Esempio n. 1
0
function baseGetHostByAddr($ipaddr, $db, $cache_lifetime)
{
    $ip32 = baseIP2long($ipaddr);
    $current_unixtime = time();
    $sql = "SELECT ipc_ip,ipc_fqdn,ipc_dns_timestamp" . " FROM acid_ip_cache " . " WHERE ipc_ip = '{$ip32}' ";
    $result = $db->Execute($sql);
    $ip_cache = $result->FetchRow();
    /* cache miss */
    if ($ip_cache == '') {
        $tmp = gethostbyaddr($ipaddr);
    } else {
        /* cache hit */
        if ($ip_cache[2] != '' && strtotime($ip_cache[2]) / 60 + $cache_lifetime >= $current_unixtime / 60) {
            /* valid entry */
            if ($ip_cache[2] != '' && $ip_cache[2] != 0) {
                $tmp = $ip_cache[1];
            } else {
                /* name could not be resolved */
                $tmp = $ipaddr;
            }
        } else {
            $tmp = gethostbyaddr($ipaddr);
        }
    }
    if ($tmp == $ipaddr) {
        return "&nbsp;<I>" . _('Unable to resolve address') . "</I>&nbsp;";
    } else {
        return $tmp;
    }
}
Esempio n. 2
0
function UniqueEventsByAddr($db, $i, $ip)
{
    $ip32 = baseIP2long($ip);
    $result = $db->baseExecute("SELECT DISTINCT plugin_id,plugin_sid FROM acid_event WHERE " . "(ip_src='{$ip32}') OR (ip_dst='{$ip32}')");
    while ($myrow = $result->baseFetchRow()) {
        $sig[] = array($myrow[0], $myrow[1]);
    }
    $result->baseFreeRows();
    return $sig[$i];
}
Esempio n. 3
0
function baseGetWhois($ipaddr, $db, $cache_lifetime)
{
    $ip32 = baseIP2long($ipaddr);
    $current_unixtime = time();
    $current_time = date("Y-m-d H:i:s", $current_unixtime);
    $sql = "SELECT ipc_ip,ipc_whois,ipc_whois_timestamp" . " FROM acid_ip_cache " . " WHERE ipc_ip = '{$ip32}' ";
    $result = $db->baseExecute($sql);
    $whois_cache = $result->baseFetchRow();
    /* cache miss */
    if ($whois_cache == "") {
        $tmp = CallWhoisServer($ipaddr, $whois_server);
        /* add to cache regardless of whether can resolve */
        if ($db->DB_type == "oci8") {
            $sql = "INSERT INTO acid_ip_cache (ipc_ip, ipc_whois, ipc_whois_timestamp) " . "VALUES ({$ip32}, '" . $db->getSafeSQLString($tmp) . "', to_date( '{$current_time}','YYYY-MM-DD HH24:MI:SS' ) )";
        } else {
            $sql = "INSERT INTO acid_ip_cache (ipc_ip, ipc_whois, ipc_whois_timestamp) " . "VALUES ({$ip32}, '" . $db->getSafeSQLString($tmp) . "', '{$current_time}')";
        }
        $db->baseExecute($sql);
    } else {
        /* cache valid */
        if ($whois_cache[2] != "" && strtotime($whois_cache[2]) / 60 + $cache_lifetime >= $current_unixtime / 60) {
            $tmp = $whois_cache[1];
            if (strstr($tmp, "RIPE ")) {
                $whois_server = "RIPE";
            } else {
                if (strstr($tmp, "www.apnic.net")) {
                    $whois_server = "AP";
                } else {
                    if (strstr($tmp, "JPNIC database")) {
                        $whois_server = "JPNIC";
                    } else {
                        $whois_server = "ARIN";
                    }
                }
            }
        } else {
            $tmp = CallWhoisServer($ipaddr, $whois_server);
            /* Update entry in cache regardless of whether can resolve */
            if ($db->DB_type == "oci8") {
                $sql = "UPDATE acid_ip_cache SET ipc_whois='" . $db->getSafeSQLString($tmp) . "', " . " ipc_whois_timestamp=to_date( '{$current_time}','YYYY-MM-DD HH24:MI:SS' ) WHERE ipc_ip='{$ip32}'";
