/** * @remotable */ public function read($id, $cat) { $out = array(); if ($cat == "projects") { $projects = $this->db->select("SELECT id, name, dir, date FROM projects ORDER BY date DESC"); foreach ($projects as $item) { $children = array(); $text = "<b>Date</b>: {$item['date']}<br>"; $text .= "<b>Dir/File</b>: {$item['dir']}<br>"; if (is_dir($item['dir'])) { array_push($children, array('id' => $item['dir'], 'text' => 'Work Directory', 'cat' => 'dir', 'qtip' => $item['dir'], iconCls => 'work-dir', 'leaf' => false)); } elseif (is_file($item['dir'])) { array_push($children, array('id' => $item['dir'], 'text' => basename($item['dir']), 'hash' => md5($item['dir']), 'iconCls' => 'php-file', 'leaf' => true)); } array_push($children, array('id' => 'scans' . $item['id'], 'text' => 'Scannings', 'cat' => 'scans', 'iconCls' => 'scannings', 'leaf' => false)); array_push($children, array('id' => 'vulns' . $item['id'], 'text' => 'Vulnerabilities', 'cat' => 'vulns', 'iconCls' => 'vulns', 'leaf' => false)); array_push($out, array('id' => $item['id'], 'text' => $item['name'], 'iconCls' => 'project', 'cat' => 'project', 'qtipCfg' => array('shadow' => 'frame', 'text' => $text, 'dismissDelay' => 10000), 'leaf' => false, 'children' => $children)); } } elseif ($cat == "dir") { include 'Files.php'; $f = new Files(); $out = $f->getList($id); } elseif ($cat == "scans") { include 'ScanHistory.php'; $s = new ScanHistory(); $out = $s->read(substr($id, 5)); } elseif ($cat == "vulns") { include 'Vulnerabilities.php'; $v = new Vulnerabilities(); $out = $v->read(substr($id, 5)); } return $out; }
function main_page($viewall, $sortby, $sortdir) { global $uroles, $username, $dbconn, $hosts; global $arruser, $user; $dbconn->SetFetchMode(ADODB_FETCH_BOTH); $tz = Util::get_timezone(); if ($sortby == "") { $sortby = "id"; } if ($sortdir == "") { $sortdir = "DESC"; } $sql_order = "order by {$sortby} {$sortdir}"; if (Session::menu_perms("environment-menu", "EventsVulnerabilitiesScan")) { ?> <div style="width:50%; position: relative; height: 5px; float:left"> <div style="width:100%; position: absolute; top: -41px;left:0px;"> <div style="float:left; height:28px; margin:5px 5px 0px 0px;"> <a class="button" href="<?php echo Menu::get_menu_url(AV_MAIN_PATH . '/vulnmeter/sched.php?smethod=schedule&hosts_alive=1&scan_locally=1', 'environment', 'vulnerabilities', 'scan_jobs'); ?> "> <?php echo _("New Scan Job"); ?> </a> </div> <div style="float:left;height:28px;margin:5px 5px 0px -2px;"> <a class="greybox button av_b_secondary" href="import_nbe.php" title="<?php echo _("Import nbe file"); ?> "> <?php echo _("Import nbe file"); ?> </a> </div> </div> </div> <?php } if (intval($_GET['page']) != 0) { $page = intval($_GET['page']); } else { $page = 1; } $pagesize = 10; if ($username == "admin") { $query = "SELECT count(id) as num FROM vuln_jobs"; } else { $query = "SELECT count(id) as num FROM vuln_jobs where username='******'"; } $result = $dbconn->Execute($query); $jobCount = $result->fields["num"]; $num_pages = ceil($jobCount / $pagesize); //echo "num_pages:[".$num_pages."]"; //echo "jobCount:[".$jobCount."]"; //echo "page:[".$page."]"; if (Vulnerabilities::scanner_type() == "omp") { // We can display scan status with OMP protocol echo Vulnerabilities::get_omp_running_scans($dbconn); } else { // Nessus all_jobs(0, 10, "R"); } ?> <?php $schedulejobs = _("Scheduled Jobs"); echo <<<EOT <table style='margin-top:20px;' class='w100 transparent'><tr><td class='sec_title'>{$schedulejobs}</td></tr></table> <table summary="Job Schedules" class='w100 table_list'> EOT; if ($sortdir == "ASC") { $sortdir = "DESC"; } else { $sortdir = "ASC"; } $arr = array("name" => "Name", "schedule_type" => "Schedule Type", "time" => "Time", "next_CHECK" => "Next Scan", "enabled" => "Status"); // modified by hsh to return all scan schedules if (empty($arruser)) { $query = "SELECT t2.name as profile, t1.meth_TARGET, t1.id, t1.name, t1.schedule_type, t1.meth_VSET, t1.meth_TIMEOUT, t1.username, t1.enabled, t1.next_CHECK, t1.email\n FROM vuln_job_schedule t1 LEFT JOIN vuln_nessus_settings t2 ON t1.meth_VSET=t2.id "; } else { $query = "SELECT t2.name as profile, t1.meth_TARGET, t1.id, t1.name, t1.schedule_type, t1.meth_VSET, t1.meth_TIMEOUT, t1.username, t1.enabled, t1.next_CHECK, t1.email\n FROM vuln_job_schedule t1 LEFT JOIN vuln_nessus_settings t2 ON t1.meth_VSET=t2.id WHERE username in ({$user}) "; } $query .= $sql_order; $result = $dbconn->execute($query); if ($result->EOF) { echo "<tr><td class='empty_results' height='20' style='text-align:center;'>" . _("No Scheduled Jobs") . "</td></tr>"; } if (!$result->EOF) { echo "<tr>"; foreach ($arr as $order_by => $value) { echo "<th><a href=\"manage_jobs.php?sortby={$order_by}&sortdir={$sortdir}\">" . _($value) . "</a></th>"; } if (Session::menu_perms("environment-menu", "EventsVulnerabilitiesScan")) { echo "<th>" . _("Action") . "</th></tr>"; } } $colors = array("#FFFFFF", "#EEEEEE"); $color = 0; while (!$result->EOF) { list($profile, $targets, $schedid, $schedname, $schedtype, $sid, $timeout, $user, $schedstatus, $nextscan, $servers) = $result->fields; $name = Av_sensor::get_name_by_id($dbconn, $servers); $servers = $name != '' ? $name : "unknown"; $targets_to_resolve = explode("\n", $targets); $ttargets = array(); foreach ($targets_to_resolve as $id_ip) { if (preg_match("/^([a-f\\d]{32})#\\d+\\.\\d+\\.\\d+\\.\\d+\\/\\d{1,2}/i", $id_ip, $found) && Asset_net::is_in_db($dbconn, $found[1])) { $ttargets[] = preg_replace("/^([a-f\\d]{32})#/i", "", $id_ip) . " (" . Asset_net::get_name_by_id($dbconn, $found[1]) . ")"; } else { if (preg_match("/^([a-f\\d]{32})#\\d+\\.\\d+\\.\\d+\\.\\d+/i", $id_ip, $found) && Asset_host::is_in_db($dbconn, $found[1])) { $ttargets[] = preg_replace("/^([a-f\\d]{32})#/i", "", $id_ip) . " (" . Asset_host::get_name_by_id($dbconn, $found[1]) . ")"; } else { $ttargets[] = preg_replace("/[a-f\\d]{32}/i", "", $id_ip); } } } $targets = implode("<BR/>", $ttargets); $tz = intval($tz); $nextscan = gmdate("Y-m-d H:i:s", Util::get_utc_unixtime($nextscan) + 3600 * $tz); preg_match("/\\d+\\-\\d+\\-\\d+\\s(\\d+:\\d+:\\d+)/", $nextscan, $found); $time = $found[1]; switch ($schedtype) { case "N": $stt = _("Once (Now)"); break; case "O": $stt = _("Once"); break; case "D": $stt = _("Daily"); break; case "W": $stt = _("Weekly"); break; case "M": $stt = _("Monthly"); break; case "Q": $stt = _("Quarterly"); break; case "H": $stt = _("On Hold"); break; case "NW": $stt = _("N<sup>th</sup> weekday of the month"); break; default: $stt = " "; break; } switch ($schedstatus) { case "1": $itext = _("Disable Scheduled Job"); $isrc = "images/stop_task.png"; $ilink = "manage_jobs.php?disp=setstatus&schedid={$schedid}&enabled=0"; break; default: $itext = _("Enable Scheduled Job"); $isrc = "images/play_task.png"; $ilink = "manage_jobs.php?disp=setstatus&schedid={$schedid}&enabled=1"; break; } if (!Session::menu_perms("environment-menu", "EventsVulnerabilitiesScan")) { $ilink = "javascript:return false;"; } if ($schedstatus) { $txt_enabled = "<td><a href=\"{$ilink}\"><font color=\"green\">" . _("Enabled") . "</font></a></td>"; } else { $txt_enabled = "<td><a href=\"{$ilink}\"><font color=\"red\">" . _("Disabled") . "</font></a></td>"; } require_once 'classes/Security.inc'; if (valid_hex32($user)) { $user = Session::get_entity_name($dbconn, $user); } echo "<tr bgcolor=\"" . $colors[$color % 2] . "\">"; if ($profile == "") { $profile = _("Default"); } echo "<td><span class=\"tip\" title=\"<b>" . _("Owner") . ":</b> {$user}<br><b>" . _("Server") . ":</b> {$servers}<br /><b>" . _("Scheduled Job ID") . ":</b> {$schedid}<br><b>" . _("Profile") . ":</b> {$profile}<br><b>" . _("Targets") . ":</b><br>" . $targets . "\">{$schedname}</span></td>"; ?