/* $qro->AddTitle(gettext("Unique Events"), "sig_a", "", " ORDER BY sig_cnt ASC", "sig_d", "", " ORDER BY sig_cnt DESC"); $qro->AddTitle(gettext("Unique Src."), "saddr_a", "", " ORDER BY saddr_cnt ASC", "saddr_d", "", " ORDER BY saddr_cnt DESC"); $qro->AddTitle(gettext("Unique Dst."), "daddr_a", "", " ORDER BY daddr_cnt ASC", "daddr_d", "", " ORDER BY daddr_cnt DESC"); */ $sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), ""); $sql = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntoa(sensor.ip) AS sensor_ip, inet6_ntoa(device.device_ip) AS device_ip, device.interface, {$counter} " . $sort_sql[0] . $from . $where . " AND device.id=acid_event.device_id GROUP BY acid_event.device_id HAVING event_cnt>0 " . $sort_sql[1]; $sql2 = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntoa(sensor.ip) AS sensor_ip, inet6_ntoa(device.device_ip) AS device_ip, device.interface, {$counter} " . $sort_sql[0] . $from . $where2 . " AND device.id=acid_event.device_id GROUP BY acid_event.device_id HAVING event_cnt>0 " . $sort_sql[1]; $sqlsensor = "SELECT " . $nevents . " as sig_cnt, count(distinct(acid_event.ip_src)) as saddr_cnt, count(distinct(acid_event.ip_dst)) as daddr_cnt" . $sort_sql[0] . $from2 . $where1 . 
" AND acid_event.device_id=DEVICEID"; $_SESSION['_siem_sensor_query'] = $sqlsensor; if (file_exists('/tmp/debug_siem')) { error_log("STATS SENSORS:{$sql}\nSTATS SENSOR UNIQUE:{$sqlsensor}\n", 3, "/tmp/siem"); } /* Run the Query again for the actual data (with the LIMIT) */ session_write_close(); $result = $qs->ExecuteOutputQuery($sql, $db); if ($result->baseRecordCount() == 0 && $use_ac) { $result = $qs->ExecuteOutputQuery($sql2, $db); } $qs->num_result_rows = $result->baseRecordCount(); $et->Mark("Retrieve Query Data"); // if ($debug_mode == 1) { // $qs->PrintCannedQueryList(); // $qs->DumpState(); // echo "$sql<BR>"; // } /* Print the current view number and # of rows */ $displaying = gettext("Displaying sensors %d-%d of <b>%s</b> matching your selection."); $qs->PrintResultCnt("", array(), $displaying); echo '<FORM METHOD="post" NAME="PacketForm" id="PacketForm" ACTION="base_stat_sensor.php">'; if ($qs->num_result_rows > 0) {
} if ($ids != "") { $sql = "DELETE FROM sig_reference WHERE ref_id in ({$ids})"; $qs->ExecuteOutputQueryNoCanned($sql, $db_snort); } $sql = "DELETE FROM reference_system WHERE ref_system_id={$delete}"; $qs->ExecuteOutputQueryNoCanned($sql, $db_snort); $sql = "DELETE FROM reference WHERE ref_system_id={$delete}"; $qs->ExecuteOutputQueryNoCanned($sql, $db_snort); } else { $error_msg = ossim_get_error(); ossim_clean_error(); } } $sql = "SELECT * FROM reference_system"; $result = $qs->ExecuteOutputQuery($sql, $db_snort); $ref_types = array(); while ($myrow = $result->baseFetchRow()) { $ref_types[] = $myrow; } ?> <!-- <?php echo gettext("Forensics Console " . $BASE_installID) . $BASE_VERSION; ?> --> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=<?php
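** (see the file 'base_main.php' for license details)
**
** Built upon work by Roman Danyliw <*****@*****.**>, <*****@*****.**>
** Built upon work by the BASE Project Team <*****@*****.**>
*/

require "base_conf.php";
require "vars_session.php";
require_once 'classes/Util.inc';
require "{$BASE_path}/includes/base_constants.inc.php";
require "{$BASE_path}/includes/base_include.inc.php";
include_once "{$BASE_path}/base_db_common.php";
include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";

// The per-sensor count query is a SQL template handed over through the session
// by the page that lists the sensors. Without it there is nothing to run, so
// answer with the three-field "empty" marker. isset() avoids an undefined-index
// notice when the session never had the key; the "" comparison is unchanged.
if (!isset($_SESSION['siem_sensor_query']) || $_SESSION['siem_sensor_query'] == "") {
    echo "-##-##-";
    die;
}

// The only request-controlled value is the device id. VAR_DIGIT is meant to
// confine it to digits (the filtering itself lives in ImportHTTPVar — confirm
// there); the ctype_digit() check below re-asserts that locally because the
// value is spliced straight into SQL by str_replace(), and also rejects an
// empty id, which would leave the template's "=DEVICEID" comparison dangling.
$device_id = ImportHTTPVar("id", VAR_DIGIT);
if (!ctype_digit((string) $device_id)) {
    echo "-##-##-";
    die;
}

$sql = str_replace("DEVICEID", $device_id, $_SESSION['siem_sensor_query']);
// Nothing else is written to the session, so release its lock before the query.
session_write_close();

$qs = new QueryState();
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);

// Defaults keep the response well-formed (and notice-free) when the query
// returns no row; previously these were only assigned inside the if.
$unique_addrs = '';
$src_addrs    = '';
$dst_addrs    = '';

$rs = $qs->ExecuteOutputQuery($sql, $db);
if ($row = $rs->baseFetchRow()) {
    // Presumably: [0] event count, [1] distinct sources, [2] distinct
    // destinations — the column order is fixed by the session template, not
    // here. Each count is HTML-escaped and used as the text of the anchor
    // whose opening tag the Build*Link helpers return.
    $sensor_arg   = urlencode($device_id);
    $unique_addrs = BuildUniqueAlertLink("?sensor=" . $sensor_arg) . Util::htmlentities($row[0]) . '</A>';
    $src_addrs    = BuildUniqueAddressLink(1, "&sensor=" . $sensor_arg) . Util::htmlentities($row[1]) . '</A>';
    $dst_addrs    = BuildUniqueAddressLink(2, "&sensor=" . $sensor_arg) . Util::htmlentities($row[2]) . '</A>';
}
$rs->baseFreeRows();

// Same three-field "##" layout as the empty marker above.
echo "{$unique_addrs}##{$src_addrs}##{$dst_addrs}";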
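include_once "{$BASE_path}/base_qry_common.php";
include_once "{$BASE_path}/base_stat_common.php";

// Both SQL templates are prepared by the alert statistics page and passed
// through the session. Bail out with the three-field "empty" marker when
// either is missing; isset() avoids undefined-index notices, the ""
// comparison is unchanged.
if (!isset($_SESSION['siem_current_query_graph']) || $_SESSION['siem_current_query_graph'] == ""
    || !isset($_SESSION['siem_alerts_query']) || $_SESSION['siem_alerts_query'] == "") {
    echo "-##-##-";
    die;
}

$tz = Util::get_timezone();

// Request input is limited to the two numeric ids. VAR_DIGIT is meant to keep
// them to digits (confirm in ImportHTTPVar); ctype_digit() re-asserts that
// locally because both values are substituted straight into SQL, and it also
// rejects empty ids, which would presumably leave a dangling comparison in
// the templates.
$plugin_id  = ImportHTTPVar("id", VAR_DIGIT);
$plugin_sid = ImportHTTPVar("sid", VAR_DIGIT);
if (!ctype_digit((string) $plugin_id) || !ctype_digit((string) $plugin_sid)) {
    echo "-##-##-";
    die;
}

// Array form of str_replace() applies the searches in order, which is the same
// as the former nested calls (PLUGINID first, then PLUGINSID; neither
// placeholder is a substring of the other and the ids are digits only).
$placeholders = array("PLUGINID", "PLUGINSID");
$ids          = array($plugin_id, $plugin_sid);
$sqlgraph     = str_replace($placeholders, $ids, $_SESSION['siem_current_query_graph']);
$sql          = str_replace($placeholders, $ids, $_SESSION['siem_alerts_query']);
// Nothing else is written to the session, so release its lock before the query.
session_write_close();

$qs = new QueryState();
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);

// Defaults keep the response well-formed when the query returns no row.
// Previously $last fell through to gmdate() on an undefined value (an epoch
// date) when a timezone offset was set, and $row[2] was read from a false row
// otherwise.
$src_addrs = '';
$dst_addrs = '';
$last      = '';

$rs = $qs->ExecuteOutputQuery($sql, $db);
if ($row = $rs->baseFetchRow()) {
    // Link back to the alert list filtered on "signature == plugin_id;plugin_sid".
    $addr_link = '&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=' . urlencode($plugin_id . ";" . $plugin_sid);
    // Presumably: [0] distinct sources, [1] distinct destinations, [2] last
    // timestamp — the column order is fixed by the session template. Counts
    // are HTML-escaped before use as anchor text, as the per-sensor stat
    // fetch already does.
    $src_addrs = BuildUniqueAddressLink(1, $addr_link) . Util::htmlentities($row[0]) . '</A>';
    $dst_addrs = BuildUniqueAddressLink(2, $addr_link) . Util::htmlentities($row[1]) . '</A>';
    $last      = get_utc_unixtime($db, $row[2]);

    // $tz is applied as whole hours (3600 * $tz); with no offset the stored
    // timestamp string is shown as-is.
    if ($tz != 0) {
        $last = gmdate("Y-m-d H:i:s", $last + 3600 * $tz);
    } else {
        $last = $row[2];
    }
}
$rs->baseFreeRows();

echo "{$src_addrs}##{$dst_addrs}##{$last}##";

// Time range for the graph that follows; "all" when the session has none.
$tr = (isset($_SESSION["time_range"]) && $_SESSION["time_range"] != "") ? $_SESSION["time_range"] : "all";
$trdata = array(0, 0, $tr);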
$sqlb = " and ac_alertsclas_classid.day=ac_alertsclas_signature.day"; $sqlc = " and ac_alertsclas_classid.day=ac_alertsclas_ipsrc.day"; $sqld = " and ac_alertsclas_classid.day=ac_alertsclas_ipdst.day"; } $orderby = str_replace("acid_event.", "", $sort_sql[1]); $sql = "SELECT SQL_CALC_FOUND_ROWS DISTINCT sig_class_id, sum(cid) as num_events,\n (select count(distinct(sid)) from ac_alertsclas_sid where ac_alertsclas_classid.sig_class_id=ac_alertsclas_sid.sig_class_id {$sqla}) as num_sensors,\n (select count(distinct(signature)) from ac_alertsclas_signature where ac_alertsclas_classid.sig_class_id=ac_alertsclas_signature.sig_class_id {$sqlb}) as num_sig,\n (select count(distinct(ip_src)) from ac_alertsclas_ipsrc where ac_alertsclas_classid.sig_class_id=ac_alertsclas_ipsrc.sig_class_id {$sqlc}) as num_sip,\n (select count(distinct(ip_dst)) from ac_alertsclas_ipdst where ac_alertsclas_classid.sig_class_id=ac_alertsclas_ipdst.sig_class_id {$sqld}) as num_dip,\n min(first_timestamp) as first_timestamp, max(last_timestamp) as last_timestamp\n FROM ac_alertsclas_classid FORCE INDEX(primary) {$where} GROUP BY sig_class_id {$orderby}"; $event_cnt = EventCnt($db, "", "", "SELECT sum(cid) FROM ac_alertsclas_classid {$where}"); $where = "AND " . str_replace("timestamp", "day", $criteria_clauses[1]); if ($tr != "today" && $tr != "day") { // we dont have hour interval in ac_* tables $sqlgraph = "SELECT sum(cid) as num_events, {$interval} FROM ac_alertsclas_classid WHERE sig_class_id=SIGCLASSID {$grpby}"; } } //echo $sql."<br>".$sqlgraph."<br>".$interval." 
".$tr; /* Run the Query again for the actual data (with the LIMIT) */ $result = $qs->ExecuteOutputQuery($sql, $db); if ($use_ac) { $qs->GetCalcFoundRows($cnt_sql, $db); } $et->Mark("Retrieve Query Data"); if ($debug_mode == 1) { $qs->PrintCannedQueryList(); $qs->DumpState(); echo "{$sql}<BR>"; } /* Print the current view number and # of rows */ $qs->PrintResultCnt(); echo ' <script src="js/jquery.flot.pack.js" language="javascript" type="text/javascript"></script> '; echo '<FORM METHOD="post" NAME="PacketForm" ACTION="base_stat_class_graph.php">';