NathanGibbs3
Merge branch 'devel'

562 of 562 new or added lines in 28 files covered. (100.0%)

3145 of 17504 relevant lines covered (17.97%)

23.22 hits per line

/base_stat_ipaddr.php
<?php
/*******************************************************************************
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
**
** (see the file 'base_main.php' for license details)
**
** Project Leads: Kevin Johnson <kjohnson@secureideas.net>
**                Sean Muller <samwise_diver@users.sourceforge.net>
** Built upon work by Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
**
** Purpose: Displays stats on an individual IP address
**
** Input GET/POST variables (all pass through ImportHTTPVar() below)
**   - action:  one of "events", "whois" or "portscan"; selects the section
**              rendered below the summary table (any other value: summary only)
**   - submit:  form submit label; only echoed back in the debug table
**   - ip:      dotted address to report on (filtered to digits and periods)
**   - netmask: prefix length; shown in the page title and carried in links
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson <kjohnson@secureideas.net>
**
********************************************************************************
*/

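  $sig = array();

// Bootstrap. base_krnl.php is loaded first; the includes that follow depend on
// the $BASE_path it is presumed to define.
$sc = DIRECTORY_SEPARATOR;
require_once("includes$sc" . 'base_krnl.php');
include_once("$BASE_path/includes/base_include.inc.php");
include_once("$BASE_path/base_db_common.php");
include_once("$BASE_path/base_common.php");

// Authorisation is checked before any database access or page output.
AuthorizedRole(10000);
$db = NewBASEDBConnection($DBlib_path, $DBtype); // Connect to DB.
$db->baseDBConnect(
        $db_connect_method,$alert_dbname, $alert_host, $alert_port, $alert_user,
        $alert_password
);
UpdateAlertCache($db);
$cs = new CriteriaState("base_stat_ipaddr.php");
$cs->ReadState();

// Request parameters. ImportHTTPVar() is the only input filter on this page:
// per the VAR_* masks, $ip keeps digits and periods, $netmask digits, $action
// letters and $submit letters/spaces. Every later use of these values in HTML,
// URLs, regexes and SQL relies on that filtering rather than on escaping, so
// do not loosen these masks without revisiting those uses.
$ip = ImportHTTPVar("ip", VAR_DIGIT | VAR_PERIOD);
$netmask = ImportHTTPVar("netmask", VAR_DIGIT);
$action = ImportHTTPVar("action", VAR_ALPHA);
$submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);

// Without an address there is nothing to report. $Epfx prefixes the error
// messages with this file's path so the reader can see where they came from.
if ( empty($ip) ){
        $Epfx = __FILE__ . ":";
        $page_title = 'ERROR';
}else{
        $Epfx = '';
        $page_title = $ip.'/'.$netmask;
}
PrintBASESubHeader($page_title, $page_title, $cs->GetBackLink(), 1);
if (!isset($ip)){
        ErrorMessage($Epfx. __LINE__ . ": Ignoring \$ip - undefined.");
}elseif (empty($ip)){
        ErrorMessage($Epfx. __LINE__ . ": Ignoring \$ip - empty.");
}
if ( !empty($Epfx) && $debug_mode > 1 ){
        // debug_print_backtrace() prints directly and returns nothing, so the
        // previous concatenation emitted the raw trace outside the <PRE>
        // wrapper and handed ErrorMessage() an empty string. Capture it with
        // output buffering and HTML-escape it (it carries file paths and call
        // arguments) before passing it on.
        ob_start();
        debug_print_backtrace();
        $backtrace = ob_get_clean();
        $debug_str = "<BR><PRE>\n\n" . htmlspecialchars($backtrace, ENT_QUOTES) . "\n\n</PRE><BR>\n";
        ErrorMessage($debug_str);
}
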
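/**
 * Renders, as an HTML table, the entries of the portscan log ($portscan_file)
 * that mention $ip.
 *
 * Each entry is a header line ("<date> <time> <src>:<port> -> <dst>:<port>
 * <flags> ...") followed by detail lines up to a blank/short line; the header
 * fields are shown in the first two columns and the detail block in the third.
 *
 * $db is unused here and only kept for call-site symmetry with
 * PrintEventsByIP(). $ip is expected to have passed ImportHTTPVar() in the
 * caller. The log itself is written from observed traffic, so everything read
 * from it is HTML-escaped before output.
 */
function PrintPortscanEvents($db, $ip)
{
  GLOBAL $portscan_file;

  // empty() is null-safe, so the global no longer has to be dereferenced
  // before it is known to exist.
  if (empty($portscan_file))
  {
     ErrorMessage(_PSEVENTERR._PSEVENTERRNOFILE);
     return;
  }

  if (!is_file($portscan_file))
  {
     ErrorMessage(_PSEVENTERR._PSEVENTERROPENFILE . " '" . $portscan_file . "': This file could not be found. Maybe a wrong path or a wrong filename?");
     return;
  }

  if (!is_readable($portscan_file))
  {
    ErrorMessage(_PSEVENTERR._PSEVENTERROPENFILE . " '" . $portscan_file . "' Maybe a permission problem?");
    return;
  }

  if (!isset($ip))
  {
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": \$ip has NOT been defined. Returning.");
    return;
  }

  if (empty($ip))
  {
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": \$ip has been defined, but it is empty. Returning.");
    return;
  }

  $fp = fopen($portscan_file,"r");
  if ( !$fp )
  {
     ErrorMessage(_PSEVENTERR._PSEVENTERROPENFILE." '".$portscan_file."'");
     return;
  }

  // The previous code built "/$ip/" verbatim: every '.' in the address acted
  // as a regex wildcard, and the unanchored match also hit longer addresses
  // (10.0.0.1 matched 10.0.0.10 and 110.0.0.1). Quote the address and require
  // it to be delimited by something other than a digit or a period.
  $ip_pattern = '/(?<![0-9.])' . preg_quote($ip, '/') . '(?![0-9.])/';

  echo '<TABLE border="1" width="100%" cellspacing="0" cellpadding="5">
        <TR>
        <TD CLASS="plfieldhdr">IP addresses</TD>
        <TD CLASS="plfieldhdr">Type</TD>
        <TD CLASS="plfieldhdr">Details</TD>';
  echo '</TR>';

  $total = 0;

  while ( !feof($fp) )
  {
    $contents = fgets($fp, 255);
    if ($contents === false)
    {
      // EOF or read error: nothing further to scan.
      break;
    }

    if (!preg_match($ip_pattern, $contents))
    {
      continue;
    }

    $total++;
    $color = ( $total % 2 == 0 ) ? "DDDDDD" : "FFFFFF";

    // Collapse runs of blanks so explode() yields one element per field
    // (the previous "/  /" left a double space behind for every odd run).
    $contents = preg_replace('/ {2,}/', ' ', $contents);
    $elements = explode(" ", $contents);

    echo '<tr bgcolor="'.$color.'"><td align="center">'.
      PortscanLogField($elements, 0).' '.PortscanLogField($elements, 1).' '.PortscanLogField($elements, 2).'</td>';

    // Fields 4..10 (skipping the source address in 3) describe the scan type.
    echo "<TD ALIGN=center>";
    for ($i = 4; $i <= 10 && isset($elements[$i]) && !empty($elements[$i]); $i++)
    {
      print PortscanLogField($elements, $i) . " ";
    }
    echo "</TD>";

    // Detail block: subsequent lines up to a blank/short line or EOF. The old
    // feof() check inside this loop silently dropped a final line that lacked
    // a trailing newline; fgets() returning false already ends the loop.
    $whole_entry = "";
    while($contents = fgets($fp, 255))
    {
      if (!isset($contents) || empty($contents) || $contents == "\n" || $contents == "\r\n" || $contents == "\n\r" || strlen($contents) < 3)
      {
        break;
      }

      $whole_entry .= $contents;
    }

    print "<TD ALIGN=center><PRE>";
    print htmlspecialchars($whole_entry, ENT_QUOTES);
    print "</PRE></TD></tr>";
  }

  fclose($fp);

  echo '<TR>
         <TD CLASS="plfieldhdr" align="left">'._PSTOTALHOSTS.'</TD>
         <TD CLASS="plfieldhdr">'.$total.'</TD>
         <TD CLASS="plfieldhdr" colspan="4">&nbsp;</TD>
        </TR>
        </TABLE>';
}

/**
 * Returns one whitespace-separated field of a portscan log line, HTML-escaped,
 * or '' when that field is absent (PrintPortscanEvents() used to read it
 * unguarded).
 */
function PortscanLogField($elements, $idx)
{
  if (!isset($elements[$idx]))
  {
    return '';
  }
  return htmlspecialchars($elements[$idx], ENT_QUOTES);
}
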
/**
 * Prints the per-signature breakdown for one address: a headline with the
 * unique/total alert counts, then a table with one row per distinct signature
 * holding the signature name, its occurrence count (linked to the query page),
 * the number of sensors that saw it (linked to the sensor stats page) and the
 * first/last timestamps.
 *
 * $ip is expected to have passed ImportHTTPVar() in the caller. The count and
 * time helpers (EventCntByAddr() and friends) live elsewhere in BASE.
 */
function PrintEventsByIP($db, $ip)
{
  GLOBAL $debug_mode;

  if (!isset($ip))
  {
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": \$ip has NOT been defined. Returning.");
    return;
  }

  if (empty($ip))
  {
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": \$ip has been defined, but it is empty. Returning.");
    return;
  }

  $trace_sql = ($debug_mode > 1);

  /* Total alerts and the list of distinct signatures for this address */
  $unused_cnt = 0; // UniqueEventCntByAddr() wants a count variable we do not read back
  $event_cnt = EventCntByAddr($db, $ip);
  $unique_events = UniqueEventCntByAddr($db, $ip, $unused_cnt);
  $unique_event_cnt = count($unique_events);

  printf ("<B>"._PSDETECTAMONG."/32</B><BR>", $unique_event_cnt,$event_cnt,$ip);

  echo '<TABLE BORDER=1>
        <TR>
           <TD CLASS="plfieldhdr">'._PSTCPFLAGS.'</TD>
           <TD CLASS="plfieldhdr">'._PSTOTALOCC.'</TD>
           <TD CLASS="plfieldhdr">'._PSNUMSENSORS.'</TD>
           <TD CLASS="plfieldhdr">'._PSFIRSTOCC.'</TD>
           <TD CLASS="plfieldhdr">'._PSLASTOCC.'</TD>
        </TR>';

  for ( $idx = 0; $idx < $unique_event_cnt; $idx++ )
  {
    $sig_id = $unique_events[$idx];

    $occurrences = UniqueEventTotalsByAddr($db, $ip, $sig_id);
    $sensor_cnt  = UniqueSensorCntByAddr($db, $ip, $sig_id);
    $first_seen  = StartTimeForUniqueEventByAddr($db, $ip, $sig_id);
    $last_seen   = StopTimeForUniqueEventByAddr($db, $ip, $sig_id);

    echo '<TR>';
    if ($trace_sql)
    {
      SQLTraceLog(__FILE__ . ":" . __LINE__ . ":" . __FUNCTION__ . ": Before BuildSigByID()");
    }
    echo "  <TD ALIGN='center'> ".BuildSigByID($sig_id, $db);
    if ($trace_sql)
    {
      SQLTraceLog(__FILE__ . ":" . __LINE__ . ":" . __FUNCTION__ . ": After BuildSigByID()");
    }

    // Query page, restricted to this signature name and this address. The
    // signature name is URL-encoded; $ip is carried by BuildIPFormVars().
    $query_link = 'base_qry_main.php?new=1'
                . '&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D=' . rawurlencode(GetSignatureName($sig_id, $db))
                . '&amp;num_result_rows=-1'
                . '&amp;submit=' . _QUERYDBP . '&amp;current_view=-1&amp;ip_addr_cnt=2'
                . BuildIPFormVars($ip);

    // Sensor stats page, restricted to this signature id and this address.
    $sensor_link = 'base_stat_sensor.php?'
                 . 'sig%5B0%5D=%3D&amp;sig%5B1%5D=' . rawurlencode($sig_id)
                 . '&amp;ip_addr_cnt=2' . BuildIPFormVars($ip);

    echo "  <TD align='center'> <A HREF=\"$query_link\">$occurrences</A> ";
    echo "  <TD align='center'> <A HREF=\"$sensor_link\">$sensor_cnt</A> ";
    echo "  <TD align='center'> $first_seen";
    echo "  <TD align='center' valign='middle'> $last_seen";
    echo '</TR>';
  }

  echo "</TABLE>\n";
}

  // NOTE(review): $sig is initialised to an empty array at the top of this
  // file and nothing in between assigns to it, so this branch never runs.
  if ( sizeof($sig) != 0 && strstr($sig[1], "spp_portscan") )
     $sig[1] = "";

  /*  Build new link for criteria-based sensor page 
   *                    -- ALS <aschroll@mitre.org>
   */
   $tmp_sensor_lookup = 'base_stat_sensor.php?ip_addr_cnt=2'.
                        BuildIPFormVars($ip);


   /* Query-page links scoped to this address as src and/or dst. $ip only ever
    * reaches these URLs through the Build*IPFormVars() helpers. */
   $tmp_srcdst_iplookup = 'base_qry_main.php?new=2'.
                          '&amp;num_result_rows=-1'.
                          '&amp;submit='._QUERYDBP.'&amp;current_view=-1&amp;ip_addr_cnt=2'.
                          BuildIPFormVars($ip);

   $tmp_src_iplookup    = 'base_qry_main.php?new=2'.
                          '&amp;num_result_rows=-1'.
                          '&amp;submit='._QUERYDBP.'&amp;current_view=-1&amp;ip_addr_cnt=1'.
                          BuildSrcIPFormVars($ip);

   $tmp_dst_iplookup    = 'base_qry_main.php?new=2'.
                          '&amp;num_result_rows=-1'.
                          '&amp;submit='._QUERYDBP.'&amp;current_view=-1&amp;ip_addr_cnt=1'.
                          BuildDstIPFormVars($ip);
  echo '<CENTER>';
  // Format string is a translation constant; $ip/$netmask are the filtered
  // request values (digits/periods and digits respectively).
  printf ("<FONT>"._PSALLALERTSAS.":</FONT>",$ip,$netmask); 
  echo '
 <A HREF="'.$tmp_src_iplookup.'">'._SCSOURCE.'</A> | 
 <A HREF="'.$tmp_dst_iplookup.'">'._SCDEST.'</A> | 
 <A HREF="'.$tmp_srcdst_iplookup.'">'._SCSOURCE.'/'._SCDEST.'</A><BR>';

 // Self-links that re-enter this page with action=events / action=portscan.
 echo _PSSHOW.':
       <A HREF="base_stat_ipaddr.php?ip='.$ip.'&amp;netmask='.$netmask.'&amp;action=events">'._PSUNIALERTS.'</A>
       &nbsp; | &nbsp;
       <A HREF="base_stat_ipaddr.php?ip='.$ip.'&amp;netmask='.$netmask.'&amp;action=portscan">'._PSPORTSCANEVE.'</A>
       <BR>';

 // External lookups. $ip is placed into href attributes unescaped; this is
 // only acceptable because ImportHTTPVar() limited it to digits and periods.
 // NOTE(review): every external link below opens with target="_NEW" and no
 // rel="noopener noreferrer", so the third-party page receives window.opener.
 // Consider adding that attribute to each of them.
 echo '<FONT>'._PSREGWHOIS.': ';
    echo '
       <A HREF="http://ws.arin.net/cgi-bin/whois.pl?queryinput='.$ip.'" target="_NEW">ARIN</A> |
       <A HREF="http://www.db.ripe.net/whois?query='.$ip.'" target="_NEW">RIPE</A> |
       <A HREF="http://wq.apnic.net/apnic-bin/whois.pl?do_search=Search&amp;searchtext='.$ip.'" target="_NEW">APNIC</A> |
       <A HREF="http://lacnic.net/cgi-bin/lacnic/whois?lg=EN&amp;query='.$ip.'" target="_NEW">LACNIC</A><BR></FONT>';
        // Have no idea why this code is here.
        // Commenting it out as it was contributing to Issue #5
        // $octet=preg_split("/\./", $ip);
        // $classc=sprintf("%03s.%03s.%03s",$octet[0],$octet[1],$octet[2]);
        // Operator-configured lookup URLs ($external_*_link, presumably from the
        // BASE config file); the address is simply appended to each.
        print '<FONT>'._PSEXTERNAL.': ';
        if (isset($external_dns_link)){
                print '<A HREF="'.$external_dns_link.$ip.'" target="_NEW">DNS</A>';
        }
        if (isset($external_whois_link)){
                print ' | <A HREF="'.$external_whois_link.$ip.'" target="_NEW">whois</A>';
        }
        if (isset($external_all_link)){
                print ' | <A HREF="'.$external_all_link.$ip.'" target="_NEW">Extended whois</A>';
        }
        print ' | <A HREF="http://www.dshield.org/ipinfo.php?ip='.$ip.'&amp;Submit=Submit" target="_NEW">DShield.org IP Info</A> | '.
      '<A HREF="http://www.trustedsource.org/query.php?q='.$ip.'" target="_NEW">TrustedSource.org IP Info</A> | '.
      '<A HREF="http://isc.sans.org/ipinfo.html?ip='.$ip.'" target="_NEW">ISC Source/Subnet Report</A><BR> </FONT>';

  
  echo '</CENTER>';
  echo '<HR>';

  echo '<FORM METHOD="POST" ACTION="base_stat_ipaddr.php">';
  
  // Debug echo of the request parameters. All four were filtered by
  // ImportHTTPVar() at the top of the file, which is what keeps this raw
  // (unescaped) echo tolerable.
  if ( $debug_mode >= 1 )
     echo '<TABLE BORDER=1>
             <TR><TD>action</TD><TD>submit</TD><TD>ip</TD><TD>netmask</TD></TR>
             <TR><TD>'.$action.'</TD><TD>'.$submit.'</TD>
                 <TD>'.$ip.'</TD><TD>'.$netmask.'</TD></TR>
           </TABLE>';

  /* Print the Statistics the IP address */
  echo '<CENTER><B>'.$ip.'</B><BR>FQDN: <B>';
  
  // $resolve_IP / $dns_cache_lifetime / $whois_cache_lifetime are config
  // globals (not defined in this file).
  if ( $resolve_IP == 0 )
     echo '  ('._PSNODNS.')';
  else
  {
    // NOTE(review): the resolved name is echoed as-is. A PTR record is
    // attacker-controlled data; confirm baseGetHostByAddr() HTML-escapes its
    // result (or escape it here) before relying on this in a browser.
    if ( $ip != "255.255.255.255" )
        echo baseGetHostByAddr($ip, $db, $dns_cache_lifetime);
     else
        echo $ip.' (Broadcast)';
  } 

  // Local whois is only offered when PHP socket support is available.
  if ( VerifySocketSupport() )
     echo '&nbsp;&nbsp;( <A HREF="base_stat_ipaddr.php?ip='.$ip.'&amp;netmask='.$netmask.'&amp;action=whois">local whois</A> )';
 
  echo    '</B>
        <TABLE BORDER=1>
        <TR>
           <TD CLASS="plfieldhdr">'._PSNUMSENSORSBR.'</TD>
           <TD CLASS="plfieldhdr">'._PSOCCASSRC.'</TD>
           <TD CLASS="plfieldhdr">'._PSOCCASDST.'</TD>
           <TD CLASS="plfieldhdr">'._PSFIRSTOCC.'</TD>
           <TD CLASS="plfieldhdr">'._PSLASTOCC.'</TD>
        </TR>';

  // The same address is used on both the src and dst side of the queries.
  $ip_src32 = baseIP2long($ip);
  $ip_dst32 = $ip_src32;

  /* Number of Sensors, First, and Last timestamp */
  // NOTE(review): the address is interpolated into the SQL as a quoted
  // literal. This is only safe because $ip was restricted to digits and
  // periods by ImportHTTPVar() and baseIP2long() is presumed to return a
  // numeric value -- confirm the latter (IPv6 handling in particular), or bind
  // it as a parameter if the DB wrapper supports that.
  $temp = "SELECT COUNT(DISTINCT sid), MIN(timestamp), MAX(timestamp) FROM acid_event ".  
          "WHERE (ip_src = '$ip_src32' OR ip_dst = '$ip_dst32' )";
  $result2 = $db->baseExecute($temp);
  $row2 = $result2->baseFetchRow();

  $num_sensors = $row2[0];
  $start_time = $row2[1]; 
  $stop_time = $row2[2];
  $result2->baseFreeRows();

  /* Unique instances as Source Address  */
  $temp = "SELECT COUNT(sid) from acid_event WHERE ip_src='$ip_src32'";  
  $result2 = $db->baseExecute($temp);
  $row2 = $result2->baseFetchRow();
  $num_src_ip = $row2[0];
  $result2->baseFreeRows(); 

  /* Unique instances Dest. Address  */
  $temp = "SELECT COUNT(sid) from acid_event WHERE ip_dst='$ip_dst32'";
  $result2 = $db->baseExecute($temp);
  $row2 = $result2->baseFetchRow();
  $num_dst_ip = $row2[0];
  $result2->baseFreeRows(); 

  /* Print out */ 
  // Counts of zero are printed as plain text; non-zero counts link to the
  // matching query page.
  echo '<TR>
         <TD ALIGN="center"><A HREF="'.$tmp_sensor_lookup.'">'.$num_sensors.'</A>';
  if ( $num_src_ip == 0 )
         echo '<TD ALIGN="center">'.$num_src_ip;
  else
         echo '<TD ALIGN="center"><A HREF="'.$tmp_src_iplookup.'">'.$num_src_ip.'</A>';
  if ( $num_dst_ip == 0 )         
         echo '<TD ALIGN="center">'.$num_dst_ip;
  else
         echo '<TD ALIGN="center"><A HREF="'.$tmp_dst_iplookup.'">'.$num_dst_ip.'</A>';
  echo '
         <TD align="center">'.$start_time.'
         <TD align="center" valign="middle">'.$stop_time.'
       </TR>
      </TABLE></CENTER>';

  // Optional detail section, selected by the filtered $action value
  // ("events", "whois" or "portscan"); any other value shows the summary only.
  if ( $action == "events" )
  {
     echo '<HR>
            <CENTER><P>';
     PrintEventsByIP($db, $ip);
     echo ' </CENTER>';        
  }
  else if ( $action == "whois" )
  {
     // NOTE(review): whois output is third-party text placed inside <PRE>;
     // confirm baseGetWhois() escapes it, otherwise a hostile registry
     // response could inject markup into this page.
     echo "\n<B>"._PSWHOISINFO."</B>".
          "<PRE>".baseGetWhois($ip, $db, $whois_cache_lifetime)."</PRE>";
  }
  else if ( $action == "portscan" )
  {
     echo '<HR>
            <CENTER><P>';
     PrintPortscanEvents($db, $ip);
     echo ' </CENTER>';        
  }
NLIO('</form>',2);
PrintBASESubFooter();
?>