while (!$rs->EOF) {
$_sip = inet_ntop($rs->fields["sensor_ip"]);
$_dev = $rs->fields["id"];
$_sid = $rs->fields["sensor_id"];
if (Session::sensorAllowed($_sid)) {
$device_ip[$_dev] = $_sip;
$ip_device[$_sip][$_dev] = $_dev;
$ip_name[$_sip] = $rs->fields["name"];
$dev_perms[] = $_dev;
}
$rs->MoveNext();
}
// Allowed Sensors filter
$criteria_sql = "WHERE plugin.id=acid_event.plugin_id AND device_id IN ('" . implode("','", $dev_perms) . "')";
//$query_where
$query_where = Security_report::make_where($conn, '', '', array(), array());
$query_where = preg_replace('/AND \\(timestamp.*/', '', $query_where);
$query = "SELECT DISTINCT device_id, plugin_id, name, sum( acid_event.cnt ) as event_cnt FROM alienvault.plugin, alienvault_siem.ac_acid_event as acid_event {$criteria_sql} {$query_where} GROUP BY device_id, plugin_id ORDER BY event_cnt DESC";
//print_r($query);
if (!($rs =& $conn->Execute($query))) {
print $conn->ErrorMsg();
exit;
}
$s = 0;
$p = 0;
$data = array();
$already_plugin = array();
$already_sensor = array();
$plugin_ids = array();
$header = array();
while (!$rs->EOF) {
} else {
while (!$rg->EOF) {
$data[] = $rg->fields["num_events"];
$name = Util::signaturefilter($rg->fields["name"]);
$label[] = $name;
$link = Menu::get_menu_url("/ossim/alarm/alarm_console.php?num_alarms_page=50&hmenu=Alarms&smenu=Alarms&hide_closed=1&query=" . $rg->fields["name"], 'analysis', 'alarms');
$links[] = $link;
$rg->MoveNext();
}
}
$hide_x_axis = TRUE;
$colors = get_widget_colors(count($data));
break;
case "events":
//Filters of assets.
$query_where = Security_report::make_where($conn, '', '', array(), $assets_filters, '', '', false);
//Limit of alarms to show in the widget.
$limit = $chart_info['top'] != '' ? $chart_info['top'] : 5;
//Sql Query
$sqlgraph = "SELECT sum( acid_event.cnt ) as num_events, p.name, p.plugin_id, p.sid from alienvault_siem.ac_acid_event as acid_event, alienvault.plugin_sid p WHERE p.plugin_id=acid_event.plugin_id AND p.sid=acid_event.plugin_sid {$query_where} group by p.name order by num_events desc limit {$limit}";
$rg = $conn->CacheExecute($sqlgraph);
if (!$rg) {
print $conn->ErrorMsg();
} else {
while (!$rg->EOF) {
$data[] = $rg->fields["num_events"];
$name = Util::signaturefilter($rg->fields["name"]);
$label[] = $name;
$link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=all&submit=Query+DB&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D=" . $rg->fields["plugin_id"] . "%3B" . $rg->fields["sid"] . "&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');
$links[] = $link;
$rg->MoveNext();
/* hosts to show */
if (empty($limit)) {
$limit = 11;
}
if (empty($type)) {
$type = "event";
}
if (!$type == "event") {
if ($target == "ip_dst") {
$target = "dst_ip";
}
if ($target == "ip_src") {
$target = "src_ip";
}
}
$security_report = new Security_report();
if (!strcmp($target, "ip_src") || !strcmp($target, "src_ip")) {
$title = _("TOP ATTACKER");
$sufix = "er";
$color = "#FF0000";
//$color = "navy";
//$color2 = "lightsteelblue";
$titlecolor = "darkblue";
} elseif (!strcmp($target, "ip_dst") || !strcmp($target, "dst_ip")) {
$title = _("TOP ATTACKED");
$sufix = "ed";
$color = "#FAC800";
$titlecolor = "darkred";
}
$shared = new DBA_shared(GET('shared'));
$SS_Attack = $shared->get("SS_Attack" . $sufix . "Host{$runorder}");
//
// select src_ip from alarm table and not defined into nets
//
$ips = array();
$plugin_id = NULL;
$plugin_groups = NULL;
$source_type = NULL;
$category = NULL;
$subcategory = NULL;
$limit = 20;
// Taxonomy filters
$plugin_list = Plugin_sid::get_all_sids($conn, $plugin_id, $source_type, $category, $subcategory, $plugin_groups);
// Data Source events or Source Type events
$selected = "";
// src_ips from acid_event
$where = Security_report::make_where($conn, $date_from, $date_to, $plugin_list, $dDB);
$ejoin = preg_match('/plist_[a-z]+/', $where) ? preg_replace('/.*(plist_[a-z]+)\\.id .*/', ',\\1', $where) : '';
$query = "SELECT DISTINCT ip_src AS ip FROM alienvault_siem.acid_event {$ejoin} WHERE 1=1 {$where}\n UNION SELECT DISTINCT ip_dst as ip FROM alienvault_siem.acid_event {$ejoin} WHERE 1=1 {$where}";
$rs = $conn->Execute($query);
if (!$rs) {
Av_exception::throw_error(Av_exception::DB_ERROR, $conn->ErrorMsg());
}
$already = array();
while (!$rs->EOF) {
$ip = inet_ntop($rs->fields['ip']);
if (!isset($already[$ip])) {
//Session::hostAllowed($conn,$ip) => not necessary here?
