コード例 #1
            $acid_link = Util::get_acid_events_link($s_since, $s_date, "time_a");
            echo "<a href=\"{$acid_link}\" class='stop'><span style='color:black' class='tip' title='" . _("First") . ": {$s_since} " . Util::timezone($tz) . "<br>" . _("Last") . ":  {$s_last} " . Util::timezone($tz) . "'>" . $ago . "</span></a>";
            ?>
        			</td>    				
        			<?php 
        } else {
            ?>
        			<td class="nobborder" style='<?php 
            echo $bgcolor;
            ?>
text-align: center' width='12%'>
        				<?php 
            $now = gmdate("Y-m-d H:i:s", gmdate("U") + 3600 * $tz);
            $ago = get_alarm_life($s_since, $now);
            $acid_link = Util::get_acid_events_link($s_since, $now, "time_a");
            echo "<a href=\"{$acid_link}\" class='stop'>\n        \t\t\t\t        <span style='color:black' class='tip' title='" . _("First") . ": {$s_since} " . Util::timezone($tz) . "'>" . $ago . "</span>\n        \t\t\t\t      </a>\n        \t\t\t\t      <img src='/ossim/alarm/style/img/correlating.gif' class='img_cor tip' title='" . _("This alarm is still being correlated and therefore it can not be modified") . "'/>";
            ?>
        			</td>    				
        			<?php 
        }
        ?>
        		
                <td class="left" style="padding-left:10px"><?php 
        echo $source_balloon;
        ?>
</td>
                
                <td class="left" style="padding-left:10px"><?php 
        echo $dest_balloon;
        ?>
</td>
コード例 #2
ファイル: index.php プロジェクト: jhbsz/ossimTest
					</td>
				</tr>
			</table>
		</tr>
		
		<tr><td style="padding-left:10px;padding-right:10px" colspan="5" class="nobborder"><table class="transparent" width="100%" cellpadding=0 cellspacing=0 border=0><tr><td class="nobborder" style="background:url('../pixmaps/points.gif') repeat-x"><img src="../pixmaps/points.gif"></td></tr></table></td></tr>
		
		<tr>
			<td class="nobborder" style="padding:10px" valign="top">
			<table class="transparent" width="100%">
				<tr>
				<td class="nobborder">
					<table class="transparent">
                    <tr>
                         <?php 
$txtzone = "<a href=\"javascript:;\" class=\"scriptinfoimg\" style=\"color:black\" txt=\"<img src='../pixmaps/timezones/" . rawurlencode(Util::timezone($tz)) . ".png' border=0>\">" . Util::timezone($tz) . "</a>";
?>
                        <td class="nobborder" nowrap style="font-size:11px;font-family:arial"><?php 
echo _("Time frame selection") . " {$txtzone}";
?>
:</td>
                        <td class="nobborder">
                            <div id="widget">
                                <a href="javascript:;"><img src="../pixmaps/calendar.png" id='imgcalendar' border="0"></a>
                                <div id="widgetCalendar"></div>
                            </div>
                        </td>
                        <td class="nobborder" nowrap>
                        <?php 
if ($param_start != "" && $param_end != "" && date_parse($param_start) && date_parse($param_end)) {
    ?>
コード例 #3
ファイル: base_stat_uaddr.php プロジェクト: alienfault/ossim
// Profiling marks bracket the query-state action for this page.
$et->Mark("Initialization");
$qs->RunAction($submit, PAGE_STAT_UADDR, $db);
$et->Mark("Alert Action");
// No row-count query is issued on this page; the mark is kept so the timing
// output stays aligned with the sibling base_stat_* pages.
$et->Mark("Counting Result size");

// Results table. Sortable columns take (title, asc key, asc SELECT fragment,
// asc ORDER BY, desc key, desc SELECT fragment, desc ORDER BY); GetSortSQL()
// hands back the fragments of the active sort, which the caller concatenates
// into its query verbatim. $addr_type_name therefore has to be a fixed column
// name chosen server-side — NOTE(review): confirm it is never request-controlled.
$qro = new QueryResultsOutput("base_stat_uaddr.php?caller={$caller}&amp;addr_type={$addr_type}");
$qro->AddTitle(" ");
$qro->AddTitle($results_title, "addr_a", " ", " ORDER BY {$addr_type_name} ASC", "addr_d", " ", " ORDER BY {$addr_type_name} DESC");
$qro->AddTitle(gettext("OTX"));
if ($resolve_IP == 1) {
    $qro->AddTitle("FQDN");
}
$qro->AddTitle(Session::show_entities() ? gettext("Context") : gettext("Sensor"));

// The "(*)" tooltip names the timezone the event counts are expressed in.
$uaddr_events_title = gettext("Events") . "&nbsp;# <span class='idminfo' txt='" . Util::timezone(Util::get_timezone()) . "'>(*)</span>";
$qro->AddTitle($uaddr_events_title, "occur_a", " ", " ORDER BY num_events ASC", "occur_d", " ", " ORDER BY num_events DESC");
$qro->AddTitle(gettext("Unique&nbsp;Events"), "sig_a", " ", " ORDER BY num_sig ASC", "sig_d", " ", " ORDER BY num_sig DESC");

// Destination view counts the sources that contacted each address; source view
// counts the destinations each address contacted.
if ($addr_type == DEST_IP) {
    $displaytitle = gettext("Displaying unique destination addresses %d-%d of <b>%s</b> matching your selection.");
    $qro->AddTitle(gettext("Unique Src. Contacted."), "saddr_a", " ", " ORDER BY num_sip ASC", "saddr_d", " ", " ORDER BY num_sip DESC");
} else {
    $displaytitle = gettext("Displaying unique source addresses %d-%d of <b>%s</b> matching your selection.");
    // The two-space SELECT fragment is what this column has always emitted; kept verbatim.
    $qro->AddTitle(gettext("Unique Dst. Contacted"), "daddr_a", "  ", " ORDER BY num_dip ASC", "daddr_d", " ", " ORDER BY num_dip DESC");
}

// Optional Google Earth / Google Maps links, only when the KML helper is installed.
// $currentIP and $addr_type_name are interpolated into an inline onclick handler and
// JS string literals without any escaping; that is only acceptable while both are
// server-derived (an address and a column name) — NOTE(review): confirm.
if (file_exists("../kml/GoogleEarth.php")) {
    // Note the literal 2 here versus DEST_IP above; kept exactly as before.
    $geo_kind = ($addr_type == 2 ? _("sources") : _("destinations"));
    $geo_tools = [
        ["TourConfig.php", "Goggle Earth API", _("Geolocation Tour"), "google_earth_icon.png"],
        ["IPGoogleMap.php", "Goggle Maps API", _("Geolocation Map"), "google_maps_icon.png"],
    ];
    $geo_anchors = [];
    foreach ($geo_tools as list($geo_page, $geo_api, $geo_title, $geo_icon)) {
        $geo_anchors[] = "<a href='' onclick='window.open(\"../kml/{$geo_page}?type={$addr_type_name}&ip={$currentIP}\",\"IP {$currentIP} {$geo_kind} - {$geo_api}\",\"width=1024,height=700,scrollbars=NO,toolbar=1\");return false'>"
            . "<img title='{$geo_title}' align='absmiddle' src='../pixmaps/{$geo_icon}' border='0'></a>";
    }
    $qro->AddTitle(gettext("Geo Tools") . " " . implode("&nbsp;&nbsp;", $geo_anchors), "geotools");
}

// Non-admin users do not get the total match count, so the "<b>%s</b>" tail is cut off.
if (!Session::am_i_admin()) {
    $displaytitle = preg_replace("/\\. <b>.*/", ".", $displaytitle);
}
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());
コード例 #4
ファイル: base_hdr2.php プロジェクト: jhbsz/ossimTest
<!--<tr><td style="padding-top:5px"><table width="100%" cellpadding=0 cellspacing=0 border=0><tr><td style="background:url('../pixmaps/points.gif') repeat-x"><img src="../pixmaps/points.gif"></td></tr></table></td></tr>-->

<?php 
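// Script the time-frame links point back to. Alert-detail and time-profile pages
// must not be re-entered with new time criteria, so those return to the main query page.
$urltimecriteria = $_SERVER['SCRIPT_NAME'];
if (preg_match("/base_qry_alert|base_stat_time/", $urltimecriteria)) {
    $urltimecriteria = "base_qry_main.php";
}

// Query-string tail built from the current request (its consumer is outside this block).
// Both values are request-controlled, so each one is URL-encoded before being appended;
// array-form parameters (?addr_type[]=...) are skipped instead of being stringified as "Array".
$params = "";
foreach (["addr_type", "sort_order"] as $carried_param) {
    $carried_value = isset($_GET[$carried_param]) ? $_GET[$carried_param] : "";
    if (is_string($carried_value) && $carried_value !== "") {
        $params .= "&" . $carried_param . "=" . rawurlencode($carried_value);
    }
}

// Timezone badge: the name plus a flag image named after it. Only the image path is
// URL-encoded; the visible label is emitted as-is — presumably $GLOBALS["tz"] is a
// server-side setting rather than request input; confirm.
$txtzone = "<a href=\"javascript:;\" class=\"scriptinfoimg\" txt=\"<img src='../pixmaps/timezones/" . rawurlencode(Util::timezone($GLOBALS["tz"])) . ".png' border=0>\">" . Util::timezone($GLOBALS["tz"]) . "</a>";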
?>

<tr>
	<td>
		<table>
			<tr>
				<td>
					<table width='100%'><tr>
					<td>
						<table cellpadding="0" cellspacing="0">
						<tr>
						<td><?php 
echo _("Time frame selection") . " {$txtzone}";
?>
:&nbsp;</td>
コード例 #5
ファイル: alarm_console.php プロジェクト: jhbsz/ossimTest
echo gettext("Sensor");
?>
 </a></td>
        <td style="background-color:#9DD131;font-weight:bold"> <?php 
echo gettext("Since") . "<br>" . Util::timezone($tz);
?>
 </td>
        <td style="background-color:#9DD131;font-weight:bold"><a href="<?php 
echo $_SERVER["SCRIPT_NAME"];
?>
?order=<?php 
// Sort link for the "Last" column: the new sort key followed by every active filter
// re-emitted as query-string parameters. Nothing here is URL- or HTML-encoded and the
// result is written inside an href attribute, so this is only safe if each of these
// values was validated/encoded where it was read from the request — NOTE(review): confirm.
echo ossim_db::get_order("timestamp", $order) . "&inf={$inf}&sup={$sup}&src_ip={$src_ip}&dst_ip={$dst_ip}&num_alarms_page={$num_alarms_page}&date_from={$date_from}&date_to={$date_to}&hide_closed={$hide_closed}&norefresh={$norefresh}&query={$query}&directive_id={$directive_id}&no_resolv={$no_resolv}&sensor_query={$sensor_query}&num_events={$num_events}&num_events_op={$num_events_op}";
?>
"> 
            <?php 
echo gettext("Last") . "<br>" . Util::timezone($tz);
?>
 </a></td>
        <td style="background-color:#9DD131;font-weight:bold"><a href="<?php 
echo $_SERVER["SCRIPT_NAME"];
?>
?order=<?php 
// Sort link for the "Source" column, same shape as the other column headers: sort key
// plus all active filters as raw query-string parameters, emitted inside an href
// attribute without URL- or HTML-encoding. Safe only if every filter value was
// validated/encoded at the point it was read from the request — NOTE(review): confirm.
echo ossim_db::get_order("src_ip", $order) . "&inf={$inf}&sup={$sup}&src_ip={$src_ip}&dst_ip={$dst_ip}&num_alarms_page={$num_alarms_page}&date_from={$date_from}&date_to={$date_to}&hide_closed={$hide_closed}&norefresh={$norefresh}&query={$query}&directive_id={$directive_id}&no_resolv={$no_resolv}&sensor_query={$sensor_query}&num_events={$num_events}&num_events_op={$num_events_op}";
?>
"> <?php 
echo gettext("Source");
?>
 </a></td>
        <td style="background-color:#9DD131;font-weight:bold"><a href="<?php 
echo $_SERVER["SCRIPT_NAME"];
?>
コード例 #6
ファイル: base_stat_alerts.php プロジェクト: jhbsz/ossimTest
}
// Optional profiling mark (ternary used as a statement; the '' branch is a no-op).
$debug_time_mode >= 1 ? $et->Mark("Counting Result size") : '';
/* Setup the Query Results Table */
// $caller is spliced into the results URL without encoding — NOTE(review): confirm it
// is validated where it is read.
$qro = new QueryResultsOutput("base_stat_alerts.php?caller=" . $caller);
$qro->AddTitle(" ");
// Column definitions. For sortable columns the arguments apparently are: title, asc sort
// key, extra SELECT fragment for that sort, its ORDER BY fragment, then the same three for
// desc. GetSortSQL() below returns the pair for the active sort and $sql concatenates both
// fragments verbatim, so these must remain literals.
$qro->AddTitle(gettext("Signature"), "sig_a", " ", " ORDER BY plugin_id ASC,plugin_sid", "sig_d", " ", " ORDER BY plugin_id DESC,plugin_sid");
//if ($db->baseGetDBversion() >= 103) $qro->AddTitle(gettext("Classification"), "class_a", ", MIN(sig_class_id) ", " ORDER BY sig_class_id ASC ", "class_d", ", MIN(sig_class_id) ", " ORDER BY sig_class_id DESC ");
$qro->AddTitle(gettext("Total") . "&nbsp;#", "occur_a", " ", " ORDER BY sig_cnt ASC", "occur_d", " ", " ORDER BY sig_cnt DESC");
$qro->AddTitle(gettext("Sensor") . "&nbsp;#");
// NOTE(review): the saddr/daddr/first/last sort fragments re-select columns under the same
// aliases the base $sql below already defines (saddr_cnt, daddr_cnt, first_timestamp,
// last_timestamp); verify the duplicated alias does not make the ORDER BY ambiguous.
$qro->AddTitle(_("Src. Addr."), "saddr_a", ", count(DISTINCT ip_src) AS saddr_cnt ", " ORDER BY saddr_cnt ASC", "saddr_d", ", count(DISTINCT ip_src) AS saddr_cnt ", " ORDER BY saddr_cnt DESC");
$qro->AddTitle(_("Dst. Addr."), "daddr_a", ", count(DISTINCT ip_dst) AS daddr_cnt ", " ORDER BY daddr_cnt ASC", "daddr_d", ", count(DISTINCT ip_dst) AS daddr_cnt ", " ORDER BY daddr_cnt DESC");
$qro->AddTitle(_("First") . " " . Util::timezone($tz), "first_a", ", min(timestamp) AS first_timestamp ", " ORDER BY first_timestamp ASC", "first_d", ", min(timestamp) AS first_timestamp ", " ORDER BY first_timestamp DESC");
if ($show_previous_alert == 1) {
    $qro->AddTitle("Previous");
}
$qro->AddTitle(_("Last") . " " . Util::timezone($tz), "last_a", ", max(timestamp) AS last_timestamp ", " ORDER BY last_timestamp ASC", "last_d", ", max(timestamp) AS last_timestamp ", " ORDER BY last_timestamp DESC");
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());
/* mstone 20050309 add sig_name to GROUP BY & query so it can be used in postgres ORDER BY */
/* mstone 20050405 add sid & ip counts */
//$sql = "SELECT DISTINCT signature, count(signature) as sig_cnt, " . "min(timestamp), max(timestamp), sig_name, count(DISTINCT(acid_event.sid)), count(DISTINCT(ip_src)), count(DISTINCT(ip_dst)), sig_class_id " . $sort_sql[0] . $from . $where . " GROUP BY signature, sig_name, sig_class_id " . $sort_sql[1];
// Main aggregation query, assembled by concatenation: $sort_sql[0] adds the per-sort SELECT
// columns, $from/$where are the FROM and WHERE clauses built from the query state outside
// this block, $sort_sql[1] the ORDER BY. Nothing is parameterised, so every value folded
// into $where must have been validated where it was read — NOTE(review): confirm in the
// criteria builder.
$sql = "SELECT DISTINCT acid_event.plugin_id, acid_event.plugin_sid, count(acid_event.plugin_sid) as sig_cnt, " . "min(timestamp) as first_timestamp, max(timestamp) as last_timestamp, count(DISTINCT(acid_event.sid)) as sid_cnt, count(DISTINCT(ip_src)) as saddr_cnt, count(DISTINCT(ip_dst)) as daddr_cnt " . $sort_sql[0] . $from . $where . " GROUP BY plugin_id, plugin_sid " . $sort_sql[1];
//echo $sql."<br>";
// use accumulate tables only with timestamp criteria
if ($use_ac) {
    $where = $more = $sqla = $sqlb = $sqlc = "";
    if (preg_match("/timestamp/", $criteria_clauses[1])) {
        $where = "AND " . str_replace("timestamp", "day", $criteria_clauses[1]);
        $sqla = " and ac_alerts_signature.day=ac_alerts_sid.day";
        $sqlb = " and ac_alerts_signature.day=ac_alerts_ipsrc.day";
        $sqlc = " and ac_alerts_signature.day=ac_alerts_ipdst.day";
    }
コード例 #7
ファイル: vars_session.php プロジェクト: jhbsz/ossimTest
    $alert_user = $_SESSION["server"][2];
    $alert_password = $_SESSION["server"][3];
    $alert_dbname = $_SESSION["server"][4];
    require_once "{$BASE_path}/includes/base_db.inc.php";
    $dbtest = NewBASEDBConnection($DBlib_path, $DBtype);
    $dbtest->DB = NewADOConnection();
    error_reporting(E_ERROR | E_PARSE);
    if (!$dbtest->DB->PConnect($alert_port == "" ? $alert_host : $alert_host . ":" . $alert_port, $alert_user, $alert_password, $alert_dbname)) {
        unset($_SESSION['server']);
        echo "<br>&nbsp;<font style='font-family:arial;font-size:11px'><b>ERROR</b>: " . _("Unable to connect") . " " . $alert_dbname . " ({$alert_host}). Connection restored to local.";
        echo "<br>&nbsp;<a href='base_qry_main.php?clear_allcriteria=1&num_result_rows=-1&submit=Query+DB&current_view=-1&sort_order=time_d' style='font-family:arial;font-size:11px'><u>Click here to continue</u></a>";
        exit;
    }
    error_reporting(E_ALL ^ E_NOTICE);
}
// Base URL of this OSSIM installation.
$current_url = Util::get_ossim_url();

// Report-type identifiers for the SIEM report family. The same numbers key the
// $type map in csv.php, so the two lists must stay in sync.
$events_report_type                = 33;
$graph_report_type                 = 34;
$criteria_report_type              = 35;
$unique_events_report_type         = 36;
$unique_iplinks_report_type        = 37;
$sensors_report_type               = 38;
$unique_addr_report_type           = 40;
$src_port_report_type              = 42;
$dst_port_report_type              = 44;
$unique_plugins_report_type        = 46;
$unique_country_events_report_type = 48;

// Column id -> translated column heading. The ASSET label deliberately carries
// inline markup (an arrow image between S and D).
$current_cols_titles = [
    "SIGNATURE"              => _("Signature"),
    "DATE"                   => _("Date") . " " . Util::timezone($tz),
    "IP_PORTSRC"             => _("Source"),
    "IP_PORTDST"             => _("Dest."),
    "SENSOR"                 => _("Sensor"),
    "IP_SRC"                 => _("Src IP"),
    "IP_DST"                 => _("Dst IP"),
    "IP_SRC_FQDN"            => _("Src IP FQDN"),
    "IP_DST_FQDN"            => _("Dst IP FQDN"),
    "PORT_SRC"               => _("Src Port"),
    "PORT_DST"               => _("Dst Port"),
    "ASSET"                  => _("Asset &nbsp;<br>S<img src='images/arrow-000-small.gif' border=0 align=absmiddle>D"),
    "PRIORITY"               => _("Prio"),
    "RELIABILITY"            => _("Rel"),
    "RISK"                   => _("Risk"),
    "IP_PROTO"               => _("L4-proto"),
    "USERDATA1"              => _("Userdata1"),
    "USERDATA2"              => _("Userdata2"),
    "USERDATA3"              => _("Userdata3"),
    "USERDATA4"              => _("Userdata4"),
    "USERDATA5"              => _("Userdata5"),
    "USERDATA6"              => _("Userdata6"),
    "USERDATA7"              => _("Userdata7"),
    "USERDATA8"              => _("Userdata8"),
    "USERDATA9"              => _("Userdata9"),
    "USERNAME"               => _("Username"),
    "FILENAME"               => _("Filename"),
    "PASSWORD"               => _("Password"),
    "PAYLOAD"                => _("Payload"),
    "SID"                    => _("SID"),
    "CID"                    => _("CID"),
    "PLUGIN_ID"              => _("Data Source ID"),
    "PLUGIN_SID"             => _("Event Type ID"),
    "PLUGIN_DESC"            => _("Data Source Description"),
    "PLUGIN_NAME"            => _("Data Source Name"),
    "PLUGIN_SOURCE_TYPE"     => _("Source Type"),
    "PLUGIN_SID_CATEGORY"    => _("Category"),
    "PLUGIN_SID_SUBCATEGORY" => _("SubCategory"),
    'CONTEXT'                => _("Context"),
];

// Fixed widths for the columns that need them (print-style units).
$current_cols_widths = [
    "SIGNATURE"   => "45mm",
    "IP_PORTSRC"  => "25mm",
    "IP_PORTDST"  => "25mm",
    "ASSET"       => "12mm",
    "PRIORITY"    => "12mm",
    "RELIABILITY" => "12mm",
    "RISK"        => "12mm",
    "IP_PROTO"    => "10mm",
];

// Report title (translation key kept verbatim).
$siem_events_title = _("SIEM Events events");
コード例 #8
     $buffer .= "<td><b>";
     if ($view && $href_sim) {
         $buffer .= "<a class='greybox' href='{$href_sim}'>";
     }
     $buffer .= "{$risk}";
     if ($view && $href_sim) {
         $buffer .= "</a>";
     }
     $buffer .= "</b></td>";
 }
 $buffer .= "<td class='td_date' nowrap='nowrap'>";
 if ($view) {
     if ($event_date == $orig_date || $event_date == $date) {
         $buffer .= "<a class='greybox' href='" . Util::get_acid_date_link($date, $src_ip, "ip_src") . "'><font color='black'>{$date}</font></a>";
     } else {
         $buffer .= "\n\n\t\t\t\t\t\t\t<a class='greybox' href='" . Util::get_acid_date_link($date, $src_ip, "ip_src") . "'>\n\t\t\t\t\t\t\t  <font color='black'>{$date}</font>\n\t\t\t\t\t\t\t</a>\n\t\t\t\t\t\t\t<div style='display: none;'>\n                                <table class='t_white'>                           \n                                    <tr>\n                                        <td>" . _('Sensor date') . ":</td>\n                                        <td>{$event_date}</td>\n                                    </tr>\n                                    \n                                    <tr>\n                                        <td>" . _("Timezone") . ":</td>\n                                        <td>" . Util::timezone($alarm->get_tzone()) . "</td>\n                                    </tr>\n                                </table>\n                            </div>\t\t\n\t\t\t\t";
     }
 } else {
     $buffer .= "<span style='color:gray'>{$date}</span>";
 }
 $buffer .= "</td>";
 // Src
 if ($no_resolv || !$src_host) {
     $src_name = $src_ip;
     $ctx_src = $ctx;
 } elseif ($src_host) {
     $src_name = $src_host->get_name();
     $ctx_src = $src_host->get_ctx();
 }
 // Src icon and bold
 $src_output = Asset_host::get_extended_name($conn, $geoloc, $src_ip, $ctx_src, $event_info["src_host"], $event_info["src_net"]);
コード例 #9
ファイル: events_ajax.php プロジェクト: jhbsz/ossimTest
                </a>
				<span class="tooltip">
					<span class="top"></span>
					<span class="middle ne1 center">
						<b><?php 
            echo _("Sensor date");
            ?>
:</b><br><?php 
            echo $event_date;
            ?>
<br>
						<b><?php 
            echo _("Timezone");
            ?>
:</b> <?php 
            echo Util::timezone($alarm->get_tzone());
            ?>
<br>
					</span>
					<span class="bottom"></span>
				</span>
			</div>
          <?php 
        }
        ?>
        </td>

<?php 
        $src_link = "../report/host_report.php?host={$src_ip}";
        $src_title = _("Src Asset") . ": <b>{$asset_src}</b><br>" . _("IP") . ": <b>{$src_ip}</b>";
        $dst_link = "../report/host_report.php?host={$dst_ip}";
コード例 #10
	// 
}

arsort($countries);

// Not found
if (count($countries) == 0)
{
    echo "<tr><td><table class='transparent' style='width:100%'><tr><td colspan='5' style='padding:6px'><b>"._("No external IP addresses were found in the SIEM events")."</b></td></tr></table></td></tr>\n";
}
// Results
else
{
echo '<br/><TABLE class="table_list">';
echo      '<tr><th style="text-align:left" width="25%">Country</th>
               <th width="15%">' . gettext("Events") . "&nbsp;# <span class='idminfo' txt='".Util::timezone(Util::get_timezone())."'>(*)</span>". '</th>
               <th width="10%">' . gettext("Unique Src. #") . '</th>
               <th width="10%">' . gettext("Unique Dst. #") . '</th>
			   <th></th></TR>';
 
$max_cnt = 1;
$i = 0;
foreach ($countries as $country=>$num) { 
	if ($max_cnt == 1 && $num > 0) $max_cnt = $num;
	$data = $country_acc[$country];
	if ($data['srcnum']+$data['dstnum'] == 0) $entry_width = 0;
    else $entry_width = round($data['events'] / $max_cnt * 100);
	if ($data['code']=="") $data['code']="unknown";
	?>
	<tr>
		<td style="padding:7px;text-align:left"><?=$data['flag']." ".$country?></td>
コード例 #11
ファイル: process.php プロジェクト: jhbsz/ossimTest
         }
         if ($plugin == "") {
             $plugin = intval($matches[4]);
         }
         $_SESSION["_plugins"][$matches[4]] = $plugin;
     }
 }
 if ($htmlResult) {
     $red = 0;
     $color = "black";
 }
 // para coger
 $date = $matches[2];
 $event_date = $matches[2];
 $tzone = intval($matches[10]);
 $txtzone = Util::timezone($tzone);
 $event_date_uut = Util::get_utc_unixtime($conn, $event_date);
 // Special case: old events
 $eventhour = gmdate("H", $event_date_uut);
 $ctime = explode("/", $logfile);
 $storehour = $ctime[count($ctime) - 3];
 // hours
 $warning = $storehour - $eventhour != 0 ? "<a href='javascript:;' style='text-decoration:none' txt='" . _("Date may not be normalized") . "' class='scriptinfotxt'><img src='../pixmaps/warning.png' align='absmiddle' border='0' style='margin-left:3px;margin-right:3px'></a>" : "";
 // Event date timezone
 if ($tzone != 0) {
     $event_date = gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tzone);
 }
 // Apply user timezone
 if ($tz != 0) {
     $date = gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tz);
 }
コード例 #12
ファイル: base_qry_alert.php プロジェクト: jhbsz/ossimTest
       <BLOCKQUOTE>
       <TABLE BORDER=0 cellpadding=2 cellspacing=0 class="bborder" WIDTH="100%">
          <TR><TD CLASS="header3" WIDTH=50 ALIGN=CENTER ROWSPAN=4>Meta</TD>
              <TD>
                  <TABLE BORDER=0 CELLPADDING=4>
                    <TR><TD CLASS="header" >' . _("ID") . ' #</TD>
                        <TD CLASS="header" nowrap>' . _("Date") . " " . Util::timezone($tz) . '</TD>
                        ' . ($tzcell ? '<TD CLASS="header" nowrap>' . _("Event date") . '</TD>' : '') . '
                        <TD CLASS="header">' . _("Triggered Signature") . '</TD>
                        <TD CLASS="header" nowrap>' . _("Data Source Name") . '</TD>
                        <TD CLASS="header" nowrap>' . _("Data Source ID") . '</TD>
                        <TD CLASS="header" nowrap>' . _("Event Type ID") . '</TD>
						<TD></td></TR>
                    <TR><TD CLASS="plfield" nowrap>' . ($sid . " - " . $cid) . '</TD>
                        <TD CLASS="plfield" nowrap>' . htmlspecialchars($tzdate) . '</TD>
                        ' . ($tzcell ? '<TD CLASS="plfield" nowrap>' . $event_date . '<br>' . Util::timezone($tzone) . '</TD>' : '') . '
                        <TD CLASS="plfield">';
// Signature cell. The htmlspecialchars() / html_entity_decode() pair essentially
// round-trips to the original string, so the signature markup produced by
// BuildSigByPlugin() (which can itself contain anchor markup) is emitted as raw
// HTML here; it has to be trusted or escaped at its source, not in this file.
$htmlTriggeredSignature = html_entity_decode(htmlspecialchars(str_replace("##", "", BuildSigByPlugin($plugin_id, $plugin_sid, $db))));
// Rest of the meta row. $plugin_name, $plugin_id and $plugin_sid are written without
// escaping; the Rel/Prio edit link is omitted in minimal view. $_GET['minimal_view'] is
// read without an isset() guard, so a missing parameter emits an undefined-index notice.
echo $htmlTriggeredSignature . '</TD>
                        <TD CLASS="plfield">' . $plugin_name . '</TD>
                        <TD CLASS="plfield">' . $plugin_id . '</TD>
                        <TD CLASS="plfield">' . $plugin_sid . '</TD>
						' . ($_GET['minimal_view'] == "" ? '<TD CLASS="plfield"><a href="javascript:;" onclick="GB_show(\'' . _("Modify Rel/Prio") . '\',\'modify_relprio.php?id=' . $plugin_id . '&sid=' . $plugin_sid . '\',280,450)" class="greybox"><img src="../vulnmeter/images/pencil.png" border="0" alt="' . _("Modify Rel/Prio") . '" title="' . _("Modify Rel/Prio") . '"></a></td>' : '');
'<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0033" target="_blank"><img src="manage_references_icon.php?id=5" alt="cve" title="cve" border="0"></a> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5976" target="_blank"><img src="manage_references_icon.php?id=5" alt="cve" title="cve" border="0"></a> pads: New service detectedArray
';
//<--
$return;
foreach (explode('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', $htmlTriggeredSignature) as $key => $value) {
    if ($key != 0) {
        $posIni = strpos($value, "'");
        if ($posIni !== false) {
コード例 #13
ファイル: csv.php プロジェクト: jackpf/ossim-arc
// CSV export of a SIEM report. Both the forensics and the report-server permissions
// are required; logcheck() is expected to stop the request when either is missing.
require_once 'av_init.php';
Session::logcheck('analysis-menu', 'EventsForensics');
Session::logcheck('report-menu', 'ReportsReportServer');

// The report type comes from the request and must be purely numeric: it is used as an
// array key below and interpolated into SQL further down, so anything else is rejected
// with an error notification and the script stops.
$rtype = GET('rtype');
$pro = Session::is_pro();
ossim_valid($rtype, OSS_DIGIT, 'illegal:' . _('Report type'));
if (ossim_error()) {
    $nt = new Notification('nt_1', [
        'content' => _("Invalid report type"),
        'options' => ['type' => 'nf_error', 'cancel_button' => FALSE],
        'style'   => 'margin: 20px auto; width: 80%; text-align: center;',
    ]);
    $nt->show();
    exit;
}
$addr_type = intval(GET('addr_type'));

// Report type id -> base name of the downloaded file.
$type = [
    "33" => "Events",
    "38" => "Sensors",
    "36" => "Unique_Events",
    "46" => "Unique_Plugins",
    "40" => "Unique_Addresses",
    "42" => "Source_Port",
    "44" => "Destination_Port",
    "37" => "Unique_IP_links",
    "48" => "Unique_Country_Events",
];

$tz = Util::get_timezone();

// Column id -> CSV header label.
$current_cols_titles = [
    "SIGNATURE"              => _("Signature"),
    "ENTITY"                 => _("Context"),
    "DATE"                   => _("Date") . " " . Util::timezone($tz),
    "IP_PORTSRC"             => _("Source"),
    "IP_PORTDST"             => _("Destination"),
    "SENSOR"                 => _("Sensor"),
    "OTX"                    => _("OTX"),
    "IP_SRC"                 => _("Src IP"),
    "IP_DST"                 => _("Dst IP"),
    "IP_SRC_FQDN"            => _("Src IP FQDN"),
    "IP_DST_FQDN"            => _("Dst IP FQDN"),
    "PORT_SRC"               => _("Src Port"),
    "PORT_DST"               => _("Dst Port"),
    "ASSET"                  => _("Asset S->D"),
    "PRIORITY"               => _("Prio"),
    "RELIABILITY"            => _("Rel"),
    "RISK"                   => _("Risk"),
    "IP_PROTO"               => _("L4-proto"),
    "USERDATA1"              => _("Userdata1"),
    "USERDATA2"              => _("Userdata2"),
    "USERDATA3"              => _("Userdata3"),
    "USERDATA4"              => _("Userdata4"),
    "USERDATA5"              => _("Userdata5"),
    "USERDATA6"              => _("Userdata6"),
    "USERDATA7"              => _("Userdata7"),
    "USERDATA8"              => _("Userdata8"),
    "USERDATA9"              => _("Userdata9"),
    "USERNAME"               => _("Username"),
    "FILENAME"               => _("Filename"),
    "PASSWORD"               => _("Password"),
    "PAYLOAD"                => _("Payload"),
    "PLUGIN_ID"              => _("Data Source ID"),
    "PLUGIN_SID"             => _("Event Type ID"),
    "PLUGIN_DESC"            => _("Data Source Description"),
    "PLUGIN_NAME"            => _("Data Source Name"),
    "PLUGIN_SOURCE_TYPE"     => _("Source Type"),
    "PLUGIN_SID_CATEGORY"    => _("Category"),
    "PLUGIN_SID_SUBCATEGORY" => _("SubCategory"),
    'SRC_USERDOMAIN'         => _("IDM User@Domain Src IP"),
    'DST_USERDOMAIN'         => _("IDM User@Domain Dst IP"),
    'SRC_HOSTNAME'           => _("IDM Source"),
    'DST_HOSTNAME'           => _("IDM Destination"),
    'SRC_MAC'                => _("IDM MAC Src IP"),
    'DST_MAC'                => _("IDM MAC Dst IP"),
    'REP_PRIO_SRC'           => _("Rep Src IP Prio"),
    'REP_PRIO_DST'           => _("Rep Dst IP Prio"),
    'REP_REL_SRC'            => _("Rep Src IP Rel"),
    'REP_REL_DST'            => _("Rep Dst IP Rel"),
    'REP_ACT_SRC'            => _("Rep Src IP Act"),
    'REP_ACT_DST'            => _("Rep Dst IP Act"),
    'DEVICE'                 => _("Device IP"),
];

$user      = $_SESSION["_user"];
$path_conf = $GLOBALS["CONF"];

/* database connect */
$db     = new ossim_db(true);
$conn   = $db->connect();
$config = new User_config($conn);

// Column layout to export: the user's saved custom view if there is one, otherwise the
// IDM view when IDM is enabled, otherwise the default. $login and $idm_enabled are not
// set in this block — presumably provided by av_init.php; confirm.
$saved_view = $config->get($login, 'custom_view_default', 'php', "siem");
if ($saved_view != "") {
    $default_view = $saved_view;
} elseif ($idm_enabled) {
    $default_view = 'IDM';
} else {
    $default_view = 'default';
}

// Download file name: <report>_<user>_<date>.csv. The session user name goes into the
// file name as-is.
$output_name = $type[$rtype] . "_" . $user . "_" . date("Y-m-d", time()) . ".csv";
$csv_header  = "";
$csv_body    = "";
$var_data    = Session::show_entities() ? "Context" : "Sensor";
if ($type[$rtype] == "Events") {
    $sql = "SELECT dataV1, dataV2, dataV11, dataV3, dataV5, dataV10, cell_data\n            FROM datawarehouse.report_data WHERE id_report_data_type={$rtype} and user='******'";
    if ($_SESSION['current_cview'] != $default_view) {
コード例 #14
ファイル: base_qry_sqlcalls.php プロジェクト: jhbsz/ossimTest
 // 4- Timestamp
 //qroPrintEntry($myrow["timestamp"], "center");
 $tzone = $myrow['tzone'];
 $event_date = $myrow['timestamp'];
 $tzdate = $event_date;
 $event_date_uut = get_utc_unixtime($db, $event_date);
 // Event date timezone
 if ($tzone != 0) {
     $event_date = gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tzone);
 }
 // Apply user timezone
 if ($tz != 0) {
     $tzdate = gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tz);
 }
 $cell_data['DATE'] = $tzdate;
 $cell_tooltip['DATE'] = $event_date == $myrow['timestamp'] || $event_date == $tzdate ? "" : _("Event date") . ": " . htmlspecialchars("<b>" . $event_date . "</b><br>" . _("Timezone") . ": <b>" . Util::timezone($tzone) . "</b>");
 $cell_pdfdata['DATE'] = str_replace(" ", "<br>", $tzdate);
 $cell_align['DATE'] = "center";
 $cell_more['DATE'] = "nowrap";
 //$tmp_iplookup = 'base_qry_main.php?sig%5B0%5D=%3D' . '&amp;num_result_rows=-1' . '&amp;time%5B0%5D%5B0%5D=+&amp;time%5B0%5D%5B1%5D=+' . '&amp;submit=' . gettext("Query+DB") . '&amp;current_view=-1&amp;ip_addr_cnt=2';
 /* TCP or UDP show the associated port #
    if ( ($current_proto == TCP) || ($current_proto == UDP) )
    $result4 = $db->baseExecute("SELECT layer4_sport, layer4_dport FROM acid_event ".
    "WHERE sid='".$myrow[0]."' AND cid='".$myrow[1]."'");
    
    if ( ($current_proto == TCP) || ($current_proto == UDP) )
    {
    $myrow4 = $result4->baseFetchRow();
    
    if ( $myrow4[0] != "" )  $current_sport = ":".$myrow4[0];
    if ( $myrow4[1] != "" )  $current_dport = ":".$myrow4[1];
コード例 #15
* along with this package; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston,
* MA  02110-1301  USA
*
*
* On Debian GNU/Linux systems, the complete text of the GNU General
* Public License can be found in `/usr/share/common-licenses/GPL-2'.
*
* Otherwise you can read it here: http://www.gnu.org/licenses/gpl-2.0.txt
*
*/
require 'general.php';
if (Session::menu_perms("analysis-menu", "EventsForensics")) {
    //Timezone
    $tz = Util::get_timezone();
    $text_tz = Util::timezone($tz);
    $htmlPdfReport->pageBreak();
    $htmlPdfReport->setBookmark($title);
    $htmlPdfReport->set($htmlPdfReport->newTitle($title, $date_from, $date_to, null));
    $htmlPdfReport->set("\n<br/><br/>\n");
    $db = new ossim_db();
    $conn = $db->connect();
    $conn->SetFetchMode(ADODB_FETCH_ASSOC);
    $rs = $conn->Execute($query, $params);
    if (!$rs) {
        $htmlPdfReport->set("<table class='w100' cellpadding='0' cellspacing='0'>\n                                <tr><td class='w100' align='center' valign='top'>" . _("No data available") . "</td></tr>\n                             </table>\n");
    } else {
        // Plugins
        $htmlPdfReport->set("<table style='width: 193mm;' cellpadding='0' cellspacing='0'>\n                                <tr><th style='width: 193mm;' align='center'>" . _("SIEM Unique Plugins") . "</th></tr>\n                              </table><br/>\n");
        $htmlPdfReport->set("<table style='width: 193mm; margin:auto;' cellpadding='0' cellspacing='2'>");
        //Headers
コード例 #16
// Timezone badge: the label is the timezone name, the tooltip a flag image named after
// it. Only the image path is URL-encoded; the label itself is emitted unescaped.
$txtzone = "<a href=\"javascript:;\" class=\"scriptinfoimg\" txt=\"<img src='../pixmaps/timezones/" . rawurlencode(Util::timezone($tz)) . ".png' border=0>\">" . Util::timezone($tz) . "</a>";
// Taxonomy (category / sub-category) of the triggered event type.
list($cat, $subcat) = GetCategorySubCategory($plugin_id, $plugin_sid, $db);
// "Normalized Event" detail tables. Escaping is uneven inside this literal: $tzdate and
// the sensor cell go through htmlspecialchars(), while $event_date, the event timezone,
// $myrow4["interface"] and the $plugin_id/$plugin_sid used in the id attribute are
// written as-is. The sensor cell uses @inet_ntop() to swallow the warning on a malformed
// stored address and falls back to "Unknown"; the whole ternary is what gets escaped.
// NOTE(review): the unescaped values appear to come from database rows — confirm they
// cannot carry markup.
echo '
       <div class="siem_detail_table">
          <div class="siem_detail_section">Normalized<br>Event</div>
          <div class="siem_detail_content">
                  <TABLE class="table_list">
                    <TR>
                        <th>' . _("Date") . '</th>
                        ' . ($tzcell ? '<th>' . _("Event date") . '</th>' : '') . '
                        <th>' . gettext("Alienvault Sensor") . '</th>
                        <th>' . gettext("Interface") . '</th>
					</TR>
                    <TR>
                        <TD> ' . htmlspecialchars($tzdate) . " " . $txtzone . '</TD>
                        ' . ($tzcell ? '<TD nowrap>' . $event_date . ' ' . Util::timezone($tzone) . '</TD>' : '') . '
                       <TD>' . htmlspecialchars(@inet_ntop($myrow4["ip"]) ? $myrow4["name"] . " [" . inet_ntop($myrow4["ip"]) . "]" : _("Unknown")) . '</TD>
                       <TD>' . ($myrow4["interface"] == "" ? "&nbsp;<I>-</I>&nbsp;" : $myrow4["interface"]) . '</TD>
					</TR>
				  </TABLE>
                  <br/>
                  <TABLE class="table_list">
                    <TR>
                        <th>' . _("Triggered Signature") . '</th>
                        <th>' . _("Event Type ID") . '</th>
                        <th>' . _("Category") . '</th>
                        <th>' . _("Sub-Category") . '</th>
					</TR>
                    <TR>
                        <TD><a href="javascript:;" class="trlnka" id="' . $plugin_id . ';' . $plugin_sid . '">';
// Signature text with the "##" markers stripped; it is not escaped in this block.
$htmlTriggeredSignature = str_replace("##", "", BuildSigByPlugin($plugin_id, $plugin_sid, $db));
コード例 #17
// Apply the submitted query-state action for the sensor statistics page and time it.
$qs->RunAction($submit, PAGE_STAT_SENSOR, $db);
$et->Mark("Alert Action");

// Number of distinct sensors matching the criteria (no LIMIT). $from and $where are
// clause fragments assembled from the query state outside this block and concatenated
// here unparameterised, so the criteria builder is responsible for validating what it
// puts into them. The count is skipped when the accumulated tables are in use.
$cnt_sql = "SELECT count(DISTINCT acid_event.device_id) {$from}{$where}";
if (!$use_ac) {
    $qs->GetNumResultRows($cnt_sql, $db);
}
$et->Mark("Counting Result size");

// Results table. Sortable columns take (title, asc key, asc SELECT fragment,
// asc ORDER BY, desc key, desc SELECT fragment, desc ORDER BY).
$qro = new QueryResultsOutput("base_stat_sensor.php?caller={$caller}");
$qro->AddTitle(" ");
$qro->AddTitle(gettext("Sensor"), "sid_a", " ", " ORDER BY acid_event.device_id ASC", "sid_d", " ", " ORDER BY acid_event.device_id DESC");
$qro->AddTitle(gettext("Name"), "", " ", " ", "", " ", " ");
$qro->AddTitle(gettext("Device IP"), "", " ", " ", "", " ", " ");

// The "(*)" tooltip tells the user which timezone the counts are expressed in: the
// user's timezone for live queries, UTC when the accumulated tables are used.
if ($use_ac) {
    $sensor_tz_hint = _("Time UTC");
} else {
    $sensor_tz_hint = Util::timezone($tz);
}
$events_title = _("Events") . "&nbsp;# <span class='idminfo' txt='{$sensor_tz_hint}'>(*)</span>";
$qro->AddTitle($events_title, "occur_a", " ", "  ORDER BY event_cnt ASC", "occur_d", " ", "  ORDER BY event_cnt DESC");

// The three unique-count columns are display-only (earlier revisions carried
// sig_a/saddr_a/daddr_a sort keys for them).
foreach ([gettext("Unique Events"), gettext("Unique Src."), gettext("Unique Dst.")] as $plain_title) {
    $qro->AddTitle($plain_title, "", "", "", "", "", "");
}
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), "");
if ($complete) {
    // incude all fields for pdf/csv reports
    $sql2 = $sql = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntop(sensor.ip) AS sensor_ip, inet6_ntop(device.device_ip) AS device_ip, device.interface, count(acid_event.id) as event_cnt, count(distinct acid_event.plugin_id, acid_event.plugin_sid) as sig_cnt, count(distinct(acid_event.ip_src)) as saddr_cnt, count(distinct(acid_event.ip_dst)) as daddr_cnt" . $sort_sql[0] . $from1 . $where1 . " AND device.id=acid_event.device_id GROUP BY acid_event.device_id" . $sort_sql[1];
} else {
    $sql = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntop(sensor.ip) AS sensor_ip, inet6_ntop(device.device_ip) AS device_ip, device.interface, {$counter} " . $sort_sql[0] . $from . $where . " AND device.id=acid_event.device_id GROUP BY acid_event.device_id HAVING event_cnt>0 " . $sort_sql[1];
コード例 #18
ファイル: base_qry_alert.php プロジェクト: alienfault/ossim
</a></li>
                <li><a href="#" onclick="learn_more();return false" id="kdb_docs"><?php 
    echo _('Learn More');
    ?>
</a></li>
            </ul>
        </div>
    </div>
</div>
<?php 
    // In graybox external minimal view (no pagging)
} elseif (!array_key_exists("noback", $_GET)) {
    $back = str_replace(_('Security Events'), _('Back'), $back);
    echo "<div align='center'>{$back}</div><br/>";
}
// Timezone badge: the visible label is the timezone name; the tooltip is a flag image
// whose file name is derived from that name (URL-encoded for the path only).
$tz_label = Util::timezone($tz);
$txtzone = "<a href=\"javascript:;\" class=\"tzoneimg\" txt=\"<img src='../pixmaps/timezones/" . rawurlencode($tz_label) . ".png' width='400' height='205' border=0>\">{$tz_label}</a>";

// Taxonomy (category / sub-category) of the triggered event type.
list($cat, $subcat) = GetCategorySubCategory($plugin_id, $plugin_sid, $db);

// Risk shown for the event: the larger of the two risk values.
$ossim_risk = $ossim_risk_c;
if ($ossim_risk_c < $ossim_risk_a) {
    $ossim_risk = $ossim_risk_a;
}

// L4 protocol name, with a translated "UNKNOWN" when the number is not recognised.
$p_name = Protocol::get_protocol_by_number($ip_proto, TRUE);
if ($p_name === FALSE) {
    $p_name = _('UNKNOWN');
}

// Link template for OTX details. __CLASS__, __TOOLTIP__ and __VALUE__ are literal
// placeholders (single-quoted, so __CLASS__ is not the magic constant) left for later
// substitution; __EVENTID__ in the detail URL is replaced with $eid right here. $eid
// lands inside a JS string in the onclick handler with no escaping — NOTE(review):
// confirm it is a validated event id before it reaches this point.
$otx_link = sprintf(
    '<a class="trlnk __CLASS__" href="#" txt="__TOOLTIP__" onclick="GB_show(\'%s\',\'%s\',500,\'80%%\');return false">__VALUE__</a>',
    _("OTX Details"),
    str_replace('__EVENTID__', $eid, $otx_detail_url)
);
?>

<script type="text/javascript" src="../js/utils.js"></script>
<script type="text/javascript" src="../js/av_map.js.php"></script>
<script type="text/javascript" src="../js/notification.js"></script>
<?php 
コード例 #19
ファイル: base_stat_ptypes.php プロジェクト: jackpf/ossim-arc
}
}*/
/* Count the distinct plugin ids matching the current criteria (no LIMIT) so the
 * query state can paginate. $fromcnt and $where are built earlier in this file;
 * this block only concatenates them, so any validation of user-driven criteria
 * must already have happened where they were assembled. */
$cnt_sql = "SELECT count(DISTINCT acid_event.plugin_id) " . $fromcnt . $where;
$qs->GetNumResultRows($cnt_sql, $db);
if ($debug_time_mode >= 1) {
    $et->Mark("Counting Result size");
}

/* Column headers of the results table; only the event count is sortable.
 * $caller is appended to the page URL as-is (assumed validated where it is read). */
$qro = new QueryResultsOutput("base_stat_ptypes.php?caller=" . $caller);
$qro->AddTitle(gettext("Product Type"));
$events_title = _("Events") . "&nbsp;# <span class='idminfo' txt='" . Util::timezone($tz) . "'>(*)</span>";
$qro->AddTitle($events_title, "occur_a", " ", " ORDER BY events ASC, product_type DESC", "occur_d", ", ", " ORDER BY events DESC, product_type DESC");
$qro->AddTitle(Session::show_entities() ? gettext("Context") : gettext("Sensor"));
$qro->AddTitle(gettext("Last Event"));
$qro->AddTitle(gettext("Date") . " " . Util::timezone($tz));
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());

/* Main query: one row per product type, grouped by context (entity mode) or by
 * device. The session query is a template for the per-row "last event" lookup;
 * PLUGIN_ID and DID are presumably substituted by whoever runs it later. */
if (Session::show_entities()) {
    $sql = "SELECT plugin.product_type,hex(acid_event.ctx) as ctx, {$counter} "
        . $fromcnt
        . ",alienvault.plugin "
        . $where
        . " AND plugin.id=acid_event.plugin_id\n            GROUP BY plugin.product_type,ctx "
        . $sort_sql[1];
    $_SESSION['_siem_plugins_query'] = "SELECT plugin_sid.name as sig_name,timestamp\n                                        {$fromplg}, alienvault.plugin "
        . $where
        . " AND acid_event.plugin_id=plugin.id AND plugin.product_type=PLUGIN_ID AND acid_event.ctx=UNHEX('DID')\n                                        ORDER BY timestamp DESC LIMIT 1";
} else {
    $sql = "SELECT plugin.product_type, device_id as ctx, {$counter} "
        . $fromcnt
        . ",device,alienvault.plugin "
        . $where
        . " AND device.id=acid_event.device_id AND plugin.id=acid_event.plugin_id\n            GROUP BY plugin.product_type,device_id "
        . $sort_sql[1];
    $_SESSION['_siem_plugins_query'] = "SELECT plugin_sid.name as sig_name,timestamp\n                                        {$fromplg}, alienvault.plugin "
        . $where
        . " AND acid_event.plugin_id=plugin.id AND plugin.product_type=PLUGIN_ID AND acid_event.device_id=DID\n                                        ORDER BY timestamp DESC LIMIT 1";
}

/* Debug hook: when /tmp/debug_siem exists, append the generated SQL to /tmp/siem.
 * NOTE(review): fixed, predictable path in a world-writable directory, and the
 * full query text (including the WHERE clause) lands in it -- treat this toggle
 * as development-only. */
if (file_exists('/tmp/debug_siem')) {
    $debug_line = "STATS PTYPES:{$sql}\n" . $_SESSION['_siem_plugins_query'] . "\n";
    file_put_contents("/tmp/siem", $debug_line, FILE_APPEND);
}
/* Run the Query again for the actual data (with the LIMIT) */
コード例 #20
ファイル: details.php プロジェクト: jackpf/ossim-arc
function DisplayProcessing()
{
    global $self;
    global $ListNOption;
    global $TopNOption;
    global $OutputFormatOption;
    global $IPStatOption;
    global $IPStatOrder;
    global $LimitScale;
    require_once 'av_init.php';
    $geoloc = new Geolocation("/usr/share/geoip/GeoLiteCity.dat");
    $db_aux = new ossim_db();
    $conn_aux = $db_aux->connect();
    $aux_ri_interfaces = Remote_interface::get_list($conn_aux, "WHERE status = 1");
    $ri_list = $aux_ri_interfaces[0];
    $ri_total = $aux_ri_interfaces[1];
    $ri_data = array();
    if ($ri_total > 0) {
        foreach ($ri_list as $r_interface) {
            $ri_data[] = array("name" => $r_interface->get_name(), "id" => "web_interfaces", "target" => "_blank", "url" => $r_interface->get_ip());
        }
    }
    $type = $detail_opts['type'] == "flows" ? 0 : ($detail_opts['type'] == "packets" ? 1 : 2);
    if ($ri_total >= 0) {
        echo '<a name="processing"></a>';
    }
    $detail_opts = $_SESSION['detail_opts'];
    $process_form = $_SESSION['process_form'];
    ?>
    <table style='width:100%;margin-top:15px;margin-bottom:5px;border:none'><tr>
    <td class='nobborder'><b><?php 
    echo _("Netflow Processing");
    ?>
</b></td>
    <td class='noborder nfsen_menu'>
        <a href='javascript:lastsessions()'><?php 
    echo _("List last 500 sessions");
    ?>
</a> |
        &nbsp;<a href='javascript:launch("2","<?php 
    echo $type;
    ?>
")'><?php 
    echo _("Top 10 Src IPs");
    ?>
</a> |
        &nbsp;<a href='javascript:launch("3","<?php 
    echo $type;
    ?>
")'><?php 
    echo _("Top 10 Dst IPs");
    ?>
</a> |
        &nbsp;<a href='javascript:launch("5","<?php 
    echo $type;
    ?>
")'><?php 
    echo _("Top 10 Src Port");
    ?>
</a> |
        &nbsp;<a href='javascript:launch("6","<?php 
    echo $type;
    ?>
")'><?php 
    echo _("Top 10 Dst Port");
    ?>
</a> |
        &nbsp;<a href='javascript:launch("13","<?php 
    echo $type;
    ?>
")'><?php 
    echo _("Top 10 Proto");
    ?>
</a>
    </td></tr></table>


<form action="<?php 
    echo $self;
    ?>
" onSubmit="return ValidateProcessForm()" id="FlowProcessingForm" method="POST" laction="<?php 
    echo $self;
    ?>
">
<?php 
    if (preg_match("/^\\d+\$/", $_SESSION['tend'])) {
        ?>
    <input type="hidden" name="tend" value="<?php 
        echo intval($_SESSION['tend']);
        ?>
" />
<?php 
    }
    if (preg_match("/^\\d+\$/", $_SESSION['tleft'])) {
        ?>
    <input type="hidden" name="tleft" value="<?php 
        echo intval($_SESSION['tleft']);
        ?>
" />
<?php 
    }
    if (preg_match("/^\\d+\$/", $_SESSION['tright'])) {
        ?>
    <input type="hidden" name="tright" value="<?php 
        echo intval($_SESSION['tright']);
        ?>
" />
<?php 
    }
    if ($_SESSION["detail_opts"]["cursor_mode"] != "") {
        ?>
    <input type="hidden" name="cursor_mode" value="<?php 
        echo Util::htmlentities($_SESSION["detail_opts"]["cursor_mode"]);
        ?>
" />
<?php 
    }
    if ($_SESSION["detail_opts"]["wsize"] != "") {
        ?>
    <input type="hidden" name="wsize" value="<?php 
        echo Util::htmlentities($_SESSION["detail_opts"]["wsize"]);
        ?>
" />
<?php 
    }
    if ($_SESSION["detail_opts"]["logscale"] != "") {
        ?>
    <input type="hidden" name="logscale" value="<?php 
        echo Util::htmlentities($_SESSION["detail_opts"]["logscale"]);
        ?>
" />
<?php 
    }
    if ($_SESSION["detail_opts"]["linegraph"] != "") {
        ?>
    <input type="hidden" name="linegraph" value="<?php 
        echo Util::htmlentities($_SESSION["detail_opts"]["linegraph"]);
        ?>
" />
<?php 
    }
    ?>
<input type="hidden" name="login" value="<?php 
    echo Util::htmlentities($_SESSION["_remote_login"]);
    ?>
" />
<table class='nfsen_filters'>
	<tr>
		<th class="thold"><?php 
    echo _("Source");
    ?>
</th>
		<th class="thold"><?php 
    echo _("Filter");
    ?>
</th>
		<th class="thold"><?php 
    echo _("Options");
    ?>
</th>
	</tr>

	<tr>
		<td style='vertical-align:top'>
			<select name="srcselector[]" id='SourceSelector' size="6" style="width: 100%" multiple='multiple'>
			<?php 
    foreach ($process_form['srcselector'] as $selected_channel) {
        $_tmp[$selected_channel] = 1;
    }
    $i = 0;
    foreach ($_SESSION['profileinfo']['channel'] as $channel) {
        $channel_name = $channel['name'];
        $checked = array_key_exists($channel['id'], $_tmp) ? 'selected' : '';
        echo "<OPTION value='" . Util::htmlentities($channel['id']) . "' {$checked}>{$channel_name}</OPTION>\n";
    }
    ?>
			</select>
			<div style='margin: 5px auto'>
				<input class="small av_b_secondary" type="button" name="JSbutton2" value="All Sources" onClick="SelectAllSources()"/>
			</div>
		</td>
	
		<td style="vertical-align:top;">
			<textarea name="filter" id="filter" multiline="true" wrap="phisical" rows="6" cols="50" maxlength="10240"><?php 
    if (is_array($process_form)) {
        $display_filter = array_key_exists('editfilter', $process_form) ? $process_form['editfilter'] : $process_form['filter'];
    } else {
        $display_filter = array();
    }
    if (count($display_filter) < 1 && GET('ip') != "" && GET('ip2') != "") {
        $display_filter[0] = "(src ip " . GET('ip') . " and dst ip " . GET('ip2') . ") or (src ip " . GET('ip2') . " and dst ip " . GET('ip') . ")";
    } elseif (count($display_filter) < 1 && GET('ip') != "") {
        $display_filter[0] = "src ip " . GET('ip') . " or dst ip " . GET('ip');
    } elseif (preg_match("/(\\d+\\.\\d+\\.\\d+\\.\\d+)/", $display_filter[0]) && GET('ip') != "" && GET('ip2') != "") {
        $ip1 = GET('ip');
        $ip2 = GET('ip2');
        $filter = "(src ip {$ip1} and dst ip {$ip2}) or (src ip {$ip2} and dst ip {$ip1})";
        $display_filter[0] = preg_replace("/\\(src ip \\d+\\.\\d+\\.\\d+\\.\\d+ and dst ip \\d+\\.\\d+\\.\\d+\\.\\d+\\) or \\(src ip \\d+\\.\\d+\\.\\d+\\.\\d+ and dst ip \\d+\\.\\d+\\.\\d+\\.\\d+\\)/", $filter, $display_filter[0]);
        $display_filter[0] = preg_replace("/src ip \\d+\\.\\d+\\.\\d+\\.\\d+ or dst ip \\d+\\.\\d+\\.\\d+\\.\\d+/", $filter, $display_filter[0]);
    } elseif (preg_match("/(\\d+\\.\\d+\\.\\d+\\.\\d+)/", $display_filter[0]) && GET('ip') != "") {
        $filter = "src ip " . GET('ip') . " or dst ip " . GET('ip');
        $display_filter[0] = preg_replace("/\\(src ip \\d+\\.\\d+\\.\\d+\\.\\d+ and dst ip \\d+\\.\\d+\\.\\d+\\.\\d+\\) or \\(src ip \\d+\\.\\d+\\.\\d+\\.\\d+ and dst ip \\d+\\.\\d+\\.\\d+\\.\\d+\\)/", $filter, $display_filter[0]);
        $display_filter[0] = preg_replace("/src ip \\d+\\.\\d+\\.\\d+\\.\\d+ or dst ip \\d+\\.\\d+\\.\\d+\\.\\d+/", $filter, $display_filter[0]);
    }
    foreach ($display_filter as $line) {
        print str_replace("&amp;", "&", Util::htmlentities(stripslashes($line))) . "\n";
    }
    ?>
</textarea>
			<?php 
    $deletefilter_display_style = is_array($process_form) && array_key_exists('editfilter', $process_form) ? '' : 'style="display:none;"';
    ?>
			
			<input type="image" name="filter_delete" id="filter_delete" title="<?php 
    echo _("Delete filter");
    ?>
" align="right"
				onClick="HandleFilter(3)" value="" src="icons/trash.png" <?php 
    echo $deletefilter_display_style;
    ?>
>
			<!-- <input type="image" name="filter_save" id="filter_save" title="Save filter" align="right"
				onClick="HandleFilter(2)" 
				value="" src="icons/save.png"> -->
			<input type="hidden" name="filter_name" id="filter_name" value="none">
			<div style='margin: 5px auto'>
				<span id="filter_span">and</span>
				<select name="DefaultFilter" id="DefaultFilter" onChange="HandleFilter(0)" size="1">
				<?php 
    print "<option value='-1' label='none'>&lt;none&gt;</option>\n";
    foreach ($_SESSION['DefaultFilters'] as $name) {
        $checked = $process_form['DefaultFilter'] == $name ? 'selected' : '';
        print "<option value='" . Util::htmlentities($name) . "' {$checked}>" . Util::htmlentities($name) . "</option>\n";
    }
    $editfilter_display_style = 'style="display:none;"';
    foreach ($_SESSION['DefaultFilters'] as $name) {
        if ($process_form['DefaultFilter'] == $name) {
            $editfilter_display_style = '';
        }
    }
    ?>
				</select>
				
				<input type="image" name="filter_save" id="filter_save" title="<?php 
    echo _("Save filter");
    ?>
"
					onClick="HandleFilter(2)" value="" src="icons/save.png" border="0" align="absmiddle"> 		
				
				<input type="image" name="filter_edit" id="filter_edit" title="Edit filter" <?php 
    echo $editfilter_display_style;
    ?>
					onClick="HandleFilter(1)" value="" src="icons/edit.png">
			</div>
			
			<script language="Javascript" type="text/javascript">
				var DefaultFilters = new Array();
				<?php 
    foreach ($_SESSION['DefaultFilters'] as $name) {
        print "DefaultFilters.push('" . Util::htmlentities($name) . "');\n";
    }
    if (array_key_exists('editfilter', $process_form)) {
        print "edit_filter = '" . Util::htmlentities($process_form['DefaultFilter']) . "';\n";
    }
    ?>
			</script>
		</td>
		<!-- Options start here -->
		<td style='padding: 0px;vertical-align:top;border:none;'>
			<table border="0" id="ProcessOptionTable" style="font-size:14px;font-weight:bold;width:100%;border:none">
				<tr>
					<td class='TDnfprocLabel' style='white-space:nowrap'>
					<?php 
    $i = 0;
    foreach (array('List Flows', 'Stat TopN') as $s) {
        $checked = $process_form['modeselect'] == $i ? 'checked' : '';
        print "<input type='radio' onClick='SwitchOptionTable({$i})' name='modeselect' id='modeselect{$i}' value='{$i}' {$checked}>{$s}&nbsp;";
        $i++;
    }
    $list_display_style = $process_form['modeselect'] == 0 ? '' : 'style="display:none;"';
    $stat_display_style = $process_form['modeselect'] == 0 ? 'style="display:none;"' : '';
    $formatselect_display_opts = $process_form['modeselect'] == 1 && $process_form['stattype'] != 0 ? 'style="display:none;"' : '';
    ?>
				   </td>
				   
				   <td class='TDnfprocControl' >
						<table class='noborder' style='margin: auto;'>
							<tr>
								<td class='nobborder'><input class="small av_b_secondary" type="button" name="JSbutton1" value="<?php 
    echo _("Clear Form");
    ?>
" onClick="ResetProcessingForm()"/></td>
								<td class='nobborder'><input class="small" type="submit" name="process" value="<?php 
    echo _("Process");
    ?>
" id="process_button" onClick="clean_remote_data();form_ok=true;" size="1"/></td>
								<?php 
    if (count($RemoteInterfacesData) > 0 && !isset($_POST['login'])) {
        ?>
									<td class='nobborder'><input type="button" name="remote_process" value="<?php 
        echo _("Remote Process");
        ?>
" id="remote_process_button" onclick="$('#rinterfaces').toggle()"/>
										<div id='container_rmp' style='position:relative;'>
											<div id="rinterfaces" style="position:absolute; top:0; right:0;display:none; margin:1px 0px 0px 2px; text-align:right;">
												<?php 
        foreach ($RemoteInterfacesData as $data) {
            $short_name = strlen($data['name']) > 12 ? substr($data['name'], 0, 12) . "..." : $data['name'];
            ?>
													<input type="button" onclick="remote_interface('<?php 
            echo $data["url"];
            ?>
')" style="width:180px; font-size: 11px;" title="<?php 
            echo $data["name"] . " [" . $data["url"] . "]";
            ?>
" value="<?php 
            echo $short_name . " [" . $data["url"] . "]";
            ?>
"/><br />
													<?php 
        }
        ?>
											</div>
										</div>
									</td>
									<?php 
    }
    ?>
							</tr>
						</table>
					</td>			
				</tr>
				
				<tr id="listNRow" <?php 
    echo $list_display_style;
    ?>
>
					<td class='TDnfprocLabel'><?php 
    echo _("Limit to");
    ?>
:</td>
					<td class='TDnfprocControl'>
						<select name="listN" id="listN" style="margin-left:1" size="1">
						<?php 
    for ($i = 0; $i < count($ListNOption); $i++) {
        $checked = $process_form['listN'] == $i ? 'selected' : '';
        print "<OPTION value='{$i}' {$checked}>" . $ListNOption[$i] . "</OPTION>\n";
    }
    ?>
						</select><?php 
    echo _("Flows");
    ?>
<br>
					</td>
				</tr>
				
				<tr id="topNRow" <?php 
    echo $stat_display_style;
    ?>
>
					<td class='TDnfprocLabel'><?php 
    echo _("Top");
    ?>
:</td>
					<td class='TDnfprocControl'> 
						<select name="topN" id="TopN" size="1">
							<?php 
    for ($i = 0; $i < count($TopNOption); $i++) {
        $checked = $process_form['topN'] == $i ? 'selected' : '';
        print "<OPTION value='{$i}' {$checked}>" . $TopNOption[$i] . "</OPTION>\n";
    }
    ?>
						</select>
					</td>
				</tr>
				
				<tr id="stattypeRow" <?php 
    echo $stat_display_style;
    ?>
>
					<td class="TDnfprocLabel"><?php 
    echo _("Stat");
    ?>
:</td>
					<td class="TDnfprocControl">
						<select name="stattype" id="StatTypeSelector" onChange="ShowHideOptions()" size="1">
						<?php 
    for ($i = 0; $i < count($IPStatOption); $i++) {
        $checked = $process_form['stattype'] == $i ? 'selected' : '';
        print "<OPTION value='{$i}' {$checked}>" . $IPStatOption[$i] . "</OPTION>\n";
    }
    ?>
						</select>
						order by&nbsp;
						<select name='statorder' id="statorder" size='1'>
						<?php 
    for ($i = 0; $i < count($IPStatOrder); $i++) {
        $checked = $process_form['statorder'] == $i ? 'selected' : '';
        print "<OPTION value='{$i}' {$checked}>" . $IPStatOrder[$i] . "</OPTION>\n";
    }
    ?>
						</select>					
					</td>
				</tr>
				
				<tr id="AggregateRow" <?php 
    echo $formatselect_display_opts;
    ?>
>
					<td class='TDnfprocLabel'><?php 
    echo _("Aggregate");
    ?>
</td>
					<td class='TDnfprocControl'>
						<input type="checkbox" name="aggr_bidir" id="aggr_bidir" value="checked" onClick="ToggleAggregate();"
							style="margin-left:1" <?php 
    echo Util::htmlentities($process_form['aggr_bidir']);
    ?>
>&nbsp;<?php 
    echo _("bi-directional");
    ?>
<br>
						<input type="checkbox" name="aggr_proto" id="aggr_proto" value="checked" 
							style="margin-left:1" <?php 
    echo Util::htmlentities($process_form['aggr_proto']);
    ?>
>&nbsp;<?php 
    echo _("proto");
    ?>
<br>
						<input type="checkbox" name="aggr_srcport" id="aggr_srcport" value="checked" 
							style="margin-left:1" <?php 
    echo Util::htmlentities($process_form['aggr_srcport']);
    ?>
>&nbsp;<?php 
    echo _("srcPort");
    ?>
						<input type="checkbox" name="aggr_srcip" id="aggr_srcip" value="checked" 
							style="margin-left:1" <?php 
    echo Util::htmlentities($process_form['aggr_srcip']);
    ?>
>&nbsp;
						<select name="aggr_srcselect" id="aggr_srcselect" onChange="NetbitEntry('src')" size="1">
							<?php 
    $i = 0;
    foreach (array('srcIP', 'srcIPv4/', 'srcIPv6/') as $s) {
        $checked = $process_form['aggr_srcselect'] == $i ? 'selected' : '';
        print "<option value='{$i}' {$checked}>{$s}</option>\n";
        $i++;
    }
    $_style = $process_form['aggr_srcselect'] == 0 ? 'style="display:none"' : '';
    ?>
						</select>
						<input size="3" type="text" name="aggr_srcnetbits" id="aggr_srcnetbits" 
							value="<?php 
    echo Util::htmlentities($process_form['aggr_srcnetbits']);
    ?>
" <?php 
    echo $_style;
    ?>
><br>
						<input type="checkbox" name="aggr_dstport" id="aggr_dstport" value="checked" 
							style="margin-left:1" <?php 
    echo Util::htmlentities($process_form['aggr_dstport']);
    ?>
>&nbsp;<?php 
    echo _("dstPort");
    ?>
						<input type="checkbox" name="aggr_dstip" id="aggr_dstip" value="checked" 
							style="margin-left:1" <?php 
    echo Util::htmlentities($process_form['aggr_dstip']);
    ?>
>&nbsp;
						<select name="aggr_dstselect" id="aggr_dstselect" onChange="NetbitEntry('dst')" size="1">
							<?php 
    $i = 0;
    foreach (array('dstIP', 'dstIPv4/', 'dstIPv6/') as $s) {
        $checked = $process_form['aggr_dstselect'] == $i ? 'selected' : '';
        print "<option value='{$i}' {$checked}>{$s}</option>\n";
        $i++;
    }
    $_style = $process_form['aggr_dstselect'] == 0 ? 'style="display:none"' : '';
    ?>
						</select>
						<input size="3" type="text" name="aggr_dstnetbits" id="aggr_dstnetbits" 
							value="<?php 
    echo Util::htmlentities($process_form['aggr_dstnetbits']);
    ?>
" <?php 
    echo $_style;
    ?>
><br>
					</td>
				</tr>
				
				<tr id="timesortedRow" <?php 
    echo $list_display_style;
    ?>
>
					<td class='TDnfprocLabel'><?php 
    echo _("Sort");
    ?>
:</td>
					<td class='TDnfprocControl'>
						<input type="checkbox" name="timesorted" id="timesorted" value="checked" 
							style="margin-left:1" <?php 
    echo Util::htmlentities($process_form['timesorted']);
    ?>
>
						<?php 
    echo _("start time of flows");
    ?>
</td>
				</tr>
				
				<tr id="limitoutputRow" <?php 
    echo $stat_display_style;
    ?>
>
					<td class='TDnfprocLabel'><?php 
    echo _("Limit");
    ?>
:</td>
					<td class='TDnfprocControl'>
						<input type="checkbox" name="limitoutput" id="limitoutput" value="checked" style="margin-left:1" 
							size="1" <?php 
    echo Util::htmlentities($process_form['limitoutput']);
    ?>
>
						<select name="limitwhat" id="limitwhat" size="1">
						<?php 
    $i = 0;
    foreach (array(gettext("Packets"), gettext("Traffic")) as $s) {
        $checked = $process_form['limitwhat'] == $i ? 'selected' : '';
        print "<option value='{$i}' {$checked}>{$s}</option>\n";
        $i++;
    }
    ?>
						</select>
						<select name="limithow" id="limithow" size="1">
						<?php 
    $i = 0;
    foreach (array('&gt;', '&lt;') as $s) {
        $checked = $process_form['limithow'] == $i ? 'selected' : '';
        print "<option value='{$i}' {$checked}>{$s}</option>\n";
        $i++;
    }
    ?>
						</select>
						<input type="text" name="limitsize" id="limitsize" value="<?php 
    echo Util::htmlentities($process_form['limitsize']);
    ?>
" SIZE="6" MAXLENGTH="8">
						<select name="limitscale" id="limitscale" size="1" style="margin-left:1">
						<?php 
    $i = 0;
    foreach ($LimitScale as $s) {
        $checked = $process_form['limitscale'] == $i ? 'selected' : '';
        print "<option value='{$i}' {$checked}>{$s}</option>\n";
        $i++;
    }
    ?>
						</select>
					</td>
				</tr>

				<tr id="outputRow">
					<td class='TDnfprocLabel'><?php 
    echo _("Output");
    ?>
:</td>
					<td class='TDnfprocControl'>
						<span id="FormatSelect" <?php 
    echo $formatselect_display_opts;
    ?>
>
						<select name="output" id="output" onChange="CustomOutputFormat()"  style="margin-left:1" size="1">
						<?php 
    foreach ($_SESSION['formatlist'] as $key => $value) {
        $checked = $process_form['output'] == $key ? 'selected' : '';
        print "<OPTION value='" . Util::htmlentities($key) . "' {$checked}>" . Util::htmlentities($key) . "</OPTION>\n";
    }
    $fmt = $_SESSION['formatlist'][$process_form['output']];
    if ($process_form['output'] == $fmt) {
        // built in format
        $space_display_style = '';
        $edit_display_style = 'style="display:none"';
    } else {
        $space_display_style = 'style="display:none"';
        $edit_display_style = '';
    }
    ?>
						</select>
						<script language="Javascript" type="text/javascript">
							var fmts = new Hash();
						<?php 
    foreach ($_SESSION['formatlist'] as $key => $value) {
        print "fmts.setItem('" . Util::htmlentities($key) . "', '" . Util::htmlentities($value) . "');\n";
    }
    ?>
						</script>
						<img src="icons/space.png" border="0" alt='space' id='space' <?php 
    echo $space_display_style;
    ?>
/>
						<a href="#null" onClick="EditCustomFormat()"
							title="<?php 
    echo _("Edit format");
    ?>
" ><IMG SRC="icons/edit.png" name="fmt_doedit" id="fmt_doedit" border="0" 
							<?php 
    echo $edit_display_style;
    ?>
 alt="Edit format"></a>
						</span>
						<input type="checkbox" name="IPv6_long" id="IPv6_long" style="margin-left:1" value="checked" <?php 
    echo Util::htmlentities($process_form['IPv6_long']);
    ?>
>
						&nbsp;/ <?php 
    echo _("IPv6 long");
    ?>
						<?php 
    $fmt_edit_display_style = $process_form['output'] == 'custom ...' ? '' : 'style="display:none"';
    ?>
						<span id="fmt_edit" <?php 
    echo $fmt_edit_display_style;
    ?>
>
						<br><?php 
    echo _("Enter custom output format");
    ?>
:<br>
						<input size="30" type="text" name="customfmt" id="customfmt" 
							value="<?php 
    echo Util::htmlentities($process_form['customfmt']);
    ?>
" >
						<input type="image" name="fmt_save" id="fmt_save" title="<?php 
    echo _("Save format");
    ?>
" 
							onClick="SaveOutputFormat()" 
							value="" src="icons/save.png">
						<input type="image" name="fmt_delete" id="fmt_delete" title="<?php 
    echo _("Delete format");
    ?>
" 
							onClick="DeleteOutputFormat()" 
							value="" src="icons/trash.png" <?php 
    echo $edit_display_style;
    ?>
>
						</span>
					</td>
				</tr>
			</table>
		</td>
	</tr>
<!--
<tr>
	<td></td><td></td>
	<td align="right" style="border:none">
		<input type="button" name="JSbutton1" value="<?php 
    echo _("Clear Form");
    ?>
" onClick="ResetProcessingForm()">
		<input type="submit" name="process" value="<?php 
    echo _("process");
    ?>
" id="process_button" onClick="form_ok=true;" size="1">
	</td>
</tr>
-->
</table>
</form>

<div id="lookupbox">
	<div id="lookupbar" align="right" style="background-color:olivedrab"><img src="icons/close.png"
		onmouseover="this.style.cursor='pointer';" onClick="hidelookup()" title="Close lookup box"></div>
	<iframe id="cframe" src="" frameborder="0" scrolling="auto" width="100%" height="166"></iframe>
</div>


<?php 
    if (!array_key_exists('run', $_SESSION)) {
        return;
    }
    print "<div class='flowlist'>\n";
    $run = $_SESSION['run'];
    if ($run != null) {
        $filter = $process_form['filter'];
        if ($process_form['DefaultFilter'] != -1) {
            $cmd_opts['and_filter'] = $process_form['DefaultFilter'];
        }
        $cmd_opts['type'] = ($_SESSION['profileinfo']['type'] & 4) > 0 ? 'shadow' : 'real';
        $cmd_opts['profile'] = $_SESSION['profileswitch'];
        $cmd_opts['srcselector'] = implode(':', $process_form['srcselector']);
        #print "<pre>\n";
        $patterns = array();
        $replacements = array();
        $patterns[0] = '/(\\s*)([^\\s]+)/';
        $replacements[0] = "\$1<a href='#null' onClick='lookup(\"\$2\", this, event)' title='lookup \$2'>\$2</a>";
        // gets HAP4NfSens plugin id. returns -1 if HAP4NfSen is not installed.
        function getHAP4NfSenId()
        {
            $plugins = GetPlugins();
            for ($i = 0; $i < count($plugins); $i++) {
                $plugin = $plugins[$i];
                if ($plugin == "HAP4NfSen") {
                    return $i;
                }
            }
            return -1;
        }
        ClearMessages();
        $cmd_opts['args'] = "-T {$run}";
        $cmd_opts['filter'] = $filter;
        $titcol = get_tit_col($run);
        $cmd_out = nfsend_query("run-nfdump", $cmd_opts);
        if (!is_array($cmd_out)) {
            ShowMessages();
        } else {
            $conf = $GLOBALS["CONF"];
            $solera = $conf->get_conf("solera_enable", FALSE) ? true : false;
            $db = new ossim_db();
            $conn = $db->connect();
            $sensors = $hosts = $ossim_servers = array();
            $tz = Util::get_timezone();
            list($hosts, $host_ids) = Asset_host::get_basic_list($conn, array(), TRUE);
            $entities = Session::get_all_entities($conn);
            $_sensors = Av_sensor::get_basic_list($conn);
            foreach ($_sensors as $s_id => $s) {
                $sensors[$s['ip']] = $s['name'];
            }
            /*$hap4nfsen_id = getHAP4NfSenId();
                    	        if ($hap4nfsen_id >= 0) {
            					// ICMP "port" filter are no currently supported by the HAP4NfSen plugin
            					function isChecked(&$form, $name) { // helper function used to find out, if an option is checked
            						return $form[$name]=="checked";
            					}
            					$ip_and_port_columns = preg_match('/(flow records)/i', $IPStatOption[$process_form['stattype']]) &&
            						((isChecked($process_form,'aggr_srcip') && isChecked($process_form,'aggr_srcport')) ||
            						(isChecked($process_form,'aggr_dstip') && isChecked($process_form,'aggr_dstport')));
            					$ip_contains_port =  $_SESSION["process_form"]["modeselect"]=='0' || !preg_match('/[ip|flow_records]/i', $IPStatOption[$process_form['stattype']]) ||
            								(preg_match('/(flow records)/i', $IPStatOption[$process_form['stattype']]) && !( // no boxes checked
            								isChecked($process_form,'aggr_srcip') || isChecked($process_form,'aggr_srcport') ||
            								isChecked($process_form,'aggr_dstip') || isChecked($process_form,'aggr_dstport')));
                    	                        $_SESSION["plugin"][$hap4nfsen_id]["cmd_opts"] = $cmd_opts;
            					$hap_pic = "<img src=\"plugins/HAP4NfSen/graphviz.png\" valign=\"middle\" border=\"0\" alt=\"HAP\" />";
            					$default_pattern = array_pop($patterns);
            					$default_replacement = array_pop($replacements);
            					if ($ip_contains_port) { // matches cases like ip:port
            						$max_prot_length = 5; // max. port length = 5 chars(highest port number = 65535)
            						for ($i=$max_prot_length;$i>=1;$i--) {
            							$diff = ($max_prot_length-$i); // difference between actual and max port length
            							$ip_port_pattern_icmp = "/(\s*)([^\s|^:]+)(:)(0\s{4}|\d\.\d\s{2}|\d{2}\.\d\|\d\.\d{2}\s|\d{2}\.\d{2})/";
            							$ip_port_pattern_normal = "/(\s*)([^\s|^:]+)(:)([\d|\.]{{$i}})(\s{{$diff}})/";
            							$spaces = '';
            							for ($k=0;$k<$diff;$k++) {$spaces = $spaces . ' ';} // spaces required to align hap viewer icons
                                                            	array_push($patterns, $ip_port_pattern_icmp);
            							array_push($replacements,  $default_replacement .
            								"$3$4 <a href=\"nfsen.php?tab=5&sub_tab=" . $hap4nfsen_id . "&ip=$2&mode=new\" title='HAP graphlet for $2'>$hap_pic</a> ");
            							array_push($patterns, $ip_port_pattern_normal);
                                                            	array_push($replacements,  $default_replacement .
            								"$3$4$spaces <a href=\"nfsen.php?tab=5&sub_tab=" . $hap4nfsen_id . "&ip=$2&port=$4&mode=new\" title='HAP graphlet for $2 on port $4'>$hap_pic</a> ");
            						}
            						array_push($patterns, '/(\sIP\sAddr:Port)/i');
                                                    	array_push($replacements, "$1  $hap_pic");
            					} else {
            						if ($ip_and_port_columns) { // matches cases when both ip and port are available but are located in separate columns
            							// ICMP verion
            							$ip_and_port_pattern = "/(\s*)([^\s]+)(\s+)(0|\d\.\d)/";
            							$ip_and_port_replacement = "$1$2$3$4 " .
            								"<a href=\"nfsen.php?tab=5&sub_tab=" . $hap4nfsen_id . "&ip=$2&mode=new\" title='HAP graphlet for $2'>$hap_pic</a>";
            							array_push($patterns, $ip_and_port_pattern);
            							array_push($replacements, $ip_and_port_replacement);
            							// non-ICMP version with port filter
                                                                    $ip_and_port_pattern = "/(\s*)([^\s]+)(\s*)([\d|.]+)/";
                                                                    $ip_and_port_replacement = "$1$2$3$4 " .
                                                                            "<a href=\"nfsen.php?tab=5&sub_tab=" . $hap4nfsen_id . "&ip=$2&port=$4&mode=new\" title='HAP graphlet for $2 on port $4'>$hap_pic</a>";
                                                                    array_push($patterns, $ip_and_port_pattern);
                                                                    array_push($replacements, $ip_and_port_replacement);
            							array_push($patterns, '/(\s\s(Src\sIP\sAddr\s*Src\sPt|Dst\sIP\sAddr\s*Dst\sPt))/i');
                                                                    array_push($replacements, "$1 $hap_pic");
            						} else { // matches all other cases
            							array_push($patterns, $default_pattern);
                                                    		array_push($replacements,  $default_replacement . 
            								" <a href=\"nfsen.php?tab=5&sub_tab=" . $hap4nfsen_id . "&ip=$2&mode=new\" title='HAP graphlet for $2'>$hap_pic</a>");
            							array_push($patterns, '/(\s(|\s(Src|Dst))\sIP\sAddr)/i');
                                                            	array_push($replacements, "$1 $hap_pic");
            						}
            					}
            	                        }
            
            				if ( array_key_exists('arg', $cmd_out) ) {
            					print "** nfdump " . $cmd_out['arg'] . "\n";
            				}
            				if ( array_key_exists('filter', $cmd_out) ) {
            					print "nfdump filter:\n";
            					foreach ( $cmd_out['filter'] as $line ) {
            						print "$line\n";
            					}
            				}
            				foreach ( $cmd_out['nfdump'] as $line ) {
            					print preg_replace($patterns, $replacements, $line) . "\n";
            				}*/
            # parse command line
            #2009-12-09 17:08:17.596    40.262 TCP        192.168.1.9:80    ->   217.126.167.80:51694 .AP.SF   0       70   180978        1    35960   2585     1
            $list = preg_match("/\\-o extended/", $cmd_out['arg']) ? 1 : 0;
            $regex = $list ? "/(\\d\\d\\d\\d\\-.*?\\s.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+->\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?\\s*[KMG]?)\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+(.*)/" : "/(\\d\\d\\d\\d\\-.*?\\s.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?)\\s+(.*?\\s*[KMGT]?)\\s+(.*?)\\s+(.*?)\\s+(.*)/";
            echo '<div class="nfsen_list_title">' . _('Flows Info') . '</div>';
            echo "<table class='table_list'>";
            $geotools = false;
            if ($list && file_exists("../kml/GoogleEarth.php")) {
                $geotools = true;
                $geoips = array();
                $geotools_src = " <a href='' onclick='window.open(\"../kml/TourConfig.php?type=ip_src&ip=&flows=1\",\"Flows sources - Goggle Earth API\",\"width=1024,height=700,scrollbars=NO,toolbar=1\");return false'><img align='absmiddle' src='../pixmaps/google_earth_icon.png' border='0'></a>&nbsp;&nbsp;<a href='' onclick='window.open(\"../kml/IPGoogleMap.php?type=ip_src&ip=&flows=1\",\"Flows sources - Goggle Maps API\",\"width=1024,height=700,scrollbars=NO,toolbar=1\");return false'><img align='absmiddle' src='../pixmaps/google_maps_icon.png' border='0'></a>";
                $geotools_dst = " <a href='' onclick='window.open(\"../kml/TourConfig.php?type=ip_dst&ip=&flows=1\",\"Flows destinations - Goggle Earth API\",\"width=1024,height=700,scrollbars=NO,toolbar=1\");return false'><img align='absmiddle' src='../pixmaps/google_earth_icon.png' border='0'></a>&nbsp;&nbsp;<a href='' onclick='window.open(\"../kml/IPGoogleMap.php?type=ip_dst&ip=&flows=1\",\"Flows destinations - Goggle Maps API\",\"width=1024,height=700,scrollbars=NO,toolbar=1\");return false'><img align='absmiddle' src='../pixmaps/google_maps_icon.png' border='0'></a>";
            }
            echo $list ? "\n                \n                <tr>\n                    <th>" . _("Date flow start") . "<br><span style='font-size:8px'>" . Util::timezone($tz) . "</style></th>\n                    <th>" . _("Duration") . "</th>\n                    <th>" . _("Proto") . "</th>\n                    <th>" . _("Src IP Addr:Port") . "{$geotools_src}</th>\n                    <th>" . _("Dst IP Addr:Port") . "{$geotools_dst}</th>\n                    <th>" . _("Flags") . "</th>\n                    <th>" . _("Tos") . "</th>\n                    <th>" . _("Packets") . "</th>\n                    <th>" . _("Bytes") . "</th>\n                    <th>" . _("pps") . "</th>\n                    <th>" . _("bps") . "</th>\n                    <th>" . _("Bpp") . "</th>\n                    <th>" . _("Flows") . "</th>\n                \t" . ($solera ? "<th></th>" : "") . "\n                    </tr>" : "<tr>\n                    <th>" . _("Date flow seen") . "<br><span style='font-size:8px'>" . Util::timezone($tz) . "</style></th>\n                    <th>" . _("Duration") . "</th>\n                    <th>" . _("Proto") . "</th>\n                    <th>" . $titcol . "</th>\n                    <th>" . _("Flows") . "(%)</th>\n                    <th>" . _("Packets") . "(%)</th>\n                    <th>" . _("Bytes") . "(%)</th>\n                    <th>" . _("pps") . "</th>\n                    <th>" . _("bps") . "</th>\n                    <th>" . _("Bpp") . "</th>\n                \t" . ($solera ? "<th></th>" : "") . "\n                    </tr>";
            $status = $errors = array();
            $rep = new Reputation();
            //print_r($cmd_out['arg']);
            //print_r($cmd_out['nfdump']);
            foreach ($cmd_out['nfdump'] as $k => $line) {
                #capture status
                if (preg_match("/^(Summary|Time window|Total flows processed|Sys)\\:/", $line, $found)) {
                    $status[$found[1]] = str_replace($found[1] . ":", "", $line);
                }
                # capture errors
                if (preg_match("/ error /i", $line, $found)) {
                    if (preg_match("/stat\\(\\) error/i", $line)) {
                        $errors[] = _('The netflow information you are trying to access either has not been processed yet or does not exist. Please check your date filters.');
                        Av_exception::write_log(Av_exception::USER_ERROR, $line);
                    } else {
                        $errors[] = $line;
                    }
                }
                # print results
                $line = preg_replace("/\\(\\s(\\d)/", "(\\1", $line);
                // Patch for ( 0.3)
                $line = preg_replace("/(\\d)\\s*([KMGT])/", "\\1\\2", $line);
                // Patch for 1.2 M(99.6)
                $line = preg_replace("/(\\d+)(TCP|UDP|ICMP|IGMP)\\s/", "\\1 \\2 ", $line);
                // Patch for 9.003TCP
                $start = $end = $proto = "";
                $ips = $ports = array();
                if (preg_match($regex, preg_replace('/\\s*/', ' ', $line), $found)) {
                    echo "<tr class='tr_flow_data'>\n";
                    foreach ($found as $ki => $field) {
                        if ($ki > 0) {
                            $wrap = $ki == 1 ? "nowrap" : "";
                            $field = Util::htmlentities(preg_replace("/(\\:\\d+)\\.0\$/", "\\1", $field));
                            if (preg_match("/(\\d+\\.\\d+\\.\\d+\\.\\d+)(.*)/", $field, $fnd)) {
                                # match ip (resolve and geolocalize)
                                $ip = $fnd[1];
                                $port = $fnd[2];
                                list($name, $ctx, $host_id) = GetDataFromSingleIp($ip, $hosts);
                                if ($name == "" && $sensors[$ip] != "") {
                                    $name = $sensors[$ip];
                                }
                                $output = Asset_host::get_extended_name($conn, $geoloc, $ip, $ctx, $host_id, '');
                                $homelan = $output['is_internal'] || $name != "" && $name != $ip;
                                $icon = $output['html_icon'];
                                # reputation info
                                if (!is_array($_SESSION["_repinfo_ips"][$ip])) {
                                    $_SESSION["_repinfo_ips"][$ip] = $rep->get_data_by_ip($ip);
                                }
                                $rep_icon = Reputation::getrepimg($_SESSION["_repinfo_ips"][$ip][0], $_SESSION["_repinfo_ips"][$ip][1], $_SESSION["_repinfo_ips"][$ip][2], $ip);
                                $rep_bgcolor = Reputation::getrepbgcolor($_SESSION["_repinfo_ips"][$ip][0]);
                                $style_aux = $homelan ? 'style="font-weight:bold"' : '';
                                $bold_aux1 = $homelan ? '<b>' : '';
                                $bold_aux2 = $homelan ? '<b>' : '';
                                $field = '<div id="' . $ip . ';' . Util::htmlentities($name) . ';' . $host_id . '" id2="' . $ip . ';' . $ip . '" ctx="' . $ctx . '" class="HostReportMenu">' . $icon . ' <a ' . $style_aux . ' href="javascript:;">' . Util::htmlentities($name) . '</a>' . $bold_aux1 . $port . $bold_aux2 . ' ' . $rep_icon . '</div>';
                                $wrap = "nowrap style='{$rep_bgcolor}'";
                                $ips[] = $ip;
                                if ($geotools) {
                                    if ($ki == 4) {
                                        $geoips['ip_src'][$ip]++;
                                    } elseif ($ki == 5) {
                                        $geoips['ip_dst'][$ip]++;
                                    }
                                }
                                $ports[] = str_replace(":", "", $port);
                            }
                            if (preg_match("/(\\d+-\\d+-\\d+ \\d+:\\d+:\\d+)(.*)/", $field, $fnd)) {
                                # match date
                                $start = $end = $fnd[1];
                                $time = strtotime($fnd[1]);
                                $field = Util::htmlentities(gmdate("Y-m-d H:i:s", $time + 3600 * $tz) . "." . $fnd[2]);
                            }
                            if (preg_match("/(TCP|UDP|ICMP|RAW)/", $field, $fnd)) {
                                # match protocol (TCP/UDP/ICMP/RAW)
                                $proto = strtolower($fnd[1]);
                            }
                            print "<td {$wrap}>{$field}</td>";
                        }
                    }
                    // solera deepsee integration
                    if ($solera) {
                        echo "<td><a href=\"javascript:;\" onclick=\"solera_deepsee('" . Util::htmlentities($start) . "','" . Util::htmlentities($end) . "','" . Util::htmlentities($ips[0]) . "','" . Util::htmlentities($ports[0]) . "','" . Util::htmlentities($ips[1]) . "','" . Util::htmlentities($ports[1]) . "','" . Util::htmlentities($proto) . "')\"><img src='/ossim/pixmaps/solera.png' border='0' align='absmiddle'></a></td>";
                    }
                    echo "</tr>\n";
                }
            }
            echo "</table>";
            if ($geotools) {
                foreach ($geoips as $type => $list) {
                    $ipsfile = fopen("/var/tmp/flowips_" . Session::get_session_user() . ".{$type}", "w");
                    foreach ($list as $ip => $val) {
                        fputs($ipsfile, "{$ip}\n");
                    }
                    fclose($ipsfile);
                }
            }
            #Summary: total flows: 20, total bytes: 7701, total packets: 133, avg bps: 60, avg pps: 0, avg bpp: 57
            #Time window: 2009-12-10 08:21:30 - 2009-12-10 08:38:26
            #Total flows processed: 21, Records skipped: 0, Bytes read: 1128
            #Sys: 0.000s flows/second: 0.0        Wall: 0.000s flows/second: 152173.9
            if (count($status) > 0) {
                echo "<table class='transparent' style='margin-bottom:5px;width:100%'>";
                foreach ($status as $key => $line) {
                    $line = preg_replace("/(Wall)\\:/", "<span class='th_summary'>\\1</span>", $line);
                    $line = preg_replace("/\\,\\s+(.*?)\\:/", " <span class='th_summary'>\\1</span>", $line);
                    echo "<tr>\n                                    <td class='nobborder' style='padding: 4px;'>\n                                        <span class='th_summary'>{$key}</span>\n                                        {$line}\n                                    </td>\n                                  </tr>";
                }
                echo "</table>";
            }
            # stat() error '/home/dk/nfsen/profiles-data/live/device2/2009/12/10/nfcapd.200912100920': File not found!
            if (count($errors) > 0) {
                foreach ($errors as $line) {
                    echo "<div class='details_error'>" . _("ERROR FOUND: ") . "{$line}</div>";
                }
            }
            $conn->disconnect();
        }
        #print "</pre>\n";
    }
    print "</div>\n";
    $db_aux->close();
    $geoloc->close();
    return;
}
$qs->RunAction($submit, PAGE_STAT_SENSOR, $db);
$et->Mark("Alert Action");

// Row count for the pager: distinct sensors (device ids) matching the current
// criteria, without LIMIT. $from/$where are SQL fragments assembled upstream
// and are spliced in verbatim, so any escaping must already have happened there.
$cnt_sql = "SELECT count(DISTINCT acid_event.device_id) {$from}{$where}";
if (!$use_ac) {
    $qs->GetNumResultRows($cnt_sql, $db);
}
$et->Mark("Counting Result size");

// Results table. AddTitle order is the column order; only the Sensor and
// Events columns get sort keys (asc key, asc ORDER BY, desc key, desc ORDER BY),
// the others are not sortable.
// NOTE(review): $caller is placed in the pager URL unescaped here; escaping is
// presumably done inside QueryResultsOutput — verify.
$qro = new QueryResultsOutput("base_stat_sensor.php?caller={$caller}");
$qro->AddTitle(" ");
$qro->AddTitle(_("Sensor"), "sid_a", " ", " ORDER BY acid_event.device_id ASC", "sid_d", " ", " ORDER BY acid_event.device_id DESC");
$qro->AddTitle(_("Name"), "", " ", " ", "", " ", " ");
$qro->AddTitle(_("Device IP"), "", " ", " ", "", " ", " ");
$events_title = sprintf("%s&nbsp;# <span class='idminfo' txt='%s'>(*)</span>", _("Events"), Util::timezone($tz));
$qro->AddTitle($events_title, "occur_a", " ", "  ORDER BY event_cnt ASC", "occur_d", " ", "  ORDER BY event_cnt DESC");
$qro->AddTitle(_("Unique Events"), "", "", "", "", "", "");
$qro->AddTitle(_("Unique Src."), "", "", "", "", "", "");
$qro->AddTitle(_("Unique Dst."), "", "", "", "", "", "");
// Sorting on the three "Unique" columns is disabled; the former sort keys were
// sig_a/sig_d (sig_cnt), saddr_a/saddr_d (saddr_cnt) and daddr_a/daddr_d (daddr_cnt).

// $sort_sql[0] is inserted after the SELECT list, $sort_sql[1] after HAVING.
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), "");

// Per-sensor rows, one query per WHERE variant ($where / $where2); both join
// device on acid_event.device_id and drop sensors without events.
$sql = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntoa(sensor.ip) AS sensor_ip, inet6_ntoa(device.device_ip) AS device_ip, device.interface, {$counter} {$sort_sql[0]}{$from}{$where} AND device.id=acid_event.device_id GROUP BY acid_event.device_id HAVING event_cnt>0 {$sort_sql[1]}";
$sql2 = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntoa(sensor.ip) AS sensor_ip, inet6_ntoa(device.device_ip) AS device_ip, device.interface, {$counter} {$sort_sql[0]}{$from}{$where2} AND device.id=acid_event.device_id GROUP BY acid_event.device_id HAVING event_cnt>0 {$sort_sql[1]}";

// Per-sensor detail counts. "DEVICEID" is a literal placeholder; whoever reads
// $_SESSION['_siem_sensor_query'] is presumably expected to substitute the real
// device id per row (not visible here).
$sqlsensor = "SELECT {$nevents} as sig_cnt, count(distinct(acid_event.ip_src)) as saddr_cnt, count(distinct(acid_event.ip_dst)) as daddr_cnt{$sort_sql[0]}{$from2}{$where1} AND acid_event.device_id=DEVICEID";
$_SESSION['_siem_sensor_query'] = $sqlsensor;
if (file_exists('/tmp/debug_siem')) {
 // 4- Timestamp: three views of the same instant — the raw DB value, the
 // event-source timezone and the logged-in user's timezone ($tz)
 $tzone = $myrow['tzone'];
 $event_date = $myrow['timestamp'];
 $tzdate = $event_date;
 $event_date_uut = get_utc_unixtime($db, $event_date);
 // Shift by the event's own timezone (an hours offset), only when non-zero
 $event_date = ($tzone != 0) ? gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tzone) : $event_date;
 // Shift by the user's timezone; this is the value that gets displayed
 $tzdate = ($tz != 0) ? gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tz) : $tzdate;
 $cell_data['DATE'] = $tzdate;
 // Tooltip carries the event-local date only when it differs from both the
 // raw value and the displayed one; $event_date is HTML-escaped for it
 if ($event_date == $myrow['timestamp'] || $event_date == $tzdate) {
     $cell_tooltip['DATE'] = "";
 } else {
     $cell_tooltip['DATE'] = _("Event date") . ": <b>" . Util::htmlentities($event_date) . "</b><br>" . _("Timezone") . ": <b>" . Util::timezone($tzone) . "</b>";
 }
 $cell_pdfdata['DATE'] = str_replace(" ", "<br>", $tzdate);
 $cell_align['DATE'] = "center";
 $cell_more['DATE'] = "nowrap";
 if ($current_sip32 != "") {
     // Src Data
     $src_output = Asset_host::get_extended_name($_conn, $geoloc, $current_sip, $ctx, $current_src_host, $myrow["src_net"]);
     $src_name = $src_output['name'];
     $homelan_src = $src_output['is_internal'];
     $src_img = $src_output['html_icon'];
     //$rep_src_icon = getrepimg($myrow["REP_PRIO_SRC"],$myrow["REP_REL_SRC"],$myrow["REP_ACT_SRC"],$current_sip);
     $rep_src_icon = '';
     // Div for right click menu
     // Warning: ctx attribute could be src_ctx
     $div = '<div id="' . $current_sip . ';' . $src_name . ';' . $current_src_host . '" date_from="' . $date_from_aux . '" date_to="' . $date_to_aux . '" id2="' . $current_sip . ';' . $current_dip . '" ctx="' . $ctx . '" class="HostReportMenu">';