            } else {
                $sql = "UPDATE acid_ip_cache SET ipc_whois='" . $db->getSafeSQLString($tmp) . "', " . " ipc_whois_timestamp='{$current_time}' WHERE ipc_ip='{$ip32}'";
            }
            $db->baseExecute($sql);
        }
    }
    return $tmp;
}
Esempio n. 4
0
function StopTimeForUniqueEventByAddr($db, $ip, $current_event)
{
    $ip32 = baseIP2long($ip);
    $result = $db->baseExecute("SELECT max(timestamp) FROM acid_event WHERE " . "((ip_src='{$ip32}' OR ip_dst='{$ip32}') AND plugin_id='" . $current_event[0] . "' and plugin_sid='" . $current_event[1] . "');");
    $myrow = $result->baseFetchRow();
    $stop_time = $myrow[0];
    $result->baseFreeRows();
    return $stop_time;
}
Esempio n. 5
0
function ProcessCriteria()
{
    global $db, $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode, $caller, $DBtype;
    /* XXX-SEC */
    global $cs, $timetz;
    /* the JOIN criteria */
    $ip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid ";
    $tcp_join_sql = " LEFT JOIN tcphdr ON acid_event.sid=tcphdr.sid AND acid_event.cid=tcphdr.cid ";
    $udp_join_sql = " LEFT JOIN udphdr ON acid_event.sid=udphdr.sid AND acid_event.cid=udphdr.cid ";
    $icmp_join_sql = " LEFT JOIN icmphdr ON acid_event.sid=icmphdr.sid AND acid_event.cid=icmphdr.cid ";
    $rawip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid ";
    $sig_join_sql = " LEFT JOIN ossim.plugin_sid ON acid_event.plugin_id=plugin_sid.plugin_id AND acid_event.plugin_sid=plugin_sid.sid ";
    $sig_join = false;
    //$data_join_sql = " LEFT JOIN extra_data ON acid_event.sid=extra_data.sid AND acid_event.cid=extra_data.cid ";
    $data_join_sql = "";
    $ag_join_sql = " LEFT JOIN acid_ag_alert ON acid_event.sid=acid_ag_alert.ag_sid AND acid_event.cid=acid_ag_alert.ag_cid ";
    //$sig_join_sql = "";
    //$sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.*,extra_data.userdata1,extra_data.userdata2,extra_data.userdata3,extra_data.userdata4,extra_data.userdata5,extra_data.userdata6,extra_data.userdata7,extra_data.userdata8,extra_data.userdata9,extra_data.username,extra_data.password,extra_data.filename FROM acid_event";
    $sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.* FROM acid_event";
    // This needs to be examined!!! -- Kevin
    $where_sql = " WHERE ";
    //$where_sql = "";
    // $criteria_sql = " acid_event.sid > 0";
    // Initially show last 24hours events
    if ($_GET['time_range'] == "") {
        $criteria_sql = " ( timestamp >='" . gmdate("Y-m-d", $timetz) . "' ) ";
    } else {
        $criteria_sql = " 1 ";
    }
    //$criteria_sql = " ( timestamp <= CURDATE() ) ";
    //$criteria_sql = " 1 ";
    $join_sql = "";
    /* ********************** Meta Criteria ******************************************** */
    $sig = $cs->criteria['sig']->criteria;
    $sig_type = $cs->criteria['sig']->sig_type;
    $sig_class = $cs->criteria['sig_class']->criteria;
    $sig_priority = $cs->criteria['sig_priority']->criteria;
    $ag = $cs->criteria['ag']->criteria;
    $sensor = $cs->criteria['sensor']->criteria;
    $plugin = $cs->criteria['plugin']->criteria;
    $plugingroup = $cs->criteria['plugingroup']->criteria;
    $networkgroup = $cs->criteria['networkgroup']->criteria;
    $userdata = $cs->criteria['userdata']->criteria;
    $sourcetype = $cs->criteria['sourcetype']->criteria;
    $category = $cs->criteria['category']->criteria;