$already[$ip]++;
if (!Asset_host::is_ip_in_cache_cidr($conn, $ip)) {
// geoip
$_country_aux = $geoloc->get_country_by_host($conn, $ip);
$runorder = intval(GET('runorder'));
if ($runorder == 0) {
$runorder = "";
}
$multiple_colors = intval(GET('colors'));
if (ossim_error()) {
die(ossim_error());
}
/* hosts to show */
if (empty($limit) || $limit <= 0 || $limit > 10) {
$limit = 10;
}
if (empty($type)) {
$type = "event";
}
$security_report = new Security_report();
$shared = new DBA_shared(GET('shared'));
$SS_TopEvents = $shared->get("SS_TopEvents{$runorder}");
$SA_TopAlarms = $shared->get("SA_TopAlarms{$runorder}");
if ($type == "event" && is_array($SS_TopEvents) && count($SS_TopEvents) > 0) {
$list = $SS_TopEvents;
} elseif ($type == "alarm" && is_array($SA_TopAlarms) && count($SA_TopAlarms) > 0) {
$list = $SA_TopAlarms;
} else {
$list = $security_report->Events($limit, $type, $date_from, $date_to);
}
$data_pie = array();
$legend = $data = array();
foreach ($list as $key => $l) {
if ($key >= 10) {
// ponemos un límite de resultados para la gráfica
});
});
</script>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
<?php
} elseif ($screen == "alarms" && Session::menu_perms("analysis-menu", "ReportsAlarmReport")) {
// Alarms report
$report_type = "alarm";
$security_report = new Security_report();
$interval = 60 * 60 * 24 * $range;
# 1 month
$date_from = GET('date_from') != "" ? GET('date_from') : strftime("%Y-%m-%d", time() - $interval);
$date_to = GET('date_to') != "" ? GET('date_to') : strftime("%Y-%m-%d", time());
// Attacked host
$list1 = $security_report->AttackHost("ip_dst", $NUM_HOSTS, $report_type, $date_from, $date_to);
// Attacker host
$list2 = $security_report->AttackHost("ip_src", $NUM_HOSTS, $report_type, $date_from, $date_to);
// Ports
$list3 = $security_report->Ports($NUM_HOSTS, $report_type, $date_from, $date_to);
// Events
$list4 = $security_report->Events($NUM_HOSTS, $report_type, $date_from, $date_to);
?>
<table cellpadding='0' cellspacing='0' border='0' align="center" width='100%'>
<tr>
default:
$total = count($list);
$level = round($avg / $total);
}
} else {
$level = 0;
}
$data[] = $level;
$link = Menu::get_menu_url('/ossim/incidents/index.php', 'analysis', 'tickets');
$min = 0;
$max = 10;
break;
case 'alarm':
Session::logcheck("analysis-menu", "ControlPanelAlarms");
//Alarm Filters
list($ajoin, $awhere) = Security_report::make_where_alarm($conn, '', '', array(), $assets_filters);
$awhere = preg_replace('/AND \\(a\\.timestamp.*/', '', $awhere);
$operator = $chart_info['type'] != '' ? $chart_info['type'] : 'max';
$sqlgraph = "SELECT {$operator}(a.risk) as level FROM alienvault.alarm a {$ajoin} where 1=1 {$awhere}";
if (!($rg =& $conn->CacheExecute($sqlgraph))) {
print $conn->ErrorMsg();
} else {
$level = $rg->fields["level"];
}
$data[] = intval($level);
$link = Menu::get_menu_url('/ossim/alarm/alarm_console.php', 'analysis', 'alarms');
$min = 0;
$max = 10;
