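/**
 * Resolve hostnames for every source/destination IP in acid_event that has
 * no FQDN in acid_ip_cache yet, and report how many lookups were issued.
 *
 * Both address columns are handled by the same query shape, so the per-column
 * work is expressed once and run for 'ip_src' and 'ip_dst' in turn.
 *
 * @param object $db BASE DB wrapper exposing baseExecute(); the result object
 *                   is expected to expose baseFetchRow() and baseFreeRows().
 * @return void  Outcome is reported through ErrorMessage(), not returned.
 *
 * Reads the global $dns_cache_lifetime and passes it through to
 * baseGetHostByAddr(), which presumably writes the resolved name into
 * acid_ip_cache (not visible here — confirm in its definition).
 */
function UpdateDNSCache($db)
{
    global $dns_cache_lifetime;

    $cnt = 0;

    foreach (array('ip_src', 'ip_dst') as $column) {
        // $column comes only from the fixed list above, never from request
        // input, so building the SQL by concatenation is safe here. Do not
        // extend this to caller-supplied column names without whitelisting.
        $ip_result = $db->baseExecute(
            "SELECT DISTINCT " . $column . " FROM acid_event " .
            "LEFT JOIN acid_ip_cache ON ipc_ip = " . $column . " " .
            "WHERE ipc_fqdn IS NULL"
        );

        // Loose comparison kept on purpose: the fetch helper may signal
        // end-of-set with false rather than null (ADODB style) — confirm.
        while (($row = $ip_result->baseFetchRow()) != null) {
            // Stored addresses are integers; convert to dotted form before lookup.
            baseGetHostByAddr(baseLong2IP($row[0]), $db, $dns_cache_lifetime);
            ++$cnt;
        }

        $ip_result->baseFreeRows();
    }

    ErrorMessage(gettext("Added ") . $cnt . gettext(" hostnames to the IP DNS cache"));
}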
$(document).ready(function(){ $('.flnk').on('click', function(){ setTimeout('parent.GB_hide(paramns)', 250); }); }); </script> <FORM METHOD="POST" ACTION="base_stat_ipaddr.php"> <?php /* Print the Statistics the IP address */ echo ' <p align="CENTER">FQDN: <B>'; if ($resolve_IP == 0) { echo ' (' . gettext("no DNS resolution attempted") . ')'; } else { if ($ip != "255.255.255.255") { echo baseGetHostByAddr(Util::htmlentities($ip), '', $db); } else { echo Util::htmlentities($ip) . ' (Broadcast)'; } } //if (VerifySocketSupport()) echo ' ( <A HREF="base_stat_ipaddr.php?ip=' . $ip . '&netmask=' . $netmask . '&action=whois">local whois</A> )'; echo '</B></p> <TABLE BORDER=0 class="table_list" style="width:90%"> <TR> <TD CLASS="headerbasestat uppercase">' . gettext("Devices #") . '</TD> <TD CLASS="headerbasestat uppercase">' . gettext("Src Occurances #") . '</TD> <TD CLASS="headerbasestat uppercase">' . gettext("Dst Occurances #") . '</TD> <TD CLASS="headerbasestat uppercase">' . gettext("First Event Date") . '</TD> <TD CLASS="headerbasestat uppercase">' . gettext("Last Event Date") . '</TD> </TR>'; /* Number of Sensors, First, and Last timestamp */
$_conn = $dbo->custom_connect($_SESSION["server"][0], $_SESSION["server"][2], $_SESSION["server"][3]); } else { $_conn = $dbo->connect(); } while (($myrow = $result->baseFetchRow()) && $i < $qs->GetDisplayRowCnt()) { $sip = $myrow[0]; $ip_sip = inet_ntop($sip); $dip = $myrow[1]; $ip_dip = inet_ntop($dip); $src_host = $myrow[7]; $dst_host = $myrow[8]; $proto = $myrow[2]; $ctx = $myrow[3]; if ($fqdn == "yes") { $sip_fqdn = baseGetHostByAddr($ip_sip, $ctx, $db); $dip_fqdn = baseGetHostByAddr($ip_dip, $ctx, $db); } /* Get stats on the link */ if ($sip && $dip) { #$temp = "SELECT COUNT(DISTINCT layer4_dport), " . "COUNT(acid_event.cid), COUNT(DISTINCT acid_event.signature) " . $from . $where . " AND acid_event.ip_src='" . $sip . "' AND acid_event.ip_dst='" . $dip . "' AND acid_event.ip_proto='" . $proto . "'"; #$result2 = $db->baseExecute($temp); #$row = $result2->baseFetchRow(); #$num_occurances = $row[1]; #$num_unique_dport = $row[0]; #$num_unique = $row[2]; #$result2->baseFreeRows(); $num_unique_dport = $myrow[4]; $num_occurances = $myrow[5]; $num_unique = $myrow[6]; /* Print out */ qroPrintEntryHeader($i);
$country_name = geoip_country_name_by_addr($gi, $currentIP); $homelan = ($match_cidr = Net::is_ip_in_cache_cidr($_conn, $currentIP)) || in_array($currentIP, $hosts_ips) ? " <a href='javascript:;' class='scriptinfo' style='text-decoration:none' ip='{$currentIP}'><img src=\"" . Host::get_homelan_icon($currentIP, $icons, $match_cidr, $_conn) . "\" border=0></a>" : ""; if ($country) { $country_img = " <img src=\"/ossim/pixmaps/flags/" . $country . ".png\" title=\"" . $country_name . "\">"; $slnk = $current_url . "/pixmaps/flags/" . $country . ".png"; } else { $country_img = ""; $slnk = $homelan != "" ? $current_url . "/forensics/images/homelan.png" : ""; } $sip_aux = $sensors[$currentIP] != "" ? $sensors[$currentIP] : ($hosts[$currentIP] != "" ? $hosts[$currentIP] : $currentIP); $div = '<div id="' . $currentIP . ';' . $ip_aux . '" class="HostReportMenu">'; $bdiv = '</div>'; qroPrintEntry($div . BuildAddressLink($currentIP, 32) . $currentIP . '</A> ' . $country_img . $homelan . $bdiv, 'center', '', 'nowrap'); } if ($resolve_IP == 1) { qroPrintEntry(' ' . baseGetHostByAddr($currentIP, $db, $dns_cache_lifetime) . ' '); } /* Print # of Occurances */ $tmp_iplookup = 'base_qry_main.php?num_result_rows=-1' . '&submit=' . gettext("Query+DB") . '&current_view=-1'; $tmp_iplookup2 = 'base_stat_alerts.php?num_result_rows=-1' . '&submit=' . gettext("Query+DB") . '&current_view=-1&sort_order=occur_d'; if ($addr_type == 1) { if ($no_ip) { $url_criteria = BuildSrcIPFormVars(NULL_IP); } else { $url_criteria = BuildSrcIPFormVars($currentIP); } } else { if ($addr_type == 2) { if ($no_ip) { $url_criteria = BuildDstIpFormVars(NULL_IP); } else {
$geo_info = Asset_host::get_extended_location($_conn, $geoloc, $currentIP); if ($geo_info['html_icon'] != '') { $country_img = $geo_info['html_icon'] . ' '; $slnk = $current_url . preg_replace("/.*src\\='\\/ossim([^']+)'.*/", "\\1", $country_img); } else { $country_img = ""; $slnk = ""; } $div = '<div id="' . $currentIP . ';' . $currentIP . ';' . $host_id . '" ctx="' . (Session::show_entities() ? $ctx : Session::get_default_ctx()) . '" class="HostReportMenu" style="padding:0px 0px 0px 25px">'; //'.getrepbgcolor($prio,1).' $bdiv = '</div>'; qroPrintEntry($div . $country_img . " " . BuildAddressLink($currentIP, 32) . $currentIP . '</A> ' . $bdiv, 'left', '', 'nowrap'); qroPrintEntry(getrepimg($prio, $rel, $act, $currentIP), "center", "middle"); } if ($resolve_IP == 1) { qroPrintEntry(' ' . baseGetHostByAddr($currentIP, $ctx, $db) . ' '); } /* Print # of Occurances */ $tmp_iplookup = 'base_qry_main.php?num_result_rows=-1' . '&submit=' . gettext("Query DB") . '&current_view=-1'; $tmp_iplookup2 = 'base_stat_alerts.php?num_result_rows=-1' . '&submit=' . gettext("Query DB") . '&current_view=-1&sort_order=occur_d'; if ($addr_type == 1) { if ($no_ip) { $url_criteria = BuildSrcIPFormVars(NULL_IP); } else { $url_criteria = BuildSrcIPFormVars($currentIP); } } else { if ($addr_type == 2) { if ($no_ip) { $url_criteria = BuildDstIpFormVars(NULL_IP); } else {
echo '<TR>'; if ($ICMPitype == "5") { echo '<TD class="plfield">'; echo '<A HREF="base_stat_ipaddr.php?ip=' . $gateway . '&netmask=32" TARGET="_PL_SIP">' . $gateway . '</A></TD>'; echo '<TD class="plfield">' . baseGetHostByAddr($gateway, $ctx, $db) . '</TD>'; } echo '<TD class="plfield">' . Protocol::get_protocol_by_number($icmp_proto, TRUE) . '</TD>'; echo '<TD class="plfield">'; echo '<A HREF="base_stat_ipaddr.php?ip=' . $icmp_src . '&netmask=32" TARGET="_PL_SIP">' . $icmp_src . '</A></TD>'; echo '<TD class="plfield">' . baseGetHostByAddr($icmp_src, $ctx, $db) . '</TD>'; if ($icmp_proto == "6" || $icmp_proto == "17") { echo '<TD class="plfield">' . $icmp_src_port . '</TD>'; } echo '<TD class="plfield">'; echo '<A HREF="base_stat_ipaddr.php?ip=' . $icmp_dst . '&netmask=32" TARGET="_PL_DIP">' . $icmp_dst . '</A></TD>'; echo '<TD class="plfield">' . baseGetHostByAddr($icmp_dst, $ctx, $db) . '</TD>'; if ($icmp_proto == "6" || $icmp_proto == "17") { echo '<TD class="plfield">' . $icmp_dst_port . '</TD>'; } echo '</TR>'; echo '</TABLE>'; } } } else { /* Don't have payload so lets print out why by checking the detail level */ /* if have fast detail level */ echo '<div class="siem_detail_dark">'; if ($detail == "0") { echo '<BR>   <I>' . _("Fast logging used -i so payload was discarded") . '</I><BR>'; } else { echo '<div class="siem_detail_payloadnone">' . _("none") . '</div>';
echo '<TR>'; if ($ICMPitype == "5") { echo '<TD class="plfield">'; echo '<A HREF="base_stat_ipaddr.php?ip=' . $gateway . '&netmask=32" TARGET="_PL_SIP">' . $gateway . '</A></TD>'; echo '<TD class="plfield">' . baseGetHostByAddr($gateway, $db, $dns_cache_lifetime) . '</TD>'; } echo '<TD class="plfield">' . IPProto2Str($icmp_proto) . '</TD>'; echo '<TD class="plfield">'; echo '<A HREF="base_stat_ipaddr.php?ip=' . $icmp_src . '&netmask=32" TARGET="_PL_SIP">' . $icmp_src . '</A></TD>'; echo '<TD class="plfield">' . baseGetHostByAddr($icmp_src, $db, $dns_cache_lifetime) . '</TD>'; if ($icmp_proto == "6" || $icmp_proto == "17") { echo '<TD class="plfield">' . $icmp_src_port . '</TD>'; } echo '<TD class="plfield">'; echo '<A HREF="base_stat_ipaddr.php?ip=' . $icmp_dst . '&netmask=32" TARGET="_PL_DIP">' . $icmp_dst . '</A></TD>'; echo '<TD class="plfield">' . baseGetHostByAddr($icmp_dst, $db, $dns_cache_lifetime) . '</TD>'; if ($icmp_proto == "6" || $icmp_proto == "17") { echo '<TD class="plfield">' . $icmp_dst_port . '</TD>'; } echo '</TR>'; echo '</TABLE>'; } } } else { /* Don't have payload so lets print out why by checking the detail level */ /* if have fast detail level */ if ($detail == "0") { echo '<BR>   <I>' . gettext("Fast logging used -i so payload was discarded") . '</I><BR>'; } else { echo '<BR>   <I>' . gettext("none") . ' </I><BR>'; }
//$conn_object = $db_object->connect(); echo '<CENTER><B>' . $ip . '</B> ( '; ?> <a href="<?php echo Sensor::get_sensor_link($conn_object, $ip) . "/{$ip}.html"; ?> ">See host Detail</a> <?php $db_object->close($conn_object); echo ') <BR>FQDN: <B>'; if ($resolve_IP == 0) { echo ' (' . gettext("no DNS resolution attempted") . ')'; } else { if ($ip != "255.255.255.255") { echo baseGetHostByAddr($ip, $db, $dns_cache_lifetime); } else { echo $ip . ' (Broadcast)'; } } if (VerifySocketSupport()) { echo ' ( <A HREF="base_stat_ipaddr.php?ip=' . $ip . '&netmask=' . $netmask . '&action=whois">local whois</A> )'; } echo '</B> <TABLE BORDER=0> <TR> <TD CLASS="headerbasestat">' . gettext("Num of <BR>Sensors") . '</TD> <TD CLASS="headerbasestat">' . gettext("Occurances <BR>as Src.") . '</TD> <TD CLASS="headerbasestat">' . gettext("Occurances <BR>as Dest.") . '</TD> <TD CLASS="headerbasestat">' . gettext("First<BR> Occurrence") . '</TD> <TD CLASS="headerbasestat">' . gettext("Last<BR> Occurrence") . '</TD>
$cell_data['IP_PORTDST'] = $div . '<A class="trlnk" alt="' . $current_dip . '" title="' . $current_dip . '" HREF="base_qry_main.php?new=2&hmenu=Forensics&smenu=Forensics&num_result_rows=-1&submit=Query+DB¤t_view=-1&ip_addr_cnt=1&sort_order=time_d&ip_addr%5B0%5D%5B0%5D=+&ip_addr%5B0%5D%5B1%5D=ip_dst&ip_addr%5B0%5D%5B2%5D=%3D&ip_addr%5B0%5D%5B3%5D=' . $current_dip . '&ip_addr%5B0%5D%5B8%5D=+">' . $dip_aux . '</A><FONT SIZE="-1">' . $current_dport . '</FONT>' . $country_img . $homelan . $bdiv; $cell_pdfdata['IP_PORTDST'] = $dip_aux . $current_dport . $dlnk; $cell_data['IP_DST'] = $current_dip . $country_img . $homelan; $cell_data['PORT_DST'] = str_replace(":", "", $current_dport); //qroPrintEntry($div.'<A HREF="base_stat_ipaddr.php?ip=' . $current_dip . '&netmask32">' . $dip_aux . '</A><FONT SIZE="-1">' . $current_dport . '</FONT>' . $country_img . $homelan . $bdiv, 'center', 'top', 'nowrap'); } else { //qroPrintEntry('<A HREF="' . $BASE_urlpath . '/help/base_app_faq.php#1">' . gettext("unknown") . '</A>'); $cell_data['IP_PORTDST'] = '<A class="trlnk" HREF="' . $BASE_urlpath . '/help/base_app_faq.php#1">' . gettext("unknown") . '</A>'; $cell_data['IP_DST'] = gettext("unknown"); $cell_data['PORT_DST'] = gettext("unknown"); } $cell_align['IP_PORTDST'] = "center"; $cell_align['IP_DST'] = "center"; $cell_align['PORT_DST'] = "center"; if (in_array("IP_DST_FQDN", $_SESSION['views'][$_SESSION['current_cview']]['cols'])) { $cell_data['IP_DST_FQDN'] = baseGetHostByAddr($current_dip, $db, $dns_cache_lifetime); } // 7- Asset //qroPrintEntry("<img src=\"bar2.php?value=" . $current_oasset_s . "&value2=" . $current_oasset_d . "&max=5\" border='0' align='absmiddle' title='$current_oasset_s -> $current_oasset_d'> "); $cell_data['ASSET'] = "<img src=\"bar2.php?value=" . $current_oasset_s . "&value2=" . $current_oasset_d . "&max=5\" border='0' align='absmiddle' title='{$current_oasset_s} -> {$current_oasset_d}'> "; $cell_pdfdata['ASSET'] = "<img src='" . $current_url . 
"/forensics/bar2.php?value=" . $current_oasset_s . "&value2=" . $current_oasset_d . "&max=5' border='0' align='absmiddle' style='width:10mm'>"; $cell_align['ASSET'] = "center"; $current_orisk = $current_dip != "255.255.255.255" ? $current_oriska : $current_oriskc; /*if ($current_dip != "255.255.255.255") { qroPrintEntry("<img src=\"bar.php?value=" . $current_oasset_d . "&max=5\" border='0' align='absmiddle'> "); $current_orisk = $current_oriska; } else { qroPrintEntry("<img src=\"bar.php?value=" . $current_oasset_s . "&max=5\" border='0' align='absmiddle'> "); $current_orisk = $current_oriskc; }*/ // 8- Priority
$report_data = array(); // data to fill report_data if (is_array($_SESSION["server"]) && $_SESSION["server"][0] != "") { $_conn = $dbo->custom_connect($_SESSION["server"][0], $_SESSION["server"][2], $_SESSION["server"][3]); } else { $_conn = $dbo->connect(); } while (($myrow = $result->baseFetchRow()) && $i < $qs->GetDisplayRowCnt()) { $sip = $myrow[0]; $ip_sip = baseLong2IP($sip); $dip = $myrow[1]; $ip_dip = baseLong2IP($dip); $proto = $myrow[2]; if ($fqdn == "yes") { $sip_fqdn = baseGetHostByAddr($ip_sip, $db, $dns_cache_lifetime); $dip_fqdn = baseGetHostByAddr($ip_dip, $db, $dns_cache_lifetime); } /* Get stats on the link */ if ($sip && $dip) { #$temp = "SELECT COUNT(DISTINCT layer4_dport), " . "COUNT(acid_event.cid), COUNT(DISTINCT acid_event.signature) " . $from . $where . " AND acid_event.ip_src='" . $sip . "' AND acid_event.ip_dst='" . $dip . "' AND acid_event.ip_proto='" . $proto . "'"; #$result2 = $db->baseExecute($temp); #$row = $result2->baseFetchRow(); #$num_occurances = $row[1]; #$num_unique_dport = $row[0]; #$num_unique = $row[2]; #$result2->baseFreeRows(); $num_occurances = $myrow[4]; $num_unique_dport = $myrow[3]; $num_unique = $myrow[5]; /* Print out */ qroPrintEntryHeader($i);
$cell_data['IP_PORTDST'] = $div . $dst_img . " " . $dip_lnk . " " . $rep_dst_icon . $bdiv; $cell_pdfdata['IP_PORTDST'] = $dst_name . $current_dport; $cell_more['IP_PORTDST'] = preg_match("/\\d+\\.\\d+\\.\\d+\\.\\d+/", $cell_data['IP_PORTSRC']) ? "nowrap" : ""; $cell_data['IP_DST'] = $dst_img . " " . ($homelan_dst ? "<b>{$current_dip}</b>" : $current_dip) . " " . $rep_dst_icon; $cell_pdfdata['IP_DST'] = $current_dip; $cell_data['PORT_DST'] = str_replace(":", "", $current_dport); } else { $cell_data['IP_PORTDST'] = gettext("unknown"); $cell_data['IP_DST'] = gettext("unknown"); $cell_data['PORT_DST'] = gettext("unknown"); } $cell_align['IP_PORTDST'] = "left"; $cell_align['IP_DST'] = "left"; $cell_align['PORT_DST'] = "center"; if (in_array("IP_DST_FQDN", $_SESSION['views'][$_SESSION['current_cview']]['cols'])) { $cell_data['IP_DST_FQDN'] = baseGetHostByAddr($current_dip, $ctx, $db); $cell_align['IP_DST_FQDN'] = "center"; } // 7- Asset //qroPrintEntry("<img src=\"bar2.php?value=" . $current_oasset_s . "&value2=" . $current_oasset_d . "&max=5\" border='0' align='absmiddle' title='$current_oasset_s -> $current_oasset_d'> "); $cell_data['ASSET'] = "<img src=\"bar2.php?value=" . $current_oasset_s . "&value2=" . $current_oasset_d . "&max=5\" border='0' align='absmiddle' title='{$current_oasset_s} -> {$current_oasset_d}'>"; $cell_pdfdata['ASSET'] = "<img src='" . $current_url . "/forensics/bar2.php?value=" . $current_oasset_s . "&value2=" . $current_oasset_d . "&max=5' border='0' align='absmiddle' style='width:10mm'>"; $cell_align['ASSET'] = "center"; $current_orisk = $current_dip != "255.255.255.255" ? $current_oriska : $current_oriskc; /*if ($current_dip != "255.255.255.255") { qroPrintEntry("<img src=\"bar.php?value=" . $current_oasset_d . "&max=5\" border='0' align='absmiddle'> "); $current_orisk = $current_oriska; } else { qroPrintEntry("<img src=\"bar.php?value=" . $current_oasset_s . "&max=5\" border='0' align='absmiddle'> "); $current_orisk = $current_oriskc; }*/