NathanGibbs3 / BASE / 590

pending completion
590

push

travis-ci-com

NathanGibbs3
20230420 Fix CI build breakage. 2

2755 of 16977 relevant lines covered (16.23%)

21.61 hits per line

/base_stat_ipaddr.php
<?php
/*******************************************************************************
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
**
** (see the file 'base_main.php' for license details)
**
** Project Leads: Kevin Johnson <kjohnson@secureideas.net>
**                Sean Muller <samwise_diver@users.sourceforge.net>
** Built upon work by Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
**
** Purpose: Displays stats on an individual IP address
**
** Input GET/POST variables
**   - action:
**   - submit:
**   - ip:
**   - netmask:
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson <kjohnson@secureideas.net>
**
********************************************************************************
*/

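// Page bootstrap: load configuration and helpers, enforce the role check,
// connect to the alert database and import the request variables.
$sig = array();

include("base_conf.php");
include_once("$BASE_path/includes/base_constants.inc.php");
include("$BASE_path/includes/base_include.inc.php");
include_once("$BASE_path/base_db_common.php");
include_once("$BASE_path/base_common.php");

// Access check runs before any database work or output.
// NOTE(review): the meaning of the role value 10000 is defined outside this file.
AuthorizedRole(10000);
$et = new EventTiming($debug_time_mode);
$db = NewBASEDBConnection($DBlib_path, $DBtype); // Connect to DB.
$db->baseDBConnect(
        $db_connect_method,$alert_dbname, $alert_host, $alert_port, $alert_user,
        $alert_password
);
UpdateAlertCache($db);
$cs = new CriteriaState("base_stat_ipaddr.php");
$cs->ReadState();

// Request input. Each value is imported with a character-class mask; every
// later use of $ip and $netmask in HTML, URLs and SQL relies on these masks.
// NOTE(review): presumably ImportHTTPVar() drops characters outside the mask -
// confirm, because nothing below escapes these values again.
$ip = ImportHTTPVar("ip", VAR_DIGIT | VAR_PERIOD);
$netmask = ImportHTTPVar("netmask", VAR_DIGIT);
$action = ImportHTTPVar("action", VAR_ALPHA);
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);

// empty() is also true for an unset variable, so it covers both error cases.
if ( empty($ip) ){
        $Epfx = __FILE__ . ":";
        $page_title = 'ERROR';
}else{
        $Epfx = '';
        $page_title = $ip.'/'.$netmask;
}
PrintBASESubHeader($page_title, $page_title, $cs->GetBackLink(), 1);
if (!isset($ip)){
        ErrorMessage($Epfx. __LINE__ . ": Ignoring \$ip - undefined.");
}elseif (empty($ip)){
        ErrorMessage($Epfx. __LINE__ . ": Ignoring \$ip - empty.");
}
// NOTE(review): after reporting a missing $ip the script still continues and
// runs the queries below with that value - confirm this is intended.
if ( !empty($Epfx) && $debug_mode > 1 ){
        // debug_print_backtrace() prints the trace and returns nothing, so
        // concatenating its result produced an empty <PRE> block with the trace
        // written before it. Capture the output and escape it for the <PRE>.
        ob_start();
        debug_print_backtrace();
        $trace = ob_get_clean();
        $debug_str = "<BR><PRE>\n\n" . htmlspecialchars($trace, ENT_QUOTES) . "\n\n</PRE><BR>\n";
        ErrorMessage($debug_str);
}
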
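/**
 * Print an HTML table of the portscan-log entries that mention $ip.
 *
 * Reads the file named by the global $portscan_file line by line. A line that
 * contains $ip starts an entry: its first three space-separated fields are
 * printed, then fields 4 to 10, then the lines that follow it up to the next
 * short (blank) line. A last row shows the number of matching entries.
 *
 * The log is written from observed network traffic, so every value taken
 * from it is HTML-escaped before it is echoed.
 *
 * @param mixed  $db Database handle; not used by this function.
 * @param string $ip IP address to look for in the portscan log.
 * @return void Output is echoed; problems are reported through ErrorMessage().
 */
function PrintPortscanEvents($db, $ip)
{
  GLOBAL $portscan_file;

  // empty() is also true for an unset or null global.
  if (empty($portscan_file))
  {
     ErrorMessage(_PSEVENTERR._PSEVENTERRNOFILE);
     return;
  }

  if (!is_file($portscan_file))
  {
     ErrorMessage(_PSEVENTERR._PSEVENTERROPENFILE . " '" . $portscan_file . "': This file could not be found. Maybe a wrong path or a wrong filename?");
     return;
  }

  if (!is_readable($portscan_file))
  {
    ErrorMessage(_PSEVENTERR._PSEVENTERROPENFILE . " '" . $portscan_file . "' Maybe a permission problem?");
    return;
  }

  if (!isset($ip))
  {
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": \$ip has NOT been defined. Returning.");
    return;
  }

  if (empty($ip))
  {
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": \$ip has been defined, but it is empty. Returning.");
    return;
  }

  $fp = fopen($portscan_file,"r");
  if ( !$fp )
  {
     ErrorMessage(_PSEVENTERR._PSEVENTERROPENFILE." '".$portscan_file."'");
     return;
  }

  echo '<TABLE border="1" width="100%" cellspacing="0" cellpadding="5">
        <TR>
        <TD CLASS="plfieldhdr">IP addresses</TD>
        <TD CLASS="plfieldhdr">Type</TD>
        <TD CLASS="plfieldhdr">Details</TD>';
  echo '</TR>';

  $total = 0;

  // Match $ip as a literal. Unquoted, every "." was a regex wildcard, and
  // without the digit boundaries "10.0.0.1" also matched "10.0.0.11" and
  // "110.0.0.1", so entries of other hosts were listed under this address.
  $pattern = '/(?<![0-9])' . preg_quote($ip, '/') . '(?![0-9])/';

  while ( !feof($fp) )
  {
    $contents = fgets($fp, 255);
    if ($contents === false)
    {
      // End of file or read error: nothing left to inspect.
      break;
    }

    if (!preg_match($pattern, $contents))
    {
      continue;
    }

    $total++;
    // Alternate the row background between matching entries.
    $color = ($total % 2 == 0) ? "DDDDDD" : "FFFFFF";

    $contents = preg_replace("/  /", " ", $contents);
    $elements = explode(" ", $contents);

    // A short line may have fewer than three fields; treat missing ones as empty.
    $lead = array();
    for ($n = 0; $n < 3; $n++)
    {
      $lead[] = isset($elements[$n]) ? $elements[$n] : '';
    }
    echo '<tr bgcolor="'.$color.'"><td align="center">'.
      htmlspecialchars(implode(' ', $lead), ENT_QUOTES).'</td>';

    echo "<TD ALIGN=center>";
    // Fields 4..10 make up the "Type" column; stop at the first empty field.
    $i = 4;
    while (isset($elements[$i]) && !empty($elements[$i]))
    {
      print htmlspecialchars($elements[$i], ENT_QUOTES) . " ";
      $i++;
      if ($i > 10)
      {
        break;
      }
    }
    echo "</TD>";

    // Collect the detail lines that follow the matching line.
    $whole_entry = "";
    while ($contents = fgets($fp, 255))
    {
      if (feof($fp))
      {
        break;
      }

      // A line shorter than three bytes ("\n", "\r\n", ...) ends the entry.
      if (strlen($contents) < 3)
      {
        break;
      }

      $whole_entry .= $contents;
    }

    print "<TD ALIGN=center><PRE>";
    print htmlspecialchars($whole_entry, ENT_QUOTES);
    print "</PRE></TD>";
  }

  fclose($fp);

  echo '<TR>
         <TD CLASS="plfieldhdr" align="left">'._PSTOTALHOSTS.'</TD>
         <TD CLASS="plfieldhdr">'.$total.'</TD>
         <TD CLASS="plfieldhdr" colspan="4">&nbsp;</TD>
        </TR>
        </TABLE>';
}
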
/**
 * Print a table with one row per unique alert recorded for $ip.
 *
 * Each row shows the signature, the total number of occurrences (linked to a
 * query on base_qry_main.php), the number of sensors (linked to
 * base_stat_sensor.php) and the first and last occurrence times. All figures
 * come from the *ByAddr() helpers called below.
 *
 * @param mixed  $db Database handle passed through to the helper functions.
 * @param string $ip IP address whose alerts are summarised.
 * @return void Output is echoed; a missing $ip is reported via ErrorMessage().
 */
function PrintEventsByIP($db, $ip)
{
  GLOBAL $debug_mode;

  // For a parameter, "not set" can only mean null.
  if ($ip === null)
  {
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": \$ip has NOT been defined. Returning.");
    return;
  }

  if (!$ip)
  {
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": \$ip has been defined, but it is empty. Returning.");
    return;
  }

  $count = 0;
  // Total number of events for the address.
  $all_events = EventCntByAddr($db, $ip);

  // The unique alerts for the address, and how many there are.
  $signatures = UniqueEventCntByAddr($db, $ip, $count);
  $signature_total = count($signatures);

  printf ("<B>"._PSDETECTAMONG."/32</B><BR>", $signature_total,$all_events,$ip);

  // Header row of the per-alert statistics table.
  echo '<TABLE BORDER=1>
        <TR>
           <TD CLASS="plfieldhdr">'._PSTCPFLAGS.'</TD>
           <TD CLASS="plfieldhdr">'._PSTOTALOCC.'</TD>
           <TD CLASS="plfieldhdr">'._PSNUMSENSORS.'</TD>
           <TD CLASS="plfieldhdr">'._PSFIRSTOCC.'</TD>
           <TD CLASS="plfieldhdr">'._PSLASTOCC.'</TD>
        </TR>';

  $idx = 0;
  while ( $idx < $signature_total )
  {
    $sig_id = $signatures[$idx];

    $occurrences  = UniqueEventTotalsByAddr($db, $ip, $sig_id);
    $sensor_total = UniqueSensorCntByAddr($db, $ip, $sig_id);
    $first_seen   = StartTimeForUniqueEventByAddr($db, $ip, $sig_id);
    $last_seen    = StopTimeForUniqueEventByAddr($db, $ip, $sig_id);

    echo '<TR>';
    if ($debug_mode > 1)
    {
      SQLTraceLog(__FILE__ . ":" . __LINE__ . ":" . __FUNCTION__ . ": Before BuildSigByID()");
    }
    echo "  <TD ALIGN='center'> ".BuildSigByID($sig_id, $db);
    if ($debug_mode > 1)
    {
      SQLTraceLog(__FILE__ . ":" . __LINE__ . ":" . __FUNCTION__ . ": After BuildSigByID()");
    }

    // Link to the alert query restricted to this signature and address.
    $ip_query_url = 'base_qry_main.php?new=1';
    $ip_query_url .= '&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D='.(rawurlencode(GetSignatureName($sig_id, $db)));
    $ip_query_url .= '&amp;num_result_rows=-1';
    $ip_query_url .= '&amp;submit='._QUERYDBP.'&amp;current_view=-1&amp;ip_addr_cnt=2';
    $ip_query_url .= BuildIPFormVars($ip);

    // Link to the sensor statistics for the same signature and address.
    $sensor_query_url = 'base_stat_sensor.php?';
    $sensor_query_url .= 'sig%5B0%5D=%3D&amp;sig%5B1%5D=';
    $sensor_query_url .= (rawurlencode($sig_id));
    $sensor_query_url .= '&amp;ip_addr_cnt=2'.BuildIPFormVars($ip);

    echo "  <TD align='center'> <A HREF=\"".$ip_query_url."\">".$occurrences."</A> ",
         "  <TD align='center'> <A HREF=\"".$sensor_query_url."\">".$sensor_total."</A> ",
         "  <TD align='center'> ".$first_seen,
         "  <TD align='center' valign='middle'> ".$last_seen,
         '</TR>';

    $idx++;
  }

  echo "</TABLE>\n";
}

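// Main page body: lookup links, per-address statistics, then the view
// selected by $action.
//
// NOTE(review): $ip and $netmask are written into HTML attributes, URLs and
// page text below without escaping. That is only safe because they were
// imported with the VAR_DIGIT | VAR_PERIOD and VAR_DIGIT masks at the top of
// this script - confirm ImportHTTPVar() enforces those masks.

// Test the element itself: $sig can be non-empty and still lack index 1.
if ( isset($sig[1]) && strstr($sig[1], "spp_portscan") )
{
   $sig[1] = "";
}

/*  Build new link for criteria-based sensor page
 *                    -- ALS <aschroll@mitre.org>
 */
$tmp_sensor_lookup = 'base_stat_sensor.php?ip_addr_cnt=2'.
                     BuildIPFormVars($ip);

$tmp_srcdst_iplookup = 'base_qry_main.php?new=2'.
                       '&amp;num_result_rows=-1'.
                       '&amp;submit='._QUERYDBP.'&amp;current_view=-1&amp;ip_addr_cnt=2'.
                       BuildIPFormVars($ip);

$tmp_src_iplookup    = 'base_qry_main.php?new=2'.
                       '&amp;num_result_rows=-1'.
                       '&amp;submit='._QUERYDBP.'&amp;current_view=-1&amp;ip_addr_cnt=1'.
                       BuildSrcIPFormVars($ip);

$tmp_dst_iplookup    = 'base_qry_main.php?new=2'.
                       '&amp;num_result_rows=-1'.
                       '&amp;submit='._QUERYDBP.'&amp;current_view=-1&amp;ip_addr_cnt=1'.
                       BuildDstIPFormVars($ip);
echo '<CENTER>';
printf ("<FONT>"._PSALLALERTSAS.":</FONT>",$ip,$netmask);
echo '
 <A HREF="'.$tmp_src_iplookup.'">'._SCSOURCE.'</A> | 
 <A HREF="'.$tmp_dst_iplookup.'">'._SCDEST.'</A> | 
 <A HREF="'.$tmp_srcdst_iplookup.'">'._SCSOURCE.'/'._SCDEST.'</A><BR>';

echo _PSSHOW.':
       <A HREF="base_stat_ipaddr.php?ip='.$ip.'&amp;netmask='.$netmask.'&amp;action=events">'._PSUNIALERTS.'</A>
       &nbsp; | &nbsp;
       <A HREF="base_stat_ipaddr.php?ip='.$ip.'&amp;netmask='.$netmask.'&amp;action=portscan">'._PSPORTSCANEVE.'</A>
       <BR>';

// Links that leave the console open in a new window. rel="noopener noreferrer"
// keeps the opened page from reaching back through window.opener and keeps the
// console's own URL (host name plus the address under investigation) out of
// the Referer header sent to the third-party site.
echo '<FONT>'._PSREGWHOIS.': ';
echo '
       <A HREF="http://ws.arin.net/cgi-bin/whois.pl?queryinput='.$ip.'" target="_NEW" rel="noopener noreferrer">ARIN</A> |
       <A HREF="http://www.db.ripe.net/whois?query='.$ip.'" target="_NEW" rel="noopener noreferrer">RIPE</A> |
       <A HREF="http://wq.apnic.net/apnic-bin/whois.pl?do_search=Search&amp;searchtext='.$ip.'" target="_NEW" rel="noopener noreferrer">APNIC</A> |
       <A HREF="http://lacnic.net/cgi-bin/lacnic/whois?lg=EN&amp;query='.$ip.'" target="_NEW" rel="noopener noreferrer">LACNIC</A><BR></FONT>';
// Have no idea why this code is here.
// Commenting it out as it was contributing to Issue #5
// $octet=preg_split("/\./", $ip);
// $classc=sprintf("%03s.%03s.%03s",$octet[0],$octet[1],$octet[2]);
print '<FONT>'._PSEXTERNAL.': ';
// The $external_*_link prefixes are only used when they are set.
if (isset($external_dns_link)){
        print '<A HREF="'.$external_dns_link.$ip.'" target="_NEW" rel="noopener noreferrer">DNS</A>';
}
if (isset($external_whois_link)){
        print ' | <A HREF="'.$external_whois_link.$ip.'" target="_NEW" rel="noopener noreferrer">whois</A>';
}
if (isset($external_all_link)){
        print ' | <A HREF="'.$external_all_link.$ip.'" target="_NEW" rel="noopener noreferrer">Extended whois</A>';
}
print ' | <A HREF="http://www.dshield.org/ipinfo.php?ip='.$ip.'&amp;Submit=Submit" target="_NEW" rel="noopener noreferrer">DShield.org IP Info</A> | '.
      '<A HREF="http://www.trustedsource.org/query.php?q='.$ip.'" target="_NEW" rel="noopener noreferrer">TrustedSource.org IP Info</A> | '.
      '<A HREF="http://isc.sans.org/ipinfo.html?ip='.$ip.'" target="_NEW" rel="noopener noreferrer">ISC Source/Subnet Report</A><BR> </FONT>';

echo '</CENTER>';
echo '<HR>';

echo '<FORM METHOD="POST" ACTION="base_stat_ipaddr.php">';

// Debug aid: show the imported request variables.
if ( $debug_mode >= 1 )
{
   echo '<TABLE BORDER=1>
             <TR><TD>action</TD><TD>submit</TD><TD>ip</TD><TD>netmask</TD></TR>
             <TR><TD>'.$action.'</TD><TD>'.$submit.'</TD>
                 <TD>'.$ip.'</TD><TD>'.$netmask.'</TD></TR>
           </TABLE>';
}

/* Print the Statistics the IP address */
echo '<CENTER><B>'.$ip.'</B><BR>FQDN: <B>';

if ( $resolve_IP == 0 )
{
   echo '  ('._PSNODNS.')';
}
else if ( $ip != "255.255.255.255" )
{
   // NOTE(review): a reverse-DNS name is chosen by whoever controls the PTR
   // record for this address. Confirm baseGetHostByAddr() returns it
   // HTML-escaped; if not, wrap the result in htmlspecialchars() here.
   echo baseGetHostByAddr($ip, $db, $dns_cache_lifetime);
}
else
{
   echo $ip.' (Broadcast)';
}

if ( VerifySocketSupport() )
{
   echo '&nbsp;&nbsp;( <A HREF="base_stat_ipaddr.php?ip='.$ip.'&amp;netmask='.$netmask.'&amp;action=whois">local whois</A> )';
}

echo    '</B>
        <TABLE BORDER=1>
        <TR>
           <TD CLASS="plfieldhdr">'._PSNUMSENSORSBR.'</TD>
           <TD CLASS="plfieldhdr">'._PSOCCASSRC.'</TD>
           <TD CLASS="plfieldhdr">'._PSOCCASDST.'</TD>
           <TD CLASS="plfieldhdr">'._PSFIRSTOCC.'</TD>
           <TD CLASS="plfieldhdr">'._PSLASTOCC.'</TD>
        </TR>';

// NOTE(review): the three queries below are built by string interpolation.
// They are safe only while baseIP2long() returns a purely numeric value for
// every input - confirm, or bind the value through the DB layer if it
// supports parameters.
$ip_src32 = baseIP2long($ip);
$ip_dst32 = $ip_src32;

/* Number of Sensors, First, and Last timestamp */
$temp = "SELECT COUNT(DISTINCT sid), MIN(timestamp), MAX(timestamp) FROM acid_event ".
        "WHERE (ip_src = '$ip_src32' OR ip_dst = '$ip_dst32' )";
$result2 = $db->baseExecute($temp);
$row2 = $result2->baseFetchRow();

$num_sensors = $row2[0];
$start_time = $row2[1];
$stop_time = $row2[2];
$result2->baseFreeRows();

/* Unique instances as Source Address  */
$temp = "SELECT COUNT(sid) from acid_event WHERE ip_src='$ip_src32'";
$result2 = $db->baseExecute($temp);
$row2 = $result2->baseFetchRow();
$num_src_ip = $row2[0];
$result2->baseFreeRows();

/* Unique instances Dest. Address  */
$temp = "SELECT COUNT(sid) from acid_event WHERE ip_dst='$ip_dst32'";
$result2 = $db->baseExecute($temp);
$row2 = $result2->baseFetchRow();
$num_dst_ip = $row2[0];
$result2->baseFreeRows();

/* Print out */
echo '<TR>
         <TD ALIGN="center"><A HREF="'.$tmp_sensor_lookup.'">'.$num_sensors.'</A>';
// A zero count is printed as plain text; a non-zero count links to the query.
if ( $num_src_ip == 0 )
{
   echo '<TD ALIGN="center">'.$num_src_ip;
}
else
{
   echo '<TD ALIGN="center"><A HREF="'.$tmp_src_iplookup.'">'.$num_src_ip.'</A>';
}
if ( $num_dst_ip == 0 )
{
   echo '<TD ALIGN="center">'.$num_dst_ip;
}
else
{
   echo '<TD ALIGN="center"><A HREF="'.$tmp_dst_iplookup.'">'.$num_dst_ip.'</A>';
}
echo '
         <TD align="center">'.$start_time.'
         <TD align="center" valign="middle">'.$stop_time.'
       </TR>
      </TABLE></CENTER>';

// Optional detail view chosen by the "action" request variable.
if ( $action == "events" )
{
   echo '<HR>
            <CENTER><P>';
   PrintEventsByIP($db, $ip);
   echo ' </CENTER>';
}
else if ( $action == "whois" )
{
   // NOTE(review): the WHOIS text is supplied by a remote server. Confirm
   // baseGetWhois() returns it HTML-escaped; if not, wrap the result in
   // htmlspecialchars() before it is placed inside <PRE>.
   echo "\n<B>"._PSWHOISINFO."</B>".
        "<PRE>".baseGetWhois($ip, $db, $whois_cache_lifetime)."</PRE>";
}
else if ( $action == "portscan" )
{
   echo '<HR>
            <CENTER><P>';
   PrintPortscanEvents($db, $ip);
   echo ' </CENTER>';
}
NLIO('</form>',2);
PrintBASESubFooter();
?>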