$acid_link = Util::get_acid_events_link($s_since, $s_date, "time_a"); echo "<a href=\"{$acid_link}\" class='stop'><span style='color:black' class='tip' title='" . _("First") . ": {$s_since} " . Util::timezone($tz) . "<br>" . _("Last") . ": {$s_last} " . Util::timezone($tz) . "'>" . $ago . "</span></a>"; ?> </td> <?php } else { ?> <td class="nobborder" style='<?php echo $bgcolor; ?> text-align: center' width='12%'> <?php $now = gmdate("Y-m-d H:i:s", gmdate("U") + 3600 * $tz); $ago = get_alarm_life($s_since, $now); $acid_link = Util::get_acid_events_link($s_since, $now, "time_a"); echo "<a href=\"{$acid_link}\" class='stop'>\n \t\t\t\t <span style='color:black' class='tip' title='" . _("First") . ": {$s_since} " . Util::timezone($tz) . "'>" . $ago . "</span>\n \t\t\t\t </a>\n \t\t\t\t <img src='/ossim/alarm/style/img/correlating.gif' class='img_cor tip' title='" . _("This alarm is still being correlated and therefore it can not be modified") . "'/>"; ?> </td> <?php } ?> <td class="left" style="padding-left:10px"><?php echo $source_balloon; ?> </td> <td class="left" style="padding-left:10px"><?php echo $dest_balloon; ?> </td>
</td> </tr> </table> </tr> <tr><td style="padding-left:10px;padding-right:10px" colspan="5" class="nobborder"><table class="transparent" width="100%" cellpadding=0 cellspacing=0 border=0><tr><td class="nobborder" style="background:url('../pixmaps/points.gif') repeat-x"><img src="../pixmaps/points.gif"></td></tr></table></td></tr> <tr> <td class="nobborder" style="padding:10px" valign="top"> <table class="transparent" width="100%"> <tr> <td class="nobborder"> <table class="transparent"> <tr> <?php $txtzone = "<a href=\"javascript:;\" class=\"scriptinfoimg\" style=\"color:black\" txt=\"<img src='../pixmaps/timezones/" . rawurlencode(Util::timezone($tz)) . ".png' border=0>\">" . Util::timezone($tz) . "</a>"; ?> <td class="nobborder" nowrap style="font-size:11px;font-family:arial"><?php echo _("Time frame selection") . " {$txtzone}"; ?> :</td> <td class="nobborder"> <div id="widget"> <a href="javascript:;"><img src="../pixmaps/calendar.png" id='imgcalendar' border="0"></a> <div id="widgetCalendar"></div> </div> </td> <td class="nobborder" nowrap> <?php if ($param_start != "" && $param_end != "" && date_parse($param_start) && date_parse($param_end)) { ?>
// Unique-address statistics view (base_stat_uaddr.php): records timing marks,
// applies any pending alert action and declares the result-table columns.
// Every name used here ($et, $qs, $submit, $db, $caller, $addr_type,
// $addr_type_name, $results_title, $resolve_IP, $currentIP, DEST_IP, ...) is
// defined before this fragment; how each one is validated is not visible here.
$et->Mark("Initialization");
$qs->RunAction($submit, PAGE_STAT_UADDR, $db);
$et->Mark("Alert Action");
/* Run the query to determine the number of rows (No LIMIT)*/
//$cnt_sql = "SELECT count(DISTINCT $addr_type_name) " . $from . $where;
$et->Mark("Counting Result size");
/* Setup the Query Results Table */
// $caller and $addr_type are concatenated into the base URL that
// QueryResultsOutput reuses for its sort/paging links without any encoding.
// NOTE(review): confirm both are constrained upstream (other views intval()
// addr_type) before relying on this.
$qro = new QueryResultsOutput("base_stat_uaddr.php?caller=" . $caller . "&addr_type=" . $addr_type);
$qro->AddTitle(" ");
// $addr_type_name is interpolated straight into the ORDER BY clause, so it
// must only ever hold one of the fixed column names. NOTE(review): it is
// assigned outside this fragment — confirm it can never be request-derived.
$qro->AddTitle($results_title, "addr_a", " ", " ORDER BY {$addr_type_name} ASC", "addr_d", " ", " ORDER BY {$addr_type_name} DESC");
$qro->AddTitle(gettext("OTX"));
// The FQDN column is only shown when reverse resolution was requested.
if ($resolve_IP == 1) {
    $qro->AddTitle("FQDN");
}
$qro->AddTitle(Session::show_entities() ? gettext("Context") : gettext("Sensor"));
// The "(*)" marker carries the user's timezone as a tooltip for the event count.
$qro->AddTitle(gettext("Events") . " # <span class='idminfo' txt='" . Util::timezone(Util::get_timezone()) . "'>(*)</span>", "occur_a", " ", " ORDER BY num_events ASC", "occur_d", " ", " ORDER BY num_events DESC");
$qro->AddTitle(gettext("Unique Events"), "sig_a", " ", " ORDER BY num_sig ASC", "sig_d", " ", " ORDER BY num_sig DESC");
// Caption and "contacted" column depend on whether the view is keyed on
// destination or source addresses.
if ($addr_type == DEST_IP) {
    $displaytitle = gettext("Displaying unique destination addresses %d-%d of <b>%s</b> matching your selection.");
    $qro->AddTitle(gettext("Unique Src. Contacted."), "saddr_a", " ", " ORDER BY num_sip ASC", "saddr_d", " ", " ORDER BY num_sip DESC");
} else {
    $displaytitle = gettext("Displaying unique source addresses %d-%d of <b>%s</b> matching your selection.");
    $qro->AddTitle(gettext("Unique Dst. Contacted"), "daddr_a", " ", " ORDER BY num_dip ASC", "daddr_d", " ", " ORDER BY num_dip DESC");
}
// Google Earth / Maps launchers, shown only when the KML helper is installed.
// $addr_type_name and $currentIP are interpolated into an inline onclick
// handler inside a single-quoted HTML attribute with no attribute or
// JavaScript escaping, and the "sources"/"destinations" wording compares
// against the literal 2 instead of the DEST_IP constant used just above.
// NOTE(review): this is only safe if $currentIP is always a validated IP
// literal by the time it reaches here — confirm where it is assigned.
if (file_exists("../kml/GoogleEarth.php")) {
    $qro->AddTitle(gettext("Geo Tools") . " <a href='' onclick='window.open(\"../kml/TourConfig.php?type={$addr_type_name}&ip={$currentIP}\",\"IP {$currentIP} " . ($addr_type == 2 ? _("sources") : _("destinations")) . " - Goggle Earth API\",\"width=1024,height=700,scrollbars=NO,toolbar=1\");return false'><img title='" . _("Geolocation Tour") .
        "' align='absmiddle' src='../pixmaps/google_earth_icon.png' border='0'></a> <a href='' onclick='window.open(\"../kml/IPGoogleMap.php?type={$addr_type_name}&ip={$currentIP}\",\"IP {$currentIP} " . ($addr_type == 2 ? _("sources") : _("destinations")) . " - Goggle Maps API\",\"width=1024,height=700,scrollbars=NO,toolbar=1\");return false'><img title='" . _("Geolocation Map") . "' align='absmiddle' src='../pixmaps/google_maps_icon.png' border='0'></a>", "geotools");
}
// Non-admin users are not meant to see the total match count. NOTE(review):
// the pattern requires a literal ". <b>" sequence, but the captions above
// read "... of <b>%s</b> ..." with no period before "<b>", so this replace
// looks like a no-op as written — verify the intended caption for non-admins.
if (!Session::am_i_admin()) {
    $displaytitle = preg_replace("/\\. <b>.*/", ".", $displaytitle);
}
// Column-select and ORDER BY fragments for the currently requested sort.
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());
<!--<tr><td style="padding-top:5px"><table width="100%" cellpadding=0 cellspacing=0 border=0><tr><td style="background:url('../pixmaps/points.gif') repeat-x"><img src="../pixmaps/points.gif"></td></tr></table></td></tr>--> <?php $urltimecriteria = $_SERVER['SCRIPT_NAME']; $params = ""; // Clicked from qry_alert or clicked from Time profile must return to main if (preg_match("/base_qry_alert|base_stat_time/", $urltimecriteria)) { $urltimecriteria = "base_qry_main.php"; } if ($_GET["addr_type"] != "") { $params .= "&addr_type=" . $_GET["addr_type"]; } if ($_GET["sort_order"] != "") { $params .= "&sort_order=" . $_GET["sort_order"]; } $txtzone = "<a href=\"javascript:;\" class=\"scriptinfoimg\" txt=\"<img src='../pixmaps/timezones/" . rawurlencode(Util::timezone($GLOBALS["tz"])) . ".png' border=0>\">" . Util::timezone($GLOBALS["tz"]) . "</a>"; ?> <tr> <td> <table> <tr> <td> <table width='100%'><tr> <td> <table cellpadding="0" cellspacing="0"> <tr> <td><?php echo _("Time frame selection") . " {$txtzone}"; ?> : </td>
echo gettext("Sensor"); ?> </a></td> <td style="background-color:#9DD131;font-weight:bold"> <?php echo gettext("Since") . "<br>" . Util::timezone($tz); ?> </td> <td style="background-color:#9DD131;font-weight:bold"><a href="<?php echo $_SERVER["SCRIPT_NAME"]; ?> ?order=<?php echo ossim_db::get_order("timestamp", $order) . "&inf={$inf}&sup={$sup}&src_ip={$src_ip}&dst_ip={$dst_ip}&num_alarms_page={$num_alarms_page}&date_from={$date_from}&date_to={$date_to}&hide_closed={$hide_closed}&norefresh={$norefresh}&query={$query}&directive_id={$directive_id}&no_resolv={$no_resolv}&sensor_query={$sensor_query}&num_events={$num_events}&num_events_op={$num_events_op}"; ?> "> <?php echo gettext("Last") . "<br>" . Util::timezone($tz); ?> </a></td> <td style="background-color:#9DD131;font-weight:bold"><a href="<?php echo $_SERVER["SCRIPT_NAME"]; ?> ?order=<?php echo ossim_db::get_order("src_ip", $order) . "&inf={$inf}&sup={$sup}&src_ip={$src_ip}&dst_ip={$dst_ip}&num_alarms_page={$num_alarms_page}&date_from={$date_from}&date_to={$date_to}&hide_closed={$hide_closed}&norefresh={$norefresh}&query={$query}&directive_id={$directive_id}&no_resolv={$no_resolv}&sensor_query={$sensor_query}&num_events={$num_events}&num_events_op={$num_events_op}"; ?> "> <?php echo gettext("Source"); ?> </a></td> <td style="background-color:#9DD131;font-weight:bold"><a href="<?php echo $_SERVER["SCRIPT_NAME"]; ?>
} $debug_time_mode >= 1 ? $et->Mark("Counting Result size") : ''; /* Setup the Query Results Table */ $qro = new QueryResultsOutput("base_stat_alerts.php?caller=" . $caller); $qro->AddTitle(" "); $qro->AddTitle(gettext("Signature"), "sig_a", " ", " ORDER BY plugin_id ASC,plugin_sid", "sig_d", " ", " ORDER BY plugin_id DESC,plugin_sid"); //if ($db->baseGetDBversion() >= 103) $qro->AddTitle(gettext("Classification"), "class_a", ", MIN(sig_class_id) ", " ORDER BY sig_class_id ASC ", "class_d", ", MIN(sig_class_id) ", " ORDER BY sig_class_id DESC "); $qro->AddTitle(gettext("Total") . " #", "occur_a", " ", " ORDER BY sig_cnt ASC", "occur_d", " ", " ORDER BY sig_cnt DESC"); $qro->AddTitle(gettext("Sensor") . " #"); $qro->AddTitle(_("Src. Addr."), "saddr_a", ", count(DISTINCT ip_src) AS saddr_cnt ", " ORDER BY saddr_cnt ASC", "saddr_d", ", count(DISTINCT ip_src) AS saddr_cnt ", " ORDER BY saddr_cnt DESC"); $qro->AddTitle(_("Dst. Addr."), "daddr_a", ", count(DISTINCT ip_dst) AS daddr_cnt ", " ORDER BY daddr_cnt ASC", "daddr_d", ", count(DISTINCT ip_dst) AS daddr_cnt ", " ORDER BY daddr_cnt DESC"); $qro->AddTitle(_("First") . " " . Util::timezone($tz), "first_a", ", min(timestamp) AS first_timestamp ", " ORDER BY first_timestamp ASC", "first_d", ", min(timestamp) AS first_timestamp ", " ORDER BY first_timestamp DESC"); if ($show_previous_alert == 1) { $qro->AddTitle("Previous"); } $qro->AddTitle(_("Last") . " " . Util::timezone($tz), "last_a", ", max(timestamp) AS last_timestamp ", " ORDER BY last_timestamp ASC", "last_d", ", max(timestamp) AS last_timestamp ", " ORDER BY last_timestamp DESC"); $sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort()); /* mstone 20050309 add sig_name to GROUP BY & query so it can be used in postgres ORDER BY */ /* mstone 20050405 add sid & ip counts */ //$sql = "SELECT DISTINCT signature, count(signature) as sig_cnt, " . 