> <td><?php echo $stt; ?> </td> <td><?php echo $time; ?> </td> <td><?php echo $nextscan; ?> </td> <?php echo <<<EOT {$txt_enabled} <td style="padding-top:2px;"><a href="{$ilink}"><img alt="{$itext}" src="{$isrc}" border=0 title="{$itext}"></a> EOT; if (Session::menu_perms("environment-menu", "EventsVulnerabilitiesScan")) { echo "<a href='" . Menu::get_menu_url(AV_MAIN_PATH . '/vulnmeter/sched.php?disp=edit_sched&sched_id=' . $schedid, 'environment', 'vulnerabilities', 'scan_jobs') . "'><img src='images/pencil.png' title='" . _("Edit Scheduled") . "'></a> "; echo "<a href='manage_jobs.php?disp=delete&schedid={$schedid}' onclick='return confirmDelete();'><img src='images/delete.gif' title='" . gettext("Delete Scheduled") . "'></a>"; } echo "</td>"; echo <<<EOT </tr> EOT; $result->MoveNext(); $color++; } echo <<<EOT </table> EOT; ?> <br /> <?php $out = all_jobs(($page - 1) * $pagesize, $pagesize); ?> <table width="100%" align="center" class="transparent" cellspacing="0" cellpadding="0"> <tr> <td class="nobborder" valign="top" style="padding-top:5px;"> <div class="fright"> <?php if ($out != 0 && $num_pages != 1) { $page_url = "manage_jobs.php"; if ($page == 1 && $page == $num_pages) { echo '<a href="" class="link_paginate_disabled" onclick="return false">< ' . _("PREVIOUS") . '</a>'; echo '<a class="lmargin link_paginate_disabled" href="" onclick="return false">' . _("NEXT") . ' ></a>'; } elseif ($page == 1) { echo '<a href="" class="link_paginate_disabled" onclick="return false">< ' . _("PREVIOUS") . '</a>'; echo '<a class="lmargin" href="' . $page_url . '?page=' . ($page + 1) . '">' . _("NEXT") . ' ></a> '; } elseif ($page == $num_pages) { echo '<a href="' . $page_url . '?page=' . ($page - 1) . '">< ' . _("PREVIOUS") . '</a>'; echo '<a class="lmargin link_paginate_disabled" href="" onclick="return false">' . _("NEXT") . ' ></a>'; } else { echo '<a href="' . $page_url . '?page=' . ($page - 1) . '">< ' . _("PREVIOUS") . '</a><a class="lmargin" href="' . $page_url . '?page=' . ($page + 1) . '">' . _("NEXT") . ' ></a>'; } } ?> </div> </td> </tr> </table> <?php }
// Property filter $filters = array('limit' => "{$from}, {$maxrows}", 'order_by' => "{$order} {$torder}"); if ($search_str != '') { $search_str = escape_sql($search_str, $conn); $filters['where'] = 'p.name LIKE "%' . $search_str . '%"'; } list($vulns, $total) = $asset_object->get_vulnerabilities($conn, '', $filters); } else { Av_exception::throw_error(Av_exception::USER_ERROR, _('Error retrieving information')); } } catch (Exception $e) { $db->close(); Util::response_bad_request($e->getMessage()); } // DATA $data = array(); foreach ($vulns as $_asset_id => $asset_vulns) { $_host_aux = Asset_host::get_object($conn, $_asset_id); foreach ($asset_vulns as $vuln) { $_host = $class_name == 'asset_host' ? $vuln['ip'] : $_host_aux->get_name() . " (" . $_host_aux->get_ips()->get_ips('string') . ")"; $data[] = array(date("Y-m-d H:i:s", strtotime($vuln['date'])), $_host, $vuln['plugin'], $vuln['plugin_id'], $vuln['service'], Vulnerabilities::get_severity_by_risk($vuln['risk'])); } } $response['sEcho'] = $sec; $response['iTotalRecords'] = $total; $response['iTotalDisplayRecords'] = $total; $response['aaData'] = $data; echo json_encode($response); $db->close(); /* End of file dt_vulnerabilities.php */ /* Location: /av_asset/common/providers/dt_vulnerabilities.php */
* along with this package; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, * MA 02110-1301 USA * * * On Debian GNU/Linux systems, the complete text of the GNU General * Public License can be found in `/usr/share/common-licenses/GPL-2'. * * Otherwise you can read it here: http://www.gnu.org/licenses/gpl-2.0.txt * */ require_once 'av_init.php'; Session::logcheck("environment-menu", "EventsVulnerabilities"); $tasks = GET("tasks"); if (!preg_match("/^[\\d\\#]+\$/", $tasks)) { die; } if (Vulnerabilities::scanner_type() == "omp") { $tresult = array(); $omp = new Omp(); $ids = explode("#", $tasks); foreach ($ids as $id) { $sparkline_count = 0; $details = $omp->get_task_detail_by_id("Running|Paused|Pause Requested|Requested", $id, true); if (preg_match("/(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)\\|(\\d+)/", $details["total"], $found)) { $sparkline_count = $found[1] + $found[2] + $found[3] + $found[4] + $found[5]; } $tresult[] = $id . "|" . $sparkline_count . "|" . str_replace("|", ";", $details["detail"]); } echo implode("-", $tresult); }
} } break; } $offset = intval($offset); // latest results table $roffset = intval($roffset); // reports table $sreport = intval($sreport); // to show reports //for autocomplete input $autocomplete_keys = array('hosts_ips', 'nets_cidrs', 'sensors'); $assets = Autocomplete::get_autocomplete($dbconn, $autocomplete_keys); // ctx permissions $perms_where = Session::get_ctx_where() != "" ? " AND ctx in (" . Session::get_ctx_where() . ")" : ""; list($arruser, $user) = Vulnerabilities::get_users_and_entities_filter($conn); // Delete Section if (!empty($delete) && !empty($scantime)) { // a single scan in latest results tables $params = array($delete, $scantime); $query = "SELECT hostIP, HEX(ctx) as ctx, sid, username FROM vuln_nessus_latest_reports WHERE report_key=? and scantime=? {$perms_where}"; $result = $dbconn->execute($query, $params); if (Session::hostAllowed_by_ip_ctx($dbconn, $result->fields["hostIP"], $result->fields["ctx"])) { $dhostIP = $result->fields["hostIP"]; $dctx = $result->fields["ctx"]; $dusername = $result->fields["username"]; $dsid = $result->fields["sid"]; $query = "DELETE FROM vuln_nessus_latest_reports WHERE report_key=? and scantime=? {$perms_where}"; $result = $dbconn->execute($query, $params); $params = array($dhostIP, $dctx, $dusername, $dsid, $scantime); $query = "DELETE FROM vuln_nessus_latest_results WHERE hostIP=? and ctx=UNHEX(?) and username=? and sid=? and scantime=? {$perms_where}";
function select_profile() { global $sid, $username, $dbconn, $version, $nessus_path; $args = ""; if (!Session::am_i_admin()) { list($owners, $sqlowners) = Vulnerabilities::get_users_and_entities_filter($dbconn); $owners[] = '0'; $sql_perms .= " OR owner IN('" . implode("', '", $owners) . "')"; $args = "WHERE name='Default' OR name='Deep' OR name='Ultimate' " . $sql_perms; } $layouts = array(); $query = "SELECT id, name, description, owner, type FROM vuln_nessus_settings {$args} ORDER BY name"; $dbconn->SetFetchMode(ADODB_FETCH_BOTH); $result = $dbconn->execute($query); echo "<CENTER>"; echo "<table class=\"transparent\"><tr><td class=\"sec_title\">" . _("Vulnerability Scan Profiles") . "</td></tr></table>"; echo "<p>"; echo _("Please select a profile to edit") . ":"; echo "</p>"; echo "<table class='table_list'>"; echo "<tr>"; echo "<th>" . _("Available for") . "</th>"; echo "<th>" . _("Profile") . "</th>"; echo "<th>" . _("Description") . "</th>"; echo "<th>" . _("Action") . "</th>"; echo "</tr>"; $color = 0; while (!