    $time = $cs->criteria['time']->GetUTC();
    //$cs->criteria['time']->criteria;
    //print_r($time);print_r($cs->criteria['time']->criteria);
    $time_cnt = $cs->criteria['time']->GetFormItemCnt();
    $ip_addr = $cs->criteria['ip_addr']->criteria;
    $ip_addr_cnt = $cs->criteria['ip_addr']->GetFormItemCnt();
    $layer4 = $cs->criteria['layer4']->criteria;
    $ip_field = $cs->criteria['ip_field']->criteria;
    $ip_field_cnt = $cs->criteria['ip_field']->GetFormItemCnt();
    $tcp_port = $cs->criteria['tcp_port']->criteria;
    $tcp_port_cnt = $cs->criteria['tcp_port']->GetFormItemCnt();
    $tcp_flags = $cs->criteria['tcp_flags']->criteria;
    $tcp_field = $cs->criteria['tcp_field']->criteria;
    $tcp_field_cnt = $cs->criteria['tcp_field']->GetFormItemCnt();
    $udp_port = $cs->criteria['udp_port']->criteria;
    $udp_port_cnt = $cs->criteria['udp_port']->GetFormItemCnt();
    $udp_field = $cs->criteria['udp_field']->criteria;
    $udp_field_cnt = $cs->criteria['udp_field']->GetFormItemCnt();
    $icmp_field = $cs->criteria['icmp_field']->criteria;
    $icmp_field_cnt = $cs->criteria['icmp_field']->GetFormItemCnt();
    $rawip_field = $cs->criteria['rawip_field']->criteria;
    $rawip_field_cnt = $cs->criteria['rawip_field']->GetFormItemCnt();
    $data = $cs->criteria['data']->criteria;
    $data_cnt = $cs->criteria['data']->GetFormItemCnt();
    $cs->criteria['data']->data_encode;
    //$data_encode[0] = "ascii"; $data_encode[1] = "hex";
    /* OSSIM */
    $ossim_type = $cs->criteria['ossim_type']->criteria;
    $ossim_priority = $cs->criteria['ossim_priority']->criteria;
    $ossim_reliability = $cs->criteria['ossim_reliability']->criteria;
    $ossim_asset_dst = $cs->criteria['ossim_asset_dst']->criteria;
    $ossim_risk_a = $cs->criteria['ossim_risk_a']->criteria;
    $tmp_meta = "";
    /* Sensor */
    if ($sensor != "" && $sensor != " ") {
        $tmp_meta = $tmp_meta . " AND acid_event.sid in (" . $sensor . ")";
    } else {
        $cs->criteria['sensor']->Set("");
        // Filter by user perms if no criteria
        if (Session::allowedSensors() != "") {
            $user_sensors = explode(",", Session::allowedSensors());
            $snortsensors = GetSensorSids($db);
            $sensor_str = "";
            foreach ($user_sensors as $user_sensor) {
                if (count($snortsensors[$user_sensor]) > 0) {
                    $sensor_str .= $sensor_str != "" ? "," . implode(",", $snortsensors[$user_sensor]) : implode(",", $snortsensors[$user_sensor]);
                }
            }
            if ($sensor_str == "") {
                $sensor_str = "0";
            }
            $tmp_meta .= " AND acid_event.sid in (" . $sensor_str . ")";
        }
    }
    /* Plugin */
    if ($plugin != "" && $plugin != " ") {
        $tmp_meta = $tmp_meta . " AND acid_event.plugin_id in (" . $plugin . ")";
    }
    /* Plugin Group */
    if ($plugingroup != "" && $plugingroup != " ") {
        $pg_ids = QueryOssimPluginGroup($plugingroup);
        if ($pg_ids != "") {
            $tmp_meta = $tmp_meta . " AND ({$pg_ids}) ";
        } else {
            $tmp_meta = $tmp_meta . " AND (acid_event.plugin_id=-1 AND acid_event.plugin_sid=-1)";
        }
    }
    /* Network Group */
    if ($networkgroup != "" && $networkgroup != " ") {
        $ng_ids = QueryOssimNetworkGroup($networkgroup);
        if ($ng_ids != "") {
