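/*
 * Unique source / destination address statistics (base_stat_uaddr).
 *
 * Expects, from earlier in the file: $qs (query state), $et (timer), $db,
 * $submit, $caller, $addr_type, $from / $where (FROM and WHERE clauses for the
 * current criteria), $criteria_clauses and $use_ac.  Leaves $qro, $sort_sql,
 * $sql and $result set for the rendering code that follows.
 *
 * NOTE(review): $from / $where are concatenated into SQL unparameterised; this
 * is only as safe as the code that builds them (ProcessCriteria and the $qs
 * helpers, outside this span) — verify that path rather than this one.
 */

// Per-row actions are deliberately not registered on this page; the calls
// below are kept as a record of which actions other stat pages expose.
//$qs->AddValidAction("del_alert");
//$qs->AddValidAction("email_alert");
//$qs->AddValidAction("email_alert2");
//$qs->AddValidAction("csv_alert");
//$qs->AddValidAction("archive_alert");
//$qs->AddValidAction("archive_alert2");
//$qs->AddValidActionOp(gettext("Delete Selected"));
//$qs->AddValidActionOp(gettext("Delete ALL on Screen"));

// The pending action (if any) operates on the same FROM/WHERE as the listing.
$qs->SetActionSQL($from . $where);
$et->Mark("Initialization");
$qs->RunAction($submit, PAGE_STAT_UADDR, $db);
$et->Mark("Alert Action");

/* Setup the Query Results Table.
 * $caller and $addr_type are reflected back into the page URL handed to
 * QueryResultsOutput (presumably reused for its sort links), so they are
 * URL-encoded: an unencoded '&' or '#' would otherwise split the query
 * string.  The (string) casts keep null behaving as "" exactly as plain
 * concatenation did. */
$qro = new QueryResultsOutput(
    "base_stat_uaddr.php?caller=" . urlencode((string) $caller)
    . "&addr_type=" . urlencode((string) $addr_type)
);
$qro->AddTitle(" ");

// $sort_sql[0] / $sort_sql[1] are the select-list and ORDER BY fragments for
// the current sort, as returned by GetSortSQL (confirm the index meaning
// against QueryResultsOutput if it is changed).
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());

// One UNION half per direction: event count per source address ('S') and per
// destination address ('D'); addresses with no events are dropped by HAVING.
$sql = "(SELECT DISTINCT ip_src, 'S', COUNT(acid_event.cid) as num_events "
    . $sort_sql[0] . $from . $where
    . " GROUP BY ip_src HAVING num_events>0 " . $sort_sql[1]
    . ") UNION (SELECT DISTINCT ip_dst, 'D', COUNT(acid_event.cid) as num_events "
    . $sort_sql[0] . $from . $where
    . " GROUP BY ip_dst HAVING num_events>0 " . $sort_sql[1] . ")";

// use accumulate tables only with timestamp criteria
if ($use_ac) {
    // $more/$sqla/$sqlb/$sqlc are reset together with $where; they are not used
    // in this span but may be read by code that follows it, so they are kept.
    $where = $more = $sqla = $sqlb = $sqlc = "";
    // The ac_* summary tables are keyed by `day`, so only the timestamp
    // criterion is carried over (with the column renamed); every other WHERE
    // criterion is dropped here.  NOTE(review): presumably $use_ac is only set
    // when the criteria are timestamp-only — confirm upstream.
    if (preg_match("/timestamp/", $criteria_clauses[1])) {
        $where = "WHERE " . str_replace("timestamp", "day", $criteria_clauses[1]);
    }
    // The summary tables are not prefixed with acid_event.; the ORDER BY is
    // computed but, as the original notes, not appended to the query.
    $orderby = str_replace("acid_event.", "", $sort_sql[1]); // $orderby not included
    $sql = "(SELECT DISTINCT ip_src, 'S', sum(cid) as num_events\n\t\tFROM ac_srcaddr_ipsrc {$where} GROUP BY ip_src HAVING num_events>0) UNION \n\t\t(SELECT DISTINCT ip_dst, 'D', sum(cid) as num_events\n\t\tFROM ac_dstaddr_ipdst {$where} GROUP BY ip_dst HAVING num_events>0)";
}

/* Run the Query again for the actual data (with the LIMIT) */
$result = $qs->ExecuteOutputQueryNoCanned($sql, $db);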
/*
 * Per-sensor statistics (base_stat_sensor).
 *
 * Expects, from earlier in the file: $qs, $et, $db, $caller, $tz, $counter,
 * $nevents, $from / $from2, $where / $where1 / $where2 and $use_ac.  Leaves
 * $qro, $sort_sql, $sql, $sql2, $sqlsensor and $result set for the rendering
 * code that follows, and stores $sqlsensor in the session.
 *
 * NOTE(review): all SQL below is assembled by concatenating pre-built clause
 * strings ($from*, $where*, $counter, $nevents); it is only as safe as the
 * code that builds those clauses, which is outside this span.
 */

/* Setup the Query Results Table.  $caller is reflected into the page URL
 * without encoding — relies on it having been validated upstream (verify). */
$qro = new QueryResultsOutput("base_stat_sensor.php?caller=" . $caller);
$qro->AddTitle(" ");
$qro->AddTitle(gettext("Sensor"), "sid_a", " ", " ORDER BY acid_event.device_id ASC", "sid_d", " ", " ORDER BY acid_event.device_id DESC");
$qro->AddTitle(gettext("Name"), "", " ", " ", "", " ", " ");
$qro->AddTitle(gettext("Device IP"), "", " ", " ", "", " ", " ");
// The timezone is embedded raw into an HTML attribute; presumably a
// server-side value rather than request input — confirm where $tz comes from.
$events_title = _("Events") . " # <span class='idminfo' txt='" . Util::timezone($tz) . "'>(*)</span>";
$qro->AddTitle($events_title, "occur_a", " ", " ORDER BY event_cnt ASC", "occur_d", " ", " ORDER BY event_cnt DESC");
// The three "Unique ..." columns are not sortable (empty sort arguments); the
// sortable variants are kept commented out below.
$qro->AddTitle(gettext("Unique Events"), "", "", "", "", "", "");
$qro->AddTitle(gettext("Unique Src."), "", "", "", "", "", "");
$qro->AddTitle(gettext("Unique Dst."), "", "", "", "", "", "");
/* $qro->AddTitle(gettext("Unique Events"), "sig_a", "", " ORDER BY sig_cnt ASC", "sig_d", "", " ORDER BY sig_cnt DESC"); $qro->AddTitle(gettext("Unique Src."), "saddr_a", "", " ORDER BY saddr_cnt ASC", "saddr_d", "", " ORDER BY saddr_cnt DESC"); $qro->AddTitle(gettext("Unique Dst."), "daddr_a", "", " ORDER BY daddr_cnt ASC", "daddr_d", "", " ORDER BY daddr_cnt DESC"); */

// $sort_sql[0] / $sort_sql[1]: select-list and ORDER BY fragments for the
// current sort, as used here (confirm against QueryResultsOutput::GetSortSQL).
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), "");

// Main listing: one row per device, joined to device/sensor for names and IPs;
// $counter supplies the event_cnt expression the HAVING clause depends on.
$sql = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntoa(sensor.ip) AS sensor_ip, inet6_ntoa(device.device_ip) AS device_ip, device.interface, {$counter} " . $sort_sql[0] . $from . $where . " AND device.id=acid_event.device_id GROUP BY acid_event.device_id HAVING event_cnt>0 " . $sort_sql[1];
// Same listing with the alternative WHERE ($where2); used as a fallback below
// when the first query is empty and accumulate tables are in use.
$sql2 = "SELECT acid_event.device_id, HEX(device.sensor_id) AS sensor_id, ifnull(sensor.name,'Unknown') AS name, inet6_ntoa(sensor.ip) AS sensor_ip, inet6_ntoa(device.device_ip) AS device_ip, device.interface, {$counter} " . $sort_sql[0] . $from . $where2 . " AND device.id=acid_event.device_id GROUP BY acid_event.device_id HAVING event_cnt>0 " . $sort_sql[1];
// Per-device unique counts; DEVICEID is a literal placeholder in the stored
// query, presumably substituted per row by whatever reads it back from the
// session — confirm in the consumer.
$sqlsensor = "SELECT " . $nevents . " as sig_cnt, count(distinct(acid_event.ip_src)) as saddr_cnt, count(distinct(acid_event.ip_dst)) as daddr_cnt" . $sort_sql[0] . $from2 . $where1 . " AND acid_event.device_id=DEVICEID";
// Must be written before session_write_close() below or it is lost.
$_SESSION['_siem_sensor_query'] = $sqlsensor;

// NOTE(review): the debug switch is a marker file in the world-writable /tmp
// and the log target is a fixed /tmp path.  Any local user can enable the
// dump of the full query text, and a pre-created /tmp/siem (e.g. a symlink)
// controls where it is written.  Prefer a configuration flag and a log
// location under the application's own, restricted log directory.
if (file_exists('/tmp/debug_siem')) {
    error_log("STATS SENSORS:{$sql}\nSTATS SENSOR UNIQUE:{$sqlsensor}\n", 3, "/tmp/siem");
}

/* Run the Query again for the actual data (with the LIMIT) */
// Release the session lock before the (potentially slow) query so other
// requests for this session are not blocked.
session_write_close();
$result = $qs->ExecuteOutputQuery($sql, $db);
// Fallback to the $where2 variant only when accumulate tables are in use and
// the primary query returned nothing.  (Loose == on the count is harmless
// here but === 0 would be the stricter form.)
if ($result->baseRecordCount() == 0 && $use_ac) {
    $result = $qs->ExecuteOutputQuery($sql2, $db);
}
$qs->num_result_rows = $result->baseRecordCount();
$et->Mark("Retrieve Query Data");
<?php /* Dump some debugging information on the shared state */ if ($debug_mode > 0) { PrintCriteriaState(); } /* a browsing button was clicked -> increment view */ if (is_numeric($submit)) { if ($debug_mode > 0) { ErrorMessage("Browsing Clicked ({$submit})"); } $qs->MoveView($submit); $submit = gettext("Query DB"); } //echo $submit." ".$qs->isCannedQuery()." ".$qs->GetCurrentSort()." ".$_SERVER["QUERY_STRING"]; /* Run the SQL Query and get results */ if ($submit == gettext("Query DB") || $submit == gettext("Query+DB") || $submit == gettext("Delete Selected") || $submit == gettext("Delete ALL on Screen") || $submit == gettext("Delete Entire Query") || $qs->isCannedQuery() || $qs->GetCurrentSort() != "" && $qs->GetCurrentSort() != "none" && $_SERVER["QUERY_STRING"] != "new=1") { /* Init and run the action */ $criteria_clauses = ProcessCriteria(); //print_r($criteria_clauses); $from = "FROM acid_event " . $criteria_clauses[0]; $where = ""; if ($criteria_clauses[1] != "") { $where = "WHERE " . $criteria_clauses[1]; } $where = str_replace("::%", ":%:%", $where); if (preg_match("/^(.*)AND\\s+\\(\\s+timestamp\\s+[^']+'([^']+)'\\s+\\)\\s+AND\\s+\\(\\s+timestamp\\s+[^']+'([^']+)'\\s+\\)(.*)\$/", $where, $matches)) { if ($matches[2] != $matches[3]) { //print "A"; $where = $matches[1] . " AND timestamp BETWEEN('" . $matches[2] . "') AND ('" . $matches[3] . "') " . $matches[4]; } else { //print "B";