Here begins the analysis of one of the most important files: security.php, the data source of the event analysis widget (located in /usr/share/ossim/www/dashboard/sections/widgets/data/).
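// Library initialisation and the helpers shared by all dashboard widgets.
require_once 'av_init.php';
require_once 'sensor_filter.php';
require_once '../widget_common.php';
require_once 'common.php';

// Access control: the caller must be allowed to see both the dashboard and
// the forensics (security events) menu, because this widget exposes SIEM data.
Session::logcheck("dashboard-menu", "ControlPanelExecutive");
Session::logcheck("analysis-menu", "EventsForensics");

// Open the database connection.
$db   = new ossim_db(TRUE);
$conn = $db->connect();

// Current user, plus the widget type and widget ID taken from the request.
$user = Session::get_session_user();
$type = GET("type");
$id   = GET("id");

// Validate the request parameters before they are used anywhere.
ossim_valid($type, OSS_TEXT, 'illegal:' . _("type"));
ossim_valid($id, OSS_DIGIT, OSS_NULLABLE, 'illegal:' . _("Widget ID"));

// $winfo describes the widget (height, type, asset); $chart_info holds the
// chart parameters (chart type, legend, ...).
$winfo      = array();
$chart_info = array();

if (empty($id))
{
    // No ID: the widget is being previewed from the wizard, so every setting
    // comes from the GET parameters.
    $winfo['height'] = GET("height");   // widget height
    $winfo['wtype']  = GET("wtype");    // widget type: chart, tag cloud, ...
    $winfo['asset']  = GET("asset");    // asset / user / entity the widget is scoped to
    $chart_info      = json_decode(GET("value"), true); // chart type, parameters, legend
}
else
{
    // The widget is already saved on a dashboard: load its definition from the
    // database (see get_widget_data() in widget_common.php).
    $winfo      = get_widget_data($conn, $id);
    $chart_info = $winfo['params'];
}

// Validate the widget description.
ossim_valid($winfo['wtype'], OSS_TEXT, 'illegal:' . _("Type"));
ossim_valid($winfo['height'], OSS_DIGIT, 'illegal:' . _("Height"));
ossim_valid($winfo['asset'], OSS_HEX, OSS_SCORE, OSS_ALPHA, OSS_USER, 'illegal:' . _("Asset/User/Entity"));

// Validate every chart parameter against the rule list declared for its key.
if (is_array($chart_info) && !empty($chart_info))
{
    $validation = get_array_validation();
    foreach ($chart_info as $key => $val)
    {
        // Keys without a declared rule are skipped, so a key that only exists
        // in the request never reaches the eval() below.
        if (!isset($validation[$key]) || $validation[$key] == '')
        {
            continue;
        }
        // NOTE(review): eval() expands the rule list that get_array_validation()
        // stores as a string. $val is interpolated at evaluation time (it sits
        // inside double quotes in the generated code) rather than being compiled
        // as code, and only keys present in the validation table get here; still,
        // a direct ossim_valid() call built from a parsed rule list would be the
        // safer construction.
        eval("ossim_valid(\"\$val\", " . $validation[$key] . ", 'illegal:" . _($key) . "');");
    }
}

if (ossim_error())
{
    die(ossim_error());
}
// End of validation.

// SQL fragments restricting the queries below to the selected assets.
$assets_filters = get_asset_filters($conn, $winfo['asset']);

// Chart series: one value, one axis label and one drill-down link per element.
$data  = array();
$label = array();
$links = array();

// Release the session lock before the widget queries are run.
session_write_close();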
// control data will be calculated based on the type of control
switch($type)
{
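case "tcp":
    // Asset filter: from midnight (UTC) of the day that was current two hours
    // ago up to the end of today, restricted to the selected assets.
    $query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00", gmdate("U") - 7200), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
    // Maximum number of ports shown in the widget (default 30). Cast to int
    // because the value is interpolated into the SQL LIMIT clause below.
    $limit = ($chart_info['top'] != '') ? (int) $chart_info['top'] : 30;
    // Top destination TCP ports (ip_proto = 6) ranked by event count.
    $sql = "select layer4_dport as port, count(id) as num from alienvault_siem.acid_event where layer4_dport != 0 and ip_proto=6 $query_where group by port order by num desc limit $limit";
    $rs = $conn->CacheExecute($sql);
    if (!$rs)
    {
        print $conn->ErrorMsg();
    }
    else
    {
        $array_aux = array();
        while (!$rs->EOF)
        {
            $array_aux[$rs->fields["port"]] = $rs->fields["num"];
            // Drill-down link to the forensic console filtered by this port
            // (the parameter was mis-encoded as "¤t_view" in the listing).
            $link = Menu::get_menu_url('/ossim/forensics/base_qry_main.php?tcp_port[0][0]=&tcp_port[0][1]=layer4_dport&tcp_port[0][2]==&tcp_port[0][3]=' . $rs->fields["port"] . '&tcp_port[0][4]=&tcp_port[0][5]=&tcp_flags[0]=&layer4=TCP&num_result_rows=-1&current_view=-1&new=1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time&time_range=all', 'analysis', 'security_events');
            $links[$rs->fields["port"]] = $link;
            $rs->MoveNext();
        }
        // Order the series by port number rather than by event count.
        ksort($array_aux);
        $data  = array_values($array_aux);
        $label = array_keys($array_aux);
        // Series name and colour used when the chart is drawn.
        $serie  = 'Amount of Attacks';
        $colors = "#333333";
    }
    break;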
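case "udp":
    // Asset filter: from midnight (UTC) of the day that was current two hours
    // ago up to the end of today, restricted to the selected assets.
    $query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00", gmdate("U") - 7200), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
    // Maximum number of ports shown in the widget (default 30). Cast to int
    // because the value is interpolated into the SQL LIMIT clause below.
    $limit = ($chart_info['top'] != '') ? (int) $chart_info['top'] : 30;
    // Top destination UDP ports (ip_proto = 17) ranked by event count.
    $sql = "select layer4_dport as port, count(id) as num from alienvault_siem.acid_event where layer4_dport != 0 and ip_proto=17 $query_where group by port order by num desc limit $limit";
    $rs = $conn->CacheExecute($sql);
    if (!$rs)
    {
        print $conn->ErrorMsg();
    }
    else
    {
        $array_aux = array();
        while (!$rs->EOF)
        {
            $array_aux[$rs->fields["port"]] = $rs->fields["num"];
            // Drill-down link to the forensic console filtered by this port
            // (the parameter was mis-encoded as "¤t_view" in the listing).
            $link = Menu::get_menu_url('/ossim/forensics/base_qry_main.php?udp_port[0][0]=&udp_port[0][1]=layer4_dport&udp_port[0][2]==&udp_port[0][3]=' . $rs->fields["port"] . '&udp_port[0][4]=&udp_port[0][5]=&udp_flags[0]=&layer4=UDP&num_result_rows=-1&current_view=-1&new=1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time&time_range=all', 'analysis', 'security_events');
            $links[$rs->fields["port"]] = $link;
            $rs->MoveNext();
        }
        // Order the series by port number rather than by event count.
        ksort($array_aux);
        $data  = array_values($array_aux);
        $label = array_keys($array_aux);
        // Series name and colour used when the chart is drawn.
        $serie  = 'Amount of Attacks';
        $colors = "#333333";
    }
    break;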
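case "promiscuous":
    // Look-back window in seconds: the configured number of days, or five days
    // (432000 s) when no range is set.
    $range = ($chart_info['range'] > 0) ? ($chart_info['range'] * 86400) : 432000;
    // Asset filter over that window.
    $query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00", gmdate("U") - $range), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
    // Maximum number of hosts shown in the widget (default 10). Cast to int
    // because the value is interpolated into the SQL LIMIT clause below.
    $limit = ($chart_info['top'] != '') ? (int) $chart_info['top'] : 10;
    // Base link to the forensic console for the same time window.
    // NOTE(review): $timetz is not defined anywhere in the visible part of this
    // file; presumably it is set by one of the included helpers — confirm.
    $forensic_link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time_cnt=2&time[0][0]=+&time[0][1]=%3E%3D&time[0][8]=+&time[0][9]=AND&time[1][1]=%3C%3D&time[0][2]=" . gmdate("m", $timetz - $range) . "&time[0][3]=" . gmdate("d", $timetz - $range) . "&time[0][4]=" . gmdate("Y", $timetz - $range) . "&time[0][5]=00&time[0][6]=00&time[0][7]=00&time[1][2]=" . gmdate("m", $timetz) . "&time[1][3]=" . gmdate("d", $timetz) . "&time[1][4]=" . gmdate("Y", $timetz) . "&time[1][5]=23&time[1][6]=59&time[1][7]=59&submit=Query+DB&num_result_rows=-1&time_cnt=1&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');
    // Source addresses ranked by the number of distinct destinations they
    // contacted; the zero address is excluded by the HAVING clause.
    $sqlgraph = "select count(distinct(ip_dst)) as num_events,ip_src as name from alienvault_siem.po_acid_event AS acid_event WHERE 1=1 $query_where group by ip_src having ip_src>0x00000000000000000000000000000000 order by num_events desc limit $limit";
    $rg = $conn->CacheExecute($sqlgraph);
    if (!$rg)
    {
        print $conn->ErrorMsg();
    }
    else
    {
        while (!$rg->EOF)
        {
            // ip_src comes back in packed binary form; inet_ntop() renders it as text.
            $data[]  = $rg->fields["num_events"];
            $label[] = inet_ntop($rg->fields["name"]);
            // Drill-down link: the base forensic link narrowed to this source address.
            $links[] = $forensic_link . '&ip_addr[0][0]=+&ip_addr[0][1]=ip_src&ip_addr[0][2]=%3D&ip_addr[0][3]=' . inet_ntop($rg->fields["name"]) . '&ip_addr[0][8]=+&ip_addr[0][9]=+&ip_addr_cnt=1';
            $rg->MoveNext();
        }
    }
    // One colour per series element.
    $colors = get_widget_colors(count($data));
    break;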
case "unique":
// date range
$range = ($chart_info['range'] > 0)? ($chart_info['range'] * 86400) : 432000;
// filter assets
$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-$range), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
// host limit displayed in the control.
$limit = ($chart_info['top'] != '')? $chart_info['top'] : 10;
// link to the SIEM console page
$forensic_link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time_cnt=2&time[0][0]=+&time[0][1]=%3E%3D&time[0][8]=+&time[0][9]=AND&time[1][1]=%3C%3D&time[0][2]=".gmdate("m",$timetz-$range)."&time[0][3]=".gmdate("d",$timetz-$range)."&time[0][4]=".gmdate("Y",$timetz-$range)."&time[0][5]=00&time[0][6]=00&time[0][7]=00&time[1][2]=".gmdate("m",$timetz)."&time[1][3]=".gmdate("d",$timetz)."&time[1][4]=".gmdate("Y",$timetz)."&time[1][5]=23&time[1][6]=59&time[1][7]=59&submit=Query+DB&num_result_rows=-1&time_cnt=1&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');
... ...
// display the number of hours in the control. $max = ($chart_info['range'] == '')? 16 : $chart_info['range'];
// data retrieval widget
$fdate = gmdate("Y-m-d H",$timetz-(3600*($max-1)));
$values = SIEM_trends($max, $assets_filters, $fdate);
// Convert the retrieved values into the format the handler expects.
for ($i=$max-1; $i>=0; $i--)
{
$tref = $timetz-(3600*$i);
$h = gmdate("j G",$tref)."h";
$label[] = preg_replace("/\d+ /","",$h);
$data[] = ($values[$h]!="") ? $values[$h] : 0;
... ...
// All widget data has been collected; release the database connection.
$db->close();
// Delegate drawing of the widget to the shared handler (presumably it reads
// the $data, $label and $links arrays filled in above — see handler.php).
require 'handler.php';
Tip: as the source code shows, all events analysed by OSSIM are stored in the alienvault_siem.acid_event table; for details of the event database you can refer to the OSSIM book.