NathanGibbs3 / BASE / 590

pending completion

Build # 590

Build Type

push

travis-ci-com

Committed by

NathanGibbs3

Commit Message

20230420 Fix CI build breakage. 2

Run Details

2755 of 16977 relevant lines covered (16.23%)

21.61 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/base_stat_alerts.php

<?php
// Basic Analysis and Security Engine (BASE)
// Copyright (C) 2019-2023 Nathan Gibbs
// Copyright (C) 2004 BASE Project Team
// Copyright (C) 2000 Carnegie Mellon University
//
//   For license info: See the file 'base_main.php'
//
//       Project Lead: Nathan Gibbs
// Built upon work by: Kevin Johnson & the BASE Project Team
//                     Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
//
//            Purpose: Displays statistics on the detected alerts.
//
//          Author(s): Nathan Gibbs
//                     Kevin Johnson
//                     Joel Esler
//
// Input GET/POST variables
//   - caller
//   - submit
//   - sort_order

include_once ("base_conf.php");
include_once ("$BASE_path/includes/base_constants.inc.php");
include ("$BASE_path/includes/base_include.inc.php");
include_once ("$BASE_path/base_db_common.php");
include_once ("$BASE_path/base_qry_common.php");
include_once ("$BASE_path/base_stat_common.php");

AuthorizedRole(10000);
$et = new EventTiming($debug_time_mode);
$db = NewBASEDBConnection($DBlib_path, $DBtype); // Connect to DB.
$db->baseDBConnect(
        $db_connect_method,$alert_dbname, $alert_host, $alert_port, $alert_user,
        $alert_password
);
UpdateAlertCache($db);
if ( class_exists('UILang') ){ // Issue 11 backport shim.
        $CPSensor = $UIL->CWA['Sensor'];
        $CPSig = $UIL->CWA['Sig'];
        $CPSA = $UIL->CPA['SrcAddr'];
        $CPDA = $UIL->CPA['DstAddr'];
        $CPLast = $UIL->CWA['Last'];
        $CPFirst = $UIL->CWA['First'];
        $CPTotal = $UIL->CWA['Total'];
}else{
        $CPSensor = _SENSOR;
        $CPSig = _SIGNATURE;
        $CPSA = _NBSOURCEADDR;
        $CPDA = _NBDESTADDR;
        $CPLast = _LAST;
        $CPFirst = _FIRST;
        $CPTotal = _TOTAL;
}
$submit = ImportHTTPVar('submit', VAR_ALPHA | VAR_SPACE, array(_SELECTED, _ALLONSCREEN, _ENTIREQUERY));
$sort_order = ImportHTTPVar('sort_order', VAR_LETTER | VAR_USCORE);
$caller = ImportHTTPVar('caller', VAR_LETTER | VAR_USCORE);
$cs = new CriteriaState('base_stat_alerts.php');
$cs->ReadState();
if ( $debug_mode > 0 ){ // Dump debugging info on the shared state.
        PrintCriteriaState();
}
if ( $caller == 'most_frequent' && $sort_order = 'occur_d' ){
        // Interim Issue #120 Fix
        $sort_order = $CPTotal.'_occur_d';
}
if ( $caller == 'last_alerts' && $sort_order = 'last_d' ){
        // Interim Issue #122 Fix
        $sort_order = $CPLast.'_last_d';
}
$qs = new QueryState();
if ( $caller == 'most_frequent' || $caller == 'last_alerts' ){
        // Issue(s) #120 & #122 Fix
        $qs->current_sort_order = $sort_order;
}
$qs->AddCannedQuery(
        "most_frequent", $freq_num_alerts, _MOSTFREQALERTS, $CPTotal.'_occur_d'
);
$qs->AddCannedQuery(
        "last_alerts", $last_num_ualerts, _LASTALERTS, $CPLast.'_last_d'
);
$qs->MoveView($submit); // Increment the view if necessary.
$page_title = _ALERTTITLE;
if ( $qs->isCannedQuery() ){
        $page_title.': '.$qs->GetCurrentCannedQueryDesc();
}
PrintBASESubHeader( $page_title, $page_title, $cs->GetBackLink(), 1 );