$result->EOF) { $sid = $result->fields[0]; $sname = $result->fields[1]; $sdescription = $result->fields[2]; $sowner = $result->fields[3]; $stype = $result->fields[4]; echo "<tr id='profile{$sid}'>"; if ($sowner == "0") { echo "<td>" . _("All") . "</td>"; } elseif (valid_hex32($sowner)) { echo "<td style='padding:0px 2px 0px 2px;'>" . Session::get_entity_name($dbconn, $sowner) . "</td>"; } else { echo "<td>" . Util::htmlentities($sowner) . "</td>"; } echo "<td width='200'>" . Util::htmlentities($sname) . "</td>"; echo "<td width='450'>" . Util::htmlentities($sdescription) . "</td>"; echo "<td>"; if ($sname == "Default" || $sname == "Deep" || $sname == "Ultimate") { echo "<img src=\"images/pencil.png\" class=\"tip disabled\" title=\"" . _("{$sname} profile can't be edited, clone it to make changes") . "\" />"; echo "<img src=\"images/delete.gif\" class=\"tip disabled\" title=\"" . _("{$sname} profile can't be deleted") . "\" />"; } else { if (Vulnerabilities::can_modify_profile($dbconn, $sname, $sowner)) { echo "<a href='settings.php?disp=edit&sid={$sid}'><img class='hand' id='edit_" . md5($sname . $sowner) . "' src='images/pencil.png' ></a>"; } else { echo "<img class='disabled' src='images/pencil.png'>"; } if (Vulnerabilities::can_delete_profile($dbconn, $sname, $sowner)) { echo "<img class='hand' src='images/delete.gif' id='delete_" . md5($sname . $sowner) . "' onclick='deleteProfile({$sid})'>"; } else { echo "<img class='disabled' src=\"images/delete.gif\" >"; } } echo "</td>"; echo "</tr>"; $result->MoveNext(); $color++; } echo "</table>"; echo "<center>"; echo "<form>"; echo "<br/>"; echo "<input type='button' onclick=\"document.location.href='settings.php?disp=new'\" id=\"new_profile\" value=\"" . _("Create New Profile") . "\"/>"; echo "</form>"; echo "</p>"; echo "</center>"; // end else }
case "new": if (intval($user) != -1) { $owner = $user; } elseif (intval($entity) != -1) { $owner = $entity; } if ($owner == "") { $owner = Session::get_session_user(); } if ($sensor_id != "") { $result = Vulnerabilities::create_sensor_profile($dbconn, $sensor_id, $sname, $owner, $cloneid); // OMP sensor } else { $result = Vulnerabilities::create_db_profile($dbconn, $sname, $sdescription, $sautoenable, $owner, $cloneid, $tracker, $_POST); } break; case "delete_sensor_profile": $result = Vulnerabilities::delete_sensor_config($dbconn, $sensor_id, $sid); break; case "delete_db_profile": $result = Vulnerabilities::delete_db_profile($dbconn, $sid); break; default: $result = array("status" => "error", "message" => _("Invalid option")); } if (preg_match("/Failed to acquire socket/", $result["message"])) { $result["message"] = _("Unable to connect to sensor, please check sensor status and Vuln Scanner Options."); } $result["message"] = preg_replace("/\\s+'\\s*'\\s+/", "", $result["message"]); echo json_encode($result); $dbconn->disconnect();
//Autocomplete data $_hosts_data = Asset_host::get_basic_list($dbconn); $_hosts = $_hosts_data[1]; foreach ($_hosts as $_host_id => $_host_detail) { // get host IPs $hIPs = array(); $hIPs = explode(",", trim($_host_detail['ips'])); foreach ($hIPs as $hIP) { $hIP = trim($hIP); $hosts .= '{ txt:"' . $_host_detail['name'] . ' (' . $hIP . ')", id: "' . $_host_id . '#' . $hIP . '" },'; } } } //Check credentials if ($host_id_ip != "") { $results = Vulnerabilities::check_credential($dbconn, $host_id_ip, $name, $login); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title><?php echo gettext("Vulnmeter Credentials"); ?> </title> <link rel="stylesheet" type="text/css" href="../style/av_common.css?t=<?php echo Util::get_css_id(); ?> "/> <script type="text/javascript" src="../js/jquery.min.js"></script>
$h_level = 'green'; break; default: $h_level = 'gray'; } } catch (Exception $e) { $h_level = 'gray'; } //Setting default sensor if ($asset_type == 'group') { $sensors = $asset_object->get_sensors($conn); } else { $sensors = $asset_object->get_sensors()->get_sensors(); } $sensors = array_keys($sensors); $default_sensor = $sensors[0]; $hids = array('level' => $h_level, 'link' => array(AV_MAIN_PATH . '/ossec/views/ossec_status/status.php?sensor_id=' . $default_sensor, 'environment', 'detection', 'hids')); /* * Getting Vulnerabilities Info */ try { $is_vulns = Vulnerabilities::is_scheduled($conn, $asset_id); $v_level = $is_vulns ? 'green' : 'red'; } catch (Exception $e) { $vulnerabilities = 'gray'; } $vulnerabilities = array('level' => $v_level, 'link' => array(AV_MAIN_PATH . '/vulnmeter/manage_jobs.php', 'environment', 'vulnerabilities', 'scan_jobs')); $data = array('nmap' => $autodetected, 'hids' => $hids, 'vulnerabilities' => $vulnerabilities); $db->close(); echo json_encode($data); /* End of file get_asset_environment.php */
if (!array_key_exists($asset_type, $asset_types)) { Av_exception::throw_error(Av_exception::USER_ERROR, _('Error! Invalid Asset Type')); } $class_name = $asset_types[$asset_type]; // Check Asset Permission if (method_exists($class_name, 'is_allowed') && !$class_name::is_allowed($conn, $asset_id)) { $error = sprintf(_('Error! %s is not allowed'), ucwords($asset_type)); Av_exception::throw_error(Av_exception::USER_ERROR, $error); } $asset_object = $class_name::get_object($conn, $asset_id); $vulns_data = $asset_object->get_vulnerabilities($conn); $vuln_count = $vulns_data[1]; $severities = array(); foreach ($vulns_data[0] as $vuln_asset_id => $asset_vulns) { foreach ($asset_vulns as $vuln) { $_severity = Vulnerabilities::get_severity_by_risk($vuln['risk']); $severities[$_severity]++; } } if ($severities[_('High')] > 0 || $severities[_('Serious')] > 0) { $vuln_level = 3; } elseif ($severities[_('Medium')] > 0 || $severities[_('Low')] > 0) { $vuln_level = 2; } elseif ($severities[_('Info')] > 0) { $vuln_level = 1; } else { $vuln_level = 0; } } else { Av_exception::throw_error(Av_exception::USER_ERROR, _('Error retrieving information')); }
function tab_discovery() { global $component, $uroles, $editdata, $scheduler, $username, $useremail, $dbconn, $disp, $enScanRequestImmediate, $enScanRequestRecur, $timeout, $smethod, $SVRid, $sid, $ip_list, $ip_exceptions_list, $schedule_type, $ROYEAR, $ROday, $ROMONTH, $time_hour, $time_min, $dayofweek, $dayofmonth, $sname, $user, $entity, $hosts_alive, $scan_locally, $version, $nthweekday, $semail, $not_resolve, $time_interval, $ssh_credential, $smb_credential, $net_id; global $pluginOptions, $enComplianceChecks, $profileid; $conf = $GLOBALS["CONF"]; $users = Session::get_users_to_assign($dbconn); $entities_to_assign = Session::get_entities_to_assign($dbconn); $pre_scan_locally_status = $conf->get_conf("nessus_pre_scan_locally"); $user_selected = $user; $entity_selected = $entity; $SVRid_selected = $SVRid; $sid_selected = $sid != "" ? $sid : $editdata['meth_VSET']; $timeout_selected = $editdata["meth_TIMEOUT"]; $ip_list_selected = str_replace("\\r\\n", "\n", str_replace(";;", "\n", $ip_list)); if (count($ip_exceptions_list) > 0) { $ip_list_selected .= "\n" . implode("\n", $ip_exceptions_list); } $ROYEAR_selected = $ROYEAR; $ROday_selected = $ROday; $ROMONTH_selected = $ROMONTH; $time_hour_selected = $time_hour; $time_min_selected = $time_min; $dayofweek_selected = $dayofweek; $dayofmonth_selected = $dayofmonth; $sname_selected = $sname; if (preg_match("/^[a-f\\d]{32}\$/i", $net_id)) { // Autofill new scan job from deployment if (Asset_net::is_in_db($dbconn, $net_id)) { $sname_selected = Asset_net::get_name_by_id($dbconn, $net_id); $schedule_type = "M"; $ip_list = array(); $nips = explode(",", Asset_net::get_ips_by_id($dbconn, $net_id)); foreach ($nips as $nip) { $ip_list[] = $net_id . "#" . trim($nip); } } } if ($schedule_type != "") { $editdata['schedule_type'] = $schedule_type; } $cquery_like = ""; if ($component != "") { $cquery_like = " AND component='{$component}'"; } $today = date("Ymd"); $tyear = substr($today, 0, 4); $nyear = $tyear + 1; $tmonth = substr($today, 4, 2); $tday = substr($today, 6, 2); #SET VALUES UP IF EDIT SCHEDULER if (isset($editdata['notify'])) { $enotify = $editdata['notify']; } else { $enotify = "{$useremail}"; } if (isset($editdata['time'])) { list($time_hour, $time_min, $time_sec) = split(':', $editdata['time']); $tz = Util::get_timezone(); $time_hour = $time_hour + $tz; } $arrTypes = array("N", "O", "D", "W", "M", "NW"); foreach ($arrTypes as $type) { $sTYPE[$type] = ""; } $arrJobTypes = array("C", "M", "R", "S"); foreach ($arrJobTypes as $type) { $sjTYPE[$type] = ""; } if (isset($editdata['schedule_type'])) { $sTYPE[$editdata['schedule_type']] = "selected='selected'"; if ($editdata['schedule_type'] == 'D') { $ni = 2; } elseif ($editdata['schedule_type'] == 'O') { $ni = 3; } elseif ($editdata['schedule_type'] == 'W') { $ni = 4; } elseif ($editdata['schedule_type'] == 'NW') { $ni = 6; } else { $ni = 5; } $show = "<br><script language=javascript>showLayer('idSched', {$ni});</script>"; } else { if ($enScanRequestImmediate) { $sTYPE['N'] = "selected='selected'"; $show = "<br><script language=javascript>showLayer('idSched', 1);</script>"; } else { $sTYPE['O'] = "selected='selected'"; $show = "<br><script language=javascript>showLayer('idSched', 3);</script>"; } } if ($schedule_type != "") { if ($schedule_type == "N") { $show .