$qs->PrintResultCnt("", array(), $displaying); echo '<FORM METHOD="post" name="PacketForm" id="PacketForm" ACTION="base_stat_alerts.php">'; $qro->PrintHeader(); $i = 0; $report_data = array(); // data to fill report_data // The below is due to changes in the queries... // We need to verify that it works all the time -- Kevin $and = strpos($where, "WHERE") != 0 ? " AND " : " WHERE "; while (($myrow = $result->baseFetchRow()) && $i < $qs->GetDisplayRowCnt()) { if ($myrow["plugin_id"] == "" || $myrow["plugin_sid"] == "") { continue; } // $sig_id = $myrow["plugin_id"] . ";" . $myrow["plugin_sid"]; $signame = BuildSigByPlugin($myrow["plugin_id"], $myrow["plugin_sid"], $db); // /* get Total Occurrence */ $total_occurances = $myrow["sig_cnt"]; /* Get other data */ $num_sensors = $myrow["sid_cnt"]; $num_src_ip = $myrow["saddr_cnt"]; $num_dst_ip = $myrow["daddr_cnt"]; /* First and Last timestamp of this signature */ $start_time = $myrow["first_timestamp"]; $stop_time = $myrow["last_timestamp"]; if ($tz != 0) { $start_time = gmdate("Y-m-d H:i:s", get_utc_unixtime($db, $start_time) + 3600 * $tz); $stop_time = gmdate("Y-m-d H:i:s", get_utc_unixtime($db, $stop_time) + 3600 * $tz); } /* Print out (Colored Version) -- Alejandro */
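/**
 * Print the per-signature statistics table for a single address.
 *
 * Emits (directly to output) a header line with the unique/total event counts
 * for $ip and one table row per unique event: the signature markup returned by
 * BuildSigByPlugin(), a link into base_qry_main.php with the occurrence count,
 * a link into base_stat_sensor.php with the sensor count, and the first/last
 * occurrence timestamps.
 *
 * @param mixed  $db  database handle passed straight through to the *ByAddr()
 *                    helpers and BuildSigByPlugin()
 * @param string $ip  address to report on (used in the SQL helpers, the query
 *                    strings of the two links, and the visible header)
 * @return void
 */
function PrintEventsByIP($db, $ip)
{
    // NOTE(review): the address is entity-encoded *before* it is handed to the
    // EventCntByAddr()/Unique*ByAddr() SQL helpers and urlencode()'d again for
    // the links below. Entity encoding is an HTML defence, not a SQL one, and
    // it double-encodes the URL parameter; kept as-is because the helpers may
    // rely on receiving exactly this value — confirm against their definitions.
    $ip = Util::htmlentities($ip);
    $count = 0;

    /* Count total events for the given address. */
    $event_cnt = EventCntByAddr($db, $ip);

    /* Fetch the distinct (plugin_id, plugin_sid) pairs seen for this address. */
    $unique_events = UniqueEventCntByAddr($db, $ip, $count);
    $unique_event_cnt = count($unique_events);

    printf(
        "<B>" . gettext("%d unique events detected among %d events on %s") . "/32</B><BR>",
        $unique_event_cnt,
        $event_cnt,
        Util::htmlentities($ip)
    );

    /* Column headers for the per-signature table. */
    echo '<TABLE BORDER=0 class="table_list"> <TR> <TD CLASS="headerbasestat">' . gettext("TCP Flags") . '</TD> <TD CLASS="headerbasestat">' . gettext("Total<BR> Occurrences") . '</TD> <TD CLASS="headerbasestat">' . gettext("Num of Sensors") . '</TD> <TD CLASS="headerbasestat">' . gettext("First<BR> Occurrence") . '</TD> <TD CLASS="headerbasestat">' . gettext("Last<BR> Occurrence") . '</TD> </TR>';

    // Address part of the query string is the same for every row; build once.
    $ip_form_vars = BuildIPFormVars(urlencode($ip));

    for ($i = 0; $i < $unique_event_cnt; $i++) {
        $current_event = $unique_events[$i];
        $plugin_id = $current_event[0];
        $plugin_sid = $current_event[1];

        $total = UniqueEventTotalsByAddr($db, $ip, $current_event);
        $num_sensors = UniqueSensorCntByAddr($db, $ip, $current_event);
        $start_time = StartTimeForUniqueEventByAddr($db, $ip, $current_event);
        $stop_time = StopTimeForUniqueEventByAddr($db, $ip, $current_event);

        // Zebra-stripe odd rows.
        $cellcolor = $i % 2 != 0 ? "bgcolor='#f2f2f2'" : "";
        echo "<TR {$cellcolor}>";

        // BuildSigByPlugin() returns "<prefix>##<markup>"; the "##" separator is
        // stripped and the (already entity-encoded) markup is decoded so the
        // signature's own HTML (reference links etc.) renders. Presumably the
        // returned markup is trusted — it is emitted unescaped here.
        $signame = BuildSigByPlugin($plugin_id, $plugin_sid, $db);
        echo " <TD ALIGN='center'> " . str_replace("##", "", html_entity_decode($signame));

        // sig[0]='=' , sig[1]='<plugin_id>;<plugin_sid>' — same encoding for both links.
        $sig_query = 'sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=' . urlencode($plugin_id . ";" . $plugin_sid);

        // The submit label is a translated string and may contain spaces or
        // non-ASCII characters, so it must be urlencode()'d like the rest of
        // the query string (base_qry_main.php expects "Query+DB" here).
        $tmp_iplookup = 'base_qry_main.php?new=1&' . $sig_query
            . '&num_result_rows=-1&submit=' . urlencode(gettext("Query DB"))
            . '&current_view=-1&ip_addr_cnt=2' . $ip_form_vars;
        $tmp_sensor_lookup = 'base_stat_sensor.php?' . $sig_query
            . '&ip_addr_cnt=2' . $ip_form_vars;

        echo " <TD align='center'> <A HREF=\"{$tmp_iplookup}\">" . Util::htmlentities($total) . "</A> ";
        echo " <TD align='center'> <A HREF=\"{$tmp_sensor_lookup}\">" . Util::htmlentities($num_sensors) . "</A> ";

        // Timestamps come back from the database helpers; escape them on output
        // like the counts above instead of interpolating them raw into the page.
        echo " <TD align='center'> " . Util::htmlentities($start_time);
        echo " <TD align='center' valign='middle'> " . Util::htmlentities($stop_time);
        echo '</TR>';
    }

    echo "</TABLE>\n";
}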
} } if (!$dst_latitude && !$dst_longitude) { $record = $geoloc->get_location_from_file($current_dip); if ($record->latitude != 0 && $record->longitude != 0) { $dst_latitude = $record->latitude; $dst_longitude = $record->longitude; } if (empty($dst_loc) && $record->country_name != '') { $dst_loc = '<img src="../pixmaps/flags/' . strtolower($record->country_code) . '.png"/> <a target="_blank" href="' . $gmaps_url . '">' . $record->country_name . '</a>'; } } $dst_loc = str_replace('__LAT__', $src_latitude, str_replace('__LONG__', $src_longitude, $dst_loc)); $dbo->close($_conn); // Signature $htmlTriggeredSignature = explode("##", BuildSigByPlugin($plugin_id, $plugin_sid, $db)); // Extradata translation adding $myrow2['filename'] = $myrow6['filename']; $myrow2['username'] = $myrow6['username']; for ($k = 1; $k <= 9; $k++) { $myrow2['userdata' . $k] = $myrow6['userdata' . $k]; } $signature = TranslateSignature($htmlTriggeredSignature[1], $myrow2); // VIEW $back = "<a href=\"base_qry_main.php?num_result_rows=-1&submit=Query+DB&caller=&pag={$pag}¤t_view={$pag}\">" . _('Security Events') . "</a>"; if (!array_key_exists("minimal_view", $_GET)) { PrintPacketLookupBrowseButtons2($seq, $tmp_sql, $sort_sql[0] . $from . $where, $db, $previous, $next); ?> <!-- Breadcrum --> <div id="bread_crumb" class="av_breadcrumb"> <div class="av_breadcrumb_item av_link"><?php
' . ($tzcell ? '<TD nowrap>' . $event_date . ' ' . Util::timezone($tzone) . '</TD>' : '') . ' <TD>' . htmlspecialchars(@inet_ntop($myrow4["ip"]) ? $myrow4["name"] . " [" . inet_ntop($myrow4["ip"]) . "]" : _("Unknown")) . '</TD> <TD>' . ($myrow4["interface"] == "" ? " <I>-</I> " : $myrow4["interface"]) . '</TD> </TR> </TABLE> <br/> <TABLE class="table_list"> <TR> <th>' . _("Triggered Signature") . '</th> <th>' . _("Event Type ID") . '</th> <th>' . _("Category") . '</th> <th>' . _("Sub-Category") . '</th> </TR> <TR> <TD><a href="javascript:;" class="trlnka" id="' . $plugin_id . ';' . $plugin_sid . '">'; $htmlTriggeredSignature = str_replace("##", "", BuildSigByPlugin($plugin_id, $plugin_sid, $db)); // Extradata translation adding $myrow2['filename'] = $myrow6['filename']; $myrow2['username'] = $myrow6['username']; for ($k = 1; $k <= 9; $k++) { $myrow2['userdata' . $k] = $myrow6['userdata' . $k]; } echo TranslateSignature($htmlTriggeredSignature, $myrow2) . '</a></TD> <TD>' . $plugin_sid . '</TD> <TD>' . $cat . '</TD> <TD>' . $subcat . '</TD> </TR> </TABLE> <br/> <TABLE class="table_list"> <TR>
if ($tz != 0) { $myrow["timestamp"] = gmdate("Y-m-d H:i:s", get_utc_unixtime($db, $myrow["timestamp"]) + 3600 * $tz); } $current_sip32 = $myrow["ip_src"]; $current_sip = baseLong2IP($current_sip32); $current_dip32 = $myrow["ip_dst"]; $current_dip = baseLong2IP($current_dip32); $current_proto = $myrow["ip_proto"]; $current_sport = $current_dport = ""; if ($myrow["layer4_sport"] != 0) { $current_sport = ":" . $myrow["layer4_sport"]; } if ($myrow["layer4_dport"] != 0) { $current_dport = ":" . $myrow["layer4_dport"]; } $current_sig = BuildSigByPlugin($myrow["plugin_id"], $myrow["plugin_sid"], $db); $current_sig_txt = trim(html_entity_decode(strip_tags($current_sig))); $current_otype = $myrow["ossim_type"]; $current_oprio = $myrow["ossim_priority"]; $current_oreli = $myrow["ossim_reliability"]; $current_oasset_s = $myrow["ossim_asset_src"]; $current_oasset_d = $myrow["ossim_asset_dst"]; $current_oriskc = $myrow["ossim_risk_c"]; $current_oriska = $myrow["ossim_risk_a"]; // if ($portscan_payload_in_signature == 1) { /* fetch from payload portscan open port number */ if (stristr($current_sig_txt, "(portscan) Open Port")) { $sql2 = "SELECT data_payload FROM data WHERE sid='" . $myrow["sid"] . "' AND cid='" . $myrow["cid"] . "'"; $result2 = $db->baseExecute($sql2); $myrow_payload = $result2->baseFetchRow();
/**
 * Render a one-line, human-readable description of this signature criterion.
 *
 * Produces 'Signature <op> "<value>"' followed by the criterion's clear-link
 * (from $this->cs->GetClearCriteriaString()) and a trailing <BR>. The
 * operator text is derived from criteria[0] ('=' or 'LIKE') combined with
 * criteria[2] ('=' or '!='). When the DB schema is >= 100 and sig_type == 1,
 * criteria[1] is treated as "<plugin_id>;<plugin_sid>" and resolved through
 * BuildSigByPlugin(); otherwise the raw criteria[1] is shown entity-encoded.
 *
 * Reads: $this->criteria, $this->db, $this->sig_type, $this->cs,
 *        $this->export_name.
 *
 * @return string HTML fragment, or "" when criteria[0]/criteria[1] are unset
 *                or empty.
 */
function Description()
{
    // NOTE(review): the guard rejects a single space in criteria[0] but an
    // empty string in criteria[1]; that asymmetry is preserved verbatim here.
    if (!isset($this->criteria[0]) || $this->criteria[0] == " "
        || !isset($this->criteria[1]) || $this->criteria[1] == "") {
        return "";
    }

    $operator = $this->criteria[0];
    $op_label = "";

    // Map (criteria[0], criteria[2]) onto the displayed operator text.
    if ($operator == '=' && $this->criteria[2] == '!=') {
        $op_label = '!=';
    } elseif ($operator == '=' && $this->criteria[2] == '=') {
        $op_label = '=';
    } elseif ($operator == 'LIKE' && $this->criteria[2] == '!=') {
        $op_label = ' ' . gettext("does not contain") . ' ';
    } elseif ($operator == 'LIKE' && $this->criteria[2] == '=') {
        $op_label = ' ' . gettext("contains") . ' ';
    }

    $out = gettext("Signature") . ' ' . $op_label . ' "';
    $clear_link = $this->cs->GetClearCriteriaString($this->export_name);

    if ($this->db->baseGetDBversion() >= 100 && $this->sig_type == 1) {
        // criteria[1] is "<plugin_id>;<plugin_sid>"; both parts are cast to
        // int before the lookup. Only the text after the last "##" of the
        // BuildSigByPlugin() result is kept, and it is emitted decoded —
        // presumably because it carries the signature's own markup; note
        // that this differs from the escaped output of the branch below.
        list($pid, $psid) = array_pad(explode(";", $this->criteria[1]), 2, null);
        $sig_markup = BuildSigByPlugin(intval($pid), intval($psid), $this->db);
        $out .= html_entity_decode(preg_replace("/.*##/", "", $sig_markup)) . '" ' . $clear_link;
    } else {
        $out .= Util::htmlentities($this->criteria[1], ENT_COMPAT, "UTF-8") . '"' . $clear_link;
    }

    return $out . '<BR>';
}
<TR><TD CLASS="header3" WIDTH=50 ALIGN=CENTER ROWSPAN=4>Meta</TD> <TD> <TABLE BORDER=0 CELLPADDING=4> <TR><TD CLASS="header" >' . _("ID") . ' #</TD> <TD CLASS="header" nowrap>' . _("Date") . " " . Util::timezone($tz) . '</TD> ' . ($tzcell ? '<TD CLASS="header" nowrap>' . _("Event date") . '</TD>' : '') . ' <TD CLASS="header">' . _("Triggered Signature") . '</TD> <TD CLASS="header" nowrap>' . _("Data Source Name") . '</TD> <TD CLASS="header" nowrap>' . _("Data Source ID") . '</TD> <TD CLASS="header" nowrap>' . _("Event Type ID") . '</TD> <TD></td></TR> <TR><TD CLASS="plfield" nowrap>' . ($sid . " - " . $cid) . '</TD> <TD CLASS="plfield" nowrap>' . htmlspecialchars($tzdate) . '</TD> ' . ($tzcell ? '<TD CLASS="plfield" nowrap>' . $event_date . '<br>' . Util::timezone($tzone) . '</TD>' : '') . ' <TD CLASS="plfield">'; $htmlTriggeredSignature = html_entity_decode(htmlspecialchars(str_replace("##", "", BuildSigByPlugin($plugin_id, $plugin_sid, $db)))); echo $htmlTriggeredSignature . '</TD> <TD CLASS="plfield">' . $plugin_name . '</TD> <TD CLASS="plfield">' . $plugin_id . '</TD> <TD CLASS="plfield">' . $plugin_sid . '</TD> ' . ($_GET['minimal_view'] == "" ? '<TD CLASS="plfield"><a href="javascript:;" onclick="GB_show(\'' . _("Modify Rel/Prio") . '\',\'modify_relprio.php?id=' . $plugin_id . '&sid=' . $plugin_sid . '\',280,450)" class="greybox"><img src="../vulnmeter/images/pencil.png" border="0" alt="' . _("Modify Rel/Prio") . '" title="' . _("Modify Rel/Prio") . 
'"></a></td>' : ''); '<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0033" target="_blank"><img src="manage_references_icon.php?id=5" alt="cve" title="cve" border="0"></a> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5976" target="_blank"><img src="manage_references_icon.php?id=5" alt="cve" title="cve" border="0"></a> pads: New service detectedArray '; //<-- $return; foreach (explode('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', $htmlTriggeredSignature) as $key => $value) { if ($key != 0) { $posIni = strpos($value, "'"); if ($posIni !== false) { $return[] = 'CVE-' . substr($value, 0, $posIni); }