if (is_object($cs)){ // Issue #5
  $criteria_clauses = ProcessCriteria();
}
// Issue #114 fix
NLIO ("<div style='overflow:hidden'>",2);
NLIO ("<div style='float: left; width: 60%;'>",3);
PrintCriteria('');
NLIO ('</div>',3);
NLIO ("<div style='float: right; width: 40%;'>",3);
// RFE by Joel. Wanted the Summary Statistics box on the base_stat_alerts page.
PrintFramedBoxHeader(_QSCSUMM, '#669999', 0, 4);
NLIO('<td>',6);
if ( isset($show_summary_stats) ){ // Issue #5
        if ( getenv('TRAVIS') && version_compare(PHP_VERSION, "5.3.0", "<") ){
                // Issue #5 Test Shim
                $where_sql = " WHERE ";
                $criteria_sql = " 1 = 1 ";
                $join_sql = "";
        }
        PrintGeneralStats(
                $db, 1, $show_summary_stats, "$join_sql ", "$where_sql $criteria_sql"
        );
}
NLIO("<ul class='stats'><li>");
NLIO('<a href="base_stat_time.php">' . _QSCTIMEPROF . '</a> ' . _QSCOFALERTS);
NLIO('</li></ul>');
PrintFramedBoxFooter(1,4);
NLIO ('</div>',3);
NLIO ('</div>',2);
if (is_object($cs)){ // Issue #5
  $from = " FROM acid_event ".$criteria_clauses[0];
  $where = ($criteria_clauses[1] != "") ? " WHERE ".$criteria_clauses[1] : " ";
}else{
        $from = " FROM acid_event ";
        $where = " ";
}
  $qs->AddValidAction("ag_by_id");
  $qs->AddValidAction("ag_by_name");
  $qs->AddValidAction("add_new_ag");
  $qs->AddValidAction("del_alert");
  $qs->AddValidAction("email_alert");
  $qs->AddValidAction("email_alert2");
  $qs->AddValidAction("csv_alert");
  $qs->AddValidAction("archive_alert");
  $qs->AddValidAction("archive_alert2");

  $qs->AddValidActionOp(_SELECTED);
  $qs->AddValidActionOp(_ALLONSCREEN);

  $qs->SetActionSQL($from.$where);
$et->Mark("Initialization");
  $qs->RunAction($submit, PAGE_STAT_ALERTS, $db);
$et->Mark("Alert Action");
// Get total number of events.
// This is expensive, don't do it if we're avoiding count().
// Michael Stone 2005-03-09
if ( $avoid_counts != 1 ){
        $event_cnt = EventCnt($db);
}
// Create SQL to get Unique Alerts.
$cnt_sql = "SELECT count(DISTINCT signature) ".$from.$where;
// Run the query to determine the number of rows (No LIMIT).
$qs->GetNumResultRows($cnt_sql, $db);
$et->Mark("Counting Result size");
// Setup the Query Results Table.
// Common SQL Strings
$OB = ' ORDER BY';
$qro = new QueryResultsOutput("base_stat_alerts.php?caller=".$caller);
$qro->AddTitle('');
$qro->AddTitle( $CPSig,
        "sig_a", " ", "$OB sig_name ASC",
        "sig_d", " ", "$OB sig_name DESC"
);
if ( $db->baseGetDBversion() >= 103 ){
        $qro->AddTitle( _CHRTCLASS,
                "class_a", ", MIN(sig_class_id) ", "$OB sig_class_id ASC ",
                "class_d", ", MIN(sig_class_id) ", "$OB sig_class_id DESC ",
                'left'
        );
}
$qro->AddTitle( $CPTotal,
        "occur_a", " ", "$OB sig_cnt ASC",
        "occur_d", " ", "$OB sig_cnt DESC", 'right'
);
$qro->AddTitle( $CPSensor);
$qro->AddTitle( $CPSA,
        "saddr_a", ", count(DISTINCT ip_src) AS saddr_cnt ", "$OB saddr_cnt ASC",
        "saddr_d", ", count(DISTINCT ip_src) AS saddr_cnt ", "$OB saddr_cnt DESC",
        'right'
);
$qro->AddTitle( $CPDA,
        "daddr_a", ", count(DISTINCT ip_dst) AS daddr_cnt ", "$OB daddr_cnt ASC",
        "daddr_d", ", count(DISTINCT ip_dst) AS daddr_cnt ", "$OB daddr_cnt DESC",
        'right'
);
$qro->AddTitle( $CPFirst,
        "first_a", ", min(timestamp) AS first_timestamp ",
        "$OB first_timestamp ASC",
        "first_d", ", min(timestamp) AS first_timestamp ",
        "$OB first_timestamp DESC"
);
if ( isset($show_previous_alert) && $show_previous_alert == 1 ){
        $qro->AddTitle(_PREVIOUS);
}
$qro->AddTitle( $CPLast,
        "last_a", ", max(timestamp) AS last_timestamp ", "$OB last_timestamp ASC",
        "last_d", ", max(timestamp) AS last_timestamp ", "$OB last_timestamp DESC"
);