            $tmp_meta = $tmp_meta . " AND ({$ng_ids}) ";
        }
    }
    /* User Data */
    //print_r($_SESSION);
    //echo "User Data:$userdata";
    if (trim($userdata[2]) != "") {
        $sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.*,extra_data.* FROM acid_event";
        $data_join_sql = ",extra_data ";
        $flt = "extra_data." . $userdata[0] . " " . $userdata[1] . " " . ($userdata[1] == "like" ? "'%" . str_replace("'", "\\'", $userdata[2]) . "%'" : "'" . $userdata[2] . "'");
        $tmp_meta .= " AND acid_event.sid=extra_data.sid AND acid_event.cid=extra_data.cid AND ({$flt})";
    }
    /* Source Type */
    if (trim($sourcetype) != "") {
        $tmp_meta = $tmp_meta . " AND acid_event.plugin_id in (" . GetPluginListBySourceType($sourcetype) . ")";
    }
    /* Category */
    if ($category[0] != 0) {
        $sig_join = true;
        $tmp_meta = $tmp_meta . GetPluginListByCategory($category);
    }
    /* Alert Group */
    if ($ag != "" && $ag != " ") {
        $tmp_meta = $tmp_meta . " AND ag_id =" . $ag;
        $join_sql = $join_sql . $ag_join_sql;
    } else {
        $cs->criteria['ag']->Set("");
    }
    /* Signature */
    if (isset($sig[0]) && $sig[0] != " " && $sig[0] != "" && (isset($sig[1]) && $sig[1] != "")) {
        if ($sig_type == 1) {
            // sending sig[1]=plugin_id;plugin_sid
            $pidsid = preg_split("/[\\s;]+/", $sig[1]);
            $tmp_meta = $tmp_meta . " AND (acid_event.plugin_id=" . intval($pidsid[0]) . " AND acid_event.plugin_sid=" . intval($pidsid[1]) . ")";
        } else {
            // free string
            $sig_ids = QueryOssimSignature($sig[1], $sig[0], $sig[2]);
            $sig_join = true;
            $tmp_meta = $tmp_meta . " AND ({$sig_ids})";
            //if ($sig_ids != "")
            //  $tmp_meta = $tmp_meta . " AND ($sig_ids) ";
            //else
            //  $tmp_meta = $tmp_meta." AND (plugin_id=-1 AND plugin_sid=-1)";
        }
    } else {
        $cs->criteria['sig']->Set("");
    }
    /* Signature Classification
       if ($sig_class != " " && $sig_class != "" && $sig_class != "0") {
           $tmp_meta = $tmp_meta . " AND sig_class_id = '" . $sig_class . "'";
       } else if ($sig_class == "0") {
           $tmp_meta = $tmp_meta . " AND (sig_class_id is null OR sig_class_id = '0')";
       } else $cs->criteria['sig_class']->Set(""); */
    /* Signature Priority 
       if ($sig_priority[1] != " " && $sig_priority[1] != "" && $sig_priority[1] != "0") {
           $tmp_meta = $tmp_meta . " AND sig_priority " . $sig_priority[0] . " '" . $sig_priority[1] . "'";
       } else if ($sig_priority[1] == "0") {
           $tmp_meta = $tmp_meta . " AND (sig_priority is null OR sig_priority = '0')";
       } else $cs->criteria['sig_priority']->Set("");*/
    /* Date/Time
       if ( DateTimeRows2sql($time, $time_cnt, $tmp_meta) == 0 )
       $cs->criteria['time']->SetFormItemCnt(0); */
    /*
     * OSSIM Code
     */
    /* OSSIM Type */
    if ($ossim_type[1] != " " && $ossim_type[1] != "" && $ossim_type[1] != "0") {
        $tmp_meta = $tmp_meta . " AND acid_event.ossim_type = '" . $ossim_type[1] . "'";
    } else {
        if ($ossim_type[1] == "0") {
            $tmp_meta = $tmp_meta . " AND (acid_event.ossim_type is null OR acid_event.ossim_type = '0')";
        } else {
            $cs->criteria['ossim_type']->Set("");
        }
    }
    /* OSSIM Priority */
