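<?php
/*******************************************************************************
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
**
** (see the file 'base_main.php' for license details)
**
** Project Leads: Kevin Johnson <kjohnson@secureideas.net>
**                Built upon work by Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
**
** Purpose: displays a single alert
**
** Input GET/POST variables
**   - caller
**   - submit:
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson <kjohnson@secureideas.net>
**
********************************************************************************
*/

/*
 * Trust boundaries on this page (reviewer notes):
 *
 *  - "submit", "caller", "sort_order", the "asciiclean" GET/cookie value and
 *    $_SERVER["QUERY_STRING"] are request-supplied.
 *  - $seq, $sid and $cid are produced by GetQueryResultID() from $submit.
 *    NOTE(review): that helper lives outside this file; they are treated
 *    here as request-derived strings until validated.
 *  - Rows read from sensor / opt / data hold values that originate from
 *    sensors and from the logged packets, so string columns are
 *    HTML-escaped before they are echoed.
 */

  include ("base_conf.php");
  include ("$BASE_path/includes/base_constants.inc.php");
  include ("$BASE_path/includes/base_include.inc.php");
  include_once ("$BASE_path/base_db_common.php");
  include_once ("$BASE_path/base_qry_common.php");
  include_once ("$BASE_path/base_stat_common.php");

  // Check role out and redirect if needed -- Kevin
  $roleneeded = 10000;
  $payload = FALSE;
  $offset = 0;
  $BUser = new BaseUser();
  if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1))
  {
    base_header("Location: ". $BASE_urlpath . "/index.php");
    /* NOTE(review): whether base_header() ends the request is not visible
     * in this file.  Stop explicitly so that none of the alert data below
     * is rendered for a user who lacks the role. */
    exit();
  }

  # set cookie for packet display
  if (isset($_GET['asciiclean'])) {
    setcookie('asciiclean', (1 == $_GET['asciiclean']) ? 'clean' : 'normal');
  }

  $sf_portscan_flag = 0;


/**
 * Builds the link that toggles between the plain and the cleaned payload view.
 *
 * The current query string and the "sort_order" request variable are carried
 * over into the link.  The query string has passed CleanVariable(), but which
 * punctuation VAR_PUNC admits is not visible in this file, so the value is
 * HTML-escaped before it is placed inside the href attribute.
 *
 * @return string HTML fragment containing the link
 */
function PrintCleanURL()
{
  // This function creates the url to display the cleaned up payload -- Kevin
  $query = CleanVariable($_SERVER["QUERY_STRING"], VAR_PERIOD | VAR_DIGIT | VAR_PUNC | VAR_LETTER);
  $sort_order = ImportHTTPVar("sort_order", VAR_LETTER | VAR_USCORE);

  /* The GET parameter wins; the cookie is only consulted when the
   * parameter is absent. */
  $clean_active = (isset($_GET['asciiclean']) && $_GET['asciiclean'] == 1) ||
                  ( isset($_COOKIE['asciiclean']) && ($_COOKIE['asciiclean'] == "clean") &&
                    (!isset($_GET['asciiclean'])) );

  if ( $clean_active )
  {
    //create link to non-cleaned payload display
    $target_mode = '0';
    $label = _QANORMALD;
  }
  else
  {
    //create link to cleaned payload display
    $target_mode = '1';
    $label = _QAPLAIND;
  }

  $url = '<center><a href="base_qry_alert.php?' . htmlspecialchars($query, ENT_QUOTES);
  $url.= '&sort_order='.urlencode($sort_order).'&asciiclean='.$target_mode.'">'.$label.'</a></center>';
  return $url;
}

/**
 * Builds the link that offers the payload of one alert as a download.
 *
 * @param object $db  database connection (not used by this function)
 * @param mixed  $cid event id, URL-encoded into the link
 * @param mixed  $sid sensor id, URL-encoded into the link
 * @return string HTML fragment containing the link
 */
function PrintBinDownload($db, $cid, $sid){
  // Offering a URL to a download possibility:
  $query = CleanVariable($_SERVER["QUERY_STRING"], VAR_PERIOD | VAR_DIGIT | VAR_PUNC | VAR_LETTER);

  $clean_active = (isset($_GET['asciiclean']) && ($_GET['asciiclean'] == 1)) ||
                  ( (isset($_COOKIE['asciiclean']) && $_COOKIE['asciiclean'] == "clean") &&
                    (!isset($_GET['asciiclean'])) );
  $ascii_mode = $clean_active ? '1' : '0';

  /* Escaped for the attribute context; see PrintCleanURL() for the reason. */
  $url = '<center><a href="base_payload.php?' . htmlspecialchars($query, ENT_QUOTES);
  $url.= '&download=1&cid='.urlencode($cid).'&sid='.urlencode($sid).'&asciiclean='.$ascii_mode.'">Download of Payload</a></center>';
  return $url;
}

/**
 * Builds the link that offers one alert as a pcap download.
 *
 * The download type is 2 when the `data` table has both a `pcap_header` and a
 * `data_header` column, and 3 otherwise.  When the column list cannot be
 * read, the problem is reported and type 3 is used.
 *
 * @param object $db  database connection; $db->DB->MetaColumnNames() is queried
 * @param mixed  $cid event id, URL-encoded into the link
 * @param mixed  $sid sensor id, URL-encoded into the link
 * @return string HTML fragment containing the link
 */
function PrintPcapDownload($db, $cid, $sid)
{
  if (!isset($db))
  {
    error_log("ERROR: \$db is NOT set.");
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": db is NOT set. Ignoring.");
    /* debug_print_backtrace() prints and returns nothing, so it cannot be
     * concatenated into a string.  Capture its output, and escape it because
     * it contains file paths and call arguments. */
    ob_start();
    debug_print_backtrace();
    $trace = ob_get_clean();
    ErrorMessage("<BR><PRE>\n\n" . htmlspecialchars($trace) . "\n\n</PRE><BR>\n");
  }

  if (!isset($db->DB))
  {
    error_log("ERROR: \$db->DB is NOT set.");
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": db->DB is NOT set. Ignoring.");
    ob_start();
    debug_print_backtrace();
    $trace = ob_get_clean();
    ErrorMessage("<BR><PRE>\n\n" . htmlspecialchars($trace) . "\n\n</PRE><BR>\n");
  }

  /* Query the schema once.  Without a usable connection the column list is
   * left empty instead of calling a method on something that is not set. */
  $data_columns = isset($db->DB) ? $db->DB->MetaColumnNames('data') : array();

  if (!is_array($data_columns))
  {
    error_log("ERROR: \$db->DB->MetaColumnNames('data') is NOT an array.");
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": db->DB->MetaColumnNames('data') is NOT an array. Ignoring.");
    print "<BR><PRE>\n\n";
    debug_print_backtrace();
    print "\n\n" ;
    var_dump($data_columns);
    print "</PRE><BR>\n\n" ;
    /* in_array() below needs an array */
    $data_columns = array();
  }

  if ( in_array("pcap_header", $data_columns) && in_array("data_header", $data_columns) ) {
    $type = 2;
  } else {
    $type = 3;
  }

  $query = CleanVariable($_SERVER["QUERY_STRING"], VAR_PERIOD | VAR_DIGIT | VAR_PUNC | VAR_LETTER);

  $clean_active = (isset($_GET['asciiclean']) && $_GET['asciiclean'] == 1) ||
                  ( isset($_COOKIE['asciiclean']) && ($_COOKIE["asciiclean"] == "clean") &&
                    (!isset($_GET['asciiclean'])) );
  $ascii_mode = $clean_active ? '1' : '0';

  /* Escaped for the attribute context; see PrintCleanURL() for the reason. */
  $url = '<center><a href="base_payload.php?' . htmlspecialchars($query, ENT_QUOTES);
  $url.= '&download='.urlencode($type).'&cid='.urlencode($cid).'&sid='.urlencode($sid).'&asciiclean='.$ascii_mode.'">Download in pcap format</a></center>';
  return $url;
}

/**
 * Prepares the "previous" / "next" controls for browsing single alerts.
 *
 * Runs $save_sql and fetches rows 0 .. $seq+1.  The row at $seq-1 becomes the
 * "previous" submit button and the row at $seq+1 the "next" one; each button
 * value has the form "#seq-(col0-col1)" built from the first two columns of
 * that row.  At the start or end of the result a "[ first ]" / "[ last ]"
 * marker is used instead.
 *
 * @param mixed  $seq             position of the current alert in the result
 * @param string $save_sql        query whose rows are walked
 * @param object $db              database connection
 * @param string $previous_button (out) HTML for the "previous" control
 * @param string $next_button     (out) HTML for the "next" control
 * @return void
 */
function PrintPacketLookupBrowseButtons($seq, $save_sql, $db, &$previous_button, &$next_button)
{
  echo "\n\n<!-- Single Alert Browsing Buttons -->\n";

  $result2 = $db->baseExecute($save_sql);

  if ( $seq == 0 )
    $previous_button = '[ '._FIRST.' ]'."\n";

  for ( $i = 0; $i <= $seq+1; $i++ )
  {
    $myrow2 = $result2->baseFetchRow();

    if ( $myrow2 == "" )
      $next_button = '[ '._LAST.' ]'."\n";
    else if ( $i == $seq-1 ) {
      $previous_button = '<INPUT TYPE="submit" NAME="submit" VALUE="<< '._PREVIOUS.' #';
      $previous_button.= ($seq-1).'-('.$myrow2[0].'-'.$myrow2[1].')">'."\n";
    }
    else if ( $i == $seq+1 ) {
      $next_button = '<INPUT TYPE="submit" NAME="submit" VALUE=">> '._NEXT.' #';
      $next_button.= ($seq+1).'-('.$myrow2[0].'-'.$myrow2[1].')">'."\n";
    }
  }

  $result2->baseFreeRows();
}

  /*
   *  Need to import $submit and set the $QUERY_STRING early to support
   *  the back button.  Otherwise, the value of $submit will not be passed
   *  to the history.
   */

  /* This call can include "#xx-(xx-xx)" values and "submit" values. */
  $submit = ImportHTTPVar("submit", VAR_DIGIT | VAR_PUNC | VAR_LETTER, array(_SELECTED, _ALLONSCREEN, _ENTIREQUERY));

  $_SERVER["QUERY_STRING"] = "submit=".rawurlencode($submit);

  $et = new EventTiming($debug_time_mode);
  $cs = new CriteriaState("base_qry_main.php", "&new=1&submit="._QUERYDBP);
  $cs->ReadState();

  $qs = new QueryState();

  $page_title = _ALERT;
  PrintBASESubHeader($page_title, $page_title, $cs->GetBackLink(), $refresh_all_pages);

  /* Connect to the Alert database */
  $db = NewBASEDBConnection($DBlib_path, $DBtype);
  $db->baseDBConnect($db_connect_method,
                     $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);

  PrintCriteria("");
  $criteria_clauses = ProcessCriteria();

  $from = " FROM acid_event ".$criteria_clauses[0];
  $where = " WHERE ".$criteria_clauses[1];

  $qs->AddValidAction("ag_by_id");
  $qs->AddValidAction("ag_by_name");
  $qs->AddValidAction("add_new_ag");
  $qs->AddValidAction("del_alert");
  $qs->AddValidAction("email_alert");
  $qs->AddValidAction("email_alert2");
  $qs->AddValidAction("archive_alert");
  $qs->AddValidAction("archive_alert2");

  $qs->AddValidActionOp(_SELECTED);

  $qs->SetActionSQL($from.$where);

  $et->Mark("Initialization");

  $qs->RunAction($submit, PAGE_ALERT_DISPLAY, $db);
  $et->Mark("Alert Action");

  /* If get a valid (sid,cid) store it in $caller.
   * But if $submit is returning from an alert action
   * get the (sid,cid) back from $caller
   */
  if ( $submit == _SELECTED )
    $submit = ImportHTTPVar("caller", VAR_DIGIT | VAR_PUNC);
  else
    $caller = $submit;

  /* Setup the Query Results Table -- However, this data structure is not
   * really used for output.  Rather, it duplicates the sort SQL set in
   * base_qry_sqlcalls.php
   */
  $qro = new QueryResultsOutput("");

  $qro->AddTitle("Signature",
                 "sig_a", " ", " ORDER BY sig_name ASC",
                 "sig_d", " ", " ORDER BY sig_name DESC");
  $qro->AddTitle("Timestamp",
                 "time_a", " ", " ORDER BY timestamp ASC ",
                 "time_d", " ", " ORDER BY timestamp DESC ");
  $qro->AddTitle("Source<BR>Address",
                 "sip_a", " ", " ORDER BY ip_src ASC",
                 "sip_d", " ", " ORDER BY ip_src DESC");
  $qro->AddTitle("Dest.<BR>Address",
                 "dip_a", " ", " ORDER BY ip_dst ASC",
                 "dip_d", " ", " ORDER BY ip_dst DESC");
  $qro->AddTitle("Layer 4<BR>Proto",
                 "proto_a", " ", " ORDER BY layer4_proto ASC",
                 "proto_d", " ", " ORDER BY layer4_proto DESC");

  $sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), "");
  $save_sql = "SELECT acid_event.sid, acid_event.cid".$sort_sql[0].
              $from.$where.$sort_sql[1];

  if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);

  GetQueryResultID($submit, $seq, $sid, $cid);

  /* Not validated yet at this point, so escape before echoing. */
  if ( $debug_mode > 0 )
    echo "\n====== Alert Lookup =======<BR>
          sid = ".htmlspecialchars((string) $sid)."<BR>
          cid = ".htmlspecialchars((string) $cid)."<BR>
          seq = ".htmlspecialchars((string) $seq)."<BR>\n".
         "===========================<BR>\n";

  /* Verify that have extracted (sid, cid) correctly.
   *
   * A plain "> 0" comparison is not enough: a string with a numeric prefix
   * can satisfy it, and most queries below place $sid / $cid into the SQL
   * text without filterSql().  Requiring digits only at this single point
   * keeps every later query and every later echo of the pair safe.
   */
  $pair_is_numeric = preg_match('/^[0-9]+$/', (string) $sid) &&
                     preg_match('/^[0-9]+$/', (string) $cid);

  if ( !$pair_is_numeric || !($sid > 0 && $cid > 0) )
  {
    ErrorMessage(_QAINVPAIR." (".htmlspecialchars((string) $sid).",".htmlspecialchars((string) $cid).")");
    exit();
  }

  echo "<FORM METHOD=\"GET\" ACTION=\"base_qry_alert.php\">\n";
  PrintPacketLookupBrowseButtons($seq, $save_sql, $db, $previous, $next);
  /* $seq is not covered by the check above; escape it on output. */
  echo "<CENTER>\n<B>"._ALERT." #".htmlspecialchars((string) $seq)."</B><BR>\n$previous    \n$next\n</CENTER>\n";
  echo "<HR>\n";

  /* Make Selected */
  /* $submit is request-supplied and lands inside an attribute value. */
  echo "\n<INPUT TYPE=\"hidden\" NAME=\"action_chk_lst[0]\" VALUE=\"".htmlspecialchars((string) $submit, ENT_QUOTES)."\">\n";

  /* Event */
  $sql2 = "SELECT signature, timestamp FROM acid_event WHERE sid='".filterSql($sid)."' AND cid='".filterSql($cid)."'";
  if ($debug_mode > 0)
  {
    print "<BR><BR>\n\n" . __FILE__ . ":" . __LINE__ . ": DEBUG: \$sql2 = \"$sql2\"<BR><BR>\n\n";
  }
  $result2 = $db->baseExecute($sql2);
  $myrow2 = $result2->baseFetchRow();

  if ( $myrow2[0] == "" )
  {
    echo '<CENTER><B>';
    ErrorMessage(_QAALERTDELET);
    echo '</CENTER></B>';
  }

  /* Get sensor parameters: */
  $sql4 = "SELECT hostname, interface, filter, encoding, detail FROM sensor WHERE sid='".filterSql($sid)."'";
  $result4 = $db->baseExecute($sql4);
  $myrow4 = $result4->baseFetchRow();
  $result4->baseFreeRows();
  $encoding = $myrow4[3];
  $detail = $myrow4[4];

  echo '
       <BLOCKQUOTE>
       <TABLE BORDER=1 width="90%">
          <TR><TD CLASS="metatitle" WIDTH=50 ALIGN=CENTER ROWSPAN=4>Meta
              <TD>
                  <TABLE BORDER=1 CELLPADDING=4>
                    <TR><TD CLASS="plfieldhdr" >'._ID.' #</TD>
                        <TD CLASS="plfieldhdr">'._CHRTTIME.'</TD>
                        <TD CLASS="plfieldhdr">'._QATRIGGERSIG.'</TD></TR>
                    <TR><TD CLASS="plfield">'.($sid." - ".$cid).'</TD>
                        <TD CLASS="plfield">'.htmlspecialchars($myrow2[1]).'</TD>
                        <TD CLASS="plfield">'.(GetTagTriger(BuildSigByID($myrow2[0], $db), $db, $sid, $cid)).'</TD></TR>
                  </TABLE>
              </TD>
          </TR>';

  /* interface and filter are free-text sensor columns: escape them like
   * the hostname next to them. */
  echo '  <TR>
             <TD>
                <TABLE BORDER=1 CELLPADDING=4>
                  <TR><TD CLASS="metatitle" ALIGN=CENTER ROWSPAN=2>'._SENSOR.'</TD>
                      <TD class="plfieldhdr">'._SENSOR.' '._ADDRESS.'</TD>
                      <TD class="plfieldhdr">'._INTERFACE.'</TD>
                      <TD class="plfieldhdr">'._FILTER.'</TD>
                  </TR>
                  <TR><TD class="plfield">'.htmlspecialchars($myrow4[0]).'</TD>
                      <TD class="plfield">'.
                      ( ($myrow4[1] == "") ? " <I>"._NONE."</I> " : htmlspecialchars($myrow4[1]) ).'</TD>
                      <TD class="plfield">'.
                      ( ($myrow4[2] == "") ? " <I>"._NONE."</I> " : htmlspecialchars($myrow4[2]) ).'</TD>
                  </TR>
                </TABLE>
          </TR>';

  if ( $resolve_IP == 1 )
  {
    echo '  <TR>
               <TD>
                  <TABLE BORDER=1 CELLPADDING=4>
                    <TR><TD CLASS="iptitle" ALIGN=CENTER ROWSPAN=2>FQDN</TD>
                        <TD class="plfieldhdr">'._SENSOR.' '._NAME.'</TD>
                    </TR>
                    <TR><TD class="plfield">';
    # Is this a dotted IPv4 address?
    $pattern = '/(\d{1,3}\.){3}\d{1,3}/';
    if (preg_match($pattern, $myrow4[0]))
    {
      echo baseGetHostByAddr($myrow4[0], $db, $dns_cache_lifetime);
    }
    else
    {
      /* same column that is escaped in the sensor table above */
      echo htmlspecialchars($myrow4[0]);
    }
    echo '              </TD>
                    </TR>
                  </TABLE>
            </TR>';
  }

  /* $result4 was already released right after the sensor row was fetched,
   * so it is not freed a second time here. */

  $sql4 = "SELECT acid_ag_alert.ag_id, ag_name, ag_desc ".
          "FROM acid_ag_alert LEFT JOIN acid_ag ON acid_ag_alert.ag_id = acid_ag.ag_id ".
          "WHERE ag_sid='".$sid."' AND ag_cid='".$cid."'";
  $result4 = $db->baseExecute($sql4);
  $num = $result4->baseRecordCount();

  echo '  <TR>
             <TD>
                <TABLE BORDER=1 CELLPADDING=4>
                  <TR><TD CLASS="metatitle" ALIGN=CENTER ROWSPAN='.($num+1).'>'._ALERTGROUP.'</TD>';

  if ( $num > 0 )
    echo '            <TD class="plfieldhdr">'._ID.'</TD>
                      <TD class="plfieldhdr">'._NAME.'</TD>
                      <TD class="plfieldhdr">'._DESC.'</TD></TR>';
  else
    echo '            <TD> <I>'._NONE.'</I> </TD></TR>';

  for ($i = 0; $i < $num; $i++)
  {
    $myrow4 = $result4->baseFetchRow();

    echo '        <TR><TD class="plfield">'.htmlspecialchars($myrow4[0]).'</TD>
                      <TD class="plfield">'.htmlspecialchars($myrow4[1]).'</TD>
                      <TD class="plfield">'.htmlspecialchars($myrow4[2]).'</TD>
                  </TR>';
  }
  echo '        </TABLE>';
  $result4->baseFreeRows();

  echo '    </TR>
       </TABLE>';
  $result2->baseFreeRows();

  /* IP */
  $sql2 = "SELECT ip_src, ip_dst, ".
          "ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_csum, ip_proto".
          " FROM iphdr WHERE sid='".$sid."' AND cid='".$cid."'";

  $result2 = $db->baseExecute($sql2);
  $myrow2 = $result2->baseFetchRow();

  $layer4_proto = -1;
  if ( $myrow2[0] != "" )
  {
    $sql3 = "SELECT * FROM opt WHERE sid='".$sid."' AND cid='".$cid."' AND opt_proto='0'";
    $result3 = $db->baseExecute($sql3);
    $num_opt = $result3->baseRecordCount();

    echo '
         <TABLE BORDER=1 WIDTH="90%">
            <TR><TD CLASS="iptitle" WIDTH=50 ROWSPAN=3 ALIGN=CENTER>IP';
    echo '      <TD>';
    echo '         <TABLE BORDER=1 CELLPADDING=2>';
    echo '            <TR><TD class="plfieldhdr">'._NBSOURCEADDR.'</TD>
                          <TD class="plfieldhdr"> '._NBDESTADDR.' </TD>
                          <TD class="plfieldhdr">Ver</TD>
                          <TD class="plfieldhdr">Hdr Len</TD>
                          <TD class="plfieldhdr">TOS</TD>
                          <TD class="plfieldhdr">'._LENGTH.'</TD>
                          <TD class="plfieldhdr">'._ID.'</TD>
                          <TD class="plfieldhdr">fragment</TD>
                          <TD class="plfieldhdr">offset</TD>
                          <TD class="plfieldhdr">TTL</TD>
                          <TD class="plfieldhdr">chksum</TD></TR>';
    echo '            <TR><TD class="plfield">
                          <A HREF="base_stat_ipaddr.php?ip='.baseLong2IP($myrow2[0]).'&netmask=32">'.
                          baseLong2IP($myrow2[0]).'</A></TD>';
    echo '                <TD class="plfield">
                          <A HREF="base_stat_ipaddr.php?ip='.baseLong2IP($myrow2[1]).'&netmask=32">'.
                          baseLong2IP($myrow2[1]).'</A></TD>';
    echo '                <TD class="plfield">'.htmlspecialchars($myrow2[2]).'</TD>';
    echo '                <TD class="plfield">'.($myrow2[3] << 2).'</TD>'; /* ihl is in 32 bit words, must be multiplied by 4 to show in bytes */
    echo '                <TD class="plfield">'.htmlspecialchars($myrow2[4]).'</TD>';
    echo '                <TD class="plfield">'.htmlspecialchars($myrow2[5]).'</TD>';
    echo '                <TD class="plfield">'.htmlspecialchars($myrow2[6]).'</TD>';
    echo '                <TD class="plfield">';
    echo ($myrow2[7] == 1) ? 'yes' : 'no';
    echo '</TD>';
    list( , $my_offset, ) = unpack("n", pack("S", $myrow2[8]));
    echo '                <TD class="plfield">'. ($my_offset * 8) .'</TD>';
    echo '                <TD class="plfield">'.htmlspecialchars($myrow2[9]).'</TD>';
    echo '                <TD class="plfield">'.htmlspecialchars($myrow2[10]).'<BR>= 0x'.dechex($myrow2[10]).'</TD></TR>';
    echo '         </TABLE>';

    if ( $resolve_IP == 1 )
    {
      echo '  <TR>
                 <TD>
                    <TABLE BORDER=1 CELLPADDING=4>
                      <TR><TD CLASS="iptitle" ALIGN=CENTER ROWSPAN=2>FQDN</TD>
                          <TD class="plfieldhdr">'._SOURCENAME.'</TD>
                          <TD class="plfieldhdr">'._DESTNAME.'</TD>
                      </TR>
                      <TR><TD class="plfield">'.
                          (baseGetHostByAddr(baseLong2IP($myrow2[0]),
                                             $db, $dns_cache_lifetime)).'</TD>
                          <TD class="plfield">'.
                          (baseGetHostByAddr(baseLong2IP($myrow2[1]),
                                             $db, $dns_cache_lifetime)).'</TD>
                      </TR>
                    </TABLE>
              </TR>';
    }

    echo '  <TR>';
    echo '      <TD>';
    echo '         <TABLE BORDER=1 CELLPADDING=4>';
    echo '            <TR><TD CLASS="iptitle" ALIGN=CENTER ROWSPAN='.(($num_opt != 0) ? ($num_opt+1) : 1).'>'._OPTIONS.'</TD>';

    $layer4_proto = $myrow2[11];

    if ( $num_opt > 0 )
    {
      echo '            <TD></TD>
                        <TD class="plfieldhdr">'._CODE.'</TD>
                        <TD class="plfieldhdr">'._LENGTH.'</TD>
                        <TD class="plfieldhdr" ALIGN=CENTER>'._DATA.'</TD>';

      for ( $i = 0; $i < $num_opt; $i++)
      {
        $myrow3 = $result3->baseFetchRow();
        echo '    <TR><TD>#'.($i+1).'</TD>';
        echo '        <TD class="plfield">'.IPOption2str($myrow3[4]).'</TD>';
        echo '        <TD class="plfield">'.htmlspecialchars($myrow3[5]).'</TD>';
        echo '        <TD class="plfield">';
        if ($myrow3[6] != "" )
          /* option data comes from the logged packet: escape it */
          echo htmlspecialchars($myrow3[6]);
        else
          echo ' ';
        echo '</TD></TR>';
      }
    }
    else
    {
      echo '            <TD>     <I>'._NONE.' </I></TD></TR>';
    }
    echo '         </TABLE></TD></TR>';

    echo '</TABLE>';
    $result3->baseFreeRows();
  }
  $result2->baseFreeRows();


  /* If we have FLoP's (Fast Logging Project for Snort) extended
   * database schema then we can show mac addresses from `data_header`
   * field from `data` table
   */
  if (!isset($db))
  {
    error_log("ERROR: \$db is NOT set.");
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": db is NOT set. Ignoring.");
    /* debug_print_backtrace() prints and returns nothing: capture its
     * output and escape it before handing it to ErrorMessage(). */
    ob_start();
    debug_print_backtrace();
    $trace = ob_get_clean();
    ErrorMessage("<BR><PRE>\n\n" . htmlspecialchars($trace) . "\n\n</PRE><BR>\n");
  }

  if (!isset($db->DB))
  {
    error_log("ERROR: \$db->DB is NOT set.");
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": db->DB is NOT set. Ignoring.");
    ob_start();
    debug_print_backtrace();
    $trace = ob_get_clean();
    ErrorMessage("<BR><PRE>\n\n" . htmlspecialchars($trace) . "\n\n</PRE><BR>\n");
  }

  /* Read the column list once; fall back to an empty list when it is not
   * available so that in_array() below always receives an array. */
  $data_columns = isset($db->DB) ? $db->DB->MetaColumnNames('data') : array();

  if (!is_array($data_columns))
  {
    error_log("ERROR: \$db->DB->MetaColumnNames('data') is NOT an array.");
    ErrorMessage(__FILE__ . ":" . __LINE__ . ": db->DB->MetaColumnNames('data') is NOT an array. Ignoring.");
    print "<BR><PRE>\n\n";
    debug_print_backtrace();
    print "\n\n" ;
    var_dump($data_columns);
    print "</PRE><BR>\n\n" ;
    $data_columns = array();
  }

  if (in_array("data_header", $data_columns)) {

    $sql5 = "SELECT data_header FROM data WHERE sid='$sid' AND cid='$cid'";
    $result5 = $db->baseExecute($sql5);
    $myrow5 = $result5->baseFetchRow();
    $result5->baseFreeRows();

    if (is_array($myrow5))
    {
      if ( $debug_mode > 0 ) {
        echo "<debug><BR>";
        echo "Encoding: ".htmlspecialchars((string) $encoding)."<BR>";
        echo "Data header: <".htmlspecialchars((string) $myrow5[0])."><BR>";
        echo "strlen: " . strlen($myrow5[0]);
        echo "<br>Base64 decoded: <" . htmlspecialchars(base64_decode($myrow5[0])) . "><BR>";
        echo "strlen: " . strlen(base64_decode($myrow5[0]));
        echo "<br>bin2hex: <" . bin2hex(base64_decode($myrow5[0])) . "><BR>";
        echo "strlen: " . strlen(bin2hex(base64_decode($myrow5[0])));
        echo "<BR></debug><BR>";
      }

      /* Stays empty for an unsupported encoding, so the length test below
       * reads a defined value. */
      $t = '';

      /* 0 == hex, 1 == base64, 2 == ascii; cf. snort-2.4.4/src/plugbase.h */
      if ($encoding == 0) {
        $t = $myrow5[0];
      } elseif ($encoding == 1) {
        $t = bin2hex(base64_decode($myrow5[0]));
      } else {
        echo "<BR><BR>This type of encoding is not supported. Please use either hex oder ";
        echo "base64 encoding. Do not use ascii, because ascii encoding loses data.<BR><BR>";
      }

      /* from here on $t is in hex format, even if original encoding was base64 */

      /* "MACDAD" (ascii code in hex: 4d 41 43 44 41 44) is a key word used by
       * sfPortscan, rather than a real MAC address; cf.
       * snort-2.6.0/doc/README.sfportscan
       * snort-2.6.0/src/preprocessors/spp_sfportscan.c
       * snort-2.6.0/src/preprocessors/flow/portscan/flowps_snort.c */
      if ( strlen($t) >= 24 && strncmp($t, '4d41434441444d4143444144', 24) != 0)
      {
        /* first 12 hex digits: destination, next 12: source */
        $dst_mac = implode(':', str_split(substr($t, 0, 12), 2));
        $src_mac = implode(':', str_split(substr($t, 12, 12), 2));

        /* With hex encoding $t is the stored column value as-is, so the
         * derived strings are escaped before output. */
        echo '
             <TABLE BORDER=1 WIDTH="90%">
                <TR><TD CLASS="iptitle" WIDTH=50 ROWSPAN=3 ALIGN=CENTER>MAC';
        echo '      <TD>';
        echo '         <TABLE BORDER=1 CELLPADDING=2>';
        echo '            <TR><TD class="plfieldhdr">'._NBSOURCEADDR.'</TD>
                              <TD class="plfieldhdr"> '._NBDESTADDR.' </TD></TR>
                          <TR><TD>'. htmlspecialchars($src_mac) .'</TD>
                              <TD>'. htmlspecialchars($dst_mac) .'</TD></TR>
                          <TR><TD>'. GetVendor($src_mac) .'</TD>
                              <TD>'. GetVendor($dst_mac) .'</TD></TR>';
        echo '         </TABLE>';
        echo '</TABLE></TD></TR>';
      }
      else
      {
        /* "MACDAD" indicates that this is an sfportscan packet. This means
           the database does NOT contain a real packet. Therefore
           building a pcap file won't be possible. */
        $sf_portscan_flag = 1;
      }
    }
  }


  /* TCP */
  if ( $layer4_proto == "6" )
  {
    $sql2 = "SELECT tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, ".
            " tcp_csum, tcp_urp FROM tcphdr WHERE sid='".$sid."' AND cid='".$cid."'";
    $result2 = $db->baseExecute($sql2);
    $myrow2 = $result2->baseFetchRow();

    $sql3 = "SELECT * FROM opt WHERE sid='".$sid."' AND cid='".$cid."' AND opt_proto='6'";
    $result3 = $db->baseExecute($sql3);
    $num_opt = $result3->baseRecordCount();

    echo '
         <TABLE BORDER=1 WIDTH="90%">
            <TR><TD CLASS="layer4title" WIDTH=50 ROWSPAN=2 ALIGN=CENTER>TCP';
    echo '      <TD>';
    echo '         <TABLE BORDER=1 CELLPADDING=2>';
    echo '            <TR><TD class="plfieldhdr">'._SHORTSOURCE.'<BR> '._PORT.'</TD>
                          <TD class="plfieldhdr"> '._SHORTDEST.'<BR>   '._PORT.'  </TD>
                          <TD class="plfieldhdr">R<BR>1</TD>
                          <TD class="plfieldhdr">R<BR>0</TD>
                          <TD class="plfieldhdr">U<BR>R<BR>G</TD>
                          <TD class="plfieldhdr">A<BR>C<BR>K</TD>
                          <TD class="plfieldhdr">P<BR>S<BR>H</TD>
                          <TD class="plfieldhdr">R<BR>S<BR>T</TD>
                          <TD class="plfieldhdr">S<BR>Y<BR>N</TD>
                          <TD class="plfieldhdr">F<BR>I<BR>N</TD>
                          <TD class="plfieldhdr">seq #</TD>
                          <TD class="plfieldhdr">ack</TD>
                          <TD class="plfieldhdr">offset</TD>
                          <TD class="plfieldhdr">res</TD>
                          <TD class="plfieldhdr">window</TD>
                          <TD class="plfieldhdr">urp</TD>
                          <TD class="plfieldhdr">chksum</TD></TR>';

    $src_port = $myrow2[0].'<BR>';
    foreach ($external_port_link as $name => $baseurl) {
      $src_port = $src_port.'[<A HREF="'.$baseurl.$myrow2[0].'" TARGET="_ACID_PORT_">'.$name.'</A>] ';
    }
    $dst_port = $myrow2[1].'<BR>';
    foreach ($external_port_link as $name => $baseurl) {
      $dst_port = $dst_port.'[<A HREF="'.$baseurl.$myrow2[1].'" TARGET="_ACID_PORT_">'.$name.'</A>] ';
    }
    echo '            <TR><TD class="plfield">'.$src_port.'</TD>';
    echo '                <TD class="plfield">'.$dst_port.'</TD>';

    /* One cell per bit of tcp_flags, highest bit first, in the order of the
     * column headers above (R1 R0 URG ACK PSH RST SYN FIN). */
    $flag_cells = array();
    foreach (array(128, 64, 32, 16, 8, 4, 2, 1) as $flag_bit) {
      $flag_cells[] = ( ($myrow2[6] & $flag_bit) != 0 ) ? 'X' : ' ';
    }
    echo ' <TD class="plfield">'.implode(' </TD><TD class="plfield">', $flag_cells).' </TD>';

    echo '                <TD class="plfield">'.$myrow2[2].'</TD>';
    echo '                <TD class="plfield">'.$myrow2[3].'</TD>';

    /* data offset is in 32 bit words, cf. RFC 793, 3.1 (= p. 16),
     * PrintTCPHeader() in snort-2.6.0/src/log.c
     * DecodeTCP() in snort-2.6.0/src/decode.c
     * #define TCP_OFFSET(tcph) in snort-2.6.0/src/decode.h
     * Database() in snort-2.6.0/src/output-plugins/spo_database.c */
    echo '                <TD class="plfield">'. ($myrow2[4] << 2) .'</TD>';
    echo '                <TD class="plfield">'.$myrow2[5].'</TD>';
    echo '                <TD class="plfield">'.$myrow2[7].'</TD>';
    echo '                <TD class="plfield">'.$myrow2[9].'</TD>';
    echo '                <TD class="plfield">'.$myrow2[8].'<BR>=<BR>0x'.dechex($myrow2[8]).'</TD></TR>';
    echo '         </TABLE></TR>';
    echo '  <TR>';
    echo '      <TD>';
    echo '         <TABLE BORDER=1 CELLPADDING=4>';
    echo '            <TR><TD CLASS="layer4title" ALIGN=CENTER ROWSPAN='.(($num_opt != 0) ? ($num_opt+1) : 1).'>'._OPTIONS.'</TD>';

    if ( $num_opt != 0)
    {
      echo '            <TD></TD>
                        <TD class="plfieldhdr">'._CODE.'</TD>
                        <TD class="plfieldhdr">'._LENGTH.'</TD>
                        <TD class="plfieldhdr">'._DATA.'</TD>';

      /* Check which kind of encoding is used: */
      $sql4 = 'SELECT encoding FROM sensor WHERE sid='.$sid;
      $result4 = $db->baseExecute($sql4);
      $myrow4 = $result4->baseFetchRow();
      $result4->baseFreeRows();

      for ( $i = 0; $i < $num_opt; $i++)
      {
        $myrow3 = $result3->baseFetchRow();
        echo '    <TR><TD class="plfield">#'.($i+1).'</TD>';
        echo '        <TD class="plfield">'.TCPOption2str($myrow3[4]).'</TD>';
        echo '        <TD class="plfield">'.$myrow3[5].'</TD>';
        echo '        <TD class="plfield">';

        if ($myrow4[0] == 1)
        /* base64 encoding */
        {
          if ($myrow3[5] > 0)
          {
            $mystr = bin2hex(base64_decode($myrow3[6]));

            /* The stored option length and the stored option data are
             * separate columns and need not agree.  substr() yields an
             * empty piece past the end of the data instead of reading an
             * undefined string offset. */
            for ($j = 0; $j < $myrow3[5] * 2; $j = $j + 2)
            {
              echo substr($mystr, $j, 2);
              echo ' ';
            }
            echo '<BR>';
            if (TCPOption2str($myrow3[4]) == "(8) TS")
            /* timestamp: cf. RFC 1323, 3.2 */
            {
              /* TSval: first 8 hex digits */
              $TSval = hexdec(substr($mystr, 0, 8));
              echo ' TSval: ' . $TSval . '<BR>';

              /* TSecr: next 8 hex digits */
              $TSecr = hexdec(substr($mystr, 8, 8));
              echo ' TSecr: ' . $TSecr . '<BR>';
            }

            echo ' </TD></TR>';
          }
          else
          {
            echo '{No data}</TD></TR>';
          }
        }
        else
        {
          /* hexadecimal encoding (and ASCII) */
          if ($myrow3[6] != "" )
            /* option data comes from the logged packet: escape it */
            echo htmlspecialchars($myrow3[6]);
          else
            echo ' ';
          echo '</TD></TR>';
        }
      }
    }
    else
    {
      echo '            <TD class="plfield"> <I>'._NONE.' </I></TD></TR>';
    }
    echo '         </TABLE></TD></TR>';

    echo '</TABLE>';

    $result2->baseFreeRows();
    $result3->baseFreeRows();
  }

  /* UDP */
  if ( $layer4_proto == "17" )
  {

    $sql2 = "SELECT * FROM udphdr WHERE sid='".$sid."' AND cid='".$cid."'";
    $result2 = $db->baseExecute($sql2);
    $myrow2 = $result2->baseFetchRow();

    echo '
         <TABLE BORDER=1 WIDTH="90%">
            <TR><TD CLASS="layer4title" WIDTH=50 ROWSPAN=2 ALIGN=CENTER>UDP</TD>';
    echo '      <TD>';
    echo '         <TABLE BORDER=1 CELLPADDING=2>';
    echo '            <TR><TD class="plfieldhdr">'._SOURCEPORT.'</TD>
                          <TD class="plfieldhdr">'._DESTPORT.'</TD>
                          <TD class="plfieldhdr">'._LENGTH.'</TD></TR>';

    $src_port = $myrow2[2].'<BR>';
    foreach ($external_port_link as $name => $baseurl) {
      $src_port = $src_port.'[<A HREF="'.$baseurl.$myrow2[2].'" TARGET="_ACID_PORT_">'.$name.'</A>] ';
    }

    $dst_port = $myrow2[3].'<BR>';
    foreach ($external_port_link as $name => $baseurl) {
      $dst_port = $dst_port.'[<A HREF="'.$baseurl.$myrow2[3].'" TARGET="_ACID_PORT_">'.$name.'</A>] ';
    }

    echo '            <TR><TD class="plfield">'.$src_port.'</TD>';
    echo '                <TD class="plfield">'.$dst_port.'</TD>';
    echo '                <TD class="plfield">'.$myrow2[4].'</TD></TR>';
    echo '         </TABLE></TD></TR>';
    echo '</TABLE>';

    $result2->baseFreeRows();
  }

  /* ICMP */
  if ( $layer4_proto == "1" )
  {
    $sql2 = "SELECT icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq FROM icmphdr ".
            "WHERE sid='".$sid."' AND cid='".$cid."'";
    $result2 = $db->baseExecute($sql2);
    $myrow2 = $result2->baseFetchRow();
    $ICMPitype = $myrow2[0];
    $ICMPicode = $myrow2[1];

    echo '
         <TABLE BORDER=1 WIDTH="90%">
            <TR><TD class="layer4title" WIDTH=50 ROWSPAN=2 ALIGN=CENTER>ICMP';
    echo '      <TD>';
    echo '         <TABLE BORDER=1 CELLPADDING=2>';
    echo '            <TR><TD class="plfieldhdr">'._TYPE.'</TD>
                          <TD class="plfieldhdr">'._CODE.'</TD>
                          <TD class="plfieldhdr">checksum</TD>';
    if ($ICMPitype == "5") {
      echo '              <TD class="plfieldhdr">gateway address</TD>';
      echo '              <TD class="plfieldhdr">gateway hostname</TD>';
    } else {
      echo '              <TD class="plfieldhdr">'._ID.'</TD>
                          <TD class="plfieldhdr">seq #</TD>';
    }

    echo '            </TR>';
    echo '            <TR><TD class="plfield">('.$myrow2[0].') '.ICMPType2str($myrow2[0]).'</TD>';
    echo '                <TD class="plfield">('.$myrow2[1].') '.ICMPCode2str($myrow2[0],$myrow2[1]).'</TD>';
    echo '                <TD class="plfield">'.$myrow2[2].'<BR>=<BR>0x'. dechex($myrow2[2]) .'</TD>';

    if ($ICMPitype == "5") {
      /* For a redirect the icmp_id / icmp_seq columns are shown as the four
       * octets of the gateway address. */
      $gateway_numeric_ip = (int)($myrow2[3] / 256) . "." . ($myrow2[3] % 256) . ".". (int)($myrow2[4] / 256) . "." . ($myrow2[4] % 256);
      $gateway_hostname = baseGetHostByAddr($gateway_numeric_ip, $db, $dns_cache_lifetime);

      echo '              <TD class="plfield"><A HREF="base_stat_ipaddr.php?ip=' . $gateway_numeric_ip . '&netmask=32" TARGET="_PL_SIP">' . $gateway_numeric_ip . '</A></TD>';
      echo '              <TD class="plfield">' . $gateway_hostname . '</TD>';
    } else {
      echo '              <TD class="plfield">'.$myrow2[3].'</TD>';
      echo '              <TD class="plfield">'.$myrow2[4].'</TD>';
    }

    echo '            </TR>';
    echo '         </TABLE>';
    echo '</TABLE>';

    $result2->baseFreeRows();
  }

  /* Print the Payload */
  $sql2 = "SELECT data_payload FROM data WHERE sid='".$sid."' AND cid='".$cid."'";
  $result2 = $db->baseExecute($sql2);
  $myrow2 = $result2->baseFetchRow();
  $result2->baseFreeRows();
  if ( !empty($myrow2) )
    $payload = $myrow2[0];

  echo '
       <TABLE BORDER=1 WIDTH="90%">
          <TR><TD class="payloadtitle" WIDTH=50 ROWSPAN=2 ALIGN=CENTER>Payload';
  echo("<br><br>".PrintCleanURL());
  echo("<br>".PrintBinDownload($db, $cid, $sid));
  if ($sf_portscan_flag != 1)
  {
    echo("<br>".PrintPcapDownload($db, $cid, $sid));
  }
  else
  {
    echo "<br>(Download in pcap format is NOT possible with portscan data)";
  }
  echo '      <TD>';

  if ( $payload )
  {
    /* print the packet based on encoding type */
    PrintPacketPayload($payload, $encoding, 1);

    if ( $layer4_proto == "1" )
    {
      /* The ICMP types below carry the header of the packet that triggered
       * them, which is decoded further down.
       *
       * The type 3 / type 11 test and its list of codes are grouped
       * explicitly.  Without the parentheses "&&" binds tighter than "||",
       * so any ICMP packet with code 1, 3, 4, 9 or 13 was decoded as if it
       * embedded an IP header, whatever its type. */
      if ( /* IF ICMP source quench */
           ($ICMPitype == "4" && $ICMPicode == "0") ||
           /* IF ICMP redirect */
           ($ICMPitype == "5") ||
           /* IF ICMP parameter problem */
           ($ICMPitype == "12" && $ICMPicode == "0") ||
           /* IF ( network, host, port unreachable OR
                   frag needed OR network admin prohibited OR filtered) */
           ( ($ICMPitype == "3" || $ICMPitype == "11" ) &&
             ( $ICMPicode == "0" || $ICMPicode == "1" ||
               $ICMPicode == "3" || $ICMPicode == "4" ||
               $ICMPicode == "9" || $ICMPicode == "13" ) ) )
      {
        /* 0 == hex, 1 == base64, 2 == ascii; cf. snort-2.4.4/src/plugbase.h */
        if ($encoding == 1) {
          /* encoding is base64 */
          $work = bin2hex(base64_decode(str_replace("\n","",$payload)));
        } else {
          /* assuming that encoding is hex */
          $work = str_replace("\n","",$payload);
        }

        /* $work is the payload as hex digits taken from a logged packet and
         * may be shorter than the offsets used below.  Every field is read
         * with substr(), which gives an empty piece (decoded as 0) past the
         * end instead of an undefined string offset. */

        /*
         *  - depending on how the packet logged, 32-bits of NULL padding after
         *    the checksum may still be present.
         *
         * Compared with === : with == two digit strings are compared as
         * numbers, so a value such as "0e123456" would also count as padding.
         */
        if ( substr($work, 0, 8) === "00000000" ) {
          $offset = 8;
        }
        /* for dest. unreachable, frag needed and DF bit set indent the padding
         * of MTU of next hop
         */
        else if ( ($ICMPitype == "3") && ($ICMPicode == "4") ) {
          $offset += 8;
        }

        $icmp_proto = hexdec(substr($work, 18 + $offset, 2));

        $payload_ip_checksum = "0x" . substr($work, 20 + $offset, 4);

        $icmp_src = hexdec(substr($work, 24 + $offset, 2)).".".
                    hexdec(substr($work, 26 + $offset, 2)).".".
                    hexdec(substr($work, 28 + $offset, 2)).".".
                    hexdec(substr($work, 30 + $offset, 2));
        $icmp_dst = hexdec(substr($work, 32 + $offset, 2)).".".
                    hexdec(substr($work, 34 + $offset, 2)).".".
                    hexdec(substr($work, 36 + $offset, 2)).".".
                    hexdec(substr($work, 38 + $offset, 2));

        /* The second hex digit of the embedded header is its length in
         * 32 bit words, i.e. 8 hex digits per word.  It is decoded with
         * hexdec() because lengths of 10 to 15 words appear as the digits
         * a-f, which are not numbers to the * operator. */
        $hdr_offset = hexdec(substr($work, $offset + 1, 1)) * 8 + $offset;
        $icmp_src_port = hexdec(substr($work, $hdr_offset, 4));
        $icmp_dst_port = hexdec(substr($work, $hdr_offset + 4, 4));

        if ($ICMPitype == "5") {
          $seq_no_hex = substr($work, 8 + $hdr_offset, 8);
          $seq_no = hexdec($seq_no_hex);
        }

        echo '<TABLE BORDER=1>';
        echo '<TR>';

        echo '<TD class="plfieldhdr">Protocol</TD>';
        echo '<TD class="plfieldhdr">Org.Source<BR>IP</TD>';
        echo '<TD class="plfieldhdr">Org.Source<BR>Name</TD>';

        if ( $icmp_proto == "6" || $icmp_proto == "17" ) {
          echo '<TD class="plfieldhdr">Org.Source<BR>Port</TD>';
        }

        echo '<TD class="plfieldhdr">Org.Destination<BR>IP</TD>';
        echo '<TD class="plfieldhdr">Org.Destination<BR>Name</TD>';

        if ( $icmp_proto == "6" || $icmp_proto == "17" ) {
          echo '<TD class="plfieldhdr">Org.Destination<BR>Port</TD>';
        }

        if ( $ICMPitype == "5" ) {
          echo '<TD class="plfieldhdr">IP Hdr Checksum</TD>';
          echo '<TD class="plfieldhdr">Sequence Number</TD>';
        }

        echo '</TR>';
        echo '<TR>';

        echo '<TD class="plfield">'.IPProto2Str($icmp_proto).'</TD>';
        echo '<TD class="plfield">';
        echo '<A HREF="base_stat_ipaddr.php?ip='.$icmp_src.'&netmask=32" TARGET="_PL_SIP">'.$icmp_src.'</A></TD>';
        echo '<TD class="plfield">'.baseGetHostByAddr($icmp_src, $db, $dns_cache_lifetime).'</TD>';

        if ( $icmp_proto == "6" || $icmp_proto == "17" ) {
          echo '<TD class="plfield">'.$icmp_src_port.'</TD>';
        }

        echo '<TD class="plfield">';
        echo '<A HREF="base_stat_ipaddr.php?ip='.$icmp_dst.'&netmask=32" TARGET="_PL_DIP">'.$icmp_dst.'</A></TD>';
        echo '<TD class="plfield">'.baseGetHostByAddr($icmp_dst, $db, $dns_cache_lifetime).'</TD>';

        if ( $icmp_proto == "6" || $icmp_proto == "17" ) {
          echo '<TD class="plfield">'.$icmp_dst_port.'</TD>';
        }

        if ($ICMPitype == "5") {
          /* With hex encoding this is a slice of the stored payload text. */
          echo '<TD class="plfield">' . htmlspecialchars($payload_ip_checksum) . '</TD>';
          echo '<TD class="plfield">' . $seq_no . '</TD>';
        }

        echo '</TR>';
        echo '</TABLE>';
      }
    }
  }
  else
  {
    /* Don't have payload so lets print out why by checking the detail level */

    /* if have fast detail level */
    if ( $detail == "0" )
      echo '<BR>   <I>'._QANOPAYLOAD.'</I><BR>';
    else
      echo '<BR>   <I>'._NONE.' </I><BR>';
  }

  echo '</TABLE></BLOCKQUOTE><P>';

  echo "<CENTER>$previous     $next</CENTER>";

  $qs->PrintAlertActionButtons();
  $qs->SaveState();
  ExportHTTPVar("caller", $caller);

  echo "\n</FORM>\n";

  PrintBASESubFooter();

  $et->Mark("Get Query Elements");
  $et->PrintTiming();
  echo "</body>\r\n</html>";
?>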