break;
default:
echo _("Unknown Type");
/**
* This function gets the SIEM trends in hours
*
* @param $h Number of hours of the trend
* @param $assets_filters [Optional] Asset filter applied
*
* @return An array with the result of the query that contains the data of the trend
*/
function SIEM_trends($h = 24, $assets_filters = '', $first_date = '')
{
global $tz;
//Cache file
$file = '_siem_events_' . Session::get_session_user() . '_';
$file .= md5($h . '_' . serialize($assets_filters));
$data = Cache_file::get_asset_data($file, 300);
if (is_array($data)) {
return $data;
}
$db = new ossim_db(TRUE);
$dbconn = $db->connect();
$tzc = Util::get_tzc($tz);
$data = array();
//Filters of assets
if (empty($assets_filters)) {
$assets_filters['assets'] = array();
$assets_filters['ctxs'] = array();
}
$query_where = Security_report::make_where($dbconn, gmdate("Y-m-d H:00:00", gmdate("U") - 3600 * $h), gmdate("Y-m-d H:59:59"), array(), $assets_filters);
$sqlgraph = "SELECT SUM(cnt) AS num_events, hour(convert_tz(timestamp,'+00:00','{$tzc}')) AS intervalo, day(convert_tz(timestamp,'+00:00','{$tzc}')) AS suf \n FROM alienvault_siem.ac_acid_event as acid_event WHERE 1=1 {$query_where} GROUP BY suf,intervalo";
if ($first_date) {
// Test if we have enough data in ac_acid_event
$query = "select cnt from alienvault_siem.ac_acid_event where timestamp between '{$first_date}:00:00' and '{$first_date}:59:59' limit 1";
$rg = $dbconn->CacheExecute($query);
if (!$rg) {
print $dbconn->ErrorMsg();
}
if ($rg->EOF) {
// Test if we have enough data in acid_event
$query = "select hex(id) from alienvault_siem.acid_event where timestamp between '{$first_date}:00:00' and '{$first_date}:59:59' limit 1";
$rg = $dbconn->CacheExecute($query);
if (!$rg) {
print $dbconn->ErrorMsg();
}
if (!$rg->EOF) {
$sqlgraph = "SELECT COUNT(acid_event.id) AS num_events, hour(convert_tz(timestamp,'+00:00','{$tzc}')) AS intervalo, day(convert_tz(timestamp,'+00:00','{$tzc}')) AS suf \n FROM alienvault_siem.acid_event WHERE 1=1 {$query_where} GROUP BY suf,intervalo";
}
}
}
$rg = $dbconn->CacheExecute($sqlgraph);
if (!$rg) {
print $dbconn->ErrorMsg();
} else {
while (!$rg->EOF) {
$data[$rg->fields['suf'] . ' ' . $rg->fields['intervalo'] . 'h'] = $rg->fields['num_events'];
$rg->MoveNext();
}
}
$db->close();
Cache_file::save_file($file, $data);
return $data;
}
?>
:
<select name="interface" onChange="submit()">
<?php
if ($_total) {
foreach ($ntop_list as $s_id => $s) {
if ($sensor == $s['ip']) {
foreach ($s['i_faces'] as $i_face => $i_data) {
if ($interface == '' && $i_data['role'] == 'admin' || $interface == $i_face) {
$selected = " selected='selected'";
} else {
$selected = '';
}
$interface_name = $i_data['name'] != '' ? $i_data['name'] : $i_face;
$interface_name = Security_report::Truncate($interface_name, 30, '...');
?>
<option <?php
echo $selected;
?>
value="<?php
echo $i_face;
?>
"><?php
echo $interface_name;
?>
</option>
<?php
}
}
}
