NathanGibbs3 / BASE / 624

pending completion

Build # 624

Build Type

push

travis-ci-com

Committed by

NathanGibbs3

Commit Message

Merge branch 'devel'

Run Details

562 of 562 new or added lines in 28 files covered. (100.0%)

3145 of 17504 relevant lines covered (17.97%)

23.22 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/base_payload.php

<?php
/*******************************************************************************
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
**
** (see the file 'base_main.php' for license details)
**
** Project Leads: Kevin Johnson <kjohnson@secureideas.net>
**                Sean Muller <samwise_diver@users.sourceforge.net>
** Built upon work by Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
**
** Purpose: Binary download of payload and pcap format packet download
**
** Input GET/POST variables
**   - sid
**   - cid
**   - download: 1 - binary download of just the payload. Nothing else.
**               2 - download pcap format based packet (for FLoP extended db)
**               3 - download pcap format based packet (for non-FLoP)
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson <kjohnson@secureideas.net>
**
********************************************************************************
*/

$sc = DIRECTORY_SEPARATOR;
require_once("includes$sc" . 'base_krnl.php');
include_once ("$BASE_path/includes/base_constants.inc.php");
include ("$BASE_path/includes/base_include.inc.php");

AuthorizedRole(10000);
$cid = ImportHTTPVar("cid", VAR_DIGIT);
$sid = ImportHTTPVar("sid", VAR_DIGIT);
$download = ImportHTTPVar("download", VAR_DIGIT);

/**********************************************************/
/* 1 = binary download of just the payload. Nothing else. */
if ( $download == 1 ){
        // Connect to Alert DB.
        $db = NewBASEDBConnection($DBlib_path, $DBtype);
        $db->baseDBConnect($db_connect_method,
        $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);

        /* Get the Payload from the database: */
        $sql2 = "SELECT data_payload FROM data WHERE sid='".$sid."' AND cid='".$cid."'";
        $result2 = $db->baseExecute($sql2);
        $myrow2 = $result2->baseFetchRow();
        $result2->baseFreeRows();

        /* get encoding information for payload */
        /* 0 == hex, 1 == base64, 2 == ascii;        */
        $sql3 = 'SELECT encoding FROM sensor WHERE sid='.$sid;
        $result3 = $db->baseExecute($sql3);
        $myrow3 = $result3->baseFetchRow();
        $result3->baseFreeRows();

        if ( $myrow2[0] ){
                /****** database contains hexadecimal *******************/
                if ($myrow3[0] == 0){
                        header ('HTTP/1.0 200');
                        header ("Content-type: application/download");
                        header ("Content-Disposition: attachment; filename=payload_".$sid."-".$cid.".bin");
                        header ("Content-Transfer-Encoding: binary");
                        ob_start();
                        $payload = str_replace("\n", "", $myrow2[0]);
                        $len = strlen($payload);
                        $half = ($len / 2);
                        header ("Content-Length: $half");
                        $counter = 0;
                        for ($i = 0; $i < ( $len + 32 ); $i += 2){
                                $counter++;
                                if ($counter > ($len / 2)){
                                        break;
                                }
                                $byte_hex_representation = ($payload[$i].$payload[$i+1]);
                                echo chr(hexdec($byte_hex_representation));
                        }
                        ob_end_flush();        
                        // nothing should come AFTER ob_end_flush().

                /********database contains base64 *******************/
                } elseif ($myrow3[0] == 1){
                        header ('HTTP/1.0 200');
                        header ("Content-type: application/octet-stream");
                        header ("Content-Disposition: attachment; filename=payload".$sid."-".$cid.".bin");
                        header ("Content-Transfer-Encoding: binary");
                        ob_start();
                        $pre_payload = str_replace("\n", "", $myrow2[0]);
                        $payload = base64_decode($pre_payload);
                        $len = strlen($payload);
                        header ("Content-Length: $len");
                        $counter = 0;
                        for ($i = 0; $i < ($len + 16); $i++){
                                $counter++;
                                if ($counter > $len) {
                                        break;
                                }        
                                $byte = $payload[$i];
                                print $byte;
                        }
                        ob_end_flush();        
                        // nothing should come AFTER ob_end_flush().
                
                /********** database contains ASCII ***************/
                } elseif ($myrow3[0] == 2){
                        header ('HTTP/1.0 200');
                        header ('Content-Type: text/html');
                        print "<h1> File not found:</h1>";

                        print "<br>Output of binary data with storage method ASCII<br>";
                        print "is NOT supported, because this method looses data<br>";
                        print "So you can not definitely rebuild the binary,<br>";
                        print "as one ASCII character may represent different<br>";
                        print "binary values. Think of the dot, for example.<br>";

                        print "<br><br><hr><i>Generated by base_payload.php</i><br>";
                } else {
                        header ('HTTP/1.0 200');
                        header ('Content-Type: text/html');
                        print "<h1> File not found:</h1>";
                        print "<br>Encoding type not implemented in base_payload.php.";
                        print "<br><br><hr><i>Generated by base_payload.php</i><br>";
                }
        } else {
                header ('HTTP/1.0 200');
                header ('Content-Type: text/html');
                print "<h1> File not found:</h1>";
                print "<br>No payload data found, that could be downloaded or stored.";
                print "<br><br><hr><i>Generated by base_payload.php</i><br>";
        }

}
/**************************************************************************/ 
/* pcap download, for both flop-extended databases and non-flop databases */
else if ($download == 2 || $download == 3) 
{
        /*
         * If we have FLoP extended database schema then we can rebuild alert
         * in pcap format which can be used to analyze it via tcpdump or
         * ethereal to use their protocol analyzing features.
         */

        /* Connect to the Alert database. */
        $db = NewBASEDBConnection($DBlib_path, $DBtype);
        $db->baseDBConnect($db_connect_method,
        $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);


