NathanGibbs3 / BASE / 584

pending completion
584

push

travis-ci-com

NathanGibbs3
20230412 Fix CI build breakage.
         Related Issue(s) #158

2 of 2 new or added lines in 1 file covered. (100.0%)

2594 of 16816 relevant lines covered (15.43%)

20.97 hits per line

/base_stat_alerts.php
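<?php
// Basic Analysis and Security Engine (BASE)
// Copyright (C) 2019-2022 Nathan Gibbs
// Copyright (C) 2004 BASE Project Team
// Copyright (C) 2000 Carnegie Mellon University
//
//   For license info: See the file 'base_main.php'
//
//       Project Lead: Nathan Gibbs
// Built upon work by: Kevin Johnson & the BASE Project Team
//                     Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
//
//            Purpose: Displays statistics on the detected alerts.
//
//          Author(s): Nathan Gibbs
//                     Kevin Johnson
//                     Joel Esler
//
// Input GET/POST variables
//   - caller
//   - submit
//   - sort_order
//
// Page flow:
//   1. authorise the caller, connect to the alert DB and read the shared
//      criteria / query state;
//   2. build the per-signature aggregate query (count, first/last timestamp,
//      distinct sensors and addresses) with the column-sort the user chose;
//   3. render one table row per signature, with optional first/previous/last
//      links that need one extra query per row.

include_once ("base_conf.php");
include_once ("$BASE_path/includes/base_constants.inc.php");
include ("$BASE_path/includes/base_include.inc.php");
include_once ("$BASE_path/base_db_common.php");
include_once ("$BASE_path/base_qry_common.php");
include_once ("$BASE_path/base_stat_common.php");

AuthorizedRole(10000);
$et = new EventTiming($debug_time_mode);
$db = NewBASEDBConnection($DBlib_path, $DBtype); // Connect to Alert DB.
$db->baseDBConnect(
	$db_connect_method,$alert_dbname, $alert_host, $alert_port, $alert_user,
	$alert_password
);
UpdateAlertCache($db);
// Column captions: use the UILang translations when that class is loaded,
// otherwise the legacy language constants.
if ( class_exists('UILang') ){ // Issue 11 backport shim.
	$CPSensor = $UIL->CWA['Sensor'];
	$CPSig = $UIL->CWA['Sig'];
	$CPSA = $UIL->CPA['SrcAddr'];
	$CPDA = $UIL->CPA['DstAddr'];
	$CPLast = $UIL->CWA['Last'];
	$CPFirst = $UIL->CWA['First'];
	$CPTotal = $UIL->CWA['Total'];
}else{
	$CPSensor = _SENSOR;
	$CPSig = _SIGNATURE;
	$CPSA = _NBSOURCEADDR;
	$CPDA = _NBDESTADDR;
	$CPLast = _LAST;
	$CPFirst = _FIRST;
	$CPTotal = _TOTAL;
}
// Every request variable this page reads goes through ImportHTTPVar() with a
// character-class filter; 'submit' also carries a list of expected values.
// $caller is later interpolated into a URL and $sort_order is exported back
// to the form, so keep the VAR_LETTER | VAR_USCORE filters in place.
$submit = ImportHTTPVar('submit', VAR_ALPHA | VAR_SPACE, array(_SELECTED, _ALLONSCREEN, _ENTIREQUERY));
$sort_order = ImportHTTPVar('sort_order', VAR_LETTER | VAR_USCORE);
$caller = ImportHTTPVar('caller', VAR_LETTER | VAR_USCORE);
$cs = new CriteriaState('base_stat_alerts.php');
$cs->ReadState();
if ( $debug_mode > 0 ){ // Dump debugging info on the shared state.
	PrintCriteriaState();
}
// Canned-query sort overrides.
// NOTE(review): the original conditions read
//   `$caller == 'most_frequent' && $sort_order = 'occur_d'`
// with a single '=', i.e. an assignment that is always truthy, so the
// override ran for every request from that caller. That behaviour is kept
// here, written as the unconditional override it actually was; confirm
// whether `== 'occur_d'` / `== 'last_d'` was the intent of Issues #120/#122.
if ( $caller == 'most_frequent' ){
	// Interim Issue #120 Fix
	$sort_order = $CPTotal.'_occur_d';
}
if ( $caller == 'last_alerts' ){
	// Interim Issue #122 Fix
	$sort_order = $CPLast.'_last_d';
}
$qs = new QueryState();
if ( $caller == 'most_frequent' || $caller == 'last_alerts' ){
	// Issue(s) #120 & #122 Fix
	$qs->current_sort_order = $sort_order;
}
$qs->AddCannedQuery(
	"most_frequent", $freq_num_alerts, _MOSTFREQALERTS, $CPTotal.'_occur_d'
);
$qs->AddCannedQuery(
	"last_alerts", $last_num_ualerts, _LASTALERTS, $CPLast.'_last_d'
);
$qs->MoveView($submit); // Increment the view if necessary.
$page_title = _ALERTTITLE;
if ( $qs->isCannedQuery() ){
	// Append the canned query description to the title. The previous form
	// `$page_title.': '....` was a bare expression with no effect, so the
	// description never reached the header.
	$page_title .= ': '.$qs->GetCurrentCannedQueryDesc();
}
PrintBASESubHeader( $page_title, $page_title, $cs->GetBackLink(), 1 );

if (is_object($cs)){ // Issue #5
	// [0] = extra JOIN/FROM fragment, [1] = WHERE body (may be empty).
	// The fragments are produced by ProcessCriteria() from the saved
	// criteria state; they are concatenated into SQL below, so any input
	// validation has to happen inside ProcessCriteria() -- verify there.
	$criteria_clauses = ProcessCriteria();
}
// Issue #114 fix
NLIO ("<div style='overflow:hidden'>",2);
NLIO ("<div style='float: left; width: 60%;'>",3);
PrintCriteria('');
NLIO ('</div>',3);
NLIO ("<div style='float: right; width: 40%;'>",3);
// RFE by Joel. Wanted the Summary Statistics box on the base_stat_alerts page.
PrintFramedBoxHeader(_QSCSUMM, '#669999', 0, 4);
NLIO('<td>',6);
if ( isset($show_summary_stats) ){ // Issue #5
	if ( getenv('TRAVIS') && version_compare(PHP_VERSION, "5.3.0", "<") ){
		// Issue #5 Test Shim
		$where_sql = " WHERE ";
		$criteria_sql = " 1 = 1 ";
		$join_sql = "";
	}
	PrintGeneralStats(
		$db, 1, $show_summary_stats, "$join_sql ", "$where_sql $criteria_sql"
	);
}
echo('<BR><LI><A HREF="base_stat_time.php">'._QSCTIMEPROF.'</A> '._QSCOFALERTS . "</LI>");
PrintFramedBoxFooter(1,4);
NLIO ('</div>',3);
NLIO ('</div>',2);
// $where is either " WHERE <criteria>" or a lone " "; the per-row queries
// below depend on that shape when they decide between AND and WHERE.
if (is_object($cs)){ // Issue #5
	$from = " FROM acid_event ".$criteria_clauses[0];
	$where = ($criteria_clauses[1] != "") ? " WHERE ".$criteria_clauses[1] : " ";
}else{
	$from = " FROM acid_event ";
	$where = " ";
}
$qs->AddValidAction("ag_by_id");
$qs->AddValidAction("ag_by_name");
$qs->AddValidAction("add_new_ag");
$qs->AddValidAction("del_alert");
$qs->AddValidAction("email_alert");
$qs->AddValidAction("email_alert2");
$qs->AddValidAction("csv_alert");
$qs->AddValidAction("archive_alert");
$qs->AddValidAction("archive_alert2");

$qs->AddValidActionOp(_SELECTED);
$qs->AddValidActionOp(_ALLONSCREEN);

$qs->SetActionSQL($from.$where);
$et->Mark("Initialization");
$qs->RunAction($submit, PAGE_STAT_ALERTS, $db);
$et->Mark("Alert Action");
// Get total number of events.
// This is expensive, don't do it if we're avoiding count().
// Michael Stone 2005-03-09
$event_cnt = 0; // Only meaningful when counts are not being avoided.
if ( $avoid_counts != 1 ){
	$event_cnt = EventCnt($db);
}
// Create SQL to get Unique Alerts.
$cnt_sql = "SELECT count(DISTINCT signature) ".$from.$where;
// Run the query to determine the number of rows (No LIMIT).
$qs->GetNumResultRows($cnt_sql, $db);
$et->Mark("Counting Result size");
// Setup the Query Results Table.
// Common SQL Strings
$OB = ' ORDER BY';
// $caller has already been filtered to letters/underscores, so it is safe
// to place in the results-page URL as-is.
$qro = new QueryResultsOutput("base_stat_alerts.php?caller=".$caller);
$qro->AddTitle('');
$qro->AddTitle( $CPSig,
	"sig_a", " ", "$OB sig_name ASC",
	"sig_d", " ", "$OB sig_name DESC"
);
if ( $db->baseGetDBversion() >= 103 ){
	$qro->AddTitle( _CHRTCLASS,
		"class_a", ", MIN(sig_class_id) ", "$OB sig_class_id ASC ",
		"class_d", ", MIN(sig_class_id) ", "$OB sig_class_id DESC ",
		'left'
	);
}
$qro->AddTitle( $CPTotal,
	"occur_a", " ", "$OB sig_cnt ASC",
	"occur_d", " ", "$OB sig_cnt DESC", 'right'
);
$qro->AddTitle( $CPSensor);
$qro->AddTitle( $CPSA,
	"saddr_a", ", count(DISTINCT ip_src) AS saddr_cnt ", "$OB saddr_cnt ASC",
	"saddr_d", ", count(DISTINCT ip_src) AS saddr_cnt ", "$OB saddr_cnt DESC",
	'right'
);
$qro->AddTitle( $CPDA,
	"daddr_a", ", count(DISTINCT ip_dst) AS daddr_cnt ", "$OB daddr_cnt ASC",
	"daddr_d", ", count(DISTINCT ip_dst) AS daddr_cnt ", "$OB daddr_cnt DESC",
	'right'
);
$qro->AddTitle( $CPFirst,
	"first_a", ", min(timestamp) AS first_timestamp ",
	"$OB first_timestamp ASC",
	"first_d", ", min(timestamp) AS first_timestamp ",
	"$OB first_timestamp DESC"
);
if ( isset($show_previous_alert) && $show_previous_alert == 1 ){
	$qro->AddTitle(_PREVIOUS);
}
$qro->AddTitle( $CPLast,
	"last_a", ", max(timestamp) AS last_timestamp ", "$OB last_timestamp ASC",
	"last_d", ", max(timestamp) AS last_timestamp ", "$OB last_timestamp DESC"
);

// mstone 20050309 add sig_name to GROUP BY & query so it can be used in postgres ORDER BY.
// mstone 20050405 add sid & ip counts.
// Issue #168
// Result column layout (indexes used in the row loop below):
//   0 signature, 1 sig_cnt, 2 min(timestamp), 3 max(timestamp), 4 sig_name,
//   5 distinct sid count, 6 distinct ip_src count, 7 distinct ip_dst count,
//   8 sig_class_id.
$sql = "SELECT DISTINCT signature, count(signature) as sig_cnt, ".
		"min(timestamp), max(timestamp), sig_name, count(DISTINCT(sid)), ".
		"count(DISTINCT(ip_src)), count(DISTINCT(ip_dst)), sig_class_id ";
$sqlPFX = $from.$where." GROUP BY signature, sig_name, sig_class_id ";
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());
if ( !is_null($sort_sql) ){
	// [0] = extra select columns, [1] = ORDER BY clause.
	$sqlPFX = $sort_sql[0].$sqlPFX.$sort_sql[1];
}
$sql .= $sqlPFX;
// Run the Query again for the actual data (with the LIMIT), if any.
$result = $qs->ExecuteOutputQuery($sql, $db);
$et->Mark("Retrieve Query Data");
if ( $debug_mode > 0 ){
	if ( $qs->isCannedQuery() ){
		$CCF = 'Yes';
		$qs->PrintCannedQueryList();
	}else{
		$CCF = 'No';
	}
	print "Canned Query: $CCF <br/>";
	$qs->DumpState();
	print "SQL Executed: $sql <br/>";
}
$qs->PrintResultCnt(); // Print current view number and # of rows.

echo '<FORM METHOD="post" NAME="PacketForm" ACTION="base_stat_alerts.php">';

$qro->PrintHeader();

$i = 0;
// The below is due to changes in the queries...
// We need to verify that it works all the time -- Kevin
// $where is " WHERE ..." (WHERE at offset 1) or " " (strpos() returns false),
// so a strict `!== false` test is the correct way to decide whether the
// per-signature clause opens a new WHERE or extends the existing one. The
// former loose `!= 0` only worked because false != 0 is false.
$and = (strpos($where, "WHERE") !== false) ? " AND " : " WHERE ";
while ( ($myrow = $result->baseFetchRow()) && ($i < $qs->GetDisplayRowCnt()) ){
	$sig_id = $myrow[0];

	/* get Total Occurrence */
	$total_occurances = $myrow[1];

	/* Get other data */
	$sig_name = $myrow[4];
	$num_sensors = $myrow[5];
	$num_src_ip = $myrow[6];
	$num_dst_ip = $myrow[7];

	/* First and Last timestamp of this signature */
	$start_time = $myrow[2];
	$stop_time = $myrow[3];

	// mstone 20050406 only do this if we're going to provide links to the
	// first/last or if we're going to show the previous event time
	if ( isset($show_first_last_links) && isset($show_previous_alert) ){
		if ( $show_first_last_links == 1 || $show_previous_alert == 1 ){
			// $sig_id is taken from the aggregate result set, not from the
			// request, but it is still spliced into SQL as a literal here;
			// it should go through the DB layer's quoting rather than raw
			// concatenation.
			$temp = "SELECT timestamp, acid_event.sid, acid_event.cid ".$from.$where.$and.
				"signature='".$sig_id."'
               ORDER BY timestamp DESC";
			$result2 = $db->baseExecute($temp, 0, 2);
			$last = $result2->baseFetchRow();
			$last_num = $total_occurances - 1;

			/* Getting the previous timestamp of this signature
			 * (I.E. The occurances before Last Timestamp)
			 */
			if ( $show_previous_alert == 1 ){
				if ( $total_occurances == 1 ){
					$prev = $last;
					$prev_time = $prev[0];
					$prev_num = 0;
				}else{
					$prev = $result2->baseFetchRow();
					$prev_time = $prev[0];
					$prev_num = $total_occurances - 2;
				}
			}
			// Release the result set on every path; it used to be freed only
			// after the second row had been fetched.
			$result2->baseFreeRows();
		}

		if ($show_first_last_links == 1) {
			/* Doing the same as above for the first entry that we are searching for.
			 * The reason for doing this is because some older DB's such as ones using ODBC
			 * probably don't support the move() function. Therefore, for the older DB's
			 * to get the first entry from the $temp variable above, we would need to
			 * continue to call MoveNext() for each and every entry for that signature. For
			 * signatures with a large amount of alerts(i.e. >1000), this could cause a severe
			 * performance hit for those users.
			 */
			$temp = "SELECT timestamp, acid_event.sid, acid_event.cid ".$from.$where.$and.
				"signature='".$sig_id."'
               ORDER BY timestamp ASC";
			$result2 = $db->baseExecute($temp, 0, 1);
			$first = $result2->baseFetchRow();
			$first_num = 0;
			$result2->baseFreeRows();
		}
	}
	// Print out (Colored Version) -- Alejandro
	if ( isset($colored_alerts) && $colored_alerts == 1 ){
		$tmp = GetSignaturePriority($sig_id, $db);
		$tmp2 = $colored_alerts;
	}else{
		$tmp = $i;
		$tmp2 = 0;
	}
	qroPrintEntryHeader($tmp, $tmp2);
	// Encoded once and reused for both the checkbox and the hidden field.
	$tmp_rowid = rawurlencode($sig_id);
	echo '  <TD>&nbsp;&nbsp;
                 <INPUT TYPE="checkbox" NAME="action_chk_lst['.$i.']" VALUE="'.$tmp_rowid.'">
                 &nbsp;&nbsp;
             </TD>';
	echo '      <INPUT TYPE="hidden" NAME="action_lst['.$i.']" VALUE="'.$tmp_rowid.'">';
	qroPrintEntry(BuildSigByID($sig_id, $db), 'left');
	if ( $db->baseGetDBversion() >= 103 ){
		qroPrintEntry(
			GetSigClassName(GetSigClassID($sig_id, $db), $db),
			'left'
		);
	}
	// NOTE(review): the link below emits `new=1amp;&amp;` -- the `new`
	// parameter therefore arrives as the string "1amp;" rather than "1".
	// Left as-is because base_qry_main.php's handling of it is not visible
	// here; confirm and change to `new=1&amp;` if that is what is expected.
	qroPrintEntry(
		'<A HREF="base_qry_main.php?new=1amp;&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D='.
		(rawurlencode($sig_id)).'&amp;sig_type=1'.
		'&amp;submit='._QUERYDBP.'&amp;num_result_rows=-1">'.$total_occurances.'</A>'.
		/* mstone 20050309 lose this if we're not showing stats */
		// Guard the divisor: $event_cnt is 0 when counts are avoided or when
		// EventCnt() reports no events.
		(($avoid_counts != 1 && $event_cnt > 0) ? ('('.(round($total_occurances/$event_cnt*100)).'%)') : ('')),
		'right'
	);
	qroPrintEntry('<A HREF="base_stat_sensor.php?sig%5B0%5D=%3D&amp;sig%5B1%5D='.
		rawurlencode($sig_id).'&amp;sig_type=1">'.$num_sensors.'</A>');

	if ( $db->baseGetDBversion() >= 100 ){
		$addr_link = '&amp;sig_type=1&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D='.rawurlencode($sig_id);
	}else{
		$addr_link = '&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D='.rawurlencode($sig_id);
	}

	qroPrintEntry(
		BuildUniqueAddressLink( 1, $addr_link )."$num_src_ip</a>",'right'
	);
	qroPrintEntry(
		BuildUniqueAddressLink( 2, $addr_link)."$num_dst_ip</a>",'right'
	);
	if ( isset($show_first_last_links) && $show_first_last_links == 1 ){
		qroPrintEntry('<FONT>'.
			'<A HREF="base_qry_alert.php?'.
			'submit=%23'.$first_num.'-%28'.$first[1].'-'.$first[2].'%29">'.
			$start_time.'</FONT>');

		if ( $show_previous_alert == 1 ){
			qroPrintEntry('<FONT>'.
				'<A HREF="base_qry_alert.php?'.
				'submit=%23'.$prev_num.'-%28'.$prev[1].'-'.$prev[2].'%29">'.
				$prev_time.'</FONT>');
		}

		qroPrintEntry('<FONT>'.
			'<A HREF="base_qry_alert.php?'.
			'submit=%23'.$last_num.'-%28'.$last[1].'-'.$last[2].'%29">'.
			$stop_time.'</FONT>');
	} else {
		qroPrintEntry('<FONT>'.$start_time.'</FONT>');
		// isset() guard avoids an undefined-variable notice when the option
		// is not configured; the comparison result is unchanged.
		if ( isset($show_previous_alert) && $show_previous_alert == 1 ){
			qroPrintEntry('<FONT>'.$prev_time.'</FONT>');
		}
		qroPrintEntry('<FONT>'.$stop_time.'</FONT>');
	}

	qroPrintEntryFooter();

	$i++;
	$prev_time = null;
}

$result->baseFreeRows();

$qro->PrintFooter();

$qs->PrintBrowseButtons();
$qs->PrintAlertActionButtons();
$qs->SaveState();
ExportHTTPVar("sort_order", $sort_order);
echo "\n</FORM>\n";
$et->Mark("Get Query Elements");
PrintBASESubFooter();
?>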