs->MoveNext();
}
$db->close($conn);
if (!count($tags)) {
return "";
}
// Default font sizes
$min_font_size = 8;
$max_font_size = 35;
$minimum_count = min(array_values($tags));
$maximum_count = max(array_values($tags));
$spread = $maximum_count - $minimum_count;
if ($spread == 0) {
$spread = 1;
}
if ($link == '') {
$link = '#';
}
$cloud_html = '';
$cloud_tags = array();
// create an array to hold tag code
foreach ($tags as $tag => $count) {
$local_link = str_replace("_TAG_", $tag, $link);
$local_name = $tag;
if ($resolv_hostname) {
$local_name = $tag_names[$tag];
}
if ($max_len > 0) {
$tag = substr($tag, 0, $max_len);
}
$size = count($tags) == 1 ? $max_font_size : $min_font_size + ($count - $minimum_count) * ($max_font_size - $min_font_size) / $spread;
$cloud_tags[] = '<a style="font-size: ' . floor($size) . 'px' . '" class="tag_cloud" href="' . htmlspecialchars($local_link) . '" title="\'' . $tag . '\' returned a count of ' . $count . '">' . htmlspecialchars(stripslashes($local_name)) . '</a> ';
}
$cloud_html = join("\n", $cloud_tags) . "\n";
return $cloud_html;
}
ossim_valid($type, "hn", "freetext", "service", OSS_NULLABLE, 'illegal: type');
if (ossim_error()) {
die(ossim_error());
}
$net = "";
$hosts = array();
if ($type == "net" && preg_match("/\\d+\\.\\d+\\.\\d+\\.\\d+\\/\\d+/", $value)) {
$net = $value;
}
//for autocomplete input
$autocnetworks = $autochosts = $autocsensors = "";
list($_sensors, $_hosts) = Host::get_ips_and_hostname($dbconn, true);
$_nets = Net::get_all($dbconn, true);
//echo "ok"; exit;
$sensor_list = Sensor::get_list($dbconn);
$allowedSensors = Session::allowedSensors();
foreach ($_hosts as $_ip => $_hostname) {
if ($_hostname != $_ip) {
$autochosts .= '{ txt:"' . $_hostname . ' [Host:' . $_ip . ']", id: "' . $_ip . '" },';
} else {
$autochosts .= '{ txt:"' . $_ip . '", id: "' . $_ip . '" },';
}
}
foreach ($_nets as $_net) {
$autocnetworks .= '{ txt:"' . $_net->get_name() . ' [Net:' . $_net->get_ips() . ']", id: "' . $_net->get_ips() . '" },';
}
foreach ($sensor_list as $sensor) {
if (in_array($sensor->get_ip(), explode(",", $allowedSensors)) || $allowedSensors == "") {
$autocsensors .= '{ txt:"' . $sensor->get_name() . ' [Sensor:' . $sensor->get_ip() . ']", id: "' . $sensor->get_ip() . '" },';
}
}
function server_get_sensors($conn)
{
require_once 'ossim_conf.inc';
$allowed_sensors = explode(",", Session::allowedSensors());
$ossim_conf = $GLOBALS["CONF"];
/* get the port and IP address of the server */
$address = $ossim_conf->get_conf("server_address");
$port = $ossim_conf->get_conf("server_port");
/* create socket */
$socket = socket_create(AF_INET, SOCK_STREAM, 0);
if ($socket < 0) {
echo _("socket_create() failed: reason: ") . socket_strerror($socket) . "\n";
return array($list, $err);
}
$list = array();
/* connect */
socket_set_block($socket);
socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array('sec' => 4, 'usec' => 0));
socket_set_option($socket, SOL_SOCKET, SO_SNDTIMEO, array('sec' => 4, 'usec' => 0));
$result = @socket_connect($socket, $address, $port);
if (!$result) {
$err = "<p><b>" . _("socket error") . "</b>: " . gettext("Is OSSIM server running at") . " {$address}:{$port}?</p>";
return array($list, $err);
}
/* first send a connect message to server */
$in = 'connect id="1" type="web"' . "\n";
$out = '';
socket_write($socket, $in, strlen($in));
$out = @socket_read($socket, 2048, PHP_BINARY_READ);
if (strncmp($out, "ok id=", 4)) {
$err = "<p><b>" . gettext("Bad response from server") . "</b></p>";
$err .= "<p><b>" . _("socket error") . "</b>: " . gettext("Is OSSIM server running at") . " {$address}:{$port}?</p>";
return array($list, $err);
}
/* get sensors from server */
$in = 'server-get-sensor-plugins id="2"' . "\n";
$output = '';
socket_write($socket, $in, strlen($in));
//$pattern = '/sensor host="([^"]*)" state="([^"]*)"/ ';
$pattern = '/sensor="([^"]*)" plugin_id="([^"]*)" state="([^"]*)" enabled="([^"]*)"/ ';
$plugins = array();
while ($output = socket_read($socket, 2048, PHP_BINARY_READ)) {
$lines = explode("\n", $output);
foreach ($lines as $out) {
if (preg_match($pattern, $out, $regs)) {
//if (Session::hostAllowed($conn, $regs[1])) {
if (in_array($regs[1], $allowed_sensors) || Session::allowedSensors() == "") {
//$s["sensor"] = $regs[1];
//$s["state"] = $regs[3];
//# This should be checked in the server TODO FIXME
//if (!in_array($s, $list)) $list[] = $s;
$list[$regs[1]][$regs[2]]['enabled'] = $regs[4];
$list[$regs[1]][$regs[2]]['state'] = $regs[3];
}
} elseif (!strncmp($out, "ok id=", 4)) {
break;
}
}
}
socket_close($socket);
return array($list, "");
}
echo "User '{$login}' has OpenSource perms. Trying to migrate...\n";
foreach ($net_list as $net) {
$net_cidr = $net['ips'];
$net_name = $net['name'];
if (false !== strpos(Session::allowedNets($login), $net_cidr)) {
if ($nets == "") {
$nets = $net_cidr;
} else {
$nets .= "," . $net_cidr;
}
}
}
foreach ($sensor_list as $sensor) {
$sensor_name = $sensor['name'];
$sensor_ip = $sensor['ip'];
if (false !== strpos(Session::allowedSensors($login), $sensor_ip)) {
if ($sensors == "") {
$sensors = $sensor_ip;
} else {
$sensors .= "," . $sensor_ip;
}
}
}
foreach ($ACL_MAIN_MENU as $mainmenu => $menus) {
foreach ($menus as $key => $menu) {
if ($gacl->acl_check($mainmenu, $key, ACL_DEFAULT_USER_SECTION, $login)) {
$perm_id = $permids[$mainmenu][$key];
if ($perm_id > 0) {
$perms[$perm_id] = true;
}
}
function ProcessCriteria()
{
global $db, $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode, $caller, $DBtype;
/* XXX-SEC */
global $cs, $timetz;
/* the JOIN criteria */
$ip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid ";
$tcp_join_sql = " LEFT JOIN tcphdr ON acid_event.sid=tcphdr.sid AND acid_event.cid=tcphdr.cid ";
$udp_join_sql = " LEFT JOIN udphdr ON acid_event.sid=udphdr.sid AND acid_event.cid=udphdr.cid ";
$icmp_join_sql = " LEFT JOIN icmphdr ON acid_event.sid=icmphdr.sid AND acid_event.cid=icmphdr.cid ";
$rawip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid ";
$sig_join_sql = " LEFT JOIN ossim.plugin_sid ON acid_event.plugin_id=plugin_sid.plugin_id AND acid_event.plugin_sid=plugin_sid.sid ";
$sig_join = false;
//$data_join_sql = " LEFT JOIN extra_data ON acid_event.sid=extra_data.sid AND acid_event.cid=extra_data.cid ";
$data_join_sql = "";
$ag_join_sql = " LEFT JOIN acid_ag_alert ON acid_event.sid=acid_ag_alert.ag_sid AND acid_event.cid=acid_ag_alert.ag_cid ";
//$sig_join_sql = "";
//$sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.*,extra_data.userdata1,extra_data.userdata2,extra_data.userdata3,extra_data.userdata4,extra_data.userdata5,extra_data.userdata6,extra_data.userdata7,extra_data.userdata8,extra_data.userdata9,extra_data.username,extra_data.password,extra_data.filename FROM acid_event";
$sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.* FROM acid_event";
// This needs to be examined!!! -- Kevin
$where_sql = " WHERE ";
//$where_sql = "";
// $criteria_sql = " acid_event.sid > 0";
// Initially show last 24hours events
if ($_GET['time_range'] == "") {
$criteria_sql = " ( timestamp >='" . gmdate("Y-m-d", $timetz) . "' ) ";
} else {
$criteria_sql = " 1 ";
}
//$criteria_sql = " ( timestamp <= CURDATE() ) ";
//$criteria_sql = " 1 ";
$join_sql = "";
/* ********************** Meta Criteria ******************************************** */
$sig = $cs->criteria['sig']->criteria;
$sig_type = $cs->criteria['sig']->sig_type;
$sig_class = $cs->criteria['sig_class']->criteria;
$sig_priority = $cs->criteria['sig_priority']->criteria;
$ag = $cs->criteria['ag']->criteria;
$sensor = $cs->criteria['sensor']->criteria;
$plugin = $cs->criteria['plugin']->criteria;
$plugingroup = $cs->criteria['plugingroup']->criteria;
$networkgroup = $cs->criteria['networkgroup']->criteria;
$userdata = $cs->criteria['userdata']->criteria;
$sourcetype = $cs->criteria['sourcetype']->criteria;
$category = $cs->criteria['category']->criteria;
$time = $cs->criteria['time']->GetUTC();
//$cs->criteria['time']->criteria;
//print_r($time);print_r($cs->criteria['time']->criteria);
$time_cnt = $cs->criteria['time']->GetFormItemCnt();
$ip_addr = $cs->criteria['ip_addr']->criteria;
$ip_addr_cnt = $cs->criteria['ip_addr']->GetFormItemCnt();
$layer4 = $cs->criteria['layer4']->criteria;
$ip_field = $cs->criteria['ip_field']->criteria;
$ip_field_cnt = $cs->criteria['ip_field']->GetFormItemCnt();
$tcp_port = $cs->criteria['tcp_port']->criteria;