    if ($ossim_priority[1] != " " && $ossim_priority[1] != "" && $ossim_priority[1] != "0") {
        $tmp_meta = $tmp_meta . " AND acid_event.ossim_priority  " . $ossim_priority[0] . " '" . $ossim_priority[1] . "'";
    } else {
        if ($ossim_priority[1] == "0") {
            $tmp_meta = $tmp_meta . " AND (acid_event.ossim_priority is null OR acid_event.ossim_priority = '0')";
        } else {
            $cs->criteria['ossim_priority']->Set("");
        }
    }
    /* OSSIM Reliability */
    if ($ossim_reliability[1] != " " && $ossim_reliability[1] != "" && $ossim_reliability[1] != "0") {
        $tmp_meta = $tmp_meta . " AND acid_event.ossim_reliability " . $ossim_reliability[0] . " '" . $ossim_reliability[1] . "'";
    } else {
        if ($ossim_reliability[1] == "0") {
            $tmp_meta = $tmp_meta . " AND (acid_event.ossim_reliability is null OR acid_event.ossim_reliability = '0')";
        } else {
            $cs->criteria['ossim_reliability']->Set("");
        }
    }
    /* OSSIM Asset DST */
    if ($ossim_asset_dst[1] != " " && $ossim_asset_dst[1] != "" && $ossim_asset_dst[1] != "0") {
        $tmp_meta = $tmp_meta . " AND acid_event.ossim_asset_dst " . $ossim_asset_dst[0] . " '" . $ossim_asset_dst[1] . "'";
    } else {
        if ($ossim_asset_dst[1] == "0") {
            $tmp_meta = $tmp_meta . " AND (acid_event.ossim_asset_dst is null OR acid_event.ossim_asset_dst = '0')";
        } else {
            $cs->criteria['ossim_asset_dst']->Set("");
        }
    }
    /* OSSIM Risk A */
    if ($ossim_risk_a != " " && $ossim_risk_a != "" && $ossim_risk_a != "0") {
        if ($ossim_risk_a == "low") {
            //$tmp_meta = $tmp_meta." AND ossim_risk_a >= 1 AND ossim_risk_a <= 4 ";
            $tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a < 1 ";
        } else {
            if ($ossim_risk_a == "medium") {
                //$tmp_meta = $tmp_meta." AND ossim_risk_a >= 5 AND ossim_risk_a <= 7 ";
                $tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a = 1 ";
            } else {
                if ($ossim_risk_a == "high") {
                    //$tmp_meta = $tmp_meta." AND ossim_risk_a >= 8 AND ossim_risk_a <= 10 ";
                    $tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a > 1 ";
                }
            }
        }
    } else {
        $cs->criteria['ossim_risk_a']->Set("");
    }
    /* Date/Time */
    if (DateTimeRows2sql($time, $time_cnt, $tmp_meta) == 0) {
        $cs->criteria['time']->SetFormItemCnt(0);
    }
    $criteria_sql = $criteria_sql . $tmp_meta;
    /* ********************** IP Criteria ********************************************** */
    /* IP Addresses */
    $tmp2 = "";
    for ($i = 0; $i < $ip_addr_cnt; $i++) {
        $tmp = "";
        if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] != " ") {
            if ($ip_addr[$i][3] != "" && $ip_addr[$i][4] != "" && $ip_addr[$i][5] != "" && $ip_addr[$i][6] != "") {
                /* if use illegal 256.256.256.256 address then
                 *  this is the special case where need to search for portscans
                 */
                if ($ip_addr[$i][3] == "256" && $ip_addr[$i][4] == "256" && $ip_addr[$i][5] == "256" && $ip_addr[$i][6] == "256") {
                    $tmp = $tmp . " acid_event." . $ip_addr[$i][1] . " IS NULL" . " ";
                } else {
                    if ($ip_addr[$i][10] == "") {