        /* Sanity check */
        if ($download == 2) 
        {
                /* Check do we have pcap_header and data_header columns in data table. */
                if (!in_array("pcap_header", $db->DB->MetaColumnNames('data')) ||
                    !in_array("data_header", $db->DB->MetaColumnNames('data'))) 
                {
                        header ('HTTP/1.0 200');
                        header ('Content-Type: text/html');
                        print "<h1> File not found:</h1>";
                        print "<br>Make sure you have FLoP extended database.";
                        print "<br><br><hr><i>Generated by base_payload.php</i><br>";
                        exit;
                }
        }



        /*********** Get needed data from database. **************/

        /* For FLoP-extended databases: */
        if ($download == 2) 
        {
                $sql2 = "SELECT pcap_header, data_header, data_payload FROM data ";
                $sql2.= "WHERE sid='".$sid."' AND cid='".$cid."'";
        } 
        /* For non-flop databases: */
        else 
        {
                $sql2 = "SELECT data_payload FROM data ";
                $sql2.= "WHERE sid='".$sid."' AND cid='".$cid."'";
        }
        $result2 = $db->baseExecute($sql2);
        $myrow2 = $result2->baseFetchRow();
        $result2->baseFreeRows();

        /* Get encoding information for current sensor. */
        $sql3 = 'SELECT encoding FROM sensor WHERE sid='.$sid;
        $result3 = $db->baseExecute($sql3);
        $myrow3 = $result3->baseFetchRow();
        $result3->baseFreeRows();



        /* For flop-extended databases: IP header information is already present
           in myrow2. 

           For non-flop databases we are NOT done, yet.  So, try and get the missing
           information: */
        if ($download == 3) 
        {
                $ip_sql = "SELECT ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_off, ip_flags,";
                $ip_sql.= "ip_ttl, ip_proto, ip_csum, ip_src, ip_dst FROM iphdr ";
                $ip_sql.= "WHERE sid='".$sid."' AND cid='".$cid."'";
                $ip_res = $db->baseExecute($ip_sql);
                $ip = $ip_res->baseFetchRow();
                $ip_res->baseFreeRows();
  
                if ($ip[8] == 1) 
                {
                        $l4_sql = "SELECT icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq ";
                        $l4_sql.= "FROM icmphdr WHERE sid='".$sid."' AND cid='".$cid."'";
                } 
                elseif ($ip[8] == 6) 
                {
                        $l4_sql = "SELECT tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off,";
                        $l4_sql.= "tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp from tcphdr ";
                        $l4_sql.= "WHERE sid='".$sid."' AND cid='".$cid."'";
                } 
                elseif ($ip[8] == 17) 
                {
                        $l4_sql = "SELECT udp_sport, udp_dport, udp_len, udp_csum FROM udphdr ";
                        $l4_sql.= "WHERE sid='".$sid."' AND cid='".$cid."'";
                }

                $l4_res = $db->baseExecute($l4_sql);
                $l4 = $l4_res->baseFetchRow();
                $l4_res->baseFreeRows();
      
        } // if ($download == 3) 


        /***********************************************************************/
        /* Now, when extracting the information from the database: Pay attention
         * to the encoding:
   *
        /* 0 == hex, 1 == base64, 2 == ascii; cf. snort-2.8.5.1/src/plugbase.h */

        /****** hexadecimal encoding *********/
        if ($myrow3[0] == 0) 
        {
                /* FLoP-extended databases */
                if ($download == 2) 
                {
                        $pcap_header  = $myrow2[0];
                        $data_header  = $myrow2[1];
                        $data_payload = $myrow2[2];
                } 
                /* Non-flop databases */
                else 
                {
                        $data_payload = $myrow2[0];
                }
        } 
        /******** base64 encoding ********/
        elseif ($myrow3[0] == 1) 
        {
                /* FLoP-extended databases */
                if ($download == 2) 
                {
                        $pcap_header  = bin2hex(base64_decode($myrow2[0]));
                        $data_header  = bin2hex(base64_decode($myrow2[1]));
                        $data_payload = bin2hex(base64_decode($myrow2[2]));
                } 
                /* Non-flop databases */
                else
                {
                        $data_payload = bin2hex(base64_decode($myrow2[0]));
                }
        } 
        else 
        {
                /******* database contains neither hex nor base64 encoding. *********/
                header ('HTTP/1.0 200');
                header ('Content-Type: text/html');
                print "<h1> File not found:</h1>";
                print "<br>Only HEX and BASE64 encoding types are supported, nothing else.";
                print "<br><br><hr><i>Generated by base_payload.php</i><br>";
                exit;
        }




        /* 
         * From here on: pcap header, data_header and data_payload all contain data 
         * in hex encoding, even if original encoding type was base64.
         */

        /* Sanity checks for FLoP-extended databases*/
        if ($download == 2) 
        {
                 # /usr/include/pcap.h:
                 # struct pcap_pkthdr {
           #    struct timeval ts;  /* time stamp */
           #    bpf_u_int32 caplen; /* length of portion present */
           #    bpf_u_int32 len;    /* length this packet (off wire) */
                 # };
                 # 
                 # And a struct timeval has either a 32-bit or 64-bit tv_sec.
                if (strlen($pcap_header) > 48) 
                {
                        header ('HTTP/1.0 200');
                        header ('Content-Type: text/html');
                        print "<h1> File not found:</h1>";
                        print "<br>Error in pcap_header, answer is too large: ".strlen($pcap_header)."!";
                        print "<br><br><hr><i>Generated by base_payload.php</i><br>";
                        exit;
                } 
                else if (strlen($pcap_header) == 0) 
                {
                        header ('HTTP/1.0 200');
                        header ('Content-Type: text/html');
                        print "<h1> File not found:</h1>";
                        print "<br>No pcap header, we can't rebuild the network packet.";
                        print "<br><br><hr><i>Generated by base_payload.php</i><br>";
                        exit;
                }
        } // if ($download == 2)





        /* For non-flop databases, the data_header has not been created, yet.
         * Do it now: */
        if ($download == 3) 
        {
                # tack an ethernet header on there
                $data_header = "DEADCAFEBABE1122334455660800";