$tcp_port_cnt = $cs->criteria['tcp_port']->GetFormItemCnt();
$tcp_flags = $cs->criteria['tcp_flags']->criteria;
$tcp_field = $cs->criteria['tcp_field']->criteria;
$tcp_field_cnt = $cs->criteria['tcp_field']->GetFormItemCnt();
$udp_port = $cs->criteria['udp_port']->criteria;
$udp_port_cnt = $cs->criteria['udp_port']->GetFormItemCnt();
$udp_field = $cs->criteria['udp_field']->criteria;
$udp_field_cnt = $cs->criteria['udp_field']->GetFormItemCnt();
$icmp_field = $cs->criteria['icmp_field']->criteria;
$icmp_field_cnt = $cs->criteria['icmp_field']->GetFormItemCnt();
$rawip_field = $cs->criteria['rawip_field']->criteria;
$rawip_field_cnt = $cs->criteria['rawip_field']->GetFormItemCnt();
$data = $cs->criteria['data']->criteria;
$data_cnt = $cs->criteria['data']->GetFormItemCnt();
$cs->criteria['data']->data_encode;
//$data_encode[0] = "ascii"; $data_encode[1] = "hex";
/* OSSIM */
$ossim_type = $cs->criteria['ossim_type']->criteria;
$ossim_priority = $cs->criteria['ossim_priority']->criteria;
$ossim_reliability = $cs->criteria['ossim_reliability']->criteria;
$ossim_asset_dst = $cs->criteria['ossim_asset_dst']->criteria;
$ossim_risk_a = $cs->criteria['ossim_risk_a']->criteria;
$tmp_meta = "";
/* Sensor */
if ($sensor != "" && $sensor != " ") {
$tmp_meta = $tmp_meta . " AND acid_event.sid in (" . $sensor . ")";
} else {
$cs->criteria['sensor']->Set("");
// Filter by user perms if no criteria
if (Session::allowedSensors() != "") {
$user_sensors = explode(",", Session::allowedSensors());
$snortsensors = GetSensorSids($db);
$sensor_str = "";
foreach ($user_sensors as $user_sensor) {
if (count($snortsensors[$user_sensor]) > 0) {
$sensor_str .= $sensor_str != "" ? "," . implode(",", $snortsensors[$user_sensor]) : implode(",", $snortsensors[$user_sensor]);
}
}
if ($sensor_str == "") {
$sensor_str = "0";
}
$tmp_meta .= " AND acid_event.sid in (" . $sensor_str . ")";
}
}
/* Plugin */
if ($plugin != "" && $plugin != " ") {
$tmp_meta = $tmp_meta . " AND acid_event.plugin_id in (" . $plugin . ")";
}
/* Plugin Group */
if ($plugingroup != "" && $plugingroup != " ") {
$pg_ids = QueryOssimPluginGroup($plugingroup);
if ($pg_ids != "") {
$tmp_meta = $tmp_meta . " AND ({$pg_ids}) ";
} else {
$tmp_meta = $tmp_meta . " AND (acid_event.plugin_id=-1 AND acid_event.plugin_sid=-1)";
}
}
/* Network Group */
if ($networkgroup != "" && $networkgroup != " ") {
$ng_ids = QueryOssimNetworkGroup($networkgroup);
if ($ng_ids != "") {
$tmp_meta = $tmp_meta . " AND ({$ng_ids}) ";
}
}
/* User Data */
//print_r($_SESSION);
//echo "User Data:$userdata";
if (trim($userdata[2]) != "") {
$sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.*,extra_data.* FROM acid_event";
$data_join_sql = ",extra_data ";
$flt = "extra_data." . $userdata[0] . " " . $userdata[1] . " " . ($userdata[1] == "like" ? "'%" . str_replace("'", "\\'", $userdata[2]) . "%'" : "'" . $userdata[2] . "'");
$tmp_meta .= " AND acid_event.sid=extra_data.sid AND acid_event.cid=extra_data.cid AND ({$flt})";
}
/* Source Type */
if (trim($sourcetype) != "") {
$tmp_meta = $tmp_meta . " AND acid_event.plugin_id in (" . GetPluginListBySourceType($sourcetype) . ")";
}
/* Category */
if ($category[0] != 0) {
$sig_join = true;
$tmp_meta = $tmp_meta . GetPluginListByCategory($category);
}
/* Alert Group */
if ($ag != "" && $ag != " ") {
$tmp_meta = $tmp_meta . " AND ag_id =" . $ag;
$join_sql = $join_sql . $ag_join_sql;
} else {
$cs->criteria['ag']->Set("");
}
/* Signature */
if (isset($sig[0]) && $sig[0] != " " && $sig[0] != "" && (isset($sig[1]) && $sig[1] != "")) {
if ($sig_type == 1) {
// sending sig[1]=plugin_id;plugin_sid
$pidsid = preg_split("/[\\s;]+/", $sig[1]);
$tmp_meta = $tmp_meta . " AND (acid_event.plugin_id=" . intval($pidsid[0]) . " AND acid_event.plugin_sid=" . intval($pidsid[1]) . ")";
} else {
// free string
$sig_ids = QueryOssimSignature($sig[1], $sig[0], $sig[2]);
$sig_join = true;
$tmp_meta = $tmp_meta . " AND ({$sig_ids})";
//if ($sig_ids != "")
// $tmp_meta = $tmp_meta . " AND ($sig_ids) ";
//else
// $tmp_meta = $tmp_meta." AND (plugin_id=-1 AND plugin_sid=-1)";
}
} else {
$cs->criteria['sig']->Set("");
}
/* Signature Classification
if ($sig_class != " " && $sig_class != "" && $sig_class != "0") {
$tmp_meta = $tmp_meta . " AND sig_class_id = '" . $sig_class . "'";
} else if ($sig_class == "0") {
$tmp_meta = $tmp_meta . " AND (sig_class_id is null OR sig_class_id = '0')";
} else $cs->criteria['sig_class']->Set(""); */
/* Signature Priority
if ($sig_priority[1] != " " && $sig_priority[1] != "" && $sig_priority[1] != "0") {
$tmp_meta = $tmp_meta . " AND sig_priority " . $sig_priority[0] . " '" . $sig_priority[1] . "'";
} else if ($sig_priority[1] == "0") {
$tmp_meta = $tmp_meta . " AND (sig_priority is null OR sig_priority = '0')";
} else $cs->criteria['sig_priority']->Set("");*/
/* Date/Time
if ( DateTimeRows2sql($time, $time_cnt, $tmp_meta) == 0 )
$cs->criteria['time']->SetFormItemCnt(0); */
/*
* OSSIM Code
*/
/* OSSIM Type */
if ($ossim_type[1] != " " && $ossim_type[1] != "" && $ossim_type[1] != "0") {
$tmp_meta = $tmp_meta . " AND acid_event.ossim_type = '" . $ossim_type[1] . "'";
} else {
if ($ossim_type[1] == "0") {
$tmp_meta = $tmp_meta . " AND (acid_event.ossim_type is null OR acid_event.ossim_type = '0')";
} else {
$cs->criteria['ossim_type']->Set("");
}
}
/* OSSIM Priority */
if ($ossim_priority[1] != " " && $ossim_priority[1] != "" && $ossim_priority[1] != "0") {
$tmp_meta = $tmp_meta . " AND acid_event.ossim_priority " . $ossim_priority[0] . " '" . $ossim_priority[1] . "'";
} else {
if ($ossim_priority[1] == "0") {
$tmp_meta = $tmp_meta . " AND (acid_event.ossim_priority is null OR acid_event.ossim_priority = '0')";
} else {
$cs->criteria['ossim_priority']->Set("");
}
}
/* OSSIM Reliability */
if ($ossim_reliability[1] != " " && $ossim_reliability[1] != "" && $ossim_reliability[1] != "0") {
$tmp_meta = $tmp_meta . " AND acid_event.ossim_reliability " . $ossim_reliability[0] . " '" . $ossim_reliability[1] . "'";
} else {
if ($ossim_reliability[1] == "0") {
$tmp_meta = $tmp_meta . " AND (acid_event.ossim_reliability is null OR acid_event.ossim_reliability = '0')";
} else {
$cs->criteria['ossim_reliability']->Set("");
}
}
/* OSSIM Asset DST */
if ($ossim_asset_dst[1] != " " && $ossim_asset_dst[1] != "" && $ossim_asset_dst[1] != "0") {
$tmp_meta = $tmp_meta . " AND acid_event.ossim_asset_dst " . $ossim_asset_dst[0] . " '" . $ossim_asset_dst[1] . "'";
} else {
if ($ossim_asset_dst[1] == "0") {
$tmp_meta = $tmp_meta . " AND (acid_event.ossim_asset_dst is null OR acid_event.ossim_asset_dst = '0')";
} else {
$cs->criteria['ossim_asset_dst']->Set("");
}
}
/* OSSIM Risk A */
if ($ossim_risk_a != " " && $ossim_risk_a != "" && $ossim_risk_a != "0") {
if ($ossim_risk_a == "low") {
//$tmp_meta = $tmp_meta." AND ossim_risk_a >= 1 AND ossim_risk_a <= 4 ";
$tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a < 1 ";
} else {
if ($ossim_risk_a == "medium") {
//$tmp_meta = $tmp_meta." AND ossim_risk_a >= 5 AND ossim_risk_a <= 7 ";
$tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a = 1 ";
} else {
if ($ossim_risk_a == "high") {
//$tmp_meta = $tmp_meta." AND ossim_risk_a >= 8 AND ossim_risk_a <= 10 ";
$tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a > 1 ";
}
}
}
} else {
$cs->criteria['ossim_risk_a']->Set("");
}
/* Date/Time */
if (DateTimeRows2sql($time, $time_cnt, $tmp_meta) == 0) {
$cs->criteria['time']->SetFormItemCnt(0);
}
$criteria_sql = $criteria_sql . $tmp_meta;
/* ********************** IP Criteria ********************************************** */
/* IP Addresses */
$tmp2 = "";
for ($i = 0; $i < $ip_addr_cnt; $i++) {
$tmp = "";
if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] != " ") {
if ($ip_addr[$i][3] != "" && $ip_addr[$i][4] != "" && $ip_addr[$i][5] != "" && $ip_addr[$i][6] != "") {
/* if use illegal 256.256.256.256 address then
* this is the special case where need to search for portscans
*/
if ($ip_addr[$i][3] == "256" && $ip_addr[$i][4] == "256" && $ip_addr[$i][5] == "256" && $ip_addr[$i][6] == "256") {
$tmp = $tmp . " acid_event." . $ip_addr[$i][1] . " IS NULL" . " ";
} else {
if ($ip_addr[$i][10] == "") {
$tmp = $tmp . " acid_event." . $ip_addr[$i][1] . $ip_addr[$i][2] . "'" . baseIP2long($ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6]) . "' ";
} else {
$mask = getIPMask($ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6], $ip_addr[$i][10]);