                        $tmp = $tmp . " acid_event." . $ip_addr[$i][1] . $ip_addr[$i][2] . "'" . baseIP2long($ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6]) . "' ";
                    } else {
                        $mask = getIPMask($ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6], $ip_addr[$i][10]);
                        if ($ip_addr[$i][2] == "!=") {
                            $tmp_op = " NOT ";
                        } else {
                            $tmp_op = "";
                        }
                        $tmp = $tmp . $tmp_op . " (acid_event." . $ip_addr[$i][1] . ">= '" . baseIP2long($mask[0]) . "' AND " . "acid_event." . $ip_addr[$i][1] . "<= '" . baseIP2long($mask[1]) . "')";
                    }
                }
            }
            /* if have chosen the address type to be both source and destination */
            if (ereg("ip_both", $tmp)) {
                $tmp_src = ereg_replace("ip_both", "ip_src", $tmp);
                $tmp_dst = ereg_replace("ip_both", "ip_dst", $tmp);
                if ($ip_addr[$i][2] == '=') {
                    $tmp = "(" . $tmp_src . ') OR (' . $tmp_dst . ')';
                } else {
                    $tmp = "(" . $tmp_src . ') AND (' . $tmp_dst . ')';
                }
            }
            if ($tmp != "") {
                $tmp = $ip_addr[$i][0] . "(" . $tmp . ")" . $ip_addr[$i][8] . $ip_addr[$i][9];
            }
        } else {
            if (isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" || $ip_addr[$i][1] != " ") {
                /* IP_addr_type, but MALFORMED IP address */
                if ($ip_addr[$i][1] != " " && $ip_addr[$i][3] == "" && ($ip_addr[$i][4] != "" || $ip_addr[$i][5] != "" || $ip_addr[$i][6] != "")) {
                    ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Invalid IP address criteria") . " ' *." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . " '");
                }
                /* ADDRESS, but NO IP_addr_type was given */
                if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] == " ") {
                    ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("A IP address of") . " '" . $ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . "' " . gettext("was entered for as a criteria value, but the type of address (e.g. source, destination) was not specified."));
                }
                /* IP_addr_type IS FILLED, but no ADDRESS */
                if ($ip_addr[$i][1] != " " && $ip_addr[$i][1] != "" && $ip_addr[$i][3] == "") {
                    ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("An IP address of type") . " '" . $ip_addr[$i][1] . "' " . gettext("was selected (at #") . $i . ") " . gettext("indicating that an IP address should be a criteria, but no address on which to match was specified."));
                }
            }
        }
        $tmp2 = $tmp2 . $tmp;
        if ($i > 0 && $ip_addr[$i - 1][9] == ' ' && $ip_addr[$i - 1][3] != "") {
            ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Multiple IP address criteria entered without a boolean operator (e.g. AND, OR) between IP Criteria") . " #{$i} and #" . ($i + 1) . ".");
        }
    }
    if ($tmp2 != "") {
        $criteria_sql = $criteria_sql . " AND ( " . $tmp2 . " )";
    } else {
        $cs->criteria['ip_addr']->SetFormItemCnt(0);
    }
    /* IP Fields */
    if (FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql) == 0) {