= "<br><script language=javascript>showLayer('idSched', 1);</script>"; } if ($schedule_type == "O") { $show .= "<br><script language=javascript>showLayer('idSched', 3);</script>"; } if ($schedule_type == "D") { $show .= "<br><script language=javascript>showLayer('idSched', 2);</script>"; } if ($schedule_type == "W") { $show .= "<br><script language=javascript>showLayer('idSched', 4);</script>"; } if ($schedule_type == "M") { $show .= "<br><script language=javascript>showLayer('idSched', 5);</script>"; } if ($schedule_type == "NW") { $show .= "<br><script language=javascript>showLayer('idSched', 6);</script>"; } } if (isset($editdata['job_TYPE'])) { $sjTYPE[$editdata['job_TYPE']] = "SELECTED"; } else { $sjTYPE['M'] = "SELECTED"; } if (isset($editdata['day_of_month'])) { $dayofmonth = $editdata['day_of_month']; } if (isset($editdata['day_of_week'])) { $day[$editdata['day_of_week']] = "SELECTED"; } if ($dayofweek_selected != "") { $day[$dayofweek_selected] = "SELECTED"; } if (!$uroles['nessus']) { $name = "sr-" . substr($username, 0, 6) . "-" . time(); $name = $editdata['name'] == "" ? $name : $editdata['name']; $nameout = $name . "<input type=hidden style='width:210px' name='sname' value='{$name}'>"; } else { $nameout = "<input type=text style='width:210px' name='sname' value='" . ($sname_selected != "" ? "{$sname_selected}" : "{$editdata['name']}") . "'>"; } $discovery = "<input type=\"hidden\" name=\"save_scan\" value=\"1\">"; $discovery .= "<input type=\"hidden\" name=\"cred_type\" value=\"N\">"; $discovery .= "<table width=\"80%\" cellspacing=\"4\">"; $discovery .= "<tr>"; $discovery .= "<input type=\"hidden\" name=\"smethod\" value=\"{$smethod}\">"; $discovery .= "<td width=\"25%\" class='job_option'>" . Util::strong(_("Job Name") . ":") . "</td>"; $discovery .= "<td style=\"text-align:left;\">{$nameout}</td>"; $discovery .= "</tr>"; list($sensor_list, $total) = Av_sensor::get_list($dbconn); $discovery .= "<tr>"; $discovery .= "<td class='job_option'>" . Util::strong(_("Select Server") . ":") . "</td>"; $discovery .= "<td style='text-align:left;'><select id='SVRid' style='width:212px' name='SVRid'>"; $discovery .= "<option value='Null'>" . _("First Available Server-Distributed") . "</option>"; foreach ($sensor_list as $_sensor_id => $sensor_data) { if (intval($sensor_data['properties']['has_vuln_scanner']) == 1) { $discovery .= "<option value=\"{$_sensor_id}\" "; if ($editdata['email'] == $_sensor_id || $editdata['scan_ASSIGNED'] == $_sensor_id) { $discovery .= " SELECTED"; } if ($SVRid_selected == $_sensor_id) { $discovery .= " SELECTED"; } $discovery .= ">" . strtoupper($sensor_data['name']) . " [" . $sensor_data['ip'] . "] </option>"; } } $discovery .= <<<EOT </select> </td> </tr> <tr> EOT; $discovery .= "<td class='job_option'>" . Util::strong(_("Profile") . ":") . "</td>"; $discovery .= "<td style='text-align:left;'><select name='sid'>"; $query = ""; if ($username == "admin" || Session::am_i_admin()) { $query = "SELECT distinct(t1.id), t1.name, t1.description \n FROM vuln_nessus_settings t1 WHERE deleted='0'\n ORDER BY t1.name"; } else { if (Session::is_pro()) { $users_and_entities = Acl::get_entities_to_assign($dbconn); if (Acl::am_i_proadmin()) { $users = Acl::get_my_users($dbconn, Session::get_session_user()); foreach ($users as $us) { $users_and_entities[$us->get_login()] = $us->get_login(); } $owner_list['0'] = '0'; $owner_list = array_keys($users_and_entities); $owner_list = implode("','", $owner_list); $query = "SELECT distinct(t1.id), t1.name, t1.description FROM vuln_nessus_settings t1\n WHERE deleted = '0' and (name='Default' or owner in ('" . $owner_list . "')) ORDER BY t1.name"; } else { $owner_list['0'] = '0'; $owner_list[$username] = $username; $owner_list = array_keys($users_and_entities); $owner_list[] = Session::get_session_user(); $owner_list = implode("','", $owner_list); $user_where = "owner in ('" . $owner_list . "')"; $query = "SELECT distinct(t1.id), t1.name, t1.description FROM vuln_nessus_settings t1\n WHERE deleted = '0' and (name='Default' or {$user_where}) ORDER BY t1.name"; } } else { $query = "SELECT distinct(t1.id), t1.name, t1.description FROM vuln_nessus_settings t1\n WHERE deleted = '0' and (name='Default' or owner in ('0','{$username}')) ORDER BY t1.name"; } } $dbconn->SetFetchMode(ADODB_FETCH_BOTH); $result = $dbconn->execute($query); $job_profiles = array(); $id_found = false; $ipr = 0; while (!$result->EOF) { list($sid, $sname, $sdescription) = $result->fields; if ($sid_selected == $sid) { $id_found = true; } $job_profiles[$ipr]["sid"] = $sid; $job_profiles[$ipr]["sname"] = $sname; $job_profiles[$ipr]["sdescription"] = $sdescription; $ipr++; $result->MoveNext(); } foreach ($job_profiles as $profile_data) { $sid = $profile_data["sid"]; $sname = $profile_data["sname"]; $sdescription = $profile_data["sdescription"]; $discovery .= "<option value=\"{$sid}\" "; if ($sid_selected == $sid) { if ($sdescription != "") { $discovery .= "selected>{$sname} - {$sdescription}</option>"; } else { $discovery .= "selected>{$sname}</option>"; } } else { if ($sdescription != "") { $discovery .= (preg_match("/default/i", $sname) && !$id_found ? 'selected="selected"' : "") . ">{$sname} - {$sdescription}</option>"; } else { $discovery .= (preg_match("/default/i", $sname) && !$id_found ? 'selected="selected"' : "") . ">{$sname}</option>"; } } } $discovery .= "</select>  <a href=\"" . Menu::get_menu_url('settings.php', 'environment', 'vulnerabilities', 'scan_jobs') . "\">[" . _("EDIT PROFILES") . "]</a></td>"; $discovery .= "</tr>"; $discovery .= "<tr>"; $discovery .= "<td class='job_option' style='vertical-align: top;'><div>" . Util::strong(_("Schedule Method") . ":") . "</div></td>"; $discovery .= "<td style='text-align:left'><div><select name='schedule_type' id='scheduleM'>"; $discovery .= "<option value='N' {$sTYPE['N']}>" . _("Immediately") . "</option>"; $discovery .= "<option value='O' {$sTYPE['O']}>" . _("Run Once") . "</option>"; $discovery .= "<option value='D' {$sTYPE['D']}>" . _("Daily") . "</option>"; $discovery .= "<option value='W' {$sTYPE['W']}>" . _("Day of the Week") . "</option>"; $discovery .= "<option value='M' {$sTYPE['M']}>" . _("Day of the Month") . "</option>"; $discovery .= "<option value='NW' {$sTYPE['NW']}>" . _("N<sup>th</sup> weekday of the month") . "</option>"; $discovery .= "</select></div></tr>"; $smethods = array("O", "D", "W", "M", "NW"); $smethodtr_display = in_array($editdata['schedule_type'], $smethods) ? "" : "style='display:none'"; $discovery .= "<tr {$smethodtr_display} id='smethodtr'><td> </td>"; $discovery .