Esempio n. 1
require_once "MSALParser.php";
require_once "MSALDB.php";
// Read the raw HTTP request body line by line, parse it as one MSAL entry and
// store it. Per the note below this script, the sender is mlogc.
// NOTE(review): no authentication or body-size check is visible in this
// script; presumably the web server restricts who may reach this endpoint —
// verify, because whatever is posted here is parsed and written to the database.
// NOTE(review): the note below shows an http:// ConsoleURI, so audit entries
// (which carry request data) travel unencrypted unless TLS is added elsewhere.
$auditLogLines = file("php://input");
if (is_array($auditLogLines) && count($auditLogLines) > 0) {
    $firstLine = 0;
    $lastLine = count($auditLogLines) - 1;
    try {
        $parsedEntry = MSALParser::parse($auditLogLines, $firstLine, $lastLine);
        MSALDB::saveMSAL($parsedEntry);
    } catch (MSALParserException $parseFailure) {
        // The failure is kept internal: it is logged and the script emits no
        // error output here.
        FileLogger::ERROR($parseFailure->getMessage());
    } catch (MSALDBException $storeFailure) {
        // Same policy for storage failures: log only.
        FileLogger::ERROR($storeFailure->getMessage());
    }
}
/*
 * A NOTE:
 * 
 * in mlogc.conf;
 *    CollectorRoot "/var/log/mlogc"
 *    ConsoleURI "http://[serverip]/rpc/auditLogReceiver"
 *    LogStorageDir "data"  
 *    Keep 1
 * 
 * in modsecurity_crs_10_config.conf;
 *    SecAuditLogStorageDir /var/log/mlogc/data
 * 
 * Individual log files will be created and rest in;
Esempio n. 2
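 /**
  * Store a parsed MSAL object: one row in `audit_log`, then one row in
  * `alerts` for every alert message found in the trailer.
  *
  * A missing or invalid object is logged as a warning and skipped without
  * touching the database.
  *
  * @param mixed $msal parsed entry; must provide isValid() and the getMSAL*() accessors used below
  * @return void
  * @throws MSALDBException when a statement cannot be prepared or executed
  */
 public static function saveMSAL($msal)
 {
     if (!isset($msal) || !$msal->isValid()) {
         // we should at least print the uniqueid if it exists...
         $uniqueid = 'N/A';
         if (isset($msal) && $msal->getMSALHeader()) {
             $uniqueid = $msal->getMSALHeader()->getUniqueId();
         }
         // NOTE(review): the uniqueid is taken from the parsed entry and logged
         // unmodified; confirm FileLogger neutralises CR/LF so a crafted entry
         // cannot forge additional log lines.
         FileLogger::WARNING("Error saving to database: MSAL object is not valid with uniqueid: " . $uniqueid);
         return;
     }
     // connect
     // NOTE(review): getConnection() is not visible here; the code below assumes
     // it returns a mysqli connection (prepare/bind_param/error/close) — confirm.
     $conn = self::getConnection();
     /*
     CREATE TABLE  `admin` (
       `user` varchar(50) NOT NULL,
       `pass` char(50) NOT NULL,
     ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
     */
     /*
     INSERT INTO `admin`(`user`, `pass`) VALUES ('admin','4a823245a08c257041938042b728d9f7
     ');
     */
     // NOTE(review): the seed row above ships a fixed default 'admin' account.
     // The value is 32 hex characters, the length of an MD5 digest — presumably
     // an unsalted fast hash; verify. A deployment should replace the default
     // credential at install time and store passwords with password_hash().
     /*
     CREATE TABLE  `audit_log` (
       `AuditLogID` bigint(20) unsigned NOT NULL auto_increment,
       `AuditLogUniqueID` char(32) NOT NULL, 
       `AuditLogDate` date NOT NULL,
       `AuditLogTime` time NOT NULL,
       `SourceIP` char(15) NOT NULL,
       `SourcePort` int unsigned default NULL,
       `DestinationIP` char(15) NOT NULL,
       `DestinationPort` int unsigned default NULL,
       `Referer` varchar(255) default NULL,
       `UserAgent` varchar(255) default NULL,
       `WebAppId` varchar(255) DEFAULT NULL,
       `HttpMethod` tinyint NOT NULL DEFAULT 0,
       `Uri` text,
       `QueryString` text,
       `HttpProtocol` tinyint NOT NULL DEFAULT 0,
       `Host` varchar(255) DEFAULT NULL,
       `HttpStatusCode` tinyint NOT NULL DEFAULT 0,
       `RequestContentType` varchar(255) DEFAULT NULL,
       `ResponseContentType` varchar(255) DEFAULT NULL,
       `Blocked` tinyint NOT NULL DEFAULT 0,
       `Duration` int NOT NULL,
       PRIMARY KEY  (`AuditLogID`)
     ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
     */
     // The INSERT is positional: NULL feeds the auto_increment AuditLogID and the
     // 20 placeholders follow the column order documented above.
     $stmt = $conn->prepare('INSERT INTO audit_log VALUES (
                                                              NULL,
                                                              ?,
                                                              ?,
                                                              ?,
                                                              ?, ?,
                                                              ?, ?,
                                                              ?, ?, ?,
                                                              ?, ?, ?, ?,
                                                              ?, ?, 
                                                              ?, ?,
                                                              ?,
                                                              ?)');
     // prepare() returns false on failure when mysqli reports errors by return
     // value; calling bind_param() on false would be a fatal error, so fail here
     // with the connection's error text instead. (If mysqli is set to throw, a
     // mysqli_sql_exception is raised instead and is not converted here.)
     if ($stmt === false) {
         FileLogger::ERROR("Error saving MSAL to database: " . $conn->error);
         $conn->close();
         throw new MSALDBException("Error saving MSAL to database");
     }
     $msalHeader = $msal->getMSALHeader();
     $msalRequestHeaders = $msal->getMSALRequestHeaders();
     $msalResponseHeaders = $msal->getMSALResponseHeaders();
     $msalTrailer = $msal->getMSALTrailer();
     // bind_param() takes its values by reference, so every value is first put
     // into a variable; passing call results directly raises
     // "Only variables should be passed by reference".
     // String values are cut to the column widths documented above.
     // NOTE(review): char(15) only fits a dotted IPv4 address; an IPv6 source or
     // destination would be stored truncated — confirm that cannot occur.
     // NOTE(review): HttpStatusCode is a tinyint; if getResponseStatusCode()
     // returns the raw HTTP status (e.g. 403) it does not fit — confirm what the
     // getter returns.
     $uniqueId = substr($msalHeader->getUniqueId(), 0, 32);
     $logDate = $msalTrailer->getDateInYYYY_MM_DD();
     $logTime = $msalTrailer->getTimeInHH_MM_SS();
     $srcIp = substr($msalHeader->getSrcIP(), 0, 15);
     $srcPort = $msalHeader->getSrcPort();
     $dstIp = substr($msalHeader->getDstIP(), 0, 15);
     $dstPort = $msalHeader->getDstPort();
     $referer = substr($msalRequestHeaders->getRequestReferer(), 0, 255);
     $userAgent = substr($msalRequestHeaders->getRequestUserAgent(), 0, 255);
     $webappId = substr($msalTrailer->getWebappId(), 0, 255);
     $httpMethod = $msalRequestHeaders->getRequestMethod();
     $uri = $msalRequestHeaders->getRequestUri();
     $queryString = $msalRequestHeaders->getRequestQueryString();
     $httpProtocol = $msalRequestHeaders->getRequestProtocol();
     $host = substr($msalRequestHeaders->getRequestHost(), 0, 255);
     $statusCode = $msalResponseHeaders->getResponseStatusCode();
     $requestContentType = substr($msalRequestHeaders->getRequestContentType(), 0, 255);
     $responseContentType = substr($msalResponseHeaders->getResponseContentType(), 0, 255);
     $blocked = $msalTrailer->isBlocked();
     $duration = $msalTrailer->getDuration();
     $stmt->bind_param(
         'ssssisisssissisissii',
         $uniqueId,
         $logDate,
         $logTime,
         $srcIp,
         $srcPort,
         $dstIp,
         $dstPort,
         $referer,
         $userAgent,
         $webappId,
         $httpMethod,
         $uri,
         $queryString,
         $httpProtocol,
         $host,
         $statusCode,
         $requestContentType,
         $responseContentType,
         $blocked,
         $duration
     );
     if ($stmt->execute()) {
         FileLogger::DEBUG("A MSAL object inserted into database : " . $msalHeader->getUniqueId());
     } else {
         FileLogger::ERROR("Error saving MSAL to database: uniqueid: " . $msalHeader->getUniqueId() . " with Detailed Message: " . $stmt->error);
         // Release the statement and the connection before leaving through the
         // exception; the success path closes both as well.
         $stmt->close();
         $conn->close();
         throw new MSALDBException("Error saving MSAL to database");
     }
     $stmt->close();
     /*
     CREATE TABLE  `alerts` (
       `AuditLogUniqueID` char(32) NOT NULL,
       `GeneralMsg` varchar(255) DEFAULT NULL,
       `TechnicalMsg` text,
       `RuleID` int(10) DEFAULT NULL,
       `Rev` varchar(128) DEFAULT NULL,
       `Msg` text,
       `Severity` tinyint DEFAULT 0,
       `Category` tinyint DEFAULT 0,
       `Status` tinyint DEFAULT 0,
       `Resolution` tinyint DEFAULT 0
     ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
     */
     // NOTE(review): the audit_log row is already stored at this point; a failure
     // below leaves it without (all of) its alert rows.
     $stmt2 = $conn->prepare('INSERT INTO alerts VALUES(  ?,
                                                              ?, ?,
                                                              ?, ?,
                                                              ?, ?,
                                                              ?, 
                                                              ?, ?)');
     if ($stmt2 === false) {
         FileLogger::ERROR("Error saving Alert to database: " . $conn->error);
         $conn->close();
         throw new MSALDBException("Error saving Alert to database");
     }
     // Every new alert starts with the same category, status and resolution.
     // These are copied into variables because constants cannot be passed to
     // bind_param(), which accepts its parameters by reference.
     $alertCatUndef = AlertCategory::UNDEFINED;
     $alertStatOpen = AlertStatus::OPEN;
     $alertResOpen = AlertResolution::UNDEFINED;
     foreach ($msalTrailer->getAlertMessages() as $anAlertMessage) {
         $alertUniqueId = substr($msalHeader->getUniqueId(), 0, 32);
         $generalMessage = substr($anAlertMessage->getGeneralMessage(), 0, 255);
         $technicalMessage = substr($anAlertMessage->getTechnicalMessage(), 0, 255);
         $ruleId = $anAlertMessage->getId();
         $revision = substr($anAlertMessage->getRevision(), 0, 128);
         $message = $anAlertMessage->getMessage();
         $severity = $anAlertMessage->getSeverity();
         $stmt2->bind_param(
             'sssissiiii',
             $alertUniqueId,
             $generalMessage,
             $technicalMessage,
             $ruleId,
             $revision,
             $message,
             $severity,
             $alertCatUndef,
             $alertStatOpen,
             $alertResOpen
         );
         if ($stmt2->execute()) {
             FileLogger::DEBUG("An Alert object inserted into database : " . $msalHeader->getUniqueId());
         } else {
             FileLogger::ERROR("Error saving Alert to database: uniqueid: " . $msalHeader->getUniqueId() . " with Detailed Message: " . $stmt2->error);
             $stmt2->close();
             $conn->close();
             throw new MSALDBException("Error saving Alert to database");
         }
     }
     $stmt2->close();
     $conn->close();
 }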