(select count(distinct(ip_dst)) from ac_alerts_ipdst where ac_alerts_signature.signature=ac_alerts_ipdst.signature $sqlc) as daddr_cnt, sig_class_id FROM ac_alerts_signature FORCE INDEX(primary) WHERE ac_alerts_signature.sig_cnt>0 $where GROUP BY signature, sig_name, sig_class_id $orderby"; $event_cnt = EventCnt($db, "", "", "SELECT sum(sig_cnt) FROM ac_alerts_signature FORCE INDEX(primary) WHERE ac_alerts_signature.sig_cnt>0 $where"); */ } else { $event_cnt = EventCnt($db, "", "", "SELECT count(*) " . $from . $where); if ($event_cnt == 0) { $event_cnt = 1; } } //echo $sql; echo $cnt_sql; /* Run the Query again for the actual data (with the LIMIT) */ $result = $qs->ExecuteOutputQuery($sql, $db); if ($use_ac) { $qs->GetCalcFoundRows($cnt_sql, $db); } $debug_time_mode >= 1 ? $et->Mark("Retrieve Query Data") : ''; if ($debug_mode == 1) { $qs->PrintCannedQueryList(); $qs->DumpState(); echo "{$sql}<BR>"; } /* Print the current view number and # of rows */ $displaying = gettext("Displaying unique events %d-%d of <b>%s</b> matching your selection."); if (Session::am_i_admin()) { $displaying .= gettext(" <b>%s</b> total events in database."); } $qs->PrintResultCnt("", array(), $displaying); echo '<FORM METHOD="post" name="PacketForm" id="PacketForm" ACTION="base_stat_alerts.php">'; $qro->PrintHeader();
$qro->AddTitle(' ');
// GetSortSQL() returns [select-suffix, order-by] fragments for the current sort key.
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort() , $qs->GetCurrentCannedQuerySort());
// Main OTX pulse query: events and distinct IoCs per pulse. $from/$where are built by the
// caller (outside this view), so the safety of this concatenated SQL rests on how those
// fragments are validated there. SQL_CALC_FOUND_ROWS feeds GetCalcFoundRows() below.
$sql = "SELECT SQL_CALC_FOUND_ROWS hex(otx_data.pulse_id) as pulse, COUNT(distinct otx_data.event_id) as num_events, COUNT(distinct otx_data.ioc_hash) as num_iocs ". $sort_sql[0] . $from . $where . " GROUP BY pulse_id " . $sort_sql[1];
// use accumulate tables only with timestamp criteria
// NOTE(review): debug logging is toggled by the mere existence of a file in a world-writable
// directory and appends the full query text (filter criteria included) to a fixed /tmp path.
// A config-driven switch and a log file under the application's own log directory would be safer.
if (file_exists('/tmp/debug_siem')) {
    error_log("STATS OTX:$sql\n", 3, "/tmp/siem");
}
/* Run the Query again for the actual data (with the LIMIT) */
// Release the session lock before the (potentially slow) query — presumably so concurrent
// requests from the same session are not blocked; TODO confirm
session_write_close();
$result = $qs->ExecuteOutputQuery($sql, $db);
// Fallback count query in case FOUND_ROWS() is unavailable.
// NOTE(review): with GROUP BY pulse_id this returns one row per pulse (each counting 1) rather
// than a single total; whether GetCalcFoundRows() counts rows or reads the value is outside
// this view — confirm.
$event_cnt = $qs->GetCalcFoundRows("SELECT count(DISTINCT pulse_id) " . $from . $where . " GROUP BY pulse_id", $result->baseRecordCount(), $db);
$et->Mark("Retrieve Query Data");
$report_data = array(); // data to fill report_data
// Use the server selected in the session when one is set, otherwise the default connection.
if (is_array($_SESSION["server"]) && $_SESSION["server"][0]!="") {
    $_conn = $dbo->custom_connect($_SESSION["server"][0],$_SESSION["server"][2],$_SESSION["server"][3]);
} else {
    $_conn = $dbo->connect();
}
$event_pulses = array();
$from .= ', device ';
$where .= ' AND device.id=acid_event.device_id';
// NOTE(review): $addr_type_id / $addr_type_name are interpolated straight into the SQL; they
// are set outside this view — confirm they come from a fixed set of column names, not request input.
$sql .= ", {$addr_type_id}, hex(sensor_id) as id";
$sql = $sql . $sort_sql[0] . $from . $where . " GROUP BY {$addr_type_name}, device.sensor_id HAVING num_events>0 " . $sort_sql[1];
}
// Save WHERE in session for Mapping
// NOTE(review): a raw SQL fragment is persisted in the session for reuse by the mapping page;
// every writer of $where must already guarantee it is safe, as the consumer cannot re-validate it.