                # later on, all of this gets interpreted as hex, so simply
                # pull the values from the db, convert them to hex, 0-pad them
                # as necessary, and tack them together.
                $data_header.= sprintf("%02s", $ip[0] . $ip[1]); // ver&ihl
                $data_header.= sprintf("%02s", dechex($ip[2])); // tos
                $data_header.= sprintf("%04s", dechex($ip[3])); // len 
                $data_header.= sprintf("%04s", dechex($ip[4])); // id 
                $data_header.= sprintf("%02s", dechex($ip[5])); // flags 
                $data_header.= sprintf("%02s", dechex($ip[6])); // offset 
                $data_header.= sprintf("%02s", dechex($ip[7])); // ttl
                $data_header.= sprintf("%02s", dechex($ip[8])); // proto 
                $data_header.= sprintf("%04s", dechex($ip[9])); // csum.        

                # http://us2.php.net/manual/en/function.dechex.php#71795
                # source IP
                $chars = ($ip[10] <= 0x0fffffff) ? 1 : 0;
                $data_header.= sprintf("%02s", substr(dechex((float) $ip[10]),0,2-$chars));

                for ($i = 1; $i < 4; $i++) 
                        $data_header.= sprintf("%02s", substr(dechex((float) $ip[10]), $i*2-$chars, 2));

                # dest IP
                $chars = ($ip[11] <= 0x0fffffff) ? 1 : 0;
                $data_header.= sprintf("%02s", substr(dechex((float) $ip[11]),0,2-$chars));

                for ($i = 1; $i < 4; $i++)
                        $data_header.= sprintf("%02s", substr(dechex((float) $ip[11]), $i*2-$chars, 2));

                if ($ip[8] == 1) 
                {
                        $data_header.= sprintf("%02s", dechex((float) $l4[0])); // type 
                        $data_header.= sprintf("%02s", dechex((float) $l4[1])); // code 
                        $data_header.= sprintf("%04s", dechex((float) $l4[2])); // sum 
                        // only echo req/rep, timestamp, info req/rep have id/seq
                        if ($l4[0] == 0 || $l4[0] == 8 || ($l4[0] >= 13 && $l4[0] <= 16)) 
                        {
                                $data_header.= sprintf("%04s", dechex((float) $l4[3])); // id 
                                $data_header.= sprintf("%04s", dechex((float) $l4[4])); // seq 
                        }
                } 
                elseif ($ip[8] == 6) 
                {
                        $data_header.= sprintf("%04s", dechex((float) $l4[0])); // source port 
                        $data_header.= sprintf("%04s", dechex((float) $l4[1])); // dest port 
                        $data_header.= sprintf("%08s", dechex((float) $l4[2])); // seq # 
                        $data_header.= sprintf("%08s", dechex((float) $l4[3])); // ack # 
                        $data_header.= sprintf("%01s", dechex((float) $l4[4])); // offset 
                        $data_header.= sprintf("%03s", dechex((float) $l4[6])); // flags
                        $data_header.= sprintf("%04s", dechex((float) $l4[7])); // window 
                        $data_header.= sprintf("%04s", dechex((float) $l4[8])); // checksum
                        $data_header.= sprintf("%04s", dechex((float) $l4[9])); // urg ptr 

                        # walk opts...
                        $tcp_opt_sql = "SELECT optid, opt_code, opt_len, opt_data FROM opt ";
                        $tcp_opt_sql.= "WHERE sid='".$sid."' AND cid='".$cid."' AND opt_proto=6 ORDER BY optid ASC";
                        $tcp_opt_res = $db->baseExecute($tcp_opt_sql);
                        $tcp_opt_data = "";


                        while ($tcp_opt = $tcp_opt_res->baseFetchRow()) 
                        {
                                $tcp_opt_data .= sprintf("%02s", dechex((float) $tcp_opt[1]));

                                // if opt_len == 0, its an "opt kind", and thus has no length or data
                                if ($tcp_opt[2] != 0) 
                                {
                                        $tcp_opt_data .= sprintf("%02s", dechex((float) $tcp_opt[2] + 2));
                                        $tcp_opt_data .= $tcp_opt[3];
                                }
                        } // while ($tcp_opt = $tcp_opt_res->baseFetchRow())

                        $tcp_opt_res->baseFreeRows();
                        $data_header.= $tcp_opt_data;

                } 
                elseif ($ip[8] == 17) 
                {
                        $data_header.= sprintf("%04s", dechex((float) $l4[0])); // source port 
                        $data_header.= sprintf("%04s", dechex((float) $l4[1])); // dest port 
                        $data_header.= sprintf("%04s", dechex((float) $l4[2])); // len 
                        $data_header.= sprintf("%04s", dechex((float) $l4[3])); // sum 
                }
      
        } // if ($download == 3)




        /*****************************************************************/
        /* Now, begin to create the file the user wants to download: */
        header ('HTTP/1.0 200');
        header ("Content-type: application/octet-stream");
        header ("Content-Disposition: attachment; filename=base_packet_".$sid."-".$cid.".pcap");
        header ("Content-Transfer-Encoding: binary");
        


        /*
         * Calculating snaplen which is length of payload plus header,
         * for HEX we have to divide by two -> two HEX characters
         * represent one binary byte.
         */

        $snaplen = (strlen($data_header) + strlen($data_payload)) / 2;        
        header ("Content-length: ". 40 + $snaplen);



        /* Create pcap file header. */
        $hdr['magic'] =         pack('L', 0xa1b2c3d4);  /* unsigned long  (always 32 bit, machine byte order) */
        $hdr['version_major'] = pack('S', 2);           /* unsigned short (always 16 bit, machine byte order) */
        $hdr['version_minor'] = pack('S', 4);           /* unsigned short (always 16 bit, machine byte order) */
        $hdr['thiszone'] =      pack('I', 0);           /* signed   long  (always 32 bit, machine byte order) */
        $hdr['sigfigs'] =       pack('L', 0);           /* unsigned long  (always 32 bit, machine byte order) */
        $hdr['snaplen'] =       pack('L', $snaplen);    /* unsigned long  (always 32 bit, machine byte order) */
        $hdr['linktype'] =      pack('L', 1);           /* unsigned long  (always 32 bit, machine byte order) */