// mstone 20050309 add sig_name to GROUP BY & query so it can be used in postgres ORDER BY.
// mstone 20050405 add sid & ip counts.
// Issue #168
$sql = "SELECT DISTINCT signature, count(signature) as sig_cnt, ".
                "min(timestamp), max(timestamp), sig_name, count(DISTINCT(sid)), ".
                "count(DISTINCT(ip_src)), count(DISTINCT(ip_dst)), sig_class_id ";
$sqlPFX = $from.$where." GROUP BY signature, sig_name, sig_class_id ";
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());
if ( !is_null($sort_sql) ){
        $sqlPFX = $sort_sql[0].$sqlPFX.$sort_sql[1];
}
$sql .= $sqlPFX;
// Run the Query again for the actual data (with the LIMIT), if any.
$result = $qs->ExecuteOutputQuery($sql, $db);
$et->Mark("Retrieve Query Data");
if ( $debug_mode > 0 ){
        if ( $qs->isCannedQuery() ){
                $CCF = 'Yes';
                $qs->PrintCannedQueryList();
        }else{
                $CCF = 'No';
        }
        print "Canned Query: $CCF <br/>";
        $qs->DumpState();
        print "SQL Executed: $sql <br/>";
}
$qs->PrintResultCnt(); // Print current view number and # of rows.

  echo '<FORM METHOD="post" NAME="PacketForm" ACTION="base_stat_alerts.php">';
  
  $qro->PrintHeader();

  $i = 0;
  // The below is due to changes in the queries...
  // We need to verify that it works all the time -- Kevin
  $and = (strpos($where, "WHERE") != 0 ) ? " AND " : " WHERE ";
  while ( ($myrow = $result->baseFetchRow()) && ($i < $qs->GetDisplayRowCnt()) )
  {
     $sig_id = $myrow[0];

     /* get Total Occurrence */
     $total_occurances = $myrow[1];

     /* Get other data */
     $sig_name = $myrow[4];
     $num_sensors = $myrow[5];
     $num_src_ip = $myrow[6];
     $num_dst_ip = $myrow[7];

     /* First and Last timestamp of this signature */
     $start_time = $myrow[2];
     $stop_time = $myrow[3];

                // mstone 20050406 only do this if we're going to provide links to the
                // first/last or if we're going to show the previous event time
                if ( isset($show_first_last_links) && isset($show_previous_alert) ){
                        if ( $show_first_last_links == 1 || $show_previous_alert == 1 ){
       $temp = "SELECT timestamp, acid_event.sid, acid_event.cid ".$from.$where.$and.
               "signature='".$sig_id."'
               ORDER BY timestamp DESC";
       $result2 = $db->baseExecute($temp, 0, 2);
       $last = $result2->baseFetchRow();
       $last_num = $total_occurances - 1;

       /* Getting the previous timestamp of this signature 
        * (I.E. The occurances before Last Timestamp) 
        */
       if ( $show_previous_alert == 1 )
       {
          if ( $total_occurances == 1 )
          {
             $prev = $last;
             $prev_time = $prev[0];
             $prev_num = 0;
          }
          else
          {
                  $prev = $result2->baseFetchRow();
                  $prev_time = $prev[0];
                    $prev_num = $total_occurances - 2;
                  $result2->baseFreeRows();
          }
       }
     }

     if ($show_first_last_links == 1) {
       /* Doing the same as above for the first entry that we are searching for.
        * The reason for doing this is because some older DB's such as ones using ODBC
        * probably don't support the move() function. Therefore, for the older DB's 
        * to get the first entry from the $temp variable above, we would need to 
        * continue to call MoveNext() for each and every entry for that signature. For 
        * signatures with a large amount of alerts(i.e. >1000), this could cause a severe
        * performance hit for those users.
        */ 
       $temp = "SELECT timestamp, acid_event.sid, acid_event.cid ".$from.$where.$and.
               "signature='".$sig_id."'
               ORDER BY timestamp ASC";
       $result2 = $db->baseExecute($temp, 0, 1);
       $first = $result2->baseFetchRow();
       $first_num = 0;
       $result2->baseFreeRows();
     }