"min(timestamp), max(timestamp), sig_name, count(DISTINCT(acid_event.sid)), count(DISTINCT(ip_src)), count(DISTINCT(ip_dst)), sig_class_id " . $sort_sql[0] . $from . $where . " GROUP BY signature, sig_name, sig_class_id " . $sort_sql[1]; $sql = "SELECT DISTINCT acid_event.plugin_id, acid_event.plugin_sid, count(acid_event.plugin_sid) as sig_cnt, " . "min(timestamp) as first_timestamp, max(timestamp) as last_timestamp, count(DISTINCT(acid_event.sid)) as sid_cnt, count(DISTINCT(ip_src)) as saddr_cnt, count(DISTINCT(ip_dst)) as daddr_cnt " . $sort_sql[0] . $from . $where . " GROUP BY plugin_id, plugin_sid " . $sort_sql[1]; //echo $sql."<br>"; // use accumulate tables only with timestamp criteria if ($use_ac) { $where = $more = $sqla = $sqlb = $sqlc = ""; if (preg_match("/timestamp/", $criteria_clauses[1])) { $where = "AND " . str_replace("timestamp", "day", $criteria_clauses[1]); $sqla = " and ac_alerts_signature.day=ac_alerts_sid.day"; $sqlb = " and ac_alerts_signature.day=ac_alerts_ipsrc.day"; $sqlc = " and ac_alerts_signature.day=ac_alerts_ipdst.day"; }
$alert_user = $_SESSION["server"][2]; $alert_password = $_SESSION["server"][3]; $alert_dbname = $_SESSION["server"][4]; require_once "{$BASE_path}/includes/base_db.inc.php"; $dbtest = NewBASEDBConnection($DBlib_path, $DBtype); $dbtest->DB = NewADOConnection(); error_reporting(E_ERROR | E_PARSE); if (!$dbtest->DB->PConnect($alert_port == "" ? $alert_host : $alert_host . ":" . $alert_port, $alert_user, $alert_password, $alert_dbname)) { unset($_SESSION['server']); echo "<br> <font style='font-family:arial;font-size:11px'><b>ERROR</b>: " . _("Unable to connect") . " " . $alert_dbname . " ({$alert_host}). Connection restored to local."; echo "<br> <a href='base_qry_main.php?clear_allcriteria=1&num_result_rows=-1&submit=Query+DB¤t_view=-1&sort_order=time_d' style='font-family:arial;font-size:11px'><u>Click here to continue</u></a>"; exit; } error_reporting(E_ALL ^ E_NOTICE); } $current_url = Util::get_ossim_url(); $events_report_type = 33; $graph_report_type = 34; $criteria_report_type = 35; $unique_events_report_type = 36; $unique_iplinks_report_type = 37; $sensors_report_type = 38; $unique_addr_report_type = 40; $src_port_report_type = 42; $dst_port_report_type = 44; $unique_plugins_report_type = 46; $unique_country_events_report_type = 48; // $current_cols_titles = array("SIGNATURE" => _("Signature"), "DATE" => _("Date") . " " . 
Util::timezone($tz), "IP_PORTSRC" => _("Source"), "IP_PORTDST" => _("Dest."), "SENSOR" => _("Sensor"), "IP_SRC" => _("Src IP"), "IP_DST" => _("Dst IP"), "IP_SRC_FQDN" => _("Src IP FQDN"), "IP_DST_FQDN" => _("Dst IP FQDN"), "PORT_SRC" => _("Src Port"), "PORT_DST" => _("Dst Port"), "ASSET" => _("Asset <br>S<img src='images/arrow-000-small.gif' border=0 align=absmiddle>D"), "PRIORITY" => _("Prio"), "RELIABILITY" => _("Rel"), "RISK" => _("Risk"), "IP_PROTO" => _("L4-proto"), "USERDATA1" => _("Userdata1"), "USERDATA2" => _("Userdata2"), "USERDATA3" => _("Userdata3"), "USERDATA4" => _("Userdata4"), "USERDATA5" => _("Userdata5"), "USERDATA6" => _("Userdata6"), "USERDATA7" => _("Userdata7"), "USERDATA8" => _("Userdata8"), "USERDATA9" => _("Userdata9"), "USERNAME" => _("Username"), "FILENAME" => _("Filename"), "PASSWORD" => _("Password"), "PAYLOAD" => _("Payload"), "SID" => _("SID"), "CID" => _("CID"), "PLUGIN_ID" => _("Data Source ID"), "PLUGIN_SID" => _("Event Type ID"), "PLUGIN_DESC" => _("Data Source Description"), "PLUGIN_NAME" => _("Data Source Name"), "PLUGIN_SOURCE_TYPE" => _("Source Type"), "PLUGIN_SID_CATEGORY" => _("Category"), "PLUGIN_SID_SUBCATEGORY" => _("SubCategory"), 'CONTEXT' => _("Context")); $current_cols_widths = array("SIGNATURE" => "45mm", "IP_PORTSRC" => "25mm", "IP_PORTDST" => "25mm", "ASSET" => "12mm", "PRIORITY" => "12mm", "RELIABILITY" => "12mm", "RISK" => "12mm", "IP_PROTO" => "10mm"); $siem_events_title = _("SIEM Events events");
$buffer .= "<td><b>"; if ($view && $href_sim) { $buffer .= "<a class='greybox' href='{$href_sim}'>"; } $buffer .= "{$risk}"; if ($view && $href_sim) { $buffer .= "</a>"; } $buffer .= "</b></td>"; } $buffer .= "<td class='td_date' nowrap='nowrap'>"; if ($view) { if ($event_date == $orig_date || $event_date == $date) { $buffer .= "<a class='greybox' href='" . Util::get_acid_date_link($date, $src_ip, "ip_src") . "'><font color='black'>{$date}</font></a>"; } else { $buffer .= "\n\n\t\t\t\t\t\t\t<a class='greybox' href='" . Util::get_acid_date_link($date, $src_ip, "ip_src") . "'>\n\t\t\t\t\t\t\t <font color='black'>{$date}</font>\n\t\t\t\t\t\t\t</a>\n\t\t\t\t\t\t\t<div style='display: none;'>\n <table class='t_white'> \n <tr>\n <td>" . _('Sensor date') . ":</td>\n <td>{$event_date}</td>\n </tr>\n \n <tr>\n <td>" . _("Timezone") . ":</td>\n <td>" . Util::timezone($alarm->get_tzone()) . "</td>\n </tr>\n </table>\n </div>\t\t\n\t\t\t\t"; } } else { $buffer .= "<span style='color:gray'>{$date}</span>"; } $buffer .= "</td>"; // Src if ($no_resolv || !$src_host) { $src_name = $src_ip; $ctx_src = $ctx; } elseif ($src_host) { $src_name = $src_host->get_name(); $ctx_src = $src_host->get_ctx(); } // Src icon and bold $src_output = Asset_host::get_extended_name($conn, $geoloc, $src_ip, $ctx_src, $event_info["src_host"], $event_info["src_net"]);
</a> <span class="tooltip"> <span class="top"></span> <span class="middle ne1 center"> <b><?php echo _("Sensor date"); ?> :</b><br><?php echo $event_date; ?> <br> <b><?php echo _("Timezone"); ?> :</b> <?php echo Util::timezone($alarm->get_tzone()); ?> <br> </span> <span class="bottom"></span> </span> </div> <?php } ?> </td> <?php $src_link = "../report/host_report.php?host={$src_ip}"; $src_title = _("Src Asset") . ": <b>{$asset_src}</b><br>" . _("IP") . ": <b>{$src_ip}</b>"; $dst_link = "../report/host_report.php?host={$dst_ip}";
// } arsort($countries); // Not found if (count($countries) == 0) { echo "<tr><td><table class='transparent' style='width:100%'><tr><td colspan='5' style='padding:6px'><b>"._("No external IP addresses were found in the SIEM events")."</b></td></tr></table></td></tr>\n"; } // Results else { echo '<br/><TABLE class="table_list">'; echo '<tr><th style="text-align:left" width="25%">Country</th> <th width="15%">' . gettext("Events") . " # <span class='idminfo' txt='".Util::timezone(Util::get_timezone())."'>(*)</span>". '</th> <th width="10%">' . gettext("Unique Src. #") . '</th> <th width="10%">' . gettext("Unique Dst. #") . '</th> <th></th></TR>'; $max_cnt = 1; $i = 0; foreach ($countries as $country=>$num) { if ($max_cnt == 1 && $num > 0) $max_cnt = $num; $data = $country_acc[$country]; if ($data['srcnum']+$data['dstnum'] == 0) $entry_width = 0; else $entry_width = round($data['events'] / $max_cnt * 100); if ($data['code']=="") $data['code']="unknown"; ?> <tr> <td style="padding:7px;text-align:left"><?=$data['flag']." ".$country?></td>
} if ($plugin == "") { $plugin = intval($matches[4]); } $_SESSION["_plugins"][$matches[4]] = $plugin; } } if ($htmlResult) { $red = 0; $color = "black"; } // para coger $date = $matches[2]; $event_date = $matches[2]; $tzone = intval($matches[10]); $txtzone = Util::timezone($tzone); $event_date_uut = Util::get_utc_unixtime($conn, $event_date); // Special case: old events $eventhour = gmdate("H", $event_date_uut); $ctime = explode("/", $logfile); $storehour = $ctime[count($ctime) - 3]; // hours $warning = $storehour - $eventhour != 0 ? "<a href='javascript:;' style='text-decoration:none' txt='" . _("Date may not be normalized") . "' class='scriptinfotxt'><img src='../pixmaps/warning.png' align='absmiddle' border='0' style='margin-left:3px;margin-right:3px'></a>" : ""; // Event date timezone if ($tzone != 0) { $event_date = gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tzone); } // Apply user timezone if ($tz != 0) { $date = gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tz); }
<BLOCKQUOTE> <TABLE BORDER=0 cellpadding=2 cellspacing=0 class="bborder" WIDTH="100%"> <TR><TD CLASS="header3" WIDTH=50 ALIGN=CENTER ROWSPAN=4>Meta</TD> <TD> <TABLE BORDER=0 CELLPADDING=4> <TR><TD CLASS="header" >' . _("ID") . ' #</TD> <TD CLASS="header" nowrap>' . _("Date") . " " . Util::timezone($tz) . '</TD> ' . ($tzcell ? '<TD CLASS="header" nowrap>' . _("Event date") . '</TD>' : '') . ' <TD CLASS="header">' . _("Triggered Signature") . '</TD> <TD CLASS="header" nowrap>' . _("Data Source Name") . '</TD> <TD CLASS="header" nowrap>' . _("Data Source ID") . '</TD> <TD CLASS="header" nowrap>' . _("Event Type ID") . '</TD> <TD></td></TR> <TR><TD CLASS="plfield" nowrap>' . ($sid . " - " . $cid) . '</TD> <TD CLASS="plfield" nowrap>' . htmlspecialchars($tzdate) . '</TD> ' . ($tzcell ? '<TD CLASS="plfield" nowrap>' . $event_date . '<br>' . Util::timezone($tzone) . '</TD>' : '') . ' <TD CLASS="plfield">'; $htmlTriggeredSignature = html_entity_decode(htmlspecialchars(str_replace("##", "", BuildSigByPlugin($plugin_id, $plugin_sid, $db)))); echo $htmlTriggeredSignature . '</TD> <TD CLASS="plfield">' . $plugin_name . '</TD> <TD CLASS="plfield">' . $plugin_id . '</TD> <TD CLASS="plfield">' . $plugin_sid . '</TD> ' . ($_GET['minimal_view'] == "" ? '<TD CLASS="plfield"><a href="javascript:;" onclick="GB_show(\'' . _("Modify Rel/Prio") . '\',\'modify_relprio.php?id=' . $plugin_id . '&sid=' . $plugin_sid . '\',280,450)" class="greybox"><img src="../vulnmeter/images/pencil.png" border="0" alt="' . _("Modify Rel/Prio") . '" title="' . _("Modify Rel/Prio") . 
