/**
 * Builds the asset-permission filter fragment for an event or alarm query.
 *
 * The hosts/nets the session is allowed to see come from
 * Session::get_host_where() / Session::get_net_where(); when both are empty
 * no restriction is produced.
 *
 * @param string $type  'event' restricts {$alias}.src_*/dst_* columns; any other
 *                      value restricts through alarm_hosts / alarm_nets joined on
 *                      alarm.backlog_id
 * @param string $alias table alias used for the event columns
 * @return array array($join, $where): extra FROM-clause tables and an " AND ..." fragment
 */
function make_asset_filter($type = 'event', $alias = 'acid_event')
{
    $hosts     = Session::get_host_where();
    $nets      = Session::get_net_where();
    $has_hosts = ($hosts != '');
    $has_nets  = ($nets != '');

    // No asset restriction on this session: nothing to add to the query.
    if (!$has_hosts && !$has_nets) {
        return array('', '');
    }

    if ($type == 'event') {
        $terms = array();
        if ($has_hosts) {
            $terms[] = "{$alias}.src_host in ({$hosts}) OR {$alias}.dst_host in ({$hosts})";
        }
        if ($has_nets) {
            $terms[] = "{$alias}.src_net in ({$nets}) OR {$alias}.dst_net in ({$nets})";
        }

        return array('', ' AND (' . implode(' OR ', $terms) . ')');
    }

    // Alarm queries: the asset ids live in the alarm_hosts / alarm_nets side tables.
    if ($has_hosts && $has_nets) {
        $join  = ",alarm_hosts, alarm_nets ";
        $where = " AND alarm.backlog_id=alarm_hosts.id_alarm"
               . " AND alarm.backlog_id=alarm_nets.id_alarm AND (alarm_hosts.id_host in ({$hosts}) OR alarm_nets.id_net in ({$nets}))";
    } elseif ($has_hosts) {
        $join  = ",alarm_hosts ";
        $where = " AND alarm.backlog_id=alarm_hosts.id_alarm AND alarm_hosts.id_host in ({$hosts})";
    } else {
        $join  = ",alarm_nets ";
        $where = " AND alarm.backlog_id=alarm_nets.id_alarm AND alarm_nets.id_net in ({$nets})";
    }

    return array($join, $where);
}
/**
 * Builds the " AND ..." SQL fragment that restricts event rows to the
 * session's context and asset permissions.
 *
 * @param string $alias table alias used for the ctx / src_* / dst_* columns
 * @return string empty when the session has no restriction, otherwise a fragment
 *                starting with " AND " suitable for appending to a WHERE clause
 */
function GetPerms($alias = "acid_event")
{
    $conditions = array();

    $domain = Session::get_ctx_where();
    if ($domain != "") {
        $conditions[] = " AND {$alias}.ctx in ({$domain})";
    }

    // Asset filter: hosts and nets are OR-ed inside a single parenthesised group
    $host_perms = Session::get_host_where();
    $net_perms  = Session::get_net_where();

    $asset_terms = array();
    if ($host_perms != "") {
        $asset_terms[] = "{$alias}.src_host in ({$host_perms}) OR {$alias}.dst_host in ({$host_perms})";
    }
    if ($net_perms != "") {
        $asset_terms[] = "{$alias}.src_net in ({$net_perms}) OR {$alias}.dst_net in ({$net_perms})";
    }
    if (!empty($asset_terms)) {
        $conditions[] = " AND (" . implode(" OR ", $asset_terms) . ")";
    }

    return implode("", $conditions);
}
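/**
 * Imports networks from a CSV file (fields separated by '";"', one net per line).
 *
 * Accepted layouts:
 *  - Net section, v4.x.x:   "Netname"*;"CIDRs(CIDR1,CIDR2,...)"*;"Description";"Asset value"*;"Net ID"
 *  - Net section, v3.x.x:   "Netname"*;"CIDRs(CIDR1,CIDR2,...)"*;"Description";"Asset value";"Sensors(Sensor1,Sensor2,...)"*
 *  - Welcome wizard, v4.x.x: "Netname"*;"CIDRs(CIDR1,CIDR2,...)"*;"Description"
 *
 * @param string $filename    path of the CSV file to read
 * @param mixed  $iic         when non-empty, net names are passed through clean_iic() before validation
 * @param string $ctx         context (entity) id as a hex string; used for the sensor lookup and stored on every net
 * @param string $import_type 'networks' (net section, header line required) or 'welcome_wizard_nets'
 * @return array summary: ['general' => ['status', 'data', 'statistics' => [total, warnings, errors, saved]],
 *                        'by_nets' => [line => ['status', 'data', 'errors' => [...], 'warnings' => [...]]]]
 */
function import_assets_from_csv($filename, $iic, $ctx, $import_type)
{
    //Process status
    $summary = array(
        'general' => array(
            'status'     => '',
            'data'       => '',
            'statistics' => array('total' => 0, 'warnings' => 0, 'errors' => 0, 'saved' => 0),
        ),
        'by_nets' => array(),
    );

    // $ctx is interpolated into a SQL fragment (sensor filter) below; accept hex only
    // so it cannot break out of the quoted literal.
    if (!ctype_xdigit((string) $ctx)) {
        $summary['general']['status'] = 'error';
        $summary['general']['data']   = _('Invalid context');
        $summary['general']['statistics']['errors'] = 1;

        return $summary;
    }

    $str_data = file_get_contents($filename);
    if ($str_data === FALSE) {
        $summary['general']['status'] = 'error';
        // 'data' is a string in every other branch; keep it a string here too.
        $summary['general']['data']   = _('Failed to read data from CSV file');
        $summary['general']['statistics']['errors'] = 1;

        return $summary;
    }

    // Lines may end with CR or LF; blank lines are dropped.
    $data       = array();
    $array_data = preg_split('/\\n|\\r/', $str_data);
    foreach ($array_data as $v) {
        if (trim($v) != '') {
            $data[] = explode('";"', trim($v));
        }
    }

    set_time_limit(360);

    //Check file size (a file holding only the header line counts as empty)
    if (count($data) <= 0 || count($data) == 1 && preg_match('/Netname/', $data[0][0])) {
        $summary['general']['status'] = 'error';
        $summary['general']['data']   = _('CSV file is empty');
        $summary['general']['statistics']['errors'] = 1;

        return $summary;
    }

    //Check importation type and headers
    $csv_headers = array();
    if ($import_type == 'networks') {
        $has_header = preg_match('/Net ID/', $data[0][4]) || preg_match('/Sensors/', $data[0][4]);
        if (!$has_header) {
            $summary['general']['status'] = 'error';
            $summary['general']['data']   = _('Headers not found');
            $summary['general']['statistics']['errors'] = 1;

            return $summary;
        }
        $csv_headers = array_shift($data);
    }

    //Setting total nets to import
    $summary['general']['statistics']['total'] = count($data);

    $db   = new ossim_db();
    $conn = $db->connect();

    //Allowed sensors for this context
    $filters    = array('where' => "acl_sensors.entity_id = UNHEX('{$ctx}')");
    $a_sensors  = Av_sensor::get_basic_list($conn, $filters);
    $sensor_ids = array_keys($a_sensors);
    if (count($sensor_ids) == 0) {
        $summary['general']['status'] = 'error';
        $s_error_msg = Session::is_pro() ? _('There is no sensor for this context') : _('There is no sensor for this net');
        $summary['general']['data'] = $s_error_msg;
        $summary['general']['statistics']['errors'] = 1;
        $db->close();

        return $summary;
    }

    // Session permission does not change from line to line
    $can_i_create_assets = Session::can_i_create_assets();

    Util::disable_perm_triggers($conn, TRUE);

    foreach ($data as $k => $v) {
        //Clean previous errors
        ossim_clean_error();
        $num_line = $k + 1;

        //Set default status
        $summary['by_nets'][$num_line]['status'] = 'error';

        //Check file format
        $cnd_1 = $import_type == 'networks' && count($v) < 5;
        $cnd_2 = $import_type == 'welcome_wizard_nets' && count($v) < 3;
        if ($cnd_1 || $cnd_2) {
            $summary['by_nets'][$num_line]['errors']['Format'] = _('Number of fields is incorrect');
            $summary['general']['statistics']['errors']++;
            continue;
        }

        //Clean values: strip a surrounding double or single quote from every field
        $param   = array();
        $pattern = '/^\\"|\\"$|^\'|\'$/';
        foreach ($v as $field) {
            $param[] = preg_replace($pattern, '', trim($field));
        }

        //Values
        $is_in_db         = FALSE;
        $net_id           = '';
        $name             = $param[0];
        $cidrs            = preg_replace("/[\n\r\t]+/", '', $param[1]);
        $descr            = $param[2];
        $asset_value      = $param[3] == '' ? 2 : intval($param[3]);
        $sensors          = $sensor_ids;
        $can_i_modify_ips = TRUE;

        //CIDRs
        if (!ossim_valid($cidrs, OSS_IP_CIDR, 'illegal:' . _('CIDR'))) {
            $summary['by_nets'][$num_line]['errors']['CIDRs'] = ossim_get_error_clean();
            $summary['general']['statistics']['errors']++;
            continue;
        }

        //Check Net ID: is there a net registered in the System with these CIDRs?
        $net_ids = Asset_net::get_id_by_ips($conn, $cidrs, $ctx);
        $net_id  = key($net_ids);
        if (!empty($net_id)) {
            $is_in_db = TRUE;
        } else {
            $net_id = Util::uuid();
        }

        // Special case: Forced Net ID [Version 4.x.x]
        if ($import_type == 'networks' && preg_match('/Net ID/', $csv_headers[4])) {
            $csv_net_id = strtoupper($param[4]);
            if ($is_in_db == TRUE && $csv_net_id != $net_id) {
                $id_error_msg = _('Net is already registered in the System with another Net ID');
                $summary['by_nets'][$num_line]['errors']['Net'] = $id_error_msg;
                $summary['general']['statistics']['errors']++;
                continue;
            }
        }

        //Netname
        if (!empty($iic)) {
            $name = clean_iic($name);
        }
        if (!ossim_valid($name, OSS_NOECHARS, OSS_NET_NAME, 'illegal:' . _('Netname'))) {
            // Try once more with a cleaned-up name; report it as a warning if that one is valid
            ossim_clean_error();
            $name = clean_iic($name);
            $name = clean_echars($name);
            $warning_msg = _('Netname has invalid characters') . '<br/>' . _('Netname will be replaced by') . ": <strong>{$name}</strong>";
            $summary['by_nets'][$num_line]['warnings']['Netname'] = $warning_msg;
            $summary['by_nets'][$num_line]['status'] = 'warning';
            $summary['general']['statistics']['warnings']++;

            if (!ossim_valid($name, OSS_NOECHARS, OSS_NET_NAME, 'illegal:' . _('Netname'))) {
                // Cleaned name is still invalid: turn the warning into an error
                unset($summary['by_nets'][$num_line]['warnings']);
                $summary['general']['statistics']['warnings']--;
                $summary['by_nets'][$num_line]['status'] = 'error';
                $summary['by_nets'][$num_line]['errors']['Netname'] = ossim_get_error_clean();
                $summary['general']['statistics']['errors']++;
                continue;
            }
        }

        //Description
        if (!ossim_valid($descr, OSS_NULLABLE, OSS_AT, OSS_TEXT, '\\t', 'illegal:' . _('Description'))) {
            $summary['by_nets'][$num_line]['errors']['Description'] = ossim_get_error_clean();
            $summary['general']['statistics']['errors']++;
            continue;
        }
        // UTF-8 descriptions are stored as HTML entities
        if (mb_detect_encoding($descr . ' ', 'UTF-8,ISO-8859-1') == 'UTF-8') {
            $descr = mb_convert_encoding($descr, 'HTML-ENTITIES', 'UTF-8');
        }

        //Sensor: only unregistered nets take their sensors from the file
        if ($is_in_db == FALSE && $import_type == 'networks' && preg_match('/Sensors/', $csv_headers[4])) {
            //Special case: Sensors in CSV file [Version 3.x.x], matched by sensor IP
            $sensors  = array();
            $_sensors = explode(',', $param[4]);
            if (is_array($_sensors) && !empty($_sensors)) {
                $_sensors = array_flip($_sensors);
                if (is_array($a_sensors) && !empty($a_sensors)) {
                    foreach ($a_sensors as $s_id => $s_data) {
                        if (array_key_exists($s_data['ip'], $_sensors)) {
                            $sensors[] = $s_id;
                        }
                    }
                }
            }

            if (!is_array($sensors) || empty($sensors)) {
                $s_error_msg = Session::is_pro() ? _('There is no sensors for this context') : _('There is no sensors for this IP');
                $summary['by_nets'][$num_line]['errors']['Sensors'] = $s_error_msg;
                $summary['general']['statistics']['errors']++;
                continue;
            }
        }

        //Only for importation from net section: asset value
        if ($import_type == 'networks' && !ossim_valid($asset_value, OSS_DIGIT, 'illegal:' . _('Asset value'))) {
            $summary['by_nets'][$num_line]['errors']['Asset value'] = ossim_get_error_clean();
            $summary['general']['statistics']['errors']++;
            continue;
        }

        //Insert/Update net in database
        if (!empty($summary['by_nets'][$num_line]['errors'])) {
            continue;
        }

        try {
            $net = new Asset_net($net_id);
            if ($is_in_db == TRUE) {
                $net->load_from_db($conn, $net_id);
                $can_i_modify_ips = Asset_net::can_i_modify_ips($conn, $net_id);
            } elseif ($can_i_create_assets == FALSE) {
                $n_error_msg = _('Net') . ' ' . $name . ' ' . _("not allowed. You don't have permissions to import this net");
                $summary['by_nets'][$num_line]['errors']['Net'] = $n_error_msg;
                $summary['general']['statistics']['errors']++;
                continue;
            }

            //Check CIDRs
            if ($can_i_modify_ips == TRUE) {
                $aux_cidr = explode(',', $cidrs);
                foreach ($aux_cidr as $cidr) {
                    // Any other net (the current one excluded) already owning this CIDR is a conflict
                    $net_ids = Asset_net::get_id_by_ips($conn, $cidr, $ctx);
                    unset($net_ids[$net_id]);
                    if (!empty($net_ids)) {
                        $c_error_msg = _('CIDR') . ' ' . $cidrs . ' ' . _("not allowed. CIDR {$cidr} already exists for this entity");
                        $summary['by_nets'][$num_line]['errors']['CIDRs'] = $c_error_msg;
                        $summary['general']['statistics']['errors']++;
                        break;
                    }

                    // Session asset filter: the CIDR must fall inside one of the user's nets
                    if (Session::get_net_where() != '' && !Asset_net::is_cidr_in_my_nets($conn, $cidr, $ctx)) {
                        $c_error_msg = _('CIDR') . ' ' . $cidrs . ' ' . _("not allowed. CIDR {$cidr} out of range. Check your asset filter");
                        $summary['by_nets'][$num_line]['errors']['CIDRs'] = $c_error_msg;
                        $summary['general']['statistics']['errors']++;
                        break;
                    }
                }
            } else {
                $c_error_msg = _('Net') . ' ' . $name . ': ' . _("CIDRs not allowed. CIDRs wasn't be modified");
                $summary['by_nets'][$num_line]['status'] = 'warning';
                // Counted under statistics.warnings (previously incremented a non-existent 'warnings.errors' key)
                $summary['general']['statistics']['warnings']++;
                $summary['by_nets'][$num_line]['warnings']['CIDRs'] = $c_error_msg;
            }

            //Setting new values
            if (!empty($summary['by_nets'][$num_line]['errors'])) {
                continue;
            }

            $net->set_ctx($ctx);
            $net->set_name($name);
            $net->set_descr($descr);
            if ($is_in_db == FALSE) {
                // CIDRs and sensors are only written for new nets
                if ($can_i_modify_ips == TRUE) {
                    $net->set_ips($cidrs);
                }
                $net->set_sensors($sensors);
            }
            $net->set_asset_value($asset_value);
            $net->save_in_db($conn, FALSE);

            $summary['general']['statistics']['saved']++;
            $summary['by_nets'][$num_line]['data'] = $is_in_db == TRUE ? _('Net updated') : _('New net inserted');

            //Keep warnings
            if ($summary['by_nets'][$num_line]['status'] != 'warning') {
                $summary['by_nets'][$num_line]['status'] = 'success';
            }
        } catch (Exception $e) {
            $summary['by_nets'][$num_line]['errors']['Database error'] = $e->getMessage();
            $summary['general']['statistics']['errors']++;
        }
    }

    // Re-enable the triggers whatever happened inside the loop
    // (they used to stay disabled when no net was saved).
    Util::disable_perm_triggers($conn, FALSE);

    if ($summary['general']['statistics']['saved'] > 0) {
        if ($summary['general']['statistics']['errors'] == 0) {
            $summary['general']['status'] = 'success';
            $summary['general']['data']   = _('All nets have been imported successfully');
        } else {
            $summary['general']['status'] = 'warning';
            $summary['general']['data']   = _('Some nets could not be imported successfully');
        }

        try {
            Asset_net::report_changes($conn, 'nets');
        } catch (Exception $e) {
            error_log($e->getMessage(), 0);
        }
    } else {
        $summary['general']['statistics']['errors'] = count($data);

        //CSV file is not empty, but all lines are wrong
        if (empty($summary['general']['status'])) {
            $summary['general']['status'] = 'error';
            $summary['general']['data']   = _('Nets could not be imported');
        }
    }

    $db->close();

    return $summary;
}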
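// When the session carries an asset filter, an unrestricted ("ANY") or empty
// source/destination selection is narrowed to the explicit list of hosts and
// nets the user may see. Both selections use the same list, so it is built once
// instead of querying hosts and nets twice.
$asset_filter_active = (Session::get_host_where() != "" || Session::get_net_where() != "");
$force_from_list     = $asset_filter_active && (GET('from') == "ANY" || GET('from_list') == "");
$force_to_list       = $asset_filter_active && (GET('to') == "ANY" || GET('to_list') == "");

if ($force_from_list || $force_to_list) {
    $assets_aux = array();

    $_list_data = Asset_host::get_basic_list($conn);
    $_host_aux  = array_keys($_list_data[1]);
    foreach ($_host_aux as $h_id) {
        $assets_aux[] = Util::uuid_format($h_id);
    }

    $_list_data = Asset_net::get_list($conn);
    $_net_aux   = array_keys($_list_data[0]);
    foreach ($_net_aux as $n_id) {
        $assets_aux[] = Util::uuid_format($n_id);
    }

    $allowed_assets = implode(",", $assets_aux);

    if ($force_from_list) {
        $_GET["from"]      = "LIST";
        $_GET["from_list"] = $allowed_assets;
    }
    if ($force_to_list) {
        $_GET["to"]      = "LIST";
        $_GET["to_list"] = $allowed_assets;
    }
}

if (GET("from") == "LIST") {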
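/**
 * Top SIEM event signatures by aggregated count, restricted to the session's
 * context and asset permissions.
 *
 * @param object $conn  database connection exposing Execute() / ErrorMsg() and
 *                      result sets with EOF / fields / MoveNext()
 * @param int    $limit maximum number of rows; it is interpolated into the query,
 *                      so it is cast to an integer first
 * @return array signature name (after Util::signaturefilter) => summed count
 */
function top_siem_events($conn, $limit)
{
    $data = array();

    // $limit goes straight into the SQL text: only an integer may reach it.
    $limit = (int) $limit;

    $perms_sql = "WHERE 1=1";

    $domain = Session::get_ctx_where();
    if ($domain != "") {
        $perms_sql .= " AND ac.ctx in ({$domain})";
    }

    // Asset filter
    $hosts = Session::get_host_where();
    $nets  = Session::get_net_where();
    if ($hosts != "") {
        $perms_sql .= " AND (ac.src_host in ({$hosts}) OR ac.dst_host in ({$hosts})";
        if ($nets != "") {
            $perms_sql .= " OR ac.src_net in ({$nets}) OR ac.dst_net in ({$nets}))";
        } else {
            $perms_sql .= ")";
        }
    } elseif ($nets != "") {
        $perms_sql .= " AND (ac.src_net in ({$nets}) OR ac.dst_net in ({$nets}))";
    }

    $query = "SELECT sum(ac.cnt) as num, plugin_sid.name FROM alienvault_siem.ac_acid_event AS ac LEFT JOIN alienvault.plugin_sid ON plugin_sid.plugin_id=ac.plugin_id AND plugin_sid.sid=ac.plugin_sid {$perms_sql} GROUP BY name ORDER BY num DESC LIMIT {$limit}";

    $rs = $conn->Execute($query);
    if (!$rs) {
        echo "error";
        die($conn->ErrorMsg());
    }

    while (!$rs->EOF) {
        $data[Util::signaturefilter($rs->fields["name"])] = $rs->fields["num"];
        $rs->MoveNext();
    }

    return $data;
}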
// Session asset filter: when the user is restricted to a set of nets, the
// whole CIDR list must fall inside them.
if (Session::get_net_where() != '') {
    if (!Asset_net::is_cidr_in_my_nets($conn, $ips_string, $ctx)) {
        $validation_errors['cidr'] = _('The CIDR is not allowed. Please check with your account admin for more information');
    }
}

//Validating CIDRs (one by one; stops at the first offending CIDR)
$aux_ips = explode(',', $ips_string);
if (empty($validation_errors['cidr'])) {
    foreach ($aux_ips as $cidr) {
        // Any other net already owning this CIDR is a conflict; the net being
        // edited ($id) is excluded from the lookup result.
        $net_ids = Asset_net::get_id_by_ips($conn, $cidr, $ctx);
        unset($net_ids[$id]);
        if (!empty($net_ids)) {
            $validation_errors['cidr'] = sprintf(_("The CIDR %s is not allowed. Please check with your account admin for more information"), $cidr);
            break;
        } else {
            // Same asset-filter check as above, per CIDR
            if (Session::get_net_where() != '') {
                if (!Asset_net::is_cidr_in_my_nets($conn, $cidr, $ctx)) {
                    $validation_errors['cidr'] = sprintf(_("The CIDR %s is not allowed. Please check with your account admin for more information"), $cidr);
                    break;
                }
            }
        }
    }
}

//Validating Sensors: every sensor must be allowed for the session
if (is_array($sensors) && !empty($sensors)) {
    foreach ($sensors as $sensor) {
        if (!Av_sensor::is_allowed($conn, $sensor)) {
            // NOTE(review): appends to $validation_errors['sboxs[]'] even when the key
            // does not exist yet (PHP notice on the first sensor) -- presumably fine for the caller; confirm
            $validation_errors['sboxs[]'] .= sprintf(_("Error! Sensor %s cannot be assigned to this network"), Av_sensor::get_name_by_id($conn, $sensor)) . "<br/>";
        }
    }
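/**
 * Imports hosts from a CSV file (fields separated by '";"', one host per line).
 *
 * Accepted layouts:
 *  - Asset section, v4.x.x or higher:
 *      "IP (IP1,IP2,...)";"Hostname";"FQDNs(FQDN1,FQDN2,...)";"Description";"Asset value";"Operating System";
 *      "Latitude";"Longitude";"Host ID";"External Asset";"Device Types(Type1,Type2,...)"
 *  - Asset section, v3.x.x:
 *      "IP"*;"Hostname";"FQDNs(FQDN1,FQDN2,...)";"Description";"Asset value";"Sensors(Sensor1,Sensor2,...)";
 *      "Operating System";"Latitude";"Longitude"
 *  - Welcome wizard, v4.x.x or higher:
 *      "IP (IP1,IP2,...)";"Hostname";"Description";"Operating System";"Device Type(Type1,Type2,...)"
 *
 * @param string $filename    path of the CSV file to read
 * @param mixed  $iic         when non-empty, hostnames are passed through clean_iic() before validation
 * @param string $ctx         context (entity) id as a hex string; used for the sensor lookup and stored on every host
 * @param string $import_type 'hosts' (asset section, header line required) or 'welcome_wizard_hosts'
 * @return array summary: ['general' => ['status', 'data', 'statistics' => [total, warnings, errors, saved]],
 *                        'by_hosts' => [line => ['status', 'data', 'errors' => [...], 'warnings' => [...]]]]
 */
function import_assets_from_csv($filename, $iic, $ctx, $import_type)
{
    //Process status
    $summary = array(
        'general' => array(
            'status'     => '',
            'data'       => '',
            'statistics' => array('total' => 0, 'warnings' => 0, 'errors' => 0, 'saved' => 0),
        ),
        'by_hosts' => array(),
    );

    // $ctx is interpolated into a SQL fragment (sensor filter) below; accept hex only
    // so it cannot break out of the quoted literal.
    if (!ctype_xdigit((string) $ctx)) {
        $summary['general']['status'] = 'error';
        $summary['general']['data']   = _('Invalid context');
        $summary['general']['statistics']['errors'] = 1;

        return $summary;
    }

    $str_data = file_get_contents($filename);
    if ($str_data === FALSE) {
        $summary['general']['status'] = 'error';
        // 'data' is a string in every other branch; keep it a string here too.
        $summary['general']['data']   = _('Failed to read data from CSV file');
        $summary['general']['statistics']['errors'] = 1;

        return $summary;
    }

    // Lines may end with CR or LF; blank lines are dropped.
    $data       = array();
    $array_data = preg_split('/\\n|\\r/', $str_data);
    foreach ($array_data as $v) {
        if (trim($v) != '') {
            $data[] = explode('";"', trim($v));
        }
    }

    //Check file size (a file holding only the header line counts as empty)
    if (count($data) <= 0 || count($data) == 1 && preg_match('/IP/', $data[0][0])) {
        $summary['general']['status'] = 'error';
        $summary['general']['data']   = _('CSV file is empty');
        $summary['general']['statistics']['errors'] = 1;

        return $summary;
    }

    //Check importation type and headers
    $csv_headers = array();
    if ($import_type == 'hosts') {
        $has_header = preg_match('/Operating System/', $data[0][5]) || preg_match('/Sensors/', $data[0][5]);
        if (!$has_header) {
            $summary['general']['status'] = 'error';
            $summary['general']['data']   = _('Headers not found');
            $summary['general']['statistics']['errors'] = 1;

            return $summary;
        }
        $csv_headers = array_shift($data);
    }

    //Setting total hosts to import
    $summary['general']['statistics']['total'] = count($data);

    $db   = new ossim_db();
    $conn = $db->connect();

    //Getting all Operating System; the recognition pattern is the same for every line
    $all_os     = Properties::get_all_os();
    $os_pattern = '/' . preg_quote(implode('|', $all_os), '/') . '/';
    $os_pattern = str_replace('\\|', '|', $os_pattern);

    //Getting devices types, keyed "type[:subtype]" => "type_id:subtype_id"
    $all_devices     = array();
    $aux_all_devices = Devices::get_all_for_filter($conn);
    $_all_devices    = $aux_all_devices[0];
    foreach ($_all_devices as $d_data) {
        $d_key  = $d_data['type_name'];
        $d_key .= $d_data['subtype_id'] != 0 ? ':' . $d_data['subtype_name'] : '';
        $all_devices[$d_key] = $d_data['type_id'] . ':' . $d_data['subtype_id'];
    }

    //Allowed sensors for this context
    $filters    = array('where' => "acl_sensors.entity_id = UNHEX('{$ctx}')");
    $a_sensors  = Av_sensor::get_basic_list($conn, $filters);
    $sensor_ids = array_keys($a_sensors);
    if (count($sensor_ids) == 0) {
        $summary['general']['status'] = 'error';
        $s_error_msg = Session::is_pro() ? _('There is no sensors for this context') : _('There is no sensors for this IP address');
        $summary['general']['data'] = $s_error_msg;
        $summary['general']['statistics']['errors'] = 1;
        $db->close();

        return $summary;
    }

    // Session permission does not change from line to line
    $can_i_create_assets = Session::can_i_create_assets();

    Util::disable_perm_triggers($conn, TRUE);

    foreach ($data as $k => $v) {
        //Clean previous errors
        ossim_clean_error();
        $num_line = $k + 1;

        //Set default status
        $summary['by_hosts'][$num_line]['status'] = 'error';

        //Check file format
        $cnd_1 = $import_type == 'hosts' && count($v) < 9;
        $cnd_2 = $import_type == 'welcome_wizard_hosts' && count($v) < 5;
        if ($cnd_1 || $cnd_2) {
            $summary['by_hosts'][$num_line]['errors']['Format'] = _('Number of fields is incorrect');
            $summary['general']['statistics']['errors']++;
            continue;
        }

        //Clean values: strip the leading quote of the first field and the trailing quote of the last one
        $param     = array();
        $max_index = count($v) - 1;
        foreach ($v as $index => $field) {
            $parameter = trim($field);
            if ($index == 0) {
                $parameter = preg_replace('/^\\"|^\'/', '', $parameter);
            } elseif ($index == $max_index) {
                $parameter = preg_replace('/\\"$|\'$/', '', $parameter);
            }
            $param[] = $parameter;
        }

        //Values
        $is_in_db = FALSE;
        $host_id  = '';
        $sensors  = $sensor_ids;
        $csv_ips  = preg_replace("/\\s+/", '', $param[0]);

        if (!empty($param[1])) {
            $name = $param[1];
        } else {
            // No hostname given: derive one from the IP list
            $aux_name = str_replace(' ', '', $csv_ips);
            $aux_name = str_replace(',', '-', $aux_name);
            $name     = Asset_host::get_autodetected_name($aux_name);
        }

        if ($import_type == 'hosts') {
            $fqdns       = $param[2];
            $descr       = $param[3];
            $asset_value = !empty($param[4]) ? $param[4] : 2;

            if (preg_match('/Host ID/', $csv_headers[8])) {
                // v4.x.x or higher layout
                $os          = $param[5];
                $latitude    = floatval($param[6]);
                $longitude   = floatval($param[7]);
                $external    = empty($param[9]) ? 0 : intval($param[9]);
                $csv_devices = $param[10];
            } else {
                // v3.x.x layout (column 5 holds the sensors)
                $os          = $param[6];
                $latitude    = floatval($param[7]);
                $longitude   = floatval($param[8]);
                $external    = 0;
                $csv_devices = '';
            }
        } else {
            $fqdns       = '';
            $descr       = $param[2];
            $os          = $param[3];
            $latitude    = 0;
            $longitude   = 0;
            $asset_value = 2;
            $external    = 0;
            $csv_devices = $param[4];
        }

        $can_i_modify_ips = TRUE;

        //IPs
        if (!ossim_valid($csv_ips, OSS_IP_ADDR, 'illegal:' . _('IP'))) {
            $summary['by_hosts'][$num_line]['errors']['IP'] = ossim_get_error_clean();
            $summary['general']['statistics']['errors']++;
            continue;
        }

        //Check Host ID: is there a host registered in the System with these IPs?
        $host_ids = Asset_host::get_id_by_ips($conn, $csv_ips, $ctx);
        $host_id  = key($host_ids);
        if (!empty($host_id)) {
            $is_in_db = TRUE;
        } else {
            $host_id = Util::uuid();
        }

        // Special case: Forced Host ID [Version 4.x.x or higher]
        if ($import_type == 'hosts' && preg_match('/Host ID/', $csv_headers[8]) && valid_hex32($param[8])) {
            $csv_hosts_id = strtoupper($param[8]);
            if ($is_in_db == TRUE && $csv_hosts_id != $host_id) {
                $id_error_msg = _('Host is already registered in the System with another Host ID');
                $summary['by_hosts'][$num_line]['errors']['Host'] = $id_error_msg;
                $summary['general']['statistics']['errors']++;
                continue;
            }
            if ($is_in_db == FALSE) {
                $host_id = $csv_hosts_id; // Save host ID to insert it
            }
        }

        //Hostname
        if (!empty($iic)) {
            $name = clean_iic($name);
        }
        if (!ossim_valid($name, OSS_HOST_NAME, 'illegal:' . _('Hostname'))) {
            // Try once more with a cleaned-up name; report it as a warning if that one is valid
            ossim_clean_error();
            $name = Asset_host::create_valid_name($name);
            $warning_msg = _('Hostname does not match with RFC 1123 specifications') . '<br/>' . _('Hostname will be replaced by') . ": <strong>{$name}</strong>";
            $summary['by_hosts'][$num_line]['warnings']['Hostname'] = $warning_msg;
            $summary['by_hosts'][$num_line]['status'] = 'warning';
            $summary['general']['statistics']['warnings']++;

            if (!ossim_valid($name, OSS_HOST_NAME, 'illegal:' . _('Hostname'))) {
                // Cleaned name is still invalid: turn the warning into an error
                unset($summary['by_hosts'][$num_line]['warnings']);
                $summary['general']['statistics']['warnings']--;
                $summary['by_hosts'][$num_line]['status'] = 'error';
                $summary['by_hosts'][$num_line]['errors']['Hostname'] = ossim_get_error_clean();
                $summary['general']['statistics']['errors']++;
                continue;
            }
        }

        //Description
        if (!ossim_valid($descr, OSS_NULLABLE, OSS_ALL, 'illegal:' . _('Description'))) {
            $summary['by_hosts'][$num_line]['errors']['Description'] = ossim_get_error_clean();
            $summary['general']['statistics']['errors']++;
            continue;
        }
        // UTF-8 descriptions are stored as HTML entities
        if (mb_detect_encoding($descr . ' ', 'UTF-8,ISO-8859-1') == 'UTF-8') {
            $descr = mb_convert_encoding($descr, 'HTML-ENTITIES', 'UTF-8');
        }

        //Operating System: unknown names are stored as 'Unknown' with a warning
        if (!empty($os) && !preg_match($os_pattern, $os)) {
            $warning_msg = _('Operating System unknown');
            $summary['by_hosts'][$num_line]['warnings']['Operating System'] = $warning_msg;
            $summary['by_hosts'][$num_line]['status'] = 'warning';
            $summary['general']['statistics']['warnings']++;
            $os = 'Unknown';
        }

        //Devices Types
        $devices           = array();
        $unallowed_devices = array();
        if (!empty($csv_devices)) {
            $aux_devices = explode(',', $csv_devices);
            if (is_array($aux_devices) && !empty($aux_devices)) {
                foreach ($aux_devices as $d_name) {
                    $d_name = trim($d_name);
                    if (array_key_exists($d_name, $all_devices)) {
                        $devices[] = $all_devices[$d_name];
                    } else {
                        $unallowed_devices[] = $d_name;
                    }
                }

                if (!empty($unallowed_devices)) {
                    $warning_msg = _('Some devices could not be added (Type and/or subtype unknown)') . ': ' . implode(',', $unallowed_devices);
                    $summary['by_hosts'][$num_line]['warnings']['Devices'] = $warning_msg;
                    $summary['by_hosts'][$num_line]['status'] = 'warning';
                    $summary['general']['statistics']['warnings']++;
                }
            }
        }

        //Sensor: only unregistered hosts take their sensors from the file
        if ($is_in_db == FALSE && $import_type == 'hosts' && preg_match('/Sensors/', $csv_headers[5])) {
            //Special case: Sensors in CSV file [Version 3.x.x], matched by sensor IP
            $sensors  = array();
            $_sensors = explode(',', $param[4]);
            if (is_array($_sensors) && !empty($_sensors)) {
                $_sensors = array_flip($_sensors);
                if (is_array($a_sensors) && !empty($a_sensors)) {
                    foreach ($a_sensors as $s_id => $s_data) {
                        if (array_key_exists($s_data['ip'], $_sensors)) {
                            $sensors[] = $s_id;
                        }
                    }
                }
            }

            if (!is_array($sensors) || empty($sensors)) {
                $s_error_msg = Session::is_pro() ? _('There is no sensors for this context') : _('There is no sensors for this IP address');
                $summary['by_hosts'][$num_line]['errors']['Sensors'] = $s_error_msg;
                $summary['general']['statistics']['errors']++;
                continue;
            }
        }

        //Only for importation from host section
        if ($import_type == 'hosts') {
            //FQDNs
            if (!ossim_valid($fqdns, OSS_FQDNS, OSS_NULLABLE, 'illegal:' . _('FQDN/Aliases'))) {
                $summary['by_hosts'][$num_line]['errors']['FQDN/Aliases'] = ossim_get_error_clean();
                $summary['general']['statistics']['errors']++;
                continue;
            }

            //Asset
            if (!ossim_valid($asset_value, OSS_DIGIT, 'illegal:' . _('Asset value'))) {
                $summary['by_hosts'][$num_line]['errors']['Asset value'] = ossim_get_error_clean();
                $summary['general']['statistics']['errors']++;
                continue;
            }

            //Latitude
            if (!empty($latitude) && !ossim_valid(trim($latitude), OSS_NULLABLE, OSS_DIGIT, OSS_DOT, '\\-', 'illegal:' . _('Latitude'))) {
                $summary['by_hosts'][$num_line]['errors']['Latitude'] = ossim_get_error_clean();
                $summary['general']['statistics']['errors']++;
                continue;
            }

            //Longitude
            if (!empty($longitude) && !ossim_valid(trim($longitude), OSS_NULLABLE, OSS_DIGIT, OSS_DOT, '\\-', 'illegal:' . _('Longitude'))) {
                $summary['by_hosts'][$num_line]['errors']['Longitude'] = ossim_get_error_clean();
                $summary['general']['statistics']['errors']++;
                continue;
            }
        }

        //Insert/Update host in database
        if (!empty($summary['by_hosts'][$num_line]['errors'])) {
            continue;
        }

        try {
            $host = new Asset_host($conn, $host_id);
            if ($is_in_db == TRUE) {
                $host->load_from_db($conn, $host_id);
                $can_i_modify_ips = Asset_host::can_i_modify_ips($conn, $host_id);
            } elseif ($can_i_create_assets == FALSE) {
                $n_error_msg = _('Host') . ' ' . $name . ' ' . _("not allowed. You don't have permissions to import this host");
                // Keyed 'Host' (was 'Net', copied from the net importer)
                $summary['by_hosts'][$num_line]['errors']['Host'] = $n_error_msg;
                $summary['general']['statistics']['errors']++;
                continue;
            }

            //Check IPs
            if ($can_i_modify_ips == TRUE) {
                $aux_ips = explode(',', $csv_ips);
                foreach ($aux_ips as $ip) {
                    // Any other host (the current one excluded) already owning this IP is a conflict
                    $host_ids = Asset_host::get_id_by_ips($conn, $ip, $ctx);
                    unset($host_ids[$host_id]);
                    if (!empty($host_ids)) {
                        $c_error_msg = _('IP') . ' ' . $csv_ips . ' ' . _("not allowed. IP {$ip} already exists for this entity");
                        $summary['by_hosts'][$num_line]['errors']['IP'] = $c_error_msg;
                        $summary['general']['statistics']['errors']++;
                        break;
                    }

                    // Session asset filter: the IP must fall inside one of the user's nets
                    $cnd_1 = Session::get_net_where() != '' && !Session::only_ff_net();
                    $cnd_2 = Asset_host::is_ip_in_cache_cidr($conn, $ip, $ctx, TRUE);
                    if ($cnd_1 && !$cnd_2) {
                        $c_error_msg = sprintf(_("Error! The IP %s is not allowed. Please check with your account admin for more information"), $csv_ips);
                        $summary['by_hosts'][$num_line]['errors']['IP'] = $c_error_msg;
                        $summary['general']['statistics']['errors']++;
                        break;
                    }
                }
            } else {
                $c_error_msg = _('Host') . ' ' . $name . ': ' . _("IP address not allowed. IP address cannot be modified");
                $summary['by_hosts'][$num_line]['status'] = 'warning';
                // Counted under statistics.warnings (previously incremented a non-existent 'warnings.errors' key)
                $summary['general']['statistics']['warnings']++;
                $summary['by_hosts'][$num_line]['warnings']['IP'] = $c_error_msg;
            }

            //Setting new values
            if (!empty($summary['by_hosts'][$num_line]['errors'])) {
                continue;
            }

            $host->set_ctx($ctx);
            $host->set_name($name);
            $host->set_descr($descr);
            if ($is_in_db == FALSE) {
                // IPs and sensors are only written for new hosts
                if ($can_i_modify_ips == TRUE && is_array($aux_ips) && !empty($aux_ips)) {
                    $ips = array();
                    foreach ($aux_ips as $ip) {
                        $ips[$ip] = array('ip' => $ip, 'mac' => NULL);
                    }
                    $host->set_ips($ips);
                }
                $host->set_sensors($sensors);
            }
            if (!empty($fqdns)) {
                $host->set_fqdns($fqdns);
            }
            $host->set_external($external);
            $host->set_location($latitude, $longitude);
            $host->set_asset_value($asset_value);
            $host->set_devices($devices);
            $host->save_in_db($conn, FALSE);

            //Save Operating System
            if (!empty($os)) {
                Asset_host_properties::save_property_in_db($conn, $host_id, 3, $os, 2);
            }

            $summary['general']['statistics']['saved']++;
            $summary['by_hosts'][$num_line]['data'] = $is_in_db == TRUE ? _('Asset updated') : _('New asset inserted');

            //Keep warnings
            if ($summary['by_hosts'][$num_line]['status'] != 'warning') {
                $summary['by_hosts'][$num_line]['status'] = 'success';
            }
        } catch (Exception $e) {
            $summary['by_hosts'][$num_line]['errors']['Database error'] = $e->getMessage();
            $summary['general']['statistics']['errors']++;
        }
    }

    // Re-enable the triggers whatever happened inside the loop
    // (they used to stay disabled when no host was saved).
    Util::disable_perm_triggers($conn, FALSE);

    if ($summary['general']['statistics']['saved'] > 0) {
        if ($summary['general']['statistics']['errors'] == 0) {
            $summary['general']['status'] = 'success';
            $summary['general']['data']   = _('All assets have been successfully imported ');
        } else {
            $summary['general']['status'] = 'warning';
            $summary['general']['data']   = _('Some assets cannot be imported');
        }

        try {
            Asset_host::report_changes($conn, 'hosts');
        } catch (Exception $e) {
            Av_exception::write_log(Av_exception::USER_ERROR, $e->getMessage());
        }
    } else {
        $summary['general']['statistics']['errors'] = count($data);

        //CSV file is not empty, but all lines are wrong
        if (empty($summary['general']['status'])) {
            $summary['general']['status'] = 'error';
            $summary['general']['data']   = _('Assets cannot be imported');
        }
    }

    // Rebuild the host -> net membership table; a failure is logged instead of silenced
    $rs_ref = $conn->Execute("REPLACE INTO alienvault.host_net_reference SELECT host.id,net_id FROM alienvault.host, alienvault.host_ip, alienvault.net_cidrs WHERE host.id = host_ip.host_id AND host_ip.ip >= net_cidrs.begin AND host_ip.ip <= net_cidrs.end");
    if (!$rs_ref) {
        Av_exception::write_log(Av_exception::USER_ERROR, $conn->ErrorMsg());
    }

    $db->close();

    return $summary;
}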
////////////////////////////////////////////////////////////////
// Nets that belong to a net group; they are skipped in the listing below.
$sql = "SELECT hex(net_id) as net_id FROM net_group_reference";
if (!($rs =& $conn->Execute($sql))) {
    die($conn->ErrorMsg());
}
$nets_grouped = array();
while (!$rs->EOF) {
    // NOTE(review): increments an index that does not exist yet on first sight
    // (PHP notice); only the presence of the key is tested later.
    $nets_grouped[$rs->fields['net_id']]++;
    $rs->MoveNext();
}

// Context restriction ($ctxs is set outside this fragment)
$net_where = "";
if ($ctxs != "") {
    $net_where = " AND net.ctx in ({$ctxs})";
}
// Asset filter: session-allowed net ids
$nets = Session::get_net_where();
if ($nets != "") {
    $net_where .= " AND net.id in ({$nets})";
}
// $net_limit is set outside this fragment
$sql = "SELECT\n net.name as net_name,\n HEX(net.id) as net_id,\n net.threshold_c as net_threshold_c,\n net.threshold_a as net_threshold_a,\n net.ips as net_address\n FROM\n net\n WHERE\n 1=1 {$net_where} {$net_limit}";
if (!($rs =& $conn->Execute($sql))) {
    die($conn->ErrorMsg());
}
$networks = array();
$count = 1;
while (!$rs->EOF) {
    $has_perms = true;
    $net = $rs->fields['net_id'];
    // Skip grouped nets and stop counting past $max (set outside this fragment)
    if ($nets_grouped[$net] != "" || $count > $max) {
        $rs->MoveNext();
        continue;
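/**
 * Builds the SQL fragments for the event-console query from the criteria held
 * in the global $cs criteria-state object and from the session's permissions.
 *
 * Globals read: $db (handed to GetActivityName), $cs, $timetz.
 * Globals written: $sql (SELECT list + FROM), $where_sql, $join_sql,
 * $criteria_sql, $perms_sql. The remaining declared globals are not touched here.
 *
 * Any criterion that turns out to be unused is reset on $cs (->Set("") or
 * ->SetFormItemCnt(0)) so the persisted form state matches what was queried.
 *
 * NOTE(review): many criteria values are concatenated into SQL untouched
 * (sensor/plugin lists, userdata column and operator, idm_hostname side,
 * ossim_* operator and value, ip_addr column/operator, hostid/netid side).
 * Unless the criteria-state object sanitises them upstream, each is an
 * injection point; this version only constrains the hex id lists, the host
 * operator and the numeric id lists. Fixes over the previous version: the
 * single-side "Network ID" branch filtered on *_host instead of *_net, the
 * idm_username criterion used a literal placeholder instead of the escaped
 * value, ereg()/ereg_replace() (removed in PHP 7) are replaced, and the
 * "address without type" warning condition was unsatisfiable (== " " && == "").
 *
 * @return array  [0] join clause, [1] WHERE criteria against acid_event (UTC
 *                time range), [2] permission filter + day-granular time range,
 *                [3] bool, true when the ac_acid_event summary table can be used,
 *                [4] criteria with the form (non-UTC) time range mapped to days,
 *                [5] criteria with the UTC time range mapped to days.
 */
function ProcessCriteria() {
    global $db, $join_sql, $perms_sql, $where_sql, $criteria_sql, $sql, $debug_mode, $caller, $DBtype;
    /* XXX-SEC */
    global $cs, $timetz;

    $db_aux = new ossim_db();
    $conn_aux = $db_aux->connect(); // only needed by escape_sql() below

    /* JOIN fragments (the tcp/udp/icmp header joins are long deprecated and gone) */
    $ip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid ";
    $rawip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid ";
    $sig_join_sql = " LEFT JOIN alienvault.plugin_sid ON acid_event.plugin_id=plugin_sid.plugin_id AND acid_event.plugin_sid=plugin_sid.sid ";
    $sig_join = false;
    $data_join_sql = ""; // comma-separated extra FROM tables (extra_data, idm_data, reputation_data)

    $sql = "SELECT acid_event.*, HEX(acid_event.ctx) AS ctx, HEX(acid_event.src_host) AS src_host, HEX(acid_event.dst_host) AS dst_host, HEX(acid_event.src_net) AS src_net, HEX(acid_event.dst_net) AS dst_net FROM acid_event";
    $where_sql = " WHERE ";

    // Without an explicit time range, start from the current (tz-adjusted) day
    if (!isset($_GET['time_range']) || $_GET['time_range'] == "") {
        $criteria_sql = " ( timestamp >='" . gmdate("Y-m-d", $timetz) . "' ) ";
    } else {
        $criteria_sql = " 1 ";
    }
    $join_sql = "";
    $use_ac = true; // cleared by any criterion the ac_acid_event summary table cannot answer

    /* ********************** Meta Criteria ******************************************** */
    $sig = $cs->criteria['sig']->criteria;
    $sig_type = $cs->criteria['sig']->sig_type;
    $sensor = $cs->criteria['sensor']->criteria;
    $sensor_op = $cs->criteria['sensor']->param ? "not in" : "in";
    $plugin = $cs->criteria['plugin']->criteria;
    $plugingroup = $cs->criteria['plugingroup']->criteria;
    $networkgroup = $cs->criteria['networkgroup']->criteria;
    $userdata = $cs->criteria['userdata']->criteria;
    $idm_username = $cs->criteria['idm_username']->criteria;
    $idm_hostname = $cs->criteria['idm_hostname']->criteria;
    $idm_domain = $cs->criteria['idm_domain']->criteria;
    $sourcetype = $cs->criteria['sourcetype']->criteria;
    $category = $cs->criteria['category']->criteria;
    $rep = $cs->criteria['rep']->criteria;
    $time = $cs->criteria['time']->GetUTC();
    $real_time = $cs->criteria['time']->criteria;
    $time_cnt = $cs->criteria['time']->GetFormItemCnt();
    $hostid = $cs->criteria['hostid']->criteria;
    $netid = $cs->criteria['netid']->criteria;
    $ctx = $cs->criteria['ctx']->criteria;
    $device = $cs->criteria['device']->criteria;
    $ip_addr = $cs->criteria['ip_addr']->criteria;
    $ip_addr_cnt = $cs->criteria['ip_addr']->GetFormItemCnt();
    $layer4 = $cs->criteria['layer4']->criteria;
    $ip_field = $cs->criteria['ip_field']->criteria;
    $ip_field_cnt = $cs->criteria['ip_field']->GetFormItemCnt();
    $tcp_port = $cs->criteria['tcp_port']->criteria;
    $tcp_port_cnt = $cs->criteria['tcp_port']->GetFormItemCnt();
    $udp_port = $cs->criteria['udp_port']->criteria;
    $udp_port_cnt = $cs->criteria['udp_port']->GetFormItemCnt();
    $rawip_field = $cs->criteria['rawip_field']->criteria;
    $rawip_field_cnt = $cs->criteria['rawip_field']->GetFormItemCnt();
    $data = $cs->criteria['data']->criteria;
    $data_cnt = $cs->criteria['data']->GetFormItemCnt();
    // NOTE(review): the original never assigned $data_encode (it only evaluated
    // $cs->criteria['data']->data_encode and discarded it), so DataRows2sql has
    // always received null here; kept as null to preserve that behaviour.
    $data_encode = null;
    $tmp_payload = "";

    /* OSSIM */
    $ossim_type = $cs->criteria['ossim_type']->criteria;
    $ossim_priority = $cs->criteria['ossim_priority']->criteria;
    $ossim_reliability = $cs->criteria['ossim_reliability']->criteria;
    $ossim_asset_dst = $cs->criteria['ossim_asset_dst']->criteria;
    $ossim_risk_a = $cs->criteria['ossim_risk_a']->criteria;

    // Only digits, commas, whitespace and a minus sign belong in an integer id list
    $id_list_chars = '/[^0-9,\s-]/';

    $tmp_meta = "";

    /* Sensor: integer device ids, an optional leading "!" is stripped */
    if ($sensor != "" && $sensor != " ") {
        $sensor_list = preg_replace($id_list_chars, "", preg_replace("/^\\!/", "", $sensor));
        $tmp_meta .= " AND acid_event.device_id {$sensor_op} ( " . $sensor_list . " )";
    } else {
        $cs->criteria['sensor']->Set("");
    }

    /* Device: inet_pton() yields false (so an empty hex string) for a malformed address */
    if ($device != "") {
        $_ip = bin2hex(inet_pton($device));
        $tmp_meta .= " AND acid_event.device_id IN (SELECT id FROM device WHERE device_ip=UNHEX('" . $_ip . "'))";
    }

    /* Plugin: either a "from-to" range or an id list */
    if ($plugin != "" && $plugin != " ") {
        if (preg_match("/(\\d+)\\-(\\d+)/", $plugin, $match)) {
            $tmp_meta .= " AND acid_event.plugin_id between " . $match[1] . " and " . $match[2];
        } else {
            $tmp_meta .= " AND acid_event.plugin_id in (" . preg_replace($id_list_chars, "", $plugin) . ")";
        }
    }

    /* Plugin Group: an unknown group yields an impossible (-1,-1) match on purpose */
    if ($plugingroup != "" && $plugingroup != " ") {
        $pg_ids = QueryOssimPluginGroup($plugingroup);
        if ($pg_ids != "") {
            $tmp_meta .= " AND ({$pg_ids}) ";
        } else {
            $tmp_meta .= " AND (acid_event.plugin_id=-1 AND acid_event.plugin_sid=-1)";
        }
    }

    /* Network Group */
    if ($networkgroup != "" && $networkgroup != " ") {
        $ng_ids = QueryOssimNetworkGroup($networkgroup);
        if ($ng_ids != "") {
            $tmp_meta .= " AND ({$ng_ids}) ";
            $use_ac = false;
        }
    }

    /* User Data: [0] extra_data column, [1] operator token, [2] value */
    $rpl = array('EQ' => '=', 'NE' => '!=', 'LT' => '<', 'LOE' => '<=', 'GT' => '>', 'GOE' => '>=');
    if (trim($userdata[2]) != "") {
        $_q = parenthesis_encode(escape_sql($userdata[2], $conn_aux));
        $sql = "SELECT acid_event.*, HEX(acid_event.ctx) AS ctx, HEX(acid_event.src_host) AS src_host, \n HEX(acid_event.dst_host) AS dst_host, HEX(acid_event.src_net) AS src_net, \n HEX(acid_event.dst_net) AS dst_net,extra_data.* \n FROM acid_event";
        $data_join_sql .= ",extra_data ";
        $_nq = is_numeric($_q) ? $_q : "'" . $_q . "'";
        // NOTE(review): $userdata[0] (column) and a non-mapped $userdata[1] (operator) go into SQL verbatim
        $flt = "extra_data." . $userdata[0] . " " . strtr($userdata[1], $rpl) . " " . ($userdata[1] == "like" ? "'%" . $_q . "%'" : $_nq);
        $tmp_meta .= " AND acid_event.id=extra_data.event_id AND ({$flt})";
        $use_ac = false;
    }

    /* IDM: username/domain need the idm_data table, hostname lives on acid_event */
    if (trim($idm_username[0]) != '' || trim($idm_domain[0]) != '') {
        $data_join_sql .= ",idm_data ";
        $tmp_meta .= " AND acid_event.id=idm_data.event_id";
        $use_ac = false;
    }
    if ($idm_username[0] != '') {
        $_q = parenthesis_encode(escape_sql($idm_username[0], $conn_aux));
        // Uses the escaped value like the domain branch below (it was previously a fixed placeholder)
        if ($idm_username[1] == "both") {
            $tmpcrit = "idm_data.username='" . $_q . "'";
        } else {
            $tmpcrit = "(idm_data.username='" . $_q . "' AND idm_data.from_src=" . ($idm_username[1] == "src" ? "1" : "0") . ")";
        }
        $tmp_meta .= " AND {$tmpcrit}";
    }
    if ($idm_domain[0] != '') {
        $_q = parenthesis_encode(escape_sql($idm_domain[0], $conn_aux));
        if ($idm_domain[1] == "both") {
            $tmpcrit = "idm_data.domain='" . $_q . "'";
        } else {
            $tmpcrit = "(idm_data.domain='" . $_q . "' AND idm_data.from_src=" . ($idm_domain[1] == "src" ? "1" : "0") . ")";
        }
        $tmp_meta .= " AND {$tmpcrit}";
    }
    if ($idm_hostname[0] != '') {
        $_q = parenthesis_encode(escape_sql($idm_hostname[0], $conn_aux));
        if ($idm_hostname[1] == "both") {
            $tmpcrit = "(acid_event.src_hostname='" . $_q . "' OR acid_event.dst_hostname='" . $_q . "')";
        } else {
            // NOTE(review): $idm_hostname[1] becomes part of a column name without validation
            $tmpcrit = "acid_event." . $idm_hostname[1] . "_hostname='" . $_q . "'";
        }
        $tmp_meta .= " AND {$tmpcrit}";
        $use_ac = false;
    }

    /* Reputation: [0] activity, [1] severity */
    $rep_data = (trim($rep[0]) != "" || trim($rep[1]) != "");
    if ($rep_data) {
        $data_join_sql .= ",reputation_data";
        $tmp_meta .= " AND acid_event.id=reputation_data.event_id";
        $use_ac = false;
    }
    if (trim($rep[0]) != "") {
        # Activity: a numeric id is resolved to its name, anything else means "any activity"
        if (intval($rep[0])) {
            $aname = GetActivityName($rep[0], $db);
            $aname_sql = str_replace("'", "\\'", $aname);
            $tmpcrit = "(reputation_data.rep_act_src like '%" . $aname_sql . "%' OR reputation_data.rep_act_dst like '%" . $aname_sql . "%')";
        } else {
            $tmpcrit = "(reputation_data.rep_act_src!='' OR reputation_data.rep_act_dst!='')";
        }
        $tmp_meta .= " AND {$tmpcrit}";
    }
    if (trim($rep[1]) != "") {
        # Severity buckets over rep_prio_*; anything unknown means "has a priority"
        switch ($rep[1]) {
            case "High":
                $tmpcrit = "(reputation_data.rep_prio_src>6 OR reputation_data.rep_prio_dst>6)";
                break;
            case "Medium":
                $tmpcrit = "(reputation_data.rep_prio_src in (3,4,5,6) OR reputation_data.rep_prio_dst in (3,4,5,6))";
                break;
            case "Low":
                $tmpcrit = "(reputation_data.rep_prio_src in (0,1,2) OR reputation_data.rep_prio_dst in (0,1,2))";
                break;
            default:
                $tmpcrit = "(reputation_data.rep_prio_src>0 OR reputation_data.rep_prio_dst>0)";
        }
        $tmp_meta .= " AND {$tmpcrit}";
    }

    /* Source Type */
    if (trim($sourcetype) != "") {
        $tmp_meta .= " AND acid_event.plugin_id in (" . GetPluginListBySourceType($sourcetype) . ")";
    }

    /* Category: the helper is expected to return a complete " AND ..." fragment */
    if ($category[0] != 0) {
        $sig_join = true;
        $tmp_meta .= GetPluginListByCategory($category);
    }

    /* Signature: sig_type 1 carries "plugin_id;plugin_sid", otherwise a free-text search */
    if (isset($sig[0]) && $sig[0] != " " && $sig[0] != "" && (isset($sig[1]) && $sig[1] != "")) {
        if ($sig_type == 1) {
            $pidsid = preg_split("/[\\s;]+/", $sig[1]);
            $tmp_meta .= " AND (acid_event.plugin_id=" . intval($pidsid[0]) . " AND acid_event.plugin_sid=" . intval($pidsid[1]) . ")";
        } else {
            $sig_ids = QueryOssimSignature($sig[1], $sig[0], $sig[2]);
            $sig_join = true;
            $tmp_meta .= " AND ({$sig_ids})";
        }
    } else {
        $cs->criteria['sig']->Set("");
    }

    /*
     * OSSIM Code. For each ossim_* criterion [0] is the operator and [1] the value;
     * a value of "0" with "=" also matches NULL. Any of them disables ac_acid_event.
     * NOTE(review): operator and value are interpolated without escaping.
     */
    /* OSSIM Type */
    if ($ossim_type[1] != " " && $ossim_type[1] != "" && $ossim_type[1] != "0") {
        $tmp_meta .= " AND acid_event.ossim_type = '" . $ossim_type[1] . "'";
        $use_ac = false;
    } elseif ($ossim_type[1] == "0") {
        $tmp_meta .= " AND (acid_event.ossim_type is null OR acid_event.ossim_type = '0')";
        $use_ac = false;
    } else {
        $cs->criteria['ossim_type']->Set("");
    }

    /* OSSIM Priority */
    if ($ossim_priority[1] != " " && $ossim_priority[1] != "" && $ossim_priority[1] != "0") {
        $tmp_meta .= " AND acid_event.ossim_priority " . $ossim_priority[0] . " '" . $ossim_priority[1] . "'";
        $use_ac = false;
    } elseif ($ossim_priority[1] == "0") {
        if ($ossim_priority[0] == "=") {
            $tmp_meta .= " AND (acid_event.ossim_priority is null OR acid_event.ossim_priority = '0')";
        } else {
            $tmp_meta .= " AND acid_event.ossim_priority " . $ossim_priority[0] . " '" . $ossim_priority[1] . "'";
        }
        $use_ac = false;
    } else {
        $cs->criteria['ossim_priority']->Set("");
    }

    /* OSSIM Reliability */
    if ($ossim_reliability[1] != " " && $ossim_reliability[1] != "" && $ossim_reliability[1] != "0") {
        $tmp_meta .= " AND acid_event.ossim_reliability " . $ossim_reliability[0] . " '" . $ossim_reliability[1] . "'";
        $use_ac = false;
    } elseif ($ossim_reliability[1] == "0") {
        if ($ossim_reliability[0] == "=") {
            $tmp_meta .= " AND (acid_event.ossim_reliability is null OR acid_event.ossim_reliability = '0')";
        } else {
            $tmp_meta .= " AND acid_event.ossim_reliability " . $ossim_reliability[0] . " '" . $ossim_reliability[1] . "'";
        }
        $use_ac = false;
    } else {
        $cs->criteria['ossim_reliability']->Set("");
    }

    /* OSSIM Asset DST */
    if ($ossim_asset_dst[1] != " " && $ossim_asset_dst[1] != "" && $ossim_asset_dst[1] != "0") {
        $tmp_meta .= " AND acid_event.ossim_asset_dst " . $ossim_asset_dst[0] . " '" . $ossim_asset_dst[1] . "'";
        $use_ac = false;
    } elseif ($ossim_asset_dst[1] == "0") {
        if ($ossim_asset_dst[0] == "=") {
            $tmp_meta .= " AND (acid_event.ossim_asset_dst is null OR acid_event.ossim_asset_dst = '0')";
        } else {
            $tmp_meta .= " AND acid_event.ossim_asset_dst " . $ossim_asset_dst[0] . " '" . $ossim_asset_dst[1] . "'";
        }
        $use_ac = false;
    } else {
        $cs->criteria['ossim_asset_dst']->Set("");
    }

    /* OSSIM Risk A: low/medium/high map to <1, =1, >1; other non-empty values add nothing */
    if ($ossim_risk_a != " " && $ossim_risk_a != "" && $ossim_risk_a != "0") {
        if ($ossim_risk_a == "low") {
            $tmp_meta .= " AND acid_event.ossim_risk_a < 1 ";
            $use_ac = false;
        } elseif ($ossim_risk_a == "medium") {
            $tmp_meta .= " AND acid_event.ossim_risk_a = 1 ";
            $use_ac = false;
        } elseif ($ossim_risk_a == "high") {
            $tmp_meta .= " AND acid_event.ossim_risk_a > 1 ";
            $use_ac = false;
        }
    } else {
        $cs->criteria['ossim_risk_a']->Set("");
    }

    /* Date/Time: one fragment from the raw form values, one from the UTC-converted ones */
    $time_meta = "";
    $real_time_meta = "";
    DateTimeRows2sql($real_time, $time_cnt, $real_time_meta); // Time without utc conversion
    if (DateTimeRows2sql($time, $time_cnt, $time_meta) == 0) {
        $cs->criteria['time']->SetFormItemCnt(0);
    }
    $criteria_sql .= $tmp_meta;

    /* ********************** PERMS ************************ */
    // Allowed CTX's and asset filter of the logged-in user; these must survive
    // in every variant of the criteria, so they are kept in $perms_sql as well.
    // (Same construction as GetPerms() with the acid_event alias.)
    $perms_sql = "";
    $domain = Session::get_ctx_where();
    if ($domain != "") {
        $perms_sql .= " AND acid_event.ctx in ({$domain})";
    }
    $host_perms = Session::get_host_where();
    $net_perms = Session::get_net_where();
    if ($host_perms != "") {
        $perms_sql .= " AND (acid_event.src_host in ({$host_perms}) OR acid_event.dst_host in ({$host_perms})";
        if ($net_perms != "") {
            $perms_sql .= " OR acid_event.src_net in ({$net_perms}) OR acid_event.dst_net in ({$net_perms}))";
        } else {
            $perms_sql .= ")";
        }
    } elseif ($net_perms != "") {
        $perms_sql .= " AND (acid_event.src_net in ({$net_perms}) OR acid_event.dst_net in ({$net_perms}))";
    }
    $criteria_sql .= $perms_sql;

    /* Host ID: [0] comma-separated hex ids, [2] src|dst|both, [3] IN|NOT IN */
    // Only IN / NOT IN are meaningful; anything else falls back to IN instead of reaching the SQL
    $op = strtoupper(trim($hostid[3])) == 'NOT IN' ? 'NOT IN' : 'IN';
    $and_or = $op == 'NOT IN' ? 'AND' : 'OR';
    if ($hostid[0] != "") {
        // Non-hex entries are dropped; UNHEX('') matches nothing, as UNHEX(<garbage>) did
        $host_ids = array_filter(explode(",", $hostid[0]), 'ctype_xdigit');
        $hostwhere = "UNHEX('" . implode("',UNHEX('", $host_ids) . "')";
        if ($hostid[2] == "both") {
            $criteria_sql .= " AND (acid_event.src_host {$op} ({$hostwhere}) {$and_or} acid_event.dst_host {$op} ({$hostwhere}))";
        } else {
            // NOTE(review): $hostid[2] becomes part of a column name without validation
            $criteria_sql .= " AND acid_event." . $hostid[2] . "_host {$op} ({$hostwhere})";
        }
    }

    /* Network ID: [0] comma-separated hex ids, [2] src|dst|both */
    if ($netid[0] != "") {
        $net_ids = array_filter(explode(",", $netid[0]), 'ctype_xdigit');
        $netwhere = "UNHEX('" . implode("',UNHEX('", $net_ids) . "')";
        if ($netid[2] == "both") {
            $criteria_sql .= " AND (acid_event.src_net in ({$netwhere}) OR acid_event.dst_net in ({$netwhere}))";
        } else {
            // Fix: this branch used to compare net ids against the *_host column and could never match
            $criteria_sql .= " AND acid_event." . $netid[2] . "_net in ({$netwhere})";
        }
    }

    /* ********************** IP Criteria ********************************************** */
    /*
     * IP Addresses. Per row: [0] opening brackets, [1] column (ip_src|ip_dst|ip_both),
     * [2] operator, [3..6] octets, [8] closing brackets, [9] AND|OR to the next row,
     * [10] optional mask. 256.256.256.256 is the special "no address" (portscan) case.
     */
    $tmp2 = "";
    for ($i = 0; $i < $ip_addr_cnt; $i++) {
        $tmp = "";
        if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] != " " && $ip_addr[$i][1] != "") {
            if ($ip_addr[$i][3] != "" && $ip_addr[$i][4] != "" && $ip_addr[$i][5] != "" && $ip_addr[$i][6] != "") {
                $addr = $ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6];
                if ($ip_addr[$i][3] == "256" && $ip_addr[$i][4] == "256" && $ip_addr[$i][5] == "256" && $ip_addr[$i][6] == "256") {
                    $tmp .= " acid_event." . $ip_addr[$i][1] . " IS NULL ";
                } elseif ($ip_addr[$i][10] == "") {
                    $tmp .= " acid_event." . $ip_addr[$i][1] . $ip_addr[$i][2] . "unhex('" . baseIP2hex($addr) . "') ";
                } else {
                    // Masked address: match the whole range, negated when the operator is "!="
                    $mask = getIPMask($addr, $ip_addr[$i][10]);
                    $tmp_op = ($ip_addr[$i][2] == "!=") ? " NOT " : "";
                    $tmp .= $tmp_op . " acid_event." . $ip_addr[$i][1] . ">= unhex('" . baseIP2hex($mask[0]) . "') AND acid_event." . $ip_addr[$i][1] . "<= unhex('" . baseIP2hex($mask[1]) . "')";
                }
            }
            /* "both" expands to src OR dst for "=", src AND dst for any other operator */
            if (preg_match("/ip_both/", $tmp)) {
                $tmp_src = str_replace("ip_both", "ip_src", $tmp);
                $tmp_dst = str_replace("ip_both", "ip_dst", $tmp);
                if ($ip_addr[$i][2] == '=') {
                    $tmp = "(" . $tmp_src . ') OR (' . $tmp_dst . ')';
                } else {
                    $tmp = "(" . $tmp_src . ') AND (' . $tmp_dst . ')';
                }
            }
            // Connector to the next row; anything but AND/OR defaults to AND
            $aux_op = ($ip_addr[$i][9] == "AND" || $ip_addr[$i][9] == "OR") ? $ip_addr[$i][9] : "AND";
            if ($tmp != "") {
                $tmp = $ip_addr[$i][0] . "(" . $tmp . ")" . $ip_addr[$i][8] . $aux_op;
            }
        } elseif (isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" || $ip_addr[$i][1] != " " && $ip_addr[$i][1] != "") {
            /* IP_addr_type, but MALFORMED IP address */
            if ($ip_addr[$i][1] != " " && $ip_addr[$i][1] != "" && $ip_addr[$i][3] == "" && ($ip_addr[$i][4] != "" || $ip_addr[$i][5] != "" || $ip_addr[$i][6] != "")) {
                ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Invalid IP address criteria") . " ' *." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . " '");
            }
            /* ADDRESS, but NO IP_addr_type was given (the old "== ' ' && == ''" test could never be true) */
            if (isset($ip_addr[$i][3]) && ($ip_addr[$i][1] == " " || $ip_addr[$i][1] == "")) {
                ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("A IP address of") . " '" . $ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . "' " . gettext("was entered for as a criteria value, but the type of address (e.g. source, destination) was not specified."));
            }
            /* IP_addr_type IS FILLED, but no ADDRESS */
            if ($ip_addr[$i][1] != " " && $ip_addr[$i][1] != "" && $ip_addr[$i][3] == "") {
                ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("An IP address of type") . " '" . $ip_addr[$i][1] . "' " . gettext("was selected (at #") . $i . ") " . gettext("indicating that an IP address should be a criteria, but no address on which to match was specified."));
            }
        }
        $tmp2 .= $tmp;
        if ($i > 0 && ($ip_addr[$i - 1][9] != 'OR' && $ip_addr[$i - 1][9] != 'AND') && $ip_addr[$i - 1][3] != "") {
            ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Multiple IP address criteria entered without a boolean operator (e.g. AND, OR) between IP Criteria") . " #{$i} and #" . ($i + 1) . ".");
        }
    }
    if ($tmp2 != "") {
        BalanceBrackets($tmp2);
        $criteria_sql .= " AND ( " . $tmp2 . " )";
        $use_ac = false;
    } else {
        $cs->criteria['ip_addr']->SetFormItemCnt(0);
    }

    /* IP Fields */
    if (FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql) == 0) {
        $cs->criteria['ip_field']->SetFormItemCnt(0);
    } else {
        $use_ac = false;
    }

    /* CTX: a non-hex value is reduced to UNHEX(''), which matches nothing (as UNHEX(<garbage>) did) */
    if ($ctx != "") {
        $criteria_sql .= " AND acid_event.ctx = UNHEX('" . (ctype_xdigit($ctx) ? $ctx : "") . "')";
    }

    /* Layer-4 encapsulation */
    $ip_proto_by_layer4 = array("TCP" => "6", "UDP" => "17", "ICMP" => "1", "RawIP" => "255");
    if (isset($ip_proto_by_layer4[$layer4])) {
        $criteria_sql .= " AND acid_event.ip_proto= '" . $ip_proto_by_layer4[$layer4] . "'";
        $use_ac = false;
    } else {
        $cs->criteria['layer4']->Set("");
    }

    /* Join the iphdr table if necessary */
    if (!$cs->criteria['ip_field']->isEmpty()) {
        $join_sql = $ip_join_sql . $join_sql;
    }

    /* ********************** TCP Criteria ********************************************** */
    // Only the port rows survive; tcp flags/fields and the tcphdr join are deprecated
    if ($layer4 == "TCP") {
        $proto_tmp = "";
        if (FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp) == 0) {
            $cs->criteria['tcp_port']->SetFormItemCnt(0);
        }
        $criteria_sql .= $proto_tmp;
    }

    /* ********************** UDP Criteria ********************************************* */
    // Only the port rows survive; udp fields and the udphdr join are deprecated
    if ($layer4 == "UDP") {
        $proto_tmp = "";
        if (FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp) == 0) {
            $cs->criteria['udp_port']->SetFormItemCnt(0);
        }
        $criteria_sql .= $proto_tmp;
    }

    /* ICMP criteria are deprecated and add nothing beyond the ip_proto filter above */

    /* ********************** Packet Scan Criteria ************************************* */
    if ($layer4 == "RawIP") {
        $proto_tmp = "";
        if (FieldRows2sql($rawip_field, $rawip_field_cnt, $proto_tmp) == 0) {
            $cs->criteria['rawip_field']->SetFormItemCnt(0);
        }
        if (!$cs->criteria['rawip_field']->isEmpty()) {
            $criteria_sql .= $proto_tmp;
            $join_sql = $rawip_join_sql . $join_sql;
        }
    }

    /* ********************** Payload Criteria ***************************************** */
    if (DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload) == 0) {
        $cs->criteria['data']->SetFormItemCnt(0);
    } else {
        $use_ac = false;
    }
    if (!$cs->criteria['data']->isEmpty()) {
        $sql = "SELECT acid_event.*, HEX(acid_event.ctx) AS ctx, HEX(acid_event.src_host) AS src_host, HEX(acid_event.dst_host) AS dst_host, HEX(acid_event.src_net) AS src_net, HEX(acid_event.dst_net) AS dst_net, extra_data.* FROM acid_event";
        if (!preg_match("/extra_data/", $data_join_sql)) {
            $data_join_sql .= ",extra_data ";
        }
        $criteria_sql .= $tmp_payload;
        $use_ac = false;
    }

    // idm_data can hold several rows per event, so de-duplicate
    if (preg_match("/idm_data/", $data_join_sql)) {
        $sql = preg_replace("/^SELECT/", "SELECT DISTINCT", $sql);
    }

    if ($sig_join) {
        $join_sql .= $sig_join_sql;
    }
    $join_sql .= $data_join_sql;

    /* Assemble the result. The ac_acid_event variants work on "day" instead of
     * "timestamp" and therefore drop the hh:mm:ss part of the time bounds; the
     * trailing-operator clean-up removes "AND )" / "OR )" left by empty rows. */
    $drop_time_of_day = "/ \\d\\d:\\d\\d:\\d\\d/";
    $dangling_ops = array("/OR\\s+\\)/", "/AND\\s+\\)/");
    $real_day_meta = preg_replace($drop_time_of_day, "", str_replace("timestamp", "day", $real_time_meta));
    $utc_day_meta = preg_replace($drop_time_of_day, "", str_replace("timestamp", "day", $time_meta));

    $csql = array();
    $csql[0] = $join_sql;
    // Ready to ac_acid_event (form time range)
    $csql[4] = preg_replace($dangling_ops, " )", $criteria_sql . $real_day_meta);
    // Ready to ac_acid_event next day (UTC time range)
    $csql[5] = preg_replace($dangling_ops, " )", $criteria_sql . $utc_day_meta);
    // to acid_event
    $criteria_sql = preg_replace($dangling_ops, " )", $criteria_sql . $time_meta);
    $csql[1] = $criteria_sql;
    $csql[2] = $perms_sql . $utc_day_meta;
    $csql[3] = $use_ac; // true if we use ac_acid_event instead acid_event

    $db_aux->close();
    return $csql;
}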
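} // closes a block that begins before this chunk; kept as-is

// For taxonomy option, always detector type
if (POST('type') == "") {
    $_POST["type"] = "detector";
}

// "LIST" selectors carry their real values in a sibling <name>_list field; fold them in
$_list_fields = array('plugin_sid' => 'plugin_sid_list', 'entity' => 'entity_list', 'product' => 'product_list');
foreach ($_list_fields as $_field => $_list_field) {
    if (POST($_field) == "LIST") {
        $_POST[$_field] = POST($_list_field);
    }
}

// Force assets when user perms, cannot be ANY
$has_perms = (Session::get_host_where() != "" || Session::get_net_where() != "");
$_from = POST('from');
// A missing or non-array selection counts as empty: count() on a scalar returned 1
// on old PHP (so a malformed "fromselect" escaped the forcing) and throws on PHP 8.
$_from_is_empty = !isset($_POST["fromselect"]) || !is_array($_POST["fromselect"]) || count($_POST["fromselect"]) < 1;
if ($has_perms && ($_from == "ANY" || ($_from == "LIST" && $_from_is_empty))) {
    // Restricted users get the full list of assets they are allowed to see
    $_POST["from"] = "LIST";
    $assets_aux = array();
    $_list_data = Asset_host::get_basic_list($conn);
    foreach (array_keys($_list_data[1]) as $h_id) {
        $assets_aux[] = Util::uuid_format($h_id);
    }
    $_list_data = Asset_net::get_list($conn);
    foreach (array_keys($_list_data[0]) as $n_id) {
        $assets_aux[] = Util::uuid_format($n_id);
    }
    $_POST["fromselect"] = $assets_aux;
}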
if ($icon != '') { $image = @imagecreatefromstring($icon); if (!$image || imagesx($image) > 16 || imagesy($image) > 16) { $validation_errors['icon'] = _('Image format is not allowed. Allowed only 16x16 PNG images'); } } //Validating IPs $aux_ips = explode(',', $ips_string); foreach ($aux_ips as $ip) { $host_ids = Asset_host::get_id_by_ips($conn, $ip, $ctx); unset($host_ids[$id]); if (!empty($host_ids)) { $validation_errors['ip'] = _('Error! IP not allowed.') . " IP {$ip} " . _('already exists for this entity'); break; } else { $cnd_1 = Session::get_net_where() != '' && !Session::only_ff_net(); $cnd_2 = Asset_host::is_ip_in_cache_cidr($conn, $ip, $ctx, TRUE); if ($cnd_1 && !$cnd_2) { $validation_errors['ip'] = _("Error! IP {$ip} not allowed. Check your asset filter"); break; } } } //Validating Sensors if (is_array($sensors) && !empty($sensors)) { foreach ($sensors as $sensor) { if (!Av_sensor::is_allowed($conn, $sensor)) { $validation_errors['sboxs[]'] = _('Error! Host could not be saved because there are unallowed sensors'); } } } else {