function ProcessChartTimeConstraint($start_hour, $start_day, $start_month, $start_year, $stop_hour, $stop_day, $stop_month, $stop_year) { /* if any of the hour, day criteria is blank ' ', set it to NULL */ ereg_replace(" ", "", $start_hour); ereg_replace(" ", "", $stop_hour); ereg_replace(" ", "", $start_day); ereg_replace(" ", "", $stop_day); $tmp_sql = ""; $tmp_time = array(array(" ", ">=", $start_month, $start_day, $start_year, $start_hour, "", "", " ", "AND"), array(" ", "<=", $stop_month, $stop_day, $stop_year, $stop_hour, "", "", " ", " ")); DateTimeRows2sql($tmp_time, 2, $tmp_sql); return $tmp_sql; }
function ProcessCriteria() { global $db, $join_sql, $perms_sql, $where_sql, $criteria_sql, $sql, $debug_mode, $caller, $DBtype; /* XXX-SEC */ global $cs, $timetz; /* the JOIN criteria */ $ip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid "; // *************** DEPRECATED: TCP UDP ICMP join ********************* //$tcp_join_sql = " LEFT JOIN tcphdr ON acid_event.sid=tcphdr.sid AND acid_event.cid=tcphdr.cid "; //$udp_join_sql = " LEFT JOIN udphdr ON acid_event.sid=udphdr.sid AND acid_event.cid=udphdr.cid "; //$icmp_join_sql = " LEFT JOIN icmphdr ON acid_event.sid=icmphdr.sid AND acid_event.cid=icmphdr.cid "; $rawip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid "; $sig_join_sql = " LEFT JOIN alienvault.plugin_sid ON acid_event.plugin_id=plugin_sid.plugin_id AND acid_event.plugin_sid=plugin_sid.sid "; $sig_join = false; $sig_join_tmp = ""; $data_join_sql = ""; //SQL_CALC_FOUND_ROWS $sql = "SELECT acid_event.*, HEX(acid_event.ctx) AS ctx, HEX(acid_event.src_host) AS src_host, HEX(acid_event.dst_host) AS dst_host, HEX(acid_event.src_net) AS src_net, HEX(acid_event.dst_net) AS dst_net FROM acid_event"; $where_sql = " WHERE "; //$where_sql = ""; // $criteria_sql = " acid_event.sid > 0"; // Initially show last 24hours events if ($_GET['time_range'] == "") { $criteria_sql = " ( timestamp >='" . gmdate("Y-m-d", $timetz) . "' ) "; } else { $criteria_sql = " 1 "; } //$criteria_sql = " ( timestamp <= CURDATE() ) "; //$criteria_sql = " 1 "; $join_sql = ""; $use_ac = true; // Use ac_acid_event or not $sfilter = false; $criteria_sql_ac = $criteria_sql; /* ********************** Meta Criteria ******************************************** */ $sig = $cs->criteria['sig']->criteria; $sig_type = $cs->criteria['sig']->sig_type; $sig_class = $cs->criteria['sig_class']->criteria; $sig_priority = $cs->criteria['sig_priority']->criteria; $ag = $cs->criteria['ag']->criteria; $sensor = $cs->criteria['sensor']->criteria; $sensor_op = $cs->criteria['sensor']->param ? "not in" : "in"; $plugin = $cs->criteria['plugin']->criteria; $plugingroup = $cs->criteria['plugingroup']->criteria; $networkgroup = $cs->criteria['networkgroup']->criteria; $userdata = $cs->criteria['userdata']->criteria; $idm_username = $cs->criteria['idm_username']->criteria; $idm_hostname = $cs->criteria['idm_hostname']->criteria; $idm_domain = $cs->criteria['idm_domain']->criteria; $sourcetype = $cs->criteria['sourcetype']->criteria; $category = $cs->criteria['category']->criteria; $rep = $cs->criteria['rep']->criteria; $otx = $cs->criteria['otx']->criteria; $time = $cs->criteria['time']->GetUTC(); $real_time = $cs->criteria['time']->criteria; //print_r($time); $time_cnt = $cs->criteria['time']->GetFormItemCnt(); $hostid = $cs->criteria['hostid']->criteria; $netid = $cs->criteria['netid']->criteria; $ctx = $cs->criteria['ctx']->criteria; $device = $cs->criteria['device']->criteria; $ip_addr = $cs->criteria['ip_addr']->criteria; $ip_addr_cnt = $cs->criteria['ip_addr']->GetFormItemCnt(); $layer4 = $cs->criteria['layer4']->criteria; $ip_field = $cs->criteria['ip_field']->criteria; $ip_field_cnt = $cs->criteria['ip_field']->GetFormItemCnt(); $tcp_port = $cs->criteria['tcp_port']->criteria; $tcp_port_cnt = $cs->criteria['tcp_port']->GetFormItemCnt(); // DEPRECATED tcp flags //$tcp_flags = $cs->criteria['tcp_flags']->criteria; //$tcp_field = $cs->criteria['tcp_field']->criteria; //$tcp_field_cnt = $cs->criteria['tcp_field']->GetFormItemCnt(); $udp_port = $cs->criteria['udp_port']->criteria; $udp_port_cnt = $cs->criteria['udp_port']->GetFormItemCnt(); // DEPRECATED udp field icmp field //$udp_field = $cs->criteria['udp_field']->criteria; //$udp_field_cnt = $cs->criteria['udp_field']->GetFormItemCnt(); //$icmp_field = $cs->criteria['icmp_field']->criteria; //$icmp_field_cnt = $cs->criteria['icmp_field']->GetFormItemCnt(); $rawip_field = $cs->criteria['rawip_field']->criteria; $rawip_field_cnt = $cs->criteria['rawip_field']->GetFormItemCnt(); $data = $cs->criteria['data']->criteria; $data_cnt = $cs->criteria['data']->GetFormItemCnt(); $data_encode = $cs->criteria['data']->data_encode; //$data_encode[0] = "ascii"; $data_encode[1] = "hex"; /* OSSIM */ $ossim_type = $cs->criteria['ossim_type']->criteria; $ossim_priority = $cs->criteria['ossim_priority']->criteria; $ossim_reliability = $cs->criteria['ossim_reliability']->criteria; $ossim_asset_dst = $cs->criteria['ossim_asset_dst']->criteria; $ossim_risk_a = $cs->criteria['ossim_risk_a']->criteria; $tmp_meta = ""; /* Sensor */ if ($sensor != "" && $sensor != " ") { $tmp_meta = $tmp_meta . " AND acid_event.device_id {$sensor_op} ( " . preg_replace("/^\\!/", "", $sensor) . " )"; } else { $cs->criteria['sensor']->Set(""); } /* Device */ if ($device != "") { $_ip = bin2hex(inet_pton($device)); $tmp_meta .