= <<<EOT </td> <td><div> <div id="idSched1" class="forminput"> </div> EOT; // div to select start day $discovery .= "<div id=\"idSched8\" class=\"forminput\">"; $discovery .= "<table cellspacing=\"2\" cellpadding=\"0\" width=\"100%\">"; $discovery .= "<tr><th width='35%'>" . _("Begin in") . "</th><td class='noborder' nowrap='nowrap'>" . gettext("Year") . " <select name='biyear'>"; $discovery .= "<option value=\"{$tyear}\" selected>{$tyear}</option>"; $discovery .= "<option value=\"{$nyear}\" >{$nyear}</option>"; $discovery .= "</select> " . gettext("Month") . " <select name='bimonth'>"; for ($i = 1; $i <= 12; $i++) { $discovery .= "<option value=\"{$i}\" "; if ($i == $tmonth) { $discovery .= "selected"; } $discovery .= ">{$i}</option>"; } $discovery .= "</select> " . gettext("Day") . " <select name=\"biday\">"; for ($i = 1; $i <= 31; $i++) { $discovery .= "<option value=\"{$i}\" "; if ($i == $tday) { $discovery .= "selected"; } $discovery .= ">{$i}</option>"; } $discovery .= "</select></td>"; $discovery .= "</tr>"; $discovery .= "</table>"; $discovery .= "</div>"; $discovery .= <<<EOT <div id="idSched3" class="forminput"> <table cellspacing="2" cellpadding="0" width="100%"> EOT; $discovery .= "<tr><th width='35%'>" . _("Day") . "</th><td colspan='6' class='noborder' nowrap='nowrap'>" . gettext("Year") . " <select name='ROYEAR'>"; $discovery .= "<option value=\"{$tyear}\" " . ($ROYEAR_selected == "" || $ROYEAR_selected == $tyear ? "selected" : "") . ">{$tyear}</option>"; $discovery .= "<option value=\"{$nyear}\" " . ($ROYEAR_selected == $nyear ? "selected" : "") . ">{$nyear}</option>"; $discovery .= "</select> " . gettext("Month") . " <select name='ROMONTH'>"; for ($i = 1; $i <= 12; $i++) { $discovery .= "<option value=\"{$i}\" "; if ($i == $tmonth && $ROMONTH_selected == "" || $ROMONTH_selected == $i) { $discovery .= "selected"; } $discovery .= ">{$i}</option>"; } $discovery .= "</select> " . gettext("Day") . " <select name=\"ROday\">"; for ($i = 1; $i <= 31; $i++) { $discovery .= "<option value=\"{$i}\" "; if ($i == $tday && $ROday_selected == "" || $ROday_selected == $i) { $discovery .= "selected"; } $discovery .= ">{$i}</option>"; } $discovery .= <<<EOT </select></td> </tr> </table> </div> <div id="idSched4" class="forminput" > <table width="100%"> <tr> EOT; $discovery .= "<th align=\"right\" width=\"35%\">" . _("Weekly") . "</th><td colspan=\"2\" class=\"noborder\">"; $discovery .= "<select name=\"dayofweek\">"; $discovery .= "<option value=\"Su\" SELECTED >" . gettext("Select week day to run") . "</option>"; $discovery .= "<option value=\"Su\" {$day['Su']} >" . gettext("Sunday") . "</option>"; $discovery .= "<option value=\"Mo\" {$day['Mo']} >" . gettext("Monday") . "</option>"; $discovery .= "<option value=\"Tu\" {$day['Tu']} >" . gettext("Tuesday") . "</option>"; $discovery .= "<option value=\"We\" {$day['We']} >" . gettext("Wednesday") . "</option>"; $discovery .= "<option value=\"Th\" {$day['Th']} >" . gettext("Thursday") . "</option>"; $discovery .= "<option value=\"Fr\" {$day['Fr']} >" . gettext("Friday") . "</option>"; $discovery .= "<option value=\"Sa\" {$day['Sa']} >" . gettext("Saturday") . "</option>"; $discovery .= "</select>"; $discovery .= "</td>"; $discovery .= <<<EOT </tr> </table> </div> <div id="idSched5" class="forminput"> <table width="100%"> <tr> EOT; $discovery .= "<th width='35%'>" . gettext("Select Day") . "</td>"; $discovery .= <<<EOT <td colspan="2" class="noborder"><select name="dayofmonth">" EOT; for ($i = 1; $i <= 31; $i++) { $discovery .= "<option value=\"{$i}\""; if ($dayofmonth == $i && $dayofmonth_selected == "" || $dayofmonth_selected == $i) { $discovery .= " selected"; } $discovery .= ">{$i}</option>"; } $discovery .= <<<EOT </select></td> </tr> </table> </div> <div id="idSched6" class="forminput"> <table width="100%"> <tr> EOT; $discovery .= "<th width=\"35%\">" . gettext("Day of week") . "</th><td colspan=\"2\" class=\"noborder\">"; $discovery .= "<select name=\"nthdayofweek\">"; $discovery .= "<option value=\"Su\" SELECTED >" . gettext("Select week day to run") . "</option>"; $discovery .= "<option value=\"Su\" {$day['Su']} >" . gettext("Sunday") . "</option>"; $discovery .= "<option value=\"Mo\" {$day['Mo']} >" . gettext("Monday") . "</option>"; $discovery .= "<option value=\"Tu\" {$day['Tu']} >" . gettext("Tuesday") . "</option>"; $discovery .= "<option value=\"We\" {$day['We']} >" . gettext("Wednesday") . "</option>"; $discovery .= "<option value=\"Th\" {$day['Th']} >" . gettext("Thursday") . "</option>"; $discovery .= "<option value=\"Fr\" {$day['Fr']} >" . gettext("Friday") . "</option>"; $discovery .= "<option value=\"Sa\" {$day['Sa']} >" . gettext("Saturday") . "</option>"; $discovery .= "</select>"; $discovery .= "</td>"; $discovery .= <<<EOT </tr> </table> <br> <table width="100%"> <tr> EOT; $discovery .= "<th align='right'>" . gettext("N<sup>th</sup> weekday") . "</th><td colspan='2' class='noborder'>"; $discovery .= "<select name='nthweekday'>"; $discovery .= "<option value='1'>" . gettext("Select nth weekday to run") . "</option>"; $discovery .= "<option value='1'" . ($dayofmonth == 1 ? " selected" : "") . ">" . gettext("First") . "</option>"; $discovery .= "<option value='2'" . ($dayofmonth == 2 ? " selected" : "") . ">" . gettext("Second") . "</option>"; $discovery .= "<option value='3'" . ($dayofmonth == 3 ? " selected" : "") . ">" . gettext("Third") . "</option>"; $discovery .= "<option value='4'" . ($dayofmonth == 4 ? " selected" : "") . ">" . gettext("Fourth") . "</option>"; $discovery .= "<option value='5'" . ($dayofmonth == 5 ? " selected" : "") . ">" . gettext("Fifth") . "</option>"; $discovery .= "<option value='6'" . ($dayofmonth == 6 ? " selected" : "") . ">" . gettext("Sixth") . "</option>"; $discovery .= "<option value='7'" . ($dayofmonth == 7 ? " selected" : "") . ">" . gettext("Seventh") . "</option>"; $discovery .= "<option value='8'" . ($dayofmonth == 8 ? " selected" : "") . ">" . gettext("Eighth") . "</option>"; $discovery .= "<option value='9'" . ($dayofmonth == 9 ? " selected" : "") . ">" . gettext("Ninth") . "</option>"; $discovery .= "<option value='10'" . ($dayofmonth == 10 ? " selected" : "") . ">" . gettext("Tenth") . "</option>"; $discovery .= <<<EOT </select> </td> </tr> </table> </div> EOT; $discovery .= "<div id='idSched7' class='forminput' style=margin-bottom:3px;>"; $discovery .= "<table width='100%'>"; $discovery .= "<tr>"; $discovery .= "<th width='35%'>" . _("Frequency") . "</th>"; $discovery .= "<td width='100%' style='text-align:center;' class='nobborder'>"; $discovery .= "<span style='margin-right:5px;'>" . _("Every") . "</span>"; $discovery .= "<select name='time_interval'>"; for ($itime = 1; $itime <= 30; $itime++) { $discovery .= "<option value='" . $itime . "'" . ($editdata['time_interval'] == $itime ? " selected" : "") . ">" . $itime . "</option>"; } $discovery .= "</select>"; $discovery .= "<span id='days' style='margin-left:5px'>" . _("day(s)") . "</span><span id='weeks' style='margin-left:5px'>" . _("week(s)") . "</span>"; $discovery .= "</td>"; $discovery .= "</tr>"; $discovery .= "</table>"; $discovery .= "</div>"; $discovery .= <<<EOT <div id="idSched2" class="forminput"> <table width="100%"> EOT; $discovery .= "<tr>"; $discovery .= "<th rowspan='2' align='right' width='35%'>" . gettext("Time") . "</td>"; $discovery .= "<td align='right'>" . gettext("Hour") . "</td>"; $discovery .= <<<EOT <td align="left" class="noborder"><select name="time_hour"> EOT; for ($i = 0; $i <= 23; $i++) { $discovery .= "<option value=\"{$i}\""; if ($time_hour == $i && $time_hour_selected == "" || $time_hour_selected == $i) { $discovery .