'"></a></td>' : ''); '<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0033" target="_blank"><img src="manage_references_icon.php?id=5" alt="cve" title="cve" border="0"></a> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5976" target="_blank"><img src="manage_references_icon.php?id=5" alt="cve" title="cve" border="0"></a> pads: New service detectedArray '; //<-- $return; foreach (explode('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', $htmlTriggeredSignature) as $key => $value) { if ($key != 0) { $posIni = strpos($value, "'"); if ($posIni !== false) {
require_once 'av_init.php'; Session::logcheck('analysis-menu', 'EventsForensics'); Session::logcheck('report-menu', 'ReportsReportServer'); $rtype = GET('rtype'); $pro = Session::is_pro(); ossim_valid($rtype, OSS_DIGIT, 'illegal:' . _('Report type')); if (ossim_error()) { $config_nt = array('content' => _("Invalid report type"), 'options' => array('type' => 'nf_error', 'cancel_button' => FALSE), 'style' => 'margin: 20px auto; width: 80%; text-align: center;'); $nt = new Notification('nt_1', $config_nt); $nt->show(); exit; } $addr_type = intval(GET('addr_type')); $type = array("33" => "Events", "38" => "Sensors", "36" => "Unique_Events", "46" => "Unique_Plugins", "40" => "Unique_Addresses", "42" => "Source_Port", "44" => "Destination_Port", "37" => "Unique_IP_links", "48" => "Unique_Country_Events"); $tz = Util::get_timezone(); $current_cols_titles = array("SIGNATURE" => _("Signature"), "ENTITY" => _("Context"), "DATE" => _("Date") . " " . Util::timezone($tz), "IP_PORTSRC" => _("Source"), "IP_PORTDST" => _("Destination"), "SENSOR" => _("Sensor"), "OTX" => _("OTX"), "IP_SRC" => _("Src IP"), "IP_DST" => _("Dst IP"), "IP_SRC_FQDN" => _("Src IP FQDN"), "IP_DST_FQDN" => _("Dst IP FQDN"), "PORT_SRC" => _("Src Port"), "PORT_DST" => _("Dst Port"), "ASSET" => _("Asset S->D"), "PRIORITY" => _("Prio"), "RELIABILITY" => _("Rel"), "RISK" => _("Risk"), "IP_PROTO" => _("L4-proto"), "USERDATA1" => _("Userdata1"), "USERDATA2" => _("Userdata2"), "USERDATA3" => _("Userdata3"), "USERDATA4" => _("Userdata4"), "USERDATA5" => _("Userdata5"), "USERDATA6" => _("Userdata6"), "USERDATA7" => _("Userdata7"), "USERDATA8" => _("Userdata8"), "USERDATA9" => _("Userdata9"), "USERNAME" => _("Username"), "FILENAME" => _("Filename"), "PASSWORD" => _("Password"), "PAYLOAD" => _("Payload"), "PLUGIN_ID" => _("Data Source ID"), "PLUGIN_SID" => _("Event Type ID"), "PLUGIN_DESC" => _("Data Source Description"), "PLUGIN_NAME" => _("Data Source Name"), "PLUGIN_SOURCE_TYPE" => _("Source Type"), 
"PLUGIN_SID_CATEGORY" => _("Category"), "PLUGIN_SID_SUBCATEGORY" => _("SubCategory"), 'SRC_USERDOMAIN' => _("IDM User@Domain Src IP"), 'DST_USERDOMAIN' => _("IDM User@Domain Dst IP"), 'SRC_HOSTNAME' => _("IDM Source"), 'DST_HOSTNAME' => _("IDM Destination"), 'SRC_MAC' => _("IDM MAC Src IP"), 'DST_MAC' => _("IDM MAC Dst IP"), 'REP_PRIO_SRC' => _("Rep Src IP Prio"), 'REP_PRIO_DST' => _("Rep Dst IP Prio"), 'REP_REL_SRC' => _("Rep Src IP Rel"), 'REP_REL_DST' => _("Rep Dst IP Rel"), 'REP_ACT_SRC' => _("Rep Src IP Act"), 'REP_ACT_DST' => _("Rep Dst IP Act"), 'DEVICE' => _("Device IP")); $user = $_SESSION["_user"]; $path_conf = $GLOBALS["CONF"]; /* database connect */ $db = new ossim_db(true); $conn = $db->connect(); //$conn = $db->custom_connect('localhost',$path_conf->get_conf("ossim_user"),$path_conf->get_conf("ossim_pass")); $config = new User_config($conn); $default_view = $config->get($login, 'custom_view_default', 'php', "siem") != "" ? $config->get($login, 'custom_view_default', 'php', "siem") : ($idm_enabled ? 'IDM' : 'default'); $output_name = $type[$rtype] . "_" . $user . "_" . date("Y-m-d", time()) . ".csv"; $csv_header = ""; $csv_body = ""; $var_data = Session::show_entities() ? "Context" : "Sensor"; if ($type[$rtype] == "Events") { $sql = "SELECT dataV1, dataV2, dataV11, dataV3, dataV5, dataV10, cell_data\n FROM datawarehouse.report_data WHERE id_report_data_type={$rtype} and user='******'"; if ($_SESSION['current_cview'] != $default_view) {
// 4- Timestamp //qroPrintEntry($myrow["timestamp"], "center"); $tzone = $myrow['tzone']; $event_date = $myrow['timestamp']; $tzdate = $event_date; $event_date_uut = get_utc_unixtime($db, $event_date); // Event date timezone if ($tzone != 0) { $event_date = gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tzone); } // Apply user timezone if ($tz != 0) { $tzdate = gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tz); } $cell_data['DATE'] = $tzdate; $cell_tooltip['DATE'] = $event_date == $myrow['timestamp'] || $event_date == $tzdate ? "" : _("Event date") . ": " . htmlspecialchars("<b>" . $event_date . "</b><br>" . _("Timezone") . ": <b>" . Util::timezone($tzone) . "</b>"); $cell_pdfdata['DATE'] = str_replace(" ", "<br>", $tzdate); $cell_align['DATE'] = "center"; $cell_more['DATE'] = "nowrap"; //$tmp_iplookup = 'base_qry_main.php?sig%5B0%5D=%3D' . '&num_result_rows=-1' . '&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=+' . '&submit=' . gettext("Query+DB") . '&current_view=-1&ip_addr_cnt=2'; /* TCP or UDP show the associated port # if ( ($current_proto == TCP) || ($current_proto == UDP) ) $result4 = $db->baseExecute("SELECT layer4_sport, layer4_dport FROM acid_event ". "WHERE sid='".$myrow[0]."' AND cid='".$myrow[1]."'"); if ( ($current_proto == TCP) || ($current_proto == UDP) ) { $myrow4 = $result4->baseFetchRow(); if ( $myrow4[0] != "" ) $current_sport = ":".$myrow4[0]; if ( $myrow4[1] != "" ) $current_dport = ":".$myrow4[1];
* along with this package; if not, write to the Free Software * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, * MA 02110-1301 USA * * * On Debian GNU/Linux systems, the complete text of the GNU General * Public License can be found in `/usr/share/common-licenses/GPL-2'. * * Otherwise you can read it here: http://www.gnu.org/licenses/gpl-2.0.txt * */ require 'general.php'; if (Session::menu_perms("analysis-menu", "EventsForensics")) { //Timezone $tz = Util::get_timezone(); $text_tz = Util::timezone($tz); $htmlPdfReport->pageBreak(); $htmlPdfReport->setBookmark($title); $htmlPdfReport->set($htmlPdfReport->newTitle($title, $date_from, $date_to, null)); $htmlPdfReport->set("\n<br/><br/>\n"); $db = new ossim_db(); $conn = $db->connect(); $conn->SetFetchMode(ADODB_FETCH_ASSOC); $rs = $conn->Execute($query, $params); if (!$rs) { $htmlPdfReport->set("<table class='w100' cellpadding='0' cellspacing='0'>\n <tr><td class='w100' align='center' valign='top'>" . _("No data available") . "</td></tr>\n </table>\n"); } else { // Plugins $htmlPdfReport->set("<table style='width: 193mm;' cellpadding='0' cellspacing='0'>\n <tr><th style='width: 193mm;' align='center'>" . _("SIEM Unique Plugins") . "</th></tr>\n </table><br/>\n"); $htmlPdfReport->set("<table style='width: 193mm; margin:auto;' cellpadding='0' cellspacing='2'>"); //Headers
// Normalized-event detail block of the event detail page. $tz, $tzone,
// $tzdate, $event_date, $tzcell, $myrow4, $plugin_id, $plugin_sid and $db are
// all set before this fragment.
// Timezone badge: the zone name is URL-encoded for the flag image path but is
// placed as-is in the txt attribute and the link text.