        $cs->criteria['ip_field']->SetFormItemCnt(0);
    }
    /* Layer-4 encapsulation */
    if ($layer4 == "TCP") {
        $criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '6'";
    } else {
        if ($layer4 == "UDP") {
            $criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '17'";
        } else {
            if ($layer4 == "ICMP") {
                $criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '1'";
            } else {
                if ($layer4 == "RawIP") {
                    $criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '255'";
                } else {
                    $cs->criteria['layer4']->Set("");
                }
            }
        }
    }
    /* Join the iphdr table if necessary */
    if (!$cs->criteria['ip_field']->isEmpty()) {
        $join_sql = $ip_join_sql . $join_sql;
    }
    /* ********************** TCP Criteria ********************************************** */
    if ($layer4 == "TCP") {
        $proto_tmp = "";
        /* TCP Ports */
        if (FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp) == 0) {
            $cs->criteria['tcp_port']->SetFormItemCnt(0);
        }
        $criteria_sql = $criteria_sql . $proto_tmp;
        $proto_tmp = "";
        /* TCP Flags */
        if (isset($tcp_flags) && sizeof($tcp_flags) == 8) {
            if ($tcp_flags[0] == "contains" || $tcp_flags[0] == "is") {
                $flag_tmp = $tcp_flags[1] + $tcp_flags[2] + $tcp_flags[3] + $tcp_flags[4] + $tcp_flags[5] + $tcp_flags[6] + $tcp_flags[7] + $tcp_flags[8];
                if ($tcp_flags[0] == "is") {
                    $proto_tmp = $proto_tmp . ' AND tcp_flags=' . $flag_tmp;
                } else {
                    if ($tcp_flags[0] == "contains") {
                        $proto_tmp = $proto_tmp . ' AND (tcp_flags & ' . $flag_tmp . ' = ' . $flag_tmp . " )";
                    } else {
                        $proto_tmp = "";
                    }
                }
            }
        }
        /* TCP Fields */
        if (FieldRows2sql($tcp_field, $tcp_field_cnt, $proto_tmp) == 0) {
            $cs->criteria['tcp_field']->SetFormItemCnt(0);
        }
        /* TCP Options
         *  - not implemented
         */
        if (!$cs->criteria['tcp_port']->isEmpty() || !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty()) {
            $criteria_sql = $criteria_sql . $proto_tmp;
            if (!$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty()) {
                $join_sql = $tcp_join_sql . $join_sql;
            }
        }
    }
    /* ********************** UDP Criteria ********************************************* */
    if ($layer4 == "UDP") {
        $proto_tmp = "";
        /* UDP Ports */
        if (FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp) == 0) {
            $cs->criteria['udp_port']->SetFormItemCnt(0);
        }
        $criteria_sql = $criteria_sql . $proto_tmp;
        $proto_tmp = "";
        /* UDP Fields */
        if (FieldRows2sql($udp_field, $udp_field_cnt, $proto_tmp) == 0) {
            $cs->criteria['udp_field']->SetFormItemCnt(0);
        }
        if (!$cs->criteria['udp_port']->isEmpty() || !$cs->criteria['udp_field']->isEmpty()) {
            $criteria_sql = $criteria_sql . $proto_tmp;
            if (!$cs->criteria['udp_field']->isEmpty()) {
                $join_sql = $udp_join_sql . $join_sql;
            }
        }