= " selected"; } $discovery .= ">{$i}</option>"; } $discovery .= "</select></td><td align='right'>" . gettext("Minutes") . "</td>\n <td class='noborder' align='left'><select name='time_min'>"; for ($i = 0; $i < 60; $i = $i + 15) { $discovery .= "<option value=\"{$i}\""; if ($time_min == $i && $time_min_selected == "" || $time_min_selected == $i) { $discovery .= " selected"; } $discovery .= ">{$i}</option>"; } $discovery .= <<<EOT </select></td> </tr> </table> </div> </tr> EOT; $discovery .= "<tr>"; $discovery .= "\t\t<td class='madvanced'><a class='section'><img id='advanced_arrow' border='0' align='absmiddle' src='../pixmaps/arrow_green.gif'>" . _("ADVANCED") . "</a></td>"; $discovery .= "\t\t<td> </td>"; $discovery .= "</tr>"; if ($_SESSION["scanner"] == "omp") { $credentials = Vulnerabilities::get_credentials($dbconn, 'ssh'); preg_match("/(.*)\\|(.*)/", $editdata["credentials"], $found); $discovery .= "<tr class='advanced'>"; $discovery .= "<td class='job_option'>" . Util::strong(_("SSH Credential:")) . "</td>"; $discovery .= "<td style='text-align:left'><select id='ssh_credential' name='ssh_credential'>"; $discovery .= "<option value=''>--</option>"; foreach ($credentials as $cred) { $login_text = $cred["login"]; if ($cred["login"] == '0') { $login_text = _("All"); } elseif (valid_hex32($cred["login"])) { $login_text = Session::get_entity_name($dbconn, $cred["login"]); } $selected = $found[1] == $cred["name"] . "#" . $cred["login"] || $cred["name"] . "#" . $cred["login"] == $ssh_credential ? " selected='selected'" : ""; $discovery .= "<option value='" . $cred["name"] . "#" . $cred["login"] . "' {$selected}>" . $cred["name"] . " (" . $login_text . ")</option>"; } $discovery .= "</select></td>"; $discovery .= "</tr>"; $credentials = Vulnerabilities::get_credentials($dbconn, 'smb'); $discovery .= "<tr class='advanced'>"; $discovery .= "<td class='job_option'>" . Util::strong(_("SMB Credential:")) . "</td>"; $discovery .= "<td style='text-align:left'><select id='smb_credential' name='smb_credential'>"; $discovery .= "<option value=''>--</option>"; foreach ($credentials as $cred) { $login_text = $cred["login"]; if ($cred["login"] == '0') { $login_text = _("All"); } elseif (valid_hex32($cred["login"])) { $login_text = Session::get_entity_name($dbconn, $cred["login"]); } $selected = $found[2] == $cred["name"] . "#" . $cred["login"] || $cred["name"] . "#" . $cred["login"] == $smb_credential ? " selected='selected'" : ""; $discovery .= "<option value='" . $cred["name"] . "#" . $cred["login"] . "' {$selected}>" . $cred["name"] . " (" . $login_text . ")</option>"; } $discovery .= "</select></td>"; $discovery .= "</tr>"; } $discovery .= "<tr class='job_option advanced'>"; $discovery .= "<td class='job_option'>" . Util::strong(_("Timeout:")) . "</td>"; $discovery .= "<td style=\"text-align:left;\" nowrap><input type='text' style='width:80px' name='timeout' value='" . ($timeout_selected == "" ? "{$timeout}" : "{$timeout_selected}") . "'>"; $discovery .= "<font color='black'> " . _("Max scan run time in seconds") . " </font></td>"; $discovery .= "</tr>"; $discovery .= "<tr class='advanced'><td class='job_option'>" . Util::strong(_("Send an email notification:")); $discovery .= "</td>"; $discovery .= "<td style=\"text-align:left;\">"; $discovery .= "<input type=\"radio\" name=\"semail\" value=\"0\"" . (count($editdata) <= 1 && intval($semail) == 0 || intval($editdata['meth_Wfile']) == 0 ? " checked" : "") . "/>" . _("No"); $discovery .= "<input type=\"radio\" name=\"semail\" value=\"1\"" . (count($editdata) <= 1 && intval($semail) == 1 || intval($editdata['meth_Wfile']) == 1 ? " checked" : "") . "/>" . _("Yes"); $discovery .= "</td></tr>"; $discovery .= "<tr class='advanced'>\n\t\t\t\t\t\t<td class='job_option'>" . Util::strong(_("Scan job visible for:")) . "</td>\n\t\t\t\t\t\t<td style='text-align: left'>\n\t\t\t\t\t\t\t<table cellspacing='0' cellpadding='0' class='transparent' style='margin: 5px 0px;'>\n\t\t\t\t\t\t\t\t<tr>\n\t\t\t\t\t\t\t\t\t<td class='nobborder'><span style='margin-right:3px'>" . _('User:'******'nobborder'>\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t<select name='user' id='user' onchange=\"switch_user('user');return false;\">"; $num_users = 0; foreach ($users as $k => $v) { $login = $v->get_login(); $selected = $editdata["username"] == $login || $user_selected == $login ? "selected='selected'" : ""; $options .= "<option value='" . $login . "' {$selected}>{$login}</option>\n"; $num_users++; } if ($num_users == 0) { $discovery .= "<option value='' style='text-align:center !important;'>- " . _("No users found") . " -</option>"; } else { $discovery .= "<option value='' style='text-align:center !important;'>- " . _("Select one user") . " -</option>\n"; $discovery .= $options; } $discovery .= "\t\t\t\t\t\t</select>\n\t\t\t\t\t\t\t\t\t</td>"; if (!empty($entities_to_assign)) { $discovery .= "\t \t\t\t<td style='text-align:center; border:none; !important'><span style='padding:5px;'>" . _("OR") . "<span></td>\n\t\t\t\t\t\t\t\t\t<td class='nobborder'><span style='margin-right:3px'>" . _("Entity:") . "</span></td>\n\t\t\t\t\t\t\t\t\t<td class='nobborder'>\t\n\t\t\t\t\t\t\t\t\t\t<select name='entity' id='entity' onchange=\"switch_user('entity');return false;\">\n\t\t\t\t\t\t\t\t\t\t\t<option value='' style='text-align:center !important;'>-" . _("Select one entity") . "-</option>"; foreach ($entities_to_assign as $k => $v) { $selected = $editdata["username"] == $k || $entity_selected == $k ? "selected='selected'" : ""; $discovery .= "<option value='{$k}' {$selected}>{$v}</option>"; } $discovery .= "\t\t\t\t\t</select>\n\t\t\t\t\t\t\t\t\t</td>"; } $discovery .= " \t \t</tr>\n\t\t\t\t\t\t\t</table>\n\t\t\t\t\t\t</td>\n\t\t\t\t\t</tr>"; $discovery .= "<tr><td valign=\"top\" width=\"15%\" class=\"job_option noborder\"><br>"; // conditions to exclude IPs $condition1 = count($editdata) <= 1 && intval($hosts_alive) == 1 ? TRUE : FALSE; $condition2 = preg_match('/' . EXCLUDING_IP2 . '/', trim($editdata["meth_TARGET"])); $condition3 = intval($editdata['meth_CRED']) == 1 ? TRUE : FALSE; $condition4 = count($ip_exceptions_list) > 0 ? TRUE : FALSE; $host_alive_check = $condition1 || $condition2 || $condition3 || $condition4 ? ' checked' : ''; $host_alive_status = $condition2 || $condition4 ? ' disabled=\\"disabled\\"' : ''; $discovery .= "<input onclick=\"toggle_scan_locally()\" type=\"checkbox\" id=\"hosts_alive\" name=\"hosts_alive\" value=\"1\"" . $host_alive_check . $host_alive_status . ">" . Util::strong(_("Only scan hosts that are alive")) . "<br>(" . Util::strong(_("greatly speeds up the scanning process")) . ")<br><br>"; $discovery .= "<input type=\"checkbox\" id=\"scan_locally\" name=\"scan_locally\" value=\"1\"" . ($pre_scan_locally_status == 0 ? " disabled=\"disabled\"" : "") . ($pre_scan_locally_status == 1 && (intval($editdata['authorized']) == 1 || intval($scan_locally) == 1) ? " checked" : "") . ">" . Util::strong(_("Pre-Scan locally")) . "<br>(" . Util::strong(_("do not pre-scan from scanning sensor")) . ")<br><br>"; $discovery .= "<input type=\"checkbox\" id=\"not_resolve\" name=\"not_resolve\" value=\"1\" " . ($editdata['resolve_names'] === "0" || $not_resolve == "1" ? "checked=\"checked\"" : "") . "/>" . Util::strong(_("Do not resolve names")); $discovery .= <<<EOT </td> EOT; $discovery .= ' <td class="noborder" valign="top">'; $discovery .= ' <table width="100%" class="transparent" cellspacing="0" cellpadding="0">'; $discovery .= ' <tr>'; $discovery .= ' <td class="nobborder" style="vertical-align: top;text-align:left;padding:10px 0px 0px 0px;">'; $discovery .