$txtzone = "<a href=\"javascript:;\" class=\"scriptinfoimg\" txt=\"<img src='../pixmaps/timezones/" . rawurlencode(Util::timezone($tz)) . ".png' border=0>\">" . Util::timezone($tz) . "</a>";
list($cat, $subcat) = GetCategorySubCategory($plugin_id, $plugin_sid, $db);
// Escaping in this markup is uneven: $tzdate and the sensor name go through
// htmlspecialchars(), while $event_date, the interface name, $plugin_id and
// $plugin_sid are concatenated raw. NOTE(review): that is only safe if those
// values are numeric or otherwise controlled upstream — confirm at the query
// that fills $myrow4 and the taxonomy ids.
// The @ on inet_ntop() hides the warning a malformed address would raise so
// that its false return selects the "Unknown" branch.
echo ' <div class="siem_detail_table"> <div class="siem_detail_section">Normalized<br>Event</div> <div class="siem_detail_content"> <TABLE class="table_list"> <TR> <th>'
    . _("Date") . '</th> '
    . ($tzcell ? '<th>' . _("Event date") . '</th>' : '')
    . ' <th>' . gettext("Alienvault Sensor") . '</th> <th>' . gettext("Interface") . '</th> </TR> <TR> <TD> '
    . htmlspecialchars($tzdate) . " " . $txtzone . '</TD> '
    . ($tzcell ? '<TD nowrap>' . $event_date . ' ' . Util::timezone($tzone) . '</TD>' : '')
    . ' <TD>' . htmlspecialchars(@inet_ntop($myrow4["ip"]) ? $myrow4["name"] . " [" . inet_ntop($myrow4["ip"]) . "]" : _("Unknown")) . '</TD> <TD>'
    . ($myrow4["interface"] == "" ? " <I>-</I> " : $myrow4["interface"]) . '</TD> </TR> </TABLE> <br/> <TABLE class="table_list"> <TR> <th>'
    . _("Triggered Signature") . '</th> <th>' . _("Event Type ID") . '</th> <th>' . _("Category") . '</th> <th>' . _("Sub-Category") . '</th> </TR> <TR> <TD><a href="javascript:;" class="trlnka" id="'
    . $plugin_id . ';' . $plugin_sid . '">';
// Signature text for the link opened above, with the "##" markers removed;
// it is consumed after this fragment.
$htmlTriggeredSignature = str_replace("##", "", BuildSigByPlugin($plugin_id, $plugin_sid, $db));
$qs->RunAction($submit, PAGE_STAT_SENSOR, $db); $et->Mark("Alert Action"); /* create SQL to get Unique Alerts */ $cnt_sql = "SELECT count(DISTINCT acid_event.device_id) " . $from . $where; /* Run the query to determine the number of rows (No LIMIT)*/ if (!$use_ac) { $qs->GetNumResultRows($cnt_sql, $db); } $et->Mark("Counting Result size"); /* Setup the Query Results Table */ $qro = new QueryResultsOutput("base_stat_sensor.php?caller=" . $caller); $qro->AddTitle(" "); $qro->AddTitle(gettext("Sensor"), "sid_a", " ", " ORDER BY acid_event.device_id ASC", "sid_d", " ", " ORDER BY acid_event.device_id DESC"); $qro->AddTitle(gettext("Name"), "", " ", " ", "", " ", " "); $qro->AddTitle(gettext("Device IP"), "", " ", " ", "", " ", " "); $events_title = !$use_ac ? _("Events") . " # <span class='idminfo' txt='" . Util::timezone($tz) . "'>(*)</span>" : _("Events") . " # <span class='idminfo' txt='" . _("Time UTC") . "'>(*)</span>"; $qro->AddTitle($events_title, "occur_a", " ", " ORDER BY event_cnt ASC", "occur_d", " ", " ORDER BY event_cnt DESC"); $qro->AddTitle(gettext("Unique Events"), "", "", "", "", "", ""); $qro->AddTitle(gettext("Unique Src."), "", "", "", "", "", ""); $qro->AddTitle(gettext("Unique Dst."), "", "", "", "", "", ""); /* $qro->AddTitle(gettext("Unique Events"), "sig_a", "", " ORDER BY sig_cnt ASC", "sig_d", "", " ORDER BY sig_cnt DESC"); $qro->AddTitle(gettext("Unique Src."), "saddr_a", "", " ORDER BY saddr_cnt ASC", "saddr_d", "", " ORDER BY saddr_cnt DESC"); $qro->AddTitle(gettext("Unique Dst."), "daddr_a", "", " ORDER BY daddr_cnt ASC", "daddr_d", "", " ORDER BY daddr_cnt DESC"); */ $sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), ""); if ($complete) { // incude all fields for pdf/csv reports $sql2 = $sql = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntop(sensor.ip) AS sensor_ip, inet6_ntop(device.device_ip) AS device_ip, device.interface, count(acid_event.id) as event_cnt, 
count(distinct acid_event.plugin_id, acid_event.plugin_sid) as sig_cnt, count(distinct(acid_event.ip_src)) as saddr_cnt, count(distinct(acid_event.ip_dst)) as daddr_cnt" . $sort_sql[0] . $from1 . $where1 . " AND device.id=acid_event.device_id GROUP BY acid_event.device_id" . $sort_sql[1]; } else { $sql = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntop(sensor.ip) AS sensor_ip, inet6_ntop(device.device_ip) AS device_ip, device.interface, {$counter} " . $sort_sql[0] . $from . $where . " AND device.id=acid_event.device_id GROUP BY acid_event.device_id HAVING event_cnt>0 " . $sort_sql[1];
</a></li> <li><a href="#" onclick="learn_more();return false" id="kdb_docs"><?php echo _('Learn More'); ?> </a></li> </ul> </div> </div> </div> <?php // In graybox external minimal view (no pagging) } elseif (!array_key_exists("noback", $_GET)) { $back = str_replace(_('Security Events'), _('Back'), $back); echo "<div align='center'>{$back}</div><br/>"; } $txtzone = "<a href=\"javascript:;\" class=\"tzoneimg\" txt=\"<img src='../pixmaps/timezones/" . rawurlencode(Util::timezone($tz)) . ".png' width='400' height='205' border=0>\">" . Util::timezone($tz) . "</a>"; // Taxonomy list($cat, $subcat) = GetCategorySubCategory($plugin_id, $plugin_sid, $db); // Risk & Proto $ossim_risk = $ossim_risk_c < $ossim_risk_a ? $ossim_risk_a : $ossim_risk_c; $p_name = Protocol::get_protocol_by_number($ip_proto, TRUE); if (FALSE === $p_name) { $p_name = _('UNKNOWN'); } $otx_link = '<a class="trlnk __CLASS__" href="#" txt="__TOOLTIP__" onclick="GB_show(\'' . _("OTX Details") . '\',\'' . str_replace('__EVENTID__', $eid, $otx_detail_url) . '\',500,\'80%\');return false">__VALUE__</a>'; ?> <script type="text/javascript" src="../js/utils.js"></script> <script type="text/javascript" src="../js/av_map.js.php"></script> <script type="text/javascript" src="../js/notification.js"></script> <?php
// Tail of a commented-out block that begins before this fragment.
} }*/
// Product-type statistics view (base_stat_ptypes.php). $fromcnt, $fromplg,
// $where, $counter, $caller, $tz, $qs, $et, $db and $debug_time_mode are all
// set before this fragment; $where presumably carries the user's search
// criteria (it is built elsewhere).
/* create SQL to get Unique Alerts */
$cnt_sql = "SELECT count(DISTINCT acid_event.plugin_id) " . $fromcnt . $where;
/* Run the query to determine the number of rows (No LIMIT)*/
$qs->GetNumResultRows($cnt_sql, $db);
// Timing mark only in debug mode; the ternary is used purely for its side effect.
$debug_time_mode >= 1 ? $et->Mark("Counting Result size") : '';
/* Setup the Query Results Table */
// $caller is concatenated into the base URL for sort/paging links without
// encoding; NOTE(review): confirm it is constrained upstream.
$qro = new QueryResultsOutput("base_stat_ptypes.php?caller=" . $caller);
//$qro->AddTitle(" ");
$qro->AddTitle(gettext("Product Type"));
// The "(*)" marker carries the user's timezone as a tooltip for the event count.
$events_title = _("Events") . " # <span class='idminfo' txt='" . Util::timezone($tz) . "'>(*)</span>";
$qro->AddTitle($events_title, "occur_a", " ", " ORDER BY events ASC, product_type DESC", "occur_d", ", ", " ORDER BY events DESC, product_type DESC");
$qro->AddTitle(Session::show_entities() ? gettext("Context") : gettext("Sensor"));
$qro->AddTitle(gettext("Last Event"));
$qro->AddTitle(gettext("Date") . " " . Util::timezone($tz));
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());
/* mstone 20050309 add sig_name to GROUP BY & query so it can be used in postgres ORDER BY */
/* mstone 20050405 add sid & ip counts */
// Grouping key differs by deployment: entity context (ctx) versus device id.
// The session entry holds the per-row "last event" lookup as a template;
// PLUGIN_ID and DID are literal placeholders, presumably substituted by the
// code that reads this session key later (not visible here).
if (Session::show_entities()) {
    $sql = "SELECT plugin.product_type,hex(acid_event.ctx) as ctx, {$counter} " . $fromcnt . ",alienvault.plugin " . $where . " AND plugin.id=acid_event.plugin_id\n GROUP BY plugin.product_type,ctx " . $sort_sql[1];
    $_SESSION['_siem_plugins_query'] = "SELECT plugin_sid.name as sig_name,timestamp\n {$fromplg}, alienvault.plugin " . $where . " AND acid_event.plugin_id=plugin.id AND plugin.product_type=PLUGIN_ID AND acid_event.ctx=UNHEX('DID')\n ORDER BY timestamp DESC LIMIT 1";
} else {
    $sql = "SELECT plugin.product_type, device_id as ctx, {$counter} " . $fromcnt . ",device,alienvault.plugin " . $where . " AND device.id=acid_event.device_id AND plugin.id=acid_event.plugin_id\n GROUP BY plugin.product_type,device_id " . $sort_sql[1];
    $_SESSION['_siem_plugins_query'] = "SELECT plugin_sid.name as sig_name,timestamp\n {$fromplg}, alienvault.plugin " . $where . " AND acid_event.plugin_id=plugin.id AND plugin.product_type=PLUGIN_ID AND acid_event.device_id=DID\n ORDER BY timestamp DESC LIMIT 1";
}
//echo $sql;
// Debug hook: while /tmp/debug_siem exists, the full statistics query
// (including whatever criteria $where carries) is appended to the fixed
// path /tmp/siem. A hard-coded file in a shared, world-writable directory
// leaks query contents to other local users and is a classic symlink-abuse
// target; this should be disabled in production builds, or at least gated
// on a config setting and written under a directory private to the web user.
