Пример #1
     $colors = get_widget_colors(count($data));
     break;
 case "events":
     //Filters of assets.
     $query_where = Security_report::make_where($conn, '', '', array(), $assets_filters, '', '', false);
     //Limit of alarms to show in the widget.
     $limit = $chart_info['top'] != '' ? $chart_info['top'] : 5;
     //Sql Query
     $sqlgraph = "SELECT sum( acid_event.cnt ) as num_events, p.name, p.plugin_id, p.sid from alienvault_siem.ac_acid_event as acid_event, alienvault.plugin_sid p WHERE p.plugin_id=acid_event.plugin_id AND p.sid=acid_event.plugin_sid {$query_where} group by p.name order by num_events desc limit {$limit}";
     $rg = $conn->CacheExecute($sqlgraph);
     if (!$rg) {
         print $conn->ErrorMsg();
     } else {
         while (!$rg->EOF) {
             $data[] = $rg->fields["num_events"];
             $name = Util::signaturefilter($rg->fields["name"]);
             $label[] = $name;
             $link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=all&submit=Query+DB&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=" . $rg->fields["plugin_id"] . "%3B" . $rg->fields["sid"] . "&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');
             $links[] = $link;
             $rg->MoveNext();
         }
     }
     $hide_x_axis = TRUE;
     $colors = get_widget_colors(count($data));
     break;
 case 'siemhours':
     //Amount of hours to show in the widget.
     $max = $chart_info['range'] == '' ? 16 : $chart_info['range'];
     //Type of graph. In this case is the simple raphael.
     $js = "analytics";
     //Retrieving the data of the widget
Пример #2
    if (count($list) == 0) {
        $htmlPdfReport->set('
        <table class="w100" cellpadding="0" cellspacing="0">
            <tr>
                <td class="w100" align="center" valign="top">' . _("No data available") . '</td>
            </tr>
        </table><br/><br/>');
        return;
    }
    $htmlPdfReport->set('
        <table class="w100" cellpadding="0" cellspacing="0">
            <tr>
                <td style="padding:15px 0px 0px 0px;width:100%" valign="top">
                    <table class="w100">
                        <tr>');
    $htmlPdfReport->set('<th>' . _("Event") . '</th>');
    $htmlPdfReport->set('<th class="center">' . gettext("Risk") . '</th></tr>');
    $c = 0;
    foreach ($list as $l) {
        $event = $l[0];
        $risk = $l[1];
        $bc = $c++ % 2 != 0 ? "class='par'" : "";
        $htmlPdfReport->set('<tr ' . $bc . '>
                                    <td style="text-align:left;width:68%">' . Util::wordwrap(Util::htmlentities(Util::signaturefilter($event)), 70, " ", true) . '</td>
                                    <td nowrap="nowrap" class="left" style="width:32%">' . echo_risk($risk, 1) . '</td></tr>');
    }
    $htmlPdfReport->set('</table>
                </td>
            </tr>
        </table><br/>');
}
Пример #3
     $font_size = 12;
 } else {
     if (count($list) <= 30) {
         $font_size = 10;
     } else {
         $font_size = 8;
     }
 }
 foreach ($list as $l) {
     $event = $l[0];
     $occurrences = number_format($l[1], 0, ',', '.');
     $link = "{$ossim_link}/alarm/alarm_console.php";
     $bc = $c++ % 2 != 0 ? "class='par'" : '';
     $htmlPdfReport->set('
                                 <tr ' . $bc . '>
                                     <td style="text-align:left;width:60mm;font-size:' . $font_size . 'px">' . Util::wordwrap(Util::htmlentities(Util::signaturefilter($event)), 30, ' ', TRUE) . '</td>
                                     <td style="text-align:center;width:22mm;font-size:' . $font_size . 'px">' . $occurrences . '</td>
                                 </tr>');
 }
 $htmlPdfReport->set('
                     </table>
                 </td>
             <td valign="top" style="text-align:center;padding-top:15px;">');
 if ($report_graph_type == 'applets') {
     jgraph_nbevents_graph();
 } else {
     $htmlPdfReport->set('<img src="' . $htmlPdfReport->newImage('/report/graphs/events_received_graph.php?shared=' . urlencode($shared_file) . '&hosts=' . $num_hosts . '&type=' . $report_type . '&date_from=' . urlencode($date_from) . '&date_to=' . urlencode($date_to) . '&runorder=' . $runorder, 'png') . '" />');
 }
 $htmlPdfReport->set('
             </td>
         </tr>
Пример #4
</tr></table>

<script>
	$(function () {
		$.plot($("#graph"), [
		<?php 
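$i = 0;
// Emit at most ten slices of $data_pie (value => label) as flot series objects.
// The label ends up inside a JavaScript string literal in an inline <script>,
// so it must be escaped for that context. addslashes() is not a JS/HTML escaper
// (it leaves "</script>", "<", "&" and U+2028/2029 untouched), and applying it
// before Util::signaturefilter() left whatever that helper returns unescaped.
// json_encode() with the JSON_HEX_* flags covers both the string literal and
// the surrounding <script> element. What Util::signaturefilter() returns is not
// visible here; it is treated as plain text.
foreach ($data_pie as $data => $label) {
    if ($i < 10) {
        echo $i++ == 0 ? "" : ",";
        $js_label = json_encode(
            Util::signaturefilter($label),
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        );
        if ($js_label === false) {
            // json_encode() rejects malformed UTF-8; an empty label keeps the
            // array literal well-formed instead of producing broken JavaScript.
            $js_label = '""';
        }
        // $data is the array key (an int whenever the count was numeric); only a
        // numeric value may be written unquoted into the JavaScript source.
        $js_data = is_numeric($data) ? $data : 0;
        echo "\n\t\t\t{ label: " . $js_label . ",  data: " . $js_data . " }\n\t\t";
    }
}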
?>
		], 
		{
			pie: { 
				show: true, 
				pieStrokeLineWidth: 1, 
				pieStrokeColor: '#FFF', 
Пример #5
// Pick the rows to chart: pre-computed top lists when the caller supplied them
// (non-empty arrays), otherwise query them for the requested type and date range.
if ($type == "event" && is_array($SS_TopEvents) && count($SS_TopEvents) > 0) {
    $list = $SS_TopEvents;
} elseif ($type == "alarm" && is_array($SA_TopAlarms) && count($SA_TopAlarms) > 0) {
    $list = $SA_TopAlarms;
} else {
    $list = $security_report->Events($limit, $type, $date_from, $date_to);
}
// Each row is used as array(name, count) below -- TODO confirm against the producers above.
$data_pie = array();   // count => truncated name, iterated as value => label by the pie renderer
$legend = $data = array();
foreach ($list as $key => $l) {
    if ($key >= 10) {
        // cap the number of results shown in the chart (assumes $list has 0-based sequential keys)
        break;
    }
    // NOTE(review): the count is the array key, so two rows with the same count
    // collapse into one pie slice while $legend and $data still keep both rows.
    $data_pie[$l[1]] = Security_report::Truncate($l[0], 60);
    $legend[] = Util::signaturefilter(Security_report::Truncate($l[0], 60));
    $data[] = $l[1];
}
// Sum of all counts. The percentage loop that follows divides by this, so an
// empty or all-zero $data would make that a division by zero.
$total = array_sum($data);
$labels = array();
$tlabels = array();
$zero = $one = $two = 0;   // per-bucket counters filled by the percentage loop below
foreach ($data as $value) {
    if (round($value / $total, 2) * 100 == 0) {
        // 0%
        $zero++;
    } else {
        if (round($value / $total, 2) * 100 == 1) {
            // 1%
            $one++;
        } else {
Пример #6
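/**
 * Render the "Top N Alarms/Events by Risk" table for the given date range.
 *
 * Reads the globals $NUM_HOSTS (the N), $security_report (data source) and
 * $report_type ("alarm" or anything else, treated as "event"). Writes HTML
 * directly to the output; returns nothing.
 */
function event_max_risk($date_from, $date_to)
{
    global $NUM_HOSTS;
    global $security_report;
    global $report_type;
    require_once 'sec_util.php';

    // Heading and first column depend on whether this is an alarm or an event report.
    if ($report_type == "alarm") {
        $title = _("Alarms by Risk");
        $column = gettext("Alarm");
    } else {
        $title = _("Events by Risk");
        $column = gettext("Event");
    }
    // $NUM_HOSTS is a global set elsewhere; it is escaped anyway because it is written into HTML.
    $heading = _("Top") . " " . htmlspecialchars((string) $NUM_HOSTS, ENT_QUOTES, 'UTF-8') . " " . $title;
    ?>
        <table align="center" width="100%" cellpadding="0" cellspacing="0" class="noborder">
            <tr><td class="headerpr"><?php echo $heading; ?></td></tr>
        </table>
        <table align="center" width="100%">
          <tr>
            <th> <?php echo $column; ?> </th>
            <th> <?php echo gettext("Risk"); ?> </th>
          </tr>
<?php
    $list = $security_report->EventsByRisk($NUM_HOSTS, $report_type, $date_from, $date_to);
    if (!is_array($list)) {
        // Avoid iterating a non-array (warning) when the data source returns nothing usable.
        $list = array();
    }
    foreach ($list as $l) {
        $event = $l[0];
        $risk = $l[1];
        // The name is HTML-escaped after Util::signaturefilter(), as the PDF
        // report renderers do; the helper's output is treated as plain text.
        // The stray closing </a> that followed the name had no opening tag and is gone.
        ?>
          <tr>
            <td style="text-align:left;"><?php echo Util::htmlentities(Util::signaturefilter($event)); ?></td>
            <td style="text-align:left;"><?php echo_risk($risk); ?></td>
          </tr>
<?php
    }
    ?>
        </table>
        <br/>
<?php
}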
Пример #7
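/**
 * Top SIEM event signatures by count, restricted to what the session may see.
 *
 * @param object $conn  ADODB-style connection (Execute / ErrorMsg / EOF / fields / MoveNext).
 * @param int    $limit Maximum number of rows; coerced to int before use in SQL.
 * @return array filtered signature name => summed event count. Terminates the
 *               script (die) when the query fails.
 */
function top_siem_events($conn, $limit)
{
    $data = array();

    // LIMIT is interpolated into the SQL text, so force it to an integer first;
    // anything else coming from the caller would otherwise end up in the query.
    $limit = (int) $limit;

    // Permission scoping: contexts (ctx), hosts and networks the current session
    // is allowed to see. The Session::*_where() helpers are assumed to return
    // ready-made SQL list bodies (or "" when unrestricted) produced by the
    // session layer, not by the request -- they are interpolated as such.
    $perms_sql = "WHERE 1=1";
    $domain = Session::get_ctx_where();
    if ($domain != "") {
        $perms_sql .= " AND ac.ctx in ({$domain})";
    }
    $hosts = Session::get_host_where();
    $nets = Session::get_net_where();
    if ($hosts != "") {
        // Either endpoint may match an allowed host (or, when present, an allowed net).
        $asset_sql = "ac.src_host in ({$hosts}) OR ac.dst_host in ({$hosts})";
        if ($nets != "") {
            $asset_sql .= " OR ac.src_net in ({$nets}) OR ac.dst_net in ({$nets})";
        }
        $perms_sql .= " AND ({$asset_sql})";
    } elseif ($nets != "") {
        $perms_sql .= " AND (ac.src_net in ({$nets}) OR ac.dst_net in ({$nets}))";
    }

    $query = "SELECT sum(ac.cnt) as num, plugin_sid.name FROM alienvault_siem.ac_acid_event AS ac LEFT JOIN alienvault.plugin_sid ON plugin_sid.plugin_id=ac.plugin_id AND plugin_sid.sid=ac.plugin_sid {$perms_sql} GROUP BY name ORDER BY num DESC LIMIT {$limit}";
    $rs = $conn->Execute($query);
    if (!$rs) {
        // Keep the driver's error text in the server log; the page only gets a
        // generic message so schema/SQL details are not disclosed to the browser.
        echo "error";
        error_log("top_siem_events: " . $conn->ErrorMsg());
        die("Error retrieving top SIEM events");
    }
    while (!$rs->EOF) {
        // NOTE(review): the filtered name is the array key, so two signatures
        // that filter to the same text keep only the last count seen.
        $data[Util::signaturefilter($rs->fields["name"])] = $rs->fields["num"];
        $rs->MoveNext();
    }
    return $data;
}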
Пример #8
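/**
 * Render the "Top N Alarms/Events by Risk" table for the given date range.
 *
 * Reads the globals $NUM_HOSTS (the N), $security_report (data source) and
 * $report_type ("alarm" or anything else, treated as "event").
 *
 * @return int 0 when there is no data (nothing printed), 1 after rendering.
 */
function event_max_risk($date_from, $date_to)
{
    global $NUM_HOSTS;
    global $security_report;
    global $report_type;
    require_once 'sec_util.php';

    $list = $security_report->EventsByRisk($NUM_HOSTS, $report_type, $date_from, $date_to);
    if (!is_array($list) || empty($list)) {
        return 0;
    }

    // Heading and first column depend on whether this is an alarm or an event report.
    if ($report_type == "alarm") {
        $title = _("Alarms by Risk");
        $column = gettext("Alarm");
    } else {
        $title = _("Events by Risk");
        $column = gettext("Event");
    }
    // $NUM_HOSTS is a global set elsewhere; it is escaped anyway because it is written into HTML.
    $heading = _("Top") . " " . htmlspecialchars((string) $NUM_HOSTS, ENT_QUOTES, 'UTF-8') . " " . $title;
    ?>
    <table class='t_alarms'>
        <thead>
            <tr>
                <td class="headerpr"><?php echo $heading; ?></td>
            </tr>
        </thead>

        <tbody>
            <tr>
                <td class='td_container'>
                    <table class='table_data'>
                        <thead>
                            <tr>
                                <th> <?php echo $column; ?> </th>
                                <th><?php echo gettext("Risk"); ?></th>
                            </tr>
                        </thead>

                        <tbody>
                            <?php
    foreach ($list as $l) {
        $event = $l[0];
        $risk = $l[1];
        // The name is HTML-escaped after Util::signaturefilter(), as the PDF
        // report renderers do; the helper's output is treated as plain text.
        ?>
                                <tr>
                                    <td class='left td_data' valign='middle'><?php echo Util::htmlentities(Util::signaturefilter($event)); ?></td>
                                    <td class='left td_data' valign='middle'><?php echo_risk($risk); ?></td>
                                </tr>
                                <?php
    }
    ?>
                        </tbody>
                    </table>
                </td>
            </tr>
        </tbody>
    </table>
    <br/>
    <?php
    return 1;
}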
    					<table class="transparent">
    						<tr>
    							<?php 
        if ($tags_html[$id_tag] != "") {
            ?>
    								<td class="transparent">
    								    <?php 
            echo preg_replace("/ <a(.*)<\\/a>/", "", $tags_html[$id_tag]);
            ?>
    								</td>
    								<?php 
        }
        ?>
    							<td class="transparent">
        							<?php 
        echo Util::signaturefilter(Alarm::transform_alarm_name($conn, $group['name']));
        ?>
        							&nbsp;&nbsp;
        							<span style='font-size:xx-small;'>(<?php 
        echo $ocurrences;
        ?>
 <?php 
        echo $ocurrence_text;
        ?>
)</span>
    							</td>
    						</tr>
    					</table>
    				</td>

    				<td><?php 
Пример #10
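/**
 * Top snort/SIEM event signatures by count, restricted to the session's sensors.
 *
 * @param object $conn  ADODB-style connection (Execute / ErrorMsg / EOF / fields / MoveNext).
 * @param int    $limit Maximum number of rows; coerced to int before use in SQL.
 * @return array filtered signature name => event count. Terminates the script
 *               (die) when the query fails.
 */
function top_siem_events($conn, $limit)
{
    $data = array();

    // LIMIT is interpolated into the SQL text, so force it to an integer first.
    $limit = (int) $limit;

    // Sensor scoping: when the session is restricted to a set of sensors, only
    // count events stored under those sensors' snort sids. An allowed sensor
    // list that resolves to no sids yields "in (0)", i.e. an empty result
    // rather than every row. Initialised here so the check below never reads
    // an undefined variable when no restriction applies.
    $sensor_where_ac = "";
    if (Session::allowedSensors() != "") {
        $user_sensors = explode(",", Session::allowedSensors());
        $snortsensors = get_sensor_sids($conn);
        $sids = array();
        foreach ($user_sensors as $user_sensor) {
            // isset() guards count() against a sensor with no entry at all.
            if (isset($snortsensors[$user_sensor]) && count($snortsensors[$user_sensor]) > 0) {
                foreach ($snortsensors[$user_sensor] as $sid) {
                    if ($sid != "") {
                        // acid_event.sid is an integer column; cast so the IN
                        // list is numeric-only before it is interpolated.
                        $sids[] = (int) $sid;
                    }
                }
            }
        }
        if (count($sids) > 0) {
            $sensor_where_ac = " WHERE acid_event.sid in (" . implode(",", $sids) . ")";
        } else {
            $sensor_where_ac = " WHERE acid_event.sid in (0)"; // empty set
        }
    }

    if ($sensor_where_ac != "") {
        // Per-event table filtered by sensor. The original chose the FROM clause
        // on $counter, which is never defined in this scope, so the unaliased
        // form was always used; that SQL is kept unchanged here.
        $query = "SELECT count(*) as num, plugin_sid.name FROM snort.acid_event LEFT JOIN ossim.plugin_sid ON plugin_sid.plugin_id=acid_event.plugin_id AND plugin_sid.sid=acid_event.plugin_sid {$sensor_where_ac} GROUP BY name ORDER BY num DESC LIMIT {$limit}";
    } else {
        // No sensor restriction: use the pre-aggregated per-signature counters.
        $query = "SELECT sum(ac.sig_cnt) as num, plugin_sid.name FROM snort.ac_alerts_signature AS ac LEFT JOIN ossim.plugin_sid ON plugin_sid.plugin_id=ac.plugin_id AND plugin_sid.sid=ac.plugin_sid GROUP BY name ORDER BY num DESC LIMIT {$limit}";
    }
    $rs = $conn->Execute($query);
    if (!$rs) {
        // Log the driver's error server-side; the browser only gets a generic message.
        echo "error";
        error_log("top_siem_events: " . $conn->ErrorMsg());
        die("Error retrieving top SIEM events");
    }
    while (!$rs->EOF) {
        // NOTE(review): the filtered name is the array key, so two signatures
        // that filter to the same text keep only the last count seen.
        $data[Util::signaturefilter($rs->fields["name"])] = $rs->fields["num"];
        $rs->MoveNext();
    }
    return $data;
}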
Пример #11
    echo $background;
    ?>
'>
			<table class="transparent">
			<tr>
			<?php 
    if ($tags_html[$id_tag] != "") {
        ?>
<td class="nobborder"><?php 
        echo $tags_html[$id_tag];
        ?>
</td><?php 
    }
    ?>
			<td class="nobborder"><?php 
    echo Util::signaturefilter($group['name']);
    ?>
&nbsp;&nbsp;<span style='font-size:xx-small; text-color: #AAAAAA;'>(<?php 
    echo $ocurrences;
    ?>
 <?php 
    echo $ocurrence_text;
    ?>
)</span></td>
			</tr>
			</table>
		</th>
		<th width='10%' style='text-align: center; border-width: 0px; background: <?php 
    echo $background;
    ?>
'><?php 
Пример #12
        $chart['chart_type'] = "column";
        break;
}
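// PHP/SWF Chart License - Licensed to ossim.com. For distribution with ossim only. No other redistribution / usage allowed.
// For more information please check http://www.maani.us/charts/index.php?menu=License_bulk
// NOTE(review): a vendor license key is embedded in source. It is a distribution
// license rather than a credential, but it falls within any secret-scanning policy.
$chart['license'] = "J1XF-CMEW9L.HSK5T4Q79KLYCK07EK";

// Static chart layout and appearance.
$chart['chart_pref'] = array('rotation_x' => 60);
$chart['chart_rect'] = array('x' => 50, 'y' => 130, 'width' => 130, 'height' => 200, 'positive_alpha' => 0);
$chart['chart_transition'] = array('type' => "scale", 'delay' => 0.1, 'duration' => 0.3, 'order' => "category");
// This overrides whatever chart_type the switch above selected.
$chart['chart_type'] = "3d pie";
$chart['chart_value'] = array('as_percentage' => true, 'size' => 9, 'color' => "000000", 'alpha' => 85);
$chart['legend_label'] = array('layout' => "vertical", 'bullet' => "circle", 'size' => 11, 'color' => "505050", 'alpha' => 85, 'bold' => false);
$chart['legend_rect'] = array('x' => 220, 'y' => 220, 'width' => 20, 'height' => 40, 'fill_alpha' => 0);
$chart['series_color'] = array("cc6600", "aaaa22", "8800dd", "666666", "4488aa");
$chart['series_explode'] = array(0, 50);

// Legend names and their counts, in result order. $query is built above this
// block. The result is assigned by value: the original `=&` on a method return
// only raises a notice and has no effect on the value.
$legend = array();
$values = array();
$rs = $conn->Execute($query);
if (!$rs) {
    // Log the driver's error server-side; the response only carries a generic message.
    error_log("chart data query failed: " . $conn->ErrorMsg());
    print "Error retrieving chart data";
    exit;
}
while (!$rs->EOF) {
    $legend[] = Util::signaturefilter($rs->fields["name"]);
    $values[] = $rs->fields["num"];
    $rs->MoveNext();
}

// $counter comes from above this block and is written into a URL query
// string; encode it so it cannot alter the URL structure.
$chart['live_update'] = array('url' => "/ossim/graphs/alarms_events_data2.php?bypassexpirationupdate=1&counter=" . urlencode($counter) . "&time=" . time(), 'delay' => 8);
$chart['chart_data'] = array($legend, $values);
SendChartData($chart);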