= " AND acid_event.device_id IN (SELECT id FROM device WHERE device_ip=UNHEX('" . $_ip . "'))"; } /* Plugin */ if ($plugin != "" && $plugin != " ") { if (preg_match("/(\\d+)\\-(\\d+)/", $plugin, $match)) { $tmp_meta = $tmp_meta . " AND acid_event.plugin_id between " . $match[1] . " and " . $match[2]; } else { $tmp_meta = $tmp_meta . " AND acid_event.plugin_id in (" . $plugin . ")"; } $sfilter = true; } /* Plugin Group */ if ($plugingroup != "" && $plugingroup != " ") { $pg_ids = QueryOssimPluginGroup($plugingroup); if ($pg_ids != "") { $tmp_meta = $tmp_meta . " AND ({$pg_ids}) "; } else { $tmp_meta = $tmp_meta . " AND (acid_event.plugin_id=-1 AND acid_event.plugin_sid=-1)"; } $sfilter = true; } /* Network Group */ if ($networkgroup != "" && $networkgroup != " ") { $ng_ids = QueryOssimNetworkGroup($networkgroup); if ($ng_ids != "") { $tmp_meta = $tmp_meta . " AND ({$ng_ids}) "; $use_ac = false; } } /* User Data */ //echo "User Data:$userdata"; $rpl = array('EQ' => '=', 'NE' => '!=', 'LT' => '<', 'LOE' => '<=', 'GT' => '>', 'GOE' => '>='); if (trim($userdata[2]) != "") { $q_like = $userdata[1] == 'like' ? TRUE : FALSE; $_q = parenthesis_encode(escape_sql($userdata[2], $db->DB, $q_like)); $sql = "SELECT acid_event.*, HEX(acid_event.ctx) AS ctx, HEX(acid_event.src_host) AS src_host, \n HEX(acid_event.dst_host) AS dst_host, HEX(acid_event.src_net) AS src_net, \n HEX(acid_event.dst_net) AS dst_net,extra_data.* \n FROM acid_event"; $data_join_sql .= ",extra_data "; $_nq = is_numeric($_q) ? $_q : "'" . $_q . "'"; $flt = "extra_data." . $userdata[0] . " " . strtr($userdata[1], $rpl) . " " . ($userdata[1] == "like" ? "'%" . $_q . "%'" : $_nq); $tmp_meta .= " AND acid_event.id=extra_data.event_id AND ({$flt})"; $use_ac = FALSE; } /* IDM */ if (trim($idm_username[0]) != '' || trim($idm_domain[0]) != '') { $data_join_sql .= ",idm_data "; $tmp_meta .= " AND acid_event.id=idm_data.event_id"; $use_ac = FALSE; } if ($idm_username[0] != '') { $_q = parenthesis_encode(escape_sql($idm_username[0], $db->DB)); if ($idm_username[1] == "both") { $tmpcrit = "idm_data.username='******'"; } else { $tmpcrit = "(idm_data.username='******' AND idm_data.from_src=" . ($idm_username[1] == "src" ? "1" : "0") . ")"; } $tmp_meta .= " AND {$tmpcrit}"; } if ($idm_domain[0] != '') { $_q = parenthesis_encode(escape_sql($idm_domain[0], $db->DB)); if ($idm_domain[1] == "both") { $tmpcrit = "idm_data.domain='" . $_q . "'"; } else { $tmpcrit = "(idm_data.domain='" . $_q . "' AND idm_data.from_src=" . ($idm_domain[1] == "src" ? "1" : "0") . ")"; } $tmp_meta .= " AND {$tmpcrit}"; } if ($idm_hostname[0] != '') { $_q = parenthesis_encode(escape_sql($idm_hostname[0], $db->DB)); if ($idm_hostname[1] == "both") { $tmpcrit = "(acid_event.src_hostname='" . $_q . "' OR acid_event.dst_hostname='" . $_q . "')"; } else { $tmpcrit = "acid_event." . $idm_hostname[1] . "_hostname='" . $_q . "'"; } $tmp_meta .= " AND {$tmpcrit}"; $use_ac = FALSE; } /* OTX */ $otx_data = trim($otx[0]) != "" || trim($otx[1]) != "" ? true : false; if ($otx_data) { $data_join_sql .= ",otx_data"; $tmp_meta .= " AND acid_event.id=otx_data.event_id"; $use_ac = false; } # Pulse id if (trim($otx[0]) != "") { $tmp_meta .= " AND otx_data.pulse_id=unhex('" . $otx[0] . "')"; } /* Reputation */ $rep_data = trim($rep[0]) != "" || trim($rep[1]) != "" ? true : false; if ($rep_data) { $data_join_sql .= ",reputation_data"; $tmp_meta .= " AND acid_event.id=reputation_data.event_id"; $use_ac = false; } # Reputation Activity if (intval($rep[0])) { $aname = GetActivityName(intval($rep[0]), $db); $tmp_meta .= " AND (reputation_data.rep_act_src like '%" . str_replace("'", "\\'", $aname) . "%' OR reputation_data.rep_act_dst like '%" . str_replace("'", "\\'", $aname) . "%')"; } # Reputation Severity if (trim($rep[1]) != "") { switch ($rep[1]) { case "High": $tmpcrit = "(reputation_data.rep_prio_src>6 OR reputation_data.rep_prio_dst>6)"; break; case "Medium": $tmpcrit = "(reputation_data.rep_prio_src in (3,4,5,6) OR reputation_data.rep_prio_dst in (3,4,5,6))"; break; case "Low": $tmpcrit = "(reputation_data.rep_prio_src in (0,1,2) OR reputation_data.rep_prio_dst in (0,1,2))"; break; default: $tmpcrit = "(reputation_data.rep_prio_src>0 OR reputation_data.rep_prio_dst>0)"; } $tmp_meta .= " AND {$tmpcrit}"; } /* Source Type */ if (trim($sourcetype) != "") { $tmp_meta = $tmp_meta . " AND acid_event.plugin_id in (" . GetPluginListBySourceType($sourcetype) . ")"; } /* Category */ if ($category[0] != 0) { $sig_join = true; $tmp_meta = $tmp_meta . GetPluginListByCategory($category); } /* Signature */ if (isset($sig[0]) && $sig[0] != " " && $sig[0] != "" && (isset($sig[1]) && $sig[1] != "")) { if ($sig_type == 1) { // sending sig[1]=plugin_id;plugin_sid $sfilter = true; $pidsid = preg_split("/[\\s;]+/", $sig[1]); $tmp_meta = $tmp_meta . " AND (acid_event.plugin_id=" . intval($pidsid[0]) . " AND acid_event.plugin_sid=" . intval($pidsid[1]) . ")"; } else { // free string //$sig_join_tmp = QueryOssimSignatureTmpTable($sig[1], $sig[0], $sig[2]); $sig_ids = QueryOssimSignature($sig[1], $sig[0], $sig[2], $db->DB); $sig_join = true; $tmp_meta = $tmp_meta . " AND ({$sig_ids})"; } } else { $cs->criteria['sig']->Set(""); } /* * OSSIM Code */ /* OSSIM Type */ if ($ossim_type[1] != " " && $ossim_type[1] != "" && $ossim_type[1] != "0") { $tmp_meta = $tmp_meta . " AND acid_event.ossim_type = '" . $ossim_type[1] . "'"; $use_ac = false; } else { if ($ossim_type[1] == "0") { $tmp_meta = $tmp_meta . " AND (acid_event.ossim_type is null OR acid_event.ossim_type = '0')"; $use_ac = false; } else { $cs->criteria['ossim_type']->Set(""); } } /* OSSIM Priority */ if ($ossim_priority[1] != " " && $ossim_priority[1] != "" && $ossim_priority[1] != "0") { $tmp_meta = $tmp_meta . " AND acid_event.ossim_priority " . $ossim_priority[0] . " '" . $ossim_priority[1] . "'"; $use_ac = false; } else { if ($ossim_priority[1] == "0") { $use_ac = false; $tmp_meta = $ossim_priority[0] == "=" ? $tmp_meta . " AND (acid_event.ossim_priority is null OR acid_event.ossim_priority = '0')" : ($tmp_meta = $tmp_meta . " AND acid_event.ossim_priority " . $ossim_priority[0] . " '" . $ossim_priority[1] . "'"); } else { $cs->criteria['ossim_priority']->Set(""); } } /* OSSIM Reliability */ if ($ossim_reliability[1] != " " && $ossim_reliability[1] != "" && $ossim_reliability[1] != "0") { $tmp_meta = $tmp_meta . " AND acid_event.ossim_reliability " . $ossim_reliability[0] . " '" . $ossim_reliability[1] . "'"; $use_ac = false; } else { if ($ossim_reliability[1] == "0") { $tmp_meta = $ossim_reliability[0] == "=" ? $tmp_meta . " AND (acid_event.ossim_reliability is null OR acid_event.ossim_reliability = '0')" : $tmp_meta . " AND acid_event.ossim_reliability " . $ossim_reliability[0] . " '" . $ossim_reliability[1] . "'"; $use_ac = false; } else { $cs->criteria['ossim_reliability']->Set(""); } } /* OSSIM Asset DST */ if ($ossim_asset_dst[1] != " " && $ossim_asset_dst[1] != "" && $ossim_asset_dst[1] != "0") { $tmp_meta = $tmp_meta . " AND acid_event.ossim_asset_dst " . $ossim_asset_dst[0] . " '" . $ossim_asset_dst[1] . "'"; $use_ac = false; } else { if ($ossim_asset_dst[1] == "0") { $tmp_meta = $ossim_asset_dst[0] == "=" ? $tmp_meta . " AND (acid_event.ossim_asset_dst is null OR acid_event.ossim_asset_dst = '0')" : $tmp_meta . " AND acid_event.ossim_asset_dst " . $ossim_asset_dst[0] . " '" . $ossim_asset_dst[1] . "'"; $use_ac = false; } else { $cs->criteria['ossim_asset_dst']->Set(""); } } /* OSSIM Risk A */ if ($ossim_risk_a != " " && $ossim_risk_a != "" && $ossim_risk_a != "0") { if ($ossim_risk_a == "low") { //$tmp_meta = $tmp_meta." AND ossim_risk_a >= 1 AND ossim_risk_a <= 4 "; $tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a = 0 "; $use_ac = false; } else { if ($ossim_risk_a == "medium") { //$tmp_meta = $tmp_meta." AND ossim_risk_a >= 5 AND ossim_risk_a <= 7 "; $tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a = 1 "; $use_ac = false; } else { if ($ossim_risk_a == "high") { //$tmp_meta = $tmp_meta." AND ossim_risk_a >= 8 AND ossim_risk_a <= 10 "; $tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a > 1 "; $use_ac = false; } } } } else { $cs->criteria['ossim_risk_a']->Set(""); } /* Date/Time */ $time_meta = ""; $real_time_meta = ""; DateTimeRows2sql($real_time, $time_cnt, $real_time_meta); // Time without utc conversion if (DateTimeRows2sql($time, $time_cnt, $time_meta) == 0) { $cs->criteria['time']->SetFormItemCnt(0); } $criteria_sql = $criteria_sql . $tmp_meta; $criteria_sql_ac .= $use_ac && !$sig_join ? preg_replace("/( \\d\\d):\\d\\d:\\d\\d/", "\\1:00:00", $tmp_meta) : preg_replace("/( \\d\\d):\\d\\d:\\d\\d/", "\\1:00:00", $time_meta); $use_ac = time_can_use_ac($real_time) ? $use_ac : FALSE; /* ********************** PERMS ************************ */ // Allowed CTX's y Asset Filter $perms_sql = GetPerms(); $idfilter = !empty($perms_sql) ? true : false; $criteria_sql .= $perms_sql; $criteria_sql_ac .= $perms_sql; /* Host ID */ $op = $hostid[3] != '' ? $hostid[3] : 'IN'; $and_or = $op == 'NOT IN' ? 'AND' : 'OR'; // src_host, dst_host fields if ($hostid[0] != "") { $hostwhere = "UNHEX('" . implode("',UNHEX('", explode(",", $hostid[0])) . "')"; if ($hostid[2] == "both") { $criteria_sql .= " AND (acid_event.src_host {$op} ({$hostwhere}) {$and_or} acid_event.dst_host {$op} ({$hostwhere}))"; $criteria_sql_ac .= " AND (acid_event.src_host {$op} ({$hostwhere}) {$and_or} acid_event.dst_host {$op} ({$hostwhere}))"; } else { $criteria_sql .= " AND acid_event." . $hostid[2] . "_host {$op} ({$hostwhere})"; $criteria_sql_ac .= " AND acid_event." . $hostid[2] . "_host {$op} ({$hostwhere})"; } $idfilter = true; } /* Network ID */ // src_net, dst_net fields if ($netid[0] != "") { $netwhere = "UNHEX('" . implode("',UNHEX('", explode(",", $netid[0])) . "')"; if ($netid[2] == "both") { $criteria_sql .= " AND (acid_event.src_net in ({$netwhere}) OR acid_event.dst_net in ({$netwhere}))"; $criteria_sql_ac .= " AND (acid_event.src_net in ({$netwhere}) OR acid_event.dst_net in ({$netwhere}))"; } else { $criteria_sql .= " AND acid_event." . $netid[2] . "_host in ({$netwhere})"; $criteria_sql_ac .= " AND acid_event." . $netid[2] . "_host in ({$netwhere})"; } $idfilter = true; } /* ********************** IP Criteria ********************************************** */ /* IP Addresses */ $ipfilter = false; $tmp2 = ""; for ($i = 0; $i < $ip_addr_cnt; $i++) { $tmp = ""; if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] != " " && $ip_addr[$i][1] != "") { if ($ip_addr[$i][3] != "" && $ip_addr[$i][4] != "" && $ip_addr[$i][5] != "" && $ip_addr[$i][6] != "") { /* if use illegal 256.256.256.256 address then * this is the special case where need to search for portscans */ if ($ip_addr[$i][3] == "256" && $ip_addr[$i][4] == "256" && $ip_addr[$i][5] == "256" && $ip_addr[$i][6] == "256") { $tmp = $tmp . " acid_event." . $ip_addr[$i][1] . " IS NULL" . " "; } else { if ($ip_addr[$i][10] == "") { $tmp = $tmp . " acid_event." . $ip_addr[$i][1] . $ip_addr[$i][2] . "unhex('" . baseIP2hex($ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6]) . "') "; } else { $mask = getIPMask($ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6], $ip_addr[$i][10]); if ($ip_addr[$i][2] == "!=") { $tmp_op = " NOT "; } else { $tmp_op = ""; } $tmp = $tmp . $tmp_op . " acid_event." . $ip_addr[$i][1] . ">= unhex('" . baseIP2hex($mask[0]) . "') AND acid_event." . $ip_addr[$i][1] . "<= unhex('" . baseIP2hex($mask[1]) . "')"; } } } /* if have chosen the address type to be both source and destination */ if (preg_match("/ip_both/", $tmp)) { $tmp_src = preg_replace("/ip_both/", "ip_src", $tmp); $tmp_dst = preg_replace("/ip_both/", "ip_dst", $tmp); if ($ip_addr[$i][2] == '=') { $tmp = "(" . $tmp_src . ') OR (' . $tmp_dst . ')'; } else { $tmp = "(" . $tmp_src . ') AND (' . $tmp_dst . ')'; } } $aux_op = $ip_addr_cnt > 0 ? $ip_addr[$i][9] == "AND" || $ip_addr[$i][9] == "OR" ? $ip_addr[$i][9] : "AND" : ""; if ($tmp != "") { $tmp = $ip_addr[$i][0] . "(" . $tmp . ")" . $ip_addr[$i][8] . $aux_op; } } else { if (isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" || $ip_addr[$i][1] != " " && $ip_addr[$i][1] != "") { /* IP_addr_type, but MALFORMED IP address */ if ($ip_addr[$i][1] != " " && $ip_addr[$i][1] != "" && $ip_addr[$i][3] == "" && ($ip_addr[$i][4] != "" || $ip_addr[$i][5] != "" || $ip_addr[$i][6] != "")) { ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Invalid IP address criteria") . " ' *." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . " '"); } /* ADDRESS, but NO IP_addr_type was given */ if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] == " " && $ip_addr[$i][1] == "") { ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("A IP address of") . " '" . $ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . "' " . gettext("was entered for as a criteria value, but the type of address (e.g. source, destination) was not specified.")); } /* IP_addr_type IS FILLED, but no ADDRESS */ if ($ip_addr[$i][1] != " " && $ip_addr[$i][1] != "" && $ip_addr[$i][1] != "" && $ip_addr[$i][3] == "") { ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("An IP address of type") . " '" . $ip_addr[$i][1] . "' " . gettext("was selected (at #") . $i . ") " . gettext("indicating that an IP address should be a criteria, but no address on which to match was specified.")); } } } $tmp2 = $tmp2 . $tmp; if ($i > 0 && ($ip_addr[$i - 1][9] != 'OR' && $ip_addr[$i - 1][9] != 'AND') && $ip_addr[$i - 1][3] != "") { ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Multiple IP address criteria entered without a boolean operator (e.g. AND, OR) between IP Criteria") . " #{$i} and #" . ($i + 1) . "."); } } if ($tmp2 != "") { BalanceBrackets($tmp2); $criteria_sql = $criteria_sql . " AND ( " . $tmp2 . " )"; $ipfilter = true; //$use_ac = false; } else { $cs->criteria['ip_addr']->SetFormItemCnt(0); } /* IP Fields */ if (FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql) == 0) { $cs->criteria['ip_field']->SetFormItemCnt(0); } else { $use_ac = false; } /* CTX */ if ($ctx != "") { $criteria_sql .= " AND acid_event.ctx = UNHEX('{$ctx}')"; $criteria_sql_ac .= " AND acid_event.ctx = UNHEX('{$ctx}')"; } /* Layer-4 encapsulation */ if ($layer4 == "TCP") { $criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '6'"; $use_ac = false; } else { if ($layer4 == "UDP") { $criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '17'"; $use_ac = false; } else { if ($layer4 == "ICMP") { $criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '1'"; $use_ac = false; } else { if ($layer4 == "RawIP") { $criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '255'"; $use_ac = false; } else { $cs->criteria['layer4']->Set(""); } } } } /* Join the iphdr table if necessary */ if (!$cs->criteria['ip_field']->isEmpty()) { $join_sql = $ip_join_sql . $join_sql; } /* ********************** TCP Criteria ********************************************** */ if ($layer4 == "TCP") { $proto_tmp = ""; /* TCP Ports */ if (FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp) == 0) { $cs->criteria['tcp_port']->SetFormItemCnt(0); } $criteria_sql = $criteria_sql . $proto_tmp; $proto_tmp = ""; // ****************** DEPRECATED: TCP Flags TCP Fields ******************** /* TCP Flags */ /* if (isset($tcp_flags) && sizeof($tcp_flags) == 8) { if ($tcp_flags[0] == "contains" || $tcp_flags[0] == "is") { $flag_tmp = $tcp_flags[1] + $tcp_flags[2] + $tcp_flags[3] + $tcp_flags[4] + $tcp_flags[5] + $tcp_flags[6] + $tcp_flags[7] + $tcp_flags[8]; if ($tcp_flags[0] == "is") $proto_tmp = $proto_tmp . ' AND tcp_flags=' . $flag_tmp; else if ($tcp_flags[0] == "contains") $proto_tmp = $proto_tmp . ' AND (tcp_flags & ' . $flag_tmp . ' = ' . $flag_tmp . " )"; else $proto_tmp = ""; } } */ /* TCP Fields */ //if (FieldRows2sql($tcp_field, $tcp_field_cnt, $proto_tmp) == 0) $cs->criteria['tcp_field']->SetFormItemCnt(0); /* TCP Options * - not implemented */ //if (!$cs->criteria['tcp_port']->isEmpty() || !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty()) { //************************************************************************ if (!$cs->criteria['tcp_port']->isEmpty()) { $criteria_sql = $criteria_sql . $proto_tmp; // DEPRECATED tcp_join_sql //if (!$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty()) $join_sql = $tcp_join_sql . $join_sql; } } /* ********************** UDP Criteria ********************************************* */ if ($layer4 == "UDP") { $proto_tmp = ""; /* UDP Ports */ if (FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp) == 0) { $cs->criteria['udp_port']->SetFormItemCnt(0); } $criteria_sql = $criteria_sql . $proto_tmp; $proto_tmp = ""; // ********************** DEPRECATED UDP Fields ************************* /* UDP Fields */ //if (FieldRows2sql($udp_field, $udp_field_cnt, $proto_tmp) == 0) $cs->criteria['udp_field']->SetFormItemCnt(0); //if (!$cs->criteria['udp_port']->isEmpty() || !$cs->criteria['udp_field']->isEmpty()) { // ********************************************************************** if (!$cs->criteria['udp_port']->isEmpty()) { $criteria_sql = $criteria_sql . $proto_tmp; // DEPRECATED udp_join_sql //if (!$cs->criteria['udp_field']->isEmpty()) $join_sql = $udp_join_sql . $join_sql; } } // DEPRECATED: ICMP /* ********************** ICMP Criteria ******************************************** */ /* if ($layer4 == "ICMP") { $proto_tmp = ""; // ICMP Fields if (FieldRows2sql($icmp_field, $icmp_field_cnt, $proto_tmp) == 0) $cs->criteria['icmp_field']->SetFormItemCnt(0); if (!$cs->criteria['icmp_field']->isEmpty()) { $criteria_sql = $criteria_sql . $proto_tmp; $join_sql = $icmp_join_sql . $join_sql; } } */ /* ********************** Packet Scan Criteria ************************************* */ if ($layer4 == "RawIP") { $proto_tmp = ""; /* RawIP Fields */ if (FieldRows2sql($rawip_field, $rawip_field_cnt, $proto_tmp) == 0) { $cs->criteria['rawip_field']->SetFormItemCnt(0); } if (!$cs->criteria['rawip_field']->isEmpty()) { $criteria_sql = $criteria_sql . $proto_tmp; $join_sql = $rawip_join_sql . $join_sql; } } /* ********************** Payload Criteria ***************************************** */ //$tmp_payload = ""; if (DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload, $db->DB) == 0) { $cs->criteria['data']->SetFormItemCnt(0); } else { $use_ac = false; } //echo "<br><br><br>"; //print_r($data); //print_r("data_cnt: [".$data_cnt."]"); //print_r($cs->criteria['data']->isEmpty()); //print_r("criteria_ sql: [".$criteria_sql."]"); //print_r("tmp_payload: [".$tmp_payload."]"); //print_r($data); if (!$cs->criteria['data']->isEmpty()) { $sql = "SELECT acid_event.*, HEX(acid_event.ctx) AS ctx, HEX(acid_event.src_host) AS src_host, HEX(acid_event.dst_host) AS dst_host, HEX(acid_event.src_net) AS src_net, HEX(acid_event.dst_net) AS dst_net, extra_data.* FROM acid_event"; if (!preg_match("/extra_data/", $data_join_sql)) { $data_join_sql .= ",extra_data "; } $criteria_sql = $criteria_sql . $tmp_payload; $use_ac = false; } if ($sig_join) { $join_sql = $join_sql . $sig_join_sql; } $join_sql = $join_sql . $data_join_sql; $csql[0] = $join_sql; // special distinct for idm_username if ($otx_data || preg_match("/idm_data/", $join_sql)) { $sql = preg_replace("/^SELECT/", "SELECT DISTINCT", $sql); } // Ready to ac_acid_event //$criteria1_sql = $criteria_sql . preg_replace("/ \d\d:\d\d:\d\d/","",str_replace("timestamp","day",$real_time_meta)); $criteria1_sql = $criteria_sql . $real_time_meta; $criteria1_sql = preg_replace("/AND\\s+\\)/", " )", preg_replace("/OR\\s+\\)/", " )", $criteria1_sql)); // Ready to ac_acid_event next day //$criteria2_sql = $criteria_sql . preg_replace("/ \d\d:\d\d:\d\d/","",str_replace("timestamp","day",$time_meta)); $criteria2_sql = $criteria_sql . $time_meta; $criteria2_sql = preg_replace("/AND\\s+\\)/", " )", preg_replace("/OR\\s+\\)/", " )", $criteria2_sql)); // to acid_event $criteria_sql = $criteria_sql . $time_meta; $criteria_sql = preg_replace("/AND\\s+\\)/", " )", preg_replace("/OR\\s+\\)/", " )", $criteria_sql)); $csql[1] = $criteria_sql; //$csql[2] = $perms_sql . preg_replace("/ \d\d:\d\d:\d\d/","",str_replace("timestamp","day",$time_meta)); // $real_time_criteria $csql[2] = $perms_sql . $time_meta; $csql[3] = $use_ac; // true if we use ac_acid_event instead acid_event $csql[4] = $criteria1_sql; $csql[5] = $criteria2_sql; $csql[6] = $sfilter; $csql[7] = $ipfilter; $csql[8] = $idfilter; $csql[9] = $criteria_sql_ac; //print_r($csql); return $csql; }
function ProcessChartTimeConstraint($start_hour, $start_day, $start_month, $start_year, $stop_hour, $stop_day, $stop_month, $stop_year) { /* if any of the hour, day criteria is blank ' ', set it to NULL */ $start_hour = trim($start_hour); $stop_hour = trim($stop_hour); $start_day = trim($start_day); $stop_day = trim($stop_day); $tmp_sql = ""; if ($start_month == "" && $start_day == "" && $start_year == "") { $tmp_time = array(array(" ", " ", "", "", "", "", "", "", " ", " "), array(" ", "<=", $stop_month, $stop_day, $stop_year, $stop_hour, "", "", " ", " ")); } else { if ($stop_month == "" && $stop_day == "" && $stop_year == "") { $tmp_time = array(array(" ", ">=", $start_month, $start_day, $start_year, $start_hour, "", "", " ", " "), array(" ", " ", "", "", "", "", "", "", " ", " ")); } else { $tmp_time = array(array(" ", ">=", $start_month, $start_day, $start_year, $start_hour, "", "", " ", "AND"), array(" ", "<=", $stop_month, $stop_day, $stop_year, $stop_hour, "", "", " ", " ")); } } DateTimeRows2sql($tmp_time, 2, $tmp_sql); return $tmp_sql; }
function ProcessCriteria() { global $db, $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode, $caller, $DBtype; /* XXX-SEC */ global $cs, $timetz; /* the JOIN criteria */ $ip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid "; $tcp_join_sql = " LEFT JOIN tcphdr ON acid_event.sid=tcphdr.sid AND acid_event.cid=tcphdr.cid "; $udp_join_sql = " LEFT JOIN udphdr ON acid_event.sid=udphdr.sid AND acid_event.cid=udphdr.cid "; $icmp_join_sql = " LEFT JOIN icmphdr ON acid_event.sid=icmphdr.sid AND acid_event.cid=icmphdr.cid "; $rawip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid "; $sig_join_sql = " LEFT JOIN ossim.plugin_sid ON acid_event.plugin_id=plugin_sid.plugin_id AND acid_event.plugin_sid=plugin_sid.sid "; $sig_join = false; //$data_join_sql = " LEFT JOIN extra_data ON acid_event.sid=extra_data.sid AND acid_event.cid=extra_data.cid "; $data_join_sql = ""; $ag_join_sql = " LEFT JOIN acid_ag_alert ON acid_event.sid=acid_ag_alert.ag_sid AND acid_event.cid=acid_ag_alert.ag_cid "; //$sig_join_sql = ""; //$sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.*,extra_data.userdata1,extra_data.userdata2,extra_data.userdata3,extra_data.userdata4,extra_data.userdata5,extra_data.userdata6,extra_data.userdata7,extra_data.userdata8,extra_data.userdata9,extra_data.username,extra_data.password,extra_data.filename FROM acid_event"; $sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.* FROM acid_event"; // This needs to be examined!!! -- Kevin $where_sql = " WHERE "; //$where_sql = ""; // $criteria_sql = " acid_event.sid > 0"; // Initially show last 24hours events if ($_GET['time_range'] == "") { $criteria_sql = " ( timestamp >='" . gmdate("Y-m-d", $timetz) . "' ) "; } else { $criteria_sql = " 1 "; } //$criteria_sql = " ( timestamp <= CURDATE() ) "; //$criteria_sql = " 1 "; $join_sql = ""; /* ********************** Meta Criteria ******************************************** */ $sig = $cs->criteria['sig']->criteria; $sig_type = $cs->criteria['sig']->sig_type; $sig_class = $cs->criteria['sig_class']->criteria; $sig_priority = $cs->criteria['sig_priority']->criteria; $ag = $cs->criteria['ag']->criteria; $sensor = $cs->criteria['sensor']->criteria; $plugin = $cs->criteria['plugin']->criteria; $plugingroup = $cs->criteria['plugingroup']->criteria; $networkgroup = $cs->criteria['networkgroup']->criteria; $userdata = $cs->criteria['userdata']->criteria; $sourcetype = $cs->criteria['sourcetype']->criteria; $category = $cs->criteria['category']->criteria; $time = $cs->criteria['time']->GetUTC(); //$cs->criteria['time']->criteria; //print_r($time);print_r($cs->criteria['time']->criteria); $time_cnt = $cs->criteria['time']->GetFormItemCnt(); $ip_addr = $cs->criteria['ip_addr']->criteria; $ip_addr_cnt = $cs->criteria['ip_addr']->GetFormItemCnt(); $layer4 = $cs->criteria['layer4']->criteria; $ip_field = $cs->criteria['ip_field']->criteria; $ip_field_cnt = $cs->criteria['ip_field']->GetFormItemCnt(); $tcp_port = $cs->criteria['tcp_port']->criteria; $tcp_port_cnt = $cs->criteria['tcp_port']->GetFormItemCnt(); $tcp_flags = $cs->criteria['tcp_flags']->criteria; $tcp_field = $cs->criteria['tcp_field']->criteria; $tcp_field_cnt = $cs->criteria['tcp_field']->GetFormItemCnt(); $udp_port = $cs->criteria['udp_port']->criteria; $udp_port_cnt = $cs->criteria['udp_port']->GetFormItemCnt(); $udp_field = $cs->criteria['udp_field']->criteria; $udp_field_cnt = $cs->criteria['udp_field']->GetFormItemCnt(); $icmp_field = $cs->criteria['icmp_field']->criteria; $icmp_field_cnt = $cs->criteria['icmp_field']->GetFormItemCnt(); $rawip_field = $cs->criteria['rawip_field']->criteria; $rawip_field_cnt = $cs->criteria['rawip_field']->GetFormItemCnt(); $data = $cs->criteria['data']->criteria; $data_cnt = $cs->criteria['data']->GetFormItemCnt(); $cs->criteria['data']->data_encode; //$data_encode[0] = "ascii"; $data_encode[1] = "hex"; /* OSSIM */ $ossim_type = $cs->criteria['ossim_type']->criteria; $ossim_priority = $cs->criteria['ossim_priority']->criteria; $ossim_reliability = $cs->criteria['ossim_reliability']->criteria; $ossim_asset_dst = $cs->criteria['ossim_asset_dst']->criteria; $ossim_risk_a = $cs->criteria['ossim_risk_a']->criteria; $tmp_meta = ""; /* Sensor */ if ($sensor != "" && $sensor != " ") { $tmp_meta = $tmp_meta . " AND acid_event.sid in (" . $sensor . ")"; } else { $cs->criteria['sensor']->Set(""); // Filter by user perms if no criteria if (Session::allowedSensors() != "") { $user_sensors = explode(",", Session::allowedSensors()); $snortsensors = GetSensorSids($db); $sensor_str = ""; foreach ($user_sensors as $user_sensor) { if (count($snortsensors[$user_sensor]) > 0) { $sensor_str .= $sensor_str != "" ? "," . implode(",", $snortsensors[$user_sensor]) : implode(",", $snortsensors[$user_sensor]); } } if ($sensor_str == "") { $sensor_str = "0"; } $tmp_meta .= " AND acid_event.sid in (" . $sensor_str . ")"; } } /* Plugin */ if ($plugin != "" && $plugin != " ") { $tmp_meta = $tmp_meta . " AND acid_event.plugin_id in (" . $plugin . ")"; } /* Plugin Group */ if ($plugingroup != "" && $plugingroup != " ") { $pg_ids = QueryOssimPluginGroup($plugingroup); if ($pg_ids != "") { $tmp_meta = $tmp_meta . " AND ({$pg_ids}) "; } else { $tmp_meta = $tmp_meta . " AND (acid_event.plugin_id=-1 AND acid_event.plugin_sid=-1)"; } } /* Network Group */ if ($networkgroup != "" && $networkgroup != " ") { $ng_ids = QueryOssimNetworkGroup($networkgroup); if ($ng_ids != "") { $tmp_meta = $tmp_meta . " AND ({$ng_ids}) "; } } /* User Data */ //print_r($_SESSION); //echo "User Data:$userdata"; if (trim($userdata[2]) != "") { $sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.*,extra_data.* FROM acid_event"; $data_join_sql = ",extra_data "; $flt = "extra_data." . $userdata[0] . " " . $userdata[1] . " " . ($userdata[1] == "like" ? "'%" . str_replace("'", "\\'", $userdata[2]) . "%'" : "'" . $userdata[2] . "'"); $tmp_meta .= " AND acid_event.sid=extra_data.sid AND acid_event.cid=extra_data.cid AND ({$flt})"; } /* Source Type */ if (trim($sourcetype) != "") { $tmp_meta = $tmp_meta . " AND acid_event.plugin_id in (" . GetPluginListBySourceType($sourcetype) . ")"; } /* Category */ if ($category[0] != 0) { $sig_join = true; $tmp_meta = $tmp_meta . GetPluginListByCategory($category); } /* Alert Group */ if ($ag != "" && $ag != " ") { $tmp_meta = $tmp_meta . " AND ag_id =" . $ag; $join_sql = $join_sql . $ag_join_sql; } else { $cs->criteria['ag']->Set(""); } /* Signature */ if (isset($sig[0]) && $sig[0] != " " && $sig[0] != "" && (isset($sig[1]) && $sig[1] != "")) { if ($sig_type == 1) { // sending sig[1]=plugin_id;plugin_sid $pidsid = preg_split("/[\\s;]+/", $sig[1]); $tmp_meta = $tmp_meta . " AND (acid_event.plugin_id=" . intval($pidsid[0]) . " AND acid_event.plugin_sid=" . intval($pidsid[1]) . ")"; } else { // free string $sig_ids = QueryOssimSignature($sig[1], $sig[0], $sig[2]); $sig_join = true; $tmp_meta = $tmp_meta . " AND ({$sig_ids})"; //if ($sig_ids != "") // $tmp_meta = $tmp_meta . " AND ($sig_ids) "; //else // $tmp_meta = $tmp_meta." AND (plugin_id=-1 AND plugin_sid=-1)"; } } else { $cs->criteria['sig']->Set(""); } /* Signature Classification if ($sig_class != " " && $sig_class != "" && $sig_class != "0") { $tmp_meta = $tmp_meta . " AND sig_class_id = '" . $sig_class . "'"; } else if ($sig_class == "0") { $tmp_meta = $tmp_meta . " AND (sig_class_id is null OR sig_class_id = '0')"; } else $cs->criteria['sig_class']->Set(""); */ /* Signature Priority if ($sig_priority[1] != " " && $sig_priority[1] != "" && $sig_priority[1] != "0") { $tmp_meta = $tmp_meta . " AND sig_priority " . $sig_priority[0] . " '" . $sig_priority[1] . "'"; } else if ($sig_priority[1] == "0") { $tmp_meta = $tmp_meta . " AND (sig_priority is null OR sig_priority = '0')"; } else $cs->criteria['sig_priority']->Set("");*/ /* Date/Time if ( DateTimeRows2sql($time, $time_cnt, $tmp_meta) == 0 ) $cs->criteria['time']->SetFormItemCnt(0); */ /* * OSSIM Code */ /* OSSIM Type */ if ($ossim_type[1] != " " && $ossim_type[1] != "" && $ossim_type[1] != "0") { $tmp_meta = $tmp_meta . " AND acid_event.ossim_type = '" . $ossim_type[1] . "'"; } else { if ($ossim_type[1] == "0") { $tmp_meta = $tmp_meta . " AND (acid_event.ossim_type is null OR acid_event.ossim_type = '0')"; } else { $cs->criteria['ossim_type']->Set(""); } } /* OSSIM Priority */ if ($ossim_priority[1] != " " && $ossim_priority[1] != "" && $ossim_priority[1] != "0") { $tmp_meta = $tmp_meta . " AND acid_event.ossim_priority " . $ossim_priority[0] . " '" . $ossim_priority[1] . "'"; } else { if ($ossim_priority[1] == "0") { $tmp_meta = $tmp_meta . " AND (acid_event.ossim_priority is null OR acid_event.ossim_priority = '0')"; } else { $cs->criteria['ossim_priority']->Set(""); } } /* OSSIM Reliability */ if ($ossim_reliability[1] != " " && $ossim_reliability[1] != "" && $ossim_reliability[1] != "0") { $tmp_meta = $tmp_meta . " AND acid_event.ossim_reliability " . $ossim_reliability[0] . " '" . $ossim_reliability[1] . "'"; } else { if ($ossim_reliability[1] == "0") { $tmp_meta = $tmp_meta . " AND (acid_event.ossim_reliability is null OR acid_event.ossim_reliability = '0')"; } else { $cs->criteria['ossim_reliability']->Set(""); } } /* OSSIM Asset DST */ if ($ossim_asset_dst[1] != " " && $ossim_asset_dst[1] != "" && $ossim_asset_dst[1] != "0") { $tmp_meta = $tmp_meta . " AND acid_event.ossim_asset_dst " . $ossim_asset_dst[0] . " '" . $ossim_asset_dst[1] . "'"; } else { if ($ossim_asset_dst[1] == "0") { $tmp_meta = $tmp_meta . " AND (acid_event.ossim_asset_dst is null OR acid_event.ossim_asset_dst = '0')"; } else { $cs->criteria['ossim_asset_dst']->Set(""); } } /* OSSIM Risk A */ if ($ossim_risk_a != " " && $ossim_risk_a != "" && $ossim_risk_a != "0") { if ($ossim_risk_a == "low") { //$tmp_meta = $tmp_meta." AND ossim_risk_a >= 1 AND ossim_risk_a <= 4 "; $tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a < 1 "; } else { if ($ossim_risk_a == "medium") { //$tmp_meta = $tmp_meta." AND ossim_risk_a >= 5 AND ossim_risk_a <= 7 "; $tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a = 1 "; } else { if ($ossim_risk_a == "high") { //$tmp_meta = $tmp_meta." AND ossim_risk_a >= 8 AND ossim_risk_a <= 10 "; $tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a > 1 "; } } } } else { $cs->criteria['ossim_risk_a']->Set(""); } /* Date/Time */ if (DateTimeRows2sql($time, $time_cnt, $tmp_meta) == 0) { $cs->criteria['time']->SetFormItemCnt(0); } $criteria_sql = $criteria_sql . $tmp_meta; /* ********************** IP Criteria ********************************************** */ /* IP Addresses */ $tmp2 = ""; for ($i = 0; $i < $ip_addr_cnt; $i++) { $tmp = ""; if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] != " ") { if ($ip_addr[$i][3] != "" && $ip_addr[$i][4] != "" && $ip_addr[$i][5] != "" && $ip_addr[$i][6] != "") { /* if use illegal 256.256.256.256 address then * this is the special case where need to search for portscans */ if ($ip_addr[$i][3] == "256" && $ip_addr[$i][4] == "256" && $ip_addr[$i][5] == "256" && $ip_addr[$i][6] == "256") { $tmp = $tmp . " acid_event." . $ip_addr[$i][1] . " IS NULL" . " "; } else { if ($ip_addr[$i][10] == "") { $tmp = $tmp . " acid_event." . $ip_addr[$i][1] . $ip_addr[$i][2] . "'" . baseIP2long($ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6]) . "' "; } else { $mask = getIPMask($ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6], $ip_addr[$i][10]); if ($ip_addr[$i][2] == "!=") { $tmp_op = " NOT "; } else { $tmp_op = ""; } $tmp = $tmp . $tmp_op . " (acid_event." . $ip_addr[$i][1] . ">= '" . baseIP2long($mask[0]) . "' AND " . "acid_event." . $ip_addr[$i][1] . "<= '" . baseIP2long($mask[1]) . "')"; } } } /* if have chosen the address type to be both source and destination */ if (ereg("ip_both", $tmp)) { $tmp_src = ereg_replace("ip_both", "ip_src", $tmp); $tmp_dst = ereg_replace("ip_both", "ip_dst", $tmp); if ($ip_addr[$i][2] == '=') { $tmp = "(" . $tmp_src . ') OR (' . $tmp_dst . ')'; } else { $tmp = "(" . $tmp_src . ') AND (' . $tmp_dst . ')'; } } if ($tmp != "") { $tmp = $ip_addr[$i][0] . "(" . $tmp . ")" . $ip_addr[$i][8] . $ip_addr[$i][9]; } } else { if (isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" || $ip_addr[$i][1] != " ") { /* IP_addr_type, but MALFORMED IP address */ if ($ip_addr[$i][1] != " " && $ip_addr[$i][3] == "" && ($ip_addr[$i][4] != "" || $ip_addr[$i][5] != "" || $ip_addr[$i][6] != "")) { ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Invalid IP address criteria") . " ' *." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . " '"); } /* ADDRESS, but NO IP_addr_type was given */ if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] == " ") { ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("A IP address of") . " '" . $ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . "' " . gettext("was entered for as a criteria value, but the type of address (e.g. source, destination) was not specified.")); } /* IP_addr_type IS FILLED, but no ADDRESS */ if ($ip_addr[$i][1] != " " && $ip_addr[$i][1] != "" && $ip_addr[$i][3] == "") { ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("An IP address of type") . " '" . $ip_addr[$i][1] . "' " . gettext("was selected (at #") . $i . ") " . gettext("indicating that an IP address should be a criteria, but no address on which to match was specified.")); } } } $tmp2 = $tmp2 . $tmp; if ($i > 0 && $ip_addr[$i - 1][9] == ' ' && $ip_addr[$i - 1][3] != "") { ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Multiple IP address criteria entered without a boolean operator (e.g. AND, OR) between IP Criteria") . " #{$i} and #" . ($i + 1) . "."); } } if ($tmp2 != "") { $criteria_sql = $criteria_sql . " AND ( " . $tmp2 . " )"; } else { $cs->criteria['ip_addr']->SetFormItemCnt(0); } /* IP Fields */ if (FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql) == 0) { $cs->criteria['ip_field']->SetFormItemCnt(0); } /* Layer-4 encapsulation */ if ($layer4 == "TCP") { $criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '6'"; } else { if ($layer4 == "UDP") { $criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '17'"; } else { if ($layer4 == "ICMP") { $criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '1'"; } else { if ($layer4 == "RawIP") { $criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '255'"; } else { $cs->criteria['layer4']->Set(""); } } } } /* Join the iphdr table if necessary */ if (!$cs->criteria['ip_field']->isEmpty()) { $join_sql = $ip_join_sql . $join_sql; } /* ********************** TCP Criteria ********************************************** */ if ($layer4 == "TCP") { $proto_tmp = ""; /* TCP Ports */ if (FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp) == 0) { $cs->criteria['tcp_port']->SetFormItemCnt(0); } $criteria_sql = $criteria_sql . $proto_tmp; $proto_tmp = ""; /* TCP Flags */ if (isset($tcp_flags) && sizeof($tcp_flags) == 8) { if ($tcp_flags[0] == "contains" || $tcp_flags[0] == "is") { $flag_tmp = $tcp_flags[1] + $tcp_flags[2] + $tcp_flags[3] + $tcp_flags[4] + $tcp_flags[5] + $tcp_flags[6] + $tcp_flags[7] + $tcp_flags[8]; if ($tcp_flags[0] == "is") { $proto_tmp = $proto_tmp . ' AND tcp_flags=' . $flag_tmp; } else { if ($tcp_flags[0] == "contains") { $proto_tmp = $proto_tmp . ' AND (tcp_flags & ' . $flag_tmp . ' = ' . $flag_tmp . " )"; } else { $proto_tmp = ""; } } } } /* TCP Fields */ if (FieldRows2sql($tcp_field, $tcp_field_cnt, $proto_tmp) == 0) { $cs->criteria['tcp_field']->SetFormItemCnt(0); } /* TCP Options * - not implemented */ if (!$cs->criteria['tcp_port']->isEmpty() || !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty()) { $criteria_sql = $criteria_sql . $proto_tmp; if (!$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty()) { $join_sql = $tcp_join_sql . $join_sql; } } } /* ********************** UDP Criteria ********************************************* */ if ($layer4 == "UDP") { $proto_tmp = ""; /* UDP Ports */ if (FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp) == 0) { $cs->criteria['udp_port']->SetFormItemCnt(0); } $criteria_sql = $criteria_sql . $proto_tmp; $proto_tmp = ""; /* UDP Fields */ if (FieldRows2sql($udp_field, $udp_field_cnt, $proto_tmp) == 0) { $cs->criteria['udp_field']->SetFormItemCnt(0); } if (!$cs->criteria['udp_port']->isEmpty() || !$cs->criteria['udp_field']->isEmpty()) { $criteria_sql = $criteria_sql . $proto_tmp; if (!$cs->criteria['udp_field']->isEmpty()) { $join_sql = $udp_join_sql . $join_sql; } } } /* ********************** ICMP Criteria ******************************************** */ if ($layer4 == "ICMP") { $proto_tmp = ""; /* ICMP Fields */ if (FieldRows2sql($icmp_field, $icmp_field_cnt, $proto_tmp) == 0) { $cs->criteria['icmp_field']->SetFormItemCnt(0); } if (!$cs->criteria['icmp_field']->isEmpty()) { $criteria_sql = $criteria_sql . $proto_tmp; $join_sql = $icmp_join_sql . $join_sql; } } /* ********************** Packet Scan Criteria ************************************* */ if ($layer4 == "RawIP") { $proto_tmp = ""; /* RawIP Fields */ if (FieldRows2sql($rawip_field, $rawip_field_cnt, $proto_tmp) == 0) { $cs->criteria['rawip_field']->SetFormItemCnt(0); } if (!$cs->criteria['rawip_field']->isEmpty()) { $criteria_sql = $criteria_sql . $proto_tmp; $join_sql = $rawip_join_sql . $join_sql; } } /* ********************** Payload Criteria ***************************************** */ //$tmp_payload = ""; if (DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload) == 0) { $cs->criteria['data']->SetFormItemCnt(0); } //echo "<br><br><br>"; //print_r($data); //print_r("data_cnt: [".$data_cnt."]"); //print_r($cs->criteria['data']->isEmpty()); //print_r("criteria_ sql: [".$criteria_sql."]"); //print_r("tmp_payload: [".$tmp_payload."]"); if (!$cs->criteria['data']->isEmpty()) { $sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.*,extra_data.* FROM acid_event"; $data_join_sql = ",extra_data "; $criteria_sql = $criteria_sql . $tmp_payload; } if ($sig_join) { $join_sql = $join_sql . $sig_join_sql; } $join_sql = $join_sql . $data_join_sql; $csql[0] = $join_sql; $criteria_sql = preg_replace("/AND\\s+\\)/", " )", preg_replace("/OR\\s+\\)/", " )", $criteria_sql)); $csql[1] = $criteria_sql; //print_r($csql); return $csql; }