if ($ip_addr[$i][2] == "!=") {
$tmp_op = " NOT ";
} else {
$tmp_op = "";
}
$tmp = $tmp . $tmp_op . " (acid_event." . $ip_addr[$i][1] . ">= '" . baseIP2long($mask[0]) . "' AND " . "acid_event." . $ip_addr[$i][1] . "<= '" . baseIP2long($mask[1]) . "')";
}
}
}
/* if have chosen the address type to be both source and destination */
if (ereg("ip_both", $tmp)) {
$tmp_src = ereg_replace("ip_both", "ip_src", $tmp);
$tmp_dst = ereg_replace("ip_both", "ip_dst", $tmp);
if ($ip_addr[$i][2] == '=') {
$tmp = "(" . $tmp_src . ') OR (' . $tmp_dst . ')';
} else {
$tmp = "(" . $tmp_src . ') AND (' . $tmp_dst . ')';
}
}
if ($tmp != "") {
$tmp = $ip_addr[$i][0] . "(" . $tmp . ")" . $ip_addr[$i][8] . $ip_addr[$i][9];
}
} else {
if (isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" || $ip_addr[$i][1] != " ") {
/* IP_addr_type, but MALFORMED IP address */
if ($ip_addr[$i][1] != " " && $ip_addr[$i][3] == "" && ($ip_addr[$i][4] != "" || $ip_addr[$i][5] != "" || $ip_addr[$i][6] != "")) {
ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Invalid IP address criteria") . " ' *." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . " '");
}
/* ADDRESS, but NO IP_addr_type was given */
if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] == " ") {
ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("A IP address of") . " '" . $ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . "' " . gettext("was entered for as a criteria value, but the type of address (e.g. source, destination) was not specified."));
}
/* IP_addr_type IS FILLED, but no ADDRESS */
if ($ip_addr[$i][1] != " " && $ip_addr[$i][1] != "" && $ip_addr[$i][3] == "") {
ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("An IP address of type") . " '" . $ip_addr[$i][1] . "' " . gettext("was selected (at #") . $i . ") " . gettext("indicating that an IP address should be a criteria, but no address on which to match was specified."));
}
}
}
$tmp2 = $tmp2 . $tmp;
if ($i > 0 && $ip_addr[$i - 1][9] == ' ' && $ip_addr[$i - 1][3] != "") {
ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Multiple IP address criteria entered without a boolean operator (e.g. AND, OR) between IP Criteria") . " #{$i} and #" . ($i + 1) . ".");
}
}
if ($tmp2 != "") {
$criteria_sql = $criteria_sql . " AND ( " . $tmp2 . " )";
} else {
$cs->criteria['ip_addr']->SetFormItemCnt(0);
}
/* IP Fields */
if (FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql) == 0) {
$cs->criteria['ip_field']->SetFormItemCnt(0);
}
/* Layer-4 encapsulation */
if ($layer4 == "TCP") {
$criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '6'";
} else {
if ($layer4 == "UDP") {
$criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '17'";
} else {
if ($layer4 == "ICMP") {
$criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '1'";
} else {
if ($layer4 == "RawIP") {
$criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '255'";
} else {
$cs->criteria['layer4']->Set("");
}
}
}
}
/* Join the iphdr table if necessary */
if (!$cs->criteria['ip_field']->isEmpty()) {
$join_sql = $ip_join_sql . $join_sql;
}
/* ********************** TCP Criteria ********************************************** */
if ($layer4 == "TCP") {
$proto_tmp = "";
/* TCP Ports */
if (FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp) == 0) {
$cs->criteria['tcp_port']->SetFormItemCnt(0);
}
$criteria_sql = $criteria_sql . $proto_tmp;
$proto_tmp = "";
/* TCP Flags */
if (isset($tcp_flags) && sizeof($tcp_flags) == 8) {
if ($tcp_flags[0] == "contains" || $tcp_flags[0] == "is") {
$flag_tmp = $tcp_flags[1] + $tcp_flags[2] + $tcp_flags[3] + $tcp_flags[4] + $tcp_flags[5] + $tcp_flags[6] + $tcp_flags[7] + $tcp_flags[8];
if ($tcp_flags[0] == "is") {
$proto_tmp = $proto_tmp . ' AND tcp_flags=' . $flag_tmp;
} else {
if ($tcp_flags[0] == "contains") {
$proto_tmp = $proto_tmp . ' AND (tcp_flags & ' . $flag_tmp . ' = ' . $flag_tmp . " )";
} else {
$proto_tmp = "";
}
}
}
}
/* TCP Fields */
if (FieldRows2sql($tcp_field, $tcp_field_cnt, $proto_tmp) == 0) {
$cs->criteria['tcp_field']->SetFormItemCnt(0);
}
/* TCP Options
* - not implemented
*/
if (!$cs->criteria['tcp_port']->isEmpty() || !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty()) {
$criteria_sql = $criteria_sql . $proto_tmp;
if (!$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty()) {
$join_sql = $tcp_join_sql . $join_sql;
}
}
}
/* ********************** UDP Criteria ********************************************* */
if ($layer4 == "UDP") {
$proto_tmp = "";
/* UDP Ports */
if (FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp) == 0) {
$cs->criteria['udp_port']->SetFormItemCnt(0);
}
$criteria_sql = $criteria_sql . $proto_tmp;
$proto_tmp = "";
/* UDP Fields */
if (FieldRows2sql($udp_field, $udp_field_cnt, $proto_tmp) == 0) {
$cs->criteria['udp_field']->SetFormItemCnt(0);
}
if (!$cs->criteria['udp_port']->isEmpty() || !$cs->criteria['udp_field']->isEmpty()) {
$criteria_sql = $criteria_sql . $proto_tmp;
if (!$cs->criteria['udp_field']->isEmpty()) {
$join_sql = $udp_join_sql . $join_sql;
}
}
}
/* ********************** ICMP Criteria ******************************************** */
if ($layer4 == "ICMP") {
$proto_tmp = "";
/* ICMP Fields */
if (FieldRows2sql($icmp_field, $icmp_field_cnt, $proto_tmp) == 0) {
$cs->criteria['icmp_field']->SetFormItemCnt(0);
}
if (!$cs->criteria['icmp_field']->isEmpty()) {
$criteria_sql = $criteria_sql . $proto_tmp;
$join_sql = $icmp_join_sql . $join_sql;
}
}
/* ********************** Packet Scan Criteria ************************************* */
if ($layer4 == "RawIP") {
$proto_tmp = "";
/* RawIP Fields */
if (FieldRows2sql($rawip_field, $rawip_field_cnt, $proto_tmp) == 0) {
$cs->criteria['rawip_field']->SetFormItemCnt(0);
}
if (!$cs->criteria['rawip_field']->isEmpty()) {
$criteria_sql = $criteria_sql . $proto_tmp;
$join_sql = $rawip_join_sql . $join_sql;
}
}
/* ********************** Payload Criteria ***************************************** */
//$tmp_payload = "";
if (DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload) == 0) {
$cs->criteria['data']->SetFormItemCnt(0);
}
//echo "<br><br><br>";
//print_r($data);
//print_r("data_cnt: [".$data_cnt."]");
//print_r($cs->criteria['data']->isEmpty());
//print_r("criteria_ sql: [".$criteria_sql."]");
//print_r("tmp_payload: [".$tmp_payload."]");
if (!$cs->criteria['data']->isEmpty()) {
$sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.*,extra_data.* FROM acid_event";
$data_join_sql = ",extra_data ";
$criteria_sql = $criteria_sql . $tmp_payload;
}
if ($sig_join) {
$join_sql = $join_sql . $sig_join_sql;
}
$join_sql = $join_sql . $data_join_sql;
$csql[0] = $join_sql;
$criteria_sql = preg_replace("/AND\\s+\\)/", " )", preg_replace("/OR\\s+\\)/", " )", $criteria_sql));
$csql[1] = $criteria_sql;
//print_r($csql);
return $csql;
}
function PrintBASESubHeader($page_title, $page_name, $back_link, $refresh = 0, $page = "")
{
global $db, $timetz, $debug_mode, $BASE_VERSION, $BASE_path, $BASE_urlpath, $html_no_cache, $max_script_runtime, $Use_Auth_System, $stat_page_refresh_time, $refresh_stat_page, $ossim_servers, $sensors, $hosts, $database_servers, $DBlib_path, $DBtype, $db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password;
if (ini_get("safe_mode") != true) {
set_time_limit($max_script_runtime);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php
echo gettext("iso-8859-1");
?>
"/>
<?php
if ($html_no_cache == 1) {
?>
<meta http-equiv="pragma" content="no-cache"/><?php
}
?>
<?php
if ($refresh == 1 && !$_SESSION['norefresh']) {
PrintFreshPage($refresh_stat_page, $stat_page_refresh_time);
}
?>
<!-- Included Styles -->
<link rel="stylesheet" type="text/css" href="/ossim/style/av_common.css?t=<?php
echo Util::get_css_id();
?>
"/>
<link rel="stylesheet" type="text/css" href="/ossim/style/analysis/security_events/security_events.css"/>
<link rel="stylesheet" type="text/css" href="/ossim/style/jquery-ui.css"/>
<link rel="stylesheet" type="text/css" href="/ossim/style/jquery.tag-it.css"/>
<!-- <link rel="stylesheet" type="text/css" href="/ossim/style/flexigrid.css"/> -->
<link rel="stylesheet" type="text/css" href="/ossim/style/jquery.autocomplete.css"/>
<link rel="stylesheet" type="text/css" href="/ossim/style/tipTip.css"/>
<link rel="stylesheet" type="text/css" href="/ossim/style/jslider.css"/>
<link rel="stylesheet" type="text/css" href="/ossim/style/flipswitch.css"/>