= ' <table class="transparent" cellspacing="4">'; $discovery .= ' <tr>'; $discovery .= ' <td class="nobborder" style="text-align:left;"><input class="greyfont" type="text" id="searchBox" value="' . _("Type here to search assets (Hosts/Networks)") . '" /></td>'; $discovery .= ' </tr>'; $discovery .= ' <tr>'; $discovery .= ' <td class="nobborder"><select id="targets" name="targets[]" multiple="multiple">'; if (!empty($editdata["meth_TARGET"])) { $ip_list = explode("\n", trim($editdata["meth_TARGET"])); } if (!empty($ip_list)) { foreach ($ip_list as $asset) { if (preg_match("/([a-f\\d]+)#(.*)/i", $asset, $found)) { if (Asset_host::is_in_db($dbconn, $found[1])) { $_asset_name = Asset_host::get_name_by_id($dbconn, $found[1]) . " (" . $found[2] . ")"; } else { $_asset_name = Asset_net::get_name_by_id($dbconn, $found[1]) . " (" . $found[2] . ")"; } $discovery .= '<option value="' . $asset . '">' . $_asset_name . '</option>'; } else { $discovery .= '<option value="' . $asset . '">' . $asset . '</option>'; } } foreach ($ip_exceptions_list as $asset) { $discovery .= '<option value="' . $asset . '">' . $asset . '</option>'; } } $discovery .= ' </select></td>'; $discovery .= ' </tr>'; $discovery .= ' <tr>'; $discovery .= ' <td class="nobborder" style="text-align:right"><input type="button" value=" [X] " id="delete_target" class="av_b_secondary small"/>'; $discovery .= ' <input type="button" style="margin-right:0px;"value="Delete all" id="delete_all" class="av_b_secondary small"/></td>'; $discovery .= ' </tr>'; $discovery .= ' </table>'; $discovery .= ' </td>'; $discovery .= ' <td class="nobborder" width="450px;" style="vertical-align: top;padding:0px 0px 0px 5px;">'; $discovery .= ' <div id="vtree" style="text-align:left;width:100%;"></div>'; $discovery .= ' </td>'; $discovery .= ' </tr>'; $discovery .= ' </table>'; $discovery .= ' </td>'; $discovery .= '</tr>'; $discovery .= '</table>'; $discovery .= '</tr></td></table>'; $discovery .= $show; return $discovery; }
// HOME IP $vulns = -1; $_ctx = $ctx; $homelan = ''; $hostname = ''; $_net_id = preg_match('/src/', $prefix) ? $event_info['src_net'] : $event_info['dst_net']; $host_obj = Asset_host::get_object($conn, $uuid, TRUE); if (is_object($host_obj)) { $hostname = $host_obj->get_name(); $_ctx = $host_obj->get_ctx(); } $host_output = Asset_host::get_extended_name($conn, $geoloc, $ip, $_ctx, $uuid, $_net_id); $homelan = $host_output['is_internal'] ? 'bold' : ''; if ($homelan) { $location = '<strong>' . _('UNKNOWN') . '</strong>'; $vulns = Vulnerabilities::get_latest_vulns($conn, $ip); } $net = array_shift(Asset_host::get_closest_net($conn, $ip, $_ctx)); if (is_array($net) && !empty($net)) { $location = ''; if ($net['icon'] != '') { $location = "<img src='data:image/png;base64," . base64_encode($net['icon']) . "' border='0'> "; } $location .= '<strong>' . strtoupper($net['name']) . '</strong> (' . $net['ips'] . ')'; } // OTX / Vulns $subfix = str_replace('_t', '_', $prefix); $rep_tooltip = Reputation::getreptooltip($event_info['rep_prio' . $subfix], $event_info['rep_rel' . $subfix], $event_info['rep_act' . $subfix], FALSE); if ($info_ip['rep'] == 1) { $labs = Reputation::getlabslink($ip); $otx = '<a href="' . $labs . '" class="otx" target="_blank" data-title="' . $rep_tooltip . '">' . _('Yes') . '</a>';
function CheckScanner() { $result = ""; $arr_out = array(); $nessus_path = $GLOBALS["CONF"]->get_conf("nessus_path"); $nessus_host = $GLOBALS["CONF"]->get_conf("nessus_host"); $nessus_port = $GLOBALS["CONF"]->get_conf("nessus_port"); $nessus_user = $GLOBALS["CONF"]->get_conf("nessus_user"); $nessus_pass = $GLOBALS["CONF"]->get_conf("nessus_pass"); if (Vulnerabilities::scanner_type() == "omp") { // OMP $command = "export HOME='/tmp';" . escapeshellcmd($nessus_path) . " -h " . escapeshellarg($nessus_host) . " -p " . escapeshellarg($nessus_port) . " -u " . escapeshellarg($nessus_user) . " -w " . escapeshellarg($nessus_pass) . " -iX \"<help/>\" | grep CREATE_TASK 2>&1"; } else { // OpenVAS and nessus $command = "export HOME='/tmp';" . escapeshellcmd($nessus_path) . " -qxP " . escapeshellarg($nessus_host) . " " . escapeshellarg($nessus_port) . " " . escapeshellarg($nessus_user) . " " . escapeshellarg($nessus_pass) . " | grep max_hosts 2>&1"; } //print_r($command); exec($command, $arr_out); $out = implode(" ", $arr_out); //print_r($out); if (preg_match("/host not found|could not open a connection|login failed|could not connect/i", $out)) { return _("Scanner check failed, sensor IP = ") . "<strong>" . $nessus_host . "</strong><br />" . _("Please verify the configuration in Configuration -> Main -> Advanced -> Vulnerability Scanner and retry.") . ":<br>" . implode("<br>", $arr_out); } else { if (!preg_match("/max_hosts/i", $out) && !preg_match("/CREATE_TASK/i", $out)) { return _("Scanner check failed, sensor IP = ") . "<strong>" . $nessus_host . "</strong><br />" . _("Please verify the configuration in Configuration -> Main -> Advanced -> Vulnerability Scanner and retry."); } } return $result; }
$host_id = key($hosts_list); $result = $hosts_list[$host_id]['ctx']; } else { $result = ''; } } } break; case 'get_sensor_ip': $result = Av_sensor::get_ip_by_id($dbconn, $data_1); break; case 'update_vuln_jobs_assets': $action = $data_1; $job_id = $data_2; $job_type = $data_3; $result = Vulnerabilities::update_vuln_job_assets($dbconn, $action, $job_id, $job_type); break; case 'get_system_uuid': $result = Util::get_encryption_key(); break; case 'get_varhex': $result = bin2hex(inet_pton($data_1)); break; case 'insert_host': list($hostip, $ctx, $hostname, $aliases) = explode('|', base64_decode($data_1)); $hostid = key(Asset_host::get_id_by_ips($dbconn, $hostip, $ctx)); if (!Asset_host::is_in_db($dbconn, $hostid)) { list($sensor_list, $total) = Av_sensor::get_list($dbconn, array('where' => "acl_sensors.entity_id=UNHEX('{$ctx}')")); $sensors = array_keys($sensor_list); try { $hostid = Util::uuid();
echo _("Create Credential"); ?> "></td> </tr> </table> </form> </td> <td width="10%"> </td> <?php } // Only admin if (Session::am_i_admin()) { ?> <td <?php echo Vulnerabilities::scanner_type() == "omp" ? "width=\"55%\"" : ""; ?> valign="top"> <form method='post' action='webconfig.php'> <input type='hidden' name='action' value='save_configuration'> <table class='w100 transparent' cellspacing="0" cellpadding="0"> <tr><td class="headerpr_no_bborder"><?php echo _("Settings"); ?> </td></tr> </table> <table class="w100"> <tr> <td><?php
