From ChekMate Security Group
<?php
#################################################################################
#
# base_summary.php - Reports events from BASE in more meaningful presentation
# Copyright (C) 2005 Shannon McNaught
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
#################################################################################
###################################
#
# Change the following parameters
#
###################################
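// Database settings. These credentials live in a file served from the web root;
// keeping them in an include outside the document root avoids exposing them if
// PHP execution is ever misconfigured.
$db_server = 'localhost';
$db_user = 'username';
$db_pwd = 'password';
$db_name = 'database';
// Script path used to build the time-window links further down. SCRIPT_NAME is
// used instead of PHP_SELF because PHP_SELF also carries any PATH_INFO from the
// request, which would be reflected back into the page. The value is
// HTML-escaped here so it is inert wherever it is interpolated into markup.
$URL = htmlspecialchars(isset($_SERVER['SCRIPT_NAME']) ? (string) $_SERVER['SCRIPT_NAME'] : '', ENT_QUOTES, 'UTF-8');
// The mysql_* extension was removed in PHP 7; this script requires the legacy
// extension. The @ only hides the duplicate warning, the failure itself is
// reported through mysql_error() before exiting.
$db_link = @mysql_pconnect($db_server, $db_user, $db_pwd) or exit('Could not connect: ' . mysql_error());
$db = @mysql_select_db($db_name, $db_link) or exit('Could not select database: ' . mysql_error());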
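// Time window in seconds, from ?timeperiod=N. Only a positive integer string is
// accepted; anything else (missing, non-numeric, array, zero) falls back to the
// 6-hour default. The value is interpolated into SQL and into links, so this
// validation is what keeps it from being an injection vector.
$timeperiod = 21600;
if (isset($_GET['timeperiod'])
    && is_string($_GET['timeperiod'])
    && ctype_digit($_GET['timeperiod'])
    && (int) $_GET['timeperiod'] > 0) {
    $timeperiod = (int) $_GET['timeperiod'];
}
// Human-readable window length: minutes below an hour, hours below a day, else days.
$friendly_time = $timeperiod / 60;
if ($friendly_time < 60) {
    $friendly_time = "$friendly_time minutes";
} else {
    $friendly_time = $friendly_time / 60;
    if ($friendly_time < 24) {
        $friendly_time = "$friendly_time hour(s)";
    } else {
        $friendly_time = $friendly_time / 24;
        $friendly_time = "$friendly_time day(s)";
    }
}
// SQL predicate shared by every query below; safe to interpolate only because
// $timeperiod is a validated integer.
$timewindow = "(timestamp > (NOW() - INTERVAL $timeperiod SECOND))";
// Overall totals for the window header. COUNT(*) replaces fetching every row
// just to count them; the DISTINCT queries keep their row-count semantics.
// Note that die(mysql_error()) sends the raw database error text to the browser.
$select = mysql_query("SELECT COUNT(*) AS n FROM acid_event WHERE $timewindow") or die(mysql_error());
$row = mysql_fetch_object($select);
$total_events = (int) $row->n;
$select = mysql_query("SELECT DISTINCT signature FROM acid_event WHERE $timewindow") or die(mysql_error());
$total_sigs = mysql_num_rows($select);
$select = mysql_query("SELECT DISTINCT ip_src FROM acid_event WHERE $timewindow") or die(mysql_error());
$total_src = mysql_num_rows($select);
$select = mysql_query("SELECT DISTINCT ip_dst FROM acid_event WHERE $timewindow") or die(mysql_error());
$total_dst = mysql_num_rows($select);
// Newest and oldest event timestamps inside the window (NULL when there are none).
$select = mysql_query("SELECT MAX(timestamp) AS max, MIN(timestamp) AS min FROM acid_event WHERE $timewindow") or die(mysql_error());
$row = mysql_fetch_object($select);
$max = $row->max;
$min = $row->min;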
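// Escape every request- or database-derived value before placing it in markup:
// $URL comes from the request, $friendly_time from the timeperiod parameter,
// $min/$max from the database.
$h_url = htmlspecialchars((string) $URL, ENT_QUOTES, 'UTF-8');
$h_friendly_time = htmlspecialchars((string) $friendly_time, ENT_QUOTES, 'UTF-8');
$h_min = htmlspecialchars((string) $min, ENT_QUOTES, 'UTF-8');
$h_max = htmlspecialchars((string) $max, ENT_QUOTES, 'UTF-8');
$font = '<font size=1 face="Verdana, Arial, sans-serif, Helvetica">';

echo "$font<hr noshade><br>\n";
echo "<center><font size=3><b>BASE Summary Report</b></font></center>\n";
echo "<center><font size=3><b>Time window: $h_friendly_time between $h_min and $h_max.</b></font></center>\n";
echo "<br><hr noshade><br>\n";

// In-page anchors; each name matches the <A NAME> emitted by build_proto_summary().
$protocols = array('TCP', 'UDP', 'ICMP', 'Portscan');
$proto_links = array();
foreach ($protocols as $proto) {
    $proto_links[] = "[ <a href=\"#$proto\">$proto</a> ]";
}
echo 'Alert Protocol Type : ' . implode(' - ', $proto_links) . "<br>\n";

// Time-window selector, label => seconds. The href is quoted so the script
// path cannot break out of the attribute.
$windows = array(
    '15 Mins' => 900,
    '1 Hour' => 3600,
    '2 Hours' => 7200,
    '6 Hours' => 21600,
    '12 Hours' => 43200,
    '1 Day' => 86400,
    '2 Days' => 172800,
    '7 Days' => 604800,
    '14 Days' => 1209600,
    'All Alerts' => 31536000,
);
$window_links = array();
foreach ($windows as $label => $seconds) {
    $window_links[] = "[ <a href=\"$h_url?timeperiod=$seconds\">$label</a> ]";
}
echo 'Alert Time Window : ' . implode(' - ', $window_links) . "<br>\n";
echo "<br><hr noshade><br>\n";

// Summary table: column headings, the grand-total row, then one section per protocol.
echo "<table border=1 width=100%>\n";
echo "<tr><th align=left>{$font}Signature</font></th>"
    . "<th align=right width=11%>{$font}Alerts</font></th>"
    . "<th align=right width=11%><font size=1>IP Src Addr</font></th>"
    . "<th align=right width=11%><font size=1>IP Dst Addr</font></th>"
    . "<th align=right width=11%><font size=1>Last Timestamp</font></th></tr>\n";
echo "<tr><th align=left>$font Total Number of Unique Alerts: $total_sigs </font></th>"
    . "<th align=right>$font$total_events</font></th>"
    . "<th align=right>$font$total_src</font></th>"
    . "<th align=right>$font$total_dst</font></th>"
    . "<th align=right>$font$h_max</font></th></tr>\n";
// Arguments: IP protocol number, section label, then the two alternating row
// colours and the header row colour.
build_proto_summary($timewindow, $timeperiod, 6, 'TCP', '#FFFFFF', '#FFFFAA', '#FFFF66');
build_proto_summary($timewindow, $timeperiod, 17, 'UDP', '#FFFFFF', '#FFC0C0', '#FF8080');
build_proto_summary($timewindow, $timeperiod, 1, 'ICMP', '#FFFFFF', '#C0FFFF', '#80FFFF');
build_proto_summary($timewindow, $timeperiod, 255, 'Portscan', '#FFFFFF', '#C0C0FF', '#8080FF');
echo "</table></font>\n";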
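/**
 * Emits one protocol section of the summary table: a header row with the
 * protocol's totals, followed by one row per signature ordered by alert count.
 *
 * @param string $timewindow    SQL predicate on `timestamp`; interpolated as-is,
 *                              so the caller must build it from a validated integer
 * @param int    $timeperiod    window length in seconds; only used in the "Details" link
 * @param int    $ip_proto      IP protocol number to filter on
 * @param string $ip_proto_name section label, also used as the in-page anchor name
 * @param string $abgcolor      first alternating row colour
 * @param string $bbgcolor      second alternating row colour
 * @param string $bgheader      header row colour
 */
function build_proto_summary($timewindow, $timeperiod, $ip_proto, $ip_proto_name, $abgcolor, $bbgcolor, $bgheader) {
    $font = '<font size=1 face="Verdana, Arial, sans-serif, Helvetica">';
    // Only integers are interpolated into SQL; everything placed into HTML is escaped.
    $ip_proto = (int) $ip_proto;
    $h_timeperiod = htmlspecialchars((string) $timeperiod, ENT_QUOTES, 'UTF-8');
    $h_proto_name = htmlspecialchars((string) $ip_proto_name, ENT_QUOTES, 'UTF-8');
    $proto_filter = "$timewindow AND ip_proto = $ip_proto";

    // Protocol-level totals for the section header.
    $res = mysql_query("SELECT COUNT(*) AS n FROM acid_event WHERE $proto_filter") or die(mysql_error());
    $row = mysql_fetch_object($res);
    $proto_events = (int) $row->n;
    $res = mysql_query("SELECT DISTINCT ip_src FROM acid_event WHERE $proto_filter") or die(mysql_error());
    $proto_src = mysql_num_rows($res);
    $res = mysql_query("SELECT DISTINCT ip_dst FROM acid_event WHERE $proto_filter") or die(mysql_error());
    $proto_dst = mysql_num_rows($res);
    $res = mysql_query("SELECT MAX(timestamp) AS LastTimestamp FROM acid_event WHERE $proto_filter") or die(mysql_error());
    $row = mysql_fetch_object($res);
    $proto_last_ts = htmlspecialchars((string) $row->LastTimestamp, ENT_QUOTES, 'UTF-8');
    // One row per signature, most frequent first.
    $sigs = mysql_query("SELECT DISTINCT signature, sig_name, COUNT(cid) AS Num FROM acid_event WHERE $proto_filter GROUP BY signature ORDER BY Num DESC") or die(mysql_error());
    $total_proto = mysql_num_rows($sigs);

    echo "<tr><td colspan=5> </td></tr>\n";
    echo "<tr bgcolor=\"$bgheader\">"
        . "<th align=left>$font<A NAME=\"$h_proto_name\">$h_proto_name</a> ($total_proto) </font></th>"
        . "<th align=right>$font$proto_events</font></th>"
        . "<th align=right>$font$proto_src</font></th>"
        . "<th align=right>$font$proto_dst</font></th>"
        . "<th align=right nowrap>$font$proto_last_ts</font></th></tr>\n";

    // Row colours alternate; seeded so the first signature row gets $bbgcolor.
    $bgcolor = $abgcolor;
    while ($row = mysql_fetch_object($sigs)) {
        $signature = (int) $row->signature;
        // sig_name is stored text from the rule set and must not reach the page raw.
        $h_sig_name = htmlspecialchars((string) $row->sig_name, ENT_QUOTES, 'UTF-8');
        $sig_filter = "$proto_filter AND signature = $signature";

        $sres = mysql_query("SELECT COUNT(*) AS n FROM acid_event WHERE $sig_filter") or die(mysql_error());
        $srow = mysql_fetch_object($sres);
        $sig_events = (int) $srow->n;
        $sres = mysql_query("SELECT DISTINCT ip_src FROM acid_event WHERE $sig_filter") or die(mysql_error());
        $sig_src = mysql_num_rows($sres);
        $sres = mysql_query("SELECT DISTINCT ip_dst FROM acid_event WHERE $sig_filter") or die(mysql_error());
        $sig_dst = mysql_num_rows($sres);
        $sres = mysql_query("SELECT MAX(timestamp) AS LastTimestamp FROM acid_event WHERE $sig_filter") or die(mysql_error());
        $srow = mysql_fetch_object($sres);
        $sig_last_ts = htmlspecialchars((string) $srow->LastTimestamp, ENT_QUOTES, 'UTF-8');
        // Snort rule id for the external and details links. A signature with no
        // row in the signature table yields an empty sid rather than a warning.
        $sres = mysql_query("SELECT sig_sid FROM signature WHERE sig_id = $signature") or die(mysql_error());
        $srow = mysql_fetch_object($sres);
        $sig_sid = $srow ? htmlspecialchars((string) $srow->sig_sid, ENT_QUOTES, 'UTF-8') : '';

        $bgcolor = ($bgcolor === $bbgcolor) ? $abgcolor : $bbgcolor;
        echo "<tr bgcolor=\"$bgcolor\">"
            . "<td><table border=0 cellspacing=0 cellpadding=0 width=100%><tr>"
            . "<td align=left nowrap>$font $h_sig_name</font></td>"
            . "<td align=right nowrap><font size=1> <a href=\"base_details.php?timeperiod=$h_timeperiod&sid=$sig_sid\"><font color=\"#000000\">Details</font></a>"
            . " <a href=\"http://www.snort.org/pub-bin/sigs.cgi?sid=$sig_sid\" target=\"_new\"><font color=\"#000000\">Snort.org</font></a></font></td>"
            . "</tr></table></td>"
            . "<td align=right>$font<a href=\"/base/base_qry_main.php?new=1&sig_type=1&sig[0]==&sig[1]=$signature&submit=Query+DB&num_result_rows=-1\"><font color=\"#000000\">$sig_events</font></a></font></td>"
            . "<td align=right>$font<a href=\"/base/base_stat_uaddr.php?addr_type=1&sig_type=1&sig[0]==&sig[1]=$signature\"><font color=\"#000000\">$sig_src</font></a></font></td>"
            . "<td align=right>$font<a href=\"/base/base_stat_uaddr.php?addr_type=2&sig_type=1&sig[0]==&sig[1]=$signature\"><font color=\"#000000\">$sig_dst</font></a></font></td>"
            . "<td align=right nowrap>$font$sig_last_ts</font></td></tr>\n";
    }
}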
?>