<?php
/*******************************************************************************
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
**
** (see the file 'base_main.php' for license details)
**
** Project Leads: Kevin Johnson <kjohnson@secureideas.net>
**                Sean Muller <samwise_diver@users.sourceforge.net>
** Built upon work by Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
**
** Purpose: Displays statistics on communication links (IP addresses)
**
** Input GET/POST variables
**   - caller
**   - submit:
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson <kjohnson@secureideas.net>
**
********************************************************************************
*/

include("base_conf.php");
include("$BASE_path/includes/base_constants.inc.php");
include("$BASE_path/includes/base_include.inc.php");
include_once("$BASE_path/base_db_common.php");
include_once("$BASE_path/base_qry_common.php");
include_once("$BASE_path/base_stat_common.php");

/* Request parameters. Each one goes through ImportHTTPVar(), which is
 * assumed to reduce the value to the character classes given by the flags
 * (for "submit" additionally to the listed set of accepted tokens):
 *   - submit:     browse / alert-action token
 *   - sort_order: letters and underscore; it is echoed back into the
 *                 drill-down links below, so the whitelist matters
 *   - action:     letters only
 */
$submit     = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE, array(_SELECTED, _ALLONSCREEN, _ENTIREQUERY));
$sort_order = ImportHTTPVar("sort_order", VAR_LETTER | VAR_USCORE);
$action     = ImportHTTPVar("action", VAR_ALPHA);

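$et = new EventTiming($debug_time_mode);
$cs = new CriteriaState("base_stat_iplink.php");
$cs->ReadState();

/* Access control (-- Kevin): when the auth system is on, this page requires
 * role 10000; anyone else is redirected to the front page.
 * The explicit exit after the redirect is deliberate: a Location header on
 * its own does not stop PHP, so without it the statistics below would still
 * be generated and sent in the body of the redirect response. If
 * base_header() already terminates the script, the extra exit is harmless. */
$roleneeded = 10000;
$BUser = new BaseUser();
if (($BUser->hasRole($roleneeded) == 0) && ($Use_Auth_System == 1))
{
  base_header("Location: " . $BASE_urlpath . "/index.php");
  exit;
}
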
$qs = new QueryState();
$qs->AddCannedQuery("most_frequent", $freq_num_alerts, _MOSTFREQALERTS, "occur_d");
$qs->AddCannedQuery("last_alerts", $last_num_ualerts, _LASTALERTS, "last_d");

$qs->MoveView($submit);             /* increment the view if necessary */

/* Page header. A canned query gets its description appended to the title.
 * A request without an action (plain page view) forces the refresh argument
 * to 1; otherwise the site-wide $refresh_all_pages setting is passed. */
$page_title = _SIPLTITLE;
$header_title = $qs->isCannedQuery()
  ? $page_title . ": " . $qs->GetCurrentCannedQueryDesc()
  : $page_title;
$header_refresh = ($action == "") ? 1 : $refresh_all_pages;
PrintBASESubHeader($header_title, $header_title, $cs->GetBackLink(), $header_refresh);

/* Connect to the Alert database */
$db = NewBASEDBConnection($DBlib_path, $DBtype);
$db->baseDBConnect(
  $db_connect_method,
  $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password
);

/* Optionally refresh the event cache before anything is queried. */
if ($event_cache_auto_update == 1)
{
  UpdateAlertCache($db);
}

/* Turn the saved criteria into the FROM / WHERE fragments used below
 * ($criteria_clauses[0] and [1]) and print the human-readable summary. */
$criteria_clauses = ProcessCriteria();
PrintCriteria("");

$from  = " FROM acid_event " . $criteria_clauses[0];
$where = " WHERE " . $criteria_clauses[1];

/* Alert actions this page may dispatch from its form; anything else sent in
 * "submit" is expected to be rejected by QueryState. */
$valid_actions = array(
  "ag_by_id",
  "ag_by_name",
  "add_new_ag",
  "del_alert",
  "email_alert",
  "email_alert2",
  "csv_alert",
  "archive_alert",
  "archive_alert2",
);
foreach ($valid_actions as $valid_action)
{
  $qs->AddValidAction($valid_action);
}

/* Row selections an action may operate on (checked rows / whole screen). */
$qs->AddValidActionOp(_SELECTED);
$qs->AddValidActionOp(_ALLONSCREEN);

$qs->SetActionSQL($from . $where);
$et->Mark("Initialization");

/* Dispatch the requested alert action, if any, before the listing is built. */
$qs->RunAction($submit, PAGE_STAT_IPLINK, $db);
$et->Mark("Alert Action");

/* Run the query to determine the number of rows (No LIMIT) */
$qs->current_view = 0;
$qs->num_result_rows = UniqueLinkCnt($db, $criteria_clauses[0], $criteria_clauses[1]);
$et->Mark("Counting Result size");

/* Setup the Query Results Table.
 * NOTE(review): $caller is not imported anywhere in this file although the
 * header lists it as a request variable; confirm the included code sets and
 * filters it, since it is placed into the table's base URL as-is. */
$qro = new QueryResultsOutput("base_stat_iplink.php?caller=" . $caller);

/* Column titles; the source/destination IP columns are sortable (ascending
 * and descending variants with their ORDER BY clauses). */
$qro->AddTitle(" ");
$qro->AddTitle(_SIPLSOURCEFGDN);
$qro->AddTitle(
  _PSSRCIP,
  "sip_a", "", " ORDER BY ip_src ASC",
  "sip_d", "", " ORDER BY ip_src DESC"
);
$qro->AddTitle(_SIPLDIRECTION);
$qro->AddTitle(
  _PSDSTIP,
  "dip_a", "", " ORDER BY ip_dst ASC",
  "dip_d", "", " ORDER BY ip_dst DESC"
);
$qro->AddTitle(_SIPLDESTFGDN);
$qro->AddTitle(_SIPLPROTO);
$qro->AddTitle(_SIPLUNIDSTPORTS);
$qro->AddTitle(_SIPLUNIEVENTS);
$qro->AddTitle(_SIPLTOTALEVENTS);

$sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), $qs->GetCurrentCannedQuerySort());

/* One row per distinct (source, destination, protocol) triple. $sort_sql[0]
 * is spliced in after the SELECT list and $sort_sql[1] after the WHERE
 * clause (presumably extra columns and the ORDER BY needed by the sort). */
$sql = "SELECT DISTINCT acid_event.ip_src, acid_event.ip_dst, acid_event.ip_proto "
     . $sort_sql[0] . $from . $where . $sort_sql[1];

/* Run the Query again for the actual data (with the LIMIT) */
$qs->current_view = $submit;
$result = $qs->ExecuteOutputQuery($sql, $db);
$et->Mark("Retrieve Query Data");

/* Debug output only: dumps query state and the raw SQL into the page. */
if ($debug_mode == 1)
{
  $qs->PrintCannedQueryList();
  $qs->DumpState();
  echo $sql . "<BR>";
}

/* Print the current view number and # of rows */
$qs->PrintResultCnt();

/* The row checkboxes below post back to this page for alert actions. */
echo '<FORM METHOD="post" NAME="PacketForm" ACTION="base_stat_iplink.php">';

$qro->PrintHeader();

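/* Walk the result set: one table row per (source, destination, protocol)
 * link, stopping at the per-page display limit. */
$i = 0;
while (($myrow = $result->baseFetchRow()) && ($i < $qs->GetDisplayRowCnt()))
{
  $sip   = $myrow[0];
  $dip   = $myrow[1];
  $proto = $myrow[2];

  /* Reverse-resolve both endpoints only when configured (the lookup takes
   * $db and $dns_cache_lifetime, presumably a cached lookup). Fix: the
   * original assigned $sip_fqdn twice in the else branch and never set
   * $dip_fqdn, so the destination FQDN cell was an undefined variable when
   * $resolve_IP != 1. */
  if ($resolve_IP == 1)
  {
    $sip_fqdn = baseGetHostByAddr(baseLong2IP($sip), $db, $dns_cache_lifetime);
    $dip_fqdn = baseGetHostByAddr(baseLong2IP($dip), $db, $dns_cache_lifetime);
  }
  else
  {
    $sip_fqdn = _PSNODNS;
    $dip_fqdn = _PSNODNS;
  }

  /* Get stats on the link */
  if ($sip && $dip)
  {
    /* $sip/$dip/$proto are column values returned by the DISTINCT query
     * above, not request parameters, but they are still interpolated into
     * SQL as quoted literals. If the DB layer offers parameter binding,
     * prefer it here. */
    $temp = "SELECT COUNT(DISTINCT layer4_dport), "
          . "COUNT(acid_event.cid), COUNT(DISTINCT acid_event.signature)  "
          . $from . $where
          . " AND acid_event.ip_src='" . $sip . "'"
          . " AND acid_event.ip_dst='" . $dip . "'"
          . " AND acid_event.ip_proto='" . $proto . "'";

    $result2 = $db->baseExecute($temp);
    $row = $result2->baseFetchRow();
    $num_unique_dport = $row[0];   /* distinct destination ports */
    $num_occurances   = $row[1];   /* total events on this link */
    $num_unique       = $row[2];   /* distinct signatures */
    $result2->baseFreeRows();

    /* Print out */
    qroPrintEntryHeader($i);

    /* URL-encoded criteria shared by the drill-down links: ip_src = $sip AND
     * ip_dst = $dip, the layer-4 protocol, and the current sort order. */
    $tmp_ip_criteria =
      '&amp;ip_addr%5B0%5D%5B0%5D=+&amp;ip_addr%5B0%5D%5B1%5D=ip_src&amp;ip_addr%5B0%5D%5B2%5D=%3D' .
      '&amp;ip_addr%5B0%5D%5B3%5D=' . baseLong2IP($sip) .
      '&amp;ip_addr%5B0%5D%5B8%5D=+&amp;ip_addr%5B0%5D%5B9%5D=AND' .
      '&amp;ip_addr%5B1%5D%5B0%5D=+&amp;ip_addr%5B1%5D%5B1%5D=ip_dst&amp;ip_addr%5B1%5D%5B2%5D=%3D' .
      '&amp;ip_addr%5B1%5D%5B3%5D=' . baseLong2IP($dip) .
      '&amp;ip_addr%5B1%5D%5B8%5D=+&amp;ip_addr%5B1%5D%5B9%5D=+' .
      '&amp;ip_addr_cnt=2&amp;layer4=' . IPProto2str($proto) .
      '&amp;sort_order=' . $sort_order;

    /* Row identifier consumed by the alert actions (src_dst_proto). */
    $tmp_rowid = $sip . "_" . $dip . "_" . $proto;
    echo '    <TD><INPUT TYPE="checkbox" NAME="action_chk_lst[' . $i . ']" VALUE="' . $tmp_rowid . '"></TD>';
    echo '        <INPUT TYPE="hidden" NAME="action_lst[' . $i . ']" VALUE="' . $tmp_rowid . '">';

    /* NOTE(review): the resolved host names are written into the page
     * unescaped; confirm baseGetHostByAddr() (or _PSNODNS) already returns
     * HTML-safe text, otherwise escape them here. */
    qroPrintEntry('<FONT>' . $sip_fqdn . '</FONT>');
    qroPrintEntry(BuildAddressLink(baseLong2IP($sip), 32) . baseLong2IP($sip) . '</A>');
    qroPrintEntry('-->');
    qroPrintEntry(BuildAddressLink(baseLong2IP($dip), 32) . baseLong2IP($dip) . '</A>');
    qroPrintEntry('<FONT>' . $dip_fqdn . '</FONT>');
    qroPrintEntry('<FONT>' . IPProto2str($proto) . '</FONT>');

    /* Unique destination ports -> port statistics for this link. */
    $tmp = '<A HREF="base_stat_ports.php?port_type=2&amp;proto=' . $proto . $tmp_ip_criteria . '">';
    qroPrintEntry($tmp . $num_unique_dport . '</A>');

    /* Unique signatures -> alert statistics for this link. */
    $tmp = '<A HREF="base_stat_alerts.php?foo=1' . $tmp_ip_criteria . '">';
    qroPrintEntry($tmp . $num_unique . '</A>');

    /* Total events -> full event listing for this link. */
    $tmp = '<A HREF="base_qry_main.php?new=1'
         . '&amp;num_result_rows=-1'
         . '&amp;submit=' . _QUERYDBP . '&amp;current_view=-1' . $tmp_ip_criteria . '">';
    qroPrintEntry($tmp . $num_occurances . '</A>');

    qroPrintEntryFooter();
  }
  /* Counted even when the row was skipped (keeps the original paging). */
  $i++;
}

$result->baseFreeRows();
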
$qro->PrintFooter();

/* Paging controls, alert-action buttons, then persist the query state. */
$qs->PrintBrowseButtons();
$qs->PrintAlertActionButtons();
$qs->SaveState();
/* Carry the current sort order along with the form (presumably as a hidden
 * field) so it survives the next submit. */
ExportHTTPVar("sort_order", $sort_order);
echo "\n</FORM>\n";

PrintBASESubFooter();

$et->Mark("Get Query Elements");
$et->PrintTiming();
echo "</body>\r\n</html>";