function submit_scan($SVRid, $job_name, $ssh_credential, $smb_credential, $schedule_type, $not_resolve, $user, $entity, $targets, $scheduled_status, $hosts_alive, $sid, $send_email, $timeout, $scan_locally, $dayofweek, $dayofmonth, $ROYEAR, $ROMONTH, $ROday, $time_hour, $time_min, $time_interval, $sched_id, $biyear, $bimonth, $biday, $nthweekday, $tz, $daysMap) { $db = new ossim_db(); $dbconn = $db->connect(); $credentials = $ssh_credential . '|' . $smb_credential; $username = valid_hex32($entity) ? $entity : $user; if (empty($username)) { $username = Session::get_session_user(); } $btime_hour = $time_hour; // save local time $btime_min = $time_min; $bbiyear = $biyear; $bbimonth = $bimonth; $bbiday = $biday; if ($schedule_type == 'O') { // date and time for run once if (empty($ROYEAR)) { $ROYEAR = gmdate('Y'); } if (empty($ROMONTH)) { $ROMONTH = gmdate('m'); } if (empty($ROday)) { $ROday = gmdate('d'); } list($_y, $_m, $_d, $_h, $_u, $_s, $_time) = Util::get_utc_from_date($dbconn, "{$ROYEAR}-{$ROMONTH}-{$ROday} {$time_hour}:{$time_min}:00", $tz); $ROYEAR = $_y; $ROMONTH = $_m; $ROday = $_d; $time_hour = $_h; $time_min = $_u; } else { if (in_array($schedule_type, array('D', 'W', 'M', 'NW'))) { // date and time for Daily, Day of Week, Day of month, Nth weekday of month list($b_y, $b_m, $b_d, $b_h, $b_u, $b_s, $b_time) = Util::get_utc_from_date($dbconn, "{$biyear}-{$bimonth}-{$biday} {$time_hour}:{$time_min}:00", $tz); $biyear = $b_y; $bimonth = $b_m; $biday = $b_d; $time_hour = $b_h; $time_min = $b_u; } } $resolve_names = $not_resolve == '1' ? 0 : 1; if ($schedule_type != 'N') { // current datetime in UTC $arrTime = explode(":", gmdate('Y:m:d:w:H:i:s')); $year = $arrTime[0]; $mon = $arrTime[1]; $mday = $arrTime[2]; $wday = $arrTime[3]; $hour = $arrTime[4]; $min = $arrTime[5]; $sec = $arrTime[6]; $timenow = $hour . $min . $sec; $run_wday = $daysMap[$dayofweek]['number']; $run_time = sprintf('%02d%02d%02d', $time_hour, $time_min, '00'); $run_mday = $dayofmonth; $time_value = "{$time_hour}:{$time_min}:00"; $ndays = array('Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'); $begin_in_seconds = Util::get_utc_unixtime("{$biyear}-{$bimonth}-{$biday} {$time_hour}:{$time_min}:00") - 3600 * $tz; $current_in_seconds = gmdate('U'); // current datetime in UTC if (strlen($bimonth) == 1) { $bimonth = '0' . $bimonth; } if (strlen($biday) == 1) { $biday = '0' . $biday; } } switch ($schedule_type) { case 'N': $requested_run = gmdate('YmdHis'); break; case 'O': $requested_run = sprintf('%04d%02d%02d%06d', $ROYEAR, $ROMONTH, $ROday, $run_time); break; case 'D': if ($begin_in_seconds > $current_in_seconds) { $next_day = $biyear . $bimonth . $biday; // selected date by user } else { if ($run_time > $timenow) { $next_day = $year . $mon . $mday; // today } else { $next_day = gmdate("Ymd", strtotime("+1 day GMT", gmdate("U"))); // next day } } $requested_run = sprintf("%08d%06d", $next_day, $run_time); break; case 'W': if ($begin_in_seconds > $current_in_seconds) { // if it is a future date $wday = date("w", mktime(0, 0, 0, $bimonth, $biday, $biyear)); // make week day for begin day if ($run_wday == $wday) { $next_day = $biyear . $bimonth . $biday; // selected date by user } else { $next_day = gmdate("Ymd", strtotime("next " . $ndays[$run_wday] . " GMT", mktime(0, 0, 0, $bimonth, $biday, $biyear))); } } else { if ($run_wday == $wday && $run_time > $timenow) { $next_day = $year . $mon . $mday; // today } else { $next_day = gmdate("Ymd", strtotime("next " . $ndays[$run_wday] . " GMT", gmdate("U"))); // next week } } preg_match("/(\\d{4})(\\d{2})(\\d{2})/", $next_day, $found); list($b_y, $b_m, $b_d, $b_h, $b_u, $b_s, $b_time) = Util::get_utc_from_date($dbconn, $found[1] . "-" . $found[2] . "-" . $found[3] . " {$btime_hour}:{$btime_min}:00", $tz); $requested_run = sprintf("%04d%02d%02d%02d%02d%02d", $b_y, $b_m, $b_d, $b_h, $b_u, "00"); break; case 'M': if ($begin_in_seconds > $current_in_seconds) { // if it is a future date if ($run_mday >= $biday) { $next_day = $biyear . $bimonth . ($run_mday < 10 ? "0" : "") . $run_mday; // this month } else { $next_day = sprintf("%06d%02d", gmdate("Ym", strtotime("next month GMT", mktime(0, 0, 0, $bimonth, $biday, $biyear))), $run_mday); } } else { if ($run_mday > $mday || $run_mday == $mday && $run_time > $timenow) { $next_day = $year . $mon . ($run_mday < 10 ? "0" : "") . $run_mday; // this month } else { $next_day = sprintf("%06d%02d", gmdate("Ym", strtotime("next month GMT", gmdate("U"))), $run_mday); } } preg_match("/(\\d{4})(\\d{2})(\\d{2})/", $next_day, $found); list($b_y, $b_m, $b_d, $b_h, $b_u, $b_s, $b_time) = Util::get_utc_from_date($dbconn, $found[1] . "-" . $found[2] . "-" . $found[3] . " {$btime_hour}:{$btime_min}:00", $tz); $requested_run = sprintf("%04d%02d%02d%02d%02d%02d", $b_y, $b_m, $b_d, $b_h, $b_u, "00"); break; case 'NW': if ($begin_in_seconds > $current_in_seconds) { // if it is a future date $array_time = array('month' => $bbimonth, 'day' => $bbiday, 'year' => $bbiyear); $requested_run = weekday_month(strtolower($daysMap[$dayofweek]['text']), $nthweekday, $btime_hour, $btime_min, $array_time); } else { $requested_run = weekday_month(strtolower($daysMap[$dayofweek]['text']), $nthweekday, $btime_hour, $btime_min); } preg_match("/(\\d{4})(\\d{2})(\\d{2})(\\d{2})(\\d{2})(\\d{2})/", $requested_run, $found); list($b_y, $b_m, $b_d, $b_h, $b_u, $b_s, $b_time) = Util::get_utc_from_date($dbconn, $found[1] . "-" . $found[2] . "-" . $found[3] . " " . $found[4] . ":" . $found[5] . ":00", $tz); $requested_run = sprintf("%04d%02d%02d%02d%02d%02d", $b_y, $b_m, $b_d, $b_h, $b_u, "00"); $dayofmonth = $nthweekday; break; default: break; } $insert_time = gmdate('YmdHis'); if (!empty($_SESSION['_vuln_targets']) && count($_SESSION['_vuln_targets']) > 0) { $sgr = array(); foreach ($_SESSION['_vuln_targets'] as $target_selected => $server_id) { $sgr[$server_id][] = $target_selected; } ossim_clean_error(); unset($_SESSION['_vuln_targets']); // clean scan targets $resolve_names = $not_resolve == '1' ? 0 : 1; $queries = array(); $bbimonth = strlen($bbimonth) == 1 ? '0' . $bbimonth : $bbimonth; $bbiday = strlen($bbiday) == 1 ? '0' . $bbiday : $bbiday; $qc = 0; if ($schedule_type == 'N') { foreach ($sgr as $notify_sensor => $target_list) { $target_list = implode("\n", $target_list); $params = array($job_name, $username, Session::get_session_user(), $schedule_type, $target_list, $hosts_alive, $sid, $send_email, $timeout, $SVRid, $insert_time, $requested_run, '3', 'S', $notify_sensor, $scan_locally, '', $resolve_names, $credentials); $queries[$qc]['query'] = 'INSERT INTO vuln_jobs ( name, username, fk_name, meth_SCHED, meth_TARGET, meth_CRED, meth_VSET, meth_Wfile, meth_TIMEOUT, scan_ASSIGNED, scan_SUBMIT, scan_next, scan_PRIORITY, status, notify, authorized, author_uname, resolve_names, credentials ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'; $queries[$qc]['params'] = $params; $qc++; } } else { $params = array($bbiyear . $bbimonth . $bbiday, $job_name, $username, Session::get_session_user(), $schedule_type, $dayofweek, $dayofmonth, $time_value, implode("\n", $targets), $hosts_alive, $sid, $send_email, $scan_locally, $timeout, $requested_run, $insert_time, strval($scheduled_status), $resolve_names, $time_interval, '', $credentials, $SVRid); $queries[$qc]['query'] = 'INSERT INTO vuln_job_schedule ( begin, name, username, fk_name, schedule_type, day_of_week, day_of_month, time, meth_TARGET, meth_CRED, meth_VSET, meth_Wfile, meth_Ucheck, meth_TIMEOUT, next_CHECK, createdate, enabled, resolve_names, time_interval, IP_ctx, credentials, email) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) '; $queries[$qc]['params'] = $params; $qc++; } $execute_errors = array(); foreach ($queries as $id => $sql_data) { $rs = $dbconn->execute($sql_data['query'], $sql_data['params']); if ($rs === FALSE) { $execute_errors[] = $dbconn->ErrorMsg(); } } if (empty($execute_errors) && $schedule_type != 'N') { // We have to update the vuln_job_assets if (intval($sched_id) == 0) { $query = ossim_query('SELECT LAST_INSERT_ID() as sched_id'); $rs = $dbconn->Execute($query); if (!$rs) { Av_exception::throw_error(Av_exception::DB_ERROR, $dbconn->ErrorMsg()); } else { $sched_id = $rs->fields['sched_id']; } } Vulnerabilities::update_vuln_job_assets($dbconn, 'insert', $sched_id, 0); } $config_nt = array('content' => '', 'options' => array('type' => 'nf_success', 'cancel_button' => FALSE), 'style' => 'width: 40%; margin: 20px auto; text-align: center;'); $config_nt['content'] = empty($execute_errors) ? _('Successfully Submitted Job') : _('Error creating scan job:') . implode('<br>', $execute_errors); $nt = new Notification('nt_1', $config_nt); $nt->show(); $dbconn->close(); } }