// $sig_id = $myrow["plugin_id"] . ";" . $myrow["plugin_sid"]; $signame = BuildSigByPlugin($myrow["plugin_id"], $myrow["plugin_sid"], $db); // /* get Total Occurrence */ $total_occurances = $myrow["sig_cnt"]; /* Get other data */ $num_sensors = $myrow["sid_cnt"]; $num_src_ip = $myrow["saddr_cnt"]; $num_dst_ip = $myrow["daddr_cnt"]; /* First and Last timestamp of this signature */ $start_time = $myrow["first_timestamp"]; $stop_time = $myrow["last_timestamp"]; if ($tz != 0) { $start_time = gmdate("Y-m-d H:i:s", get_utc_unixtime($db, $start_time) + 3600 * $tz); $stop_time = gmdate("Y-m-d H:i:s", get_utc_unixtime($db, $stop_time) + 3600 * $tz); } /* Print out (Colored Version) -- Alejandro */ //qroPrintEntryHeader((($colored_alerts == 1) ? GetSignaturePriority($sig_id, $db) : $i) , $colored_alerts); qroPrintEntryHeader($i, $colored_alerts); $tmp_rowid = $myrow["plugin_id"] . " " . $myrow["plugin_sid"]; echo ' <TD nowrap> <INPUT TYPE="checkbox" NAME="action_chk_lst[' . $i . ']" VALUE="' . $tmp_rowid . '"> </TD>'; echo ' <INPUT TYPE="hidden" NAME="action_lst[' . $i . ']" VALUE="' . $tmp_rowid . '">'; $sigstr = trim(preg_replace("/.*\\/\\s*(.*)/", "\\1", preg_replace("/^[\\.\\,\"\\!]|[\\.\\,\"\\!]\$/", "", preg_replace("/.*##/", "", html_entity_decode(strip_tags($signame)))))); $siglink = "base_qry_main.php?new=1&submit=" . gettext("Query+DB") . "&num_result_rows=-1&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=" . urlencode($sig_id); $tmpsig = explode("##", $signame); if ($tmpsig[1] != "") { $antes = $tmpsig[0];
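// One output row per product type: resolve the type name, look up the most
// recent event of that type, shift its timestamp into the user's timezone and
// print the cells. Reads $result, $qs, $db, $tz, $show_rows, $entities and $i
// from the enclosing scope; advances $i and resets $prev_time as before.
while (($myrow = $result->baseFetchRow()) && $i < $qs->GetDisplayRowCnt()) {
    $ctx = $myrow["ctx"];
    $product_type = GetSourceType($myrow["product_type"], $db);
    $total_occurances = $myrow["events"];

    // product_type.id is interpolated unquoted, so the query only ever worked
    // with a numeric value here; the cast keeps anything else out of the SQL
    // text instead of relying on that implicitly.
    $product_type_id = (int) $myrow["product_type"];
    $temp = "SELECT acid_event.id,plugin_sid.name as sig_name,acid_event.timestamp FROM alienvault.plugin LEFT JOIN alienvault.product_type ON product_type.id=plugin.product_type, acid_event LEFT JOIN alienvault.plugin_sid ON plugin_sid.plugin_id=acid_event.plugin_id AND plugin_sid.sid=acid_event.plugin_sid WHERE acid_event.plugin_id=plugin.id AND product_type.id=" . $product_type_id . " ORDER BY timestamp DESC LIMIT 1";
    $result2 = $db->baseExecute($temp);
    $last = $result2->baseFetchRow();
    $result2->baseFreeRows();

    // Other fetch loops in this code base guard with `if ($row = ...)`, i.e.
    // a missing row comes back falsy; give it empty fields rather than
    // indexing into a non-array.
    if (!is_array($last)) {
        $last = array('id' => '', 'sig_name' => '', 'timestamp' => '');
    }
    $last_signature = $last['sig_name'];
    if (empty($last_signature)) {
        $last_signature = _("Signame Unknown");
    }
    $sig_id = $last['id'];
    $timestamp = $last["timestamp"];
    // Timestamps are stored in UTC; $tz is an hour offset applied for display.
    if ($tz != 0 && $timestamp != '') {
        $timestamp = gmdate("Y-m-d H:i:s", get_utc_unixtime($db, $timestamp) + 3600 * $tz);
    }

    $submit = "#" . ($qs->GetCurrentView() * $show_rows + $i) . "-" . $sig_id;
    $tmp_rowid = rawurlencode($sig_id);
    $urlp = "base_qry_main.php?new=1&submit=" . gettext("Query DB") . "&sourcetype=" . urlencode($myrow["product_type"]);

    // The type name and plugin_sid.name come straight from the database, so
    // they are escaped for the HTML text context; the href is escaped for the
    // attribute context. double_encode=false leaves any entity that is
    // already present untouched.
    $urlp_attr = htmlspecialchars($urlp, ENT_QUOTES, 'UTF-8', false);
    $product_type_html = htmlspecialchars((string) $product_type, ENT_QUOTES, 'UTF-8', false);
    $last_signature_html = htmlspecialchars((string) $last_signature, ENT_QUOTES, 'UTF-8', false);
    $timestamp_html = htmlspecialchars((string) $timestamp, ENT_QUOTES, 'UTF-8', false);

    qroPrintEntryHeader($i);
    qroPrintEntry('  <a href="' . $urlp_attr . '">' . $product_type_html . '</a>', 'left', "", "nowrap");
    qroPrintEntry(' <a href="' . $urlp_attr . '">' . $total_occurances . '</a>', "center", "", "");
    // NOTE(review): the entity / sensor name is emitted as-is; whether
    // $entities[] and GetSensorName() return pre-escaped text or markup is not
    // visible here — confirm before escaping this cell as well.
    qroPrintEntry(Session::show_entities() && !empty($entities[$ctx]) ? $entities[$ctx] : (Session::show_entities() ? _("Unknown") : GetSensorName($ctx, $db)), "center", "", "");
    qroPrintEntry(" <A HREF='{$urlp_attr}'>" . $last_signature_html . "</a>", "left", "", "");
    qroPrintEntry($timestamp_html, "center", "", "nowrap");
    qroPrintEntryFooter();
    $i++;
    $prev_time = null;
}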
// OTX icon $repinfo = $repinfo_src || $repinfo_dst; $otxinfo = $myrow2["pulse"] != ''; $myrow2['otx'] = ''; if ($otxinfo && $repinfo) { $myrow2['otx'] = 'otxrep'; } elseif ($otxinfo && !$repinfo) { $myrow2['otx'] = 'otx'; } elseif (!$otxinfo && $repinfo) { $myrow2['otx'] = 'rep'; } // Timezone $tz = Util::get_timezone(); $event_date = $timestamp; $tzdate = $event_date; $event_date_uut = get_utc_unixtime($db, $event_date); // Event date timezone if ($tzone != 0) { $event_date = gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tzone); } // Apply user timezone if ($tz != 0) { $tzdate = gmdate("Y-m-d H:i:s", $event_date_uut + 3600 * $tz); } $tzcell = $event_date == $timestamp || $event_date == $tzdate ? 0 : 1; _("Event date") . ": <b>" . Util::htmlentities($event_date) . "</b><br>" . _("Timezone") . ": <b>" . Util::htmlentities(Util::timezone($tzone)) . "</b>"; // This is one array that contains all the ids that are been used by snort, this way we will show more info for those events. // COMMON DATA // require_once 'classes/geolocation.inc'; $geoloc = new Geolocation('/usr/share/geoip/GeoLiteCity.dat');
$i = 0; $qs->num_result_rows = $max; $qs->current_view = 0; $result = $qs->ExecuteOutputQueryNoCanned($sql, $db); $hosts_ips = array_keys($hosts); $report_data = array(); // data to fill report_data if (is_array($_SESSION["server"]) && $_SESSION["server"][0] != "") { $_conn = $dbo->custom_connect($_SESSION["server"][0], $_SESSION["server"][2], $_SESSION["server"][3]); } else { $_conn = $dbo->connect(); } while ($myrow = $result->baseFetchRow()) { // if ($tz != 0) { $myrow["timestamp"] = gmdate("Y-m-d H:i:s", get_utc_unixtime($db, $myrow["timestamp"]) + 3600 * $tz); } $current_sip32 = $myrow["ip_src"]; $current_sip = baseLong2IP($current_sip32); $current_dip32 = $myrow["ip_dst"]; $current_dip = baseLong2IP($current_dip32); $current_proto = $myrow["ip_proto"]; $current_sport = $current_dport = ""; if ($myrow["layer4_sport"] != 0) { $current_sport = ":" . $myrow["layer4_sport"]; } if ($myrow["layer4_dport"] != 0) { $current_dport = ":" . $myrow["layer4_dport"]; } $current_sig = BuildSigByPlugin($myrow["plugin_id"], $myrow["plugin_sid"], $db); $current_sig_txt = trim(html_entity_decode(strip_tags($current_sig)));
} $tz = Util::get_timezone(); $plugin_id = ImportHTTPVar("id", VAR_DIGIT); $plugin_sid = ImportHTTPVar("sid", VAR_DIGIT); $sqlgraph = str_replace("PLUGINSID", $plugin_sid, str_replace("PLUGINID", $plugin_id, $_SESSION['siem_current_query_graph'])); $sql = str_replace("PLUGINSID", $plugin_sid, str_replace("PLUGINID", $plugin_id, $_SESSION['siem_alerts_query'])); session_write_close(); $qs = new QueryState(); $db = NewBASEDBConnection($DBlib_path, $DBtype); $db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password); $rs = $qs->ExecuteOutputQuery($sql, $db); if ($row = $rs->baseFetchRow()) { $addr_link = '&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=' . urlencode($plugin_id . ";" . $plugin_sid); $src_addrs = BuildUniqueAddressLink(1, $addr_link) . $row[0] . '</A>'; $dst_addrs = BuildUniqueAddressLink(2, $addr_link) . $row[1] . '</A>'; $last = get_utc_unixtime($db, $row[2]); } $rs->baseFreeRows(); if ($tz != 0) { $last = gmdate("Y-m-d H:i:s", $last + 3600 * $tz); } else { $last = $row[2]; } echo "{$src_addrs}##{$dst_addrs}##{$last}##"; $tr = $_SESSION["time_range"] != "" ? $_SESSION["time_range"] : "all"; $trdata = array(0, 0, $tr); if ($tr == "range") { $desde = strtotime($_SESSION["time"][0][4] . "-" . $_SESSION["time"][0][2] . "-" . $_SESSION["time"][0][3]) + 3600 * $tz; $hasta = strtotime($_SESSION["time"][1][4] . "-" . $_SESSION["time"][1][2] . "-" . $_SESSION["time"][1][3]) + 3600 * $tz; $diff = $hasta - $desde; if ($diff > 2678400) {
echo "-##-##-"; die; } $tz = Util::get_timezone(); $plugin_id = ImportHTTPVar("id", VAR_DIGIT); $plugin_sid = ImportHTTPVar("sid", VAR_DIGIT); $sqlgraph = str_replace("PLUGINSID", $plugin_sid, str_replace("PLUGINID", $plugin_id, $_SESSION['_siem_current_query_graph'])); $sqlunique = str_replace("PLUGINSID", $plugin_sid, str_replace("PLUGINID", $plugin_id, $_SESSION['_siem_ip_query'])); session_write_close(); $qs = new QueryState(); $db = NewBASEDBConnection($DBlib_path, $DBtype); $db->baseDBConnect($db_connect_method, $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password); // Unique $rs = $qs->ExecuteOutputQueryNoCanned($sqlunique, $db); if ($row = $rs->baseFetchRow()) { $last = $tz != 0 ? gmdate("Y-m-d H:i:s", get_utc_unixtime($db, $row[0]) + 3600 * $tz) : get_utc_unixtime($db, $row[0]); if (preg_match("/_acid_event/", $sqlunique)) { $last = str_replace(":00:00", "H", $last); } } $rs->baseFreeRows(); //error_log("$sql\n$sqlunique\n$sqlgraph\n",3,"/tmp/graph"); echo "{$last}##"; // Graph $tr = $_SESSION["time_range"] != "" ? $_SESSION["time_range"] : "all"; $trdata = array(0, 0, $tr); if ($tr == "range") { // Using offset date("Z") to fix the gmdate conversion into range_graphic(): Line 886 $desde = strtotime($_SESSION["time"][0][4] . "-" . $_SESSION["time"][0][2] . "-" . $_SESSION["time"][0][3]) + date("Z"); $hasta = strtotime($_SESSION["time"][1][4] . "-" . $_SESSION["time"][1][2] . "-" . $_SESSION["time"][1][3]) + date("Z"); $diff = $hasta - $desde;