security.php Source Analysis of OSSIM

Next, we analyze the source code of security.php, an important event-related file in the dashboard sub-module.

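// Referencing files, initializing function libraries
require_once 'av_init.php';
require_once 'sensor_filter.php';
require_once '../widget_common.php';
require_once 'common.php';

// Check that the caller has permission to access this menu
// (both the dashboard and the forensics menu are required).
Session::logcheck("dashboard-menu", "ControlPanelExecutive");
Session::logcheck("analysis-menu", "EventsForensics");

// Start database connection
$db   = new ossim_db(TRUE);
$conn = $db->connect();

// Get current user information
$user = Session::get_session_user();

// Type of security control (widget) to render
$type = GET("type");
// ID of the widget (empty while the wizard is previewing a new widget)
$id   = GET("id");

// Type validation
ossim_valid($type, OSS_TEXT,                'illegal:' . _("type"));
ossim_valid($id,   OSS_DIGIT, OSS_NULLABLE, 'illegal:' . _("Widget ID"));
// End validation

// Arrays holding the control information: widget settings and chart parameters
// (chart type, legend, etc.)
$winfo      = array();
$chart_info = array();

// empty() already covers an unset $id, so the separate isset() test is not needed.
if (empty($id))
{
    // No ID: we are in the wizard's pre-visualization, so every setting
    // arrives in the GET parameters.
    $winfo['height'] = GET("height"); // Control height
    $winfo['wtype']  = GET('wtype');  // Control type: chart, tag cloud, etc.
    $winfo['asset']  = GET("asset");  // Asset filter
    $chart_info      = json_decode(GET("value"), true); // Chart type, legend parameters, etc.
}
else
{
    // ID present: the control is being loaded from the dashboard, so its
    // settings come from the database (see widget_common.php).
    $winfo      = get_widget_data($conn, $id);
    $chart_info = $winfo['params']; // Chart type, legend parameters
}

// Validation of the widget settings. The height message previously said
// "Widget ID" (copy-paste); it now names the field that failed.
ossim_valid($winfo['wtype'],  OSS_TEXT,  'illegal:' . _("Type"));
ossim_valid($winfo['height'], OSS_DIGIT, 'illegal:' . _("Height"));
ossim_valid($winfo['asset'],  OSS_HEX, OSS_SCORE, OSS_ALPHA, OSS_USER, 'illegal:' . _("Asset/User/Entity"));

if (is_array($chart_info) && !empty($chart_info))
{
    // Rule table: one PHP-source fragment of ossim_valid() rules per chart key.
    $validation = get_array_validation();
    foreach ($chart_info as $key => $val)
    {
        // Keys without a validation rule are skipped. isset() avoids an
        // undefined-index notice for keys that are not in the rule table.
        if (!isset($validation[$key]) || $validation[$key] === '')
        {
            continue;
        }
        // SECURITY NOTE: eval() assembles PHP source from the rule fragment and
        // from the translated key name. Only keys present in the rule table get
        // here, and the value is read through the variable $val at eval time
        // rather than spliced into the source. The translated message is still
        // escaped so a quote in a translation cannot break the string literal.
        // Replacing this eval() with a direct ossim_valid() call is the proper fix.
        $msg = addslashes(_($key));
        eval("ossim_valid(\"\$val\", " . $validation[$key] . ", 'illegal:" . $msg . "');");
    }
}

// Any validation failure aborts the page with the accumulated error text.
if (ossim_error())
{
    die(ossim_error());
}
// End of validation.

// Asset filters resolved from the widget's asset setting
$assets_filters = get_asset_filters($conn, $winfo['asset']);

// Variables that store chart information
$data  = array(); // Values of the control itself
$label = array(); // Labels for each element
$links = array(); // Drill-down link for each element

// Release the session lock before the (potentially slow) queries below.
session_write_close();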
// Control data is computed according to $type. Each case fills $data (values),
// $label (element labels) and $links (drill-down URL per element) and picks the
// chart colours; handler.php, required at the end, draws the result.
switch($type)
{
        case "tcp":

// Asset filter: WHERE fragment built by Security_report::make_where() from the
// date window and the asset filters. The window runs from 00:00:00 (UTC) of the
// day that was current two hours ago (gmdate("U")-7200) to 23:59:59 today.
$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-7200), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
// Maximum number of ports shown in the widget: the chart's 'top' parameter,
// or 30 when it is empty.
$limit = ($chart_info['top'] != '')? $chart_info['top'] : 30;
// SQL query. $limit and $query_where are interpolated directly into the
// statement: $limit is only as safe as the ossim_valid() pass over $chart_info
// above (which needs a rule for 'top' in get_array_validation() — confirm),
// and $query_where is assumed to be escaped by make_where().
// ip_proto=6 selects TCP; events are counted per destination port, busiest first.
$sql = "select layer4_dport as port, count(id) as num from alienvault_siem.acid_event where layer4_dport != 0 and ip_proto=6 $query_where group by port order by num desc limit $limit";
// echo $sql;

// CacheExecute() returns a false-y value on failure; the driver message is printed then.
$rs = $conn->CacheExecute($sql);
if (!$rs)
                {
                    print $conn->ErrorMsg();
                }
                else
 {
                        $array_aux = array();
                    while (!$rs->EOF)
                    {
                                $array_aux[$rs->fields["port"]] = $rs->fields["num"];
                                // Drill-down link to the forensics console filtered on this TCP port.
                                // NOTE(review): "¤t_view" in this listing looks like an HTML-entity
                                // artifact of "&current_view" — verify against the original source.
                                $link = Menu::get_menu_url('/ossim/forensics/base_qry_main.php?tcp_port[0][0]=&tcp_port[0][1]=layer4_dport&tcp_port[0][2]==&tcp_port[0][3]='.$rs->fields["port"].'&tcp_port[0][4]=&tcp_port[0][5]=&tcp_flags[0]=&layer4=TCP&num_result_rows=-1¤t_view=-1&new=1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time&time_range=all', 'analysis', 'security_events');
                                $links[$rs->fields["port"]] = $link;
                                $rs->MoveNext();
}

// Sort the results by port number rather than by hit count; $data and $label
// are then taken from the sorted array, so they stay in matching order.

ksort($array_aux);
      $data   = array_values($array_aux);
      $label  = array_keys($array_aux);

// Chart display: a single series name and colour.

$serie  = 'Amount of Attacks';
                        $colors = "#333333";
                }
                break;
        case "udp":

// Asset filter: same date window as the tcp case (from 00:00:00 UTC of the day
// two hours ago to 23:59:59 today).
$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-7200), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
// Maximum number of ports shown in the control: 'top' parameter, default 30.
$limit = ($chart_info['top'] != '')? $chart_info['top'] : 30;
// SQL query: identical to the tcp case except ip_proto=17 (UDP). The same
// caveat applies to the interpolated $limit and $query_where.
$sql = "select layer4_dport as port, count(id) as num from alienvault_siem.acid_event where layer4_dport != 0 and ip_proto=17 $query_where group by port order by num desc limit $limit";

// echo $sql;

$rs = $conn->CacheExecute($sql);
                if (!$rs)
                {
                    print $conn->ErrorMsg();
                }
                else
                {
 $array_aux = array();
                    while (!$rs->EOF)
                    {
                                $array_aux[$rs->fields["port"]] = $rs->fields["num"];
                                // Drill-down link to the forensics console filtered on this UDP port
                                // (same "¤t_view" artifact as in the tcp case).
                                $link = Menu::get_menu_url('/ossim/forensics/base_qry_main.php?udp_port[0][0]=&udp_port[0][1]=layer4_dport&udp_port[0][2]==&udp_port[0][3]='.$rs->fields["port"].'&udp_port[0][4]=&udp_port[0][5]=&udp_flags[0]=&layer4=UDP&num_result_rows=-1¤t_view=-1&new=1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time&time_range=all', 'analysis', 'security_events');
                                $links[$rs->fields["port"]] = $link;
                                $rs->MoveNext();
                    }

// Sort the results by port number rather than by hit count.

ksort($array_aux);
                        $data   = array_values($array_aux);
                        $label  = array_keys($array_aux);

// Chart display: a single series name and colour.

 $serie  = 'Amount of Attacks';
                        $colors = "#333333";
                }
                break;
        case "promiscuous":

// Date range in seconds: the chart's 'range' parameter in days, or 432000 s
// (5 days) when it is not positive.
$range = ($chart_info['range'] > 0)? ($chart_info['range'] * 86400) : 432000;
// Asset filter: window from 00:00:00 (UTC) of the day $range seconds ago to 23:59:59 today.
$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-$range), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
// Maximum number of hosts shown in the control: 'top' parameter, default 10.

$limit = ($chart_info['top'] != '')? $chart_info['top'] : 10;

// Base link to the SIEM console (forensics) page, pre-filtered on the same date
// window; each row below appends its own ip_src filter.
// NOTE(review): $timetz is not assigned anywhere in this listing; presumably it
// is set by one of the included files — confirm.

 $forensic_link  = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time_cnt=2&time[0][0]=+&time[0][1]=%3E%3D&time[0][8]=+&time[0][9]=AND&time[1][1]=%3C%3D&time[0][2]=".gmdate("m",$timetz-$range)."&time[0][3]=".gmdate("d",$timetz-$range)."&time[0][4]=".gmdate("Y",$timetz-$range)."&time[0][5]=00&time[0][6]=00&time[0][7]=00&time[1][2]=".gmdate("m",$timetz)."&time[1][3]=".gmdate("d",$timetz)."&time[1][4]=".gmdate("Y",$timetz)."&time[1][5]=23&time[1][6]=59&time[1][7]=59&submit=Query+DB&num_result_rows=-1&time_cnt=1&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');

// SQL query: source addresses ranked by the number of distinct destinations they
// reached; the HAVING clause drops an all-zero ip_src. $limit and $query_where
// are interpolated as in the tcp case (same caveat). Note the literal line break
// inside the string before $limit.

$sqlgraph       = "select count(distinct(ip_dst)) as num_events,ip_src as name from alienvault_siem.po_acid_event AS acid_event WHERE 1=1 $query_where group by ip_src having ip_src>0x00000000000000000000000000000000 order by num_events desc limit 
$limit";
$rg = $conn->CacheExecute($sqlgraph);
                if (!$rg)
                {
                    print $conn->ErrorMsg();
                }
                else
                {
                    while (!$rg->EOF)
                    {
                        $data[]  = $rg->fields["num_events"];
                                // ip_src is stored in binary form; inet_ntop() renders it as text
                                // for both the label and the drill-down link.
                                $label[] = inet_ntop($rg->fields["name"]);
                                $links[] = $forensic_link . '&ip_addr[0][0]=+&ip_addr[0][1]=ip_src&ip_addr[0][2]=%3D&ip_addr[0][3]=' . inet_ntop($rg->fields["name"]) . '&ip_addr[0][8]=+&ip_addr[0][9]=+&ip_addr_cnt=1';
                        $rg->MoveNext();
                    }
                }
// One colour per data point.
$colors = get_widget_colors(count($data));
                break;
        case "unique":

// Date range in seconds: 'range' parameter in days, default 432000 s (5 days).

$range = ($chart_info['range'] > 0)? ($chart_info['range'] * 86400) : 432000;
// Asset filter: same window construction as the promiscuous case.

$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-$range), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
// Maximum number of hosts shown in the control: 'top' parameter, default 10.

$limit = ($chart_info['top'] != '')? $chart_info['top'] : 10;

// Base link to the SIEM console page for the same date window ($timetz: see the
// note in the promiscuous case).

$forensic_link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time_cnt=2&time[0][0]=+&time[0][1]=%3E%3D&time[0][8]=+&time[0][9]=AND&time[1][1]=%3C%3D&time[0][2]=".gmdate("m",$timetz-$range)."&time[0][3]=".gmdate("d",$timetz-$range)."&time[0][4]=".gmdate("Y",$timetz-$range)."&time[0][5]=00&time[0][6]=00&time[0][7]=00&time[1][2]=".gmdate("m",$timetz)."&time[1][3]=".gmdate("d",$timetz)."&time[1][4]=".gmdate("Y",$timetz)."&time[1][5]=23&time[1][6]=59&time[1][7]=59&submit=Query+DB&num_result_rows=-1&time_cnt=1&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');
... ...
// (The remainder of the "unique" case and the case label of the hourly block
// below are not shown in this listing.)

// Number of hours shown in the control: the 'range' parameter, or 16 when empty.
$max = ($chart_info['range'] == '')? 16 : $chart_info['range'];
// Retrieve the widget data: hourly trend values starting $max-1 hours before
// $timetz (format "Y-m-d H"), filtered by asset.

 $fdate  = gmdate("Y-m-d H",$timetz-(3600*($max-1)));
 $values = SIEM_trends($max, $assets_filters, $fdate);

// Build $label/$data in chronological order, oldest hour first. $h is
// "<day> <hour>h" (gmdate "j G" plus "h"): the lookup in $values uses the full
// string, while the label strips the leading day number so only e.g. "13h" is
// shown. Hours with no value are plotted as 0.

for ($i=$max-1; $i>=0; $i--)
                {
                        $tref    = $timetz-(3600*$i);
                        $h       = gmdate("j G",$tref)."h";
                        $label[] = preg_replace("/\d+ /","",$h);
                        $data[]  = ($values[$h]!="") ? $values[$h] : 0;
... ...
// Release the database connection before rendering.
$db->close();

// Now call the handler to draw the correct widget
require 'handler.php';

Tip: The source code shows that the events queried here are stored in the alienvault_siem.acid_event table (the promiscuous case also reads alienvault_siem.po_acid_event). For a deeper analysis of the OSSIM database, refer to the book OSSIM Difficulty Resolution.

Keywords: Linux PHP SQL Session Database

Added by kaukab on Sun, 04 Aug 2019 13:25:58 +0300