1<?php
/*******************************************************************************
** Basic Analysis and Security Engine (BASE)
** Copyright (C) 2004 BASE Project Team
** Copyright (C) 2000 Carnegie Mellon University
**
** (see the file 'base_main.php' for license details)
**
** Project Leads: Kevin Johnson <kjohnson@secureideas.net>
**                Sean Muller <samwise_diver@users.sourceforge.net>
** Built upon work by Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
**
** Purpose: summary statistics
********************************************************************************
** Authors:
********************************************************************************
** Kevin Johnson <kjohnson@secureideas.net>
**
********************************************************************************
*/
// Refuse direct browser access to this include: _BASE_INC is presumably
// defined only by the BASE entry script that pulls this file in.
defined( '_BASE_INC' ) or die( 'Accessing this file directly is not allowed.' );
// $BASE_path is expected to be set by the including script; the constants
// file presumably supplies the TCP/UDP protocol-number constants used below.
include_once("$BASE_path/includes/base_constants.inc.php");

/**
 * Number of distinct sensors (acid_event.sid) that have at least one event.
 *
 * $join and $where are caller-built SQL fragments ($where carrying its own
 * WHERE keyword) spliced into the statement verbatim: they must never be
 * derived from request input.
 *
 * @return mixed first column of the result row (the count)
 */
function SensorCnt($db, $join = "", $where = "")
{
   $unfiltered = ( $join == "" && $where == "" );
   $sql = $unfiltered
        ? "SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event"
        : "SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event $join $where";

   $rs = $db->baseExecute($sql);
   $first = $rs->baseFetchRow();
   $count = $first[0];
   $rs->baseFreeRows();

   return $count;
}

/**
 * Total number of distinct sensors registered in the sensor table,
 * whether or not they have reported any event.
 *
 * @return mixed first column of the result row (the count)
 */
function SensorTotal($db)
{
   $rs = $db->baseExecute("SELECT COUNT(DISTINCT sensor.sid) FROM sensor");
   $first = $rs->baseFetchRow();
   $total = $first[0];
   $rs->baseFreeRows();

   return $total;
}

/**
 * Total number of acid_event rows, optionally narrowed by caller-built
 * JOIN / WHERE fragments (interpolated verbatim, so never request input).
 *
 * The two statement forms differ: the unfiltered one uses count(*), the
 * filtered one COUNT(acid_event.sid).
 *
 * @return mixed first column of the result row (the count)
 */
function EventCnt($db, $join = "", $where = "")
{
   $filtered = !( $join == "" && $where == "" );
   $sql = $filtered
        ? "SELECT COUNT(acid_event.sid) FROM acid_event $join $where"
        : "SELECT count(*) FROM acid_event";

   $rs = $db->baseExecute($sql);
   $first = $rs->baseFetchRow();
   $total = $first[0];
   $rs->baseFreeRows();

   return $total;
}

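/*
 * Takes: Numeric sensor ID from the Sensor table (SID), and
 *        database connection.
 *
 * Returns: The number of unique alert descriptions for the
 *          given sensor ID, or 0 when the query fails.
 *
 * $sensorID is coerced to an integer before it is placed in the SQL, so a
 * caller that forwards request input cannot alter the statement; a
 * non-numeric value is treated as sensor 0.
 */
function UniqueCntBySensor($sensorID, $db)
{
  $sid = (int)$sensorID;

  /* Calculate the Unique Alerts */
  $query = "SELECT COUNT(DISTINCT signature) FROM acid_event WHERE sid = '" . $sid . "'";
  $result = $db->baseExecute($query);

  if ( $result )
  {
     $row = $result->baseFetchRow();
     $num = $row[0];
     $result->baseFreeRows();
  }
  else
     $num = 0;

  return $num;
}
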
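/*
 * Takes: Numeric sensor ID from the Sensor table (SID), and
 *        database connection.
 *
 * Returns: The total number of alerts for the given sensor ID
 *
 * $sensorID is coerced to an integer before it is placed in the SQL, so a
 * caller that forwards request input cannot alter the statement; a
 * non-numeric value is treated as sensor 0.
 */
function EventCntBySensor($sensorID, $db)
{
   $sid = (int)$sensorID;
   $query = "SELECT count(*) FROM acid_event where sid = '" .$sid. "'";

   $result = $db->baseExecute($query);
   $myrow = $result->baseFetchRow();
   $num = $myrow[0];
   $result->baseFreeRows();

   return $num;
}
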
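/*
 * Takes: Numeric sensor ID from the Sensor table (SID), and
 *        database connection.
 *
 * Returns: The earliest acid_event.timestamp for the given sensor ID
 *          (whatever the driver returns for min() over no rows,
 *          normally NULL, when the sensor has no events).
 *
 * $sensorID is coerced to an integer before it is placed in the SQL, so a
 * caller that forwards request input cannot alter the statement; a
 * non-numeric value is treated as sensor 0.
 */
function MinDateBySensor($sensorID, $db)
{
   $sid = (int)$sensorID;
   $query = "SELECT min(timestamp) FROM acid_event WHERE sid= '". $sid."'";

   $result = $db->baseExecute($query);
   $myrow = $result->baseFetchRow();
   $num = $myrow[0];
   $result->baseFreeRows();

   return $num;
}

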
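/*
 * Takes: Numeric sensor ID from the Sensor table (SID), and
 *        database connection.
 *
 * Returns: The latest acid_event.timestamp for the given sensor ID
 *          (whatever the driver returns for max() over no rows,
 *          normally NULL, when the sensor has no events).
 *
 * $sensorID is coerced to an integer before it is placed in the SQL, so a
 * caller that forwards request input cannot alter the statement; a
 * non-numeric value is treated as sensor 0.
 */
function MaxDateBySensor($sensorID, $db)
{
   $sid = (int)$sensorID;
   $query = "SELECT max(timestamp) FROM acid_event WHERE sid='".$sid."'";

   $result = $db->baseExecute($query);
   $myrow = $result->baseFetchRow();
   $num = $myrow[0];
   $result->baseFreeRows();

   return $num;
}
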
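/*
 * Takes: Numeric sensor ID from the Sensor table (SID), and
 *        database connection.
 *
 * Returns: The number of distinct destination addresses (ip_dst) seen
 *          by the given sensor ID.
 *
 * $sensorID is coerced to an integer before it is placed in the SQL, so a
 * caller that forwards request input cannot alter the statement; a
 * non-numeric value is treated as sensor 0.
 */
function UniqueDestAddrCntBySensor( $sensorID, $db )
{
   $sid = (int)$sensorID;
   $query = "SELECT COUNT(DISTINCT ip_dst) from acid_event WHERE sid='" . $sid . "'";

   $result = $db->baseExecute($query);
   $row = $result->baseFetchRow();
   $num = $row[0];
   $result->baseFreeRows();

   return $num;
}
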
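/*
 * Takes: Numeric sensor ID from the Sensor table (SID), and
 *        database connection.
 *
 * Returns: The number of distinct source addresses (ip_src) seen
 *          by the given sensor ID.
 *
 * $sensorID is coerced to an integer before it is placed in the SQL, so a
 * caller that forwards request input cannot alter the statement; a
 * non-numeric value is treated as sensor 0.
 */
function UniqueSrcAddrCntBySensor( $sensorID, $db )
{
   $sid = (int)$sensorID;
   $query = "SELECT COUNT(DISTINCT ip_src) from acid_event WHERE sid='" . $sid . "'";

   $result = $db->baseExecute($query);
   $row = $result->baseFetchRow();
   $num = $row[0];
   $result->baseFreeRows();

   return $num;
}
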
/**
 * Number of acid_event rows whose IP protocol is 6 (TCP), over the whole table.
 *
 * @return mixed first column of the result row (the count)
 */
function TCPPktCnt($db)
{
   $rs = $db->baseExecute("SELECT count(*) FROM acid_event WHERE ip_proto=6");
   $first = $rs->baseFetchRow();
   $total = $first[0];
   $rs->baseFreeRows();

   return $total;
}

/**
 * Number of acid_event rows whose IP protocol is 17 (UDP), over the whole table.
 *
 * @return mixed first column of the result row (the count)
 */
function UDPPktCnt($db)
{
   $rs = $db->baseExecute("SELECT count(*) FROM acid_event WHERE ip_proto=17");
   $first = $rs->baseFetchRow();
   $total = $first[0];
   $rs->baseFreeRows();

   return $total;
}

/**
 * Number of acid_event rows whose IP protocol is 1 (ICMP), over the whole table.
 *
 * @return mixed first column of the result row (the count)
 */
function ICMPPktCnt($db)
{
   $rs = $db->baseExecute("SELECT count(*) FROM acid_event WHERE ip_proto=1");
   $first = $rs->baseFetchRow();
   $total = $first[0];
   $rs->baseFreeRows();

   return $total;
}

/**
 * Number of acid_event rows with ip_proto 255 -- the value that, going by
 * the function name, marks portscan records -- over the whole table.
 *
 * @return mixed first column of the result row (the count)
 */
function PortscanPktCnt($db)
{
   $rs = $db->baseExecute("SELECT count(*) FROM acid_event WHERE ip_proto=255");
   $first = $rs->baseFetchRow();
   $total = $first[0];
   $rs->baseFreeRows();

   return $total;
}

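/**
 * Number of distinct source addresses in acid_event, optionally narrowed by
 * caller-built JOIN / WHERE fragments.
 *
 * $where is accepted with or without its leading WHERE keyword (the same
 * normalisation UniqueLinkCnt applies) and is only appended when non-empty,
 * so a JOIN without a filter no longer yields "... $join WHERE " and a
 * fragment that already carries the keyword no longer yields "WHERE WHERE".
 * Both fragments are interpolated verbatim: they must be built by the
 * caller, never taken from request input.
 *
 * @return mixed first column of the result row (the count)
 */
function UniqueSrcIPCnt($db, $join = "", $where = "")
{
   if ( $where != "" && !stristr($where, "WHERE") )
      $where = " WHERE $where ";

   $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.ip_src) FROM acid_event $join $where");

   $row = $result->baseFetchRow();
   $num = $row[0];
   $result->baseFreeRows();

   return $num;
}
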
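/**
 * Number of distinct destination addresses in acid_event, optionally
 * narrowed by caller-built JOIN / WHERE fragments.
 *
 * $where is accepted with or without its leading WHERE keyword (the same
 * normalisation UniqueLinkCnt applies) and is only appended when non-empty,
 * so a JOIN without a filter no longer yields "... $join WHERE " and a
 * fragment that already carries the keyword no longer yields "WHERE WHERE".
 * Both fragments are interpolated verbatim: they must be built by the
 * caller, never taken from request input.
 *
 * @return mixed first column of the result row (the count)
 */
function UniqueDstIPCnt($db, $join = "", $where = "")
{
   if ( $where != "" && !stristr($where, "WHERE") )
      $where = " WHERE $where ";

   $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.ip_dst) FROM acid_event $join $where");

   $row = $result->baseFetchRow();
   $num = $row[0];
   $result->baseFreeRows();

   return $num;
}
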
/**
 * Distinct source and destination address counts in one round trip.
 *
 * $join and $where are caller-built SQL fragments ($where with its own
 * WHERE keyword) appended verbatim -- even when empty -- so they must
 * never come from request input.
 *
 * @return array [distinct ip_src count, distinct ip_dst count]
 */
function UniqueIPCnt($db, $join = "", $where = "")
{
   $sql = "SELECT COUNT(DISTINCT acid_event.ip_src), ".
          "COUNT(DISTINCT acid_event.ip_dst) FROM acid_event $join $where";

   $rs = $db->baseExecute($sql);
   $counts = $rs->baseFetchRow();
   $src_cnt = $counts[0];
   $dst_cnt = $counts[1];
   $rs->baseFreeRows();

   return [ $src_cnt, $dst_cnt ];
}

/**
 * Fill $start_time / $stop_time with the oldest and newest acid_event
 * timestamp, fetched in one statement via two scalar subqueries.
 *
 * Results are handed back through the reference parameters; nothing is
 * returned.
 */
function StartStopTime(&$start_time, &$stop_time, $db)
{
   $sql = "SELECT (SELECT timestamp FROM acid_event ORDER BY timestamp ASC LIMIT 1), ".
          "(SELECT timestamp FROM acid_event ORDER BY timestamp DESC LIMIT 1)";

   $rs = $db->baseExecute($sql);
   $bounds = $rs->baseFetchRow();
   $rs->baseFreeRows();

   $start_time = $bounds[0];
   $stop_time = $bounds[1];
}

/**
 * Number of distinct signatures in acid_event, optionally narrowed by
 * caller-built JOIN / WHERE fragments ($where with its own WHERE keyword),
 * which are appended verbatim and so must never come from request input.
 *
 * @return mixed first column of the result row (the count)
 */
function UniqueAlertCnt($db, $join = "", $where = "")
{
   $sql = "SELECT COUNT(DISTINCT acid_event.signature) FROM acid_event $join $where";

   $rs = $db->baseExecute($sql);
   $first = $rs->baseFetchRow();
   $count = $first[0];
   $rs->baseFreeRows();

   return $count;
}

/**
 * Distinct source-port and destination-port counts over acid_event, for
 * any protocol, optionally narrowed by caller-built JOIN / WHERE fragments
 * ($where with its own WHERE keyword, both appended verbatim -- never
 * request input).
 *
 * @return array [distinct layer4_sport count, distinct layer4_dport count]
 */
function UniquePortCnt($db, $join = "", $where = "")
{
   $unfiltered = ( $join == "" && $where == "" );
   $sql = $unfiltered
        ? "SELECT COUNT(DISTINCT layer4_sport),  ".
          "COUNT(DISTINCT layer4_dport) FROM acid_event"
        : "SELECT COUNT(DISTINCT acid_event.layer4_sport),  ".
          "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event $join ".
          "$where";

   $rs = $db->baseExecute($sql);
   $ports = $rs->baseFetchRow();
   $rs->baseFreeRows();

   return [ $ports[0], $ports[1] ];
}

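/**
 * Distinct TCP source-port and destination-port counts over acid_event.
 *
 * $join and $where are caller-built SQL fragments appended verbatim (never
 * request input); $where, when given, must carry its own WHERE keyword
 * because the protocol restriction is chained to it with AND. When $where
 * is empty the restriction is emitted as a WHERE clause of its own, so a
 * JOIN without a filter no longer produces "... $join AND ip_proto=..."
 * (invalid SQL).
 *
 * @return array [distinct layer4_sport count, distinct layer4_dport count]
 */
function UniqueTCPPortCnt($db, $join = "", $where = "")
{
   $proto_filter = ( $where == "" )
                 ? "WHERE ip_proto='".TCP."'"
                 : "$where AND ip_proto='".TCP."'";

   $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport),  ".
                              "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event $join ".
                              $proto_filter);

   $row = $result->baseFetchRow();
   $result->baseFreeRows();

   return array( $row[0], $row[1]);
}
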
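/**
 * Distinct UDP source-port and destination-port counts over acid_event.
 *
 * $join and $where are caller-built SQL fragments appended verbatim (never
 * request input); $where, when given, must carry its own WHERE keyword
 * because the protocol restriction is chained to it with AND. When $where
 * is empty the restriction is emitted as a WHERE clause of its own, so a
 * JOIN without a filter no longer produces "... $join AND ip_proto=..."
 * (invalid SQL).
 *
 * @return array [distinct layer4_sport count, distinct layer4_dport count]
 */
function UniqueUDPPortCnt($db, $join = "", $where = "")
{
   $proto_filter = ( $where == "" )
                 ? "WHERE ip_proto='".UDP."'"
                 : "$where AND ip_proto='".UDP."'";

   $result = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport),  ".
                              "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event $join ".
                              $proto_filter);

   $row = $result->baseFetchRow();
   $result->baseFreeRows();

   return array( $row[0], $row[1]);
}
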
/**
 * Number of distinct (ip_src, ip_dst, ip_proto) triples in acid_event,
 * optionally narrowed by caller-built JOIN / WHERE fragments (appended
 * verbatim -- never request input). $where may be passed with or without
 * its WHERE keyword.
 *
 * The multi-column COUNT(DISTINCT ...) form is only issued to MySQL; every
 * other backend gets a SELECT DISTINCT whose rows are counted on the client
 * via baseRecordCount().
 *
 * @return mixed the count
 */
function UniqueLinkCnt($db, $join = "", $where = "")
{
   // Accept a bare condition as well as a complete WHERE clause.
   if ( $where != "" && !stristr($where, "WHERE") )
      $where = " WHERE $where ";

   $filter = ( $join == "" && $where == "" ) ? "" : " $join $where";

   if ( $db->DB_type == "mysql" )
   {
     $rs = $db->baseExecute("SELECT COUNT(DISTINCT acid_event.ip_src, acid_event.ip_dst, acid_event.ip_proto) FROM acid_event" . $filter);
     $first = $rs->baseFetchRow();
     $count = $first[0];
   }
   else
   {
     $rs = $db->baseExecute("SELECT DISTINCT acid_event.ip_src, acid_event.ip_dst, acid_event.ip_proto FROM acid_event" . $filter);
     $count = $rs->baseRecordCount();
   }
   $rs->baseFreeRows();

   return $count;
}

/*
 * Takes: database connection; $compact (0 = full nested-list layout,
 *        otherwise the single-line "--" separated layout); $show_stats
 *        (1 = run the counting queries and print the figures, anything
 *        else prints only the navigation links); optional $join / $where
 *        SQL fragments forwarded verbatim to the counting helpers, so they
 *        must be built by the caller rather than taken from request input;
 *        $show_total_events, consulted only when $show_stats != 1.
 *
 * Returns: nothing -- the HTML is echoed directly.
 *
 * Each *_info array is a [label, opening link tag, closing tag] triple that
 * both layouts share. The _SC*, _UNIALERTS and _QUERYDBP names are
 * constants defined outside this file (presumably the language include).
 * All figures come from the database; the rest of the markup is fixed.
 */
function PrintGeneralStats($db, $compact, $show_stats, $join = "", $where = "", $show_total_events = false)
{
   if ( $show_stats == 1 )
   {
     $sensor_cnt = SensorCnt($db, $join, $where);
     $sensor_total = SensorTotal($db);
     $unique_alert_cnt = UniqueAlertCnt($db, $join, $where);
     $event_cnt = EventCnt($db, $join, $where);
     $unique_ip_cnt = UniqueIPCnt($db, $join, $where);
     $unique_links_cnt = UniqueLinkCnt($db, $join, $where);
     $unique_port_cnt = UniquePortCnt($db, $join, $where);
     $unique_tcp_port_cnt = UniqueTCPPortCnt($db, $join, $where);
     $unique_udp_port_cnt = UniqueUDPPortCnt($db, $join, $where);
   }

   /* The signature-class count and its link exist only from schema version
      103 on. Unlike every other counter above, this query ignores
      $join/$where -- NOTE(review): confirm that is intended. */
   if ( $db->baseGetDBversion() >= 103 )
   {
      /* mstone 20050309 this is an expensive calculation -- let's only do it if we're going to use it */
      if ($show_stats == 1) {
      	$result = $db->baseExecute("SELECT count(DISTINCT(sig_class_id)) FROM acid_event");
      	$myrow = $result->baseFetchRow();
      	$class_cnt = $myrow[0];
      	$result->baseFreeRows();
      }

      $class_cnt_info[0] = " <strong>"._SCCATEGORIES." </strong>";
      $class_cnt_info[1] = "<a href=\"base_stat_class.php?sort_order=class_a\">";
      $class_cnt_info[2] = "</a>";
   }

   /* Sensors: printed as "<sensors with events> / <sensors registered>". */
   $sensor_cnt_info[0] = "<strong>"._SCSENSORTOTAL."</strong>\n";
   $sensor_cnt_info[1] = "<a href=\"base_stat_sensor.php\">";
   $sensor_cnt_info[2] = "</a> / ";

   $unique_alert_cnt_info[0] = "<strong>"._UNIALERTS.":</strong>\n";
   $unique_alert_cnt_info[1] = "<a href=\"base_stat_alerts.php\">";
   $unique_alert_cnt_info[2] = "</a>";

   $event_cnt_info[0] = "<strong>"._SCTOTALNUMALERTS."</strong>\n";
   $event_cnt_info[1] = '<a href="base_qry_main.php?&amp;num_result_rows=-1'.
                        '&amp;submit='._QUERYDBP.'&amp;current_view=-1">';
   $event_cnt_info[2] = "</a>";

   /* BuildUniqueAddressLink() (defined elsewhere) supplies the opening <a>
      tag; 1 / 2 presumably select the source / destination view -- confirm. */
   $unique_src_ip_cnt_info[0] = _SCSRCIP;
   $unique_src_ip_cnt_info[1] = " ".BuildUniqueAddressLink(1);
   $unique_src_ip_cnt_info[2] = "</a>";
   $unique_dst_ip_cnt_info[0] = _SCDSTIP;
   $unique_dst_ip_cnt_info[1] = " ".BuildUniqueAddressLink(2);
   $unique_dst_ip_cnt_info[2] = "</a>";

   $unique_links_info[0] = _SCUNILINKS;
   $unique_links_info[1] = " <a href=\"base_stat_iplink.php\">";
   $unique_links_info[2] = "</a>";

   /* Port links: port_type 1 = source, 2 = destination; proto -1 = any. */
   $unique_src_port_cnt_info[0] = _SCSRCPORTS;
   $unique_src_port_cnt_info[1] = " <a href=\"base_stat_ports.php?port_type=1&amp;proto=-1\">";
   $unique_src_port_cnt_info[2] = "</a>";
   $unique_dst_port_cnt_info[0] = _SCDSTPORTS;
   $unique_dst_port_cnt_info[1] = " <a href=\"base_stat_ports.php?port_type=2&amp;proto=-1\">";
   $unique_dst_port_cnt_info[2] = "</a>";

   $unique_tcp_src_port_cnt_info[0] = "TCP (";
   $unique_tcp_src_port_cnt_info[1] = " <a href=\"base_stat_ports.php?port_type=1&amp;proto=".TCP."\">";
   $unique_tcp_src_port_cnt_info[2] = "</a>)";
   $unique_tcp_dst_port_cnt_info[0] = "TCP (";
   $unique_tcp_dst_port_cnt_info[1] = " <a href=\"base_stat_ports.php?port_type=2&amp;proto=".TCP."\">";
   $unique_tcp_dst_port_cnt_info[2] = "</a>)";

   $unique_udp_src_port_cnt_info[0] = "UDP (";
   $unique_udp_src_port_cnt_info[1] = " <a href=\"base_stat_ports.php?port_type=1&amp;proto=".UDP."\">";
   $unique_udp_src_port_cnt_info[2] = "</a>)";
   $unique_udp_dst_port_cnt_info[0] = "UDP (";
   $unique_udp_dst_port_cnt_info[1] = " <a href=\"base_stat_ports.php?port_type=2&amp;proto=".UDP."\">";
   $unique_udp_dst_port_cnt_info[2] = "</a>)";


   /* Full layout: every counter is printed as label + linked figure. */
   if ( $show_stats == 1 )
   {
   echo $sensor_cnt_info[0].
        $sensor_cnt_info[1].
        $sensor_cnt.
        $sensor_cnt_info[2].
        $sensor_total."\n<br />";

   echo $unique_alert_cnt_info[0].
        $unique_alert_cnt_info[1].
        $unique_alert_cnt.
        $unique_alert_cnt_info[2];

   if ( $db->baseGetDBversion() >= 103 )
      echo "<br />".
           $class_cnt_info[0].
           $class_cnt_info[1].
           $class_cnt.
           $class_cnt_info[2];

   echo "<br />";

   echo $event_cnt_info[0].
        $event_cnt_info[1].
        $event_cnt.
        $event_cnt_info[2];

   echo "<ul>";

   echo "<li>".
        $unique_src_ip_cnt_info[0].
        $unique_src_ip_cnt_info[1].
        $unique_ip_cnt[0].
        $unique_src_ip_cnt_info[2] .
        "</li>";

   echo "<li>".
        $unique_dst_ip_cnt_info[0].
        $unique_dst_ip_cnt_info[1].
        $unique_ip_cnt[1].
        $unique_dst_ip_cnt_info[2] .
        "</li>";

   echo "<li>".
        $unique_links_info[0].
        $unique_links_info[1].
        $unique_links_cnt.
        $unique_links_info[2] .
        "</li>";

   /* NOTE(review): the <p> opened here in non-compact mode is never closed
      in this function. */
   echo "<li>";
       if ( $compact == 0 )
           echo "<p>";

   echo $unique_src_port_cnt_info[0].
        $unique_src_port_cnt_info[1].
        $unique_port_cnt[0].
        $unique_src_port_cnt_info[2] .
        "</li>";

   /* Per-protocol breakdown: nested list when not compact, "--" inline otherwise. */
   if ( $compact == 0 )
     echo "<li><ul><li>";
   else
     echo "<li>&nbsp;&nbsp;--&nbsp;&nbsp;";

   echo $unique_tcp_src_port_cnt_info[0].
        $unique_tcp_src_port_cnt_info[1].
        $unique_tcp_port_cnt[0].
        $unique_tcp_src_port_cnt_info[2].
        "&nbsp;&nbsp;".
        $unique_udp_src_port_cnt_info[0].
        $unique_udp_src_port_cnt_info[1].
        $unique_udp_port_cnt[0].
        $unique_udp_src_port_cnt_info[2];

   if ( $compact == 0 )
     echo "</li></ul></li>";

   echo "<li>".
        $unique_dst_port_cnt_info[0].
        $unique_dst_port_cnt_info[1].
        $unique_port_cnt[1].
        $unique_dst_port_cnt_info[2] .
        "</li>";

   if ( $compact == 0 )
     echo "<li><ul><li>";
   else
     echo "<li>&nbsp;&nbsp;--&nbsp;&nbsp;";

   echo $unique_tcp_dst_port_cnt_info[0].
        $unique_tcp_dst_port_cnt_info[1].
        $unique_tcp_port_cnt[1].
        $unique_tcp_dst_port_cnt_info[2].
        "&nbsp;&nbsp;".
        $unique_udp_dst_port_cnt_info[0].
        $unique_udp_dst_port_cnt_info[1].
        $unique_udp_port_cnt[1].
        $unique_udp_dst_port_cnt_info[2];

   if ( $compact == 0 )
     echo "</li></ul>";

   echo "</li></ul>";
   }
   else
   {
      /* Links-only layout: no counting queries are run, except the event
         total when the caller asks for it. */
      if ( $show_total_events )
      {
         $event_cnt = EventCnt($db, $join, $where);
         echo "<li>".
               $event_cnt_info[0].
               $event_cnt_info[1].
               $event_cnt.
               $event_cnt_info[2]."</li><li><p>";
      }
      /* NOTE(review): this <ul> is not closed here -- the block ends with
         "</li></li>" -- presumably the caller's surrounding markup closes
         it; confirm. */
      echo "<ul style='padding-left:20px'>" .
           "  <li>".$sensor_cnt_info[1]._SCSENSORS. "</a></li>" .
           "  <li>".$unique_alert_cnt_info[1]._UNIALERTS.$unique_alert_cnt_info[2] . "</li>";

     if ( $db->baseGetDBversion() >= 103 )
        echo "<li>&nbsp;&nbsp;&nbsp;( ".$class_cnt_info[1]._SCCLASS."</a> )</li>";
       echo
           "  <li>"._SCUNIADDRESS.
             $unique_src_ip_cnt_info[1]._SCSOURCE.' | '.$unique_src_ip_cnt_info[2].
             $unique_dst_ip_cnt_info[1]._SCDEST.$unique_dst_ip_cnt_info[2].
           "</li><li>".
             $unique_links_info[1].$unique_links_info[0].$unique_links_info[2].
           "</li><li>".
             $unique_src_port_cnt_info[1]._SCSOURCE." ".$unique_src_port_cnt_info[2]._SCPORT.": ".
             $unique_tcp_src_port_cnt_info[1]." TCP</a> | ".
             $unique_udp_src_port_cnt_info[1]." UDP</a>".
           "</li><li>".
             $unique_dst_port_cnt_info[1]._SCDEST." ".$unique_dst_port_cnt_info[2]._SCPORT.": ".
             $unique_tcp_dst_port_cnt_info[1]." TCP</a> | ".
             $unique_udp_dst_port_cnt_info[1]." UDP</a>" .
           "</li></li>";
   }
}

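// Closing "?>" tag intentionally omitted (PHP-only file): any whitespace
// following a closing tag would be emitted as output by every script that
// includes this file.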