        /* Create pcap packet header. Converting hex to decimal and then to network byte order (big endian). */
        /* For FLoP-extended databases: */
        if ($download == 2)        
        {
                /* tv_sec in a struct timeval is either 32 bits or 64 bits long. 
                 * But, as it seems, in $pcap_header it is ALWAYS 32 bits = 4 bytes long.
                 * Which means that, in the way as snort stores it, 8 bytes are consumed.
                 * So, offset is 0, and length is ALWAYS 8.
                 * I have not checked whether this is FLoP's or snort's fault.
                 */
                list(, $phdr['timeval_sec']) =  unpack('L', pack('N', hexdec(substr($pcap_header, 0, 8))));

                if (strlen($pcap_header) > 32)
                {
                        /* A 64-bit tv_sec in a struct timeval are 8 bytes.  In hexadecimal form
                           as snort stores it, this consumes 16 bytes */ 
                        list(, $phdr['timeval_usec']) = unpack('L', pack('N', hexdec(substr($pcap_header, 16, 8))));
                }
                else
                {
                        /* A 32-bit tv_sec in a struct timeval are 4 bytes.  In hexadecimal form
                           as snort stores it, this consumes 8 bytes */
                        list(, $phdr['timeval_usec']) = unpack('L', pack('N', hexdec(substr($pcap_header, 8, 8))));
                }

                list(, $phdr['caplen']) =     unpack('L', pack('N', hexdec(substr($pcap_header, (strlen($pcap_header)) - 16, 8))));
                list(, $phdr['len']) =        unpack('L', pack('N', hexdec(substr($pcap_header, strlen($pcap_header) - 8, 8))));
                

                if ($debug_mode > 0)
                {
                        error_log("phdr[timeval_sec]  = \"" . $phdr['timeval_sec']  . "\"");
                        error_log("phdr[timeval_usec] = \"" . $phdr['timeval_usec'] . "\"");
                        error_log("snaplen            = $snaplen bytes.<BR>\n");
                        error_log("phdr[caplen]       = \"" . $phdr['caplen'] . "\"");
                        list(, $tmp['caplen_new'])    = unpack('L', pack('N', hexdec(substr($pcap_header, 32, 8))));
                        error_log("phdr[caplen] new   = \"" . $tmp['caplen_new'] . "\"");
                        error_log("phdr[len]          = \"" . $phdr['len']    . "\"");
                        list(, $tmp['len_new'])       = unpack('L', pack('N', hexdec(substr($pcap_header, 40, 8)))); 
                        error_log("phdr[len] new      = \"" . $tmp['len_new'] . "\"");
                }
        } 
        /* For non-flop databases */
        else 
        {
                $ts_sql = "SELECT timestamp FROM event ";
                $ts_sql.= "WHERE sid='".$sid."' AND cid='".$cid."'";
                $ts_res = $db->baseExecute($ts_sql);
                $ts_string = $ts_res->baseFetchRow();
                $ts_res->baseFreeRows();
                $ts = strtotime($ts_string[0]);
                list(, $phdr['timeval_sec']) =  unpack('L', pack('L', $ts));
                list(, $phdr['timeval_usec']) = unpack('L', pack('L', 0));
                list(, $phdr['caplen']) =       unpack('L', pack('L', $snaplen));
                list(, $phdr['len']) =          unpack('L', pack('L', $snaplen));
        }

        /* Copy header to packet, convert hex to dec and from dec to char. */
        $packet = "";
        for ($i = 0; $i < strlen($data_header); $i = $i + 2)
                $packet .= chr(hexdec(substr($data_header, $i, 2)));

        /* Copy payload to packet, convert hex to dec and from dec to char. */
        for ($i = 0; $i < strlen($data_payload); $i = $i + 2)
                $packet .= chr(hexdec(substr($data_payload, $i, 2)));

        ob_start();

        /* Writing pcap file header */
        foreach ($hdr as $value)
                echo $value;
 
        /* Writing pcap packet header */
        foreach ($phdr as $value)
                echo pack('L', $value);

        /* Writing packet */
        echo $packet;

        ob_end_flush();        
        /* nothing should come after ob_end_flush(). */
        // End of else if ($download == 2 || $download == 3)
}else{
        if (!headers_sent()){
                header ('HTTP/1.0 200');
                header ('Content-Type: text/html');
        }
        print "<h1> File not found:</h1>";
        print "<br>Page is only for downloading purposes; it has no content.";
        print "<br><br><hr><i>Generated by base_payload</i><br>";
}
?>

1	<?php
2	/*******************************************************************************
3	** Basic Analysis and Security Engine (BASE)
4	** Copyright (C) 2004 BASE Project Team
5	** Copyright (C) 2000 Carnegie Mellon University
6	**
7	** (see the file 'base_main.php' for license details)
8	**
9	** Project Leads: Kevin Johnson <kjohnson@secureideas.net>
10	** Sean Muller <samwise_diver@users.sourceforge.net>
11	** Built upon work by Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
12	**
13	** Purpose: Binary download of payload and pcap format packet download
14	**
15	** Input GET/POST variables
16	** - sid
17	** - cid
18	** - download: 1 - binary download of just the payload. Nothing else.
19	** 2 - download pcap format based packet (for FLoP extended db)
20	** 3 - download pcap format based packet (for non-FLoP)
21	********************************************************************************
22	** Authors:
23	********************************************************************************
24	** Kevin Johnson <kjohnson@secureideas.net>
25	**
26	********************************************************************************
27	*/
28
29	$sc = DIRECTORY_SEPARATOR;	×
30	require_once("includes$sc" . 'base_krnl.php');	×
31	include_once ("$BASE_path/includes/base_constants.inc.php");	×
32	include ("$BASE_path/includes/base_include.inc.php");	×
33
34	AuthorizedRole(10000);	×
35	$cid = ImportHTTPVar("cid", VAR_DIGIT);	×
36	$sid = ImportHTTPVar("sid", VAR_DIGIT);	×
37	$download = ImportHTTPVar("download", VAR_DIGIT);	×
38
39	/**********************************************************/
40	/* 1 = binary download of just the payload. Nothing else. */
41	if ( $download == 1 ){	×
42	// Connect to Alert DB.
43	$db = NewBASEDBConnection($DBlib_path, $DBtype);	×
44	$db->baseDBConnect($db_connect_method,	×
45	$alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
46
47	/* Get the Payload from the database: */
48	$sql2 = "SELECT data_payload FROM data WHERE sid='".$sid."' AND cid='".$cid."'";	×
49	$result2 = $db->baseExecute($sql2);	×
50	$myrow2 = $result2->baseFetchRow();	×
51	$result2->baseFreeRows();	×
52
53	/* get encoding information for payload */
54	/* 0 == hex, 1 == base64, 2 == ascii; */
55	$sql3 = 'SELECT encoding FROM sensor WHERE sid='.$sid;	×
56	$result3 = $db->baseExecute($sql3);	×
57	$myrow3 = $result3->baseFetchRow();	×
58	$result3->baseFreeRows();	×
59
60	if ( $myrow2[0] ){	×
61	/**** database contains hexadecimal *****************/
62	if ($myrow3[0] == 0){	×
63	header ('HTTP/1.0 200');	×
64	header ("Content-type: application/download");	×
65	header ("Content-Disposition: attachment; filename=payload_".$sid."-".$cid.".bin");	×
66	header ("Content-Transfer-Encoding: binary");	×
67	ob_start();	×
68	$payload = str_replace("\n", "", $myrow2[0]);	×
69	$len = strlen($payload);	×
70	$half = ($len / 2);	×
71	header ("Content-Length: $half");	×
72	$counter = 0;	×
73	for ($i = 0; $i < ( $len + 32 ); $i += 2){	×
74	$counter++;	×
75	if ($counter > ($len / 2)){	×
76	break;	×
77	}
78	$byte_hex_representation = ($payload[$i].$payload[$i+1]);	×
79	echo chr(hexdec($byte_hex_representation));	×
80	}
81	ob_end_flush();	×
82	// nothing should come AFTER ob_end_flush().
83
84	/******database contains base64 *****************/
85	} elseif ($myrow3[0] == 1){	×
86	header ('HTTP/1.0 200');	×
87	header ("Content-type: application/octet-stream");	×
88	header ("Content-Disposition: attachment; filename=payload".$sid."-".$cid.".bin");	×
89	header ("Content-Transfer-Encoding: binary");	×
90	ob_start();	×
91	$pre_payload = str_replace("\n", "", $myrow2[0]);	×
92	$payload = base64_decode($pre_payload);	×
93	$len = strlen($payload);	×
94	header ("Content-Length: $len");	×
95	$counter = 0;	×
96	for ($i = 0; $i < ($len + 16); $i++){	×
97	$counter++;	×
98	if ($counter > $len) {	×
99	break;	×
100	}
101	$byte = $payload[$i];	×
102	print $byte;	×
103	}
104	ob_end_flush();	×
105	// nothing should come AFTER ob_end_flush().
106
107	/******** database contains ASCII *************/
108	} elseif ($myrow3[0] == 2){	×
109	header ('HTTP/1.0 200');	×
110	header ('Content-Type: text/html');	×
111	print "<h1> File not found:</h1>";	×
112
113	print "<br>Output of binary data with storage method ASCII<br>";	×
114	print "is NOT supported, because this method looses data<br>";	×
115	print "So you can not definitely rebuild the binary,<br>";	×
116	print "as one ASCII character may represent different<br>";	×
117	print "binary values. Think of the dot, for example.<br>";	×
118
119	print "<br><br><hr><i>Generated by base_payload.php</i><br>";	×
120	} else {	×
121	header ('HTTP/1.0 200');	×
122	header ('Content-Type: text/html');	×
123	print "<h1> File not found:</h1>";	×
124	print "<br>Encoding type not implemented in base_payload.php.";	×
125	print "<br><br><hr><i>Generated by base_payload.php</i><br>";	×
126	}
127	} else {	×
128	header ('HTTP/1.0 200');	×
129	header ('Content-Type: text/html');	×
130	print "<h1> File not found:</h1>";	×
131	print "<br>No payload data found, that could be downloaded or stored.";	×
132	print "<br><br><hr><i>Generated by base_payload.php</i><br>";	×