if (file_exists('/tmp/debug_siem')) {
    file_put_contents("/tmp/siem", "STATS PTYPES:{$sql}\n" . $_SESSION['_siem_plugins_query'] . "\n", FILE_APPEND);
}
/* Run the Query again for the actual data (with the LIMIT) */
function DisplayProcessing() { global $self; global $ListNOption; global $TopNOption; global $OutputFormatOption; global $IPStatOption; global $IPStatOrder; global $LimitScale; require_once 'av_init.php'; $geoloc = new Geolocation("/usr/share/geoip/GeoLiteCity.dat"); $db_aux = new ossim_db(); $conn_aux = $db_aux->connect(); $aux_ri_interfaces = Remote_interface::get_list($conn_aux, "WHERE status = 1"); $ri_list = $aux_ri_interfaces[0]; $ri_total = $aux_ri_interfaces[1]; $ri_data = array(); if ($ri_total > 0) { foreach ($ri_list as $r_interface) { $ri_data[] = array("name" => $r_interface->get_name(), "id" => "web_interfaces", "target" => "_blank", "url" => $r_interface->get_ip()); } } $type = $detail_opts['type'] == "flows" ? 0 : ($detail_opts['type'] == "packets" ? 1 : 2); if ($ri_total >= 0) { echo '<a name="processing"></a>'; } $detail_opts = $_SESSION['detail_opts']; $process_form = $_SESSION['process_form']; ?> <table style='width:100%;margin-top:15px;margin-bottom:5px;border:none'><tr> <td class='nobborder'><b><?php echo _("Netflow Processing"); ?> </b></td> <td class='noborder nfsen_menu'> <a href='javascript:lastsessions()'><?php echo _("List last 500 sessions"); ?> </a> | <a href='javascript:launch("2","<?php echo $type; ?> ")'><?php echo _("Top 10 Src IPs"); ?> </a> | <a href='javascript:launch("3","<?php echo $type; ?> ")'><?php echo _("Top 10 Dst IPs"); ?> </a> | <a href='javascript:launch("5","<?php echo $type; ?> ")'><?php echo _("Top 10 Src Port"); ?> </a> | <a href='javascript:launch("6","<?php echo $type; ?> ")'><?php echo _("Top 10 Dst Port"); ?> </a> | <a href='javascript:launch("13","<?php echo $type; ?> ")'><?php echo _("Top 10 Proto"); ?> </a> </td></tr></table> <form action="<?php echo $self; ?> " onSubmit="return ValidateProcessForm()" id="FlowProcessingForm" method="POST" laction="<?php echo $self; ?> "> <?php if (preg_match("/^\\d+\$/", $_SESSION['tend'])) { ?> <input type="hidden" name="tend" value="<?php echo intval($_SESSION['tend']); 
?> " /> <?php } if (preg_match("/^\\d+\$/", $_SESSION['tleft'])) { ?> <input type="hidden" name="tleft" value="<?php echo intval($_SESSION['tleft']); ?> " /> <?php } if (preg_match("/^\\d+\$/", $_SESSION['tright'])) { ?> <input type="hidden" name="tright" value="<?php echo intval($_SESSION['tright']); ?> " /> <?php } if ($_SESSION["detail_opts"]["cursor_mode"] != "") { ?> <input type="hidden" name="cursor_mode" value="<?php echo Util::htmlentities($_SESSION["detail_opts"]["cursor_mode"]); ?> " /> <?php } if ($_SESSION["detail_opts"]["wsize"] != "") { ?> <input type="hidden" name="wsize" value="<?php echo Util::htmlentities($_SESSION["detail_opts"]["wsize"]); ?> " /> <?php } if ($_SESSION["detail_opts"]["logscale"] != "") { ?> <input type="hidden" name="logscale" value="<?php echo Util::htmlentities($_SESSION["detail_opts"]["logscale"]); ?> " /> <?php } if ($_SESSION["detail_opts"]["linegraph"] != "") { ?> <input type="hidden" name="linegraph" value="<?php echo Util::htmlentities($_SESSION["detail_opts"]["linegraph"]); ?> " /> <?php } ?> <input type="hidden" name="login" value="<?php echo Util::htmlentities($_SESSION["_remote_login"]); ?> " /> <table class='nfsen_filters'> <tr> <th class="thold"><?php echo _("Source"); ?> </th> <th class="thold"><?php echo _("Filter"); ?> </th> <th class="thold"><?php echo _("Options"); ?> </th> </tr> <tr> <td style='vertical-align:top'> <select name="srcselector[]" id='SourceSelector' size="6" style="width: 100%" multiple='multiple'> <?php foreach ($process_form['srcselector'] as $selected_channel) { $_tmp[$selected_channel] = 1; } $i = 0; foreach ($_SESSION['profileinfo']['channel'] as $channel) { $channel_name = $channel['name']; $checked = array_key_exists($channel['id'], $_tmp) ? 'selected' : ''; echo "<OPTION value='" . Util::htmlentities($channel['id']) . 
"' {$checked}>{$channel_name}</OPTION>\n"; } ?> </select> <div style='margin: 5px auto'> <input class="small av_b_secondary" type="button" name="JSbutton2" value="All Sources" onClick="SelectAllSources()"/> </div> </td> <td style="vertical-align:top;"> <textarea name="filter" id="filter" multiline="true" wrap="phisical" rows="6" cols="50" maxlength="10240"><?php if (is_array($process_form)) { $display_filter = array_key_exists('editfilter', $process_form) ? $process_form['editfilter'] : $process_form['filter']; } else { $display_filter = array(); } if (count($display_filter) < 1 && GET('ip') != "" && GET('ip2') != "") { $display_filter[0] = "(src ip " . GET('ip') . " and dst ip " . GET('ip2') . ") or (src ip " . GET('ip2') . " and dst ip " . GET('ip') . ")"; } elseif (count($display_filter) < 1 && GET('ip') != "") { $display_filter[0] = "src ip " . GET('ip') . " or dst ip " . GET('ip'); } elseif (preg_match("/(\\d+\\.\\d+\\.\\d+\\.\\d+)/", $display_filter[0]) && GET('ip') != "" && GET('ip2') != "") { $ip1 = GET('ip'); $ip2 = GET('ip2'); $filter = "(src ip {$ip1} and dst ip {$ip2}) or (src ip {$ip2} and dst ip {$ip1})"; $display_filter[0] = preg_replace("/\\(src ip \\d+\\.\\d+\\.\\d+\\.\\d+ and dst ip \\d+\\.\\d+\\.\\d+\\.\\d+\\) or \\(src ip \\d+\\.\\d+\\.\\d+\\.\\d+ and dst ip \\d+\\.\\d+\\.\\d+\\.\\d+\\)/", $filter, $display_filter[0]); $display_filter[0] = preg_replace("/src ip \\d+\\.\\d+\\.\\d+\\.\\d+ or dst ip \\d+\\.\\d+\\.\\d+\\.\\d+/", $filter, $display_filter[0]); } elseif (preg_match("/(\\d+\\.\\d+\\.\\d+\\.\\d+)/", $display_filter[0]) && GET('ip') != "") { $filter = "src ip " . GET('ip') . " or dst ip " . 
GET('ip'); $display_filter[0] = preg_replace("/\\(src ip \\d+\\.\\d+\\.\\d+\\.\\d+ and dst ip \\d+\\.\\d+\\.\\d+\\.\\d+\\) or \\(src ip \\d+\\.\\d+\\.\\d+\\.\\d+ and dst ip \\d+\\.\\d+\\.\\d+\\.\\d+\\)/", $filter, $display_filter[0]); $display_filter[0] = preg_replace("/src ip \\d+\\.\\d+\\.\\d+\\.\\d+ or dst ip \\d+\\.\\d+\\.\\d+\\.\\d+/", $filter, $display_filter[0]); } foreach ($display_filter as $line) { print str_replace("&", "&", Util::htmlentities(stripslashes($line))) . "\n"; } ?> </textarea> <?php $deletefilter_display_style = is_array($process_form) && array_key_exists('editfilter', $process_form) ? '' : 'style="display:none;"'; ?> <input type="image" name="filter_delete" id="filter_delete" title="<?php echo _("Delete filter"); ?> " align="right" onClick="HandleFilter(3)" value="" src="icons/trash.png" <?php echo $deletefilter_display_style; ?> > <!-- <input type="image" name="filter_save" id="filter_save" title="Save filter" align="right" onClick="HandleFilter(2)" value="" src="icons/save.png"> --> <input type="hidden" name="filter_name" id="filter_name" value="none"> <div style='margin: 5px auto'> <span id="filter_span">and</span> <select name="DefaultFilter" id="DefaultFilter" onChange="HandleFilter(0)" size="1"> <?php print "<option value='-1' label='none'><none></option>\n"; foreach ($_SESSION['DefaultFilters'] as $name) { $checked = $process_form['DefaultFilter'] == $name ? 'selected' : ''; print "<option value='" . Util::htmlentities($name) . "' {$checked}>" . Util::htmlentities($name) . 
"</option>\n"; } $editfilter_display_style = 'style="display:none;"'; foreach ($_SESSION['DefaultFilters'] as $name) { if ($process_form['DefaultFilter'] == $name) { $editfilter_display_style = ''; } } ?> </select> <input type="image" name="filter_save" id="filter_save" title="<?php echo _("Save filter"); ?> " onClick="HandleFilter(2)" value="" src="icons/save.png" border="0" align="absmiddle"> <input type="image" name="filter_edit" id="filter_edit" title="Edit filter" <?php echo $editfilter_display_style; ?> onClick="HandleFilter(1)" value="" src="icons/edit.png"> </div> <script language="Javascript" type="text/javascript"> var DefaultFilters = new Array(); <?php foreach ($_SESSION['DefaultFilters'] as $name) { print "DefaultFilters.push('" . Util::htmlentities($name) . "');\n"; } if (array_key_exists('editfilter', $process_form)) { print "edit_filter = '" . Util::htmlentities($process_form['DefaultFilter']) . "';\n"; } ?> </script> </td> <!-- Options start here --> <td style='padding: 0px;vertical-align:top;border:none;'> <table border="0" id="ProcessOptionTable" style="font-size:14px;font-weight:bold;width:100%;border:none"> <tr> <td class='TDnfprocLabel' style='white-space:nowrap'> <?php $i = 0; foreach (array('List Flows', 'Stat TopN') as $s) { $checked = $process_form['modeselect'] == $i ? 'checked' : ''; print "<input type='radio' onClick='SwitchOptionTable({$i})' name='modeselect' id='modeselect{$i}' value='{$i}' {$checked}>{$s} "; $i++; } $list_display_style = $process_form['modeselect'] == 0 ? '' : 'style="display:none;"'; $stat_display_style = $process_form['modeselect'] == 0 ? 'style="display:none;"' : ''; $formatselect_display_opts = $process_form['modeselect'] == 1 && $process_form['stattype'] != 0 ? 
'style="display:none;"' : ''; ?> </td> <td class='TDnfprocControl' > <table class='noborder' style='margin: auto;'> <tr> <td class='nobborder'><input class="small av_b_secondary" type="button" name="JSbutton1" value="<?php echo _("Clear Form"); ?> " onClick="ResetProcessingForm()"/></td> <td class='nobborder'><input class="small" type="submit" name="process" value="<?php echo _("Process"); ?> " id="process_button" onClick="clean_remote_data();form_ok=true;" size="1"/></td> <?php if (count($RemoteInterfacesData) > 0 && !isset($_POST['login'])) { ?> <td class='nobborder'><input type="button" name="remote_process" value="<?php echo _("Remote Process"); ?> " id="remote_process_button" onclick="$('#rinterfaces').toggle()"/> <div id='container_rmp' style='position:relative;'> <div id="rinterfaces" style="position:absolute; top:0; right:0;display:none; margin:1px 0px 0px 2px; text-align:right;"> <?php foreach ($RemoteInterfacesData as $data) { $short_name = strlen($data['name']) > 12 ? substr($data['name'], 0, 12) . "..." : $data['name']; ?> <input type="button" onclick="remote_interface('<?php echo $data["url"]; ?> ')" style="width:180px; font-size: 11px;" title="<?php echo $data["name"] . " [" . $data["url"] . "]"; ?> " value="<?php echo $short_name . " [" . $data["url"] . "]"; ?> "/><br /> <?php } ?> </div> </div> </td> <?php } ?> </tr> </table> </td> </tr> <tr id="listNRow" <?php echo $list_display_style; ?> > <td class='TDnfprocLabel'><?php echo _("Limit to"); ?> :</td> <td class='TDnfprocControl'> <select name="listN" id="listN" style="margin-left:1" size="1"> <?php for ($i = 0; $i < count($ListNOption); $i++) { $checked = $process_form['listN'] == $i ? 'selected' : ''; print "<OPTION value='{$i}' {$checked}>" . $ListNOption[$i] . 