                }
                // Print out (Colored Version) -- Alejandro
                if ( isset($colored_alerts) && $colored_alerts == 1 ){
                        $tmp = GetSignaturePriority($sig_id, $db);
                        $tmp2 = $colored_alerts;
                }else{
                        $tmp = $i;
                        $tmp2 = 0;
                }
                qroPrintEntryHeader($tmp, $tmp2);
     $tmp_rowid = rawurlencode($sig_id);
     echo '  <TD>&nbsp;&nbsp;
                 <INPUT TYPE="checkbox" NAME="action_chk_lst['.$i.']" VALUE="'.$tmp_rowid.'">
                 &nbsp;&nbsp;
             </TD>';
     echo '      <INPUT TYPE="hidden" NAME="action_lst['.$i.']" VALUE="'.$tmp_rowid.'">';
                qroPrintEntry(BuildSigByID($sig_id, $db), 'left');
                if ( $db->baseGetDBversion() >= 103 ){
                        qroPrintEntry(
                                GetSigClassName(GetSigClassID($sig_id, $db), $db),
                                'left'
                        );
                }
                qroPrintEntry(
                        '<A HREF="base_qry_main.php?new=1amp;&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D='.
                   (rawurlencode($sig_id)).'&amp;sig_type=1'.
                   '&amp;submit='._QUERYDBP.'&amp;num_result_rows=-1">'.$total_occurances.'</A>'.
                   /* mstone 20050309 lose this if we're not showing stats */
                   (($avoid_counts != 1)?('('.(round($total_occurances/$event_cnt*100)).'%)'):('')),
                        'right'
                );
     qroPrintEntry('<A HREF="base_stat_sensor.php?sig%5B0%5D=%3D&amp;sig%5B1%5D='.
                    rawurlencode($sig_id).'&amp;sig_type=1">'.$num_sensors.'</A>');

     if ( $db->baseGetDBversion() >= 100 )
        $addr_link = '&amp;sig_type=1&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D='.rawurlencode($sig_id);
     else
        $addr_link = '&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D='.rawurlencode($sig_id);

        qroPrintEntry(
                BuildUniqueAddressLink( 1, $addr_link )."$num_src_ip</a>",'right'
        );
        qroPrintEntry(
                BuildUniqueAddressLink( 2, $addr_link)."$num_dst_ip</a>",'right'
        );
        if ( isset($show_first_last_links) && $show_first_last_links == 1 ){
       qroPrintEntry('<FONT>'.
                     '<A HREF="base_qry_alert.php?'.
                     'submit=%23'.$first_num.'-%28'.$first[1].'-'.$first[2].'%29">'.
                     $start_time.'</FONT>');

       if ( $show_previous_alert == 1 )
          qroPrintEntry('<FONT>'.
                        '<A HREF="base_qry_alert.php?'.
                        'submit=%23'.$prev_num.'-%28'.$prev[1].'-'.$prev[2].'%29">'.
                        $prev_time.'</FONT>');

       qroPrintEntry('<FONT>'.
                     '<A HREF="base_qry_alert.php?'.
                     'submit=%23'.$last_num.'-%28'.$last[1].'-'.$last[2].'%29">'.
                     $stop_time.'</FONT>');
     } else {
       qroPrintEntry('<FONT>'.$start_time.'</FONT>');
       if ( $show_previous_alert == 1 )
         qroPrintEntry('<FONT>'.$prev_time.'</FONT>');
       qroPrintEntry('<FONT>'.$stop_time.'</FONT>');
     }

     qroPrintEntryFooter();

     $i++;
     $prev_time = null;
  }

$result->baseFreeRows();

$qro->PrintFooter();
$qs->PrintBrowseButtons();
$qs->PrintAlertActionButtons();
$qs->SaveState();
ExportHTTPVar("sort_order", $sort_order);
NLIO('</form>',2);
$et->Mark("Get Query Elements");
PrintBASESubFooter();
?>