<link rel="stylesheet" type="text/css" href="/ossim/style/datepicker.css"/>
<!-- Manual Styles -->
<style type="text/css">
#adv_search_button
{
margin:0px 0px 0px 5px;
}
#views table, #taxonomy table, #mfilters table, #report table {
background:none repeat scroll 0 0 #FAFAFA;
border:1px solid #BBBBBB;
color:black;
text-align:center;
-moz-border-radius:8px 8px 8px 8px;
padding: 2px;
}
#views table tr td, #taxonomy table tr td, #mfilters table tr td, #report table tr td{
padding: 0;
}
#views table tr td input, #views table,
#taxonomy table tr td input, #taxonomy table,
#taxonomy table tr td input, #report table,
#mfilters table tr td input, #mfilters table
{
font-size: 0.9em;
line-height: 0.5em;
}
#views table tr td ul{
padding: 0px;
}
#views table tr td ul li{
padding: 0px 0px 0px 12px;
list-style-type: none;
text-align: left;
margin: 0px;
clear:left;
position: relative;
height: 23px;
line-height: 1em;
}
.margin0
{
margin: 0px;
}
.left_np
{
text-align: left;
}
.par{
background: #f2f2f2;
}
.impar{
background: #fff;
}
.padding_right_5
{
padding: 0px 5px 0px 0px;
}
.padding_top_5
{
padding: 5px 0px 0px 0px;
}
.float_left
{
float: left;
}
.float_right
{
float: right;
}
#views table tr th, #taxonomy table tr th, #mfilters table tr th{
white-space:nowrap;
padding:1px 10px;
border: 1px solid #CCCCCC;
font-size: 11px;
color: #222222;
font-weight: bold;
text-align: center;
background: #E5E5E5;
background: -webkit-linear-gradient(#EFEFEF, #E5E5E5);
background: -moz-linear-gradient(#EFEFEF, #E5E5E5);
background: -o-linear-gradient(#EFEFEF, #E5E5E5);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#EFEFEF', endColorstr='#E5E5E5');
}
#viewbox{
font-size: 1.5em;
margin: 0.5em;
}
#dhtmltooltip{
position: absolute;
width: 150px;
border: 2px solid black;
padding: 2px;
background-color: lightyellow;
visibility: hidden;
z-index: 100;
}
img{
vertical-align:middle;
}
small {
font:12px arial;
}
#maintable{
background-color: white;
}
#viewtable{
background-color: white;
}
.negrita { font-weight:bold; font-size:14px; }
.thickbox { color:gray; font-size:10px; }
.header{
line-height:28px; height: 28px; background: transparent url(../pixmaps/fondo_col.gif) repeat-x scroll 0% 0%; color: rgb(51, 51, 51); font-size: 12px; font-weight: bold; text-align:center;
}
.ne { color:black }
.gr { color:#999999 }
.disabled img {
filter:alpha(opacity=50);
-moz-opacity:0.5;
-khtml-opacity: 0.5;
opacity: 0.5;
}
td.head {
border:1px solid #CCCCCC;
background: #E5E5E5;
background: -webkit-linear-gradient(#EFEFEF, #e5e5e5);
background: -moz-linear-gradient(#EFEFEF, #e5e5e5);
background: -o-linear-gradient(#EFEFEF, #e5e5e5);
filter: progid:DXImageTransform.Microsoft.gradient(startColorstr='#efefef', endColorstr='#e5e5e5');
font-size:14px;font-weight:bold;
color:#333333;
}
.left13 {
text-align:left;
font-size:13px;
}
ul.tagit
{
margin: 0px;
border:none;
}
.separated
{
border-spacing: 0px;
border-collapse: separated;
padding: 0px;
}
.separated td
{
padding: 4px 4px 4px 0px;
}
</style>
<!-- jQuery and Javascript -->
<!--[if IE]><script language="javascript" type="text/javascript" src="../js/jqplot/excanvas.js"></script><![endif]-->
<script type="text/javascript" src="../js/jquery.min.js"></script>
<script type="text/javascript" src="/ossim/js/jquery-ui.min.js"></script>
<script type="text/javascript" src="../js/greybox.js"></script>
<script type="text/javascript" src="../js/jquery.flot.pie.js" language="javascript"></script>
<script type="text/javascript" src="../js/jquery.bgiframe.min.js" language="javascript"></script>
<script type="text/javascript" src="../js/jquery.autocomplete.pack.js" language="javascript"></script>
<!-- <script type="text/javascript" src="../js/jquery.simpletip.js"></script> -->
<script type="text/javascript" src="../js/jquery.tipTip-ajax.js"></script>
<!-- jSlider -->
<script type="text/javascript" src="../js/jslider/jshashtable-2.1_src.js"></script>
<script type="text/javascript" src="../js/jslider/jquery.numberformatter-1.2.3.js"></script>
<script type="text/javascript" src="../js/jslider/tmpl.js"></script>
<script type="text/javascript" src="../js/jslider/jquery.dependClass-0.1.js"></script>
<script type="text/javascript" src="../js/jslider/draggable-0.1.js"></script>
<script type="text/javascript" src="../js/jslider/jquery.slider.js"></script>
<script type="text/javascript" src="../js/jquery.tag-it.js"></script>
<script type="text/javascript" src="../js/jquery.placeholder.js"></script>
<?php
$ipsearch = 1;
include "../host_report_menu.php";
?>
<!-- Javascript functions -->
<script type="text/javascript">
// ***** Variables *****
// Used in tooltips
var url = new Array(50);
// For greybox
var nogb = false;
// Used in calendar
var state = false;
// Selected Tab
var current_section = "<?php
echo preg_match("/base_timeline/", $_SERVER['SCRIPT_NAME']) ? "timeline" : (preg_match("/base_stat/", $_SERVER['SCRIPT_NAME']) && $_SERVER['SCRIPT_NAME'] != '/ossim/forensics/base_stat_ipaddr.php' ? "grouped" : "events");
?>
";
// ***** Functions *****
// Tooltip used in unique events plots
function showTooltip(x, y, contents, link) {
link = link.replace(".","");
link = link.replace(",","");
$('<div id="tooltip" class="tooltipLabel" onclick="load_link(\'' + url[link] + '&submit=Query DB\')"><a href="' + url[link] + '&submit=Query DB" style="font-size:10px;">' + contents + '</a></div>').css( {
position: 'absolute',
display: 'none',
top: y - 28,
left: x - 10,
border: '1px solid #ADDF53',
padding: '1px 2px 1px 2px',
'background-color': '#CFEF95',
opacity: 0.80
}).appendTo("body").fadeIn(200);
}
Array.prototype.in_array = function(p_val) {
for(var i = 0, l = this.length; i < l; i++) {
if(this[i] == p_val) {
return true;
}
}
return false;
}
// Auxiliary function for sensor input autocomplete
function mix_sensors(val) {
var sval = val.split(',');
if ($("#sensor").val() != "") var aval = $("#sensor").val().split(',');
else var aval = [];
var mixed = [];
var ind = 0;
for(var i = 0, l = sval.length; i < l; i++) {
if (aval.length>=0 || aval.in_array(sval[i])) // Before aval.length==0
mixed[ind++] = sval[i];
}
var str = "";
if (mixed.length > 0) {
str = mixed[0];
for(var i = 1, l = mixed.length; i < l; i++) {
str = str + ',' + mixed[i];
}
//alert($("#sensor").val()+" + "+val+" = "+str);
}
// return intersection
$("#sensor").val(str);
}
// Used to delete events in background
function bgtask() {
$.ajax({
type: "GET",
url: "base_bgtask.php",
data: "",
success: function(msg) {
var redirection = false;
if (msg.match(/No pending tasks/)) {
if($("#task").is(":visible")) { // check if there was a pending task
var redirection = true;
}
if ($("#task").is(":visible")) $("#task").toggle();
setTimeout("bgtask()",5000);
if(redirection) {
load_link('./base_qry_main.php?num_result_rows=-1&submit=Query+DB¤t_view=-1');
}
} else {
if ($("#task").is(":hidden")) $("#task").toggle();
$("#task").html("<img style='border: none' src='./images/sandglass.png'> Deleting in background...");
setTimeout("bgtask()",5000);
}
}
});
}
// Used in plot response
function SetIFrameSource(cid, url) {
var myframe = document.getElementById(cid);
if(myframe !== null) {
if(myframe.src){
myframe.src = url; }
else if(myframe.contentWindow !== null && myframe.contentWindow.location !== null){
myframe.contentWindow.location = url; }
else{ myframe.setAttribute('src', url); }
}
}
// Used in top plot toggle
function trendgraph() {
if ($("#iplot").is(":visible") == false) {
$('#graph_arrow').attr("src", "../pixmaps/arrow_green_down.png");
$('#iplot').toggle();
$('#loadingTrend').show();
SetIFrameSource('processframe','base_plot.php')
} else {
$('#graph_arrow').attr("src", "../pixmaps/arrow_green.png");
$('#iplot').toggle();
}
}
function show_search_tooltip()
{
var tooltip =
{
"<?php
echo _('Signature');
?>
" : 1,
"<?php
echo _('Payload');
?>
" : 1,
"<?php
echo _('Src or Dst IP');
?>
" : 1,
"<?php
echo _('Src IP');
?>
" : 1,
"<?php
echo _('Dst IP');
?>
" : 1,
"<?php
echo _('Src or Dst Host');
?>
" : 2,
"<?php
echo _('Src Host');
?>
" : 2,
"<?php
echo _('Dst Host');
?>
" : 2
}
var selected = $(this).val();
if (selected in tooltip)
{
var ul = $('<ul></ul>');
if (tooltip[selected] == 1)
{
$('<li></li>',
{
text: "<?php
echo _('Conjunction: ');
?>
'AND'"
}).appendTo(ul)
$('<li></li>',
{
text: "<?php
echo _('Disjunction: ');
?>
'OR'"
}).appendTo(ul)
}
$('<li></li>',
{
text: "<?php
echo _('Negation: ');
?>
'!'"