"</OPTION>\n"; } ?> </select><?php echo _("Flows"); ?> <br> </td> </tr> <tr id="topNRow" <?php echo $stat_display_style; ?> > <td class='TDnfprocLabel'><?php echo _("Top"); ?> :</td> <td class='TDnfprocControl'> <select name="topN" id="TopN" size="1"> <?php for ($i = 0; $i < count($TopNOption); $i++) { $checked = $process_form['topN'] == $i ? 'selected' : ''; print "<OPTION value='{$i}' {$checked}>" . $TopNOption[$i] . "</OPTION>\n"; } ?> </select> </td> </tr> <tr id="stattypeRow" <?php echo $stat_display_style; ?> > <td class="TDnfprocLabel"><?php echo _("Stat"); ?> :</td> <td class="TDnfprocControl"> <select name="stattype" id="StatTypeSelector" onChange="ShowHideOptions()" size="1"> <?php for ($i = 0; $i < count($IPStatOption); $i++) { $checked = $process_form['stattype'] == $i ? 'selected' : ''; print "<OPTION value='{$i}' {$checked}>" . $IPStatOption[$i] . "</OPTION>\n"; } ?> </select> order by <select name='statorder' id="statorder" size='1'> <?php for ($i = 0; $i < count($IPStatOrder); $i++) { $checked = $process_form['statorder'] == $i ? 'selected' : ''; print "<OPTION value='{$i}' {$checked}>" . $IPStatOrder[$i] . 
"</OPTION>\n"; } ?> </select> </td> </tr> <tr id="AggregateRow" <?php echo $formatselect_display_opts; ?> > <td class='TDnfprocLabel'><?php echo _("Aggregate"); ?> </td> <td class='TDnfprocControl'> <input type="checkbox" name="aggr_bidir" id="aggr_bidir" value="checked" onClick="ToggleAggregate();" style="margin-left:1" <?php echo Util::htmlentities($process_form['aggr_bidir']); ?> > <?php echo _("bi-directional"); ?> <br> <input type="checkbox" name="aggr_proto" id="aggr_proto" value="checked" style="margin-left:1" <?php echo Util::htmlentities($process_form['aggr_proto']); ?> > <?php echo _("proto"); ?> <br> <input type="checkbox" name="aggr_srcport" id="aggr_srcport" value="checked" style="margin-left:1" <?php echo Util::htmlentities($process_form['aggr_srcport']); ?> > <?php echo _("srcPort"); ?> <input type="checkbox" name="aggr_srcip" id="aggr_srcip" value="checked" style="margin-left:1" <?php echo Util::htmlentities($process_form['aggr_srcip']); ?> > <select name="aggr_srcselect" id="aggr_srcselect" onChange="NetbitEntry('src')" size="1"> <?php $i = 0; foreach (array('srcIP', 'srcIPv4/', 'srcIPv6/') as $s) { $checked = $process_form['aggr_srcselect'] == $i ? 'selected' : ''; print "<option value='{$i}' {$checked}>{$s}</option>\n"; $i++; } $_style = $process_form['aggr_srcselect'] == 0 ? 
'style="display:none"' : ''; ?> </select> <input size="3" type="text" name="aggr_srcnetbits" id="aggr_srcnetbits" value="<?php echo Util::htmlentities($process_form['aggr_srcnetbits']); ?> " <?php echo $_style; ?> ><br> <input type="checkbox" name="aggr_dstport" id="aggr_dstport" value="checked" style="margin-left:1" <?php echo Util::htmlentities($process_form['aggr_dstport']); ?> > <?php echo _("dstPort"); ?> <input type="checkbox" name="aggr_dstip" id="aggr_dstip" value="checked" style="margin-left:1" <?php echo Util::htmlentities($process_form['aggr_dstip']); ?> > <select name="aggr_dstselect" id="aggr_dstselect" onChange="NetbitEntry('dst')" size="1"> <?php $i = 0; foreach (array('dstIP', 'dstIPv4/', 'dstIPv6/') as $s) { $checked = $process_form['aggr_dstselect'] == $i ? 'selected' : ''; print "<option value='{$i}' {$checked}>{$s}</option>\n"; $i++; } $_style = $process_form['aggr_dstselect'] == 0 ? 'style="display:none"' : ''; ?> </select> <input size="3" type="text" name="aggr_dstnetbits" id="aggr_dstnetbits" value="<?php echo Util::htmlentities($process_form['aggr_dstnetbits']); ?> " <?php echo $_style; ?> ><br> </td> </tr> <tr id="timesortedRow" <?php echo $list_display_style; ?> > <td class='TDnfprocLabel'><?php echo _("Sort"); ?> :</td> <td class='TDnfprocControl'> <input type="checkbox" name="timesorted" id="timesorted" value="checked" style="margin-left:1" <?php echo Util::htmlentities($process_form['timesorted']); ?> > <?php echo _("start time of flows"); ?> </td> </tr> <tr id="limitoutputRow" <?php echo $stat_display_style; ?> > <td class='TDnfprocLabel'><?php echo _("Limit"); ?> :</td> <td class='TDnfprocControl'> <input type="checkbox" name="limitoutput" id="limitoutput" value="checked" style="margin-left:1" size="1" <?php echo Util::htmlentities($process_form['limitoutput']); ?> > <select name="limitwhat" id="limitwhat" size="1"> <?php $i = 0; foreach (array(gettext("Packets"), gettext("Traffic")) as $s) { $checked = $process_form['limitwhat'] == 
$i ? 'selected' : ''; print "<option value='{$i}' {$checked}>{$s}</option>\n"; $i++; } ?> </select> <select name="limithow" id="limithow" size="1"> <?php $i = 0; foreach (array('>', '<') as $s) { $checked = $process_form['limithow'] == $i ? 'selected' : ''; print "<option value='{$i}' {$checked}>{$s}</option>\n"; $i++; } ?> </select> <input type="text" name="limitsize" id="limitsize" value="<?php echo Util::htmlentities($process_form['limitsize']); ?> " SIZE="6" MAXLENGTH="8"> <select name="limitscale" id="limitscale" size="1" style="margin-left:1"> <?php $i = 0; foreach ($LimitScale as $s) { $checked = $process_form['limitscale'] == $i ? 'selected' : ''; print "<option value='{$i}' {$checked}>{$s}</option>\n"; $i++; } ?> </select> </td> </tr> <tr id="outputRow"> <td class='TDnfprocLabel'><?php echo _("Output"); ?> :</td> <td class='TDnfprocControl'> <span id="FormatSelect" <?php echo $formatselect_display_opts; ?> > <select name="output" id="output" onChange="CustomOutputFormat()" style="margin-left:1" size="1"> <?php foreach ($_SESSION['formatlist'] as $key => $value) { $checked = $process_form['output'] == $key ? 'selected' : ''; print "<OPTION value='" . Util::htmlentities($key) . "' {$checked}>" . Util::htmlentities($key) . "</OPTION>\n"; } $fmt = $_SESSION['formatlist'][$process_form['output']]; if ($process_form['output'] == $fmt) { // built in format $space_display_style = ''; $edit_display_style = 'style="display:none"'; } else { $space_display_style = 'style="display:none"'; $edit_display_style = ''; } ?> </select> <script language="Javascript" type="text/javascript"> var fmts = new Hash(); <?php foreach ($_SESSION['formatlist'] as $key => $value) { print "fmts.setItem('" . Util::htmlentities($key) . "', '" . Util::htmlentities($value) . 
"');\n"; } ?> </script> <img src="icons/space.png" border="0" alt='space' id='space' <?php echo $space_display_style; ?> /> <a href="#null" onClick="EditCustomFormat()" title="<?php echo _("Edit format"); ?> " ><IMG SRC="icons/edit.png" name="fmt_doedit" id="fmt_doedit" border="0" <?php echo $edit_display_style; ?> alt="Edit format"></a> </span> <input type="checkbox" name="IPv6_long" id="IPv6_long" style="margin-left:1" value="checked" <?php echo Util::htmlentities($process_form['IPv6_long']); ?> > / <?php echo _("IPv6 long"); ?> <?php $fmt_edit_display_style = $process_form['output'] == 'custom ...' ? '' : 'style="display:none"'; ?> <span id="fmt_edit" <?php echo $fmt_edit_display_style; ?> > <br><?php echo _("Enter custom output format"); ?> :<br> <input size="30" type="text" name="customfmt" id="customfmt" value="<?php echo Util::htmlentities($process_form['customfmt']); ?> " > <input type="image" name="fmt_save" id="fmt_save" title="<?php echo _("Save format"); ?> " onClick="SaveOutputFormat()" value="" src="icons/save.png"> <input type="image" name="fmt_delete" id="fmt_delete" title="<?php echo _("Delete format"); ?> " onClick="DeleteOutputFormat()" value="" src="icons/trash.png" <?php echo $edit_display_style; ?> > </span> </td> </tr> </table> </td> </tr> <!-- <tr> <td></td><td></td> <td align="right" style="border:none"> <input type="button" name="JSbutton1" value="<?php echo _("Clear Form"); ?> " onClick="ResetProcessingForm()"> <input type="submit" name="process" value="<?php echo _("process"); ?> " id="process_button" onClick="form_ok=true;" size="1"> </td> </tr> --> </table> </form> <div id="lookupbox"> <div id="lookupbar" align="right" style="background-color:olivedrab"><img src="icons/close.png" onmouseover="this.style.cursor='pointer';" onClick="hidelookup()" title="Close lookup box"></div> <iframe id="cframe" src="" frameborder="0" scrolling="auto" width="100%" height="166"></iframe> </div> <?php if (!array_key_exists('run', $_SESSION)) { return; } 
print "<div class='flowlist'>\n"; $run = $_SESSION['run']; if ($run != null) { $filter = $process_form['filter']; if ($process_form['DefaultFilter'] != -1) { $cmd_opts['and_filter'] = $process_form['DefaultFilter']; } $cmd_opts['type'] = ($_SESSION['profileinfo']['type'] & 4) > 0 ? 'shadow' : 'real'; $cmd_opts['profile'] = $_SESSION['profileswitch']; $cmd_opts['srcselector'] = implode(':', $process_form['srcselector']); #print "<pre>\n"; $patterns = array(); $replacements = array(); $patterns[0] = '/(\\s*)([^\\s]+)/'; $replacements[0] = "\$1<a href='#null' onClick='lookup(\"\$2\", this, event)' title='lookup \$2'>\$2</a>"; // gets HAP4NfSens plugin id. returns -1 if HAP4NfSen is not installed. function getHAP4NfSenId() { $plugins = GetPlugins(); for ($i = 0; $i < count($plugins); $i++) { $plugin = $plugins[$i]; if ($plugin == "HAP4NfSen") { return $i; } } return -1; } ClearMessages(); $cmd_opts['args'] = "-T {$run}"; $cmd_opts['filter'] = $filter; $titcol = get_tit_col($run); $cmd_out = nfsend_query("run-nfdump", $cmd_opts); if (!is_array($cmd_out)) { ShowMessages(); } else { $conf = $GLOBALS["CONF"]; $solera = $conf->get_conf("solera_enable", FALSE) ? 
