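<?php
/*******************************************************************************
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
**
** (see the file 'base_main.php' for license details)
**
** Project Leads: Kevin Johnson <kjohnson@secureideas.net>
**                Sean Muller <samwise_diver@users.sourceforge.net>
** Built upon work by Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
**
** Purpose: Displays statistics on communication links (IP addresses)
**
** Input GET/POST variables
**   - caller
**   - submit:
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson <kjohnson@secureideas.net
**
********************************************************************************
*/

  include ("base_conf.php");
  include ("$BASE_path/includes/base_constants.inc.php");
  include ("$BASE_path/includes/base_include.inc.php");
  include_once ("$BASE_path/base_db_common.php");
  include_once ("$BASE_path/base_qry_common.php");
  include_once ("$BASE_path/base_stat_common.php");

  /* Request parameters: every value taken from the request goes through
   * ImportHTTPVar(), which restricts the character set.  $sort_order is
   * limited to letters and underscore, which is why it can be embedded in
   * the links built further down without additional escaping. */
  $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(_SELECTED, _ALLONSCREEN, _ENTIREQUERY));
  $sort_order = ImportHTTPVar("sort_order", VAR_LETTER | VAR_USCORE);
  $action = ImportHTTPVar("action", VAR_ALPHA);

  $et = new EventTiming($debug_time_mode);
  $cs = new CriteriaState("base_stat_iplink.php");
  $cs->ReadState();

  /* Role check: users below $roleneeded are sent back to the index page
   * when the authentication system is enabled.  Execution must stop here as
   * well -- base_header() is not visible in this file and may only emit the
   * Location header, in which case the statistics below would still be
   * rendered and sent to the unauthorised caller. -- Kevin */
  $roleneeded = 10000;
  $BUser = new BaseUser();
  if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1))
  {
    base_header("Location: ". $BASE_urlpath . "/index.php");
    exit;
  }

  $qs = new QueryState();
  $qs->AddCannedQuery("most_frequent", $freq_num_alerts, _MOSTFREQALERTS, "occur_d");
  $qs->AddCannedQuery("last_alerts", $last_num_ualerts, _LASTALERTS, "last_d");

  $qs->MoveView($submit); /* increment the view if necessary */

  /* Page header: canned queries get their description appended to the
   * title; an explicit $action disables the auto-refresh (last argument). */
  $page_title = _SIPLTITLE;
  if ( $qs->isCannedQuery() )
  {
    $page_title = $page_title.": ".$qs->GetCurrentCannedQueryDesc();
  }
  if ($action == "")
  {
    PrintBASESubHeader($page_title, $page_title, $cs->GetBackLink(), 1);
  }
  else
  {
    PrintBASESubHeader($page_title, $page_title, $cs->GetBackLink(), $refresh_all_pages);
  }

  /* Connect to the Alert database */
  $db = NewBASEDBConnection($DBlib_path, $DBtype);
  $db->baseDBConnect($db_connect_method,
                     $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);

  if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);

  /* $criteria_clauses[0] holds extra FROM tables, [1] the WHERE body */
  $criteria_clauses = ProcessCriteria();
  PrintCriteria("");

  $from = " FROM acid_event ".$criteria_clauses[0];
  $where = " WHERE ".$criteria_clauses[1];

  /* Actions the alert-action buttons on this page may trigger */
  $qs->AddValidAction("ag_by_id");
  $qs->AddValidAction("ag_by_name");
  $qs->AddValidAction("add_new_ag");
  $qs->AddValidAction("del_alert");
  $qs->AddValidAction("email_alert");
  $qs->AddValidAction("email_alert2");
  $qs->AddValidAction("csv_alert");
  $qs->AddValidAction("archive_alert");
  $qs->AddValidAction("archive_alert2");

  $qs->AddValidActionOp(_SELECTED);
  $qs->AddValidActionOp(_ALLONSCREEN);

  $qs->SetActionSQL($from.$where);
  $et->Mark("Initialization");

  $qs->RunAction($submit, PAGE_STAT_IPLINK, $db);
  $et->Mark("Alert Action");

  /* Run the query to determine the number of rows (No LIMIT)*/
  $qs->current_view = 0;
  $qs->num_result_rows = UniqueLinkCnt($db, $criteria_clauses[0], $criteria_clauses[1]);
  $et->Mark("Counting Result size");

  /* Setup the Query Results Table */
  /* NOTE(review): $caller is not imported in this file; presumably one of
   * the included files sets it -- verify, otherwise it is undefined here. */
  $qro = new QueryResultsOutput("base_stat_iplink.php?caller=".$caller);

  $qro->AddTitle(" ");
  $qro->AddTitle(_SIPLSOURCEFGDN);
  $qro->AddTitle(_PSSRCIP,
                 "sip_a", "", " ORDER BY ip_src ASC",
                 "sip_d", "", " ORDER BY ip_src DESC");
  $qro->AddTitle(_SIPLDIRECTION);
  $qro->AddTitle(_PSDSTIP,
                 "dip_a", "", " ORDER BY ip_dst ASC",
                 "dip_d", "", " ORDER BY ip_dst DESC");
  $qro->AddTitle(_SIPLDESTFGDN);
  $qro->AddTitle(_SIPLPROTO);
  $qro->AddTitle(_SIPLUNIDSTPORTS);
  $qro->AddTitle(_SIPLUNIEVENTS);
  $qro->AddTitle(_SIPLTOTALEVENTS);

  $sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());

  $sql = "SELECT DISTINCT acid_event.ip_src, acid_event.ip_dst, acid_event.ip_proto ".
         $sort_sql[0].$from.$where.$sort_sql[1];

  /* Run the Query again for the actual data (with the LIMIT) */
  $qs->current_view = $submit;
  $result = $qs->ExecuteOutputQuery($sql, $db);
  $et->Mark("Retrieve Query Data");

  if ( $debug_mode == 1 )
  {
    $qs->PrintCannedQueryList();
    $qs->DumpState();
    echo "$sql<BR>";
  }

  /* Print the current view number and # of rows */
  $qs->PrintResultCnt();

  echo '<FORM METHOD="post" NAME="PacketForm" ACTION="base_stat_iplink.php">';

  $qro->PrintHeader();

  /* One table row per distinct (src, dst, proto) link, capped at the
   * configured display row count.  $i counts fetched rows, including the
   * ones skipped below because an address is missing. */
  $i = 0;
  while ( ($myrow = $result->baseFetchRow()) && ($i < $qs->GetDisplayRowCnt()) )
  {
    $sip = $myrow[0];
    $dip = $myrow[1];
    $proto = $myrow[2];

    if ($resolve_IP == 1)
    {
      /* Reverse-DNS names are chosen by whoever controls the PTR record, so
       * they are untrusted data: escape them before they are placed in the
       * HTML below.  Assumes baseGetHostByAddr() returns plain text (a
       * hostname or the dotted address), not markup -- confirm in
       * base_include.inc.php. */
      $sip_fqdn = htmlspecialchars(baseGetHostByAddr(baseLong2IP($sip), $db, $dns_cache_lifetime), ENT_QUOTES);
      $dip_fqdn = htmlspecialchars(baseGetHostByAddr(baseLong2IP($dip), $db, $dns_cache_lifetime), ENT_QUOTES);
    }
    else
    {
      /* Both placeholders must be set; the original assigned $sip_fqdn
       * twice and left $dip_fqdn undefined (or stale from the previous row). */
      $sip_fqdn = _PSNODNS;
      $dip_fqdn = _PSNODNS;
    }

    /* Get stats on the link */
    if ( $sip && $dip )
    {
      /* $sip/$dip/$proto come from the acid_event rows fetched above, not
       * from the request, but this is still string-built SQL: if these
       * columns are ever stored as anything other than integers, switch to
       * an escaped or parameterised form. */
      $temp = "SELECT COUNT(DISTINCT layer4_dport), ".
              "COUNT(acid_event.cid), COUNT(DISTINCT acid_event.signature) ".
              $from.$where." AND acid_event.ip_src='".$sip."' AND acid_event.ip_dst='".$dip."' AND acid_event.ip_proto='".$proto."'";

      $result2 = $db->baseExecute($temp);
      $row = $result2->baseFetchRow();
      $num_unique_dport = $row[0];  /* COUNT(DISTINCT layer4_dport) */
      $num_occurances = $row[1];    /* COUNT(acid_event.cid) */
      $num_unique = $row[2];        /* COUNT(DISTINCT signature) */
      $result2->baseFreeRows();

      /* Print out */
      qroPrintEntryHeader($i);

      /* URL-encoded criteria (ip_addr[0] = src, ip_addr[1] = dst) reused by
       * the drill-down links to the ports, alerts and query pages. */
      $tmp_ip_criteria =
          '&ip_addr%5B0%5D%5B0%5D=+&ip_addr%5B0%5D%5B1%5D=ip_src&ip_addr%5B0%5D%5B2%5D=%3D'.
          '&ip_addr%5B0%5D%5B3%5D='.baseLong2IP($sip).
          '&ip_addr%5B0%5D%5B8%5D=+&ip_addr%5B0%5D%5B9%5D=AND'.
          '&ip_addr%5B1%5D%5B0%5D=+&ip_addr%5B1%5D%5B1%5D=ip_dst&ip_addr%5B1%5D%5B2%5D=%3D'.
          '&ip_addr%5B1%5D%5B3%5D='.baseLong2IP($dip).
          '&ip_addr%5B1%5D%5B8%5D=+&ip_addr%5B1%5D%5B9%5D=+'.
          '&ip_addr_cnt=2&layer4='.IPProto2str($proto).
          '&sort_order='.$sort_order;

      /* Row id the alert actions use to identify this link */
      $tmp_rowid = $sip . "_" . $dip . "_" . $proto;
      echo '  <TD><INPUT TYPE="checkbox" NAME="action_chk_lst['.$i.']" VALUE="'.$tmp_rowid.'"></TD>';
      echo '  <INPUT TYPE="hidden" NAME="action_lst['.$i.']" VALUE="'.$tmp_rowid.'">';

      qroPrintEntry('<FONT>'.$sip_fqdn.'</FONT>');
      qroPrintEntry(BuildAddressLink(baseLong2IP($sip), 32).baseLong2IP($sip).'</A>');
      qroPrintEntry('-->');
      qroPrintEntry(BuildAddressLink(baseLong2IP($dip), 32).baseLong2IP($dip).'</A>');
      qroPrintEntry('<FONT>'.$dip_fqdn.'</FONT>');
      qroPrintEntry('<FONT>'.IPProto2str($proto).'</FONT>');

      $tmp = '<A HREF="base_stat_ports.php?port_type=2&proto='.$proto.$tmp_ip_criteria.'">';
      qroPrintEntry($tmp.$num_unique_dport.'</A>');

      $tmp = '<A HREF="base_stat_alerts.php?foo=1'.$tmp_ip_criteria.'">';
      qroPrintEntry($tmp.$num_unique.'</A>');

      $tmp = '<A HREF="base_qry_main.php?new=1'.
             '&num_result_rows=-1'.
             '&submit='._QUERYDBP.'&current_view=-1'.$tmp_ip_criteria.'">';
      qroPrintEntry($tmp.$num_occurances.'</A>');

      qroPrintEntryFooter();
    }
    $i++;
  }

  $result->baseFreeRows();

  $qro->PrintFooter();

  $qs->PrintBrowseButtons();
  $qs->PrintAlertActionButtons();
  $qs->SaveState();
  ExportHTTPVar("sort_order", $sort_order);
  echo "\n</FORM>\n";

  PrintBASESubFooter();

  $et->Mark("Get Query Elements");
  $et->PrintTiming();
  echo "</body>\r\n</html>";
?>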