}).appendTo(ul)
var content = $('<div></div>',
{
id : "search_opt_tip",
text: "<?php
echo _('For this search option you can use the following operator(s) to perform complex searches:');
?>
"
})
content.append(ul)
$('#help_tooltip').removeData("tipTip").tipTip(
{
maxWidth: "300px",
content: content
}).show();
}
else
{
$('#help_tooltip').hide().tipTip('destroy');
}
}
function show_calendar()
{
$('#date_from').trigger('focus');
}
// Button more filters button action
function more_filters_toggle()
{
if ($('#more_filters').is(":visible"))
{
$('#more_filters').hide();
$('#more_filters_button').val("+ <?php
echo _("More Filters");
?>
");
}
else
{
$('#more_filters').show();
$('#more_filters_button').val("- <?php
echo _("More Filters");
?>
");
}
}
// Auxiliary format number for plot hovers
function formatNmb(nNmb){
var sRes = "";
for (var j, i = nNmb.length - 1, j = 0; i >= 0; i--, j++)
sRes = nNmb.charAt(i) + ((j > 0) && (j % 3 == 0)? "<?php
echo thousands_locale();
?>
": "") + sRes;
return sRes;
}
// [Events, Grouped, Timeline]
function load_section(section)
{
// Some layer changes when no page reload needed
if (section == "grouped")
{
$('#plot_option').hide();
$('#grouped_option').show();
}
if (section == "events")
{
$('#grouped_option').hide();
$('#plot_option').show();
}
if (section == "timeline")
{
$('#grouped_option').hide();
}
current_section = section;
$('#criteria_tagit').tagit(
{
onlyAllowDelete: true,
beforeTagRemoved: function(event, ui)
{
var url = $(ui.tag).data('info');
if(typeof url != 'undefined' && url != '')
{
load_link(url);
}
}
});
}
function load_link(url)
{
if (typeof(parent.show_overlay_spinner)=='function') parent.show_overlay_spinner();
document.location.href=url;
}
// Custom Views
// Get default view
<?php
require_once "ossim_conf.inc";
$conf = $GLOBALS["CONF"];
$idm_enabled = $conf->get_conf("enable_idm", FALSE) == 1 && Session::is_pro() ? true : false;
$login = Session::get_session_user();
$config = new User_config($db);
$default_view = $config->get($login, 'custom_view_default', 'php', "siem") != "" ? $config->get($login, 'custom_view_default', 'php', "siem") : ($idm_enabled ? 'IDM' : 'default');
?>
var default_view = "<?php
echo $default_view;
?>
";
function set_default_view(name) {
$('#view_star_'+name).attr('src', '../pixmaps/loading.gif');
$.ajax({
type: "GET",
url: "custom_view_save.php",
data: "name="+name+"&set_default=1",
success: function(msg) {
if (msg != "") {
alert(msg);
} else {
$('.view_star').attr('src', '../pixmaps/star-small-empty.png');
$('#view_star_'+name).attr('src', '../pixmaps/star-small.png');
default_view = name;
}
}
});
}
function change_view(view)
{
var url = "base_qry_main.php?num_result_rows=-1&submit=Query+DB¤t_view=-1&custom_view="+view;
load_link(url);
}
function save_view(id_img)
{
var img = $('#'+id_img).attr('src').split('/');
img = img[img.length-1];
var url = '../pixmaps/';
var src1='loading3.gif';
var src2='tick.png';
$('#'+id_img).attr('src', url+src1);
$.ajax({
type: "GET",
url: "custom_view_save.php",
data: "",
success: function(msg) {
$('#'+id_img).attr('src', url+src2);
setTimeout("($('#"+id_img+"').attr('src', '"+url+img+"'))",1000);
}
});
}
function delete_view(name)
{
$.ajax({
type: "GET",
url: "custom_view_delete.php",
data: "name="+name,
success: function(msg) {
if (msg != "") {
alert(msg);
} else {
var url = "base_qry_main.php?num_result_rows=-1&submit=Query+DB";
load_link(url);
}
}
});
}
// Greybox
//function GB_hide() { document.location.reload() }
//function GB_onclose() { nogb=false; }
function GB_onclose()
{
if (typeof(parent.show_overlay_spinner)=='function') parent.show_overlay_spinner();
document.location.reload();
}
// Triggered by custom_view_edit.php when it creates or deletes
function GB_onhide(url, params)
{
if (url.match(/newincident/))
{
document.location.href="../incidents/index.php?m_opt=analysis&sm_opt=tickets&h_opt=tickets"
return false
}
if (typeof(params) == 'object' && typeof params['change_view'] != 'undefined')
{
change_view(params['change_view']);
return false
}
}
// Solera
function solera_deepsee (from,to,src_ip,src_port,dst_ip,dst_port,proto)
{
$('#solera_form input[name=from]').val(from);
$('#solera_form input[name=to]').val(to);
$('#solera_form input[name=src_ip]').val(src_ip);
$('#solera_form input[name=src_port]').val(src_port);
$('#solera_form input[name=dst_ip]').val(dst_ip);
$('#solera_form input[name=dst_port]').val(dst_port);
$('#solera_form input[name=proto]').val(proto);
GB_show_post('Solera DeepSee ™','#solera_form',300,600);
}
// Events grouping button click
function dsgroup_for_selected()
{
var idlist = "";
var sidlist = "";
$("input:checkbox:checked").each(function() {
if(this.className == "trlnks") {
if (idlist != "") idlist += ",";
if (sidlist != "") sidlist += ",";
idlist += this.getAttribute('pid');
sidlist += this.getAttribute('psid');
}
});
if (idlist != "" && sidlist != "") {
GB_show("<?php
echo _("Insert into existing DS Group");
?>
","/policy/insertsid.php?plugin_id="+idlist+"&plugin_sid="+sidlist,'650','65%');
}
}
// Top refresh link
function re_load()
{
if (typeof(parent.show_overlay_spinner)=='function') parent.show_overlay_spinner();
if (typeof(pag_reload)=='function') pag_reload();
}
// Select all when DeleteAllOnScreen button click
function click_all(bt)
{
$("input[name^='action_chk_lst']").each(function() { $(this).attr('checked',true); });
$('#eqbtn'+bt).click()
}
// Group By selection
function group_selected(val)
{
// Reset
$('#group_button').hide();
$('#group_ip_select').css('display', 'none');
$('#group_hostname_select').css('display', 'none');
$('#group_username_select').css('display', 'none');
$('#group_port_select').css('display', 'none');
$('#group_proto_select').css('display', 'none');
// Second level
if (val.match("^ip"))
{
$('#group_ip_select').css('display', 'inline');
}
if (val.match("^hostname"))
{
$('#group_hostname_select').css('display', 'inline');
}
if (val.match("^username"))
{
$('#group_username_select').css('display', 'inline');
}
if (val.match("^port"))
{
$('#group_port_select').css('display', 'inline');
// Third level (Ports)
if ($('#group_port_select').find(":selected").val() != "portempty")
{
if (val.match("port(src|dst)") || val.match("proto") || $('#group_proto_select').find(":selected").val() != "")
{
$('#group_proto_select').css('display', 'inline');
}
}
}
// Show Group Button (All options are ready to go)
if (val == "signature"
|| val == "sensor"
|| val == "ptypes"
|| val == "plugins"
|| val == "country"
|| val == "categories"
|| (val.match("^ip")
&& $('#groupby_ip').find(":selected").val() != "ipempty")
|| (val.match("^hostname")
&& $('#groupby_hostname').find(":selected").val() != "hostnameempty")
|| (val.match("^username")
&& $('#groupby_username').find(":selected").val() != "usernameempty")
|| (val.match("^port")
&& $('#group_port_select').find(":selected").val() != "portempty"
&& $('#group_proto_select').find(":selected").val() != "portprotoempty"))
{
$('#group_button').show();
}
}
// Group by go
function go_stats()
{
if ($('#groupby_1').val() == "ip")
{
if ($('#groupby_ip').val() == "iplink")
{
load_link("base_stat_iplink.php?sort_order=events_d&fqdn=no");
}
else if ($('#groupby_ip').val() == "iplink_fqdn")
{
load_link("base_stat_iplink.php?sort_order=events_d&fqdn=yes");
}
else if ($('#groupby_ip').val() == "ipsrc")
{
load_link("base_stat_uaddr.php?addr_type=1&sort_order=occur_d");
}
else if ($('#groupby_ip').val() == "ipdst")
{
load_link("base_stat_uaddr.php?addr_type=2&sort_order=occur_d");
}
else if ($('#groupby_ip').val() == "ipboth")
{
load_link("base_stat_uaddress.php?sort_order=occur_d");
}
}
else if ($('#groupby_1').val() == "hostname")
{
if ($('#groupby_hostname').val() == "hostnamesrc")
{
load_link("base_stat_uidmsel.php?addr_type=src_hostname&sort_order=occur_d");
}
else if ($('#groupby_hostname').val() == "hostnamedst")
{
load_link("base_stat_uidmsel.php?addr_type=dst_hostname&sort_order=occur_d");
}
else
{
load_link("base_stat_uidm.php?addr_type=hostname&sort_order=occur_d");
}
}
else if ($('#groupby_1').val() == "username")
{
if ($('#groupby_username').val() == "usernamesrc")
{
load_link("base_stat_uidmsel.php?addr_type=src_userdomain&sort_order=occur_d");
}
else if ($('#groupby_username').val() == "usernamedst")
{
load_link("base_stat_uidmsel.php?addr_type=dst_userdomain&sort_order=occur_d");
}
else
{
load_link("base_stat_uidm.php?addr_type=userdomain&sort_order=occur_d");
}
}
else if ($('#groupby_1').val() == "signature")
{
load_link("base_stat_alerts.php?sort_order=occur_d");
}
else if ($('#groupby_1').val() == "port")
{
if ($('#groupby_port').val() == "portsrc")
{
if ($('#groupby_proto').val() == "portprototcp")
{
load_link("base_stat_ports.php?sort_order=occur_d&port_type=1&proto=6");
}
else if ($('#groupby_proto').val() == "portprotoudp")
{
load_link("base_stat_ports.php?sort_order=occur_d&port_type=1&proto=17");
}
else if ($('#groupby_proto').val() == "portprotoany")
{
load_link("base_stat_ports.php?sort_order=occur_d&port_type=1&proto=-1");
}
}
else if ($('#groupby_port').val() == "portdst")
{
if ($('#groupby_proto').val() == "portprototcp")
{
load_link("base_stat_ports.php?sort_order=occur_d&port_type=2&proto=6");
}
else if ($('#groupby_proto').val() == "portprotoudp")
{
load_link("base_stat_ports.php?sort_order=occur_d&port_type=2&proto=17");
}
else if ($('#groupby_proto').val() == "portprotoany")
{
load_link("base_stat_ports.php?sort_order=occur_d&port_type=2&proto=-1");
}
}
}
else if ($('#groupby_1').val() == "sensor")
{
load_link("base_stat_sensor.php?sort_order=occur_d");
}
else if ($('#groupby_1').val() == "ptypes")
{
load_link("base_stat_ptypes.php?sort_order=occur_d");
}
else if ($('#groupby_1').val() == "plugins")
{
load_link("base_stat_plugins.php?sort_order=occur_d");
}
else if ($('#groupby_1').val() == "country")
{
load_link("base_stat_country.php");
}
else if ($('#groupby_1').val() == "categories")
{
load_link("base_stat_categories.php?sort_order=occur_d");
}
}
// Postload action (call from host_report_menu.php)
function postload() {
if (typeof(parent.hide_overlay_spinner)=='function' && parent.is_loading_box())
{
parent.hide_overlay_spinner();
}
// Show spinner on form submit
$('#go_button,#bsf').on('click',function(){
if (typeof(parent.show_overlay_spinner)=='function') parent.show_overlay_spinner();
});
// CAPTURE ENTER KEY
$("#search_str").bind("keydown", function(event) {
// track enter key
var keycode = (event.keyCode ? event.keyCode : (event.which ? event.which : event.charCode));
if (keycode == 13) { // keycode for enter key
$('#submit').val('<?php
echo _("Signature");
?>
');
$('#go_button').click();
return false;
} else {
return true;
}
});
// TOOLTIPS
$('.scriptinfo').tipTip({
defaultPosition: "right",
content: function (e) {
var ip = $(this).attr('data-title').replace(/\-.*/,'');
var ctx = $(this).attr('data-title').replace(/.*\-/,'');
$.ajax({
url: 'base_netlookup.php?ip=' + ip + ';' + ctx,
success: function (response) {
e.content.html(response); // the var e is the callback function data (see above)
}
});
return '<?php
echo _("Searching") . "...";
?>
'; // We temporary show a Please wait text until the ajax success callback is called.
}
});
$('.task_info').tipTip({
defaultPosition: "down",
delay_load: 100,
maxWidth: "auto",
edgeOffset: 3,
keepAlive:false,
content: function (e) {
$.ajax({
type: 'GET',
url: 'base_bgtask.php',
success: function (response) {
e.content.html(response); // the var e is the callback function data (see above)
}
});
return '<?php
echo _("Waiting status") . "...";
?>
'; // We temporary show a Please wait text until the ajax success callback is called.
