/*
 * Fragment: the while loop opened here is closed outside this listing.
 * Picks the DB connection for the session's selected server, then walks the
 * result set (up to the display row count) building one sensor/device row
 * of the table, with a per-row checkbox carrying the device id.
 */
if (is_array($_SESSION["server"]) && $_SESSION["server"][0] != "") {
    $_conn = $dbo->custom_connect($_SESSION["server"][0], $_SESSION["server"][2], $_SESSION["server"][3]);
} else {
    $_conn = $dbo->connect();
}
while (($myrow = $result->baseFetchRow()) && $i < $qs->GetDisplayRowCnt()) {
    $device_id = $myrow['device_id'];
    // The code expects GetSensorName() to yield "name - ip" and splits it back
    // into the row; a value without ' - ' leaves sensor_ip unset.
    list($myrow['name'], $myrow['sensor_ip']) = explode(' - ', GetSensorName($myrow['sensor_id'], $db, true));
    $sensor_ip = $myrow['name'] == 'N/A' ? 'N/A' : $myrow['sensor_ip'];
    // Device column is "ip:interface" (interface optional), or '-' when empty.
    $device_ip = $myrow['device_ip'] != '' ? $myrow['device_ip'] . ($myrow['interface'] != '' ? ':' . $myrow['interface'] : '') : '-';
    $sname = $myrow['name'];
    $event_cnt = $myrow['event_cnt'];
    $unique_event_cnt = $myrow['sig_cnt'] != "" ? $myrow['sig_cnt'] : "-";
    $num_src_ip = $myrow['saddr_cnt'] != "" ? $myrow['saddr_cnt'] : "-";
    $num_dst_ip = $myrow['daddr_cnt'] != "" ? $myrow['daddr_cnt'] : "-";
    // NOTE(review): $_conn is selected above but the lookup is done on $conn —
    // confirm which connection the geolocation lookup is meant to use.
    $_country_aux = $geoloc->get_country_by_host($conn, $sensor_ip);
    $country = strtolower($_country_aux[0]);
    $country_name = $_country_aux[1];
    $homelan = ""; // assigned but not read anywhere in this fragment
    if ($country) {
        // NOTE(review): $country and $country_name come straight from the GeoIP
        // lookup and are placed in attributes unescaped; pass them through
        // htmlspecialchars() before building the markup.
        $country_img = " <img src=\"/ossim/pixmaps/flags/" . $country . ".png\" alt=\"{$country_name}\" title=\"{$country_name}\">";
        $slnk = $current_url . "/pixmaps/flags/" . $country . ".png";
    } else {
        $country_img = "";
        $slnk = "";
    }
    /* Print out */
    qroPrintEntryHeader($i);
    $tmp_rowid = $device_id;
    // NOTE(review): $tmp_rowid is a DB value written into a VALUE attribute
    // without escaping; htmlspecialchars() it as well.
    echo ' <TD><INPUT TYPE="checkbox" NAME="action_chk_lst[' . $i . ']" VALUE="' . $tmp_rowid . '">';
    echo ' <INPUT TYPE="hidden" NAME="action_lst[' . $i . ']" VALUE="' . $tmp_rowid . '"></TD>';
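// Collect every distinct source/destination ip matched by the report filter and
// tally the ones outside the asset inventory per GeoIP country. Leaves
// $ips ("code:Name" => count, ':Unknown' for unresolved) and $totalValue for
// the code that follows.
$where = Security_report::make_where($conn, $date_from, $date_to, $plugin_list, $dDB);
// make_where() may reference a plist_* table in its WHERE clause; pull that
// table name into the FROM list so the query resolves it.
$ejoin = preg_match('/plist_[a-z]+/', $where) ? preg_replace('/.*(plist_[a-z]+)\\.id .*/', ',\\1', $where) : '';
// NOTE(review): $where and $ejoin are spliced into the SQL verbatim; this is
// only safe while make_where() quotes everything it derives from
// $date_from/$date_to/$plugin_list.
$query = "SELECT DISTINCT ip_src AS ip FROM alienvault_siem.acid_event {$ejoin} WHERE 1=1 {$where}\n UNION SELECT DISTINCT ip_dst as ip FROM alienvault_siem.acid_event {$ejoin} WHERE 1=1 {$where}";
$rs = $conn->Execute($query);
if (!$rs) {
    Av_exception::throw_error(Av_exception::DB_ERROR, $conn->ErrorMsg());
}
$already = array();
// Initialise the tally unless the surrounding code pre-seeded it; without this
// the increments below and array_slice() run on an undefined variable.
if (!isset($ips) || !is_array($ips)) {
    $ips = array();
}
while (!$rs->EOF) {
    $ip = inet_ntop($rs->fields['ip']);
    // NULL / malformed packed addresses come back as false; skip them rather
    // than feeding an empty key to the cache lookup and the geolocation.
    if ($ip === false || isset($already[$ip])) {
        $rs->MoveNext();
        continue;
    }
    //Session::hostAllowed($conn,$ip) => not necessary here?
    $already[$ip] = TRUE;
    // Addresses inside a known inventory CIDR are not counted as foreign.
    if (!Asset_host::is_ip_in_cache_cidr($conn, $ip)) {
        // geoip
        $_country_aux = $geoloc->get_country_by_host($conn, $ip);
        $s_country = strtolower($_country_aux[0]);
        $s_country_name = $_country_aux[1];
        $_country_key = ($s_country == '') ? ':Unknown' : "{$s_country}:{$s_country_name}";
        $_country_cnt = isset($ips[$_country_key]) ? $ips[$_country_key] : 0;
        $ips[$_country_key] = $_country_cnt + 1;
    }
    $rs->MoveNext();
}
// arsort($ips);
// NOTE(review): with the sort above commented out, array_slice() keeps the
// first $limit countries encountered, not the $limit largest.
$ips = array_slice($ips, 0, $limit);
$totalValue = array_sum($ips);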
</th> </tr> </thead> <tbody> <?php
/*
 * Fragment: the if/foreach opened here are closed outside this listing.
 * Emits one table row per active session: bold name and a disabled logout
 * icon for the caller's own session, a logout link for every other one.
 */
if (!empty($allowed_users) && is_array($allowed_users)) {
    foreach ($allowed_users as $user) {
        if ($user->get_id() == $my_session) {
            $me = "style='font-weight: bold;'";
            $action = "<img class='info_logout dis_logout' src='../pixmaps/menu/logout.gif' alt='" . $user->get_login() . "' title='" . $user->get_login() . "'/>";
        } else {
            // NOTE(review): get_id() is interpolated into a JS string literal and
            // get_login() into HTML attributes without any escaping (contrast the
            // htmlentities() applied to $agent further down); escape per context.
            $action = "<a onclick=\"logout('" . $user->get_id() . "');\">\n\t\t\t\t\t\t\t <img class='info_logout' src='../pixmaps/menu/logout.gif' alt='" . _('Logout') . " " . $user->get_login() . "' title='" . _('Logout') . " " . $user->get_login() . "'/>\n\t\t\t\t\t\t\t </a>";
            $me = NULL;
        }
        $_country_aux = $geoloc->get_country_by_host($conn, $user->get_ip());
        $s_country = strtolower($_country_aux[0]);
        $s_country_name = $_country_aux[1];
        $geo_code = get_country($s_country);
        $flag = !empty($geo_code) ? "<img src='" . $geo_code . "' border='0' align='top'/>" : '';
        // Logon time is shifted from UTC into the configured timezone for display.
        $logon_date = gmdate('Y-m-d H:i:s', Util::get_utc_unixtime($user->get_logon_date()) + 3600 * Util::get_timezone());
        $activity_date = Util::get_utc_unixtime($user->get_activity());
        $background = Session_activity::is_expired($activity_date) ? 'background:#FFD8D6;' : ''; // not used by the echo in this fragment
        $expired = Session_activity::is_expired($activity_date) ? "<span style='color:red'>(" . _('Expired') . ")</span>" : "";
        // explode() yields a single element when '###' is absent, so $agent[1]
        // is undefined for such an agent string.
        $agent = explode('###', $user->get_agent());
        if ($agent[1] == 'av report scheduler') {
            $agent = array('AV Report Scheduler', 'wget');
        }
        // NOTE(review): the @ only hides the "only variables should be passed by
        // reference" notice from array_shift(); assign the result to a variable
        // first and drop the suppression.
        $host = @array_shift(Asset_host::get_name_by_ip($conn, $user->get_ip()));
        $host = $host == '' ? $user->get_ip() : $host;
        // NOTE(review): login, ip, host and id are concatenated raw into the row
        // while only the agent fields go through htmlentities().
        echo " <tr id='" . $user->get_id() . "'>\n\t\t\t\t\t\t\t\t\t<td class='ops_user' {$me}><img class='user_icon' src='" . get_user_icon($user->get_login(), $pro) . "' alt='" . _('User icon') . "' title='" . _('User icon') . "' align='absmiddle'/> " . $user->get_login() . "</td>\n\t\t\t\t\t\t\t\t\t<td class='ops_ip'>" . $user->get_ip() . "</td>\n\t\t\t\t\t\t\t\t\t<td class='ops_host'>" . $host . $flag .
"</td>\n\t\t\t\t\t\t\t\t\t<td class='ops_agent'><a title='" . htmlentities($agent[1]) . "' class='info_agent'>" . htmlentities($agent[0]) . "</a></td>\n\t\t\t\t\t\t\t\t\t<td class='ops_id'>" . $user->get_id() . " {$expired}</td>\n\t\t\t\t\t\t\t\t\t<td class='ops_logon'>" . $logon_date . "</td>\t\t\t\t\t\n\t\t\t\t\t\t\t\t\t<td class='ops_activity'>" . _(TimeAgo($activity_date, gmdate('U'))) . "</td>\n\t\t\t\t\t\t\t\t\t<td class='ops_actions'>{$action}</td>\t\n\t\t\t\t\t\t\t\t</tr>";
break;

// Honeypot Countries - Last Week
case "honeypot_countries":
    // Fragment: this case belongs to a switch that starts and ends outside this
    // listing. Sums category-19 events per source ip over the last $range
    // seconds, groups the totals by GeoIP country and appends a JS data/url
    // entry for each of the (up to 10) countries found.
    $geoloc = new Geolocation("/usr/share/geoip/GeoLiteCity.dat");
    $nodata_text .= _(" for <i>Honeypot</i>");
    // NOTE(review): $sensor_where is spliced into the SQL verbatim; safe only
    // while it is built from validated sensor ids. INET_NTOA() is IPv4-only.
    $sqlgraph = "select INET_NTOA(a.ip_src) as ip, sum(cnt) as num_events FROM alienvault_siem.po_acid_event a, alienvault.plugin pl, alienvault.plugin_sid p WHERE p.plugin_id=a.plugin_id AND p.sid=a.plugin_sid AND p.plugin_id=pl.id AND p.category_id=19 AND a.timestamp BETWEEN '" . gmdate("Y-m-d H:i:s", gmdate("U") - $range) . "' AND '" . gmdate("Y-m-d H:i:s") . "' {$sensor_where} group by a.ip_src order by num_events desc";
    //echo $sqlgraph;
    $countries = array();
    $country_names = array();
    if (!($rg = $conn->CacheExecute($sqlgraph))) {
        // NOTE(review): this echoes the raw driver error into the page; log it
        // and show a generic message instead.
        print $conn->ErrorMsg();
    } else {
        // Stops once 10 distinct countries have been seen, not after 10 rows.
        while (!$rg->EOF && count($countries) < 10) {
            $_country_aux = $geoloc->get_country_by_host($conn, $rg->fields['ip']);
            $country = strtolower($_country_aux[0]);
            $country_name = $_country_aux[1];
            if ($country_name != '') {
                // First hit on a code reads an undefined index before adding.
                $countries[$country] += $rg->fields['num_events'];
                $country_names[$country] = $country_name;
            }
            $rg->MoveNext();
        }
    }
    arsort($countries);
    foreach ($countries as $c => $val) {
        $url = Menu::get_menu_url("forensics/base_stat_country_alerts.php?cc={$c}&location=alerts&category=19", 'analysis', 'security_events', 'security_events');
        // NOTE(review): $country_names[$c] and $url end up inside a JS string
        // literal unescaped; build the entries with json_encode() instead.
        $data .= "['<a class=\"no_text_decoration\" href=\"{$url}\">" . $country_names[$c] . "</a>'," . $val . "],";
        $urls .= "'{$url}',";
    }
break;

case "countries":
    // Fragment: this case belongs to a switch that starts and ends outside this
    // listing, and the foreach at the end is closed there too. Counts events
    // per source ip for the configured honeypot categories, groups them by
    // GeoIP country and fills the chart's $data/$label/$links arrays.
    //Filters of sensors.
    //Date range.
    // range is given in days and converted to seconds; default is one week.
    $range = $chart_info['range'] > 0 ? $chart_info['range'] * 86400 : 604800;
    //Limit of host to show in the widget.
    $limit = $chart_info['top'] != '' ? $chart_info['top'] : 10;
    $geoloc = new Geolocation("/usr/share/geoip/GeoLiteCity.dat");
    // NOTE(review): $honeypot_category and $query_where are spliced into the
    // SQL verbatim; safe only if the category list holds integers and the
    // where clause is built from validated input.
    $sqlgraph = "select acid_event.ip_src as ip, count(*) as num_events FROM alienvault_siem.acid_event, alienvault.plugin pl, alienvault.plugin_sid p WHERE p.plugin_id=acid_event.plugin_id AND p.sid=acid_event.plugin_sid AND p.plugin_id=pl.id AND p.category_id in (" . implode(',', $honeypot_category) . ") AND acid_event.timestamp BETWEEN '" . gmdate("Y-m-d H:i:s", gmdate("U") - $range) . "' AND '" . gmdate("Y-m-d H:i:s") . "' {$query_where} group by acid_event.ip_src order by num_events desc";
    $countries = array();
    $country_names = array();
    // NOTE(review): =& on a method-call result only makes sense if
    // CacheExecute() returns by reference; for an object handle a plain
    // assignment behaves the same — confirm and simplify.
    if (!($rg =& $conn->CacheExecute($sqlgraph))) {
        // NOTE(review): raw driver error printed straight into the page.
        print $conn->ErrorMsg();
    } else {
        // Stops once $limit distinct countries have been seen.
        while (!$rg->EOF && count($countries) < $limit) {
            // ip_src is read packed; inet_ntop() turns it into the textual form.
            $_country_aux = $geoloc->get_country_by_host($conn, inet_ntop($rg->fields['ip']));
            $country = strtolower($_country_aux[0]);
            $country_name = $_country_aux[1];
            if ($country_name != "") {
                // First hit on a code reads an undefined index before adding.
                $countries[$country] += $rg->fields['num_events'];
                $country_names[$country] = $country_name;
            }
            $rg->MoveNext();
        }
    }
    arsort($countries);
    foreach ($countries as $c => $val) {
        $data[] = $val;
        // NOTE(review): the GeoIP name is stored raw; make sure it is escaped
        // where the chart is rendered.
        $label[] = $country_names[$c];
        $link = Menu::get_menu_url("/ossim/forensics/base_stat_country_alerts.php?cc={$c}&location=alerts&category=19", 'analysis', 'security_events');
        $links[] = "'{$link}'";
// Fragment: the if that selects $_conn is opened outside this listing, and the
// while/else at the end are closed there too.
$_conn = $dbo->custom_connect($_SESSION["server"][0],$_SESSION["server"][2],$_SESSION["server"][3]);
} else {
    $_conn = $dbo->connect();
}
// Accumulates per-country event totals and src/dst counters from rows of
// (packed ip, 'S'|'D', event count); rows whose country cannot be resolved
// are tallied in $country_uhn instead.
while (($myrow = $result->baseFetchRow())) {
    // NULL packed address: nothing to geolocate (loose == comparison).
    if ($myrow[0] == NULL) continue;
    $currentIP = inet_ntop($myrow[0]);
    $ip_type = $myrow[1];
    $num_events = $myrow[2];
    $field = ($ip_type=='S') ? 'srcnum' : 'dstnum';
    $_country_aux = $geoloc->get_country_by_host($_conn, $currentIP);
    $country = strtolower($_country_aux[0]);
    $country_name = $_country_aux[1];
    if ($country_name == "") $country_name = _("Unknown Country");
    //echo "IP $currentIP $country_name <br>";
    if ($country_name!=_("Unknown Country")) {
        // First hit on a country reads undefined indexes before adding.
        $countries[$country_name] += $num_events;
        $country_acc[$country_name][$field]++;
        $country_acc[$country_name]['events'] += $num_events;
        // The enclosing if already rules out "Unknown Country", so the "" branch
        // of the next two ternaries is unreachable here.
        // NOTE(review): $country and $country_name are GeoIP values written into
        // src/title attributes unescaped; htmlspecialchars() them first.
        $country_acc[$country_name]['flag'] = ($country_name != _("Unknown Country")) ? (($country=="local") ? "<img src=\"images/homelan.png\" border=0 title=\"$country_name\">" : " <img src=\"/ossim/pixmaps/flags/" . $country . ".png\" title=\"$country_name\">") : "";
        $country_acc[$country_name]['flagr'] = ($country_name != _("Unknown Country")) ? (($country=="local") ? $current_url."/forensics/images/homelan.png" : $current_url."/pixmaps/flags/".$country.".png") : "";
        $country_acc[$country_name]['code'] = $country;
    } else {
        $country_uhn['Unknown'] += $num_events;
        $country_uhn[$field]++;