/* Row loop over $sim_events; the body (and its else-branch) continues past this fragment. */ foreach ($sim_events as $sim_event) { /* NOTE(review): `continue`, not `break` - rows beyond the fifth are still iterated and only skipped; $i is presumably incremented further down the loop body (not visible here). */ if ($i >= 5) { continue; } $color = $i % 2 == 0 ? "#F2F2F2" : "#FFFFFF"; $current_sip32 = $sim_event['sip']; $current_sip = baseLong2IP($current_sip32); $current_dip32 = $sim_event['dip']; $current_dip = baseLong2IP($current_dip32); $current_oasset_s = $sim_event['oasset_s']; $current_oasset_d = $sim_event['oasset_d']; $current_oprio = $sim_event['prio']; $current_oreli = $sim_event['rel']; $current_oriskc = $sim_event['risk_c']; $current_oriska = $sim_event['risk_a']; $proto = IPProto2str($sim_event['proto']); /* Loose != against "": an integer 0 compares equal to "" before PHP 8 and unequal from PHP 8 on, so this guard changes meaning across versions; a strict check pins the intent. */ if ($current_sip32 != "") { $country = strtolower(geoip_country_code_by_addr($gi, $current_sip)); $country_name = geoip_country_name_by_addr($gi, $current_sip); /* $country and $country_name come from the GeoIP database and are interpolated into src/alt/title with no escaping. */ if ($country) { $country_img = " <img src=\"/ossim/pixmaps/flags/" . $country . ".png\" alt=\"{$country_name}\" title=\"{$country_name}\">"; } else { $country_img = ""; } /* Display name precedence: sensor name, then host name, then the dotted IP. The loose != "" on possibly absent keys raises undefined-index notices; isset() or ?? would avoid that. */ $ip_aux = $sensors[$current_sip] != "" ? $sensors[$current_sip] : ($hosts[$current_sip] != "" ? $hosts[$current_sip] : $current_sip); /* $ip_aux (an operator-supplied sensor/host name) is concatenated into the anchor text without htmlspecialchars(); unless $sensors/$hosts are escaped where they are built (not visible here), a stored name containing markup is emitted as-is. $current_sport is read but not assigned in this fragment - presumably set earlier. */ $ip_src = '<A HREF="base_stat_ipaddr.php?ip=' . $current_sip . '&netmask=32">' . $ip_aux . '</A><FONT SIZE="-1">' . $current_sport . '</FONT>' . $country_img; } else { /* if no IP address was found check if this is a spp_portscan message * and try to extract a source IP * - contrib: Michael Bell <*****@*****.**> */
/* Destination-address cell of the unique-IP-links table; the enclosing row loop and its if/else open before this fragment. */ qroPrintEntry($div2 . $d_country_img . BuildAddressLink($ip_dip, 32) . $ip_dip . '</A>' . $bdiv2, "", "", "nowrap"); if ($fqdn == "yes") { qroPrintEntry('<FONT>' . $dip_fqdn . '</FONT>'); } qroPrintEntry('<FONT>' . IPProto2str($proto) . '</FONT>'); /* $tmp_ip_criteria is appended to each href verbatim - assumed to be built URL-safe where it is defined (not visible here). */ $tmp = '<A HREF="base_stat_ports.php?port_type=2&proto=' . $proto . $tmp_ip_criteria . '">'; qroPrintEntry($tmp . $num_unique_dport . '</A>'); $tmp = '<A HREF="base_stat_alerts.php?foo=1' . $tmp_ip_criteria . '">'; qroPrintEntry($tmp . $num_unique . '</A>'); /* The translated "Query DB" label goes into the query string without urlencode(), so the space (and any non-ASCII in a translation) is emitted raw. */ $tmp = '<A HREF="base_qry_main.php?new=1' . '&num_result_rows=-1' . '&submit=' . gettext("Query DB") . '&current_view=-1' . $tmp_ip_criteria . '">'; qroPrintEntry($tmp . $num_occurances . '</A>'); qroPrintEntryFooter(); } $i++; /* report_data: the src/dst flag markup is packed into a single field using "####" as separator; the consumer must split on it. */ $report_data[] = array($ip_sip, '', $ip_dip, '', IPProto2str($proto), "", "", "", "", "", "", $num_unique_dport, $num_unique, $num_occurances, $s_country_img != '' || $d_country_img != '' ? $s_country_img . "####" . $d_country_img : ''); } $result->baseFreeRows(); $dbo->close($_conn); $qro->PrintFooter(); $qs->PrintBrowseButtons(); $qs->PrintAlertActionButtons(); $qs->SaveReportData($report_data, $unique_iplinks_report_type); $qs->SaveState(); /* $fqdn is HTML-escaped before being echoed back as form state - keep it that way, since the value presumably round-trips from the request. */ echo "<input type='hidden' name='fqdn' value='" . Util::htmlentities($fqdn) . "'>\n"; echo "\n</FORM>\n"; PrintBASESubFooter(); $et->Mark("Get Query Elements"); $et->PrintTiming(); $db->baseClose(); echo "</body>\r\n</html>";
</TABLE> <br/> <TABLE class="table_list"> <TR> <th>' . gettext("Source Address") . '</th> <th>' . gettext("Source Port") . '</th> <th>' . gettext("Destination Address") . '</th> <th>' . gettext("Destination Port") . '</th> <th>' . gettext("Protocol") . '</th> </TR> <TR> <TD class="plfield" nowrap><div id="' . $current_sip . ';' . $sip_aux . ';' . $myrow2["src_host"] . '" ctx="' . $ctx . '" class="HostReportMenu">' . $ip_src_data . '</div></TD> <TD class="plfield" nowrap>' . $layer4_sport . '</TD> <TD class="plfield" nowrap><div id="' . $current_dip . ';' . $dip_aux . ';' . $myrow2["dst_host"] . '" ctx="' . $ctx . '" class="HostReportMenu">' . $ip_dst_data . '</div></TD> <TD class="plfield" nowrap>' . $layer4_dport . '</TD> <TD class="plfield" nowrap>' . IPProto2str($ip_proto) . '</TD> </TR> </TABLE> </div> </div> <BR> <div class="siem_detail_table"> <div class="siem_detail_section">SIEM</div> <div class="siem_detail_content"> '; /* In the table above, $sip_aux, $dip_aux, $myrow2["src_host"], $myrow2["dst_host"] and $ctx are concatenated into id/ctx attribute values without htmlspecialchars(ENT_QUOTES); a double quote in a host name or context value ends the attribute. Escape them here unless they are guaranteed escaped where they are built (not visible in this fragment). */ echo ' <TABLE class="table_list"> <TR> <th>' . _("Unique Event ID#") . '</th> <th>' . gettext("Asset") . ' S<img border="0" align="absmiddle" src="images/arrow-000-small.gif">D</th>
/* else-branch of the destination geo lookup; its if-part is outside this fragment. */ } else { $country_img = ""; $dlnk = $dlnkrd = ""; } /* Display name precedence: sensor name, host name, dotted IP; loose != "" on possibly absent keys raises undefined-index notices. */ $dip_aux = $sensors[$current_dip] != "" ? $sensors[$current_dip] : ($hosts[$current_dip] != "" ? $hosts[$current_dip] : $current_dip); /* NOTE(review): this destination div id uses $ip_aux (the source name, assigned elsewhere) rather than the $dip_aux computed on the previous statement - looks like a copy/paste slip; confirm which is intended. */ $div = '<div id="' . $current_dip . ';' . $ip_aux . '" class="HostReportMenu">'; $bdiv = '</div>'; /* $match_cidr is assigned inside the condition and reused by get_homelan_icon(); in_array() is non-strict. */ $homelan = ($match_cidr = Net::is_ip_in_cache_cidr($_conn, $current_dip)) || in_array($current_dip, $hosts_ips) ? " <a href='javascript:;' class='scriptinfo' style='text-decoration:none' ip='{$current_dip}'><img src=\"" . Host::get_homelan_icon($current_dip, $icons, $match_cidr, $_conn) . "\" border=0></a>" : ""; if ($homelan != "") { $dlnk = "<img src='images/homelan.png' align='absmiddle' border=0 style='width:3mm'>"; $dlnkrd = $current_url . "/forensics/images/homelan.png"; } } /* $i++; */ /* Report row: $despues is stored HTML-decoded; the bar2.php URLs embed the raw asset/priority/reliability/risk values from the row. */ $report_data[] = array(trim(html_entity_decode($despues)), $myrow["timestamp"], $sip_aux . $current_sport, $slnkrd, $dip_aux . $current_dport, $dlnkrd, $current_url . "/forensics/bar2.php?value=" . $current_oasset_s . "&value2=" . $current_oasset_d . "&max=5", $current_url . "/forensics/bar2.php?value=" . $current_oprio . "&max=5", $current_url . "/forensics/bar2.php?value=" . $current_oreli . "&max=9", $current_url . "/forensics/bar2.php?value=" . $current_oriskc . "&value2=" . $current_oriska . "&max=9&range=1", IPProto2str($current_proto), $rowid, $myrow["sid"], $myrow["cid"]); } $result->baseFreeRows(); $dbo->close($_conn); $qs->PrintAlertActionButtons(); $qs->SaveReportData($report_data, $events_report_type); $qs->SaveState(); ?> <form action="base_timeline.php" id="ftl"> <table cellpadding=0 cellspacing=0 width="100%"> <tr> <td align="left" style="padding-top:3px"> <img src="../pixmaps/arrow_green.gif" border=0 align="absmiddle"> <?php echo _("Timeline resolution"); ?> :
/* Destination-address cell of the unique-IP-links table; the enclosing row loop opens before this fragment. */ qroPrintEntry(BuildAddressLink(baseLong2IP($dip), 32) . $ip_dip . '</A>' . $d_country_img . $homelan_dip, "", "", "nowrap"); if ($fqdn == "yes") { qroPrintEntry('<FONT>' . $dip_fqdn . '</FONT>'); } qroPrintEntry('<FONT>' . IPProto2str($proto) . '</FONT>'); /* $tmp_ip_criteria is appended to each href verbatim - assumed URL-safe where it is built (not visible here). */ $tmp = '<A HREF="base_stat_ports.php?port_type=2&proto=' . $proto . $tmp_ip_criteria . '">'; qroPrintEntry($tmp . $num_unique_dport . '</A>'); $tmp = '<A HREF="base_stat_alerts.php?foo=1' . $tmp_ip_criteria . '">'; qroPrintEntry($tmp . $num_unique . '</A>'); /* gettext("Query+DB") bakes URL-encoding into the msgid, so it will not match a catalog entry for "Query DB"; urlencode(gettext("Query DB")) keeps the label translatable and URL-safe. */ $tmp = '<A HREF="base_qry_main.php?new=1' . '&num_result_rows=-1' . '&submit=' . gettext("Query+DB") . '&current_view=-1' . $tmp_ip_criteria . '">'; qroPrintEntry($tmp . $num_occurances . '</A>'); qroPrintEntryFooter(); } $i++; /* report_data */ $report_data[] = array($ip_sip, $slnk, $ip_dip, $dlnk, IPProto2str($proto), "", "", "", "", "", "", $num_unique_dport, $num_unique, $num_occurances); } $result->baseFreeRows(); $dbo->close($_conn); $qro->PrintFooter(); $qs->PrintBrowseButtons(); $qs->PrintAlertActionButtons(); $qs->SaveReportData($report_data, $unique_iplinks_report_type); $qs->SaveState(); /* $fqdn is written into the attribute unescaped, whereas the sibling page wraps it in Util::htmlentities(). If $fqdn originates from the request (it is echoed back as form state), a value containing a quote breaks out of the attribute - apply the same escaping here. */ echo "<input type='hidden' name='fqdn' value='{$fqdn}'>\n"; echo "\n</FORM>\n"; PrintBASESubFooter(); $et->Mark("Get Query Elements"); $et->PrintTiming(); echo "</body>\r\n</html>"; geoip_close($gi);
