require_once '../repository/repository_view.php'; } /* PAYLOAD */ if ($is_snort) { echo '<div class="siem_detail_table"> <div class="siem_detail_section">' . _("Payload"); echo showShellcodeAnalysisLink($eid, $plugin_sid_name); echo '</div>'; } else { echo '<div class="siem_detail_table"> <div class="siem_detail_section">' . _("Raw Log") . '</div>'; } echo ' <div class="siem_detail_content siem_border">'; if ($payload) { /* print the packet based on encoding type */ PrintPacketPayload($payload, $encoding, 1, $plugin_id == $otx_plugin_id ? true : false); if ($layer4_proto == "1") { if ($ICMPitype == "4" && $ICMPicode == "0" || $ICMPitype == "5" || $ICMPitype == "12" && $ICMPicode == "0" || ($ICMPitype == "3" || $ICMPitype == "11") && $ICMPicode == "0" || $ICMPicode == "1" || $ICMPicode == "3" || $ICMPicode == "4" || $ICMPicode == "9" || $ICMPicode == "13") { /* 0 == hex, 1 == base64, 2 == ascii; cf. snort-2.4.4/src/plugbase.h */ if ($encoding == 1) { /* encoding is base64 */ $work = bin2hex(base64_decode(str_replace("\n", "", Util::htmlentities($payload)))); } else { /* assuming that encoding is hex */ $work = str_replace("\n", "", Util::htmlentities($payload)); } /* * - depending on how the packet logged, 32-bits of NULL padding after * the checksum may still be present. */ if (substr($work, 0, 8) == "00000000") {
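/**
 * Build a plain-text dump of one event (identified by sensor id + event id)
 * for export: a signature line, the IP header with its options, whichever
 * layer-4 header applies (TCP / UDP / ICMP), and the payload.
 *
 * @param int|string $sid  sensor id; coerced to int before it reaches SQL
 * @param int|string $cid  event id;  coerced to int before it reaches SQL
 * @param object     $db   BASE db wrapper exposing baseExecute(); its result
 *                         objects expose baseFetchRow(), baseRecordCount()
 *                         and baseFreeRows()
 * @return string the multi-line dump (lines end in "\n", the header in "\r\n")
 */
function ExportPacket($sid, $cid, $db)
{
    /*
     * The db wrapper used here offers no bound parameters and every query
     * below is built by string concatenation.  sid/cid are integer keys in
     * the ACID/Snort schema, so casting them keeps any non-numeric caller
     * input out of the SQL text.
     */
    $sid = (int) $sid;
    $cid = (int) $cid;
    $where = " WHERE sid='" . $sid . "' AND cid='" . $cid . "'";

    /* Event: signature + timestamp header line */
    $result2 = $db->baseExecute("SELECT signature, timestamp FROM acid_event" . $where);
    $myrow2 = $result2->baseFetchRow();
    $s = "------------------------------------------------------------------------------\n";
    $s .= "#({$sid} - {$cid}) [{$myrow2['1']}] " . BuildSigByID($myrow2[0], $sid, $cid, $db, 2) . "\r\n";
    $result2->baseFreeRows();

    /* IP header (+ IP options, opt_proto 0) */
    $result2 = $db->baseExecute(
        "SELECT ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_csum, ip_proto"
        . " FROM iphdr" . $where
    );
    $myrow2 = $result2->baseFetchRow();
    /* no iphdr row: no layer-4 section will match below */
    $layer4_proto = $myrow2 ? $myrow2[11] : "";
    if ($myrow2 && $myrow2[0] != "") {
        $result3 = $db->baseExecute("SELECT * FROM opt" . $where . " AND opt_proto='0'");
        $num_opt = $result3->baseRecordCount();
        $s .= "IPv{$myrow2['2']}: " . baseLong2IP($myrow2[0]) . " -> " . baseLong2IP($myrow2[1]) . "\n"
            . " hlen={$myrow2['3']} TOS={$myrow2['4']} dlen={$myrow2['5']} ID={$myrow2['6']}"
            . " flags={$myrow2['7']} offset={$myrow2['8']} TTL={$myrow2['9']} chksum={$myrow2['10']}\n";
        if ($num_opt > 0) {
            $s .= " Options\n";
            for ($i = 0; $i < $num_opt; $i++) {
                $myrow3 = $result3->baseFetchRow();
                $s .= " #" . ($i + 1) . " - " . IPOption2str($myrow3[4]) . " len={$myrow3['5']}";
                if ($myrow3[5] != 0) {
                    $s .= " data={$myrow3['6']}";
                }
                $s .= "\n";
            }
        }
        $result3->baseFreeRows();
    }
    $result2->baseFreeRows();

    /* TCP header (+ TCP options, opt_proto 6) */
    if ($layer4_proto == "6") {
        $result2 = $db->baseExecute(
            "SELECT tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp"
            . " FROM tcphdr" . $where
        );
        $myrow2 = $result2->baseFetchRow();
        $result3 = $db->baseExecute("SELECT * FROM opt" . $where . " AND opt_proto='6'");
        $num_opt = $result3->baseRecordCount();

        /* One character per flag bit of tcp_flags, MSB first; '*' marks a clear bit. */
        $flag_chars = array(128 => '2', 64 => '1', 32 => 'U', 16 => 'A', 8 => 'P', 4 => 'R', 2 => 'S', 1 => 'F');
        $flags = '';
        foreach ($flag_chars as $bit => $char) {
            $flags .= (($myrow2[6] & $bit) != 0) ? $char : '*';
        }
        $s .= "TCP: port={$myrow2['0']} -> dport: {$myrow2['1']} flags=" . $flags
            . " seq={$myrow2['2']}\n"
            . " ack={$myrow2['3']} off={$myrow2['4']} res={$myrow2['5']} win={$myrow2['7']} urp={$myrow2['9']} "
            . "chksum={$myrow2['8']}\n";
        if ($num_opt != 0) {
            $s .= " Options:\n";
            for ($i = 0; $i < $num_opt; $i++) {
                $myrow3 = $result3->baseFetchRow();
                $s .= " #" . ($i + 1) . " - " . TCPOption2str($myrow3[4]) . " len={$myrow3['5']}";
                if ($myrow3[5] != 0) {
                    $s .= " data=" . $myrow3[6];
                }
                $s .= "\n";
            }
        }
        $result2->baseFreeRows();
        $result3->baseFreeRows();
    }

    /* UDP header */
    if ($layer4_proto == "17") {
        $result2 = $db->baseExecute("SELECT * FROM udphdr" . $where);
        $myrow2 = $result2->baseFetchRow();
        $s .= "UDP: port={$myrow2['2']} -> dport: {$myrow2['3']} len={$myrow2['4']}\n";
        $result2->baseFreeRows();
    }

    /* ICMP header */
    if ($layer4_proto == "1") {
        $result2 = $db->baseExecute("SELECT icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq FROM icmphdr" . $where);
        $myrow2 = $result2->baseFetchRow();
        $s .= "ICMP: type=" . ICMPType2str($myrow2[0]) . " code=" . ICMPCode2str($myrow2[0], $myrow2[1]) . "\n"
            . " checksum={$myrow2['2']} id={$myrow2['3']} seq={$myrow2['4']}\n";
        $result2->baseFreeRows();
    }

    /* Payload, rendered according to the sensor's encoding setting */
    $result2 = $db->baseExecute("SELECT data_payload FROM data" . $where);
    /* encoding and detail level are per-sensor settings */
    $result3 = $db->baseExecute('SELECT encoding, detail FROM sensor WHERE sid=' . $sid);
    $myrow3 = $result3->baseFetchRow();
    $s .= "Payload: ";
    $myrow2 = $result2->baseFetchRow();
    if ($myrow2) {
        /* mode 2 of PrintPacketPayload is used here for its return value */
        $s .= PrintPacketPayload($myrow2[0], $myrow3[0], 2) . "\n";
    } else {
        /* No payload row: explain why via the sensor's detail level ("0" == fast logging). */
        if ($myrow3[1] == "0") {
            $s .= "Fast logging used so payload was discarded\n";
        } else {
            $s .= "none\n";
        }
    }
    /* free the sensor result on both branches (previously leaked when no payload row existed) */
    $result3->baseFreeRows();
    $result2->baseFreeRows();

    return $s;
}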
echo '<br><div class="siem_detail_table"> <div class="siem_detail_section">' . _("Payload") . ' '; //echo ("<br>" . PrintCleanURL()); //echo ("<br>" . PrintBinDownload($db, $eid)); echo showShellcodeAnalysisLink($eid, $plugin_sid_name); echo "</div>"; } else { echo '<br><div class="siem_detail_table"> <div class="siem_detail_section">' . _("Raw Log") . '</div>'; echo "<style type='text/css'>\n pre.nowrapspace { white-space: -moz-pre-wrap !important; white-space: -pre-wrap;white-space: -o-pre-wrap;white-space: pre-wrap;white-space: normal; min-height:20px; }\n </style>\n"; } echo ' <div class="siem_detail_content">'; if ($payload) { /* print the packet based on encoding type */ PrintPacketPayload($payload, $encoding, 1); if ($layer4_proto == "1") { if ($ICMPitype == "4" && $ICMPicode == "0" || $ICMPitype == "5" || $ICMPitype == "12" && $ICMPicode == "0" || ($ICMPitype == "3" || $ICMPitype == "11") && $ICMPicode == "0" || $ICMPicode == "1" || $ICMPicode == "3" || $ICMPicode == "4" || $ICMPicode == "9" || $ICMPicode == "13") { /* 0 == hex, 1 == base64, 2 == ascii; cf. snort-2.4.4/src/plugbase.h */ if ($encoding == 1) { /* encoding is base64 */ $work = bin2hex(base64_decode(str_replace("\n", "", $payload))); } else { /* assuming that encoding is hex */ $work = str_replace("\n", "", $payload); } /* * - depending on how the packet logged, 32-bits of NULL padding after * the checksum may still be present. */ if (substr($work, 0, 8) == "00000000") {