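/**
 * Build the plain-text export of one alert: event line, IP header (+options),
 * the matching TCP/UDP/ICMP header and finally the payload.
 *
 * @param int|string $sid sensor id (numeric key of acid_event / sensor)
 * @param int|string $cid event id within that sensor
 * @param object     $db  BASE database handle providing baseExecute(),
 *                        baseFetchRow(), baseRecordCount() and baseFreeRows()
 * @return string multi-line export text for the event
 */
function ExportPacket($sid, $cid, $db)
{
    /* Both keys are numeric. Casting them once means every string-built query
       below can only carry digits (the BASE db layer offers no placeholders). */
    $sid = (int) $sid;
    $cid = (int) $cid;
    $where = "sid='" . $sid . "' AND cid='" . $cid . "'";

    /* Event */
    $s = "------------------------------------------------------------------------------\n";
    $result2 = $db->baseExecute("SELECT signature, timestamp FROM acid_event WHERE " . $where);
    $myrow2 = $result2->baseFetchRow();
    if ($myrow2) {
        $s .= "#({$sid} - {$cid}) [{$myrow2['1']}] " . BuildSigByID($myrow2[0], $sid, $cid, $db, 2) . "\r\n";
    }
    $result2->baseFreeRows();

    /* IP */
    $result2 = $db->baseExecute(
        "SELECT ip_src, ip_dst, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_csum, ip_proto"
        . " FROM iphdr WHERE " . $where
    );
    $myrow2 = $result2->baseFetchRow();
    /* ip_proto selects which layer-4 section follows; without an iphdr row there is none */
    $layer4_proto = $myrow2 ? $myrow2[11] : null;
    if ($myrow2 && (string) $myrow2[0] !== '') {
        $s .= "IPv{$myrow2['2']}: " . baseLong2IP($myrow2[0]) . " -> " . baseLong2IP($myrow2[1]) . "\n"
            . "      hlen={$myrow2['3']} TOS={$myrow2['4']} dlen={$myrow2['5']} ID={$myrow2['6']}"
            . " flags={$myrow2['7']} offset={$myrow2['8']} TTL={$myrow2['9']} chksum={$myrow2['10']}\n";
        $s .= ExportPacketOptions($db, $where, 0, "    Options\n", "      ", static function ($opt) {
            return IPOption2str($opt);
        });
    }
    $result2->baseFreeRows();

    /* TCP */
    if ($layer4_proto == "6") {
        $result2 = $db->baseExecute(
            "SELECT tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp"
            . " FROM tcphdr WHERE " . $where
        );
        $myrow2 = $result2->baseFetchRow();
        if ($myrow2) {
            $s .= "TCP:  port={$myrow2['0']} -> dport: {$myrow2['1']}  flags=" . ExportPacketTCPFlags($myrow2[6])
                . " seq={$myrow2['2']}\n"
                . "      ack={$myrow2['3']} off={$myrow2['4']} res={$myrow2['5']} win={$myrow2['7']} urp={$myrow2['9']} "
                . "chksum={$myrow2['8']}\n";
            $s .= ExportPacketOptions($db, $where, 6, "      Options:\n", "       ", static function ($opt) {
                return TCPOption2str($opt);
            });
        }
        $result2->baseFreeRows();
    }

    /* UDP */
    if ($layer4_proto == "17") {
        $result2 = $db->baseExecute("SELECT * FROM udphdr WHERE " . $where);
        $myrow2 = $result2->baseFetchRow();
        if ($myrow2) {
            /* SELECT * : columns 2..4 are sport, dport and length in this schema */
            $s .= "UDP:  port={$myrow2['2']} -> dport: {$myrow2['3']} len={$myrow2['4']}\n";
        }
        $result2->baseFreeRows();
    }

    /* ICMP */
    if ($layer4_proto == "1") {
        $result2 = $db->baseExecute("SELECT icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq FROM icmphdr WHERE " . $where);
        $myrow2 = $result2->baseFetchRow();
        if ($myrow2) {
            $s .= "ICMP: type=" . ICMPType2str($myrow2[0]) . " code=" . ICMPCode2str($myrow2[0], $myrow2[1]) . "\n"
                . "      checksum={$myrow2['2']} id={$myrow2['3']} seq={$myrow2['4']}\n";
        }
        $result2->baseFreeRows();
    }

    /* Payload: the sensor row tells us how the bytes are encoded and at which detail level they were logged */
    $result3 = $db->baseExecute("SELECT encoding, detail FROM sensor WHERE sid=" . $sid);
    $myrow3 = $result3->baseFetchRow();
    $encoding = $myrow3 ? $myrow3[0] : null;
    $detail = $myrow3 ? $myrow3[1] : null;
    $result3->baseFreeRows();

    $result2 = $db->baseExecute("SELECT data_payload FROM data WHERE " . $where);
    $myrow2 = $result2->baseFetchRow();
    $s .= "Payload: ";
    if ($myrow2) {
        /* render the stored bytes according to the sensor's encoding */
        $s .= PrintPacketPayload($myrow2[0], $encoding, 2) . "\n";
    } elseif ((string) $detail === '0') {
        /* detail level 0 is fast logging: the sensor never stored a payload */
        $s .= "Fast logging used so payload was discarded\n";
    } else {
        $s .= "none\n";
    }
    $result2->baseFreeRows();

    return $s;
}

/**
 * Render the eight TCP flag bits as the fixed-width "21UAPRSF" string used in
 * the export, one character per bit (high bit first) and '*' for a clear bit.
 *
 * @param int|string $flags raw tcp_flags column value
 * @return string
 */
function ExportPacketTCPFlags($flags)
{
    $flags = (int) $flags;
    $letters = [128 => '2', 64 => '1', 32 => 'U', 16 => 'A', 8 => 'P', 4 => 'R', 2 => 'S', 1 => 'F'];
    $out = '';
    foreach ($letters as $bit => $letter) {
        $out .= (($flags & $bit) !== 0) ? $letter : '*';
    }
    return $out;
}

/**
 * Fetch the `opt` rows of one protocol for an event and format them as the
 * numbered option list used by both the IP and the TCP section.
 *
 * @param object   $db     BASE database handle
 * @param string   $where  "sid='..' AND cid='..'" clause with numeric values only
 * @param int      $proto  opt_proto value to select (0 = IP, 6 = TCP)
 * @param string   $header line emitted once before the first option
 * @param string   $indent prefix of every option line
 * @param callable $decode maps an option type to its display name
 * @return string empty when the event has no options for this protocol
 */
function ExportPacketOptions($db, $where, $proto, $header, $indent, $decode)
{
    $result = $db->baseExecute("SELECT * FROM opt WHERE " . $where . " AND opt_proto='" . (int) $proto . "'");
    $num_opt = $result->baseRecordCount();
    $out = '';
    if ($num_opt > 0) {
        $out .= $header;
        for ($i = 0; $i < $num_opt; $i++) {
            $row = $result->baseFetchRow();
            if (!$row) {
                /* fewer rows than baseRecordCount() announced; stop instead of indexing false */
                break;
            }
            $out .= $indent . "#" . ($i + 1) . " - " . $decode($row[4]) . " len={$row['5']}";
            if ((int) $row[5] !== 0) {
                $out .= " data={$row['6']}";
            }
            $out .= "\n";
        }
    }
    $result->baseFreeRows();
    return $out;
}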
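if ($layer4_proto == "1") {
    /* sid/cid are numeric keys: cast them so the string-built WHERE clause only ever carries digits */
    $sql2 = "SELECT icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq FROM icmphdr " . "WHERE sid='" . (int) $sid . "' AND cid='" . (int) $cid . "'";
    $result2 = $db->baseExecute($sql2);
    $myrow2 = $result2->baseFetchRow();
    if ($myrow2) {
        /* the header fields originate from the captured packet; escape them for the HTML context */
        $icmpEsc = static function ($v) {
            return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        };
        echo '<br>
               <TABLE BORDER=0 cellpadding=2 cellspacing=0 class="bborder" WIDTH="100%">
                  <TR><TD CLASS="header3" WIDTH=50 ROWSPAN=2 ALIGN=CENTER>ICMP';
        echo '      <TD>';
        echo '         <TABLE BORDER=0 CELLPADDING=2>';
        echo '            <TR><TD class="header">' . gettext("type") . '</TD>
                               <TD class="header">' . gettext("code") . '</TD>
                               <TD class="header">checksum</TD>
                               <TD class="header">' . gettext("ID") . '</TD>
                               <TD class="header">seq #</TR>';
        echo '            <TR><TD class="plfield">(' . $icmpEsc($myrow2[0]) . ') ' . ICMPType2str($myrow2[0]) . '</TD>';
        echo '                <TD class="plfield">(' . $icmpEsc($myrow2[1]) . ') ' . ICMPCode2str($myrow2[0], $myrow2[1]) . '</TD>';
        /* dechex() expects an int, so cast whatever the driver handed back */
        echo '                <TD class="plfield">' . $icmpEsc($myrow2[2]) . '<BR>=<BR>0x' . dechex((int) $myrow2[2]) . '</TD>';
        echo '                <TD class="plfield">' . $icmpEsc($myrow2[3]) . '</TD>';
        echo '                <TD class="plfield">' . $icmpEsc($myrow2[4]) . '</TD></TR>';
        echo '         </TABLE>';
        echo '</TABLE>';
        /* kept for the code that follows this block */
        $ICMPitype = $myrow2[0];
        $ICMPicode = $myrow2[1];
    }
    /* release the result set even when no icmphdr row exists */
    $result2->baseFreeRows();
}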
/* Connect with KDB if plugin_id=1505 */
if ($plugin_id == 1505 && $plugin_sid != "") {
    $sql2 = "SELECT k.text FROM ossim.repository k, ossim.repository_relationships r WHERE k.id=r.id_document and r.type='directive' and r.keyname='" . $plugin_sid . "'";
    $result2 = $db->baseExecute($sql2);
    $kdb = "";