$_SESSION['_siem_mapping_from'] = $from;
// Strips the "WHERE 1" placeholder, presumably so the mapping page can append its own clause; TODO confirm
$_SESSION['_siem_mapping_where'] = preg_replace("/\\s+WHERE\\s+1/", "", $where);
// NOTE(review): debug logging toggled by a file in world-writable /tmp, writing the full query
// (filter criteria included) to a fixed /tmp path — prefer a config switch and the app's log dir.
if (file_exists('/tmp/debug_siem')) {
    error_log("STATS IP:{$sql}\n", 3, "/tmp/siem");
}
/* Run the Query again for the actual data (with the LIMIT) */
// Release the session lock before running the query.
session_write_close();
$result = $qs->ExecuteOutputQuery($sql, $db);
//$qs->GetNumResultRows($cnt_sql, $db);
$event_cnt = $qs->GetCalcFoundRows($cnt_sql, $result->baseRecordCount(), $db);
// Floor at 1 — presumably to keep later ratio/pagination math away from division by zero; TODO confirm
if ($event_cnt == 0) {
    $event_cnt = 1;
}
$et->Mark("Retrieve Query Data");
// if ($debug_mode == 1) {
//     $qs->PrintCannedQueryList();
//     $qs->DumpState();
//     echo "$sql<BR>";
// }
/* Print the current view number and # of rows */
$qs->PrintResultCnt("", array(), $displaytitle);
echo '<FORM METHOD="post" name="PacketForm" id="PacketForm" ACTION="base_stat_uaddr.php">';
// The table header is only emitted when there is at least one row to show.
if ($qs->num_result_rows > 0) {
    $qro->PrintHeader();
}
if ($fqdn == "yes") {
    $qro->AddTitle(gettext("Destination FQDN"));
}
// Sortable columns: each title registers the fixed ORDER BY fragment for its ascending and
// descending sort keys. Presumably GetSortSQL() maps the current sort key onto one of these
// registered fragments, so the ORDER BY clause is never built from raw input — confirm in the
// result-output class.
$qro->AddTitle(gettext("Protocol"), "proto_a", "", " ORDER BY ip_proto ASC", "proto_d", "", " ORDER BY ip_proto DESC");
$qro->AddTitle(gettext("Unique Dst Ports"), "dport_a", "", " ORDER BY clayer4 ASC", "dport_d", "", " ORDER BY clayer4 DESC");
$qro->AddTitle(gettext("Unique Events"), "sig_a", "", " ORDER BY csig ASC", "sig_d", "", " ORDER BY csig DESC");
$qro->AddTitle(gettext("Total Events"), "events_a", "", " ORDER BY ccid ASC", "events_d", "", " ORDER BY ccid DESC");
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());
// One row per (ip_src, ip_dst, ip_proto) link with: distinct destination ports (clayer4),
// total events (ccid) and distinct signatures as (plugin_id, plugin_sid) pairs (csig).
// $from/$where are assembled by the caller outside this view; this concatenation is only as
// safe as those fragments. SQL_CALC_FOUND_ROWS feeds GetCalcFoundRows() below.
$sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.ip_src, acid_event.ip_dst, acid_event.ip_proto, hex(acid_event.ctx) as ctx, COUNT(DISTINCT acid_event.layer4_dport) as clayer4, COUNT(acid_event.id) as ccid, COUNT(DISTINCT acid_event.plugin_id, acid_event.plugin_sid) csig, HEX(acid_event.src_host) AS src_host, HEX(acid_event.dst_host) AS dst_host " . $sort_sql[0] . $from . $where . " GROUP by ip_src, ip_dst, ip_proto " . $sort_sql[1];
#$sql = "SELECT DISTINCT acid_event.ip_src, acid_event.ip_dst, acid_event.ip_proto " . $sort_sql[0] . $from . $where . $sort_sql[1];
/* Run the Query again for the actual data (with the LIMIT) */
$qs->current_view = $submit;
//echo "<br>$sql<br>\n";
// Release the session lock before running the query.
session_write_close();
$result = $qs->ExecuteOutputQuery($sql, $db);
// No explicit count query is passed here (the other stats pages pass one); presumably the
// total comes from SQL_CALC_FOUND_ROWS or the base record count — TODO confirm
$qs->GetCalcFoundRows('', $result->baseRecordCount(), $db);
$et->Mark("Retrieve Query Data");
// if ($debug_mode == 1) {
//     $qs->PrintCannedQueryList();
//     $qs->DumpState();
//     echo "$sql<BR>";
// }
/* Print the current view number and # of rows */
$displaying = gettext("Displaying unique ip links %d-%d of <b>%s</b> matching your selection.");
$qs->PrintResultCnt("", array(), $displaying);
echo '<FORM METHOD="post" name="PacketForm" id="PacketForm" ACTION="base_stat_iplink.php">';
// The table header is only emitted when there is at least one row to show.
if ($qs->num_result_rows > 0) {
    $qro->PrintHeader();
}
$i = 0;
$report_data = array();