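function UpdateWhoisCache($db) {
    // Runs a WHOIS lookup (via baseGetWhois) for every distinct source and
    // destination address in acid_event that has no ipc_whois entry in
    // acid_ip_cache yet, then reports how many lookups were performed.
    //   $db: the BASE database handle (baseExecute / baseFetchRow / baseFreeRows).
    // $whois_cache_lifetime is passed straight through to baseGetWhois.
    global $debug_mode, $whois_cache_lifetime;
    $cnt = 0;
    // Source and destination columns are processed identically. The column
    // name is taken from this fixed list only (never from caller input), so
    // concatenating it into the SQL is safe.
    foreach (array("ip_src", "ip_dst") as $ip_column) {
        $ip_result = $db->baseExecute("SELECT DISTINCT " . $ip_column . " FROM acid_event " .
            "LEFT JOIN acid_ip_cache ON ipc_ip = " . $ip_column . " " .
            "WHERE ipc_whois IS NULL");
        while (($row = $ip_result->baseFetchRow()) != NULL) {
            // baseLong2IP() converts the stored numeric address to dotted form
            // before it is handed to the lookup.
            baseGetWhois(baseLong2IP($row[0]), $db, $whois_cache_lifetime);
            ++$cnt;
        }
        $ip_result->baseFreeRows();
    }
    ErrorMessage(gettext("Added ") . $cnt . gettext(" hostnames to the Whois cache"));
}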
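function ExportPacket_summary($sid, $cid, $db, $export_type = 0) {
    // Builds the one-line export summary for event ($sid, $cid):
    //   $export_type == 0 -> "#sid-cid| [timestamp] src:port -> dst:port signature\r\n"
    //   otherwise         -> a double-quoted, comma-separated row with the same fields
    // $db is the BASE database handle. Returns the formatted line (with CRLF).
    global $action, $action_arg;

    // sid/cid are integer event identifiers (the output formats them with %d).
    // Casting before they reach the queries keeps non-numeric input out of the
    // SQL strings, which this file builds by concatenation.
    $sid = (int) $sid;
    $cid = (int) $cid;
    $where = " WHERE sid='" . $sid . "' AND cid='" . $cid . "'";

    /* Event */
    $result2 = $db->baseExecute("SELECT signature, timestamp FROM acid_event" . $where);
    $myrow2 = $result2->baseFetchRow();
    $alert_timestamp = $myrow2[1];
    $alert_sig = BuildSigByID($myrow2[0], $sid, $cid, $db, 2);
    $result2->baseFreeRows();

    /* IP */
    $src_ip = $dst_ip = $src_port = $dst_port = "";
    $layer4_proto = "";
    $result2 = $db->baseExecute("SELECT ip_src, ip_dst, ip_proto FROM iphdr" . $where);
    $myrow2 = $result2->baseFetchRow();
    if ($myrow2[0] != "") {
        $src_ip = baseLong2IP($myrow2[0]);
        $dst_ip = baseLong2IP($myrow2[1]);
        $layer4_proto = $myrow2[2];
    }
    $result2->baseFreeRows();

    /* Layer-4 ports (TCP / UDP). Loose == on purpose: ip_proto may come back
       from the driver as int or string. */
    $have_ports = false;
    $sport = $dport = "";
    if ($layer4_proto == "6") {
        $result2 = $db->baseExecute("SELECT tcp_sport, tcp_dport FROM tcphdr" . $where);
        $myrow2 = $result2->baseFetchRow();
        $sport = $myrow2[0];
        $dport = $myrow2[1];
        $result2->baseFreeRows();
        $have_ports = true;
    } elseif ($layer4_proto == "17") {
        // Positional columns 2 and 3 of udphdr are relied on as source and
        // destination port, exactly as the original SELECT * did; an explicit
        // column list would make this robust against schema changes.
        $result2 = $db->baseExecute("SELECT * FROM udphdr" . $where);
        $myrow2 = $result2->baseFetchRow();
        $sport = $myrow2[2];
        $dport = $myrow2[3];
        $result2->baseFreeRows();
        $have_ports = true;
    }
    if ($have_ports) {
        if ($export_type == 0) {
            $src_port = ":" . $sport . " -> ";
            $dst_port = ":" . $dport;
        } else {
            $src_port = $sport;
            $dst_port = $dport;
        }
    }

    /* ICMP (1) and portscan traffic (255) carry no ports; in text form the
       arrow follows the source address directly. */
    if ($layer4_proto == "1" || $layer4_proto == "255") {
        if ($export_type == 0) {
            $src_ip .= " -> ";
        }
    }

    if ($export_type == 0) {
        return sprintf("#%d-%d| [%s] %s%s%s%s %s\r\n", $sid, $cid, $alert_timestamp, $src_ip, $src_port, $dst_ip, $dst_port, $alert_sig);
    }
    // NOTE: fields are wrapped in double quotes but embedded quotes are not
    // doubled, so a signature text containing '"' would break the CSV row.
    return sprintf("\"%d\", \"%d\", \"%s\", \"%s\", \"%s\", \"%s\", \"%s\", \"%s\"\r\n", $sid, $cid, $alert_timestamp, $src_ip, $src_port, $dst_ip, $dst_port, $alert_sig);
}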
//$qs->PrintResultCnt(); $country_acc = array(); $country_uhn = array(); $countries = array(); // Ordered $hosts_ips = array_keys($hosts); if (is_array($_SESSION["server"]) && $_SESSION["server"][0] != "") { $_conn = $dbo->custom_connect($_SESSION["server"][0], $_SESSION["server"][2], $_SESSION["server"][3]); } else { $_conn = $dbo->connect(); } while ($myrow = $result->baseFetchRow()) { if ($myrow[0] == NULL) { continue; } $currentIP = baseLong2IP($myrow[0]); $ip_type = $myrow[1]; $num_events = $myrow[2]; $field = $ip_type == 'S' ? 'srcnum' : 'dstnum'; //if (geoip_country_name_by_addr($gi, $currentIP)=="" && (Net::is_ip_in_cache_cidr($_conn, $currentIP) || in_array($currentIP, $hosts_ips))) { // $country_name = _("Local"); // $country = 'local'; //} else { $country = strtolower(geoip_country_code_by_addr($gi, $currentIP)); $country_name = geoip_country_name_by_addr($gi, $currentIP); //} if ($country_name == "") { $country_name = _("Unknown Country"); } //echo "IP $currentIP $country_name <br>"; if ($country_name != _("Unknown Country")) {
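function GetCountryDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria) {
    // Builds the per-country alert counts used by the country charts.
    //   $xdata         (out) filled as $xdata[$i] = array(country, alert_count)
    //   $chart_type    14/15 aggregate by ip_src, 16/17 by ip_dst
    //   $data_source   unused here; kept for signature compatibility
    //   $min_threshold addresses with fewer alerts than this are skipped
    //   $criteria      array(join clause, where clause) prepared by the caller
    // Country lookup uses the Geo::IPfree ASCII database ($Geo_IPfree_file_ascii)
    // when configured, otherwise the external ip2cc program ($IP2CC).
    // Returns the number of countries written to $xdata, or 0 after reporting
    // an error through ErrorMessage().
    global $db, $debug_mode, $Geo_IPfree_file_ascii, $IP2CC;

    if ($chart_type == 14 || $chart_type == 15) {
        $ip_column = "ip_src";
    } elseif ($chart_type == 16 || $chart_type == 17) {
        $ip_column = "ip_dst";
    } else {
        // The original left $sql undefined for any other chart type.
        ErrorMessage("ERROR: chart type " . $chart_type . " is not a country chart.<BR>\n");
        return 0;
    }

    // Decide which lookup method is usable before touching the database, so a
    // configuration error does not leave an unfreed result set behind.
    $country_method = 0;
    if (!isset($Geo_IPfree_file_ascii) && !isset($IP2CC)) {
        ErrorMessage("ERROR: Neither \$Geo_IPfree_file_ascii nor \$IP2CC has been configured in base_conf.php.<BR>\n");
        return 0;
    }
    $Geo_IPfree_array = array();
    if (isset($Geo_IPfree_file_ascii)) {
        if (empty($Geo_IPfree_file_ascii)) {
            ErrorMessage("ERROR: \$Geo_IPfree_file_ascii is an empty string.<BR>\n");
            return 0;
        }
        if (!is_file($Geo_IPfree_file_ascii)) {
            ErrorMessage("ERROR: " . $Geo_IPfree_file_ascii . " could not be found. Wrong path, perhaps?<BR>\n");
            return 0;
        }
        if (!is_readable($Geo_IPfree_file_ascii)) {
            ErrorMessage("ERROR: " . $Geo_IPfree_file_ascii . " does exist, but is not readable. Wrong permissions, perhaps?<BR>\n");
            return 0;
        }
        $country_method = 1;
        // Loads the ASCII database into $Geo_IPfree_array (presumably an out
        // parameter; the original passed an undefined variable here).
        ReadGeoIPfreeFileAscii($Geo_IPfree_array);
    } else {
        // $IP2CC is set here (the "neither configured" case was handled above).
        if (empty($IP2CC)) {
            ErrorMessage("ERROR: \$IP2CC is an empty string.<BR>\n");
            return 0;
        }
        // safe_mode no longer exists in current PHP; ini_get() then returns
        // false and these hints are simply not shown.
        $safe_mode = ini_get("safe_mode") == 1;
        if (!is_file($IP2CC)) {
            ErrorMessage("ERROR: " . $IP2CC . " could not be found. Wrong path, perhaps?<BR>\n");
            if ($safe_mode) {
                // The original named $Geo_IPfree_file_ascii in this hint,
                // which is the wrong file for the ip2cc branch.
                ErrorMessage("In \"safe_mode\" the file \"" . $IP2CC . "\" must be owned by the user under which the web server is running. Adding it to both safe_mode_exec_dir and to include_path in /etc/php.ini does NOT seem to be sufficient.<BR>\n");
            }
            return 0;
        }
        if (!is_executable($IP2CC)) {
            ErrorMessage("ERROR: " . $IP2CC . " does exist, but is not executable. Wrong permissions, perhaps?<BR>\n");
            if ($safe_mode) {
                ErrorMessage("In \"safe_mode\" the path \"" . dirname($IP2CC) . "\" must also be part of safe_mode_exec_dir in /etc/php.ini:<BR><BR>\n" . "safe_mode_exec_dir = \"" . dirname($IP2CC) . "\"<BR><BR>" . "It seems that not more than ONE SINGLE directory may be assigned to safe_mode_exec_dir.<BR>\n");
            }
            return 0;
        }
        $country_method = 2;
    }

    // $criteria[0] (joins) and $criteria[1] (WHERE body) are concatenated as
    // supplied by the caller; this function cannot validate them.
    $sql = "SELECT DISTINCT " . $ip_column . ", COUNT(acid_event.cid) " . "FROM acid_event " . $criteria[0] . "WHERE " . $criteria[1] . " AND " . $ip_column . " is NOT NULL " . "GROUP BY " . $ip_column . " ORDER BY " . $ip_column;
    $result = $db->baseExecute($sql);

    // Loop through all the ip addresses returned by the sql query.
    $addresses = array();
    $countries = array();
    $mycountry = "";
    $cnt = 0;
    while ($myrow = $result->baseFetchRow()) {
        if ($myrow[1] < $min_threshold) {
            continue;
        }
        $addresses[$cnt][0] = baseLong2IP($myrow[0]);
        $addresses[$cnt][1] = $myrow[1];
        // Which country does this address belong to? $mycountry is filled by
        // the lookup. For method 2 the address presumably reaches the external
        // $IP2CC program (see the is_executable check above); it is produced by
        // baseLong2IP() from a numeric column, so it is a dotted quad, not free text.
        switch ($country_method) {
            case 1:
                GeoIPfree_IP2Country($Geo_IPfree_array, $addresses[$cnt][0], $mycountry);
                break;
            case 2:
                run_ip2cc($addresses[$cnt][0], $mycountry);
                break;
            default:
                // Not reachable: both configuration branches above set the method.
                $result->baseFreeRows();
                ErrorMessage("WARNING: country_method no. " . $country_method . " is not supported.<BR>\n");
                return 0;
        }
        // Increase number of alerts for this country.
        IncreaseCountryValue($countries, $mycountry, $addresses[$cnt][1]);
        ++$cnt;
    }
    $result->baseFreeRows();

    // Also true when no address passed the threshold (no lookup ran at all).
    if (empty($mycountry)) {
        ErrorMessage("ERROR: \$mycountry has not been set as expected.<BR>\n");
        return 0;
    }

    // Now set up the chart array (foreach replaces each(), removed in PHP 8).
    $cnt2 = 0;
    foreach ($countries as $key => $val) {
        $xdata[$cnt2][0] = $key;
        $xdata[$cnt2][1] = $val;
        $cnt2++;
    }
    // Return number of countries rather than number of addresses.
    return $cnt2;
}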
<th>Prio</th> <th>Rel</th> <th>Risk</th> <th>L4-proto</th> </tr> <?php $i = 0; foreach ($sim_events as $sim_event) { if ($i >= 5) { continue; } $color = $i % 2 == 0 ? "#F2F2F2" : "#FFFFFF"; $current_sip32 = $sim_event['sip']; $current_sip = baseLong2IP($current_sip32); $current_dip32 = $sim_event['dip']; $current_dip = baseLong2IP($current_dip32); $current_oasset_s = $sim_event['oasset_s']; $current_oasset_d = $sim_event['oasset_d']; $current_oprio = $sim_event['prio']; $current_oreli = $sim_event['rel']; $current_oriskc = $sim_event['risk_c']; $current_oriska = $sim_event['risk_a']; $proto = IPProto2str($sim_event['proto']); if ($current_sip32 != "") { $country = strtolower(geoip_country_code_by_addr($gi, $current_sip)); $country_name = geoip_country_name_by_addr($gi, $current_sip); if ($country) { $country_img = " <img src=\"/ossim/pixmaps/flags/" . $country . ".png\" alt=\"{$country_name}\" title=\"{$country_name}\">"; } else { $country_img = ""; }
list(, $my_offset, ) = unpack("n", pack("S", $myrow2[8])); echo ' <TD class="plfield">' . $my_offset * 8 . '</TD>'; echo ' <TD class="plfield">' . htmlspecialchars($myrow2[9]) . '</TD>'; echo ' <TD class="plfield">' . htmlspecialchars($myrow2[10]) . '<BR>= 0x' . dechex($myrow2[10]) . '</TD></TR>'; } echo ' </TABLE>'; if ($resolve_IP == 1) { echo ' <TR> <TD> <TABLE BORDER=0 CELLPADDING=4> <TR><TD CLASS="iptitle" ALIGN=CENTER ROWSPAN=2>FQDN</TD> <TD class="header">' . gettext("Source Name") . '</TD> <TD class="header">' . gettext("Dest. Name") . '</TD> </TR> <TR><TD class="plfield">' . baseGetHostByAddr(baseLong2IP($myrow2[0]), $db, $dns_cache_lifetime) . '</TD> <TD class="plfield">' . baseGetHostByAddr(baseLong2IP($myrow2[1]), $db, $dns_cache_lifetime) . '</TD> </TR> </TABLE> </TR>'; } echo ' <TR>'; echo ' <TD>'; echo ' <TABLE BORDER=0 CELLPADDING=4>'; if (in_array($plugin_id, $snort_ids)) { echo ' <TR><TD CLASS="header2" ALIGN=CENTER ROWSPAN=' . ($num_opt != 0 ? $num_opt + 1 : 1) . '>' . gettext("Options") . '</TD>'; } $layer4_proto = $myrow2[11]; if ($num_opt > 0) { echo ' <TD></TD> <TD class="header">' . gettext("code") . '</TD> <TD class="header">' . gettext("length") . '</TD>
$d_country = strtolower(geoip_country_code_by_addr($gi, $ip_dip)); $d_country_name = geoip_country_name_by_addr($gi, $ip_dip); $homelan_dip = ($match_cidr = Net::is_ip_in_cache_cidr($_conn, $ip_dip)) || in_array($ip_dip, $hosts_ips) ? " <a href='javascript:;' class='scriptinfo' style='text-decoration:none' ip='{$ip_dip}'><img src=\"" . Host::get_homelan_icon($ip_dip, $icons, $match_cidr, $_conn) . "\" border=0></a>" : ""; if ($d_country) { $d_country_img = " <img src=\"/ossim/pixmaps/flags/" . $d_country . ".png\" title=\"" . $d_country_name . "\">"; $dlnk = $current_url . "/pixmaps/flags/" . $d_country . ".png"; } else { $d_country_img = ""; $dlnk = $homelan_dip != "" ? $current_url . "/forensics/images/homelan.png" : ""; } if ($fqdn == "yes") { qroPrintEntry('<FONT>' . $sip_fqdn . '</FONT>'); } qroPrintEntry(BuildAddressLink(baseLong2IP($sip), 32) . $ip_sip . '</A>' . $s_country_img . $homelan_sip, "", "", "nowrap"); qroPrintEntry('<img src="images/dash.png" border="0">'); qroPrintEntry(BuildAddressLink(baseLong2IP($dip), 32) . $ip_dip . '</A>' . $d_country_img . $homelan_dip, "", "", "nowrap"); if ($fqdn == "yes") { qroPrintEntry('<FONT>' . $dip_fqdn . '</FONT>'); } qroPrintEntry('<FONT>' . IPProto2str($proto) . '</FONT>'); $tmp = '<A HREF="base_stat_ports.php?port_type=2&proto=' . $proto . $tmp_ip_criteria . '">'; qroPrintEntry($tmp . $num_unique_dport . '</A>'); $tmp = '<A HREF="base_stat_alerts.php?foo=1' . $tmp_ip_criteria . '">'; qroPrintEntry($tmp . $num_unique . '</A>'); $tmp = '<A HREF="base_qry_main.php?new=1' . '&num_result_rows=-1' . '&submit=' . gettext("Query+DB") . '&current_view=-1' . $tmp_ip_criteria . '">'; qroPrintEntry($tmp . $num_occurances . '</A>'); qroPrintEntryFooter(); } $i++; // report_data $report_data[] = array($ip_sip, $slnk, $ip_dip, $dlnk, IPProto2str($proto), "", "", "", "", "", "", $num_unique_dport, $num_unique, $num_occurances);