}
});
$('.riskinfo').tipTip({
defaultPosition: "left",
content: function (e) {
return $(this).attr('txt')
}
});
$('.idminfo').tipTip({
defaultPosition: "top",
content: function (e) {
return $(this).attr('txt')
}
});
$('.scriptinfoimg').tipTip({
defaultPosition: "right",
content: function (e) {
return $(this).attr('txt')
}
});
$(".tztooltip").tipTip({
defaultposition: 'right',
content: function (e) {
return $(this).attr('txt')
}
});
$('.scriptinf').tipTip({
defaultPosition: "bottom",
content: function (e) {
return $(this).attr('txt')
}
});
// AUTOCOMPLETE SEARCH FACILITY FOR SENSOR
<?php
$snortsensors = GetSensorSids($db);
$sns = array();
$sensor_keys = array();
if (Session::allowedSensors() != "") {
$user_sensors = explode(",", Session::allowedSensors());
foreach ($user_sensors as $user_sensor) {
$sensor_keys[$user_sensor]++;
}
} else {
$sensor_keys['all'] = 1;
}
foreach ($snortsensors as $ip => $sids) {
//$ip = preg_replace ("/^\[.+\]\s*/","",$ip);
$sid = implode(",", $sids);
$sname = $sensors[$ip] != "" ? $sensors[$ip] : $ip;
$sns[$sname] = array($ip, $sid);
}
// sort by sensor name
$sensor = $_GET["sensor"] != "" ? $_GET["sensor"] : $_SESSION["sensor"];
ksort($sns);
$str = $notstr = $ipsel = $ents = "";
foreach ($sns as $sname => $ip) {
if ($sensor_keys['all'] || $sensor_keys[$ip[0]]) {
$ip[0] = $sname != "" && $sname != $ip[0] ? "{$sname} [" . $ip[0] . "]" : $ip[0];
$ip[0] = preg_replace("/^\\[(.+)\\]\\s*(.+)/", "\\1 [\\2]", $ip[0]);
if ($ipsel == "") {
if ($ip[1] != "" && $sensor == "!" . $ip[1]) {
$ipsel = "\$('#sip').val('!" . $ip[0] . "');";
} elseif ($ip[1] != "" && $sensor == $ip[1]) {
$ipsel = "\$('#sip').val('" . $ip[0] . "');";
}
}
$notstr .= '{ txt:"!' . $ip[0] . '", id: "!' . $ip[1] . '" },';
$str .= '{ txt:"' . $ip[0] . '", id: "' . $ip[1] . '" },';
}
}
// IP Selected
echo $ipsel;
$db_aux = new ossim_db();
$conn_aux = $db_aux->connect();
if (Session::is_pro()) {
$my_entities = Acl::get_entities_to_assign($conn_aux);
foreach ($my_entities as $e_id => $e_name) {
if (Session::get_entity_type($conn_aux, $e_id) != 'context') {
continue;
}
$ents .= '{ txt:"' . _('Context') . ': ' . $e_name . '", id: "' . $e_id . '" },';
}
}
$db_aux->close($conn_aux);
?>
var sensors = [
<?php
echo preg_replace("/,\$/", "", $str . $notstr . $ents);
?>
];
$("#sip").autocomplete(sensors, {
minChars: 0,
width: 175,
max: 100,
matchContains: "word",
autoFill: true,
formatItem: function(row, i, max) {
return row.txt;
}
}).result(function(event, item) {
mix_sensors(item.id);
$("#bsf").click();
});
<?php
if (Session::is_pro()) {
?>
// AUTOCOMPLETE FOR DEVICE IP
<?php
// Load IPs for autocomplete
$device_ips = "";
$_already = array();
$_device_ips_aux = GetDeviceIPs($db);
foreach ($_device_ips_aux as $_s_id => $_ip) {
if (!$_already[$_ip]) {
if ($device_ips != "") {
$device_ips .= ",";
}
$device_ips .= "{ txt:\"{$_ip}\", id: \"{$_ip}\" }";
$_already[$_ip]++;
}
}
?>
var device_ips = [<?php
echo $device_ips;
?>
];
$("#device_input").autocomplete(device_ips, {
minChars: 0,
width: 175,
max: 100,
matchContains: "word",
autoFill: true,
formatItem: function(row, i, max) {
return row.txt;
}
}).result(function(event, item) {
$("#device_input").val(item.id);
$("#bsf").click();
});
<?php
}
?>
var dayswithevents = [ <?php
echo GetDatesWithEvents($db);
?>
];
/* CALENDAR PLUGIN */
$('.date_filter').datepicker(
{
buttonText: "",
showOn: "both",
dateFormat: "yy-mm-dd",
buttonImage: "/ossim/pixmaps/calendar.png",
// Color of the cells
beforeShowDay: function ( date )
{
var classname = '';
// With-Events color
var withevents = (dayswithevents.in_array(date.getTime())) ? ' evented-date' : ''
return [true, classname + withevents];
},
onClose: function(selectedDate)
{
// End date must be greater than the start date
if ($(this).attr('id') == 'date_from')
{
$('#date_to').datepicker('option', 'minDate', selectedDate );
}
else
{
$('#date_from').datepicker('option', 'maxDate', selectedDate );
}
var from = $('#date_from').val();
var to = $('#date_to').val();
if (from != '' && to != '')
{
var url = "&time_range=range&time_cnt=2&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=AND&time%5B1%5D%5B1%5D=%3C%3D"
var f1 = from.split(/\-/);
url = url + '&time%5B0%5D%5B2%5D=' + f1[1]; // month
url = url + '&time%5B0%5D%5B3%5D=' + f1[2]; // day
url = url + '&time%5B0%5D%5B4%5D=' + f1[0]; // year
url = url + '&time%5B0%5D%5B5%5D=00&time%5B0%5D%5B6%5D=00&time%5B0%5D%5B7%5D=00';
var f2 = to.split(/\-/);
url = url + '&time%5B1%5D%5B2%5D=' + f2[1]; // month
url = url + '&time%5B1%5D%5B3%5D=' + f2[2]; // day
url = url + '&time%5B1%5D%5B4%5D=' + f2[0]; // year
url = url + '&time%5B1%5D%5B5%5D=23&time%5B1%5D%5B6%5D=59&time%5B1%5D%5B7%5D=59';
<?php
$uri = Util::htmlentities_url(Util::get_sanitize_request_uri($_SERVER['REQUEST_URI']));
$actual_url = str_replace("?clear_allcriteria=1&", "?", str_replace("&clear_allcriteria=1", "", $uri)) . (preg_match("/\\?.*/", $uri) ? "&" : "?");
?>
// Go
load_link('<?php
echo $actual_url;
?>
'+url);
}
}
});
$('.ndc').disableTextSelect();
// timeline
if (typeof load_tree == 'function') load_tree();
// timeline
if (typeof gen_timeline == 'function') gen_timeline();
// report
if (typeof parent.launch_form == 'function') parent.launch_form();
// Some link handlers
$('a.trlnk,a.trlnka').each(function() {
$(this).click(function() {
nogb=true;
});
});
$('a.trlnks,input.trlnks').each(function() {
$(this).click(function() {
nogb=true;
setTimeout("nogb=false",1000);
});
});
$('.greybox').click(function(){
var t = this.title || $(this).text() || this.href;
GB_show(t,this.href, 550,'85%');
return false;
});
// Clean search box
$('#frm').submit(function() {
if ($('#search_str').attr('class') == "gr")
{
$('#search_str').val("");
}
});
// Risk slider
/*
$("#risk_slider").slider({
from: 1,
to: 5,
smooth: false,
callback: function( event, ui ) { alert('yeah'); }
});
*/
$('#more_filters_button').click(function(){
more_filters_toggle();
});
$('#adv_search_button').click(function(){
GB_show("<?php
echo _("Advanced Search");
?>
","/forensics/base_qry_form.php", 550, 900);
return false;
});
<?php
if ($_POST['gbhide'] == "1") {
?>
var params = new Array();
params['nostop'] = 1;
parent.GB_hide(params);
<?php
}
?>
// Select Section Tab
load_section(current_section);
if (current_section == 'grouped')
{
var selected_tab = 1;
}
else if (current_section == 'timeline')
{
var selected_tab = 2;
}
else
{
var selected_tab = 0;
}
/* Activating the tab plugin */
$("#tab_siem").tabs(
{
selected: selected_tab,
select: function(event, ui)
{
var action_id = $(ui.tab).data('action_id');
switch(action_id)
{
case 0:
load_section('events');
break;
case 1:
load_link('base_qry_main.php?submit=Query+DB');
break;
case 2:
load_link('<?php
echo $_SESSION["siem_default_group"] != "" ? $_SESSION["siem_default_group"] : "base_stat_alerts.php?sort_order=occur_d";
?>
');
break;
case 3:
load_section('timeline');
break;
case 4:
load_link('base_timeline.php');
break;
}
}
});
}
function report_launcher(data,type) {
var url = '<?php
echo urlencode((preg_match("/\\?/", $_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $_SERVER["REQUEST_URI"] . "?" . $_SERVER["QUERY_STRING"]) . "&complete=1");
?>
';
var dates = '<?php
echo $y1 != "" ? "&date_from=" . urlencode("{$y1}-{$m11}-{$d1}") : "&date_from=";
echo $y2 != "" ? "&date_to=" . urlencode("{$y2}-{$m21}-{$d2}") : "&date_to=";
?>
';
GB_show("<?php
echo _("Report options");
?>
",'/forensics/report_launcher.php?url='+url+'&data='+data+'&type='+type+dates,200,'40%');
return false;
}
// bgtask check
<?php
if ($_SESSION["deletetask"] != "") {
echo "bgtask();\n";
} else {
echo "// Not running";
}
?>
$('document').ready(function()
{
$('#search_type_combo').on('change', show_search_tooltip);
$('#search_type_combo').trigger('change');
$('.pholder').placeholder();
});
</script>
</head>
<body>
<?php
// Include search form, current criteria box, and stats box
if (!array_key_exists("minimal_view", $_GET) && !array_key_exists("noheader", $_GET)) {
include "base_header.php";
}
}
function top_siem_events($conn, $limit)
{
$data = array();
$sensor_where = "";
$sensor_join = "";
if (Session::allowedSensors() != "") {
$user_sensors = explode(",", Session::allowedSensors());
$snortsensors = get_sensor_sids($conn);
$sids = array();
foreach ($user_sensors as $user_sensor) {
//echo "Sids de $user_sensor ".$snortsensors[$user_sensor][0]."<br>";
if (count($snortsensors[$user_sensor]) > 0) {
foreach ($snortsensors[$user_sensor] as $sid) {
if ($sid != "") {
$sids[] = $sid;
}
}
}
}
if (count($sids) > 0) {
$sensor_where = " AND acid_event.plugin_id=alarm.plugin_id AND acid_event.plugin_sid=alarm.plugin_sid AND acid_event.sid in (" . implode(",", $sids) . ")";
$sensor_where_ac = " WHERE acid_event.sid in (" . implode(",", $sids) . ")";
} else {
$sensor_where = " AND acid_event.plugin_id=alarm.plugin_id AND acid_event.plugin_sid=alarm.plugin_sid AND acid_event.sid in (0)";
// Vacio
$sensor_where_ac = " WHERE acid_event.sid in (0)";
// Vacio
}
$sensor_join = $counter == 1 ? "snort.acid_event as acid_event," : "snort.acid_event,";
}
if ($sensor_where_ac != "") {