true : false; $db = new ossim_db(); $conn = $db->connect(); $sensors = $hosts = $ossim_servers = array(); $tz = Util::get_timezone(); list($hosts, $host_ids) = Asset_host::get_basic_list($conn, array(), TRUE); $entities = Session::get_all_entities($conn); $_sensors = Av_sensor::get_basic_list($conn); foreach ($_sensors as $s_id => $s) { $sensors[$s['ip']] = $s['name']; } /*$hap4nfsen_id = getHAP4NfSenId(); if ($hap4nfsen_id >= 0) { // ICMP "port" filter are no currently supported by the HAP4NfSen plugin function isChecked(&$form, $name) { // helper function used to find out, if an option is checked return $form[$name]=="checked"; } $ip_and_port_columns = preg_match('/(flow records)/i', $IPStatOption[$process_form['stattype']]) && ((isChecked($process_form,'aggr_srcip') && isChecked($process_form,'aggr_srcport')) || (isChecked($process_form,'aggr_dstip') && isChecked($process_form,'aggr_dstport'))); $ip_contains_port = $_SESSION["process_form"]["modeselect"]=='0' || !preg_match('/[ip|flow_records]/i', $IPStatOption[$process_form['stattype']]) || (preg_match('/(flow records)/i', $IPStatOption[$process_form['stattype']]) && !( // no boxes checked isChecked($process_form,'aggr_srcip') || isChecked($process_form,'aggr_srcport') || isChecked($process_form,'aggr_dstip') || isChecked($process_form,'aggr_dstport'))); $_SESSION["plugin"][$hap4nfsen_id]["cmd_opts"] = $cmd_opts; $hap_pic = "<img src=\"plugins/HAP4NfSen/graphviz.png\" valign=\"middle\" border=\"0\" alt=\"HAP\" />"; $default_pattern = array_pop($patterns); $default_replacement = array_pop($replacements); if ($ip_contains_port) { // matches cases like ip:port $max_prot_length = 5; // max. 
port length = 5 chars(highest port number = 65535) for ($i=$max_prot_length;$i>=1;$i--) { $diff = ($max_prot_length-$i); // difference between actual and max port length $ip_port_pattern_icmp = "/(\s*)([^\s|^:]+)(:)(0\s{4}|\d\.\d\s{2}|\d{2}\.\d\|\d\.\d{2}\s|\d{2}\.\d{2})/"; $ip_port_pattern_normal = "/(\s*)([^\s|^:]+)(:)([\d|\.]{{$i}})(\s{{$diff}})/"; $spaces = ''; for ($k=0;$k<$diff;$k++) {$spaces = $spaces . ' ';} // spaces required to align hap viewer icons array_push($patterns, $ip_port_pattern_icmp); array_push($replacements, $default_replacement . "$3$4 <a href=\"nfsen.php?tab=5&sub_tab=" . $hap4nfsen_id . "&ip=$2&mode=new\" title='HAP graphlet for $2'>$hap_pic</a> "); array_push($patterns, $ip_port_pattern_normal); array_push($replacements, $default_replacement . "$3$4$spaces <a href=\"nfsen.php?tab=5&sub_tab=" . $hap4nfsen_id . "&ip=$2&port=$4&mode=new\" title='HAP graphlet for $2 on port $4'>$hap_pic</a> "); } array_push($patterns, '/(\sIP\sAddr:Port)/i'); array_push($replacements, "$1 $hap_pic"); } else { if ($ip_and_port_columns) { // matches cases when both ip and port are available but are located in separate columns // ICMP verion $ip_and_port_pattern = "/(\s*)([^\s]+)(\s+)(0|\d\.\d)/"; $ip_and_port_replacement = "$1$2$3$4 " . "<a href=\"nfsen.php?tab=5&sub_tab=" . $hap4nfsen_id . "&ip=$2&mode=new\" title='HAP graphlet for $2'>$hap_pic</a>"; array_push($patterns, $ip_and_port_pattern); array_push($replacements, $ip_and_port_replacement); // non-ICMP version with port filter $ip_and_port_pattern = "/(\s*)([^\s]+)(\s*)([\d|.]+)/"; $ip_and_port_replacement = "$1$2$3$4 " . "<a href=\"nfsen.php?tab=5&sub_tab=" . $hap4nfsen_id . 
"&ip=$2&port=$4&mode=new\" title='HAP graphlet for $2 on port $4'>$hap_pic</a>"; array_push($patterns, $ip_and_port_pattern); array_push($replacements, $ip_and_port_replacement); array_push($patterns, '/(\s\s(Src\sIP\sAddr\s*Src\sPt|Dst\sIP\sAddr\s*Dst\sPt))/i'); array_push($replacements, "$1 $hap_pic"); } else { // matches all other cases array_push($patterns, $default_pattern); array_push($replacements, $default_replacement . " <a href=\"nfsen.php?tab=5&sub_tab=" . $hap4nfsen_id . "&ip=$2&mode=new\" title='HAP graphlet for $2'>$hap_pic</a>"); array_push($patterns, '/(\s(|\s(Src|Dst))\sIP\sAddr)/i'); array_push($replacements, "$1 $hap_pic"); } } } if ( array_key_exists('arg', $cmd_out) ) { print "** nfdump " . $cmd_out['arg'] . "\n"; } if ( array_key_exists('filter', $cmd_out) ) { print "nfdump filter:\n"; foreach ( $cmd_out['filter'] as $line ) { print "$line\n"; } } foreach ( $cmd_out['nfdump'] as $line ) { print preg_replace($patterns, $replacements, $line) . "\n"; }*/ # parse command line #2009-12-09 17:08:17.596 40.262 TCP 192.168.1.9:80 -> 217.126.167.80:51694 .AP.SF 0 70 180978 1 35960 2585 1 $list = preg_match("/\\-o extended/", $cmd_out['arg']) ? 1 : 0; $regex = $list ? "/(\\d\\d\\d\\d\\-.*?\\s.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+->\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?\\s*[KMG]?)\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+(.*)/" : "/(\\d\\d\\d\\d\\-.*?\\s.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?\\s*[KMGT]?)\\s+(.*?)\\s+(.*?)\\s+(.*)/"; echo '<div class="nfsen_list_title">' . _('Flows Info') . 
'</div>'; echo "<table class='table_list'>"; $geotools = false; if ($list && file_exists("../kml/GoogleEarth.php")) { $geotools = true; $geoips = array(); $geotools_src = " <a href='' onclick='window.open(\"../kml/TourConfig.php?type=ip_src&ip=&flows=1\",\"Flows sources - Goggle Earth API\",\"width=1024,height=700,scrollbars=NO,toolbar=1\");return false'><img align='absmiddle' src='../pixmaps/google_earth_icon.png' border='0'></a> <a href='' onclick='window.open(\"../kml/IPGoogleMap.php?type=ip_src&ip=&flows=1\",\"Flows sources - Goggle Maps API\",\"width=1024,height=700,scrollbars=NO,toolbar=1\");return false'><img align='absmiddle' src='../pixmaps/google_maps_icon.png' border='0'></a>"; $geotools_dst = " <a href='' onclick='window.open(\"../kml/TourConfig.php?type=ip_dst&ip=&flows=1\",\"Flows destinations - Goggle Earth API\",\"width=1024,height=700,scrollbars=NO,toolbar=1\");return false'><img align='absmiddle' src='../pixmaps/google_earth_icon.png' border='0'></a> <a href='' onclick='window.open(\"../kml/IPGoogleMap.php?type=ip_dst&ip=&flows=1\",\"Flows destinations - Goggle Maps API\",\"width=1024,height=700,scrollbars=NO,toolbar=1\");return false'><img align='absmiddle' src='../pixmaps/google_maps_icon.png' border='0'></a>"; } echo $list ? "\n \n <tr>\n <th>" . _("Date flow start") . "<br><span style='font-size:8px'>" . Util::timezone($tz) . "</style></th>\n <th>" . _("Duration") . "</th>\n <th>" . _("Proto") . "</th>\n <th>" . _("Src IP Addr:Port") . "{$geotools_src}</th>\n <th>" . _("Dst IP Addr:Port") . "{$geotools_dst}</th>\n <th>" . _("Flags") . "</th>\n <th>" . _("Tos") . "</th>\n <th>" . _("Packets") . "</th>\n <th>" . _("Bytes") . "</th>\n <th>" . _("pps") . "</th>\n <th>" . _("bps") . "</th>\n <th>" . _("Bpp") . "</th>\n <th>" . _("Flows") . "</th>\n \t" . ($solera ? "<th></th>" : "") . "\n </tr>" : "<tr>\n <th>" . _("Date flow seen") . "<br><span style='font-size:8px'>" . Util::timezone($tz) . "</style></th>\n <th>" . _("Duration") . 
"</th>\n <th>" . _("Proto") . "</th>\n <th>" . $titcol . "</th>\n <th>" . _("Flows") . "(%)</th>\n <th>" . _("Packets") . "(%)</th>\n <th>" . _("Bytes") . "(%)</th>\n <th>" . _("pps") . "</th>\n <th>" . _("bps") . "</th>\n <th>" . _("Bpp") . "</th>\n \t" . ($solera ? "<th></th>" : "") . "\n </tr>"; $status = $errors = array(); $rep = new Reputation(); //print_r($cmd_out['arg']); //print_r($cmd_out['nfdump']); foreach ($cmd_out['nfdump'] as $k => $line) { #capture status if (preg_match("/^(Summary|Time window|Total flows processed|Sys)\\:/", $line, $found)) { $status[$found[1]] = str_replace($found[1] . ":", "", $line); } # capture errors if (preg_match("/ error /i", $line, $found)) { if (preg_match("/stat\\(\\) error/i", $line)) { $errors[] = _('The netflow information you are trying to access either has not been processed yet or does not exist. Please check your date filters.'); Av_exception::write_log(Av_exception::USER_ERROR, $line); } else { $errors[] = $line; } } # print results $line = preg_replace("/\\(\\s(\\d)/", "(\\1", $line); // Patch for ( 0.3) $line = preg_replace("/(\\d)\\s*([KMGT])/", "\\1\\2", $line); // Patch for 1.2 M(99.6) $line = preg_replace("/(\\d+)(TCP|UDP|ICMP|IGMP)\\s/", "\\1 \\2 ", $line); // Patch for 9.003TCP $start = $end = $proto = ""; $ips = $ports = array(); if (preg_match($regex, preg_replace('/\\s*/', ' ', $line), $found)) { echo "<tr class='tr_flow_data'>\n"; foreach ($found as $ki => $field) { if ($ki > 0) { $wrap = $ki == 1 ? 