    }
    /* ********************** ICMP Criteria ******************************************** */
    if ($layer4 == "ICMP") {
        $proto_tmp = "";
        /* ICMP Fields */
        if (FieldRows2sql($icmp_field, $icmp_field_cnt, $proto_tmp) == 0) {
            $cs->criteria['icmp_field']->SetFormItemCnt(0);
        }
        if (!$cs->criteria['icmp_field']->isEmpty()) {
            $criteria_sql = $criteria_sql . $proto_tmp;
            $join_sql = $icmp_join_sql . $join_sql;
        }
    }
    /* ********************** Packet Scan Criteria ************************************* */
    if ($layer4 == "RawIP") {
        $proto_tmp = "";
        /* RawIP Fields */
        if (FieldRows2sql($rawip_field, $rawip_field_cnt, $proto_tmp) == 0) {
            $cs->criteria['rawip_field']->SetFormItemCnt(0);
        }
        if (!$cs->criteria['rawip_field']->isEmpty()) {
            $criteria_sql = $criteria_sql . $proto_tmp;
            $join_sql = $rawip_join_sql . $join_sql;
        }
    }
    /* ********************** Payload Criteria ***************************************** */
    //$tmp_payload = "";
    if (DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload) == 0) {
        $cs->criteria['data']->SetFormItemCnt(0);
    }
    //echo "<br><br><br>";
    //print_r($data);
    //print_r("data_cnt: [".$data_cnt."]");
    //print_r($cs->criteria['data']->isEmpty());
    //print_r("criteria_ sql: [".$criteria_sql."]");
    //print_r("tmp_payload: [".$tmp_payload."]");
    if (!$cs->criteria['data']->isEmpty()) {
        $sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.*,extra_data.* FROM acid_event";
        $data_join_sql = ",extra_data ";
        $criteria_sql = $criteria_sql . $tmp_payload;
    }
    if ($sig_join) {
        $join_sql = $join_sql . $sig_join_sql;
    }
    $join_sql = $join_sql . $data_join_sql;
    $csql[0] = $join_sql;
    $criteria_sql = preg_replace("/AND\\s+\\)/", " )", preg_replace("/OR\\s+\\)/", " )", $criteria_sql));
    $csql[1] = $criteria_sql;
    //print_r($csql);
    return $csql;
}
Esempio n. 6
0
        echo $ip . ' (Broadcast)';
    }
}
if (VerifySocketSupport()) {
    echo '&nbsp;&nbsp;( <A HREF="base_stat_ipaddr.php?ip=' . $ip . '&amp;netmask=' . $netmask . '&amp;action=whois">local whois</A> )';
}
echo '</B>
        <TABLE BORDER=0>
        <TR>
           <TD CLASS="headerbasestat">' . gettext("Num of <BR>Sensors") . '</TD>
           <TD CLASS="headerbasestat">' . gettext("Occurances <BR>as Src.") . '</TD>
           <TD CLASS="headerbasestat">' . gettext("Occurances <BR>as Dest.") . '</TD>
           <TD CLASS="headerbasestat">' . gettext("First<BR> Occurrence") . '</TD>
           <TD CLASS="headerbasestat">' . gettext("Last<BR> Occurrence") . '</TD>
        </TR>';
$ip_src32 = baseIP2long($ip);
$ip_dst32 = $ip_src32;
/* Number of Sensors, First, and Last timestamp */
$temp = "SELECT COUNT(DISTINCT sid), MIN(timestamp), MAX(timestamp) FROM acid_event " . "WHERE (ip_src = '{$ip_src32}' OR ip_dst = '{$ip_dst32}' )";
$result2 = $db->baseExecute($temp);
$row2 = $result2->baseFetchRow();
$num_sensors = $row2[0];
$start_time = $row2[1];
$stop_time = $row2[2];
$result2->baseFreeRows();
/* Unique instances as Source Address  */
$temp = "SELECT COUNT(sid) from acid_event WHERE ip_src='{$ip_src32}'";
$result2 = $db->baseExecute($temp);
$row2 = $result2->baseFetchRow();
$num_src_ip = $row2[0];
$result2->baseFreeRows();