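<?php
/*******************************************************************************
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
**
** (see the file 'base_main.php' for license details)
**
** Project Leads: Kevin Johnson <kjohnson@secureideas.net>
**                Sean Muller <samwise_diver@users.sourceforge.net>
** Built upon work by Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
**
** Purpose: summary statistics
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson <kjohnson@secureideas.net
**
********************************************************************************
*/
defined( '_BASE_INC' ) or die( 'Accessing this file directly is not allowed.' );
include_once("$BASE_path/includes/base_constants.inc.php");

/*
 * Conventions shared by the counting helpers in this file
 * --------------------------------------------------------
 *  - $db is the BASE database wrapper; every query goes through
 *    $db->baseExecute(), rows are read with baseFetchRow() and the result
 *    is released with baseFreeRows().
 *  - $join and $where are SQL fragments that the CALLER has already built
 *    (the functions splice them into the statement verbatim).  They are
 *    trusted input by design: never pass raw request data into them.
 *    Most functions expect $where to include the WHERE keyword itself
 *    (UniqueLinkCnt() adds it when missing); UniqueSrcIPCnt() and
 *    UniqueDstIPCnt() prepend WHERE themselves -- see each function.
 *  - Only UniqueCntBySensor() checks the result of baseExecute(); the other
 *    helpers call baseFetchRow() on whatever comes back, so a failed query
 *    surfaces as a PHP fatal error rather than as a zero count.
 */

/*
 * Number of distinct sensors (acid_event.sid) that have at least one event
 * matching the caller-supplied $join / $where fragments.
 *
 * Returns: the count as fetched from the database (first column of the row).
 */
function SensorCnt($db, $join = "", $where = "")
{
    if ( $join == "" && $where == "" )
        $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event");
    else
        $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event $join $where");

    $myrow = $result->baseFetchRow();
    $num = $myrow[0];
    $result->baseFreeRows();

    return $num;
}

/*
 * Number of sensors registered in the sensor table, regardless of whether
 * they have produced any events (contrast with SensorCnt()).
 */
function SensorTotal($db)
{
    $result = $db->baseExecute("SELECT COUNT(DISTINCT sensor.sid) FROM sensor");
    $myrow = $result->baseFetchRow();
    $num = $myrow[0];
    $result->baseFreeRows();

    return $num;
}

/*
 * Total number of events, optionally restricted by $join / $where.
 *
 * The unfiltered form uses count(*); the filtered form counts
 * acid_event.sid so the column is unambiguous once tables are joined.
 */
function EventCnt($db, $join = "", $where = "")
{
    if ( $join == "" && $where == "" )
        $result = $db->baseExecute("SELECT count(*) FROM acid_event");
    else
        $result = $db->baseExecute("SELECT COUNT(acid_event.sid) FROM acid_event $join $where");

    $myrow = $result->baseFetchRow();
    $num = $myrow[0];
    $result->baseFreeRows();

    return $num;
}

/*
 * Takes:   Numeric sensor ID from the Sensor table (SID), and
 *          database connection.
 *
 * Returns: The number of unique alert descriptions for the
 *          given sensor ID, or 0 when the query fails.
 *
 * The sensor ID is cast to int before being embedded in the statement:
 * sid is numeric, and the cast guarantees that nothing but digits can end
 * up inside the quoted literal.
 */
function UniqueCntBySensor($sensorID, $db)
{
    /* Calculate the Unique Alerts */
    $query = "SELECT COUNT(DISTINCT signature) FROM acid_event WHERE sid = '" . (int)$sensorID . "'";
    $result = $db->baseExecute($query);

    if ( $result )
    {
        $row = $result->baseFetchRow();
        $num = $row[0];
        $result->baseFreeRows();
    }
    else
        $num = 0;

    return $num;
}

/*
 * Takes:   Numeric sensor ID from the Sensor table (SID), and
 *          database connection.
 *
 * Returns: The total number of alerts for the given sensor ID
 */
function EventCntBySensor($sensorID, $db)
{
    /* sid is numeric; the int cast keeps the embedded value to digits only */
    $query = "SELECT count(*) FROM acid_event where sid = '" . (int)$sensorID . "'";

    $result = $db->baseExecute($query);
    $myrow = $result->baseFetchRow();
    $num = $myrow[0];
    $result->baseFreeRows();

    return $num;
}

/*
 * Earliest event timestamp recorded for the given (numeric) sensor ID,
 * as returned by the database (NULL when the sensor has no events).
 */
function MinDateBySensor($sensorID, $db)
{
    $query = "SELECT min(timestamp) FROM acid_event WHERE sid= '" . (int)$sensorID . "'";

    $result = $db->baseExecute($query);
    $myrow = $result->baseFetchRow();
    $num = $myrow[0];
    $result->baseFreeRows();

    return $num;
}

/*
 * Latest event timestamp recorded for the given (numeric) sensor ID,
 * as returned by the database (NULL when the sensor has no events).
 */
function MaxDateBySensor($sensorID, $db)
{
    $query = "SELECT max(timestamp) FROM acid_event WHERE sid='" . (int)$sensorID . "'";

    $result = $db->baseExecute($query);
    $myrow = $result->baseFetchRow();
    $num = $myrow[0];
    $result->baseFreeRows();

    return $num;
}

/*
 * Number of distinct destination addresses seen by the given (numeric)
 * sensor ID.
 */
function UniqueDestAddrCntBySensor( $sensorID, $db )
{
    $query = "SELECT COUNT(DISTINCT ip_dst) from acid_event WHERE sid='" . (int)$sensorID . "'";

    $result = $db->baseExecute($query);
    $row = $result->baseFetchRow();
    $num = $row[0];
    $result->baseFreeRows();

    return $num;
}

/*
 * Number of distinct source addresses seen by the given (numeric)
 * sensor ID.
 */
function UniqueSrcAddrCntBySensor( $sensorID, $db )
{
    $query = "SELECT COUNT(DISTINCT ip_src) from acid_event WHERE sid='" . (int)$sensorID . "'";

    $result = $db->baseExecute($query);
    $row = $result->baseFetchRow();
    $num = $row[0];
    $result->baseFreeRows();

    return $num;
}

/* Number of events whose IP protocol is TCP (ip_proto = 6). */
function TCPPktCnt($db)
{
    $result = $db->baseExecute("SELECT count(*) FROM acid_event WHERE ip_proto=6");
    $myrow = $result->baseFetchRow();
    $num = $myrow[0];
    $result->baseFreeRows();

    return $num;
}

/* Number of events whose IP protocol is UDP (ip_proto = 17). */
function UDPPktCnt($db)
{
    $result = $db->baseExecute("SELECT count(*) FROM acid_event WHERE ip_proto=17");
    $myrow = $result->baseFetchRow();
    $num = $myrow[0];
    $result->baseFreeRows();

    return $num;
}

/* Number of events whose IP protocol is ICMP (ip_proto = 1). */
function ICMPPktCnt($db)
{
    $result = $db->baseExecute("SELECT count(*) FROM acid_event WHERE ip_proto=1");
    $myrow = $result->baseFetchRow();
    $num = $myrow[0];
    $result->baseFreeRows();

    return $num;
}

/*
 * Number of events stored with ip_proto = 255, the value BASE uses to
 * mark portscan records.
 */
function PortscanPktCnt($db)
{
    $result = $db->baseExecute("SELECT count(*) FROM acid_event WHERE ip_proto=255");
    $myrow = $result->baseFetchRow();
    $num = $myrow[0];
    $result->baseFreeRows();

    return $num;
}

/*
 * Number of distinct source IP addresses, optionally restricted by
 * $join / $where.
 *
 * NOTE: unlike most helpers in this file, this function prepends the WHERE
 * keyword itself, so $where must be a bare condition without it.
 */
function UniqueSrcIPCnt($db, $join = "", $where = "")
{
    if ( $join == "" && $where == "" )
        $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.ip_src) FROM acid_event");
    else
        $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.ip_src) FROM acid_event $join WHERE $where");

    $row = $result->baseFetchRow();
    $num = $row[0];
    $result->baseFreeRows();

    return $num;
}

/*
 * Number of distinct destination IP addresses, optionally restricted by
 * $join / $where.
 *
 * NOTE: as with UniqueSrcIPCnt(), the WHERE keyword is added here, so
 * $where must be a bare condition.
 */
function UniqueDstIPCnt($db, $join = "", $where = "")
{
    if ( $join == "" && $where == "" )
        $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.ip_dst) FROM acid_event");
    else
        $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.ip_dst) FROM acid_event $join WHERE $where");

    $row = $result->baseFetchRow();
    $num = $row[0];
    $result->baseFreeRows();

    return $num;
}

/*
 * Distinct source and destination address counts in a single query.
 *
 * Returns: array( <distinct ip_src count>, <distinct ip_dst count> ).
 * $where is spliced in as-is and therefore must carry its own WHERE.
 */
function UniqueIPCnt($db, $join = "", $where = "")
{
    $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.ip_src), ".
                               "COUNT(DISTINCT acid_event.ip_dst) FROM acid_event $join $where");

    $row = $result->baseFetchRow();
    $num1 = $row[0];
    $num2 = $row[1];
    $result->baseFreeRows();

    return array ( $num1, $num2 );
}

/*
 * Fills $start_time and $stop_time (by reference) with the earliest and
 * latest event timestamps in acid_event.  Both are NULL when the table is
 * empty.  No filtering is applied.
 */
function StartStopTime(&$start_time, &$stop_time, $db)
{
    $result = $db->baseExecute("SELECT (SELECT timestamp FROM acid_event ORDER BY timestamp ASC LIMIT 1), ".
                               "(SELECT timestamp FROM acid_event ORDER BY timestamp DESC LIMIT 1)");
    $myrow = $result->baseFetchRow();
    $start_time = $myrow[0];
    $stop_time = $myrow[1];
    $result->baseFreeRows();
}

/*
 * Number of distinct signatures, optionally restricted by $join / $where
 * ($where must carry its own WHERE keyword).
 */
function UniqueAlertCnt($db, $join = "", $where = "")
{
    $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.signature) FROM acid_event $join ".
                               "$where");

    $row = $result->baseFetchRow();
    $num = $row[0];
    $result->baseFreeRows();

    return $num;
}

/*
 * Distinct layer-4 source and destination port counts over all protocols.
 *
 * Returns: array( <distinct sport count>, <distinct dport count> ).
 */
function UniquePortCnt($db, $join = "", $where = "")
{
    if ( $join == "" && $where == "")
        $result = $db->baseExecute("SELECT COUNT(DISTINCT layer4_sport), ".
                                   "COUNT(DISTINCT layer4_dport) FROM acid_event");
    else
        $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
                                   "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event $join ".
                                   "$where");

    $row = $result->baseFetchRow();
    $result->baseFreeRows();

    return array( $row[0], $row[1]);
}

/*
 * Distinct layer-4 source and destination port counts for TCP events only.
 *
 * Returns: array( <distinct sport count>, <distinct dport count> ).
 *
 * When $where is given it is assumed to start with WHERE, and the protocol
 * test is appended with AND.  When only $join is given, the protocol test
 * opens its own WHERE clause (previously the statement read
 * "... $join  AND ip_proto=..." with no WHERE at all, which is invalid SQL).
 */
function UniqueTCPPortCnt($db, $join = "", $where = "")
{
    if ( $join == "" && $where == "")
        $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
                                   "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event ".
                                   "WHERE ip_proto='".TCP."'");
    else
    {
        $proto_filter = ( $where == "" )
            ? " WHERE ip_proto='".TCP."'"
            : " $where AND ip_proto='".TCP."'";
        $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
                                   "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event $join".
                                   $proto_filter);
    }

    $row = $result->baseFetchRow();
    $result->baseFreeRows();

    return array( $row[0], $row[1]);
}

/*
 * Distinct layer-4 source and destination port counts for UDP events only.
 *
 * Returns: array( <distinct sport count>, <distinct dport count> ).
 * Same $join / $where handling as UniqueTCPPortCnt().
 */
function UniqueUDPPortCnt($db, $join = "", $where = "")
{
    if ( $join == "" && $where == "")
        $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
                                   "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event ".
                                   "WHERE ip_proto='".UDP."'");
    else
    {
        $proto_filter = ( $where == "" )
            ? " WHERE ip_proto='".UDP."'"
            : " $where AND ip_proto='".UDP."'";
        $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
                                   "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event $join".
                                   $proto_filter);
    }

    $row = $result->baseFetchRow();
    $result->baseFreeRows();

    return array( $row[0], $row[1]);
}

/*
 * Number of distinct (ip_src, ip_dst, ip_proto) triples, i.e. unique
 * "links", optionally restricted by $join / $where.
 *
 * A $where lacking the WHERE keyword gets one prepended.  MySQL can count
 * a multi-column DISTINCT directly; other backends fetch the distinct rows
 * and use the record count instead, which is considerably more expensive.
 */
function UniqueLinkCnt($db, $join = "", $where = "")
{
    if (!stristr($where, "WHERE") && $where != "")
        $where = " WHERE $where ";

    $row = array();

    if ( $db->DB_type == "mysql" )
    {
        if ( $join == "" && $where == "")
            $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.ip_src, acid_event.ip_dst, acid_event.ip_proto) FROM acid_event");
        else
            $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.ip_src, acid_event.ip_dst, acid_event.ip_proto) FROM acid_event $join $where");

        $row = $result->baseFetchRow();
        $result->baseFreeRows();
    }
    else
    {
        if ( $join == "" && $where == "")
            $result = $db->baseExecute("SELECT DISTINCT acid_event.ip_src, acid_event.ip_dst, acid_event.ip_proto FROM acid_event");
        else
            $result = $db->baseExecute("SELECT DISTINCT acid_event.ip_src, acid_event.ip_dst, acid_event.ip_proto FROM acid_event $join $where");

        $row[0] = $result->baseRecordCount();
        $result->baseFreeRows();
    }

    return $row[0];
}

/*
 * Emits the summary-statistics block of the BASE front page.
 *
 * $db                 database wrapper
 * $compact            0 = nested <ul> layout, otherwise a single-line variant
 * $show_stats         1 = run the counting queries and print the numbers;
 *                     any other value prints only the navigation links
 * $join, $where       SQL fragments forwarded to the counting helpers
 *                     ($where must include its WHERE keyword, as most helpers
 *                     splice it in verbatim)
 * $show_total_events  in link-only mode, additionally print the event total
 *
 * Output is written with echo; nothing is returned.  Label text comes from
 * the _SC* / _UNIALERTS / _QUERYDBP language constants and the TCP / UDP
 * protocol constants from base_constants.inc.php.
 */
function PrintGeneralStats($db, $compact, $show_stats, $join = "", $where = "", $show_total_events = false)
{
    if ( $show_stats == 1 )
    {
        $sensor_cnt = SensorCnt($db, $join, $where);
        $sensor_total = SensorTotal($db);
        $unique_alert_cnt = UniqueAlertCnt($db, $join, $where);
        $event_cnt = EventCnt($db, $join, $where);
        $unique_ip_cnt = UniqueIPCnt($db, $join, $where);
        $unique_links_cnt = UniqueLinkCnt($db, $join, $where);
        $unique_port_cnt = UniquePortCnt($db, $join, $where);
        $unique_tcp_port_cnt = UniqueTCPPortCnt($db, $join, $where);
        $unique_udp_port_cnt = UniqueUDPPortCnt($db, $join, $where);
    }

    if ( $db->baseGetDBversion() >= 103 )
    {
        /* mstone 20050309 this is an expensive calculation -- let's only do it if we're going to use it */
        if ($show_stats == 1) {
            /* Note: the category count is NOT restricted by $join / $where,
             * unlike every other figure printed in this block. */
            $result = $db->baseExecute("SELECT count(DISTINCT(sig_class_id)) FROM acid_event");
            $myrow = $result->baseFetchRow();
            $class_cnt = $myrow[0];
            $result->baseFreeRows();
        }

        $class_cnt_info[0] = " <strong>"._SCCATEGORIES." </strong>";
        $class_cnt_info[1] = "<a href=\"base_stat_class.php?sort_order=class_a\">";
        $class_cnt_info[2] = "</a>";
    }

    /* Each *_info array holds: [0] label, [1] opening link tag, [2] closing markup */
    $sensor_cnt_info[0] = "<strong>"._SCSENSORTOTAL."</strong>\n";
    $sensor_cnt_info[1] = "<a href=\"base_stat_sensor.php\">";
    $sensor_cnt_info[2] = "</a> / ";

    $unique_alert_cnt_info[0] = "<strong>"._UNIALERTS.":</strong>\n";
    $unique_alert_cnt_info[1] = "<a href=\"base_stat_alerts.php\">";
    $unique_alert_cnt_info[2] = "</a>";

    $event_cnt_info[0] = "<strong>"._SCTOTALNUMALERTS."</strong>\n";
    $event_cnt_info[1] = '<a href="base_qry_main.php?&num_result_rows=-1'.
                         '&submit='._QUERYDBP.'&current_view=-1">';
    $event_cnt_info[2] = "</a>";

    $unique_src_ip_cnt_info[0] = _SCSRCIP;
    $unique_src_ip_cnt_info[1] = " ".BuildUniqueAddressLink(1);
    $unique_src_ip_cnt_info[2] = "</a>";
    $unique_dst_ip_cnt_info[0] = _SCDSTIP;
    $unique_dst_ip_cnt_info[1] = " ".BuildUniqueAddressLink(2);
    $unique_dst_ip_cnt_info[2] = "</a>";

    $unique_links_info[0] = _SCUNILINKS;
    $unique_links_info[1] = " <a href=\"base_stat_iplink.php\">";
    $unique_links_info[2] = "</a>";

    $unique_src_port_cnt_info[0] = _SCSRCPORTS;
    $unique_src_port_cnt_info[1] = " <a href=\"base_stat_ports.php?port_type=1&proto=-1\">";
    $unique_src_port_cnt_info[2] = "</a>";
    $unique_dst_port_cnt_info[0] = _SCDSTPORTS;
    $unique_dst_port_cnt_info[1] = " <a href=\"base_stat_ports.php?port_type=2&proto=-1\">";
    $unique_dst_port_cnt_info[2] = "</a>";

    $unique_tcp_src_port_cnt_info[0] = "TCP (";
    $unique_tcp_src_port_cnt_info[1] = " <a href=\"base_stat_ports.php?port_type=1&proto=".TCP."\">";
    $unique_tcp_src_port_cnt_info[2] = "</a>)";
    $unique_tcp_dst_port_cnt_info[0] = "TCP (";
    $unique_tcp_dst_port_cnt_info[1] = " <a href=\"base_stat_ports.php?port_type=2&proto=".TCP."\">";
    $unique_tcp_dst_port_cnt_info[2] = "</a>)";

    $unique_udp_src_port_cnt_info[0] = "UDP (";
    $unique_udp_src_port_cnt_info[1] = " <a href=\"base_stat_ports.php?port_type=1&proto=".UDP."\">";
    $unique_udp_src_port_cnt_info[2] = "</a>)";
    $unique_udp_dst_port_cnt_info[0] = "UDP (";
    $unique_udp_dst_port_cnt_info[1] = " <a href=\"base_stat_ports.php?port_type=2&proto=".UDP."\">";
    $unique_udp_dst_port_cnt_info[2] = "</a>)";

    if ( $show_stats == 1 )
    {
        /* Full statistics: every figure computed above, with its link */
        echo $sensor_cnt_info[0].
             $sensor_cnt_info[1].
             $sensor_cnt.
             $sensor_cnt_info[2].
             $sensor_total."\n<br />";

        echo $unique_alert_cnt_info[0].
             $unique_alert_cnt_info[1].
             $unique_alert_cnt.
             $unique_alert_cnt_info[2];

        if ( $db->baseGetDBversion() >= 103 )
            echo "<br />".
                 $class_cnt_info[0].
                 $class_cnt_info[1].
                 $class_cnt.
                 $class_cnt_info[2];

        echo "<br />";

        echo $event_cnt_info[0].
             $event_cnt_info[1].
             $event_cnt.
             $event_cnt_info[2];

        echo "<ul>";

        echo "<li>".
             $unique_src_ip_cnt_info[0].
             $unique_src_ip_cnt_info[1].
             $unique_ip_cnt[0].
             $unique_src_ip_cnt_info[2] .
             "</li>";

        echo "<li>".
             $unique_dst_ip_cnt_info[0].
             $unique_dst_ip_cnt_info[1].
             $unique_ip_cnt[1].
             $unique_dst_ip_cnt_info[2] .
             "</li>";

        echo "<li>".
             $unique_links_info[0].
             $unique_links_info[1].
             $unique_links_cnt.
             $unique_links_info[2] .
             "</li>";

        echo "<li>";
        if ( $compact == 0 )
            echo "<p>";

        echo $unique_src_port_cnt_info[0].
             $unique_src_port_cnt_info[1].
             $unique_port_cnt[0].
             $unique_src_port_cnt_info[2] .
             "</li>";

        /* Per-protocol source port breakdown: nested list, or inline in compact mode */
        if ( $compact == 0 )
            echo "<li><ul><li>";
        else
            echo "<li> -- ";

        echo $unique_tcp_src_port_cnt_info[0].
             $unique_tcp_src_port_cnt_info[1].
             $unique_tcp_port_cnt[0].
             $unique_tcp_src_port_cnt_info[2].
             " ".
             $unique_udp_src_port_cnt_info[0].
             $unique_udp_src_port_cnt_info[1].
             $unique_udp_port_cnt[0].
             $unique_udp_src_port_cnt_info[2];

        if ( $compact == 0 )
            echo "</li></ul></li>";

        echo "<li>".
             $unique_dst_port_cnt_info[0].
             $unique_dst_port_cnt_info[1].
             $unique_port_cnt[1].
             $unique_dst_port_cnt_info[2] .
             "</li>";

        /* Per-protocol destination port breakdown */
        if ( $compact == 0 )
            echo "<li><ul><li>";
        else
            echo "<li> -- ";

        echo $unique_tcp_dst_port_cnt_info[0].
             $unique_tcp_dst_port_cnt_info[1].
             $unique_tcp_port_cnt[1].
             $unique_tcp_dst_port_cnt_info[2].
             " ".
             $unique_udp_dst_port_cnt_info[0].
             $unique_udp_dst_port_cnt_info[1].
             $unique_udp_port_cnt[1].
             $unique_udp_dst_port_cnt_info[2];

        if ( $compact == 0 )
            echo "</li></ul>";

        echo "</li></ul>";
    }
    else
    {
        /* Link-only mode: no counting queries except the optional event total */
        if ( $show_total_events )
        {
            $event_cnt = EventCnt($db, $join, $where);
            echo "<li>".
                 $event_cnt_info[0].
                 $event_cnt_info[1].
                 $event_cnt.
                 $event_cnt_info[2]."</li><li><p>";
        }
        echo "<ul style='padding-left:20px'>" .
             " <li>".$sensor_cnt_info[1]._SCSENSORS. "</a></li>" .
             " <li>".$unique_alert_cnt_info[1]._UNIALERTS.$unique_alert_cnt_info[2] . "</li>";

        if ( $db->baseGetDBversion() >= 103 )
            echo "<li> ( ".$class_cnt_info[1]._SCCLASS."</a> )</li>";
        echo
             " <li>"._SCUNIADDRESS.
             $unique_src_ip_cnt_info[1]._SCSOURCE.' | '.$unique_src_ip_cnt_info[2].
             $unique_dst_ip_cnt_info[1]._SCDEST.$unique_dst_ip_cnt_info[2].
             "</li><li>".
             $unique_links_info[1].$unique_links_info[0].$unique_links_info[2].
             "</li><li>".
             $unique_src_port_cnt_info[1]._SCSOURCE." ".$unique_src_port_cnt_info[2]._SCPORT.": ".
             $unique_tcp_src_port_cnt_info[1]." TCP</a> | ".
             $unique_udp_src_port_cnt_info[1]." UDP</a>".
             "</li><li>".
             $unique_dst_port_cnt_info[1]._SCDEST." ".$unique_dst_port_cnt_info[2]._SCPORT.": ".
             $unique_tcp_dst_port_cnt_info[1]." TCP</a> | ".
             $unique_udp_dst_port_cnt_info[1]." UDP</a>" .
             /* closes the <ul style='padding-left:20px'> opened above;
              * this used to emit a second </li> and never closed the list */
             "</li></ul>";
    }
}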