$query = "SELECT count(*) as num, plugin_sid.name FROM " . str_replace(",", "", $sensor_join) . " LEFT JOIN ossim.plugin_sid ON plugin_sid.plugin_id=acid_event.plugin_id AND plugin_sid.sid=acid_event.plugin_sid {$sensor_where_ac} GROUP BY name ORDER BY num DESC LIMIT {$limit}";
} else {
$query = "SELECT sum(ac.sig_cnt) as num, plugin_sid.name FROM snort.ac_alerts_signature AS ac LEFT JOIN ossim.plugin_sid ON plugin_sid.plugin_id=ac.plugin_id AND plugin_sid.sid=ac.plugin_sid GROUP BY name ORDER BY num DESC LIMIT {$limit}";
}
if (!($rs =& $conn->Execute($query))) {
echo "error";
die($conn->ErrorMsg());
}
while (!$rs->EOF) {
$data[Util::signaturefilter($rs->fields["name"])] = $rs->fields["num"];
$rs->MoveNext();
}
return $data;
}
function PrintForm()
{
global $db;
echo '<SELECT NAME="sensor" id="sensor">
<OPTION VALUE="" ' . chk_select($this->criteria, " ") . '>' . gettext("{ any Sensor }");
// Filter by user perms if no criteria
$where_sensor = "";
if (Session::allowedSensors() != "") {
$user_sensors = explode(",", Session::allowedSensors());
$snortsensors = GetSensorSids($db);
$sensor_str = "";
foreach ($user_sensors as $user_sensor) {
if (count($snortsensors[$user_sensor]) > 0) {
$sensor_str .= ($sensor_str != "" ? ',' : '') . $snortsensors[$user_sensor];
}
}
if ($sensor_str == "") {
$sensor_str = "0";
}
$where_sensor = " AND d.id in (" . $sensor_str . ")";
}
$temp_sql = "SELECT d.id,s.name,s.ip FROM alienvault_siem.device d,alienvault.sensor s WHERE d.sensor_id=s.id {$where_sensor}";
$tmp_result = $this->db->baseExecute($temp_sql);
$varjs = "var sensortext = Array(); var sensorvalue = Array();\n";
$sensor_sid_names = array();
if ($tmp_result->row) {
$i = 0;
while ($myrow = $tmp_result->baseFetchRow()) {
//$sname = GetSensorName($myrow["sid"], $this->db);
$sname = $myrow["name"];
$sensor_sid_names[$sname] .= ($sensor_sid_names[$sname] != "" ? "," : "") . $myrow["id"];
}
foreach ($sensor_sid_names as $name => $sids) {
echo '<OPTION VALUE="' . $sids . '" ' . chk_select($this->criteria, $sids) . '>' . $name;
$varjs .= "sensortext[{$i}] = '{$name}';\n";
$varjs .= "sensorvalue[{$i}] = '" . $sids . "';\n";
$i++;
}
$tmp_result->baseFreeRows();
}
echo '</SELECT><script>' . $varjs . ' var num_sensors=' . $i . ';</script> ';
}
// SENSOR Filter mysql layer (not implemented)
//$query = "SELECT DISTINCT ac_sensor_sid.sid, sum(ac_sensor_sid.cid) as event_cnt, (select count(distinct plugin_id, plugin_sid) from ac_sensor_signature where ac_sensor_signature.sid=ac_sensor_sid.sid and ac_sensor_sid.day=ac_sensor_signature.day) as sig_cnt, (select count(distinct(ip_src)) from ac_sensor_ipsrc where ac_sensor_sid.sid=ac_sensor_ipsrc.sid and ac_sensor_sid.day=ac_sensor_ipsrc.day) as saddr_cnt, (select count(distinct(ip_dst)) from ac_sensor_ipdst where ac_sensor_sid.sid=ac_sensor_ipdst.sid and ac_sensor_sid.day=ac_sensor_ipdst.day) as daddr_cnt, min(ac_sensor_sid.first_timestamp) as first_timestamp, max(ac_sensor_sid.last_timestamp) as last_timestamp FROM ac_sensor_sid FORCE INDEX(primary) GROUP BY ac_sensor_sid.sid ORDER BY event_cnt DESC LIMIT 10";
$query = "SELECT DISTINCT sid, sum(cid) as event_cnt FROM ac_sensor_sid GROUP BY sid ORDER BY event_cnt DESC";
} else {
$query = "SELECT DISTINCT sid, sum(cid) as event_cnt FROM ac_sensor_sid GROUP BY sid ORDER BY event_cnt DESC";
}
if (!($rs =& $conn->Execute($query))) {
print $conn->ErrorMsg();
exit;
}
$s = 0;
$data = array();
while (!$rs->EOF) {
// SENSOR Filter PHP layer
$sensor_plugin = explode("-", GetSensorName($rs->fields["sid"], $conn), 2);
if ($s < 20 && (Session::allowedSensors() == "" || $sensorkeys[$sensor_plugin[0]] > 0)) {
$plugin = $sensor_plugin[1] != "" ? preg_replace("/:.*/", "", $sensor_plugin[1]) : "snort";
if ($plugin == "") {
$plugin = "snort";
}
$plugin = preg_replace("/ossec-.*/", "ossec", $plugin);
$sensor_plugin[0] = preg_replace("/:.*/", "", $sensor_plugin[0]);
$sensor = $sensors[$sensor_plugin[0]] != "" ? $sensors[$sensor_plugin[0]] : $sensor_plugin[0];
$data[$sensor][$plugin] += $rs->fields["event_cnt"];
$s++;
}
$rs->MoveNext();
}
$header = $events = array();
$header[] = "";
// first row blank
foreach ($plgs as $encoded) {
$plugins .= "," . base64_decode($encoded);
}
$plugins = preg_replace("/^,/", "", $plugins);
$risk = GET('risk');
if ($from_snort) {
// read from acid_event
$where = $plugins != "" ? "AND {$acid_table}.sid in ({$plugins}) AND timestamp>" . strtotime("-1 days") : "";
// Limit in second select when sensor is specified (OJO)
$firstlimit = Session::allowedSensors() != "" ? " limit 99999" : " limit {$max_rows}";
$key_index = $plugins != "" ? "" : str_replace("IND", "timestamp", $key_index);
//$sql = 'select "0" as plugin_id,"0" as plugin_sid, unix_timestamp(timestamp) as id, sid, signature.sig_name as plugin_sid_name, inet_ntoa(ip_src) as aux_src_ip, inet_ntoa(ip_dst) as aux_dst_ip, timestamp, ossim_risk_a as risk_a, ossim_risk_c as risk_c, (select substring_index(substring_index(hostname,":",1),"-",1) from sensor where sensor.sid = acid_event.sid) as sensor, layer4_sport as src_port, layer4_dport as dst_port, ossim_priority as priority, ossim_reliability as reliability, ossim_asset_src as asset_src, ossim_asset_dst as asset_dst, ip_proto as protocol, (select interface from sensor where sensor.sid = acid_event.sid) as interface from acid_event force index(' . $index . '), signature WHERE signature.sig_id=acid_event.signature ' . $where . ' order by timestamp desc'.$firstlimit;
$sql = "select {$acid_table}.plugin_id, {$acid_table}.plugin_sid, unix_timestamp(timestamp) as id, {$acid_table}.sid, plugin_sid.name as plugin_sid_name, inet_ntoa(ip_src) as aux_src_ip, inet_ntoa(ip_dst) as aux_dst_ip, convert_tz(timestamp,'+00:00','{$tzc}') as timestamp, ossim_risk_a as risk_a, ossim_risk_c as risk_c, (select substring_index(substring_index(hostname,':',1),'-',1) from sensor where sensor.sid = {$acid_table}.sid) as sensor, layer4_sport as src_port, layer4_dport as dst_port, ossim_priority as priority, ossim_reliability as reliability, ossim_asset_src as asset_src, ossim_asset_dst as asset_dst, ip_proto as protocol, (select interface from sensor where sensor.sid = {$acid_table}.sid) as interface from {$acid_table} {$key_index} LEFT JOIN ossim.plugin_sid ON plugin_sid.plugin_id={$acid_table}.plugin_id AND plugin_sid.sid={$acid_table}.plugin_sid WHERE 1=1 " . $where . " order by timestamp desc" . $firstlimit;
// Reselect when SENSOR is specified (better than join tables)
if (Session::allowedSensors() != "") {
$sensorlist = explode(",", Session::allowedSensors());
foreach ($sensorlist as $s) {
$wheresensor .= $wheresensor != "" ? " OR sensor='{$s}'" : " WHERE sensor='{$s}'";
}
$sql = "SELECT * FROM ({$sql}) as preselect{$wheresensor} LIMIT {$max_rows}";
}
// QUERY DEBUG:
//$f = fopen ("/tmp/sensordebug","w");
//fputs ($f,$sql."\n");
//fclose ($f);
if (!($rs =& $snort_conn->Execute($sql))) {
echo "// Query error: {$sql}\n// " . $snort_conn->ErrorMsg() . "\n";
return;
}
} else {
// read from event_tmp
$conf = $GLOBALS['CONF'];
$conf_threshold = $conf->get_conf('threshold');
$db = new ossim_db();
$conn = $db->connect();
//ajax_set_values();
$host_qualification_cache = get_host_qualification($conn);
$net_qualification_cache = get_net_qualification($conn);
////////////////////////////////////////////////////////////////
// Network Groups
////////////////////////////////////////////////////////////////
// If allowed_nets === null, then permit all
$allowed_nets = Session::allowedNets($user);
if ($allowed_nets) {
$allowed_nets = explode(',', $allowed_nets);
}
$allowed_sensors = Session::allowedSensors($user);
if ($allowed_sensors) {
$allowed_sensors = explode(',', $allowed_sensors);
}
$net_where = "";
if ($allowed_sensors != "" || $allowed_nets != "") {
$nets_aux = Net::get_list($conn);
$networks_str = "";
foreach ($nets_aux as $net) {
$networks_str .= $networks_str != "" ? ",'" . $net->get_name() . "'" : "'" . $net->get_name() . "'";
}
if ($networks_str != "") {
$net_where = " AND net.name in ({$networks_str})";
}
}
//$net_limit = " LIMIT $from,$max";
function PrintForm()
{
global $db;
echo '<SELECT NAME="sensor" id="sensor">
<OPTION VALUE=" " ' . chk_select($this->criteria, " ") . '>' . gettext("{ any Sensor }");
// Filter by user perms if no criteria
$where_sensor = "";
if (Session::allowedSensors() != "") {
$user_sensors = explode(",", Session::allowedSensors());
$snortsensors = GetSensorSids($db);
$sensor_str = "";
foreach ($user_sensors as $user_sensor) {
if (count($snortsensors[$user_sensor]) > 0) {
$sensor_str .= $sensor_str != "" ? "," . implode(",", $snortsensors[$user_sensor]) : implode(",", $snortsensors[$user_sensor]);
}
}
if ($sensor_str == "") {
$sensor_str = "0";
}
$where_sensor = " WHERE sid in (" . $sensor_str . ")";
}
$temp_sql = "SELECT * FROM sensor{$where_sensor}";
$tmp_result = $this->db->baseExecute($temp_sql);
$varjs = "var sensortext = Array(); var sensorvalue = Array();\n";
$sensor_sid_names = array();
if ($tmp_result->row) {
$i = 0;
while ($myrow = $tmp_result->baseFetchRow()) {
//$sname = GetSensorName($myrow["sid"], $this->db);
$sname = $myrow["sensor"] != "" ? $myrow["sensor"] : preg_replace("/-.*/", "", $myrow["hostname"]);