133	}
134
135	}
136	/**************************************************************************/
137	/* pcap download, for both flop-extended databases and non-flop databases */
138	else if ($download == 2 \|\| $download == 3)	×
139	{
140	/*
141	* If we have FLoP extended database schema then we can rebuild alert
142	* in pcap format which can be used to analyze it via tcpdump or
143	* ethereal to use their protocol analyzing features.
144	*/
145
146	/* Connect to the Alert database. */
147	$db = NewBASEDBConnection($DBlib_path, $DBtype);	×
148	$db->baseDBConnect($db_connect_method,	×
149	$alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
150
151
152	/* Sanity check */
153	if ($download == 2)	×
154	{
155	/* Check do we have pcap_header and data_header columns in data table. */
156	if (!in_array("pcap_header", $db->DB->MetaColumnNames('data')) \|\|	×
157	!in_array("data_header", $db->DB->MetaColumnNames('data')))	×
158	{
159	header ('HTTP/1.0 200');	×
160	header ('Content-Type: text/html');	×
161	print "<h1> File not found:</h1>";	×
162	print "<br>Make sure you have FLoP extended database.";	×
163	print "<br><br><hr><i>Generated by base_payload.php</i><br>";	×
164	exit;	×
165	}
166	}
167
168
169
170	/********* Get needed data from database. ************/
171
172	/* For FLoP-extended databases: */
173	if ($download == 2)	×
174	{
175	$sql2 = "SELECT pcap_header, data_header, data_payload FROM data ";	×
176	$sql2.= "WHERE sid='".$sid."' AND cid='".$cid."'";	×
177	}
178	/* For non-flop databases: */
179	else	×
180	{
181	$sql2 = "SELECT data_payload FROM data ";	×
182	$sql2.= "WHERE sid='".$sid."' AND cid='".$cid."'";	×
183	}
184	$result2 = $db->baseExecute($sql2);	×
185	$myrow2 = $result2->baseFetchRow();	×
186	$result2->baseFreeRows();	×
187
188	/* Get encoding information for current sensor. */
189	$sql3 = 'SELECT encoding FROM sensor WHERE sid='.$sid;	×
190	$result3 = $db->baseExecute($sql3);	×
191	$myrow3 = $result3->baseFetchRow();	×
192	$result3->baseFreeRows();	×
193
194
195
196	/* For flop-extended databases: IP header information is already present
197	in myrow2.
198
199	For non-flop databases we are NOT done, yet. So, try and get the missing
200	information: */
201	if ($download == 3)	×
202	{
203	$ip_sql = "SELECT ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_off, ip_flags,";	×
204	$ip_sql.= "ip_ttl, ip_proto, ip_csum, ip_src, ip_dst FROM iphdr ";	×
205	$ip_sql.= "WHERE sid='".$sid."' AND cid='".$cid."'";	×
206	$ip_res = $db->baseExecute($ip_sql);	×
207	$ip = $ip_res->baseFetchRow();	×
208	$ip_res->baseFreeRows();	×
209
210	if ($ip[8] == 1)	×
211	{
212	$l4_sql = "SELECT icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq ";	×
213	$l4_sql.= "FROM icmphdr WHERE sid='".$sid."' AND cid='".$cid."'";	×
214	}
215	elseif ($ip[8] == 6)	×
216	{
217	$l4_sql = "SELECT tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off,";	×
218	$l4_sql.= "tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp from tcphdr ";	×
219	$l4_sql.= "WHERE sid='".$sid."' AND cid='".$cid."'";	×
220	}
221	elseif ($ip[8] == 17)	×
222	{
223	$l4_sql = "SELECT udp_sport, udp_dport, udp_len, udp_csum FROM udphdr ";	×
224	$l4_sql.= "WHERE sid='".$sid."' AND cid='".$cid."'";	×
225	}
226
227	$l4_res = $db->baseExecute($l4_sql);	×
228	$l4 = $l4_res->baseFetchRow();	×
229	$l4_res->baseFreeRows();	×
230
231	} // if ($download == 3)
232
233
234	/***********************************************************************/
235	/* Now, when extracting the information from the database: Pay attention
236	* to the encoding:
237	*
238	/* 0 == hex, 1 == base64, 2 == ascii; cf. snort-2.8.5.1/src/plugbase.h */
239
240	/**** hexadecimal encoding *******/
241	if ($myrow3[0] == 0)	×
242	{
243	/* FLoP-extended databases */
244	if ($download == 2)	×
245	{
246	$pcap_header = $myrow2[0];	×
247	$data_header = $myrow2[1];	×
248	$data_payload = $myrow2[2];	×
249	}
250	/* Non-flop databases */
251	else	×
252	{
253	$data_payload = $myrow2[0];	×
254	}
255	}
256	/****** base64 encoding ******/
257	elseif ($myrow3[0] == 1)	×
258	{
259	/* FLoP-extended databases */
260	if ($download == 2)	×
261	{
262	$pcap_header = bin2hex(base64_decode($myrow2[0]));	×
263	$data_header = bin2hex(base64_decode($myrow2[1]));	×
264	$data_payload = bin2hex(base64_decode($myrow2[2]));	×
265	}
266	/* Non-flop databases */
267	else	×
268	{
269	$data_payload = bin2hex(base64_decode($myrow2[0]));	×
270	}
271	}
272	else	×
273	{
274	/***** database contains neither hex nor base64 encoding. *******/
275	header ('HTTP/1.0 200');	×
276	header ('Content-Type: text/html');	×
277	print "<h1> File not found:</h1>";	×
278	print "<br>Only HEX and BASE64 encoding types are supported, nothing else.";	×
279	print "<br><br><hr><i>Generated by base_payload.php</i><br>";	×
280	exit;	×
281	}
282
283
284
285
286	/*
287	* From here on: pcap header, data_header and data_payload all contain data
288	* in hex encoding, even if original encoding type was base64.
289	*/
290
291	/* Sanity checks for FLoP-extended databases*/
292	if ($download == 2)	×
293	{
294	# /usr/include/pcap.h:
295	# struct pcap_pkthdr {
296	# struct timeval ts; /* time stamp */
297	# bpf_u_int32 caplen; /* length of portion present */
298	# bpf_u_int32 len; /* length this packet (off wire) */
299	# };
300	#
301	# And a struct timeval has either a 32-bit or 64-bit tv_sec.
302	if (strlen($pcap_header) > 48)	×
303	{
304	header ('HTTP/1.0 200');	×
305	header ('Content-Type: text/html');	×
306	print "<h1> File not found:</h1>";	×
307	print "<br>Error in pcap_header, answer is too large: ".strlen($pcap_header)."!";	×
308	print "<br><br><hr><i>Generated by base_payload.php</i><br>";	×
309	exit;	×
310	}
311	else if (strlen($pcap_header) == 0)	×
312	{
313	header ('HTTP/1.0 200');	×
314	header ('Content-Type: text/html');	×
315	print "<h1> File not found:</h1>";	×
316	print "<br>No pcap header, we can't rebuild the network packet.";	×
317	print "<br><br><hr><i>Generated by base_payload.php</i><br>";	×
318	exit;	×
319	}
320	} // if ($download == 2)
321
322
323
324
325
326	/* For non-flop databases, the data_header has not been created, yet.
327	* Do it now: */
328	if ($download == 3)	×
329	{
330	# tack an ethernet header on there
331	$data_header = "DEADCAFEBABE1122334455660800";	×
332
333	# later on, all of this gets interpreted as hex, so simply
334	# pull the values from the db, convert them to hex, 0-pad them
335	# as necessary, and tack them together.
336	$data_header.= sprintf("%02s", $ip[0] . $ip[1]); // ver&ihl	×
337	$data_header.= sprintf("%02s", dechex($ip[2])); // tos	×
338	$data_header.= sprintf("%04s", dechex($ip[3])); // len	×
339	$data_header.= sprintf("%04s", dechex($ip[4])); // id	×
340	$data_header.= sprintf("%02s", dechex($ip[5])); // flags	×
341	$data_header.= sprintf("%02s", dechex($ip[6])); // offset	×
342	$data_header.= sprintf("%02s", dechex($ip[7])); // ttl	×
343	$data_header.= sprintf("%02s", dechex($ip[8])); // proto	×
344	$data_header.= sprintf("%04s", dechex($ip[9])); // csum.	×
345
346	# http://us2.php.net/manual/en/function.dechex.php#71795
347	# source IP
348	$chars = ($ip[10] <= 0x0fffffff) ? 1 : 0;	×
349	$data_header.= sprintf("%02s", substr(dechex((float) $ip[10]),0,2-$chars));	×
350
351	for ($i = 1; $i < 4; $i++)	×
352	$data_header.= sprintf("%02s", substr(dechex((float) $ip[10]), $i*2-$chars, 2));	×
353
354	# dest IP
355	$chars = ($ip[11] <= 0x0fffffff) ? 1 : 0;	×
356	$data_header.= sprintf("%02s", substr(dechex((float) $ip[11]),0,2-$chars));	×
357
358	for ($i = 1; $i < 4; $i++)	×
359	$data_header.= sprintf("%02s", substr(dechex((float) $ip[11]), $i*2-$chars, 2));	×
360
361	if ($ip[8] == 1)	×
362	{
363	$data_header.= sprintf("%02s", dechex((float) $l4[0])); // type	×
364	$data_header.= sprintf("%02s", dechex((float) $l4[1])); // code	×
365	$data_header.= sprintf("%04s", dechex((float) $l4[2])); // sum	×
366	// only echo req/rep, timestamp, info req/rep have id/seq
367	if ($l4[0] == 0 \|\| $l4[0] == 8 \|\| ($l4[0] >= 13 && $l4[0] <= 16))	×
368	{
369	$data_header.= sprintf("%04s", dechex((float) $l4[3])); // id	×
370	$data_header.= sprintf("%04s", dechex((float) $l4[4])); // seq	×
371	}
372	}
373	elseif ($ip[8] == 6)	×
374	{
375	$data_header.= sprintf("%04s", dechex((float) $l4[0])); // source port	×
376	$data_header.= sprintf("%04s", dechex((float) $l4[1])); // dest port	×
377	$data_header.= sprintf("%08s", dechex((float) $l4[2])); // seq #	×
378	$data_header.= sprintf("%08s", dechex((float) $l4[3])); // ack #	×
379	$data_header.= sprintf("%01s", dechex((float) $l4[4])); // offset	×
380	$data_header.= sprintf("%03s", dechex((float) $l4[6])); // flags	×
381	$data_header.= sprintf("%04s", dechex((float) $l4[7])); // window	×
382	$data_header.= sprintf("%04s", dechex((float) $l4[8])); // checksum	×
383	$data_header.= sprintf("%04s", dechex((float) $l4[9])); // urg ptr	×
384
385	# walk opts...
386	$tcp_opt_sql = "SELECT optid, opt_code, opt_len, opt_data FROM opt ";	×
387	$tcp_opt_sql.= "WHERE sid='".$sid."' AND cid='".$cid."' AND opt_proto=6 ORDER BY optid ASC";	×
388	$tcp_opt_res = $db->baseExecute($tcp_opt_sql);	×
389	$tcp_opt_data = "";	×
390
391
392	while ($tcp_opt = $tcp_opt_res->baseFetchRow())	×
393	{
394	$tcp_opt_data .= sprintf("%02s", dechex((float) $tcp_opt[1]));	×
395
396	// if opt_len == 0, its an "opt kind", and thus has no length or data
397	if ($tcp_opt[2] != 0)	×
398	{
399	$tcp_opt_data .= sprintf("%02s", dechex((float) $tcp_opt[2] + 2));	×
400	$tcp_opt_data .= $tcp_opt[3];	×
401	}
402	} // while ($tcp_opt = $tcp_opt_res->baseFetchRow())
403
404	$tcp_opt_res->baseFreeRows();	×
405	$data_header.= $tcp_opt_data;	×
406
407	}
408	elseif ($ip[8] == 17)	×
409	{
410	$data_header.= sprintf("%04s", dechex((float) $l4[0])); // source port	×
411	$data_header.= sprintf("%04s", dechex((float) $l4[1])); // dest port	×
412	$data_header.= sprintf("%04s", dechex((float) $l4[2])); // len	×
413	$data_header.= sprintf("%04s", dechex((float) $l4[3])); // sum	×
414	}
415
416	} // if ($download == 3)
417
418
419
420
421	/*****************************************************************/
422	/* Now, begin to create the file the user wants to download: */
423	header ('HTTP/1.0 200');	×