1	<?php
2	// Basic Analysis and Security Engine (BASE)
3	// Copyright (C) 2019-2023 Nathan Gibbs
4	// Copyright (C) 2004 BASE Project Team
5	// Copyright (C) 2000 Carnegie Mellon University
6	//
7	// For license info: See the file 'base_main.php'
8	//
9	// Project Lead: Nathan Gibbs
10	// Built upon work by: Kevin Johnson & the BASE Project Team
11	// Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
12	//
13	// Purpose: Displays statistics on the detected alerts.
14	//
15	// Author(s): Nathan Gibbs
16	// Kevin Johnson
17	// Joel Esler
18	//
19	// Input GET/POST variables
20	// - caller
21	// - submit
22	// - sort_order
23
24	include_once ("base_conf.php");	×
25	include_once ("$BASE_path/includes/base_constants.inc.php");	×
26	include ("$BASE_path/includes/base_include.inc.php");	×
27	include_once ("$BASE_path/base_db_common.php");	×
28	include_once ("$BASE_path/base_qry_common.php");	×
29	include_once ("$BASE_path/base_stat_common.php");	×
30
31	AuthorizedRole(10000);	×
32	$et = new EventTiming($debug_time_mode);	×
33	$db = NewBASEDBConnection($DBlib_path, $DBtype); // Connect to DB.	×
34	$db->baseDBConnect(	×
35	$db_connect_method,$alert_dbname, $alert_host, $alert_port, $alert_user,
36	$alert_password
37	);
38	UpdateAlertCache($db);	×
39	if ( class_exists('UILang') ){ // Issue 11 backport shim.	×
40	$CPSensor = $UIL->CWA['Sensor'];	×
41	$CPSig = $UIL->CWA['Sig'];	×
42	$CPSA = $UIL->CPA['SrcAddr'];	×
43	$CPDA = $UIL->CPA['DstAddr'];	×
44	$CPLast = $UIL->CWA['Last'];	×
45	$CPFirst = $UIL->CWA['First'];	×
46	$CPTotal = $UIL->CWA['Total'];	×
47	}else{	×
48	$CPSensor = _SENSOR;	×
49	$CPSig = _SIGNATURE;	×
50	$CPSA = _NBSOURCEADDR;	×
51	$CPDA = _NBDESTADDR;	×
52	$CPLast = _LAST;	×
53	$CPFirst = _FIRST;	×
54	$CPTotal = _TOTAL;	×
55	}
56	$submit = ImportHTTPVar('submit', VAR_ALPHA \| VAR_SPACE, array(_SELECTED, _ALLONSCREEN, _ENTIREQUERY));	×
57	$sort_order = ImportHTTPVar('sort_order', VAR_LETTER \| VAR_USCORE);	×
58	$caller = ImportHTTPVar('caller', VAR_LETTER \| VAR_USCORE);	×
59	$cs = new CriteriaState('base_stat_alerts.php');	×
60	$cs->ReadState();	×
61	if ( $debug_mode > 0 ){ // Dump debugging info on the shared state.	×
62	PrintCriteriaState();	×
63	}
64	if ( $caller == 'most_frequent' && $sort_order = 'occur_d' ){	×
65	// Interim Issue #120 Fix
66	$sort_order = $CPTotal.'_occur_d';	×
67	}
68	if ( $caller == 'last_alerts' && $sort_order = 'last_d' ){	×
69	// Interim Issue #122 Fix
70	$sort_order = $CPLast.'_last_d';	×
71	}
72	$qs = new QueryState();	×
73	if ( $caller == 'most_frequent' \|\| $caller == 'last_alerts' ){	×
74	// Issue(s) #120 & #122 Fix
75	$qs->current_sort_order = $sort_order;	×
76	}
77	$qs->AddCannedQuery(	×
78	"most_frequent", $freq_num_alerts, _MOSTFREQALERTS, $CPTotal.'_occur_d'
79	);
80	$qs->AddCannedQuery(	×
81	"last_alerts", $last_num_ualerts, _LASTALERTS, $CPLast.'_last_d'
82	);
83	$qs->MoveView($submit); // Increment the view if necessary.	×
84	$page_title = _ALERTTITLE;	×
85	if ( $qs->isCannedQuery() ){	×
86	$page_title.': '.$qs->GetCurrentCannedQueryDesc();	×
87	}
88	PrintBASESubHeader( $page_title, $page_title, $cs->GetBackLink(), 1 );	×
89
90	if (is_object($cs)){ // Issue #5	×
91	$criteria_clauses = ProcessCriteria();	×
92	}
93	// Issue #114 fix
94	NLIO ("<div style='overflow:hidden'>",2);	×
95	NLIO ("<div style='float: left; width: 60%;'>",3);	×
96	PrintCriteria('');	×
97	NLIO ('</div>',3);	×
98	NLIO ("<div style='float: right; width: 40%;'>",3);	×
99	// RFE by Joel. Wanted the Summary Statistics box on the base_stat_alerts page.
100	PrintFramedBoxHeader(_QSCSUMM, '#669999', 0, 4);	×
101	NLIO('<td>',6);	×
102	if ( isset($show_summary_stats) ){ // Issue #5	×
103	if ( getenv('TRAVIS') && version_compare(PHP_VERSION, "5.3.0", "<") ){	×
104	// Issue #5 Test Shim
105	$where_sql = " WHERE ";	×
106	$criteria_sql = " 1 = 1 ";	×
107	$join_sql = "";	×
108	}
109	PrintGeneralStats(	×
110	$db, 1, $show_summary_stats, "$join_sql ", "$where_sql $criteria_sql"	×
111	);
112	}
113	NLIO("<ul class='stats'><li>");	×
114	NLIO('<a href="base_stat_time.php">' . _QSCTIMEPROF . '</a> ' . _QSCOFALERTS);	×
115	NLIO('</li></ul>');	×
116	PrintFramedBoxFooter(1,4);	×
117	NLIO ('</div>',3);	×
118	NLIO ('</div>',2);	×
119	if (is_object($cs)){ // Issue #5	×
120	$from = " FROM acid_event ".$criteria_clauses[0];	×
121	$where = ($criteria_clauses[1] != "") ? " WHERE ".$criteria_clauses[1] : " ";	×
122	}else{	×
123	$from = " FROM acid_event ";	×
124	$where = " ";	×
125	}
126	$qs->AddValidAction("ag_by_id");	×
127	$qs->AddValidAction("ag_by_name");	×
128	$qs->AddValidAction("add_new_ag");	×
129	$qs->AddValidAction("del_alert");	×
130	$qs->AddValidAction("email_alert");	×
131	$qs->AddValidAction("email_alert2");	×
132	$qs->AddValidAction("csv_alert");	×
133	$qs->AddValidAction("archive_alert");	×
134	$qs->AddValidAction("archive_alert2");	×
135
136	$qs->AddValidActionOp(_SELECTED);	×
137	$qs->AddValidActionOp(_ALLONSCREEN);	×
138
139	$qs->SetActionSQL($from.$where);	×
140	$et->Mark("Initialization");	×
141	$qs->RunAction($submit, PAGE_STAT_ALERTS, $db);	×
142	$et->Mark("Alert Action");	×
143	// Get total number of events.
144	// This is expensive, don't do it if we're avoiding count().
145	// Michael Stone 2005-03-09
146	if ( $avoid_counts != 1 ){	×
147	$event_cnt = EventCnt($db);	×
148	}
149	// Create SQL to get Unique Alerts.
150	$cnt_sql = "SELECT count(DISTINCT signature) ".$from.$where;	×
151	// Run the query to determine the number of rows (No LIMIT).
152	$qs->GetNumResultRows($cnt_sql, $db);	×
153	$et->Mark("Counting Result size");	×
154	// Setup the Query Results Table.
155	// Common SQL Strings
156	$OB = ' ORDER BY';	×
157	$qro = new QueryResultsOutput("base_stat_alerts.php?caller=".$caller);	×
158	$qro->AddTitle('');	×
159	$qro->AddTitle( $CPSig,	×
160	"sig_a", " ", "$OB sig_name ASC",	×
161	"sig_d", " ", "$OB sig_name DESC"	×
162	);
163	if ( $db->baseGetDBversion() >= 103 ){	×
164	$qro->AddTitle( _CHRTCLASS,	×
165	"class_a", ", MIN(sig_class_id) ", "$OB sig_class_id ASC ",	×
166	"class_d", ", MIN(sig_class_id) ", "$OB sig_class_id DESC ",	×
167	'left'
168	);
169	}
170	$qro->AddTitle( $CPTotal,	×
171	"occur_a", " ", "$OB sig_cnt ASC",	×
172	"occur_d", " ", "$OB sig_cnt DESC", 'right'	×
173	);
174	$qro->AddTitle( $CPSensor);	×
175	$qro->AddTitle( $CPSA,	×
176	"saddr_a", ", count(DISTINCT ip_src) AS saddr_cnt ", "$OB saddr_cnt ASC",	×
177	"saddr_d", ", count(DISTINCT ip_src) AS saddr_cnt ", "$OB saddr_cnt DESC",	×
178	'right'
179	);
180	$qro->AddTitle( $CPDA,	×
181	"daddr_a", ", count(DISTINCT ip_dst) AS daddr_cnt ", "$OB daddr_cnt ASC",	×
182	"daddr_d", ", count(DISTINCT ip_dst) AS daddr_cnt ", "$OB daddr_cnt DESC",	×
183	'right'
184	);
185	$qro->AddTitle( $CPFirst,	×
186	"first_a", ", min(timestamp) AS first_timestamp ",
187	"$OB first_timestamp ASC",	×
188	"first_d", ", min(timestamp) AS first_timestamp ",
189	"$OB first_timestamp DESC"	×
190	);
191	if ( isset($show_previous_alert) && $show_previous_alert == 1 ){	×
192	$qro->AddTitle(_PREVIOUS);	×
193	}
194	$qro->AddTitle( $CPLast,	×
195	"last_a", ", max(timestamp) AS last_timestamp ", "$OB last_timestamp ASC",	×
196	"last_d", ", max(timestamp) AS last_timestamp ", "$OB last_timestamp DESC"	×
197	);
198
199	// mstone 20050309 add sig_name to GROUP BY & query so it can be used in postgres ORDER BY.
200	// mstone 20050405 add sid & ip counts.
201	// Issue #168
202	$sql = "SELECT DISTINCT signature, count(signature) as sig_cnt, ".	×
203	"min(timestamp), max(timestamp), sig_name, count(DISTINCT(sid)), ".
204	"count(DISTINCT(ip_src)), count(DISTINCT(ip_dst)), sig_class_id ";
205	$sqlPFX = $from.$where." GROUP BY signature, sig_name, sig_class_id ";	×
206	$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());	×
207	if ( !is_null($sort_sql) ){	×
208	$sqlPFX = $sort_sql[0].$sqlPFX.$sort_sql[1];	×
209	}
210	$sql .= $sqlPFX;	×
211	// Run the Query again for the actual data (with the LIMIT), if any.
212	$result = $qs->ExecuteOutputQuery($sql, $db);	×
213	$et->Mark("Retrieve Query Data");	×
214	if ( $debug_mode > 0 ){	×
215	if ( $qs->isCannedQuery() ){	×
216	$CCF = 'Yes';	×
217	$qs->PrintCannedQueryList();	×
218	}else{	×
219	$CCF = 'No';	×
220	}
221	print "Canned Query: $CCF <br/>";	×
222	$qs->DumpState();	×
223	print "SQL Executed: $sql <br/>";	×
224	}
225	$qs->PrintResultCnt(); // Print current view number and # of rows.	×
226
227	echo '<FORM METHOD="post" NAME="PacketForm" ACTION="base_stat_alerts.php">';	×
228
229	$qro->PrintHeader();	×
230
231	$i = 0;	×
232	// The below is due to changes in the queries...
233	// We need to verify that it works all the time -- Kevin
234	$and = (strpos($where, "WHERE") != 0 ) ? " AND " : " WHERE ";	×
235	while ( ($myrow = $result->baseFetchRow()) && ($i < $qs->GetDisplayRowCnt()) )	×
236	{
237	$sig_id = $myrow[0];	×
238
239	/* get Total Occurrence */
240	$total_occurances = $myrow[1];	×
241
242	/* Get other data */
243	$sig_name = $myrow[4];	×
244	$num_sensors = $myrow[5];	×
245	$num_src_ip = $myrow[6];	×
246	$num_dst_ip = $myrow[7];	×
247
248	/* First and Last timestamp of this signature */
249	$start_time = $myrow[2];	×
250	$stop_time = $myrow[3];	×
251
252	// mstone 20050406 only do this if we're going to provide links to the
253	// first/last or if we're going to show the previous event time
254	if ( isset($show_first_last_links) && isset($show_previous_alert) ){	×
255	if ( $show_first_last_links == 1 \|\| $show_previous_alert == 1 ){	×
256	$temp = "SELECT timestamp, acid_event.sid, acid_event.cid ".$from.$where.$and.	×
257	"signature='".$sig_id."'
258	ORDER BY timestamp DESC";
259	$result2 = $db->baseExecute($temp, 0, 2);	×
260	$last = $result2->baseFetchRow();	×
261	$last_num = $total_occurances - 1;	×
262
263	/* Getting the previous timestamp of this signature
264	* (I.E. The occurances before Last Timestamp)
265	*/
266	if ( $show_previous_alert == 1 )	×
267	{
268	if ( $total_occurances == 1 )	×
269	{
270	$prev = $last;	×
271	$prev_time = $prev[0];	×
272	$prev_num = 0;	×
273	}
274	else	×
275	{
276	$prev = $result2->baseFetchRow();	×
277	$prev_time = $prev[0];	×
278	$prev_num = $total_occurances - 2;	×
279	$result2->baseFreeRows();	×
280	}
281	}
282	}
283
284	if ($show_first_last_links == 1) {	×
285	/* Doing the same as above for the first entry that we are searching for.
286	* The reason for doing this is because some older DB's such as ones using ODBC
287	* probably don't support the move() function. Therefore, for the older DB's
288	* to get the first entry from the $temp variable above, we would need to