$sensor_sid_names[$sname] .= ($sensor_sid_names[$sname] != "" ? "," : "") . $myrow["sid"];
//echo '<OPTION VALUE="' . $myrow[0] . '" ' . chk_select($this->criteria, $myrow[0]) . '>' . '[' . $myrow[0] . '] ' . $sname;
//$varjs.= "sensortext[$i] = '$sname';\n";
//$varjs.= "sensorvalue[$i] = '" . $myrow[0] . "';\n";
}
foreach ($sensor_sid_names as $name => $sids) {
echo '<OPTION VALUE="' . $sids . '" ' . chk_select($this->criteria, $sids) . '>' . $name;
$varjs .= "sensortext[{$i}] = '{$name}';\n";
$varjs .= "sensorvalue[{$i}] = '" . $sids . "';\n";
$i++;
}
$tmp_result->baseFreeRows();
}
echo '</SELECT><script>' . $varjs . ' var num_sensors=' . $i . ';</script> ';
}
function import_assets_csv($filename)
{
require_once 'classes/Util.inc';
$response = array();
$db = new ossim_db();
$conn = $db->connect();
if (($content = file($filename, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)) == false) {
$response['file_errors'] = "Failed to read file";
$response['status'] = false;
return $response;
} else {
foreach ($content as $k => $v) {
$data[] = explode(";", $v);
}
}
$cont = 0;
ini_set('max_execution_time', 180);
ids_valid($data);
if (count($data) <= 0) {
$response['file_errors'] = _("Incompatible file format");
$response['status'] = false;
return $response;
}
$allowed_sensors = Session::allowedSensors();
if (!empty($allowed_sensors)) {
$my_allowed_sensors = explode(',', $allowed_sensors);
} else {
$response['file_errors'] = _("You need at least one sensor assigned");
$response['status'] = false;
return $response;
}
foreach ($data as $k => $v) {
$response['status'] = true;
$response['read_line'] = $cont;
$cont++;
if (count($v) != 8) {
$response['line_errors'][$cont][] = array("Line", _("Format not allowed"));
$response['status'] = false;
}
$param = array();
foreach ($v as $i => $field) {
$parameter = trim($field);
$pattern = '/^\\"|\\"$|^\'|\'$/';
$param[] = preg_replace($pattern, '', $parameter);
}
//IP
if (!ossim_valid($param[0], OSS_IP_ADDR, 'illegal:' . _("IP"))) {
$response['line_errors'][$cont][] = array("IP", ossim_get_error_clean());
$response['status'] = false;
}
//Hostname
if (empty($param[1])) {
$param[1] = $param[0];
} else {
if (!ossim_valid($param[1], OSS_SCORE, OSS_ALPHA, OSS_PUNC, 'illegal:' . _("Hostname"))) {
$response['line_errors'][$cont][] = array("Hostname", ossim_get_error_clean());
$response['status'] = false;
ossim_clean_error();
}
}
//FQDNs
if (!empty($param[2])) {
$fqdns_list = explode(",", $param[2]);
foreach ($fqdns_list as $k => $fqdn) {
if (!ossim_valid(trim($fqdn), OSS_NULLABLE, OSS_ALPHA, OSS_PUNC, 'illegal:' . _("FQDN/Aliases"))) {
$response['line_errors'][$cont][] = array("FQDN/Aliases", ossim_get_error_clean());
$response['status'] = false;
ossim_clean_error();
}
}
}
//Description
if (!ossim_valid($param[3], OSS_NULLABLE, OSS_SCORE, OSS_ALPHA, OSS_PUNC, OSS_AT, 'illegal:' . _("Description"))) {
$response['line_errors'][$cont][] = array("Description", ossim_get_error_clean());
$response['status'] = false;
ossim_clean_error();
}
//Asset
if ($param[4] == '') {
$param[4] = 2;
} else {
if (!ossim_valid($param[4], OSS_NULLABLE, OSS_DIGIT, 'illegal:' . _("Asset value"))) {
$response['line_errors'][$cont][] = array("Asset", ossim_get_error_clean());
$response['status'] = false;
ossim_clean_error();
}
}
//NAT
if (!ossim_valid($param[5], OSS_NULLABLE, OSS_IP_ADDR, 'illegal:' . _("NAT"))) {
$response['line_errors'][$cont][] = array("NAT", ossim_get_error_clean());
$response['status'] = false;
ossim_clean_error();
}
//Sensors
$sensors = array();
if (!empty($param[6])) {
$sensor_name = array();
$list = explode(",", $param[6]);
$sensors_list = array_intersect($list, $my_allowed_sensors);
if (!empty($sensors_list)) {
foreach ($sensors_list as $sensor) {
$sensors[] = Sensor::get_sensor_name($conn, $sensor);
}
} else {
$response['line_errors'][$cont][] = array("Sensors", _("You need at least one allowed Sensor"));
$response['status'] = false;
ossim_clean_error();
}
} else {
$response['line_errors'][$cont][] = array("Sensors", _("Column Sensors is empty"));
$response['status'] = false;
ossim_clean_error();
}
$list_os = array("Windows", "Linux", "FreeBSD", "NetBSD", "OpenBSD", "MacOS", "Solaris", "Cisco", "AIX", "HP-UX", "Tru64", "IRIX", "BSD/OS", "SunOS", "Plan9", "IPhone");
//Operating System
if (!empty($param[7]) && !in_array($param[7], $list_os)) {
$param[7] = "Unknown";
}
if ($response['status'] == true) {
//Parameters
$ip = $param[0];
$hostname = $param[1];
$asset = $param[4];
$threshold_c = 30;
$threshold_a = 30;
$rrd_profile = "";
$alert = 0;
$persistence = 0;
$nat = $param[5];
$descr = $param[3];
$os = $param[7];
$fqdns = $param[2];
$latitude = '';
$longitude = '';
$icon = 0;
if (!Host::in_host($conn, $ip)) {
Host::insert($conn, $ip, $hostname, $asset, $threshold_c, $threshold_a, $rrd_profile, $alert, $persistence, $nat, $sensors, $descr, $os, $mac, $mac_vendor, $latitude, $longitude, $fqdns, $icon);
} else {
Host::update($conn, $ip, $hostname, $asset, $threshold_c, $threshold_a, $rrd_profile, $alert, $persistence, $nat, $sensors, $descr, $os, $mac, $mac_vendor, $latitude, $longitude, $fqdns, $icon);
}
}
}
$response['read_line'] = $cont;
return $response;
}
</table>
</td>
<td class="left" valign="top" style="padding-top:8px; border:none;">
<a href="#" onclick="checkall('sensor');return false;"><?php
echo gettext("Select / Unselect all");
?>
</a>
<hr noshade='noshade'>
<?php
$i = 0;
foreach ($sensor_list as $sensor) {
$sensor_name = $sensor->get_name();
$sensor_ip = $sensor->get_ip();
$input = "<input type=\"checkbox\" class='sensor' name=\"sensor{$i}\" value=\"" . $sensor_ip . "\"";
if (false !== strpos(Session::allowedSensors($user->get_login()), $sensor_ip)) {
$input .= " checked='checked' ";
}
if ($sensors || $user->get_login() == 'admin') {
$input .= " checked='checked' ";
}
if ($user->get_login() == 'admin') {
$input .= "disabled='disabled'";
}
$input .= "/>{$sensor_name}<br/>";
echo $input;
$i++;
}
?>
<input type="hidden" name="nsensors" value="<?php
function server_get_sensors_socket()
{
$allowed_sensors = explode(',', Session::allowedSensors());
$ossim_conf = $GLOBALS['CONF'];
if (!$ossim_conf) {
$ossim_conf = new Ossim_conf();
$GLOBALS['CONF'] = $ossim_conf;
}
/* get the port and IP address of the server */
$address = $ossim_conf->get_conf('server_address');
$port = $ossim_conf->get_conf('server_port');
/* create socket */
$socket = socket_create(AF_INET, SOCK_STREAM, 0);
if ($socket < 0) {
return array($list, '<strong>' . _('socket_create() failed') . '<br/> ' . _('Reason: ') . '</strong>' . socket_strerror($socket));
}
$list = array();
/* connect */
socket_set_block($socket);
socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array('sec' => 4, 'usec' => 0));
socket_set_option($socket, SOL_SOCKET, SO_SNDTIMEO, array('sec' => 4, 'usec' => 0));
$result = @socket_connect($socket, $address, $port);
if (!$result) {
$errmsg = sprintf(_("Unable to connect to %s server. Please, wait until it's available again or check if it's running at %s"), Session::is_pro() ? "USM" : "OSSIM", "{$address}:{$port}");
return array($list, $errmsg);
}
/* first send a connect message to server */
$in = 'connect id="1" type="web"' . "\n";
$out = '';
socket_write($socket, $in, strlen($in));
$out = @socket_read($socket, 2048, PHP_BINARY_READ);
if (strncmp($out, 'ok id=', 4)) {
$errmsg = sprintf(_("Bad response from %s server. Please, wait until it's available again or check if it's running at %s"), Session::is_pro() ? "USM" : "OSSIM", "{$address}:{$port}");
return array($list, $errmsg);
}
/* get sensors from server */
$in = 'server-get-sensor-plugins id="2"' . "\n";
$output = '';
socket_write($socket, $in, strlen($in));
$pattern = '/sensor="([^"]*)" plugin_id="([^"]*)" state="([^"]*)" enabled="([^"]*)"/ ';
// parse results
while ($output = socket_read($socket, 2048, PHP_BINARY_READ)) {
$lines = explode("\n", $output);
foreach ($lines as $out) {
if (preg_match($pattern, $out, $regs)) {
//if (Session::hostAllowed($conn, $regs[1])) {
if (in_array($regs[1], $allowed_sensors) || Session::allowedSensors() == "") {
$list[$regs[1]][$regs[2]]['enabled'] = $regs[4];
$list[$regs[1]][$regs[2]]['state'] = $regs[3];
}
} elseif (!strncmp($out, 'ok id=', 4)) {
break;
}
}
}
socket_close($socket);
return array($list, '');
}
require_once "ossim_db.inc";
$db = new ossim_db();
$conn = $db->connect();
if ($debug) {
echo "Retrieving Assets from entity/user: {$filter_by}...";
}
$allowedNets = "";
$allowedSensors = "";
if ($filter_by != "") {
// Entity
if (preg_match("/^\\d+\$/", $filter_by)) {
$allowedSensors = Session::entityPerm($conn, $filter_by, "sensors");
$allowedNets = Session::entityPerm($conn, $filter_by, "assets");
// Username
} elseif (preg_match("/^[A-Za-z0-9\\_\\-\\.]+\$/", $filter_by)) {
$allowedSensors = Session::allowedSensors($filter_by);
$allowedNets = Session::allowedNets($filter_by);
}
}
if ($allowedNets == "" && $allowedSensors == "") {
if ($debug) {
echo "no filters for {$filter_by}\n";
}
} else {
// 1) GET ALLOWED HOSTS
$sensor_where = "";
if ($allowedSensors != "") {
$user_sensors = explode(",", $allowedSensors);
$sensor_str = "";
foreach ($user_sensors as $user_sensor) {
if ($user_sensor != "") {
