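function ExportPacket($sid, $cid, $db)
{
    /*
     * Build a plain-text dump of one event: a separator line, the
     * "#(sid - cid) [timestamp] signature" line, the IP header (with IP
     * options), the layer-4 header selected by iphdr.ip_proto (TCP with flag
     * letters and options, UDP, or ICMP) and finally the payload, or the
     * reason none is stored.
     *
     * $sid / $cid  sensor id and event id; numeric, spliced into the SQL below
     * $db          database wrapper providing baseExecute(), baseFetchRow(),
     *              baseRecordCount() and baseFreeRows()
     * Returns the assembled text.  Every result set opened here is freed
     * before returning, and a missing row in any table is reported in the
     * text instead of being dereferenced.
     */

    /* Every query below concatenates these ids straight into SQL (the sensor
       query even leaves sid unquoted).  Forcing them to integers first keeps
       the output and the lookups unchanged for numeric ids while guaranteeing
       nothing but digits can reach the query text. */
    $sid = (int) $sid;
    $cid = (int) $cid;
    $where = " WHERE sid='" . $sid . "' AND cid='" . $cid . "'";

    /* Formats $count option rows from an already-executed `opt` query.
       Columns used: 4 = option code (named via $toStr), 5 = length, 6 = data. */
    $formatOptions = function ($result, $count, $toStr) {
        $text = '';
        for ($i = 0; $i < $count; $i++) {
            $row = $result->baseFetchRow();
            $text .= " #" . ($i + 1) . " - " . $toStr($row[4]) . " len={$row[5]}";
            if ($row[5] != 0) {
                $text .= " data={$row[6]}";
            }
            $text .= "\n";
        }
        return $text;
    };

    $s = "------------------------------------------------------------------------------\n";

    /* Event: signature id (col 0) and timestamp (col 1) */
    $result2 = $db->baseExecute("SELECT signature, timestamp FROM acid_event" . $where);
    $eventRow = $result2->baseFetchRow();
    $result2->baseFreeRows();
    if (!$eventRow) {
        /* Nothing to describe; stop before querying the header tables. */
        return $s . "#({$sid} - {$cid}) event not found\r\n";
    }
    $s .= "#({$sid} - {$cid}) [{$eventRow[1]}] " . BuildSigByID($eventRow[0], $sid, $cid, $db, 2) . "\r\n";

    /* IP header; column 11 (ip_proto) decides which layer-4 section follows */
    $result2 = $db->baseExecute(
        "SELECT ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_csum, ip_proto"
        . " FROM iphdr" . $where
    );
    $ipRow = $result2->baseFetchRow();
    $result2->baseFreeRows();
    $layer4_proto = $ipRow ? $ipRow[11] : null;
    if ($ipRow && $ipRow[0] != "") {
        $s .= "IPv{$ipRow[2]}: " . baseLong2IP($ipRow[0]) . " -> " . baseLong2IP($ipRow[1]) . "\n"
            . " hlen={$ipRow[3]} TOS={$ipRow[4]} dlen={$ipRow[5]} ID={$ipRow[6]}"
            . " flags={$ipRow[7]} offset={$ipRow[8]} TTL={$ipRow[9]} chksum={$ipRow[10]}\n";

        /* opt_proto 0 = IP options */
        $result3 = $db->baseExecute("SELECT * FROM opt" . $where . " AND opt_proto='0'");
        $num_opt = $result3->baseRecordCount();
        if ($num_opt > 0) {
            $s .= " Options\n" . $formatOptions($result3, $num_opt, function ($code) {
                return IPOption2str($code);
            });
        }
        $result3->baseFreeRows();
    }

    /* TCP header; flags print one letter per bit, high bit first, '*' when clear */
    if ($layer4_proto == "6") {
        $result2 = $db->baseExecute(
            "SELECT tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, "
            . " tcp_csum, tcp_urp FROM tcphdr" . $where
        );
        $tcpRow = $result2->baseFetchRow();
        $result2->baseFreeRows();
        if ($tcpRow) {
            $flagLetters = [128 => '2', 64 => '1', 32 => 'U', 16 => 'A', 8 => 'P', 4 => 'R', 2 => 'S', 1 => 'F'];
            $s .= "TCP: port={$tcpRow[0]} -> dport: {$tcpRow[1]} flags=";
            foreach ($flagLetters as $bit => $letter) {
                $s .= (($tcpRow[6] & $bit) != 0) ? $letter : '*';
            }
            $s .= " seq={$tcpRow[2]}\n"
                . " ack={$tcpRow[3]} off={$tcpRow[4]} res={$tcpRow[5]} win={$tcpRow[7]} urp={$tcpRow[9]} "
                . "chksum={$tcpRow[8]}\n";

            /* opt_proto 6 = TCP options */
            $result3 = $db->baseExecute("SELECT * FROM opt" . $where . " AND opt_proto='6'");
            $num_opt = $result3->baseRecordCount();
            if ($num_opt > 0) {
                $s .= " Options:\n" . $formatOptions($result3, $num_opt, function ($code) {
                    return TCPOption2str($code);
                });
            }
            $result3->baseFreeRows();
        }
    }

    /* UDP header.  SELECT * is positional: columns 2..4 are taken to be
       sport, dport and length — confirm against the udphdr schema before
       changing the table. */
    if ($layer4_proto == "17") {
        $result2 = $db->baseExecute("SELECT * FROM udphdr" . $where);
        $udpRow = $result2->baseFetchRow();
        $result2->baseFreeRows();
        if ($udpRow) {
            $s .= "UDP: port={$udpRow[2]} -> dport: {$udpRow[3]} len={$udpRow[4]}\n";
        }
    }

    /* ICMP header */
    if ($layer4_proto == "1") {
        $result2 = $db->baseExecute(
            "SELECT icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq FROM icmphdr" . $where
        );
        $icmpRow = $result2->baseFetchRow();
        $result2->baseFreeRows();
        if ($icmpRow) {
            $s .= "ICMP: type=" . ICMPType2str($icmpRow[0]) . " code=" . ICMPCode2str($icmpRow[0], $icmpRow[1]) . "\n"
                . " checksum={$icmpRow[2]} id={$icmpRow[3]} seq={$icmpRow[4]}\n";
        }
    }

    /* Payload.  The sensor row supplies the encoding (col 0) used to render it
       and the detail level (col 1) that explains its absence.  The sensor
       result is freed on every path, not only when a payload exists. */
    $result3 = $db->baseExecute('SELECT encoding, detail FROM sensor WHERE sid=' . $sid);
    $sensorRow = $result3->baseFetchRow();
    $result3->baseFreeRows();
    $result2 = $db->baseExecute("SELECT data_payload FROM data" . $where);
    $payloadRow = $result2->baseFetchRow();
    $result2->baseFreeRows();

    $s .= "Payload: ";
    if ($payloadRow) {
        $s .= PrintPacketPayload($payloadRow[0], $sensorRow ? $sensorRow[0] : null, 2) . "\n";
    } elseif ($sensorRow && $sensorRow[1] == "0") {
        /* detail level "0" is fast logging: the sensor never stored the payload */
        $s .= "Fast logging used so payload was discarded\n";
    } else {
        $s .= "none\n";
    }

    return $s;
}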
/* ICMP */ if ($layer4_proto == "1") { $sql2 = "SELECT icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq FROM icmphdr " . "WHERE sid='" . $sid . "' AND cid='" . $cid . "'"; $result2 = $db->baseExecute($sql2); if ($myrow2 = $result2->baseFetchRow()) { echo '<br> <TABLE BORDER=0 cellpadding=2 cellspacing=0 class="bborder" WIDTH="100%"> <TR><TD CLASS="header3" WIDTH=50 ROWSPAN=2 ALIGN=CENTER>ICMP'; echo ' <TD>'; echo ' <TABLE BORDER=0 CELLPADDING=2>'; echo ' <TR><TD class="header">' . gettext("type") . '</TD> <TD class="header">' . gettext("code") . '</TD> <TD class="header">checksum</TD> <TD class="header">' . gettext("ID") . '</TD> <TD class="header">seq #</TR>'; echo ' <TR><TD class="plfield">(' . $myrow2[0] . ') ' . ICMPType2str($myrow2[0]) . '</TD>'; echo ' <TD class="plfield">(' . $myrow2[1] . ') ' . ICMPCode2str($myrow2[0], $myrow2[1]) . '</TD>'; echo ' <TD class="plfield">' . $myrow2[2] . '<BR>=<BR>0x' . dechex($myrow2[2]) . '</TD>'; echo ' <TD class="plfield">' . $myrow2[3] . '</TD>'; echo ' <TD class="plfield">' . $myrow2[4] . '</TD></TR>'; echo ' </TABLE>'; echo '</TABLE>'; $ICMPitype = $myrow2[0]; $ICMPicode = $myrow2[1]; $result2->baseFreeRows(); } } /* Connect with KDB if plugin_id=1505 */ if ($plugin_id == 1505 && $plugin_sid != "") { $sql2 = "SELECT k.text FROM ossim.repository k, ossim.repository_relationships r WHERE k.id=r.id_document and r.type='directive' and r.keyname='" . $plugin_sid . "'"; $result2 = $db->baseExecute($sql2);