break; case 1: $context = '<a href="javascript:;" title="'._("Event prioritized, as target inventory matched the list of affected systems").'"><img src="images/marker_yellow.png" border="0"></a>'; break; case 0: $context = '<a href="javascript:;" title="'._("No action related to the context analysis").'"><img src="images/marker_grey.png" border="0"></a>'; break; } $cell_data['CONTEXT'] = $context; $cell_align['CONTEXT'] = "center"; $cell_more['CONTEXT'] = "nowrap";*/ /* 11- Protocol */ /* qroPrintEntry('<FONT>' . IPProto2str($current_proto) . '</FONT>'); */ $cell_data['IP_PROTO'] = IPProto2str($current_proto); $cell_align['IP_PROTO'] = "center"; /* X- ExtraData: each field is word-wrapped first and HTML-escaped last, the right order for an HTML context. PASSWORD renders the captured credential in clear in the event list and in the saved report - consider masking it at this point. */ $cell_data['USERNAME'] = Util::htmlentities(Util::wordwrap($myrow['username'], 25, " ", true)); $cell_data['PASSWORD'] = Util::htmlentities(Util::wordwrap($myrow['password'], 25, " ", true)); $cell_data['FILENAME'] = Util::htmlentities(Util::wordwrap($myrow['filename'], 25, " ", true)); $cell_data['PAYLOAD'] = Util::htmlentities(Util::wordwrap($myrow['data_payload'], 25, " ", true)); /* NOTE(review): the ternary tests $i (presumably the row counter) rather than the loop variable $u, so wrapping applies to every userdata field of a row only while $i < 9 - confirm that is intended. */ for ($u = 1; $u < 10; $u++) { $cell_data['USERDATA' . $u] = $i < 9 ? Util::htmlentities(Util::wordwrap($myrow['userdata' . $u], 25, " ", true)) : Util::htmlentities($myrow['userdata' . $u]); } /* IDM-Reputation Data */ $cell_data['SRC_USERDOMAIN'] = Util::htmlentities($myrow['src_userdomain']); $cell_align['SRC_USERDOMAIN'] = "center"; $cell_data['DST_USERDOMAIN'] = Util::htmlentities($myrow['dst_userdomain']); $cell_align['DST_USERDOMAIN'] = "center"; $cell_data['SRC_HOSTNAME'] = Util::htmlentities($myrow['src_hostname']);
/* closes a block opened before this fragment */ } $src_net_id = $myrow['src_net']; $dst_net_id = $myrow['dst_net']; /* 5- Source IP Address. Loose != "" (0 vs "" compares differently before and after PHP 8). $sip_aux is assigned only inside the guard but read unconditionally in the report row below, so it must be initialised earlier (not visible here) to avoid an undefined-variable notice. */ if ($current_sip32 != "") { $src_output = Asset_host::get_extended_name($_conn, $geoloc, $current_sip, $ctx, $myrow['src_host'], $myrow["src_net"]); $sip_aux = $src_output['name']; } /* 6- Destination IP Address: same guard and the same $dip_aux caveat. */ if ($current_dip32 != "") { $dst_output = Asset_host::get_extended_name($_conn, $geoloc, $current_dip, $ctx, $myrow['dst_host'], $myrow["dst_net"]); $dip_aux = $dst_output['name']; } /* $i++; */ /* Report row: the binary event id is rendered as upper-case hex; $despues is stored HTML-decoded and the bar2.php URLs embed raw row values. */ $report_data[] = array(trim(html_entity_decode($despues)), $myrow["timestamp"], $sip_aux . $current_sport, '', $dip_aux . $current_dport, '', $current_url . "/forensics/bar2.php?value=" . $current_oasset_s . "&value2=" . $current_oasset_d . "&max=5", $current_url . "/forensics/bar2.php?value=" . $current_oprio . "&max=5", $current_url . "/forensics/bar2.php?value=" . $current_oreli . "&max=9", strtoupper(bin2hex($myrow["id"])), IPProto2str($current_proto), $rowid, 0, 0, ''); } $result->baseFreeRows(); $dbo->close($_conn); $geoloc->close(); $qs->PrintAlertActionButtons(); $qs->SaveReportData($report_data, $events_report_type); $qs->SaveState(); $db->baseClose(); ?> <form action="base_timeline.php" id="ftl"> <br/> <table class="transparent" cellpadding=0 cellspacing=0 width="100%"> <tr> <td align="left" style="padding-top:3px" class='siem_title_gray'> <?php