289	* continue to call MoveNext() for each and every entry for that signature. For
290	* signatures with a large amount of alerts(i.e. >1000), this could cause a severe
291	* performance hit for those users.
292	*/
293	$temp = "SELECT timestamp, acid_event.sid, acid_event.cid ".$from.$where.$and.	×
294	"signature='".$sig_id."'
295	ORDER BY timestamp ASC";
296	$result2 = $db->baseExecute($temp, 0, 1);	×
297	$first = $result2->baseFetchRow();	×
298	$first_num = 0;	×
299	$result2->baseFreeRows();	×
300	}
301
302	}
303	// Print out (Colored Version) -- Alejandro
304	if ( isset($colored_alerts) && $colored_alerts == 1 ){	×
305	$tmp = GetSignaturePriority($sig_id, $db);	×
306	$tmp2 = $colored_alerts;	×
307	}else{	×
308	$tmp = $i;	×
309	$tmp2 = 0;	×
310	}
311	qroPrintEntryHeader($tmp, $tmp2);	×
312	$tmp_rowid = rawurlencode($sig_id);	×
313	echo ' <TD>	×
314	<INPUT TYPE="checkbox" NAME="action_chk_lst['.$i.']" VALUE="'.$tmp_rowid.'">
315
316	</TD>';
317	echo ' <INPUT TYPE="hidden" NAME="action_lst['.$i.']" VALUE="'.$tmp_rowid.'">';	×
318	qroPrintEntry(BuildSigByID($sig_id, $db), 'left');	×
319	if ( $db->baseGetDBversion() >= 103 ){	×
320	qroPrintEntry(	×
321	GetSigClassName(GetSigClassID($sig_id, $db), $db),	×
322	'left'
323	);
324	}
325	qroPrintEntry(	×
326	'<A HREF="base_qry_main.php?new=1amp;&sig%5B0%5D=%3D&sig%5B1%5D='.
327	(rawurlencode($sig_id)).'&sig_type=1'.	×
328	'&submit='._QUERYDBP.'&num_result_rows=-1">'.$total_occurances.'</A>'.
329	/* mstone 20050309 lose this if we're not showing stats */
330	(($avoid_counts != 1)?('('.(round($total_occurances/$event_cnt*100)).'%)'):('')),	×
331	'right'
332	);
333	qroPrintEntry('<A HREF="base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D='.	×
334	rawurlencode($sig_id).'&sig_type=1">'.$num_sensors.'</A>');	×
335
336	if ( $db->baseGetDBversion() >= 100 )	×
337	$addr_link = '&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D='.rawurlencode($sig_id);	×
338	else	×
339	$addr_link = '&sig%5B0%5D=%3D&sig%5B1%5D='.rawurlencode($sig_id);	×
340
341	qroPrintEntry(	×
342	BuildUniqueAddressLink( 1, $addr_link )."$num_src_ip</a>",'right'	×
343	);
344	qroPrintEntry(	×
345	BuildUniqueAddressLink( 2, $addr_link)."$num_dst_ip</a>",'right'	×
346	);
347	if ( isset($show_first_last_links) && $show_first_last_links == 1 ){	×
348	qroPrintEntry('<FONT>'.	×
349	'<A HREF="base_qry_alert.php?'.
350	'submit=%23'.$first_num.'-%28'.$first[1].'-'.$first[2].'%29">'.	×
351	$start_time.'</FONT>');
352
353	if ( $show_previous_alert == 1 )	×
354	qroPrintEntry('<FONT>'.	×
355	'<A HREF="base_qry_alert.php?'.
356	'submit=%23'.$prev_num.'-%28'.$prev[1].'-'.$prev[2].'%29">'.	×
357	$prev_time.'</FONT>');
358
359	qroPrintEntry('<FONT>'.	×
360	'<A HREF="base_qry_alert.php?'.
361	'submit=%23'.$last_num.'-%28'.$last[1].'-'.$last[2].'%29">'.	×
362	$stop_time.'</FONT>');
363	} else {	×
364	qroPrintEntry('<FONT>'.$start_time.'</FONT>');	×
365	if ( $show_previous_alert == 1 )	×
366	qroPrintEntry('<FONT>'.$prev_time.'</FONT>');	×
367	qroPrintEntry('<FONT>'.$stop_time.'</FONT>');	×
368	}
369
370	qroPrintEntryFooter();	×
371
372	$i++;	×
373	$prev_time = null;	×
374	}
375
376	$result->baseFreeRows();	×
377
378	$qro->PrintFooter();	×
379	$qs->PrintBrowseButtons();	×
380	$qs->PrintAlertActionButtons();	×
381	$qs->SaveState();	×
382	ExportHTTPVar("sort_order", $sort_order);	×
383	NLIO('</form>',2);	×
384	$et->Mark("Get Query Elements");	×
385	PrintBASESubFooter();	×
386	?>

NathanGibbs3 / BASE / 590

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous