NathanGibbs3 / BASE / 627

pending completion

Build # 627

Build Type

push

travis-ci-com

Committed by

NathanGibbs3

Commit Message

Merge branch 'documentation' into devel

Run Details

1766 of 6437 relevant lines covered (27.44%)

105.91 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

0.0

/base_stat_alerts.php

<?php
// Basic Analysis and Security Engine (BASE)
// Copyright (C) 2019-2023 Nathan Gibbs
// Copyright (C) 2004 BASE Project Team
// Copyright (C) 2000 Carnegie Mellon University
//
//   For license info: See the file 'base_main.php'
//
//       Project Lead: Nathan Gibbs
// Built upon work by: Kevin Johnson & the BASE Project Team
//                     Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
//
//            Purpose: Displays statistics on the detected alerts.
//
//          Author(s): Nathan Gibbs
//                     Kevin Johnson
//                     Joel Esler
//
// Input GET/POST variables
//   - caller
//   - submit
//   - sort_order

$sc = DIRECTORY_SEPARATOR;
require_once("includes$sc" . 'base_krnl.php');
include_once("$BASE_path/includes/base_include.inc.php");
include_once("$BASE_path/base_db_common.php");
include_once("$BASE_path/base_qry_common.php");
include_once("$BASE_path/base_stat_common.php");

AuthorizedRole(10000);
$db = NewBASEDBConnection($DBlib_path, $DBtype); // Connect to DB.
$db->baseDBConnect(
        $db_connect_method,$alert_dbname, $alert_host, $alert_port, $alert_user,
        $alert_password
);
UpdateAlertCache($db);
if ( class_exists('UILang') ){ // Issue 11 backport shim.
        $CPSensor = $UIL->CWA['Sensor'];
        $CPSig = $UIL->CWA['Sig'];
        $CPSA = $UIL->CPA['SrcAddr'];
        $CPDA = $UIL->CPA['DstAddr'];
        $CPLast = $UIL->CWA['Last'];
        $CPFirst = $UIL->CWA['First'];
        $CPTotal = $UIL->CWA['Total'];
}else{
        $CPSensor = _SENSOR;
        $CPSig = _SIGNATURE;
        $CPSA = _NBSOURCEADDR;
        $CPDA = _NBDESTADDR;
        $CPLast = _LAST;
        $CPFirst = _FIRST;
        $CPTotal = _TOTAL;
}
$submit = ImportHTTPVar('submit', VAR_ALPHA | VAR_SPACE, array(_SELECTED, _ALLONSCREEN, _ENTIREQUERY));
$sort_order = ImportHTTPVar('sort_order', VAR_LETTER | VAR_USCORE);
$caller = ImportHTTPVar('caller', VAR_LETTER | VAR_USCORE);
$cs = new CriteriaState('base_stat_alerts.php');
$cs->ReadState();
if ( $caller == 'most_frequent' && $sort_order = 'occur_d' ){
        // Interim Issue #120 Fix
        $sort_order = $CPTotal.'_occur_d';
}
if ( $caller == 'last_alerts' && $sort_order = 'last_d' ){
        // Interim Issue #122 Fix
        $sort_order = $CPLast.'_last_d';
}
$qs = new QueryState();
if ( $caller == 'most_frequent' || $caller == 'last_alerts' ){
        // Issue(s) #120 & #122 Fix
        $qs->current_sort_order = $sort_order;
}
$qs->AddCannedQuery(
        "most_frequent", $freq_num_alerts, _MOSTFREQALERTS, $CPTotal.'_occur_d'
);
$qs->AddCannedQuery(
        "last_alerts", $last_num_ualerts, _LASTALERTS, $CPLast.'_last_d'
);
$qs->MoveView($submit); // Increment the view if necessary.
$page_title = _ALERTTITLE;
if( $qs->isCannedQuery() ){
        $page_title . ': ' . $qs->GetCurrentCannedQueryDesc();
}
PrintBASESubHeader( $page_title, $page_title, $cs->GetBackLink(), 1 );
if( $debug_mode > 0 ){ // Dump debugging info on the shared state.
        PrintCriteriaState();
}
$criteria_clauses = ProcessCriteria();
// Issue #114 fix
NLIO("<div style='overflow:hidden'>", 2);
NLIO("<div style='float: left; width: 60%;'>", 3);
PrintCriteria('');
NLIO('</div>', 3);
NLIO("<div style='float: right; width: 40%;'>", 3);
// RFE by Joel. Wanted the Summary Statistics box on the base_stat_alerts page.
PrintFramedBoxHeader(_QSCSUMM, '#669999', 0, 4);
NLIO('<td>',6);
if ( isset($show_summary_stats) ){ // Issue #5
        if ( getenv('TRAVIS') && version_compare(PHP_VERSION, "5.3.0", "<") ){
                // Issue #5 Test Shim
                $where_sql = " WHERE ";
                $criteria_sql = " 1 = 1 ";
                $join_sql = "";
        }
        PrintGeneralStats(
                $db, 1, $show_summary_stats, "$join_sql ", "$where_sql $criteria_sql"
        );
}
NLIO("<ul class='stats'><li>");
NLIO('<a href="base_stat_time.php">' . _QSCTIMEPROF . '</a> ' . _QSCOFALERTS);
NLIO('</li></ul>');
PrintFramedBoxFooter(1,4);
NLIO ('</div>',3);
NLIO ('</div>',2);
if (is_object($cs)){ // Issue #5
  $from = " FROM acid_event ".$criteria_clauses[0];
  $where = ($criteria_clauses[1] != "") ? " WHERE ".$criteria_clauses[1] : " ";
}else{
        $from = " FROM acid_event ";
        $where = " ";
}
  $qs->AddValidAction("ag_by_id");
  $qs->AddValidAction("ag_by_name");
  $qs->AddValidAction("add_new_ag");
  $qs->AddValidAction("del_alert");
  $qs->AddValidAction("email_alert");
  $qs->AddValidAction("email_alert2");
  $qs->AddValidAction("csv_alert");
  $qs->AddValidAction("archive_alert");
  $qs->AddValidAction("archive_alert2");

  $qs->AddValidActionOp(_SELECTED);
  $qs->AddValidActionOp(_ALLONSCREEN);

  $qs->SetActionSQL($from.$where);
$et->Mark("Initialization");
  $qs->RunAction($submit, PAGE_STAT_ALERTS, $db);
$et->Mark("Alert Action");
// Get total number of events.
// This is expensive, don't do it if we're avoiding count().
// Michael Stone 2005-03-09
if ( $avoid_counts != 1 ){
        $event_cnt = EventCnt($db);
}
// Create SQL to get Unique Alerts.
$cnt_sql = "SELECT count(DISTINCT signature) ".$from.$where;
// Run the query to determine the number of rows (No LIMIT).
$qs->GetNumResultRows($cnt_sql, $db);
$et->Mark("Counting Result size");
// Setup the Query Results Table.
// Common SQL Strings
$OB = ' ORDER BY';
$qro = new QueryResultsOutput("base_stat_alerts.php?caller=".$caller);
$qro->AddTitle('');
$qro->AddTitle( $CPSig,
        "sig_a", " ", "$OB sig_name ASC",
        "sig_d", " ", "$OB sig_name DESC"
);
if ( $db->baseGetDBversion() >= 103 ){
        $qro->AddTitle( _CHRTCLASS,
                "class_a", ", MIN(sig_class_id) ", "$OB sig_class_id ASC ",
                "class_d", ", MIN(sig_class_id) ", "$OB sig_class_id DESC ",
                'left'
        );
}
$qro->AddTitle( $CPTotal,
        "occur_a", " ", "$OB sig_cnt ASC",
        "occur_d", " ", "$OB sig_cnt DESC", 'right'
);
$qro->AddTitle( $CPSensor);
$qro->AddTitle( $CPSA,
        "saddr_a", ", count(DISTINCT ip_src) AS saddr_cnt ", "$OB saddr_cnt ASC",
        "saddr_d", ", count(DISTINCT ip_src) AS saddr_cnt ", "$OB saddr_cnt DESC",
        'right'
);
$qro->AddTitle( $CPDA,
        "daddr_a", ", count(DISTINCT ip_dst) AS daddr_cnt ", "$OB daddr_cnt ASC",
        "daddr_d", ", count(DISTINCT ip_dst) AS daddr_cnt ", "$OB daddr_cnt DESC",
        'right'
);
$qro->AddTitle( $CPFirst,
        "first_a", ", min(timestamp) AS first_timestamp ",
        "$OB first_timestamp ASC",
        "first_d", ", min(timestamp) AS first_timestamp ",
        "$OB first_timestamp DESC"
);
if ( isset($show_previous_alert) && $show_previous_alert == 1 ){
        $qro->AddTitle(_PREVIOUS);
}
$qro->AddTitle( $CPLast,
        "last_a", ", max(timestamp) AS last_timestamp ", "$OB last_timestamp ASC",
        "last_d", ", max(timestamp) AS last_timestamp ", "$OB last_timestamp DESC"
);

// mstone 20050309 add sig_name to GROUP BY & query so it can be used in postgres ORDER BY.
// mstone 20050405 add sid & ip counts.
// Issue #168
$sql = "SELECT DISTINCT signature, count(signature) as sig_cnt, ".
                "min(timestamp), max(timestamp), sig_name, count(DISTINCT(sid)), ".
                "count(DISTINCT(ip_src)), count(DISTINCT(ip_dst)), sig_class_id ";
$sqlPFX = $from.$where." GROUP BY signature, sig_name, sig_class_id ";
$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());
if ( !is_null($sort_sql) ){
        $sqlPFX = $sort_sql[0].$sqlPFX.$sort_sql[1];
}
$sql .= $sqlPFX;
// Run the Query again for the actual data (with the LIMIT), if any.
$result = $qs->ExecuteOutputQuery($sql, $db);
$et->Mark("Retrieve Query Data");
if ( $debug_mode > 0 ){
        if ( $qs->isCannedQuery() ){
                $CCF = 'Yes';
                $qs->PrintCannedQueryList();
        }else{
                $CCF = 'No';
        }
        print "Canned Query: $CCF <br/>";
        $qs->DumpState();
        print "SQL Executed: $sql <br/>";
}
$qs->PrintResultCnt(); // Print current view number and # of rows.

  echo '<FORM METHOD="post" NAME="PacketForm" ACTION="base_stat_alerts.php">';
  
  $qro->PrintHeader();

  $i = 0;
  // The below is due to changes in the queries...
  // We need to verify that it works all the time -- Kevin
  $and = (strpos($where, "WHERE") != 0 ) ? " AND " : " WHERE ";
  while ( ($myrow = $result->baseFetchRow()) && ($i < $qs->GetDisplayRowCnt()) )
  {
     $sig_id = $myrow[0];

     /* get Total Occurrence */
     $total_occurances = $myrow[1];

     /* Get other data */
     $sig_name = $myrow[4];
     $num_sensors = $myrow[5];
     $num_src_ip = $myrow[6];
     $num_dst_ip = $myrow[7];

     /* First and Last timestamp of this signature */
     $start_time = $myrow[2];
     $stop_time = $myrow[3];

                // mstone 20050406 only do this if we're going to provide links to the
                // first/last or if we're going to show the previous event time
                if ( isset($show_first_last_links) && isset($show_previous_alert) ){
                        if ( $show_first_last_links == 1 || $show_previous_alert == 1 ){
       $temp = "SELECT timestamp, acid_event.sid, acid_event.cid ".$from.$where.$and.
               "signature='".$sig_id."'
               ORDER BY timestamp DESC";
       $result2 = $db->baseExecute($temp, 0, 2);
       $last = $result2->baseFetchRow();
       $last_num = $total_occurances - 1;

       /* Getting the previous timestamp of this signature 
        * (I.E. The occurances before Last Timestamp) 
        */
       if ( $show_previous_alert == 1 )
       {
          if ( $total_occurances == 1 )
          {
             $prev = $last;
             $prev_time = $prev[0];
             $prev_num = 0;
          }
          else
          {
                  $prev = $result2->baseFetchRow();
                  $prev_time = $prev[0];
                    $prev_num = $total_occurances - 2;
                  $result2->baseFreeRows();
          }
       }
     }

     if ($show_first_last_links == 1) {
       /* Doing the same as above for the first entry that we are searching for.
        * The reason for doing this is because some older DB's such as ones using ODBC
        * probably don't support the move() function. Therefore, for the older DB's 
        * to get the first entry from the $temp variable above, we would need to 
        * continue to call MoveNext() for each and every entry for that signature. For 
        * signatures with a large amount of alerts(i.e. >1000), this could cause a severe
        * performance hit for those users.
        */ 
       $temp = "SELECT timestamp, acid_event.sid, acid_event.cid ".$from.$where.$and.
               "signature='".$sig_id."'
               ORDER BY timestamp ASC";
       $result2 = $db->baseExecute($temp, 0, 1);
       $first = $result2->baseFetchRow();
       $first_num = 0;
       $result2->baseFreeRows();
     }

                }
                // Print out (Colored Version) -- Alejandro
                if ( isset($colored_alerts) && $colored_alerts == 1 ){
                        $tmp = GetSignaturePriority($sig_id, $db);
                        $tmp2 = $colored_alerts;
                }else{
                        $tmp = $i;
                        $tmp2 = 0;
                }
                qroPrintEntryHeader($tmp, $tmp2);
                $tmp_rowid = rawurlencode($sig_id);
                $tmp = "_lst[$i]";
                qroPrintCheckBox($tmp, $tmp_rowid);
                $tmp = '';
                qroPrintEntry(BuildSigByID($sig_id, $db), 'left');
                if ( $db->baseGetDBversion() >= 103 ){
                        qroPrintEntry(
                                GetSigClassName(GetSigClassID($sig_id, $db), $db),
                                'left'
                        );
                }
                qroPrintEntry(
                        '<A HREF="base_qry_main.php?new=1amp;&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D='.
                   (rawurlencode($sig_id)).'&amp;sig_type=1'.
                   '&amp;submit='._QUERYDBP.'&amp;num_result_rows=-1">'.$total_occurances.'</A>'.
                   /* mstone 20050309 lose this if we're not showing stats */
                   (($avoid_counts != 1)?('('.(round($total_occurances/$event_cnt*100)).'%)'):('')),
                        'right'
                );
     qroPrintEntry('<A HREF="base_stat_sensor.php?sig%5B0%5D=%3D&amp;sig%5B1%5D='.
                    rawurlencode($sig_id).'&amp;sig_type=1">'.$num_sensors.'</A>');

     if ( $db->baseGetDBversion() >= 100 )
        $addr_link = '&amp;sig_type=1&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D='.rawurlencode($sig_id);
     else
        $addr_link = '&amp;sig%5B0%5D=%3D&amp;sig%5B1%5D='.rawurlencode($sig_id);

        qroPrintEntry(
                BuildUniqueAddressLink( 1, $addr_link )."$num_src_ip</a>",'right'
        );
        qroPrintEntry(
                BuildUniqueAddressLink( 2, $addr_link)."$num_dst_ip</a>",'right'
        );
        if ( isset($show_first_last_links) && $show_first_last_links == 1 ){
       qroPrintEntry('<FONT>'.
                     '<A HREF="base_qry_alert.php?'.
                     'submit=%23'.$first_num.'-%28'.$first[1].'-'.$first[2].'%29">'.
                     $start_time.'</FONT>');

       if ( $show_previous_alert == 1 )
          qroPrintEntry('<FONT>'.
                        '<A HREF="base_qry_alert.php?'.
                        'submit=%23'.$prev_num.'-%28'.$prev[1].'-'.$prev[2].'%29">'.
                        $prev_time.'</FONT>');

       qroPrintEntry('<FONT>'.
                     '<A HREF="base_qry_alert.php?'.
                     'submit=%23'.$last_num.'-%28'.$last[1].'-'.$last[2].'%29">'.
                     $stop_time.'</FONT>');
     } else {
       qroPrintEntry('<FONT>'.$start_time.'</FONT>');
       if ( $show_previous_alert == 1 )
         qroPrintEntry('<FONT>'.$prev_time.'</FONT>');
       qroPrintEntry('<FONT>'.$stop_time.'</FONT>');
     }

     qroPrintEntryFooter();

     $i++;
     $prev_time = null;
  }

$result->baseFreeRows();

$qro->PrintFooter();
$qs->PrintBrowseButtons();
$qs->PrintAlertActionButtons();
$qs->SaveState();
ExportHTTPVar("sort_order", $sort_order);
NLIO('</form>',2);
$et->Mark("Get Query Elements");
PrintBASESubFooter();
?>

1	<?php
2	// Basic Analysis and Security Engine (BASE)
3	// Copyright (C) 2019-2023 Nathan Gibbs
4	// Copyright (C) 2004 BASE Project Team
5	// Copyright (C) 2000 Carnegie Mellon University
6	//
7	// For license info: See the file 'base_main.php'
8	//
9	// Project Lead: Nathan Gibbs
10	// Built upon work by: Kevin Johnson & the BASE Project Team
11	// Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
12	//
13	// Purpose: Displays statistics on the detected alerts.
14	//
15	// Author(s): Nathan Gibbs
16	// Kevin Johnson
17	// Joel Esler
18	//
19	// Input GET/POST variables
20	// - caller
21	// - submit
22	// - sort_order
23
24	$sc = DIRECTORY_SEPARATOR;	×
25	require_once("includes$sc" . 'base_krnl.php');	×
26	include_once("$BASE_path/includes/base_include.inc.php");	×
27	include_once("$BASE_path/base_db_common.php");	×
28	include_once("$BASE_path/base_qry_common.php");	×
29	include_once("$BASE_path/base_stat_common.php");	×
30
31	AuthorizedRole(10000);	×
32	$db = NewBASEDBConnection($DBlib_path, $DBtype); // Connect to DB.	×
33	$db->baseDBConnect(	×
34	$db_connect_method,$alert_dbname, $alert_host, $alert_port, $alert_user,
35	$alert_password
36	);
37	UpdateAlertCache($db);	×
38	if ( class_exists('UILang') ){ // Issue 11 backport shim.	×
39	$CPSensor = $UIL->CWA['Sensor'];	×
40	$CPSig = $UIL->CWA['Sig'];	×
41	$CPSA = $UIL->CPA['SrcAddr'];	×
42	$CPDA = $UIL->CPA['DstAddr'];	×
43	$CPLast = $UIL->CWA['Last'];	×
44	$CPFirst = $UIL->CWA['First'];	×
45	$CPTotal = $UIL->CWA['Total'];	×
46	}else{	×
47	$CPSensor = _SENSOR;	×
48	$CPSig = _SIGNATURE;	×
49	$CPSA = _NBSOURCEADDR;	×
50	$CPDA = _NBDESTADDR;	×
51	$CPLast = _LAST;	×
52	$CPFirst = _FIRST;	×
53	$CPTotal = _TOTAL;	×
54	}
55	$submit = ImportHTTPVar('submit', VAR_ALPHA \| VAR_SPACE, array(_SELECTED, _ALLONSCREEN, _ENTIREQUERY));	×
56	$sort_order = ImportHTTPVar('sort_order', VAR_LETTER \| VAR_USCORE);	×
57	$caller = ImportHTTPVar('caller', VAR_LETTER \| VAR_USCORE);	×
58	$cs = new CriteriaState('base_stat_alerts.php');	×
59	$cs->ReadState();	×
60	if ( $caller == 'most_frequent' && $sort_order = 'occur_d' ){	×
61	// Interim Issue #120 Fix
62	$sort_order = $CPTotal.'_occur_d';	×
63	}
64	if ( $caller == 'last_alerts' && $sort_order = 'last_d' ){	×
65	// Interim Issue #122 Fix
66	$sort_order = $CPLast.'_last_d';	×
67	}
68	$qs = new QueryState();	×
69	if ( $caller == 'most_frequent' \|\| $caller == 'last_alerts' ){	×
70	// Issue(s) #120 & #122 Fix
71	$qs->current_sort_order = $sort_order;	×
72	}
73	$qs->AddCannedQuery(	×
74	"most_frequent", $freq_num_alerts, _MOSTFREQALERTS, $CPTotal.'_occur_d'
75	);
76	$qs->AddCannedQuery(	×
77	"last_alerts", $last_num_ualerts, _LASTALERTS, $CPLast.'_last_d'
78	);
79	$qs->MoveView($submit); // Increment the view if necessary.	×
80	$page_title = _ALERTTITLE;	×
81	if( $qs->isCannedQuery() ){	×
82	$page_title . ': ' . $qs->GetCurrentCannedQueryDesc();	×
83	}
84	PrintBASESubHeader( $page_title, $page_title, $cs->GetBackLink(), 1 );	×
85	if( $debug_mode > 0 ){ // Dump debugging info on the shared state.	×
86	PrintCriteriaState();	×
87	}
88	$criteria_clauses = ProcessCriteria();	×
89	// Issue #114 fix
90	NLIO("<div style='overflow:hidden'>", 2);	×
91	NLIO("<div style='float: left; width: 60%;'>", 3);	×
92	PrintCriteria('');	×
93	NLIO('</div>', 3);	×
94	NLIO("<div style='float: right; width: 40%;'>", 3);	×
95	// RFE by Joel. Wanted the Summary Statistics box on the base_stat_alerts page.
96	PrintFramedBoxHeader(_QSCSUMM, '#669999', 0, 4);	×
97	NLIO('<td>',6);	×
98	if ( isset($show_summary_stats) ){ // Issue #5	×
99	if ( getenv('TRAVIS') && version_compare(PHP_VERSION, "5.3.0", "<") ){	×
100	// Issue #5 Test Shim
101	$where_sql = " WHERE ";	×
102	$criteria_sql = " 1 = 1 ";	×
103	$join_sql = "";	×
104	}
105	PrintGeneralStats(	×
106	$db, 1, $show_summary_stats, "$join_sql ", "$where_sql $criteria_sql"	×
107	);
108	}
109	NLIO("<ul class='stats'><li>");	×
110	NLIO('<a href="base_stat_time.php">' . _QSCTIMEPROF . '</a> ' . _QSCOFALERTS);	×
111	NLIO('</li></ul>');	×
112	PrintFramedBoxFooter(1,4);	×
113	NLIO ('</div>',3);	×
114	NLIO ('</div>',2);	×
115	if (is_object($cs)){ // Issue #5	×
116	$from = " FROM acid_event ".$criteria_clauses[0];	×
117	$where = ($criteria_clauses[1] != "") ? " WHERE ".$criteria_clauses[1] : " ";	×
118	}else{	×
119	$from = " FROM acid_event ";	×
120	$where = " ";	×
121	}
122	$qs->AddValidAction("ag_by_id");	×
123	$qs->AddValidAction("ag_by_name");	×
124	$qs->AddValidAction("add_new_ag");	×
125	$qs->AddValidAction("del_alert");	×
126	$qs->AddValidAction("email_alert");	×
127	$qs->AddValidAction("email_alert2");	×
128	$qs->AddValidAction("csv_alert");	×
129	$qs->AddValidAction("archive_alert");	×
130	$qs->AddValidAction("archive_alert2");	×
131
132	$qs->AddValidActionOp(_SELECTED);	×
133	$qs->AddValidActionOp(_ALLONSCREEN);	×
134
135	$qs->SetActionSQL($from.$where);	×
136	$et->Mark("Initialization");	×
137	$qs->RunAction($submit, PAGE_STAT_ALERTS, $db);	×
138	$et->Mark("Alert Action");	×
139	// Get total number of events.
140	// This is expensive, don't do it if we're avoiding count().
141	// Michael Stone 2005-03-09
142	if ( $avoid_counts != 1 ){	×
143	$event_cnt = EventCnt($db);	×
144	}
145	// Create SQL to get Unique Alerts.
146	$cnt_sql = "SELECT count(DISTINCT signature) ".$from.$where;	×
147	// Run the query to determine the number of rows (No LIMIT).
148	$qs->GetNumResultRows($cnt_sql, $db);	×
149	$et->Mark("Counting Result size");	×
150	// Setup the Query Results Table.
151	// Common SQL Strings
152	$OB = ' ORDER BY';	×
153	$qro = new QueryResultsOutput("base_stat_alerts.php?caller=".$caller);	×
154	$qro->AddTitle('');	×
155	$qro->AddTitle( $CPSig,	×
156	"sig_a", " ", "$OB sig_name ASC",	×
157	"sig_d", " ", "$OB sig_name DESC"	×
158	);
159	if ( $db->baseGetDBversion() >= 103 ){	×
160	$qro->AddTitle( _CHRTCLASS,	×
161	"class_a", ", MIN(sig_class_id) ", "$OB sig_class_id ASC ",	×
162	"class_d", ", MIN(sig_class_id) ", "$OB sig_class_id DESC ",	×
163	'left'
164	);
165	}
166	$qro->AddTitle( $CPTotal,	×
167	"occur_a", " ", "$OB sig_cnt ASC",	×
168	"occur_d", " ", "$OB sig_cnt DESC", 'right'	×
169	);
170	$qro->AddTitle( $CPSensor);	×
171	$qro->AddTitle( $CPSA,	×
172	"saddr_a", ", count(DISTINCT ip_src) AS saddr_cnt ", "$OB saddr_cnt ASC",	×
173	"saddr_d", ", count(DISTINCT ip_src) AS saddr_cnt ", "$OB saddr_cnt DESC",	×
174	'right'
175	);
176	$qro->AddTitle( $CPDA,	×
177	"daddr_a", ", count(DISTINCT ip_dst) AS daddr_cnt ", "$OB daddr_cnt ASC",	×
178	"daddr_d", ", count(DISTINCT ip_dst) AS daddr_cnt ", "$OB daddr_cnt DESC",	×
179	'right'
180	);
181	$qro->AddTitle( $CPFirst,	×
182	"first_a", ", min(timestamp) AS first_timestamp ",
183	"$OB first_timestamp ASC",	×
184	"first_d", ", min(timestamp) AS first_timestamp ",
185	"$OB first_timestamp DESC"	×
186	);
187	if ( isset($show_previous_alert) && $show_previous_alert == 1 ){	×
188	$qro->AddTitle(_PREVIOUS);	×
189	}
190	$qro->AddTitle( $CPLast,	×
191	"last_a", ", max(timestamp) AS last_timestamp ", "$OB last_timestamp ASC",	×
192	"last_d", ", max(timestamp) AS last_timestamp ", "$OB last_timestamp DESC"	×
193	);
194
195	// mstone 20050309 add sig_name to GROUP BY & query so it can be used in postgres ORDER BY.
196	// mstone 20050405 add sid & ip counts.
197	// Issue #168
198	$sql = "SELECT DISTINCT signature, count(signature) as sig_cnt, ".	×
199	"min(timestamp), max(timestamp), sig_name, count(DISTINCT(sid)), ".
200	"count(DISTINCT(ip_src)), count(DISTINCT(ip_dst)), sig_class_id ";
201	$sqlPFX = $from.$where." GROUP BY signature, sig_name, sig_class_id ";	×
202	$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());	×
203	if ( !is_null($sort_sql) ){	×
204	$sqlPFX = $sort_sql[0].$sqlPFX.$sort_sql[1];	×
205	}
206	$sql .= $sqlPFX;	×
207	// Run the Query again for the actual data (with the LIMIT), if any.
208	$result = $qs->ExecuteOutputQuery($sql, $db);	×
209	$et->Mark("Retrieve Query Data");	×
210	if ( $debug_mode > 0 ){	×
211	if ( $qs->isCannedQuery() ){	×
212	$CCF = 'Yes';	×
213	$qs->PrintCannedQueryList();	×
214	}else{	×
215	$CCF = 'No';	×
216	}
217	print "Canned Query: $CCF <br/>";	×
218	$qs->DumpState();	×
219	print "SQL Executed: $sql <br/>";	×
220	}
221	$qs->PrintResultCnt(); // Print current view number and # of rows.	×
222
223	echo '<FORM METHOD="post" NAME="PacketForm" ACTION="base_stat_alerts.php">';	×
224
225	$qro->PrintHeader();	×
226
227	$i = 0;	×
228	// The below is due to changes in the queries...
229	// We need to verify that it works all the time -- Kevin
230	$and = (strpos($where, "WHERE") != 0 ) ? " AND " : " WHERE ";	×
231	while ( ($myrow = $result->baseFetchRow()) && ($i < $qs->GetDisplayRowCnt()) )	×
232	{
233	$sig_id = $myrow[0];	×
234
235	/* get Total Occurrence */
236	$total_occurances = $myrow[1];	×
237
238	/* Get other data */
239	$sig_name = $myrow[4];	×
240	$num_sensors = $myrow[5];	×
241	$num_src_ip = $myrow[6];	×
242	$num_dst_ip = $myrow[7];	×
243
244	/* First and Last timestamp of this signature */
245	$start_time = $myrow[2];	×
246	$stop_time = $myrow[3];	×
247
248	// mstone 20050406 only do this if we're going to provide links to the
249	// first/last or if we're going to show the previous event time
250	if ( isset($show_first_last_links) && isset($show_previous_alert) ){	×
251	if ( $show_first_last_links == 1 \|\| $show_previous_alert == 1 ){	×
252	$temp = "SELECT timestamp, acid_event.sid, acid_event.cid ".$from.$where.$and.	×
253	"signature='".$sig_id."'
254	ORDER BY timestamp DESC";
255	$result2 = $db->baseExecute($temp, 0, 2);	×
256	$last = $result2->baseFetchRow();	×
257	$last_num = $total_occurances - 1;	×
258
259	/* Getting the previous timestamp of this signature
260	* (I.E. The occurances before Last Timestamp)
261	*/
262	if ( $show_previous_alert == 1 )	×
263	{
264	if ( $total_occurances == 1 )	×
265	{
266	$prev = $last;	×
267	$prev_time = $prev[0];	×
268	$prev_num = 0;	×
269	}
270	else	×
271	{
272	$prev = $result2->baseFetchRow();	×
273	$prev_time = $prev[0];	×
274	$prev_num = $total_occurances - 2;	×
275	$result2->baseFreeRows();	×
276	}
277	}
278	}
279
280	if ($show_first_last_links == 1) {	×
281	/* Doing the same as above for the first entry that we are searching for.
282	* The reason for doing this is because some older DB's such as ones using ODBC
283	* probably don't support the move() function. Therefore, for the older DB's
284	* to get the first entry from the $temp variable above, we would need to
285	* continue to call MoveNext() for each and every entry for that signature. For
286	* signatures with a large amount of alerts(i.e. >1000), this could cause a severe
287	* performance hit for those users.
288	*/
289	$temp = "SELECT timestamp, acid_event.sid, acid_event.cid ".$from.$where.$and.	×
290	"signature='".$sig_id."'
291	ORDER BY timestamp ASC";
292	$result2 = $db->baseExecute($temp, 0, 1);	×
293	$first = $result2->baseFetchRow();	×
294	$first_num = 0;	×
295	$result2->baseFreeRows();	×
296	}
297
298	}
299	// Print out (Colored Version) -- Alejandro
300	if ( isset($colored_alerts) && $colored_alerts == 1 ){	×
301	$tmp = GetSignaturePriority($sig_id, $db);	×
302	$tmp2 = $colored_alerts;	×
303	}else{	×
304	$tmp = $i;	×
305	$tmp2 = 0;	×
306	}
307	qroPrintEntryHeader($tmp, $tmp2);	×
308	$tmp_rowid = rawurlencode($sig_id);	×
309	$tmp = "_lst[$i]";	×
310	qroPrintCheckBox($tmp, $tmp_rowid);	×
311	$tmp = '';	×
312	qroPrintEntry(BuildSigByID($sig_id, $db), 'left');	×
313	if ( $db->baseGetDBversion() >= 103 ){	×
314	qroPrintEntry(	×
315	GetSigClassName(GetSigClassID($sig_id, $db), $db),	×
316	'left'
317	);
318	}
319	qroPrintEntry(	×
320	'<A HREF="base_qry_main.php?new=1amp;&sig%5B0%5D=%3D&sig%5B1%5D='.
321	(rawurlencode($sig_id)).'&sig_type=1'.	×
322	'&submit='._QUERYDBP.'&num_result_rows=-1">'.$total_occurances.'</A>'.
323	/* mstone 20050309 lose this if we're not showing stats */
324	(($avoid_counts != 1)?('('.(round($total_occurances/$event_cnt*100)).'%)'):('')),	×
325	'right'
326	);
327	qroPrintEntry('<A HREF="base_stat_sensor.php?sig%5B0%5D=%3D&sig%5B1%5D='.	×
328	rawurlencode($sig_id).'&sig_type=1">'.$num_sensors.'</A>');	×
329
330	if ( $db->baseGetDBversion() >= 100 )	×
331	$addr_link = '&sig_type=1&sig%5B0%5D=%3D&sig%5B1%5D='.rawurlencode($sig_id);	×
332	else	×
333	$addr_link = '&sig%5B0%5D=%3D&sig%5B1%5D='.rawurlencode($sig_id);	×
334
335	qroPrintEntry(	×
336	BuildUniqueAddressLink( 1, $addr_link )."$num_src_ip</a>",'right'	×
337	);
338	qroPrintEntry(	×
339	BuildUniqueAddressLink( 2, $addr_link)."$num_dst_ip</a>",'right'	×
340	);
341	if ( isset($show_first_last_links) && $show_first_last_links == 1 ){	×
342	qroPrintEntry('<FONT>'.	×
343	'<A HREF="base_qry_alert.php?'.
344	'submit=%23'.$first_num.'-%28'.$first[1].'-'.$first[2].'%29">'.	×
345	$start_time.'</FONT>');
346
347	if ( $show_previous_alert == 1 )	×
348	qroPrintEntry('<FONT>'.	×
349	'<A HREF="base_qry_alert.php?'.
350	'submit=%23'.$prev_num.'-%28'.$prev[1].'-'.$prev[2].'%29">'.	×
351	$prev_time.'</FONT>');
352
353	qroPrintEntry('<FONT>'.	×
354	'<A HREF="base_qry_alert.php?'.
355	'submit=%23'.$last_num.'-%28'.$last[1].'-'.$last[2].'%29">'.	×
356	$stop_time.'</FONT>');
357	} else {	×
358	qroPrintEntry('<FONT>'.$start_time.'</FONT>');	×
359	if ( $show_previous_alert == 1 )	×
360	qroPrintEntry('<FONT>'.$prev_time.'</FONT>');	×
361	qroPrintEntry('<FONT>'.$stop_time.'</FONT>');	×
362	}
363
364	qroPrintEntryFooter();	×
365
366	$i++;	×
367	$prev_time = null;	×
368	}
369
370	$result->baseFreeRows();	×
371
372	$qro->PrintFooter();	×
373	$qs->PrintBrowseButtons();	×
374	$qs->PrintAlertActionButtons();	×
375	$qs->SaveState();	×
376	ExportHTTPVar("sort_order", $sort_order);	×
377	NLIO('</form>',2);	×
378	$et->Mark("Get Query Elements");	×
379	PrintBASESubFooter();	×
380	?>

NathanGibbs3 / BASE / 627

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous