          (select count(distinct(ip_dst)) from ac_alerts_ipdst where ac_alerts_signature.signature=ac_alerts_ipdst.signature $sqlc) as daddr_cnt,
          sig_class_id
          FROM ac_alerts_signature FORCE INDEX(primary) WHERE ac_alerts_signature.sig_cnt>0 $where GROUP BY signature, sig_name, sig_class_id $orderby";
        $event_cnt = EventCnt($db, "", "", "SELECT sum(sig_cnt) FROM ac_alerts_signature FORCE INDEX(primary) WHERE ac_alerts_signature.sig_cnt>0 $where");
    */
} else {
    $event_cnt = EventCnt($db, "", "", "SELECT count(*) " . $from . $where);
    if ($event_cnt == 0) {
        $event_cnt = 1;
    }
}
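/* Run the query again for the actual data (with the LIMIT). */
$result = $qs->ExecuteOutputQuery($sql, $db);
if ($use_ac) {
    // Presumably the accumulate-table path: the row total is derived from $cnt_sql
    // rather than from the paged result itself (GetCalcFoundRows is not visible here).
    $qs->GetCalcFoundRows($cnt_sql, $db);
}
if ($debug_time_mode >= 1) {
    $et->Mark("Retrieve Query Data");
}
if ($debug_mode == 1) {
    $qs->PrintCannedQueryList();
    $qs->DumpState();
    // This debug output is written into an HTML page, so it is escaped for that
    // context. $sql carries the caller-built $where fragment, which may contain
    // filter values supplied by the user, so it must not be echoed raw.
    // NOTE(review): where $debug_mode is set is not visible in this chunk; if it can
    // be toggled from the request, this still discloses the full query text to any
    // viewer of the page — confirm it is a server-side switch only.
    echo htmlspecialchars($sql, ENT_QUOTES, 'UTF-8') . "<BR>";
}
/* Print the current view number and # of rows. */
$displaying = gettext("Displaying unique events %d-%d of <b>%s</b> matching your selection.");
if (Session::am_i_admin()) {
    // Only administrators get the database-wide total appended to the caption.
    $displaying .= gettext(" <b>%s</b> total events in database.");
}
$qs->PrintResultCnt("", array(), $displaying);
// NOTE(review): the sibling stat pages call session_write_close() before running
// their query; this page keeps the session open across it — confirm that is intended.
echo '<FORM METHOD="post" name="PacketForm" id="PacketForm" ACTION="base_stat_alerts.php">';
$qro->PrintHeader();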
$qro->AddTitle(' ');

// Sort selection made by the user, split into its SELECT-side ([0]) and
// ORDER BY-side ([1]) SQL fragments.
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());

// One row per OTX pulse with the number of distinct events and distinct IOC hashes
// that matched it. $from and $where are assembled by the caller and concatenated
// verbatim; nothing here parameterises them, so this query is only as safe as that
// assembly, which is not visible in this chunk.
$selectClause = "SELECT SQL_CALC_FOUND_ROWS hex(otx_data.pulse_id) as pulse, "
    . "COUNT(distinct otx_data.event_id) as num_events, "
    . "COUNT(distinct otx_data.ioc_hash) as num_iocs ";
$sql = $selectClause . $sort_sql[0] . $from . $where . " GROUP BY pulse_id " . $sort_sql[1];

// Debug hook: the mere presence of /tmp/debug_siem turns on query logging to /tmp/siem.
// NOTE(review): both paths sit in /tmp, which is normally world-writable, so any local
// user can switch this on and can pre-create /tmp/siem (for instance as a symlink)
// before error_log() appends to it; the logged text also includes whatever filter
// criteria ended up in $where. A path under the application's own log directory would
// be safer — behaviour left unchanged here.
$debugTriggerFile = '/tmp/debug_siem';
if (file_exists($debugTriggerFile)) {
    error_log("STATS OTX:$sql\n", 3, "/tmp/siem");
}

// Persist and unlock the session before the (potentially slow) query. $_SESSION is
// still readable below, but writes to it after this point would not be saved.
session_write_close();
$result = $qs->ExecuteOutputQuery($sql, $db);

// Fallback count used by GetCalcFoundRows when FOUND_ROWS is not usable (its exact
// logic is not visible here).
// NOTE(review): this count query ends in GROUP BY pulse_id, so it yields one row per
// pulse (each counting 1) rather than a single total — verify GetCalcFoundRows copes.
$countSql = "SELECT count(DISTINCT pulse_id) " . $from . $where . " GROUP BY pulse_id";
$event_cnt = $qs->GetCalcFoundRows($countSql, $result->baseRecordCount(), $db);

$et->Mark("Retrieve Query Data");

$report_data = array(); // rows gathered for the report output

// Database connection for the per-pulse lookups: a custom server if one is configured
// in the session (index 0 = host, 2 and 3 = further connection parameters), otherwise
// the default connection.
$serverCfg = $_SESSION["server"];
if (is_array($serverCfg) && $serverCfg[0] != "") {
    $_conn = $dbo->custom_connect($serverCfg[0], $serverCfg[2], $serverCfg[3]);
} else {
    $_conn = $dbo->connect();
}

$event_pulses = array();
    $from .= ', device ';
    $where .= ' AND device.id=acid_event.device_id';
    $sql .= ", {$addr_type_id}, hex(sensor_id) as id";
    $sql = $sql . $sort_sql[0] . $from . $where . " GROUP BY {$addr_type_name}, device.sensor_id HAVING num_events>0 " . $sort_sql[1];
}
// Keep this view's FROM/WHERE in the session so the mapping page can reuse the same
// selection; the leading "WHERE 1" placeholder is stripped from the WHERE part.
// These writes must stay above session_write_close() below or they are not persisted.
$mappingWhere = preg_replace('/\s+WHERE\s+1/', "", $where);
$_SESSION['_siem_mapping_from'] = $from;
$_SESSION['_siem_mapping_where'] = $mappingWhere;

// Debug hook: the presence of /tmp/debug_siem turns on query logging to /tmp/siem.
// NOTE(review): both paths sit in /tmp, which is normally world-writable, so any local
// user can switch this on and can pre-create /tmp/siem (for instance as a symlink)
// before error_log() appends to it; the logged text includes the filter criteria in
// $where. A path under the application's own log directory would be safer — behaviour
// left unchanged here.
if (file_exists('/tmp/debug_siem')) {
    error_log("STATS IP:{$sql}\n", 3, "/tmp/siem");
}

// Run the query again for the actual data (with the LIMIT). The session is written
// and unlocked first; nothing below modifies $_SESSION.
session_write_close();
$result = $qs->ExecuteOutputQuery($sql, $db);
$event_cnt = $qs->GetCalcFoundRows($cnt_sql, $result->baseRecordCount(), $db);
// A zero total is bumped to one, presumably to keep the downstream paging
// arithmetic away from zero.
if ($event_cnt == 0) {
    $event_cnt = 1;
}
$et->Mark("Retrieve Query Data");

/* Print the current view number and # of rows. */
$qs->PrintResultCnt("", array(), $displaytitle);
echo '<FORM METHOD="post" name="PacketForm" id="PacketForm" ACTION="base_stat_uaddr.php">';
if ($qs->num_result_rows > 0) {
    $qro->PrintHeader();
}
// Optional destination FQDN column.
// NOTE(review): $fqdn is compared loosely and its origin is not visible in this chunk.
if ($fqdn == "yes") {
    $qro->AddTitle(gettext("Destination FQDN"));
}

// Sortable columns: title, ascending sort key and ORDER BY, descending sort key and
// ORDER BY. Registered in this fixed order so the column layout stays stable.
$sortableColumns = array(
    array(gettext("Protocol"),         "proto_a",  " ORDER BY ip_proto ASC", "proto_d",  " ORDER BY ip_proto DESC"),
    array(gettext("Unique Dst Ports"), "dport_a",  " ORDER BY clayer4 ASC",  "dport_d",  " ORDER BY clayer4 DESC"),
    array(gettext("Unique Events"),    "sig_a",    " ORDER BY csig ASC",     "sig_d",    " ORDER BY csig DESC"),
    array(gettext("Total Events"),     "events_a", " ORDER BY ccid ASC",     "events_d", " ORDER BY ccid DESC"),
);
foreach ($sortableColumns as $column) {
    $qro->AddTitle($column[0], $column[1], "", $column[2], $column[3], "", $column[4]);
}

$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());

// One row per (src, dst, proto) link with distinct destination ports, total events
// and distinct signatures. $from and $where are assembled by the caller and
// concatenated verbatim; nothing here parameterises them, so this query is only as
// safe as that assembly, which is not visible in this chunk.
$selectClause = "SELECT SQL_CALC_FOUND_ROWS acid_event.ip_src, acid_event.ip_dst, acid_event.ip_proto, "
    . "hex(acid_event.ctx) as ctx, COUNT(DISTINCT acid_event.layer4_dport) as clayer4, "
    . "COUNT(acid_event.id) as ccid, COUNT(DISTINCT acid_event.plugin_id, acid_event.plugin_sid) csig, "
    . "HEX(acid_event.src_host) AS src_host, HEX(acid_event.dst_host) AS dst_host ";
$sql = $selectClause . $sort_sql[0] . $from . $where . " GROUP by ip_src, ip_dst, ip_proto " . $sort_sql[1];

// Run the query again for the actual data (with the LIMIT).
// NOTE(review): $submit is stored as the current view as-is; where it comes from is
// not visible here.
$qs->current_view = $submit;
session_write_close();
$result = $qs->ExecuteOutputQuery($sql, $db);
// No fallback count query is supplied here; presumably the total comes from
// SQL_CALC_FOUND_ROWS via baseRecordCount().
$qs->GetCalcFoundRows('', $result->baseRecordCount(), $db);
$et->Mark("Retrieve Query Data");

/* Print the current view number and # of rows. */
$displaying = gettext("Displaying unique ip links %d-%d of <b>%s</b> matching your selection.");
$qs->PrintResultCnt("", array(), $displaying);
echo '<FORM METHOD="post" name="PacketForm" id="PacketForm" ACTION="base_stat_iplink.php">';
if ($qs->num_result_rows > 0) {
    $qro->PrintHeader();
}

// Row counter and report buffer for the output loop that follows.
$i = 0;
$report_data = array();