424	header ("Content-type: application/octet-stream");	×
425	header ("Content-Disposition: attachment; filename=base_packet_".$sid."-".$cid.".pcap");	×
426	header ("Content-Transfer-Encoding: binary");	×
427
428
429
430	/*
431	* Calculating snaplen which is length of payload plus header,
432	* for HEX we have to divide by two -> two HEX characters
433	* represent one binary byte.
434	*/
435
436	$snaplen = (strlen($data_header) + strlen($data_payload)) / 2;	×
437	header ("Content-length: ". 40 + $snaplen);	×
438
439
440
441	/* Create pcap file header. */
442	$hdr['magic'] = pack('L', 0xa1b2c3d4); /* unsigned long (always 32 bit, machine byte order) */	×
443	$hdr['version_major'] = pack('S', 2); /* unsigned short (always 16 bit, machine byte order) */
444	$hdr['version_minor'] = pack('S', 4); /* unsigned short (always 16 bit, machine byte order) */
445	$hdr['thiszone'] = pack('I', 0); /* signed long (always 32 bit, machine byte order) */
446	$hdr['sigfigs'] = pack('L', 0); /* unsigned long (always 32 bit, machine byte order) */
447	$hdr['snaplen'] = pack('L', $snaplen); /* unsigned long (always 32 bit, machine byte order) */
448	$hdr['linktype'] = pack('L', 1); /* unsigned long (always 32 bit, machine byte order) */
449
450
451	/* Create pcap packet header. Converting hex to decimal and then to network byte order (big endian). */
452	/* For FLoP-extended databases: */
453	if ($download == 2)	×
454	{
455	/* tv_sec in a struct timeval is either 32 bits or 64 bits long.
456	* But, as it seems, in $pcap_header it is ALWAYS 32 bits = 4 bytes long.
457	* Which means that, in the way as snort stores it, 8 bytes are consumed.
458	* So, offset is 0, and length is ALWAYS 8.
459	* I have not checked whether this is FLoP's or snort's fault.
460	*/
461	list(, $phdr['timeval_sec']) = unpack('L', pack('N', hexdec(substr($pcap_header, 0, 8))));	×
462
463	if (strlen($pcap_header) > 32)	×
464	{
465	/* A 64-bit tv_sec in a struct timeval are 8 bytes. In hexadecimal form
466	as snort stores it, this consumes 16 bytes */
467	list(, $phdr['timeval_usec']) = unpack('L', pack('N', hexdec(substr($pcap_header, 16, 8))));	×
468	}
469	else	×
470	{
471	/* A 32-bit tv_sec in a struct timeval are 4 bytes. In hexadecimal form
472	as snort stores it, this consumes 8 bytes */
473	list(, $phdr['timeval_usec']) = unpack('L', pack('N', hexdec(substr($pcap_header, 8, 8))));	×
474	}
475
476	list(, $phdr['caplen']) = unpack('L', pack('N', hexdec(substr($pcap_header, (strlen($pcap_header)) - 16, 8))));	×
477	list(, $phdr['len']) = unpack('L', pack('N', hexdec(substr($pcap_header, strlen($pcap_header) - 8, 8))));	×
478
479
480	if ($debug_mode > 0)	×
481	{
482	error_log("phdr[timeval_sec] = \"" . $phdr['timeval_sec'] . "\"");	×
483	error_log("phdr[timeval_usec] = \"" . $phdr['timeval_usec'] . "\"");	×
484	error_log("snaplen = $snaplen bytes.<BR>\n");	×
485	error_log("phdr[caplen] = \"" . $phdr['caplen'] . "\"");	×
486	list(, $tmp['caplen_new']) = unpack('L', pack('N', hexdec(substr($pcap_header, 32, 8))));	×
487	error_log("phdr[caplen] new = \"" . $tmp['caplen_new'] . "\"");	×
488	error_log("phdr[len] = \"" . $phdr['len'] . "\"");	×
489	list(, $tmp['len_new']) = unpack('L', pack('N', hexdec(substr($pcap_header, 40, 8))));	×
490	error_log("phdr[len] new = \"" . $tmp['len_new'] . "\"");	×
491	}
492	}
493	/* For non-flop databases */
494	else	×
495	{
496	$ts_sql = "SELECT timestamp FROM event ";	×
497	$ts_sql.= "WHERE sid='".$sid."' AND cid='".$cid."'";	×
498	$ts_res = $db->baseExecute($ts_sql);	×
499	$ts_string = $ts_res->baseFetchRow();	×
500	$ts_res->baseFreeRows();	×
501	$ts = strtotime($ts_string[0]);	×
502	list(, $phdr['timeval_sec']) = unpack('L', pack('L', $ts));	×
503	list(, $phdr['timeval_usec']) = unpack('L', pack('L', 0));	×
504	list(, $phdr['caplen']) = unpack('L', pack('L', $snaplen));	×
505	list(, $phdr['len']) = unpack('L', pack('L', $snaplen));	×
506	}
507
508	/* Copy header to packet, convert hex to dec and from dec to char. */
509	$packet = "";	×
510	for ($i = 0; $i < strlen($data_header); $i = $i + 2)	×
511	$packet .= chr(hexdec(substr($data_header, $i, 2)));	×
512
513	/* Copy payload to packet, convert hex to dec and from dec to char. */
514	for ($i = 0; $i < strlen($data_payload); $i = $i + 2)	×
515	$packet .= chr(hexdec(substr($data_payload, $i, 2)));	×
516
517	ob_start();	×
518
519	/* Writing pcap file header */
520	foreach ($hdr as $value)	×
521	echo $value;	×
522
523	/* Writing pcap packet header */
524	foreach ($phdr as $value)	×
525	echo pack('L', $value);	×
526
527	/* Writing packet */
528	echo $packet;	×
529
530	ob_end_flush();	×
531	/* nothing should come after ob_end_flush(). */
532	// End of else if ($download == 2 \|\| $download == 3)
533	}else{	×
534	if (!headers_sent()){	×
535	header ('HTTP/1.0 200');	×
536	header ('Content-Type: text/html');	×
537	}
538	print "<h1> File not found:</h1>";	×
539	print "<br>Page is only for downloading purposes; it has no content.";	×
540	print "<br><br><hr><i>Generated by base_payload</i><br>";	×
541	}
542	?>

NathanGibbs3 / BASE / 624

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous