function ProcessCriteria()
{
global $db, $join_sql, $perms_sql, $where_sql, $criteria_sql, $sql, $debug_mode, $caller, $DBtype;
/* XXX-SEC */
global $cs, $timetz;
/* the JOIN criteria */
$ip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid ";
// *************** DEPRECATED: TCP UDP ICMP join *********************
//$tcp_join_sql = " LEFT JOIN tcphdr ON acid_event.sid=tcphdr.sid AND acid_event.cid=tcphdr.cid ";
//$udp_join_sql = " LEFT JOIN udphdr ON acid_event.sid=udphdr.sid AND acid_event.cid=udphdr.cid ";
//$icmp_join_sql = " LEFT JOIN icmphdr ON acid_event.sid=icmphdr.sid AND acid_event.cid=icmphdr.cid ";
$rawip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid ";
$sig_join_sql = " LEFT JOIN alienvault.plugin_sid ON acid_event.plugin_id=plugin_sid.plugin_id AND acid_event.plugin_sid=plugin_sid.sid ";
$sig_join = false;
$sig_join_tmp = "";
$data_join_sql = "";
//SQL_CALC_FOUND_ROWS
$sql = "SELECT acid_event.*, HEX(acid_event.ctx) AS ctx, HEX(acid_event.src_host) AS src_host, HEX(acid_event.dst_host) AS dst_host, HEX(acid_event.src_net) AS src_net, HEX(acid_event.dst_net) AS dst_net FROM acid_event";
$where_sql = " WHERE ";
//$where_sql = "";
// $criteria_sql = " acid_event.sid > 0";
// Initially show last 24hours events
if ($_GET['time_range'] == "") {
$criteria_sql = " ( timestamp >='" . gmdate("Y-m-d", $timetz) . "' ) ";
} else {
$criteria_sql = " 1 ";
}
//$criteria_sql = " ( timestamp <= CURDATE() ) ";
//$criteria_sql = " 1 ";
$join_sql = "";
$use_ac = true;
// Use ac_acid_event or not
$sfilter = false;
$criteria_sql_ac = $criteria_sql;
/* ********************** Meta Criteria ******************************************** */
$sig = $cs->criteria['sig']->criteria;
$sig_type = $cs->criteria['sig']->sig_type;
$sig_class = $cs->criteria['sig_class']->criteria;
$sig_priority = $cs->criteria['sig_priority']->criteria;
$ag = $cs->criteria['ag']->criteria;
$sensor = $cs->criteria['sensor']->criteria;
$sensor_op = $cs->criteria['sensor']->param ? "not in" : "in";
$plugin = $cs->criteria['plugin']->criteria;
$plugingroup = $cs->criteria['plugingroup']->criteria;
$networkgroup = $cs->criteria['networkgroup']->criteria;
$userdata = $cs->criteria['userdata']->criteria;
$idm_username = $cs->criteria['idm_username']->criteria;
$idm_hostname = $cs->criteria['idm_hostname']->criteria;
$idm_domain = $cs->criteria['idm_domain']->criteria;
$sourcetype = $cs->criteria['sourcetype']->criteria;
$category = $cs->criteria['category']->criteria;
$rep = $cs->criteria['rep']->criteria;
$otx = $cs->criteria['otx']->criteria;
$time = $cs->criteria['time']->GetUTC();
$real_time = $cs->criteria['time']->criteria;
//print_r($time);
$time_cnt = $cs->criteria['time']->GetFormItemCnt();
$hostid = $cs->criteria['hostid']->criteria;
$netid = $cs->criteria['netid']->criteria;
$ctx = $cs->criteria['ctx']->criteria;
$device = $cs->criteria['device']->criteria;
$ip_addr = $cs->criteria['ip_addr']->criteria;
$ip_addr_cnt = $cs->criteria['ip_addr']->GetFormItemCnt();
$layer4 = $cs->criteria['layer4']->criteria;
$ip_field = $cs->criteria['ip_field']->criteria;
$ip_field_cnt = $cs->criteria['ip_field']->GetFormItemCnt();
$tcp_port = $cs->criteria['tcp_port']->criteria;
$tcp_port_cnt = $cs->criteria['tcp_port']->GetFormItemCnt();
// DEPRECATED tcp flags
//$tcp_flags = $cs->criteria['tcp_flags']->criteria;
//$tcp_field = $cs->criteria['tcp_field']->criteria;
//$tcp_field_cnt = $cs->criteria['tcp_field']->GetFormItemCnt();
$udp_port = $cs->criteria['udp_port']->criteria;
$udp_port_cnt = $cs->criteria['udp_port']->GetFormItemCnt();
// DEPRECATED udp field icmp field
//$udp_field = $cs->criteria['udp_field']->criteria;
//$udp_field_cnt = $cs->criteria['udp_field']->GetFormItemCnt();
//$icmp_field = $cs->criteria['icmp_field']->criteria;
//$icmp_field_cnt = $cs->criteria['icmp_field']->GetFormItemCnt();
$rawip_field = $cs->criteria['rawip_field']->criteria;
$rawip_field_cnt = $cs->criteria['rawip_field']->GetFormItemCnt();
$data = $cs->criteria['data']->criteria;
$data_cnt = $cs->criteria['data']->GetFormItemCnt();
$data_encode = $cs->criteria['data']->data_encode;
//$data_encode[0] = "ascii"; $data_encode[1] = "hex";
/* OSSIM */
$ossim_type = $cs->criteria['ossim_type']->criteria;
$ossim_priority = $cs->criteria['ossim_priority']->criteria;
$ossim_reliability = $cs->criteria['ossim_reliability']->criteria;
$ossim_asset_dst = $cs->criteria['ossim_asset_dst']->criteria;
$ossim_risk_a = $cs->criteria['ossim_risk_a']->criteria;
$tmp_meta = "";
/* Sensor */
if ($sensor != "" && $sensor != " ") {
$tmp_meta = $tmp_meta . " AND acid_event.device_id {$sensor_op} ( " . preg_replace("/^\\!/", "", $sensor) . " )";
} else {
$cs->criteria['sensor']->Set("");
}
/* Device */
if ($device != "") {
$_ip = bin2hex(inet_pton($device));
$tmp_meta .= " AND acid_event.device_id IN (SELECT id FROM device WHERE device_ip=UNHEX('" . $_ip . "'))";
}
/* Plugin */
if ($plugin != "" && $plugin != " ") {
if (preg_match("/(\\d+)\\-(\\d+)/", $plugin, $match)) {
$tmp_meta = $tmp_meta . " AND acid_event.plugin_id between " . $match[1] . " and " . $match[2];
} else {
$tmp_meta = $tmp_meta . " AND acid_event.plugin_id in (" . $plugin . ")";
}
$sfilter = true;
}
/* Plugin Group */
if ($plugingroup != "" && $plugingroup != " ") {
$pg_ids = QueryOssimPluginGroup($plugingroup);
if ($pg_ids != "") {
$tmp_meta = $tmp_meta . " AND ({$pg_ids}) ";
} else {
$tmp_meta = $tmp_meta . " AND (acid_event.plugin_id=-1 AND acid_event.plugin_sid=-1)";
}
$sfilter = true;
}
/* Network Group */
if ($networkgroup != "" && $networkgroup != " ") {
$ng_ids = QueryOssimNetworkGroup($networkgroup);
if ($ng_ids != "") {
$tmp_meta = $tmp_meta . " AND ({$ng_ids}) ";
$use_ac = false;
}
}
/* User Data */
//echo "User Data:$userdata";
$rpl = array('EQ' => '=', 'NE' => '!=', 'LT' => '<', 'LOE' => '<=', 'GT' => '>', 'GOE' => '>=');
if (trim($userdata[2]) != "") {
$q_like = $userdata[1] == 'like' ? TRUE : FALSE;
$_q = parenthesis_encode(escape_sql($userdata[2], $db->DB, $q_like));
$sql = "SELECT acid_event.*, HEX(acid_event.ctx) AS ctx, HEX(acid_event.src_host) AS src_host, \n HEX(acid_event.dst_host) AS dst_host, HEX(acid_event.src_net) AS src_net, \n HEX(acid_event.dst_net) AS dst_net,extra_data.* \n FROM acid_event";
$data_join_sql .= ",extra_data ";
$_nq = is_numeric($_q) ? $_q : "'" . $_q . "'";
$flt = "extra_data." . $userdata[0] . " " . strtr($userdata[1], $rpl) . " " . ($userdata[1] == "like" ? "'%" . $_q . "%'" : $_nq);
$tmp_meta .= " AND acid_event.id=extra_data.event_id AND ({$flt})";
$use_ac = FALSE;
}
/* IDM */
if (trim($idm_username[0]) != '' || trim($idm_domain[0]) != '') {
$data_join_sql .= ",idm_data ";
$tmp_meta .= " AND acid_event.id=idm_data.event_id";
$use_ac = FALSE;
}
if ($idm_username[0] != '') {
$_q = parenthesis_encode(escape_sql($idm_username[0], $db->DB));
if ($idm_username[1] == "both") {
$tmpcrit = "idm_data.username='******'";
} else {
$tmpcrit = "(idm_data.username='******' AND idm_data.from_src=" . ($idm_username[1] == "src" ? "1" : "0") . ")";
}
$tmp_meta .= " AND {$tmpcrit}";
}
if ($idm_domain[0] != '') {
$_q = parenthesis_encode(escape_sql($idm_domain[0], $db->DB));
if ($idm_domain[1] == "both") {
$tmpcrit = "idm_data.domain='" . $_q . "'";
} else {
$tmpcrit = "(idm_data.domain='" . $_q . "' AND idm_data.from_src=" . ($idm_domain[1] == "src" ? "1" : "0") . ")";
}
$tmp_meta .= " AND {$tmpcrit}";
}
if ($idm_hostname[0] != '') {
$_q = parenthesis_encode(escape_sql($idm_hostname[0], $db->DB));
if ($idm_hostname[1] == "both") {
$tmpcrit = "(acid_event.src_hostname='" . $_q . "' OR acid_event.dst_hostname='" . $_q . "')";
} else {
$tmpcrit = "acid_event." . $idm_hostname[1] . "_hostname='" . $_q . "'";
}
$tmp_meta .= " AND {$tmpcrit}";
$use_ac = FALSE;
}
/* OTX */
$otx_data = trim($otx[0]) != "" || trim($otx[1]) != "" ? true : false;
if ($otx_data) {
$data_join_sql .= ",otx_data";
$tmp_meta .= " AND acid_event.id=otx_data.event_id";
$use_ac = false;
}
# Pulse id
if (trim($otx[0]) != "") {
$tmp_meta .= " AND otx_data.pulse_id=unhex('" . $otx[0] . "')";
}
/* Reputation */
$rep_data = trim($rep[0]) != "" || trim($rep[1]) != "" ? true : false;
if ($rep_data) {
$data_join_sql .= ",reputation_data";
$tmp_meta .= " AND acid_event.id=reputation_data.event_id";
$use_ac = false;
}
# Reputation Activity
if (intval($rep[0])) {
$aname = GetActivityName(intval($rep[0]), $db);
$tmp_meta .= " AND (reputation_data.rep_act_src like '%" . str_replace("'", "\\'", $aname) . "%' OR reputation_data.rep_act_dst like '%" . str_replace("'", "\\'", $aname) . "%')";
}
# Reputation Severity
if (trim($rep[1]) != "") {
switch ($rep[1]) {
case "High":
$tmpcrit = "(reputation_data.rep_prio_src>6 OR reputation_data.rep_prio_dst>6)";
break;
case "Medium":
$tmpcrit = "(reputation_data.rep_prio_src in (3,4,5,6) OR reputation_data.rep_prio_dst in (3,4,5,6))";
break;
case "Low":
$tmpcrit = "(reputation_data.rep_prio_src in (0,1,2) OR reputation_data.rep_prio_dst in (0,1,2))";
break;
default:
$tmpcrit = "(reputation_data.rep_prio_src>0 OR reputation_data.rep_prio_dst>0)";
}
$tmp_meta .= " AND {$tmpcrit}";
}
/* Source Type */
if (trim($sourcetype) != "") {
$tmp_meta = $tmp_meta . " AND acid_event.plugin_id in (" . GetPluginListBySourceType($sourcetype) . ")";
}
/* Category */
if ($category[0] != 0) {
$sig_join = true;
$tmp_meta = $tmp_meta . GetPluginListByCategory($category);
}
/* Signature */
if (isset($sig[0]) && $sig[0] != " " && $sig[0] != "" && (isset($sig[1]) && $sig[1] != "")) {
if ($sig_type == 1) {
// sending sig[1]=plugin_id;plugin_sid
$sfilter = true;
$pidsid = preg_split("/[\\s;]+/", $sig[1]);
$tmp_meta = $tmp_meta . " AND (acid_event.plugin_id=" . intval($pidsid[0]) . " AND acid_event.plugin_sid=" . intval($pidsid[1]) . ")";
} else {
// free string
//$sig_join_tmp = QueryOssimSignatureTmpTable($sig[1], $sig[0], $sig[2]);
$sig_ids = QueryOssimSignature($sig[1], $sig[0], $sig[2], $db->DB);
$sig_join = true;
$tmp_meta = $tmp_meta . " AND ({$sig_ids})";
}
} else {
$cs->criteria['sig']->Set("");
}
/*
* OSSIM Code
*/
/* OSSIM Type */
if ($ossim_type[1] != " " && $ossim_type[1] != "" && $ossim_type[1] != "0") {
$tmp_meta = $tmp_meta . " AND acid_event.ossim_type = '" . $ossim_type[1] . "'";
$use_ac = false;
} else {
if ($ossim_type[1] == "0") {
$tmp_meta = $tmp_meta . " AND (acid_event.ossim_type is null OR acid_event.ossim_type = '0')";
$use_ac = false;
} else {
$cs->criteria['ossim_type']->Set("");
}
}
/* OSSIM Priority */
if ($ossim_priority[1] != " " && $ossim_priority[1] != "" && $ossim_priority[1] != "0") {
$tmp_meta = $tmp_meta . " AND acid_event.ossim_priority " . $ossim_priority[0] . " '" . $ossim_priority[1] . "'";
$use_ac = false;
} else {
if ($ossim_priority[1] == "0") {
$use_ac = false;
$tmp_meta = $ossim_priority[0] == "=" ? $tmp_meta . " AND (acid_event.ossim_priority is null OR acid_event.ossim_priority = '0')" : ($tmp_meta = $tmp_meta . " AND acid_event.ossim_priority " . $ossim_priority[0] . " '" . $ossim_priority[1] . "'");
} else {
$cs->criteria['ossim_priority']->Set("");
}
}
/* OSSIM Reliability */
if ($ossim_reliability[1] != " " && $ossim_reliability[1] != "" && $ossim_reliability[1] != "0") {
$tmp_meta = $tmp_meta . " AND acid_event.ossim_reliability " . $ossim_reliability[0] . " '" . $ossim_reliability[1] . "'";
$use_ac = false;
} else {
if ($ossim_reliability[1] == "0") {
$tmp_meta = $ossim_reliability[0] == "=" ? $tmp_meta . " AND (acid_event.ossim_reliability is null OR acid_event.ossim_reliability = '0')" : $tmp_meta . " AND acid_event.ossim_reliability " . $ossim_reliability[0] . " '" . $ossim_reliability[1] . "'";
$use_ac = false;
} else {
$cs->criteria['ossim_reliability']->Set("");
}
}
/* OSSIM Asset DST */
if ($ossim_asset_dst[1] != " " && $ossim_asset_dst[1] != "" && $ossim_asset_dst[1] != "0") {
$tmp_meta = $tmp_meta . " AND acid_event.ossim_asset_dst " . $ossim_asset_dst[0] . " '" . $ossim_asset_dst[1] . "'";
$use_ac = false;
} else {
if ($ossim_asset_dst[1] == "0") {
$tmp_meta = $ossim_asset_dst[0] == "=" ? $tmp_meta . " AND (acid_event.ossim_asset_dst is null OR acid_event.ossim_asset_dst = '0')" : $tmp_meta . " AND acid_event.ossim_asset_dst " . $ossim_asset_dst[0] . " '" . $ossim_asset_dst[1] . "'";
$use_ac = false;
} else {
$cs->criteria['ossim_asset_dst']->Set("");
}
}
/* OSSIM Risk A */
if ($ossim_risk_a != " " && $ossim_risk_a != "" && $ossim_risk_a != "0") {
if ($ossim_risk_a == "low") {
//$tmp_meta = $tmp_meta." AND ossim_risk_a >= 1 AND ossim_risk_a <= 4 ";
$tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a = 0 ";
$use_ac = false;
} else {
if ($ossim_risk_a == "medium") {
//$tmp_meta = $tmp_meta." AND ossim_risk_a >= 5 AND ossim_risk_a <= 7 ";
$tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a = 1 ";
$use_ac = false;
} else {
if ($ossim_risk_a == "high") {
//$tmp_meta = $tmp_meta." AND ossim_risk_a >= 8 AND ossim_risk_a <= 10 ";
$tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a > 1 ";
$use_ac = false;
}
}
}
} else {
$cs->criteria['ossim_risk_a']->Set("");
}
/* Date/Time */
$time_meta = "";
$real_time_meta = "";
DateTimeRows2sql($real_time, $time_cnt, $real_time_meta);
// Time without utc conversion
if (DateTimeRows2sql($time, $time_cnt, $time_meta) == 0) {
$cs->criteria['time']->SetFormItemCnt(0);
}
$criteria_sql = $criteria_sql . $tmp_meta;
$criteria_sql_ac .= $use_ac && !$sig_join ? preg_replace("/( \\d\\d):\\d\\d:\\d\\d/", "\\1:00:00", $tmp_meta) : preg_replace("/( \\d\\d):\\d\\d:\\d\\d/", "\\1:00:00", $time_meta);
$use_ac = time_can_use_ac($real_time) ? $use_ac : FALSE;
/* ********************** PERMS ************************ */
// Allowed CTX's y Asset Filter
$perms_sql = GetPerms();
$idfilter = !empty($perms_sql) ? true : false;
$criteria_sql .= $perms_sql;
$criteria_sql_ac .= $perms_sql;
/* Host ID */
$op = $hostid[3] != '' ? $hostid[3] : 'IN';
$and_or = $op == 'NOT IN' ? 'AND' : 'OR';
// src_host, dst_host fields
if ($hostid[0] != "") {
$hostwhere = "UNHEX('" . implode("',UNHEX('", explode(",", $hostid[0])) . "')";
if ($hostid[2] == "both") {
$criteria_sql .= " AND (acid_event.src_host {$op} ({$hostwhere}) {$and_or} acid_event.dst_host {$op} ({$hostwhere}))";
$criteria_sql_ac .= " AND (acid_event.src_host {$op} ({$hostwhere}) {$and_or} acid_event.dst_host {$op} ({$hostwhere}))";
} else {
$criteria_sql .= " AND acid_event." . $hostid[2] . "_host {$op} ({$hostwhere})";
$criteria_sql_ac .= " AND acid_event." . $hostid[2] . "_host {$op} ({$hostwhere})";
}
$idfilter = true;
}
/* Network ID */
// src_net, dst_net fields
if ($netid[0] != "") {
$netwhere = "UNHEX('" . implode("',UNHEX('", explode(",", $netid[0])) . "')";
if ($netid[2] == "both") {
$criteria_sql .= " AND (acid_event.src_net in ({$netwhere}) OR acid_event.dst_net in ({$netwhere}))";
$criteria_sql_ac .= " AND (acid_event.src_net in ({$netwhere}) OR acid_event.dst_net in ({$netwhere}))";
} else {
$criteria_sql .= " AND acid_event." . $netid[2] . "_host in ({$netwhere})";
$criteria_sql_ac .= " AND acid_event." . $netid[2] . "_host in ({$netwhere})";
}
$idfilter = true;
}
/* ********************** IP Criteria ********************************************** */
/* IP Addresses */
$ipfilter = false;
$tmp2 = "";
for ($i = 0; $i < $ip_addr_cnt; $i++) {
$tmp = "";
if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] != " " && $ip_addr[$i][1] != "") {
if ($ip_addr[$i][3] != "" && $ip_addr[$i][4] != "" && $ip_addr[$i][5] != "" && $ip_addr[$i][6] != "") {
/* if use illegal 256.256.256.256 address then
* this is the special case where need to search for portscans
*/
if ($ip_addr[$i][3] == "256" && $ip_addr[$i][4] == "256" && $ip_addr[$i][5] == "256" && $ip_addr[$i][6] == "256") {
$tmp = $tmp . " acid_event." . $ip_addr[$i][1] . " IS NULL" . " ";
} else {
if ($ip_addr[$i][10] == "") {
$tmp = $tmp . " acid_event." . $ip_addr[$i][1] . $ip_addr[$i][2] . "unhex('" . baseIP2hex($ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6]) . "') ";
} else {
$mask = getIPMask($ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6], $ip_addr[$i][10]);
if ($ip_addr[$i][2] == "!=") {
$tmp_op = " NOT ";
} else {
$tmp_op = "";
}
$tmp = $tmp . $tmp_op . " acid_event." . $ip_addr[$i][1] . ">= unhex('" . baseIP2hex($mask[0]) . "') AND acid_event." . $ip_addr[$i][1] . "<= unhex('" . baseIP2hex($mask[1]) . "')";
}
}
}
/* if have chosen the address type to be both source and destination */
if (preg_match("/ip_both/", $tmp)) {
$tmp_src = preg_replace("/ip_both/", "ip_src", $tmp);
$tmp_dst = preg_replace("/ip_both/", "ip_dst", $tmp);
if ($ip_addr[$i][2] == '=') {
$tmp = "(" . $tmp_src . ') OR (' . $tmp_dst . ')';
} else {
$tmp = "(" . $tmp_src . ') AND (' . $tmp_dst . ')';
}
}
$aux_op = $ip_addr_cnt > 0 ? $ip_addr[$i][9] == "AND" || $ip_addr[$i][9] == "OR" ? $ip_addr[$i][9] : "AND" : "";
if ($tmp != "") {
$tmp = $ip_addr[$i][0] . "(" . $tmp . ")" . $ip_addr[$i][8] . $aux_op;
}
} else {
if (isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" || $ip_addr[$i][1] != " " && $ip_addr[$i][1] != "") {
/* IP_addr_type, but MALFORMED IP address */
if ($ip_addr[$i][1] != " " && $ip_addr[$i][1] != "" && $ip_addr[$i][3] == "" && ($ip_addr[$i][4] != "" || $ip_addr[$i][5] != "" || $ip_addr[$i][6] != "")) {
ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Invalid IP address criteria") . " ' *." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . " '");
}
/* ADDRESS, but NO IP_addr_type was given */
if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] == " " && $ip_addr[$i][1] == "") {
ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("A IP address of") . " '" . $ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . "' " . gettext("was entered for as a criteria value, but the type of address (e.g. source, destination) was not specified."));
}
/* IP_addr_type IS FILLED, but no ADDRESS */
if ($ip_addr[$i][1] != " " && $ip_addr[$i][1] != "" && $ip_addr[$i][1] != "" && $ip_addr[$i][3] == "") {
ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("An IP address of type") . " '" . $ip_addr[$i][1] . "' " . gettext("was selected (at #") . $i . ") " . gettext("indicating that an IP address should be a criteria, but no address on which to match was specified."));
}
}
}
$tmp2 = $tmp2 . $tmp;
if ($i > 0 && ($ip_addr[$i - 1][9] != 'OR' && $ip_addr[$i - 1][9] != 'AND') && $ip_addr[$i - 1][3] != "") {
ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Multiple IP address criteria entered without a boolean operator (e.g. AND, OR) between IP Criteria") . " #{$i} and #" . ($i + 1) . ".");
}
}
if ($tmp2 != "") {
BalanceBrackets($tmp2);
$criteria_sql = $criteria_sql . " AND ( " . $tmp2 . " )";
$ipfilter = true;
//$use_ac = false;
} else {
$cs->criteria['ip_addr']->SetFormItemCnt(0);
}
/* IP Fields */
if (FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql) == 0) {
$cs->criteria['ip_field']->SetFormItemCnt(0);
} else {
$use_ac = false;
}
/* CTX */
if ($ctx != "") {
$criteria_sql .= " AND acid_event.ctx = UNHEX('{$ctx}')";
$criteria_sql_ac .= " AND acid_event.ctx = UNHEX('{$ctx}')";
}
/* Layer-4 encapsulation */
if ($layer4 == "TCP") {
$criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '6'";
$use_ac = false;
} else {
if ($layer4 == "UDP") {
$criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '17'";
$use_ac = false;
} else {
if ($layer4 == "ICMP") {
$criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '1'";
$use_ac = false;
} else {
if ($layer4 == "RawIP") {
$criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '255'";
$use_ac = false;
} else {
$cs->criteria['layer4']->Set("");
}
}
}
}
/* Join the iphdr table if necessary */
if (!$cs->criteria['ip_field']->isEmpty()) {
$join_sql = $ip_join_sql . $join_sql;
}
/* ********************** TCP Criteria ********************************************** */
if ($layer4 == "TCP") {
$proto_tmp = "";
/* TCP Ports */
if (FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp) == 0) {
$cs->criteria['tcp_port']->SetFormItemCnt(0);
}
$criteria_sql = $criteria_sql . $proto_tmp;
$proto_tmp = "";
// ****************** DEPRECATED: TCP Flags TCP Fields ********************
/* TCP Flags */
/*
if (isset($tcp_flags) && sizeof($tcp_flags) == 8) {
if ($tcp_flags[0] == "contains" || $tcp_flags[0] == "is") {
$flag_tmp = $tcp_flags[1] + $tcp_flags[2] + $tcp_flags[3] + $tcp_flags[4] + $tcp_flags[5] + $tcp_flags[6] + $tcp_flags[7] + $tcp_flags[8];
if ($tcp_flags[0] == "is") $proto_tmp = $proto_tmp . ' AND tcp_flags=' . $flag_tmp;
else if ($tcp_flags[0] == "contains") $proto_tmp = $proto_tmp . ' AND (tcp_flags & ' . $flag_tmp . ' = ' . $flag_tmp . " )";
else $proto_tmp = "";
}
}
*/
/* TCP Fields */
//if (FieldRows2sql($tcp_field, $tcp_field_cnt, $proto_tmp) == 0) $cs->criteria['tcp_field']->SetFormItemCnt(0);
/* TCP Options
* - not implemented
*/
//if (!$cs->criteria['tcp_port']->isEmpty() || !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty()) {
//************************************************************************
if (!$cs->criteria['tcp_port']->isEmpty()) {
$criteria_sql = $criteria_sql . $proto_tmp;
// DEPRECATED tcp_join_sql
//if (!$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty()) $join_sql = $tcp_join_sql . $join_sql;
}
}
/* ********************** UDP Criteria ********************************************* */
if ($layer4 == "UDP") {
$proto_tmp = "";
/* UDP Ports */
if (FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp) == 0) {
$cs->criteria['udp_port']->SetFormItemCnt(0);
}
$criteria_sql = $criteria_sql . $proto_tmp;
$proto_tmp = "";
// ********************** DEPRECATED UDP Fields *************************
/* UDP Fields */
//if (FieldRows2sql($udp_field, $udp_field_cnt, $proto_tmp) == 0) $cs->criteria['udp_field']->SetFormItemCnt(0);
//if (!$cs->criteria['udp_port']->isEmpty() || !$cs->criteria['udp_field']->isEmpty()) {
// **********************************************************************
if (!$cs->criteria['udp_port']->isEmpty()) {
$criteria_sql = $criteria_sql . $proto_tmp;
// DEPRECATED udp_join_sql
//if (!$cs->criteria['udp_field']->isEmpty()) $join_sql = $udp_join_sql . $join_sql;
}
}
// DEPRECATED: ICMP
/* ********************** ICMP Criteria ******************************************** */
/*
if ($layer4 == "ICMP") {
$proto_tmp = "";
// ICMP Fields
if (FieldRows2sql($icmp_field, $icmp_field_cnt, $proto_tmp) == 0) $cs->criteria['icmp_field']->SetFormItemCnt(0);
if (!$cs->criteria['icmp_field']->isEmpty()) {
$criteria_sql = $criteria_sql . $proto_tmp;
$join_sql = $icmp_join_sql . $join_sql;
}
}
*/
/* ********************** Packet Scan Criteria ************************************* */
if ($layer4 == "RawIP") {
$proto_tmp = "";
/* RawIP Fields */
if (FieldRows2sql($rawip_field, $rawip_field_cnt, $proto_tmp) == 0) {
$cs->criteria['rawip_field']->SetFormItemCnt(0);
}
if (!$cs->criteria['rawip_field']->isEmpty()) {
$criteria_sql = $criteria_sql . $proto_tmp;
$join_sql = $rawip_join_sql . $join_sql;
}
}
/* ********************** Payload Criteria ***************************************** */
//$tmp_payload = "";
if (DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload, $db->DB) == 0) {
$cs->criteria['data']->SetFormItemCnt(0);
} else {
$use_ac = false;
}
//echo "<br><br><br>";
//print_r($data);
//print_r("data_cnt: [".$data_cnt."]");
//print_r($cs->criteria['data']->isEmpty());
//print_r("criteria_ sql: [".$criteria_sql."]");
//print_r("tmp_payload: [".$tmp_payload."]");
//print_r($data);
if (!$cs->criteria['data']->isEmpty()) {
$sql = "SELECT acid_event.*, HEX(acid_event.ctx) AS ctx, HEX(acid_event.src_host) AS src_host, HEX(acid_event.dst_host) AS dst_host, HEX(acid_event.src_net) AS src_net, HEX(acid_event.dst_net) AS dst_net, extra_data.* FROM acid_event";
if (!preg_match("/extra_data/", $data_join_sql)) {
$data_join_sql .= ",extra_data ";
}
$criteria_sql = $criteria_sql . $tmp_payload;
$use_ac = false;
}
if ($sig_join) {
$join_sql = $join_sql . $sig_join_sql;
}
$join_sql = $join_sql . $data_join_sql;
$csql[0] = $join_sql;
// special distinct for idm_username
if ($otx_data || preg_match("/idm_data/", $join_sql)) {
$sql = preg_replace("/^SELECT/", "SELECT DISTINCT", $sql);
}
// Ready to ac_acid_event
//$criteria1_sql = $criteria_sql . preg_replace("/ \d\d:\d\d:\d\d/","",str_replace("timestamp","day",$real_time_meta));
$criteria1_sql = $criteria_sql . $real_time_meta;
$criteria1_sql = preg_replace("/AND\\s+\\)/", " )", preg_replace("/OR\\s+\\)/", " )", $criteria1_sql));
// Ready to ac_acid_event next day
//$criteria2_sql = $criteria_sql . preg_replace("/ \d\d:\d\d:\d\d/","",str_replace("timestamp","day",$time_meta));
$criteria2_sql = $criteria_sql . $time_meta;
$criteria2_sql = preg_replace("/AND\\s+\\)/", " )", preg_replace("/OR\\s+\\)/", " )", $criteria2_sql));
// to acid_event
$criteria_sql = $criteria_sql . $time_meta;
$criteria_sql = preg_replace("/AND\\s+\\)/", " )", preg_replace("/OR\\s+\\)/", " )", $criteria_sql));
$csql[1] = $criteria_sql;
//$csql[2] = $perms_sql . preg_replace("/ \d\d:\d\d:\d\d/","",str_replace("timestamp","day",$time_meta)); // $real_time_criteria
$csql[2] = $perms_sql . $time_meta;
$csql[3] = $use_ac;
// true if we use ac_acid_event instead acid_event
$csql[4] = $criteria1_sql;
$csql[5] = $criteria2_sql;
$csql[6] = $sfilter;
$csql[7] = $ipfilter;
$csql[8] = $idfilter;
$csql[9] = $criteria_sql_ac;
//print_r($csql);
return $csql;
}
function ProcessCriteria()
{
global $db, $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode, $caller, $DBtype;
/* XXX-SEC */
global $cs, $timetz;
/* the JOIN criteria */
$ip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid ";
$tcp_join_sql = " LEFT JOIN tcphdr ON acid_event.sid=tcphdr.sid AND acid_event.cid=tcphdr.cid ";
$udp_join_sql = " LEFT JOIN udphdr ON acid_event.sid=udphdr.sid AND acid_event.cid=udphdr.cid ";
$icmp_join_sql = " LEFT JOIN icmphdr ON acid_event.sid=icmphdr.sid AND acid_event.cid=icmphdr.cid ";
$rawip_join_sql = " LEFT JOIN iphdr ON acid_event.sid=iphdr.sid AND acid_event.cid=iphdr.cid ";
$sig_join_sql = " LEFT JOIN ossim.plugin_sid ON acid_event.plugin_id=plugin_sid.plugin_id AND acid_event.plugin_sid=plugin_sid.sid ";
$sig_join = false;
//$data_join_sql = " LEFT JOIN extra_data ON acid_event.sid=extra_data.sid AND acid_event.cid=extra_data.cid ";
$data_join_sql = "";
$ag_join_sql = " LEFT JOIN acid_ag_alert ON acid_event.sid=acid_ag_alert.ag_sid AND acid_event.cid=acid_ag_alert.ag_cid ";
//$sig_join_sql = "";
//$sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.*,extra_data.userdata1,extra_data.userdata2,extra_data.userdata3,extra_data.userdata4,extra_data.userdata5,extra_data.userdata6,extra_data.userdata7,extra_data.userdata8,extra_data.userdata9,extra_data.username,extra_data.password,extra_data.filename FROM acid_event";
$sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.* FROM acid_event";
// This needs to be examined!!! -- Kevin
$where_sql = " WHERE ";
//$where_sql = "";
// $criteria_sql = " acid_event.sid > 0";
// Initially show last 24hours events
if ($_GET['time_range'] == "") {
$criteria_sql = " ( timestamp >='" . gmdate("Y-m-d", $timetz) . "' ) ";
} else {
$criteria_sql = " 1 ";
}
//$criteria_sql = " ( timestamp <= CURDATE() ) ";
//$criteria_sql = " 1 ";
$join_sql = "";
/* ********************** Meta Criteria ******************************************** */
$sig = $cs->criteria['sig']->criteria;
$sig_type = $cs->criteria['sig']->sig_type;
$sig_class = $cs->criteria['sig_class']->criteria;
$sig_priority = $cs->criteria['sig_priority']->criteria;
$ag = $cs->criteria['ag']->criteria;
$sensor = $cs->criteria['sensor']->criteria;
$plugin = $cs->criteria['plugin']->criteria;
$plugingroup = $cs->criteria['plugingroup']->criteria;
$networkgroup = $cs->criteria['networkgroup']->criteria;
$userdata = $cs->criteria['userdata']->criteria;
$sourcetype = $cs->criteria['sourcetype']->criteria;
$category = $cs->criteria['category']->criteria;
$time = $cs->criteria['time']->GetUTC();
//$cs->criteria['time']->criteria;
//print_r($time);print_r($cs->criteria['time']->criteria);
$time_cnt = $cs->criteria['time']->GetFormItemCnt();
$ip_addr = $cs->criteria['ip_addr']->criteria;
$ip_addr_cnt = $cs->criteria['ip_addr']->GetFormItemCnt();
$layer4 = $cs->criteria['layer4']->criteria;
$ip_field = $cs->criteria['ip_field']->criteria;
$ip_field_cnt = $cs->criteria['ip_field']->GetFormItemCnt();
$tcp_port = $cs->criteria['tcp_port']->criteria;
$tcp_port_cnt = $cs->criteria['tcp_port']->GetFormItemCnt();
$tcp_flags = $cs->criteria['tcp_flags']->criteria;
$tcp_field = $cs->criteria['tcp_field']->criteria;
$tcp_field_cnt = $cs->criteria['tcp_field']->GetFormItemCnt();
$udp_port = $cs->criteria['udp_port']->criteria;
$udp_port_cnt = $cs->criteria['udp_port']->GetFormItemCnt();
$udp_field = $cs->criteria['udp_field']->criteria;
$udp_field_cnt = $cs->criteria['udp_field']->GetFormItemCnt();
$icmp_field = $cs->criteria['icmp_field']->criteria;
$icmp_field_cnt = $cs->criteria['icmp_field']->GetFormItemCnt();
$rawip_field = $cs->criteria['rawip_field']->criteria;
$rawip_field_cnt = $cs->criteria['rawip_field']->GetFormItemCnt();
$data = $cs->criteria['data']->criteria;
$data_cnt = $cs->criteria['data']->GetFormItemCnt();
$cs->criteria['data']->data_encode;
//$data_encode[0] = "ascii"; $data_encode[1] = "hex";
/* OSSIM */
$ossim_type = $cs->criteria['ossim_type']->criteria;
$ossim_priority = $cs->criteria['ossim_priority']->criteria;
$ossim_reliability = $cs->criteria['ossim_reliability']->criteria;
$ossim_asset_dst = $cs->criteria['ossim_asset_dst']->criteria;
$ossim_risk_a = $cs->criteria['ossim_risk_a']->criteria;
$tmp_meta = "";
/* Sensor */
if ($sensor != "" && $sensor != " ") {
$tmp_meta = $tmp_meta . " AND acid_event.sid in (" . $sensor . ")";
} else {
$cs->criteria['sensor']->Set("");
// Filter by user perms if no criteria
if (Session::allowedSensors() != "") {
$user_sensors = explode(",", Session::allowedSensors());
$snortsensors = GetSensorSids($db);
$sensor_str = "";
foreach ($user_sensors as $user_sensor) {
if (count($snortsensors[$user_sensor]) > 0) {
$sensor_str .= $sensor_str != "" ? "," . implode(",", $snortsensors[$user_sensor]) : implode(",", $snortsensors[$user_sensor]);
}
}
if ($sensor_str == "") {
$sensor_str = "0";
}
$tmp_meta .= " AND acid_event.sid in (" . $sensor_str . ")";
}
}
/* Plugin */
if ($plugin != "" && $plugin != " ") {
$tmp_meta = $tmp_meta . " AND acid_event.plugin_id in (" . $plugin . ")";
}
/* Plugin Group */
if ($plugingroup != "" && $plugingroup != " ") {
$pg_ids = QueryOssimPluginGroup($plugingroup);
if ($pg_ids != "") {
$tmp_meta = $tmp_meta . " AND ({$pg_ids}) ";
} else {
$tmp_meta = $tmp_meta . " AND (acid_event.plugin_id=-1 AND acid_event.plugin_sid=-1)";
}
}
/* Network Group */
if ($networkgroup != "" && $networkgroup != " ") {
$ng_ids = QueryOssimNetworkGroup($networkgroup);
if ($ng_ids != "") {
$tmp_meta = $tmp_meta . " AND ({$ng_ids}) ";
}
}
/* User Data */
//print_r($_SESSION);
//echo "User Data:$userdata";
if (trim($userdata[2]) != "") {
$sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.*,extra_data.* FROM acid_event";
$data_join_sql = ",extra_data ";
$flt = "extra_data." . $userdata[0] . " " . $userdata[1] . " " . ($userdata[1] == "like" ? "'%" . str_replace("'", "\\'", $userdata[2]) . "%'" : "'" . $userdata[2] . "'");
$tmp_meta .= " AND acid_event.sid=extra_data.sid AND acid_event.cid=extra_data.cid AND ({$flt})";
}
/* Source Type */
if (trim($sourcetype) != "") {
$tmp_meta = $tmp_meta . " AND acid_event.plugin_id in (" . GetPluginListBySourceType($sourcetype) . ")";
}
/* Category */
if ($category[0] != 0) {
$sig_join = true;
$tmp_meta = $tmp_meta . GetPluginListByCategory($category);
}
/* Alert Group */
if ($ag != "" && $ag != " ") {
$tmp_meta = $tmp_meta . " AND ag_id =" . $ag;
$join_sql = $join_sql . $ag_join_sql;
} else {
$cs->criteria['ag']->Set("");
}
/* Signature */
if (isset($sig[0]) && $sig[0] != " " && $sig[0] != "" && (isset($sig[1]) && $sig[1] != "")) {
if ($sig_type == 1) {
// sending sig[1]=plugin_id;plugin_sid
$pidsid = preg_split("/[\\s;]+/", $sig[1]);
$tmp_meta = $tmp_meta . " AND (acid_event.plugin_id=" . intval($pidsid[0]) . " AND acid_event.plugin_sid=" . intval($pidsid[1]) . ")";
} else {
// free string
$sig_ids = QueryOssimSignature($sig[1], $sig[0], $sig[2]);
$sig_join = true;
$tmp_meta = $tmp_meta . " AND ({$sig_ids})";
//if ($sig_ids != "")
// $tmp_meta = $tmp_meta . " AND ($sig_ids) ";
//else
// $tmp_meta = $tmp_meta." AND (plugin_id=-1 AND plugin_sid=-1)";
}
} else {
$cs->criteria['sig']->Set("");
}
/* Signature Classification
if ($sig_class != " " && $sig_class != "" && $sig_class != "0") {
$tmp_meta = $tmp_meta . " AND sig_class_id = '" . $sig_class . "'";
} else if ($sig_class == "0") {
$tmp_meta = $tmp_meta . " AND (sig_class_id is null OR sig_class_id = '0')";
} else $cs->criteria['sig_class']->Set(""); */
/* Signature Priority
if ($sig_priority[1] != " " && $sig_priority[1] != "" && $sig_priority[1] != "0") {
$tmp_meta = $tmp_meta . " AND sig_priority " . $sig_priority[0] . " '" . $sig_priority[1] . "'";
} else if ($sig_priority[1] == "0") {
$tmp_meta = $tmp_meta . " AND (sig_priority is null OR sig_priority = '0')";
} else $cs->criteria['sig_priority']->Set("");*/
/* Date/Time
if ( DateTimeRows2sql($time, $time_cnt, $tmp_meta) == 0 )
$cs->criteria['time']->SetFormItemCnt(0); */
/*
* OSSIM Code
*/
/* OSSIM Type */
if ($ossim_type[1] != " " && $ossim_type[1] != "" && $ossim_type[1] != "0") {
$tmp_meta = $tmp_meta . " AND acid_event.ossim_type = '" . $ossim_type[1] . "'";
} else {
if ($ossim_type[1] == "0") {
$tmp_meta = $tmp_meta . " AND (acid_event.ossim_type is null OR acid_event.ossim_type = '0')";
} else {
$cs->criteria['ossim_type']->Set("");
}
}
/* OSSIM Priority */
if ($ossim_priority[1] != " " && $ossim_priority[1] != "" && $ossim_priority[1] != "0") {
$tmp_meta = $tmp_meta . " AND acid_event.ossim_priority " . $ossim_priority[0] . " '" . $ossim_priority[1] . "'";
} else {
if ($ossim_priority[1] == "0") {
$tmp_meta = $tmp_meta . " AND (acid_event.ossim_priority is null OR acid_event.ossim_priority = '0')";
} else {
$cs->criteria['ossim_priority']->Set("");
}
}
/* OSSIM Reliability */
if ($ossim_reliability[1] != " " && $ossim_reliability[1] != "" && $ossim_reliability[1] != "0") {
$tmp_meta = $tmp_meta . " AND acid_event.ossim_reliability " . $ossim_reliability[0] . " '" . $ossim_reliability[1] . "'";
} else {
if ($ossim_reliability[1] == "0") {
$tmp_meta = $tmp_meta . " AND (acid_event.ossim_reliability is null OR acid_event.ossim_reliability = '0')";
} else {
$cs->criteria['ossim_reliability']->Set("");
}
}
/* OSSIM Asset DST */
if ($ossim_asset_dst[1] != " " && $ossim_asset_dst[1] != "" && $ossim_asset_dst[1] != "0") {
$tmp_meta = $tmp_meta . " AND acid_event.ossim_asset_dst " . $ossim_asset_dst[0] . " '" . $ossim_asset_dst[1] . "'";
} else {
if ($ossim_asset_dst[1] == "0") {
$tmp_meta = $tmp_meta . " AND (acid_event.ossim_asset_dst is null OR acid_event.ossim_asset_dst = '0')";
} else {
$cs->criteria['ossim_asset_dst']->Set("");
}
}
/* OSSIM Risk A */
if ($ossim_risk_a != " " && $ossim_risk_a != "" && $ossim_risk_a != "0") {
if ($ossim_risk_a == "low") {
//$tmp_meta = $tmp_meta." AND ossim_risk_a >= 1 AND ossim_risk_a <= 4 ";
$tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a < 1 ";
} else {
if ($ossim_risk_a == "medium") {
//$tmp_meta = $tmp_meta." AND ossim_risk_a >= 5 AND ossim_risk_a <= 7 ";
$tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a = 1 ";
} else {
if ($ossim_risk_a == "high") {
//$tmp_meta = $tmp_meta." AND ossim_risk_a >= 8 AND ossim_risk_a <= 10 ";
$tmp_meta = $tmp_meta . " AND acid_event.ossim_risk_a > 1 ";
}
}
}
} else {
$cs->criteria['ossim_risk_a']->Set("");
}
/* Date/Time */
if (DateTimeRows2sql($time, $time_cnt, $tmp_meta) == 0) {
$cs->criteria['time']->SetFormItemCnt(0);
}
$criteria_sql = $criteria_sql . $tmp_meta;
/* ********************** IP Criteria ********************************************** */
/* IP Addresses */
$tmp2 = "";
for ($i = 0; $i < $ip_addr_cnt; $i++) {
$tmp = "";
if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] != " ") {
if ($ip_addr[$i][3] != "" && $ip_addr[$i][4] != "" && $ip_addr[$i][5] != "" && $ip_addr[$i][6] != "") {
/* if use illegal 256.256.256.256 address then
* this is the special case where need to search for portscans
*/
if ($ip_addr[$i][3] == "256" && $ip_addr[$i][4] == "256" && $ip_addr[$i][5] == "256" && $ip_addr[$i][6] == "256") {
$tmp = $tmp . " acid_event." . $ip_addr[$i][1] . " IS NULL" . " ";
} else {
if ($ip_addr[$i][10] == "") {
$tmp = $tmp . " acid_event." . $ip_addr[$i][1] . $ip_addr[$i][2] . "'" . baseIP2long($ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6]) . "' ";
} else {
$mask = getIPMask($ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6], $ip_addr[$i][10]);
if ($ip_addr[$i][2] == "!=") {
$tmp_op = " NOT ";
} else {
$tmp_op = "";
}
$tmp = $tmp . $tmp_op . " (acid_event." . $ip_addr[$i][1] . ">= '" . baseIP2long($mask[0]) . "' AND " . "acid_event." . $ip_addr[$i][1] . "<= '" . baseIP2long($mask[1]) . "')";
}
}
}
/* if have chosen the address type to be both source and destination */
if (ereg("ip_both", $tmp)) {
$tmp_src = ereg_replace("ip_both", "ip_src", $tmp);
$tmp_dst = ereg_replace("ip_both", "ip_dst", $tmp);
if ($ip_addr[$i][2] == '=') {
$tmp = "(" . $tmp_src . ') OR (' . $tmp_dst . ')';
} else {
$tmp = "(" . $tmp_src . ') AND (' . $tmp_dst . ')';
}
}
if ($tmp != "") {
$tmp = $ip_addr[$i][0] . "(" . $tmp . ")" . $ip_addr[$i][8] . $ip_addr[$i][9];
}
} else {
if (isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" || $ip_addr[$i][1] != " ") {
/* IP_addr_type, but MALFORMED IP address */
if ($ip_addr[$i][1] != " " && $ip_addr[$i][3] == "" && ($ip_addr[$i][4] != "" || $ip_addr[$i][5] != "" || $ip_addr[$i][6] != "")) {
ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Invalid IP address criteria") . " ' *." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . " '");
}
/* ADDRESS, but NO IP_addr_type was given */
if (isset($ip_addr[$i][3]) && $ip_addr[$i][1] == " ") {
ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("A IP address of") . " '" . $ip_addr[$i][3] . "." . $ip_addr[$i][4] . "." . $ip_addr[$i][5] . "." . $ip_addr[$i][6] . "' " . gettext("was entered for as a criteria value, but the type of address (e.g. source, destination) was not specified."));
}
/* IP_addr_type IS FILLED, but no ADDRESS */
if ($ip_addr[$i][1] != " " && $ip_addr[$i][1] != "" && $ip_addr[$i][3] == "") {
ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("An IP address of type") . " '" . $ip_addr[$i][1] . "' " . gettext("was selected (at #") . $i . ") " . gettext("indicating that an IP address should be a criteria, but no address on which to match was specified."));
}
}
}
$tmp2 = $tmp2 . $tmp;
if ($i > 0 && $ip_addr[$i - 1][9] == ' ' && $ip_addr[$i - 1][3] != "") {
ErrorMessage("<B>" . gettext("Criteria warning:") . "</B> " . gettext("Multiple IP address criteria entered without a boolean operator (e.g. AND, OR) between IP Criteria") . " #{$i} and #" . ($i + 1) . ".");
}
}
if ($tmp2 != "") {
$criteria_sql = $criteria_sql . " AND ( " . $tmp2 . " )";
} else {
$cs->criteria['ip_addr']->SetFormItemCnt(0);
}
/* IP Fields */
if (FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql) == 0) {
$cs->criteria['ip_field']->SetFormItemCnt(0);
}
/* Layer-4 encapsulation */
if ($layer4 == "TCP") {
$criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '6'";
} else {
if ($layer4 == "UDP") {
$criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '17'";
} else {
if ($layer4 == "ICMP") {
$criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '1'";
} else {
if ($layer4 == "RawIP") {
$criteria_sql = $criteria_sql . " AND acid_event.ip_proto= '255'";
} else {
$cs->criteria['layer4']->Set("");
}
}
}
}
/* Join the iphdr table if necessary */
if (!$cs->criteria['ip_field']->isEmpty()) {
$join_sql = $ip_join_sql . $join_sql;
}
/* ********************** TCP Criteria ********************************************** */
if ($layer4 == "TCP") {
$proto_tmp = "";
/* TCP Ports */
if (FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp) == 0) {
$cs->criteria['tcp_port']->SetFormItemCnt(0);
}
$criteria_sql = $criteria_sql . $proto_tmp;
$proto_tmp = "";
/* TCP Flags */
if (isset($tcp_flags) && sizeof($tcp_flags) == 8) {
if ($tcp_flags[0] == "contains" || $tcp_flags[0] == "is") {
$flag_tmp = $tcp_flags[1] + $tcp_flags[2] + $tcp_flags[3] + $tcp_flags[4] + $tcp_flags[5] + $tcp_flags[6] + $tcp_flags[7] + $tcp_flags[8];
if ($tcp_flags[0] == "is") {
$proto_tmp = $proto_tmp . ' AND tcp_flags=' . $flag_tmp;
} else {
if ($tcp_flags[0] == "contains") {
$proto_tmp = $proto_tmp . ' AND (tcp_flags & ' . $flag_tmp . ' = ' . $flag_tmp . " )";
} else {
$proto_tmp = "";
}
}
}
}
/* TCP Fields */
if (FieldRows2sql($tcp_field, $tcp_field_cnt, $proto_tmp) == 0) {
$cs->criteria['tcp_field']->SetFormItemCnt(0);
}
/* TCP Options
* - not implemented
*/
if (!$cs->criteria['tcp_port']->isEmpty() || !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty()) {
$criteria_sql = $criteria_sql . $proto_tmp;
if (!$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty()) {
$join_sql = $tcp_join_sql . $join_sql;
}
}
}
/* ********************** UDP Criteria ********************************************* */
if ($layer4 == "UDP") {
$proto_tmp = "";
/* UDP Ports */
if (FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp) == 0) {
$cs->criteria['udp_port']->SetFormItemCnt(0);
}
$criteria_sql = $criteria_sql . $proto_tmp;
$proto_tmp = "";
/* UDP Fields */
if (FieldRows2sql($udp_field, $udp_field_cnt, $proto_tmp) == 0) {
$cs->criteria['udp_field']->SetFormItemCnt(0);
}
if (!$cs->criteria['udp_port']->isEmpty() || !$cs->criteria['udp_field']->isEmpty()) {
$criteria_sql = $criteria_sql . $proto_tmp;
if (!$cs->criteria['udp_field']->isEmpty()) {
$join_sql = $udp_join_sql . $join_sql;
}
}
}
/* ********************** ICMP Criteria ******************************************** */
if ($layer4 == "ICMP") {
$proto_tmp = "";
/* ICMP Fields */
if (FieldRows2sql($icmp_field, $icmp_field_cnt, $proto_tmp) == 0) {
$cs->criteria['icmp_field']->SetFormItemCnt(0);
}
if (!$cs->criteria['icmp_field']->isEmpty()) {
$criteria_sql = $criteria_sql . $proto_tmp;
$join_sql = $icmp_join_sql . $join_sql;
}
}
/* ********************** Packet Scan Criteria ************************************* */
if ($layer4 == "RawIP") {
$proto_tmp = "";
/* RawIP Fields */
if (FieldRows2sql($rawip_field, $rawip_field_cnt, $proto_tmp) == 0) {
$cs->criteria['rawip_field']->SetFormItemCnt(0);
}
if (!$cs->criteria['rawip_field']->isEmpty()) {
$criteria_sql = $criteria_sql . $proto_tmp;
$join_sql = $rawip_join_sql . $join_sql;
}
}
/* ********************** Payload Criteria ***************************************** */
//$tmp_payload = "";
if (DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload) == 0) {
$cs->criteria['data']->SetFormItemCnt(0);
}
//echo "<br><br><br>";
//print_r($data);
//print_r("data_cnt: [".$data_cnt."]");
//print_r($cs->criteria['data']->isEmpty());
//print_r("criteria_ sql: [".$criteria_sql."]");
//print_r("tmp_payload: [".$tmp_payload."]");
if (!$cs->criteria['data']->isEmpty()) {
$sql = "SELECT SQL_CALC_FOUND_ROWS acid_event.*,extra_data.* FROM acid_event";
$data_join_sql = ",extra_data ";
$criteria_sql = $criteria_sql . $tmp_payload;
}
if ($sig_join) {
$join_sql = $join_sql . $sig_join_sql;
}
$join_sql = $join_sql . $data_join_sql;
$csql[0] = $join_sql;
$criteria_sql = preg_replace("/AND\\s+\\)/", " )", preg_replace("/OR\\s+\\)/", " )", $criteria_sql));
$csql[1] = $criteria_sql;
//print_r($csql);
return $csql;
}