"nowrap" : ""; $field = Util::htmlentities(preg_replace("/(\\:\\d+)\\.0\$/", "\\1", $field)); if (preg_match("/(\\d+\\.\\d+\\.\\d+\\.\\d+)(.*)/", $field, $fnd)) { # match ip (resolve and geolocalize) $ip = $fnd[1]; $port = $fnd[2]; list($name, $ctx, $host_id) = GetDataFromSingleIp($ip, $hosts); if ($name == "" && $sensors[$ip] != "") { $name = $sensors[$ip]; } $output = Asset_host::get_extended_name($conn, $geoloc, $ip, $ctx, $host_id, ''); $homelan = $output['is_internal'] || $name != "" && $name != $ip; $icon = $output['html_icon']; # reputation info if (!is_array($_SESSION["_repinfo_ips"][$ip])) { $_SESSION["_repinfo_ips"][$ip] = $rep->get_data_by_ip($ip); } $rep_icon = Reputation::getrepimg($_SESSION["_repinfo_ips"][$ip][0], $_SESSION["_repinfo_ips"][$ip][1], $_SESSION["_repinfo_ips"][$ip][2], $ip); $rep_bgcolor = Reputation::getrepbgcolor($_SESSION["_repinfo_ips"][$ip][0]); $style_aux = $homelan ? 'style="font-weight:bold"' : ''; $bold_aux1 = $homelan ? '<b>' : ''; $bold_aux2 = $homelan ? '<b>' : ''; $field = '<div id="' . $ip . ';' . Util::htmlentities($name) . ';' . $host_id . '" id2="' . $ip . ';' . $ip . '" ctx="' . $ctx . '" class="HostReportMenu">' . $icon . ' <a ' . $style_aux . ' href="javascript:;">' . Util::htmlentities($name) . '</a>' . $bold_aux1 . $port . $bold_aux2 . ' ' . $rep_icon . '</div>'; $wrap = "nowrap style='{$rep_bgcolor}'"; $ips[] = $ip; if ($geotools) { if ($ki == 4) { $geoips['ip_src'][$ip]++; } elseif ($ki == 5) { $geoips['ip_dst'][$ip]++; } } $ports[] = str_replace(":", "", $port); } if (preg_match("/(\\d+-\\d+-\\d+ \\d+:\\d+:\\d+)(.*)/", $field, $fnd)) { # match date $start = $end = $fnd[1]; $time = strtotime($fnd[1]); $field = Util::htmlentities(gmdate("Y-m-d H:i:s", $time + 3600 * $tz) . "." . 
$fnd[2]); } if (preg_match("/(TCP|UDP|ICMP|RAW)/", $field, $fnd)) { # match date $proto = strtolower($fnd[1]); } print "<td {$wrap}>{$field}</td>"; } } // solera deepsee integration if ($solera) { echo "<td><a href=\"javascript:;\" onclick=\"solera_deepsee('" . Util::htmlentities($start) . "','" . Util::htmlentities($end) . "','" . Util::htmlentities($ips[0]) . "','" . Util::htmlentities($ports[0]) . "','" . Util::htmlentities($ips[1]) . "','" . Util::htmlentities($ports[1]) . "','" . Util::htmlentities($proto) . "')\"><img src='/ossim/pixmaps/solera.png' border='0' align='absmiddle'></a></td>"; } echo "</tr>\n"; } } echo "</table>"; if ($geotools) { foreach ($geoips as $type => $list) { $ipsfile = fopen("/var/tmp/flowips_" . Session::get_session_user() . ".{$type}", "w"); foreach ($list as $ip => $val) { fputs($ipsfile, "{$ip}\n"); } fclose($ipsfile); } } #Summary: total flows: 20, total bytes: 7701, total packets: 133, avg bps: 60, avg pps: 0, avg bpp: 57 #Time window: 2009-12-10 08:21:30 - 2009-12-10 08:38:26 #Total flows processed: 21, Records skipped: 0, Bytes read: 1128 #Sys: 0.000s flows/second: 0.0 Wall: 0.000s flows/second: 152173.9 if (count($status) > 0) { echo "<table class='transparent' style='margin-bottom:5px;width:100%'>"; foreach ($status as $key => $line) { $line = preg_replace("/(Wall)\\:/", "<span class='th_summary'>\\1</span>", $line); $line = preg_replace("/\\,\\s+(.*?)\\:/", " <span class='th_summary'>\\1</span>", $line); echo "<tr>\n <td class='nobborder' style='padding: 4px;'>\n <span class='th_summary'>{$key}</span>\n {$line}\n </td>\n </tr>"; } echo "</table>"; } # stat() error '/home/dk/nfsen/profiles-data/live/device2/2009/12/10/nfcapd.200912100920': File not found! if (count($errors) > 0) { foreach ($errors as $line) { echo "<div class='details_error'>" . _("ERROR FOUND: ") . "{$line}</div>"; } } $conn->disconnect(); } #print "</pre>\n"; } print "</div>\n"; $db_aux->close(); $geoloc->close(); return; }
/* Sensor statistics page: apply the submitted result-set action, count rows, then build the per-sensor queries. $submit, $use_ac, $from, $from2, $where, $where1, $where2, $counter, $nevents and $tz are set up before this span. */ $qs->RunAction($submit, PAGE_STAT_SENSOR, $db); $et->Mark("Alert Action"); /* create SQL to get Unique Alerts */ /* Paginator count over the same $from / $where as the data query; both are concatenated raw into SQL and are assumed to hold validated criteria — confirm in the builder. */ $cnt_sql = "SELECT count(DISTINCT acid_event.device_id) " . $from . $where; /* Run the query to determine the number of rows (No LIMIT)*/ /* The unbounded count is skipped when $use_ac is set; NOTE(review): presumably the count is supplied by an accelerated path in that case — confirm. */ if (!$use_ac) { $qs->GetNumResultRows($cnt_sql, $db); } $et->Mark("Counting Result size"); /* Setup the Query Results Table */ /* $caller is appended to the results URL without encoding here; NOTE(review): presumably validated before links are generated from it — confirm. */ $qro = new QueryResultsOutput("base_stat_sensor.php?caller=" . $caller); $qro->AddTitle(" "); $qro->AddTitle(gettext("Sensor"), "sid_a", " ", " ORDER BY acid_event.device_id ASC", "sid_d", " ", " ORDER BY acid_event.device_id DESC"); $qro->AddTitle(gettext("Name"), "", " ", " ", "", " ", " "); $qro->AddTitle(gettext("Device IP"), "", " ", " ", "", " ", " "); $events_title = _("Events") . " # <span class='idminfo' txt='" . Util::timezone($tz) . "'>(*)</span>"; $qro->AddTitle($events_title, "occur_a", " ", " ORDER BY event_cnt ASC", "occur_d", " ", " ORDER BY event_cnt DESC"); /* The three unique-count columns are not sortable here; the sortable variants are kept commented out below. */ $qro->AddTitle(gettext("Unique Events"), "", "", "", "", "", ""); $qro->AddTitle(gettext("Unique Src."), "", "", "", "", "", ""); $qro->AddTitle(gettext("Unique Dst."), "", "", "", "", "", ""); /* $qro->AddTitle(gettext("Unique Events"), "sig_a", "", " ORDER BY sig_cnt ASC", "sig_d", "", " ORDER BY sig_cnt DESC"); $qro->AddTitle(gettext("Unique Src."), "saddr_a", "", " ORDER BY saddr_cnt ASC", "saddr_d", "", " ORDER BY saddr_cnt DESC"); $qro->AddTitle(gettext("Unique Dst."), "daddr_a", "", " ORDER BY daddr_cnt ASC", "daddr_d", "", " ORDER BY daddr_cnt DESC"); */ $sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), ""); /* Per-device result rows: device/sensor columns plus {$counter}, which is expected to alias event_cnt (the HAVING clause depends on it — confirm). $sql and $sql2 differ only in $where vs. $where2; consider building both from one template. */ $sql = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntoa(sensor.ip) AS sensor_ip, inet6_ntoa(device.device_ip) AS device_ip, device.interface, {$counter} " . $sort_sql[0] . $from . $where . " AND device.id=acid_event.device_id GROUP BY acid_event.device_id HAVING event_cnt>0 " . 
$sort_sql[1]; $sql2 = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntoa(sensor.ip) AS sensor_ip, inet6_ntoa(device.device_ip) AS device_ip, device.interface, {$counter} " . $sort_sql[0] . $from . $where2 . " AND device.id=acid_event.device_id GROUP BY acid_event.device_id HAVING event_cnt>0 " . $sort_sql[1]; /* Per-sensor detail counts (unique signatures / sources / destinations), stored in the session with the literal DEVICEID placeholder for later substitution. NOTE(review): the consumer must substitute a numeric device id only, since the value is spliced into SQL text — confirm. */ $sqlsensor = "SELECT " . $nevents . " as sig_cnt, count(distinct(acid_event.ip_src)) as saddr_cnt, count(distinct(acid_event.ip_dst)) as daddr_cnt" . $sort_sql[0] . $from2 . $where1 . " AND acid_event.device_id=DEVICEID"; $_SESSION['_siem_sensor_query'] = $sqlsensor; /* Debug switch keyed on the existence of /tmp/debug_siem, as on the other stat pages; the body of this if continues past the end of this span. */ if (file_exists('/tmp/debug_siem')) {
// 4- Timestamp //qroPrintEntry($myrow["timestamp"], "center"); /* Timestamp cell: $myrow['tzone'] is the offset stored with the event and $tz the viewer's offset. Both are multiplied by 3600 below, so they are assumed to be whole hours — confirm. get_utc_unixtime() first normalises the stored timestamp to a UTC epoch. */ $tzone = $myrow['tzone']; $event_date = $myrow['timestamp']; $tzdate = $event_date; $event_date_uut = get_utc_unixtime($db, $event_date); // Event date timezone if ($tzone != 0) { $event_date = gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tzone); } // Apply user timezone if ($tz != 0) { $tzdate = gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tz); } $cell_data['DATE'] = $tzdate; /* Tooltip shows the event's own local time only when it differs from both the stored value and the viewer-adjusted value; $event_date is HTML-escaped here. */ $cell_tooltip['DATE'] = $event_date == $myrow['timestamp'] || $event_date == $tzdate ? "" : _("Event date") . ": <b>" . Util::htmlentities($event_date) . "</b><br>" . _("Timezone") . ": <b>" . Util::timezone($tzone) . "</b>"; /* PDF variant breaks date and time onto two lines. */ $cell_pdfdata['DATE'] = str_replace(" ", "<br>", $tzdate); $cell_align['DATE'] = "center"; $cell_more['DATE'] = "nowrap"; // 5- Source IP Address /* Source IP cell; the block opened here continues past the end of this span. */ if ($current_sip32 != "") { // Src Data $src_output = Asset_host::get_extended_name($_conn, $geoloc, $current_sip, $ctx, $current_src_host, $myrow["src_net"]); $src_name = $src_output['name']; $homelan_src = $src_output['is_internal']; $src_img = $src_output['html_icon']; //$rep_src_icon = getrepimg($myrow["REP_PRIO_SRC"],$myrow["REP_REL_SRC"],$myrow["REP_ACT_SRC"],$current_sip); $rep_src_icon = ''; // Div for right click menu // Warning: ctx attribute could be src_ctx /* Right-click menu anchor. NOTE(review): $current_sip, $src_name, $current_src_host, $date_from_aux, $date_to_aux, $current_dip and $ctx are concatenated into attribute values without escaping on this line, unlike the tooltip above which uses Util::htmlentities(); $src_name in particular is an asset name returned by Asset_host::get_extended_name(). Confirm they are escaped upstream, or wrap them in Util::htmlentities() here. */ $div = '<div id="' . $current_sip . ';' . $src_name . ';' . $current_src_host . '" date_from="' . $date_from_aux . '" date_to="' . $date_to_aux . '" id2="' . $current_sip . ';' . $current_dip . '" ctx="' . $ctx . '" class="HostReportMenu">';