Base details.php

From ChekMate Security Group

<?php
#################################################################################
#
# base_details.php - Reports events from BASE in more meaningful presentation
# Copyright (C) 2005  Shannon McNaught
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
#################################################################################

#################################################################################
#
# Change the following parameters:
#
#################################################################################

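$db_server = 'localhost';
$db_user = 'username';
$db_pwd = 'password';
$db_name = 'database';

// Script URL used for the time-window links. SCRIPT_NAME is the server-resolved
// script path; PHP_SELF may additionally carry client-supplied PATH_INFO, so it
// is only the fallback. The value is still HTML-escaped where it is written out.
$URL = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : $_SERVER['PHP_SELF'];

// NOTE: the mysql_* extension was removed in PHP 7.0; this script needs PHP 5.x.
// On failure the driver error text (which can reveal host/user details) goes to the
// server log only; the browser gets a generic message. `@` keeps the driver's own
// warning out of the page; the return value is checked explicitly instead.
$db_link = @mysql_pconnect($db_server, $db_user, $db_pwd);
if ($db_link === false) {
  error_log('base_details.php: could not connect: ' . mysql_error());
  exit('Could not connect to the database.');
}
$db = @mysql_select_db($db_name, $db_link);
if ($db === false) {
  error_log('base_details.php: could not select database: ' . mysql_error($db_link));
  exit('Could not select the database.');
}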

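// The Snort SID comes from the query string and is later interpolated into SQL
// and HTML, so it is normalised to a non-negative integer here. Anything that is
// not a plain decimal string (missing, empty, array, letters) falls back to SID 1.
if (isset($_GET['sid']) && is_string($_GET['sid']) && ctype_digit($_GET['sid'])) {
  $sig_sid = (int) $_GET['sid'];
} else {
  if (isset($_GET['sid'])) {
    echo "<font color=red><b>Error: Invalid SID. Using Default.</b></font><br>";
  } else {
    echo "<font color=red><b>Error: SID Not Supplied. Using Default.</b></font><br>";
  }
  $sig_sid = 1;
}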

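// Map the Snort SID to BASE's internal signature id. $sig_sid is cast to int here
// as well, so this block is safe on its own regardless of upstream validation.
$query = "select distinct acid_event.signature, acid_event.sig_name from signature, acid_event where signature.sig_name = acid_event.sig_name and signature.sig_sid = " . (int) $sig_sid;

$oselect = mysql_query($query);
if ($oselect === false) {
  // Driver error text is logged server-side only, not shown to the browser.
  error_log('base_details.php: signature lookup failed: ' . mysql_error());
  exit('Query failed.');
}
$vrow = mysql_fetch_object($oselect);
if ($vrow === false) {
  // No event for this SID at all. Without this check $signature would be empty and
  // every later "signature = $signature" clause would be malformed SQL.
  exit("<font color=red><b>Error: No events found for SID " . (int) $sig_sid . ".</b></font>");
}
// The internal id is used as an integer key in every query that follows.
$signature = (int) $vrow->signature;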

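// Length of the reporting window in seconds. It comes from the query string and is
// interpolated into SQL further down, so only a positive decimal integer is accepted;
// anything else yields the default of 6 hours.
$timeperiod = 21600;
if (isset($_GET['timeperiod']) && is_string($_GET['timeperiod']) && ctype_digit($_GET['timeperiod']) && (int) $_GET['timeperiod'] > 0) {
  $timeperiod = (int) $_GET['timeperiod'];
}

// Human-readable window length: minutes below an hour, hours below a day, else days.
// Values are not rounded, so a window that is not a whole unit prints as a fraction.
$friendly_time = $timeperiod / 60;
if ($friendly_time < 60) {
  $friendly_time = "$friendly_time minutes";
} else {
  $friendly_time = $friendly_time / 60;
  if ($friendly_time < 24) {
    $friendly_time = "$friendly_time hour(s)";
  } else {
    $friendly_time = $friendly_time / 24;
    $friendly_time = "$friendly_time day(s)";
  }
}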

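// SQL fragment restricting rows to the last $timeperiod seconds. The value is cast
// here too, so the fragment is safe even if it was not normalised upstream.
$timewindow = "(timestamp > (NOW() - INTERVAL " . (int) $timeperiod . " SECOND))";

// Signature name for the page header; the query returns no row when the window is empty.
$select = mysql_query("SELECT DISTINCT sig_name FROM acid_event WHERE $timewindow AND signature = " . (int) $signature);
if ($select === false) {
  error_log('base_details.php: sig_name query failed: ' . mysql_error());
  exit('Query failed.');
}
$row = mysql_fetch_object($select);
$sig_name = ($row === false) ? '' : $row->sig_name;

// Newest and oldest event in the window (both NULL when there are no matching rows).
$select = mysql_query("SELECT max(timestamp) AS max, min(timestamp) AS min FROM acid_event WHERE $timewindow AND signature = " . (int) $signature);
if ($select === false) {
  error_log('base_details.php: min/max query failed: ' . mysql_error());
  exit('Query failed.');
}
$row = mysql_fetch_object($select);
$max = ($row === false) ? null : $row->max;
$min = ($row === false) ? null : $row->min;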

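// Everything written into the page is HTML-escaped first: $sig_name is rule text from
// the database, $URL comes from the server environment, the rest are numbers or
// timestamps. Query strings inside href use &amp; so the markup stays valid.
$h_url      = htmlspecialchars($URL, ENT_QUOTES, 'UTF-8');
$h_sig_name = htmlspecialchars((string) $sig_name, ENT_QUOTES, 'UTF-8');
$h_sid      = (int) $sig_sid;
$h_sig      = (int) $signature;
$h_min      = htmlspecialchars((string) $min, ENT_QUOTES, 'UTF-8');
$h_max      = htmlspecialchars((string) $max, ENT_QUOTES, 'UTF-8');
$h_friendly = htmlspecialchars((string) $friendly_time, ENT_QUOTES, 'UTF-8');

echo "<font size=1 face=\"Verdana, Arial, sans-serif, Helvetica\"><hr noshade><br>\n";
echo "<center><font size=3><b>BASE Detail Report for <br>$h_sig_name <font size=1>(SID$h_sid) [BASE-Ref$h_sig]</font> </b></font></center>\n";
echo "<center><font size=3><b>Time window:  $h_friendly between $h_min and $h_max.</b></font></center>\n";
echo "<br><hr noshade>\n";

// Preset windows offered as links: seconds => label.
$windows = array(
  900      => '15 Mins',
  3600     => '1 Hour',
  7200     => '2 Hours',
  21600    => '6 Hours',
  43200    => '12 Hours',
  86400    => '1 Day',
  172800   => '2 Days',
  604800   => '7 Days',
  1209600  => '14 Days',
  31536000 => 'All Alerts',
);
$links = array();
foreach ($windows as $seconds => $label) {
  $links[] = "[ <a href=\"$h_url?timeperiod=$seconds&amp;sid=$h_sid\">$label</a> ]";
}
echo "<table width=100%><tr><td align=left><font size=1 face=\"Verdana, Arial, sans-serif, Helvetica\">Alert Time Window : " . implode(' - ', $links) . "</font></td>\n";
echo "<td align=right><font size=1 face=\"Verdana, Arial, sans-serif, Helvetica\"><b><a href=\"base_summary.php?timeperiod=" . (int) $timeperiod . "\">Return to Summary</a></b></font></td></tr></table>";

echo "<hr noshade><br>\n";

// The SID is passed explicitly; build_detail has no other way to see it.
build_detail($timewindow, $signature, "#FFFFFF", "#FFFFAA", $sig_name, $max, $sig_sid);
echo "</table></font>\n";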



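/**
 * Prints the per-link detail table (one row per src/dst/protocol triple) for one signature.
 *
 * @param string      $timewindow SQL fragment bounding the timestamp column. It is
 *                                interpolated verbatim, so the caller must build it
 *                                from a validated integer, never from raw input.
 * @param int|string  $signature  BASE internal signature id; cast to int before use.
 * @param string      $abgcolor   Background colour used for every other row.
 * @param string      $bbgcolor   Background colour for rows whose protocol has no
 *                                colour of its own (ICMP/TCP/UDP/portscan override it).
 * @param string      $sig_name   Signature name shown in the table header (escaped here).
 * @param string|null $last_ts    Newest timestamp for the signature, shown in the header.
 * @param int|null    $sig_sid    Snort SID for the snort.org link. The original read an
 *                                undefined $sig_sid inside the function, so the link was
 *                                always empty; when null the link is omitted.
 */
function build_detail($timewindow, $signature, $abgcolor, $bbgcolor, $sig_name, $last_ts, $sig_sid = null) {
  $signature = (int) $signature;
  $where = "$timewindow AND signature=$signature";
  $font = '<font size=1 face="Verdana, Arial, sans-serif, Helvetica">';

  // Total events: COUNT(*) server-side instead of fetching every row only to count them.
  $count_row = mysql_fetch_row(_base_details_query("SELECT COUNT(*) FROM acid_event WHERE $where"));
  $total_events = ($count_row === false) ? 0 : (int) $count_row[0];
  // Distinct sources/destinations are still counted via result rows so a NULL address
  // counts as one value, exactly as before (COUNT(DISTINCT) would drop it).
  $select = _base_details_query("SELECT DISTINCT ip_src FROM acid_event WHERE $where");
  $total_src = mysql_num_rows($select);
  $select = _base_details_query("SELECT DISTINCT ip_dst FROM acid_event WHERE $where");
  $total_dst = mysql_num_rows($select);
  // One grouped query also yields each link's newest timestamp, replacing the extra
  // query the original ran per row. Note this is the max per src/dst/proto group;
  // the original's per-row query ignored the protocol when taking the max.
  $select = _base_details_query("SELECT Ip_src, Ip_dst, Ip_proto, count(cid) AS Num, MAX(timestamp) AS LastTimestamp FROM acid_event WHERE $where GROUP BY Ip_src, Ip_dst, Ip_proto ORDER BY Num DESC, Ip_src, Ip_proto");
  $total_links = mysql_num_rows($select);

  $h_sig_name = htmlspecialchars((string) $sig_name, ENT_QUOTES, 'UTF-8');
  $h_last_ts  = htmlspecialchars((string) $last_ts, ENT_QUOTES, 'UTF-8');

  echo "<table border=1 width=100%>\n";
  // The original closed the first header cell with a stray "</dth>".
  echo "<tr><th align=left>{$font}Signature</font></th><th align=right width=11%>{$font}Alerts</font></th><th align=right width=11%><font size=1>IP Src Addr</font></th><th align=right width=11%><font size=1>IP Dst Addr</font></th><th align=right width=11%><font size=1>Last Timestamp</font></th></tr>\n";
  echo "<tr><th align=left><table border=0 cellspacing=0 cellpadding=0 width=100%><tr><th align=left>{$font}     $h_sig_name</font></th><th align=right>{$font}Total Number of Unique Links : $total_links</font></th></tr></table></th>"
     . "<th align=right>{$font}$total_events</font></th>"
     . "<th align=right>{$font}$total_src</font></th>"
     . "<th align=right>{$font}$total_dst</font></th>"
     . "<th align=right>{$font}$h_last_ts</font></th></tr>\n";

  // IP protocol number => array(label, row colour). An unknown protocol gets a generic
  // label and the default colour instead of inheriting the previous row's values.
  $protos = array(
    1   => array('ICMP', 'C0FFFF'),
    6   => array('TCP', 'FFFFAA'),
    17  => array('UDP', 'FFC0C0'),
    255 => array('portscan', 'C0C0FF'),
  );
  $snort_link = '';
  if ($sig_sid !== null) {
    $snort_link = '<a href="http://www.snort.org/pub-bin/sigs.cgi?sid=' . (int) $sig_sid . '" target="_new"><font color="#000000">Snort.org</font></a>';
  }

  $bgcolor = $abgcolor;
  while ($row = mysql_fetch_object($select)) {
    $Ip_proto = (int) $row->Ip_proto;
    // Addresses are stored as unsigned 32-bit integers; the int cast assumes 64-bit PHP.
    $Ip_src = (int) $row->Ip_src;
    $Ip_dst = (int) $row->Ip_dst;
    $Ip_src_addr = long2ip($Ip_src);
    $Ip_dst_addr = long2ip($Ip_dst);
    $link_events = (int) $row->Num;
    $last_timestamp = htmlspecialchars((string) $row->LastTimestamp, ENT_QUOTES, 'UTF-8');

    if (isset($protos[$Ip_proto])) {
      list($Ip_protoname, $rowcolor) = $protos[$Ip_proto];
    } else {
      $Ip_protoname = "proto $Ip_proto";
      $rowcolor = $bbgcolor;
    }
    // Alternate between the protocol colour and $abgcolor, as the original did.
    $bgcolor = ($bgcolor == $rowcolor) ? $abgcolor : $rowcolor;

    echo "<tr bgcolor=$bgcolor><td><table border=0 cellspacing=0 cellpadding=0 width=100%><tr><td align=left>{$font}         ($Ip_protoname) - $Ip_src_addr &lt;-&gt; $Ip_dst_addr</font></td><td align=right><font size=1> $snort_link</font></td></tr></table></td>"
       . "<td align=right>{$font}<a href=\"/base/base_qry_main.php?new=1&amp;sig_type=1&amp;sig[0]==&amp;sig[1]=$signature&amp;submit=Query+DB&amp;num_result_rows=-1\"><font color=\"#000000\">$link_events</font></a></font></td>"
       . "<td align=right>{$font}<a href=\"/base/base_stat_ipaddr.php?ip=$Ip_src_addr&amp;netmask=32\"><font color=\"#000000\">$Ip_src_addr</font></a></font></td>"
       . "<td align=right>{$font}<a href=\"/base/base_stat_ipaddr.php?ip=$Ip_dst_addr&amp;netmask=32\"><font color=\"#000000\">$Ip_dst_addr</font></a></font></td>"
       . "<td align=right nowrap>{$font}$last_timestamp</font></td></tr>\n";
  }
}

/**
 * Runs a query on the current mysql connection, exiting with a generic message on
 * failure. The driver error text goes to the server log only, not to the browser.
 *
 * @param string $sql Complete SQL statement; the caller is responsible for escaping.
 * @return resource Query result.
 */
function _base_details_query($sql) {
  $result = mysql_query($sql);
  if ($result === false) {
    error_log('base_details.php: query failed: ' . mysql_error());
    exit('Query failed.');
  }
  return $result;
}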

?>