*
- * Copyright (C) 2000, 2001 Carnegie Mellon University
+ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
* Purpose: extracts and calculates the data to plot
@@ -45,8 +45,8 @@
'"Check the Graphing abstraction library variable $ChartLib_path'.
' in acid_conf.php
- The underlying graphing library currently used is PHPlot, that can be downloaded
- at http://www.phplot.com . Without this
+ The underlying graphing library currently used is JPGraph, that can be downloaded
+ at http://www.aditus.nu/jpgraph/index.php . Without this
library no graphing operations can be performed.';
die();
@@ -54,26 +54,43 @@
}
function LoadGraphingLib($path)
-{
- $last_char = substr($path, strlen($path)-1, 1);
+{
+ $libs = array ("jpgraph.php",
+ "jpgraph_line.php",
+ "jpgraph_bar.php",
+ "jpgraph_canvas.php",
+ "jpgraph_error.php",
+ "jpgraph_log.php",
+ "jpgraph_pie.php",
+ "jpgraph_pie3d.php",
+ "jpgraph_scatter.php",
+ "jpgraph_radar.php" );
- if ( $last_char == "\\" || $last_char == "/" )
- {
- VerifyGraphingLib($path."phplot.php");
- include($path."phplot.php");
- }
- else if ( strstr($path,"/") || $path == "" )
+ for ( $i = 0; $i < count($libs); $i++ )
{
- VerifyGraphingLib($path."/phplot.php");
- include($path."/phplot.php");
- }
- else if ( strstr($path,"\\") )
- {
- VerifyGraphingLib($path."\\phplot.php");
- include($path."\\phplot.php");
+ $last_char = substr($path, strlen($path)-1, 1);
+
+ if ( $last_char == "\\" || $last_char == "/" )
+ {
+ VerifyGraphingLib($path.$libs[$i]);
+ include( $path.$libs[$i] );
+ }
+ else if ( strstr($path,"/") || $path == "" )
+ {
+ VerifyGraphingLib($path."/".$libs[$i]);
+ include($path."/".$libs[$i]);
+ }
+ else if ( strstr($path,"\\") )
+ {
+ VerifyGraphingLib($path."\\".$libs[$i]);
+ include($path."\\".$libs[$i]);
+ }
+ else
+ {
+ echo "ERROR: Unable to load graphing library file:".$libs[$i];
+ return;
+ }
}
- else
- echo "ERROR: Unable to load graphing library";
}
/* Generates the required SQL from the chart time criteria */
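Review bot: The separator dispatch inside the new `for` loop (the `$last_char` computation and the three `strstr`/`$path == ""` tests) depends only on `$path`, which never changes, so it is recomputed on every one of the ten iterations and the `else` error branch can only ever fire on the first; resolving the directory prefix once before the loop makes the body a single include. The loop also uses `include`, so a second call to LoadGraphingLib, or any other include of the same JPGraph files, redeclares their classes and aborts the request; `include_once` avoids that. Returning a boolean instead of echoing and falling through lets the caller stop before `new Graph`, since the error text otherwise ends up inside what the graph page serves as image bytes. VerifyGraphingLib looks like it already `die()`s on a missing file (see the hunk above), so the error branch here only covers an unusable `$path` form.
```php
function LoadGraphingLib($path)
{
    // … unchanged: $libs list …

    /* Resolve the directory prefix once; it does not depend on the loop index */
    $last_char = substr($path, strlen($path)-1, 1);
    if ( $last_char == "\\" || $last_char == "/" )
        $dir = $path;
    else if ( strstr($path,"/") || $path == "" )
        $dir = $path."/";
    else if ( strstr($path,"\\") )
        $dir = $path."\\";
    else
    {
        echo "ERROR: Unable to load graphing library from path: ".$path;
        return false;
    }

    for ( $i = 0; $i < count($libs); $i++ )
    {
        VerifyGraphingLib($dir.$libs[$i]);
        include_once( $dir.$libs[$i] );
    }
    return true;
}
```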
@@ -318,7 +335,7 @@
function GetIPDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
{
- GLOBAL $db, $debug_mode;
+ GLOBAL $db, $debug_mode;
if ( $chart_type == 6 )
$sql = "SELECT DISTINCT ip_src, COUNT(acid_event.cid) ".
@@ -352,7 +369,7 @@
function GetPortDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
{
- GLOBAL $db, $debug_mode;
+ GLOBAL $db, $debug_mode;
if ( ($chart_type == 8) || ($chart_type == 9) )
$sql = "SELECT DISTINCT layer4_dport, COUNT(acid_event.cid) ".
@@ -386,13 +403,12 @@
function GetClassificationDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
{
- GLOBAL $db, $debug_mode;
-
-
+ GLOBAL $db, $debug_mode;
+
$sql = "SELECT DISTINCT sig_class_id, COUNT(acid_event.cid) ".
"FROM acid_event ".$criteria[0].
- "WHERE ".$criteria[1]." AND layer4_dport is NOT NULL ".
- "GROUP BY sig_class_id ORDER BY sig_class_id";
+ "WHERE ".$criteria[1]. /* " AND layer4_dport is NOT NULL ". */
+ " GROUP BY sig_class_id ORDER BY sig_class_id";
if ( $debug_mode > 0) echo $sql." ";
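Review bot: The disabled `AND layer4_dport is NOT NULL` fragment is left as a C-style comment in the middle of the string concatenation, which is easy to misread as still being part of the query; delete it and, if the reason matters, say it in a comment above the `$sql` assignment, e.g. `/* no layer4_dport filter: classification counts must include non-TCP/UDP events */` (wording to be confirmed against the intent). Independently of that, `$criteria[1]` is concatenated verbatim into the WHERE clause; it is built by the caller in acid_graph_main.php from the request parameter `data_source`, so this query is only as safe as that caller's validation. The function continues past the end of the hunk.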
@@ -405,9 +421,38 @@
{
$xdata[$cnt][0] = strip_tags(GetSigClassName($myrow[0], $db));
$xdata[$cnt][1] = $myrow[1];
- //$xdata[0][1] = $xdata[1][1] = 50;
- //$xdata[0][0] = 20;
- //$xdata[1][0] = 80;
+ ++$cnt;
+ }
+ }
+
+ $result->acidFreeRows();
+ return $cnt;
+}
+
+function GetSensorDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
+{
+ GLOBAL $db, $debug_mode;
+
+ $sql = "SELECT DISTINCT acid_event.sid, COUNT(acid_event.cid) ".
+ "FROM acid_event ".$criteria[0].
+ "WHERE ".$criteria[1].
+ " GROUP BY acid_event.sid ORDER BY acid_event.sid";
+
+ if ( $debug_mode > 0) echo $sql." ";
+
+ $result = $db->acidExecute($sql);
+
+ $cnt = 0;
+ while ( $myrow = $result->acidFetchRow() )
+ {
+ if ( $myrow[1] >= $min_threshold )
+ {
+ $result2 = $db->acidExecute("SELECT hostname FROM sensor where sid=".$myrow[0]);
+ $sensor_name = $result2->acidFetchRow();
+ $xdata[$cnt][0] = $sensor_name[0];
+ $result2->acidFreeRows();
+
+ $xdata[$cnt][1] = $myrow[1];
++$cnt;
}
}
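Review bot: GetSensorDataSet issues a second query per qualifying row (`SELECT hostname FROM sensor where sid=...`) and dereferences `$sensor_name[0]` without checking the fetch; the `while` loops on this page treat a falsy `acidFetchRow()` result as end-of-data, so a sid with no sensor row would index into `false` here. Guard it, `$xdata[$cnt][0] = ($sensor_name !== false) ? $sensor_name[0] : $myrow[0];`, or better, fold the lookup into the main statement with a `LEFT JOIN sensor ON sensor.sid = acid_event.sid` and select `hostname` alongside the count, which removes the per-row round trip. As with the other data-set functions, `$criteria[1]` goes into the WHERE clause unescaped, and on this page it is derived from the `data_source` request parameter in acid_graph_main.php, so that caller must validate it. The function's `acidFreeRows()`/`return $cnt` tail lies outside the hunk.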
diff -Naur acid/acid_graph_display.php acidfp/acid_graph_display.php
--- acid/acid_graph_display.php 2002-03-03 18:02:44.000000000 -0500
+++ acidfp/acid_graph_display.php 2003-12-17 14:16:39.000000000 -0500
@@ -4,7 +4,7 @@
*
* Author: Roman Danyliw ,
*
- * Copyright (C) 2000, 2001 Carnegie Mellon University
+ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
* Purpose: Displays the actual .GIF/.PNG/.TIFF image
@@ -13,6 +13,7 @@
* Input GET/POST variables
* - width: chart width
* - height: chart width
+ * - pmargin0-3: plot margins
* - title: chart title
* - xaxis_label: x-axis label
* - yaxis_label: y-axis label
@@ -23,105 +24,120 @@
*/
include ("acid_conf.php");
+ include ("acid_state_common.inc");
include ("acid_graph_common.php");
session_start();
- session_register('xdata');
- LoadGraphingLib($ChartLib_path);
-
- /* Verifies that the chart width is not too small
- *
- * algorithm: width >= const + number_of_points * factor
- */
- $width_const = 50;
- $width_factor = 10;
-
- if ( $width < ($width_const + count ($data) * $width_factor)) {
- $width = $width_const + count ($data) * $width_factor;
- }
+ $xdata = $HTTP_SESSION_VARS['xdata'];
+ $width = ImportHTTPVar("width");
+ $height = ImportHTTPVar("height");
+ $pmargin0 = ImportHTTPVar("pmargin0");
+ $pmargin1 = ImportHTTPVar("pmargin1");
+ $pmargin2 = ImportHTTPVar("pmargin2");
+ $pmargin3 = ImportHTTPVar("pmargin3");
+ $title = ImportHTTPVar("title");
+ $xaxis_label = ImportHTTPVar("xaxis_label");
+ $yaxis_label = ImportHTTPVar("yaxis_label");
+ $yaxis_scale = ImportHTTPVar("yaxis_scale");
+ $xaxis_grid = ImportHTTPVar("xaxis_grid");
+ $yaxis_grid = ImportHTTPVar("yaxis_grid");
+ $rotate_xaxis_lbl = ImportHTTPVar("rotate_xaxis_lbl");
+ $style = ImportHTTPVar("style");
- $graph = new PHPlot($width, $height);
- $graph->SetIsInline("0");
- $graph->SetBrowserCache("0");
-
- /* Allocate enough space for the X,Y-axis data label */
- $x_maxlength = 10; /* 10 is the PHP default size */
+ LoadGraphingLib($ChartLib_path);
- /* Create the data array */
+ /* Create the data and label array */
for ($i = 0; $i < count($xdata); $i++)
{
- if ( $style != "pie" )
- {
- $xdata_graph[$i] = array($xdata[$i][0], $xdata[$i][1]);
- }
- else
- {
- $xdata[$i] = array( count($data)+1 );
- $xdata[$i][0] = $datalbl[$i];
- for ( $j = 1; $j < $i; $j++)
- $xdata[$i][$j] = 0;
- $xdata[$i][$i+1] = $data[$i];
-
- $legend[$i] = $datalbl[$i];
- }
-
- if (strlen($xdata[$i][0]) > $x_maxlength)
- {
- // if the label is too small, expand the label size to fit
- $x_maxlength = strlen($xdata[$i][0]);
- }
+ $xlabel[$i] = $xdata[$i][0];
+ $ydata[$i] = $xdata[$i][1];
}
- $graph->SetDataType("text-data");
- $graph->SetPlotType($style);
-
+ if ( $style == "pie" )
+ $graph = new PieGraph($width, $height);
+ else
+ $graph = new Graph($width, $height);
+
+ /* Set Margins */
+ $graph->img->SetMargin($pmargin0,$pmargin1,$pmargin2,$pmargin3);
+ $graph->img->SetAntiAliasing();
+
+ //$graph->SetShadow();
+
+ /* Set Plot type */
switch($style)
{
- case "bars":
- $graph->SetDataType("text-data");
- break;
- case "linepoints":
- $graph->SetDataType("text-data");
+ case "bar":
+ $plot[0] = new BarPlot($ydata);
break;
case "pie":
- $graph->SetDataType("text-data");
- $graph->SetLegend($legend);
+ $plot[0] = new PiePlot3D($ydata);
break;
- case "thinbarline":
- $graph->SetDataType("data-data");
+ case "line":
+ $plot[0] = new LinePlot($ydata);
break;
}
- /* read the X-axis labels as text */
- $graph->SetXGridLabelType ("title");
+ //$plot[0]->SetColor("#000000");
+
+ if ( ($style == "bar") || ($style == "line") )
+ {
+ /* Set Scale */
+ if ( $yaxis_scale == 1 )
+ $graph->SetScale("textlog");
+ else
+ $graph->SetScale("textlin");
+
+ $plot[0]->SetFillColor("#BE0505");
+ //$plot[0]->SetFillColor($GLOBALS['chart_bar_color_default']);
+
+ /* Set Gridlines */
+ if ( $xaxis_grid == 1 )
+ $graph->xgrid->Show(true);
+ else
+ $graph->xgrid->Show(false);
+
+ if ( $yaxis_grid == 1 )
+ $graph->ygrid->Show(true);
+ else
+ $graph->ygrid->Show(false);
+
+ /* Set Axis Labels */
+ $graph->xaxis->title->Set($xaxis_label);
+ $graph->yaxis->title->Set($yaxis_label);
+
+ //$graph->xaxis->SetFont(FF_ARIAL,FS_NORMAL,11);
+
+ $graph->xaxis->SetTickLabels($xlabel);
+
+ if ( $rotate_xaxis_lbl == 1 )
+ $graph->xaxis->SetLabelAngle(90);
+ }
+
+ if ( $style == "pie" )
+ {
+ $plot[0]->SetLegends($xlabel);
+ }
+
+ //$plot[0]->ShowValue(true);
+ //$plot[0]->SetShadow();
+
+ /* Set Title */
+ //$graph->title->SetFont(FF_COMIC,FS_NORMAL,18);
+ $graph->title->Set($title);
+
+
+ $graph->Add($plot[0]);
+
+ $graph->Stroke();
+?>
+
+
+
+
+
+
- $graph->SetPrecisionY(0);
- $graph->SetPrecisionX(0);
- $graph->SetBackgroundColor($chart_bg_color_default);
- $graph->SetLightGridColor($chart_lgrid_color_default);
- /* Check if need to rotate X-Axis label */
- if ( $rotate_xaxis_lbl == 1 )
- $graph->SetXDataLabelAngle(90);
-
- $graph->SetFileFormat($chart_file_format);
- //$graph->SetUseTTF("0");
-
- /* Set y-axis scale */
- if ( $yaxis_scale == 1 )
- $graph->SetYScaleType("log");
-
- $graph->SetXDataLabelMaxlength($x_maxlength);
- $graph->SetDrawYGrid("1");
- $graph->SetDataValues($xdata_graph);
- $graph->SetXLabel($xaxis_label);
- $graph->SetYLabel($yaxis_label);
- $graph->SetTitle($title);
- $graph->SetDataColors( array( $chart_bar_color_default ),
- array("black") );
- //$graph->SetBackgroundColor("grey");
- $graph->DrawGraph();
- //$graph->DrawLegend(100, 100, '');
-?>
\ No newline at end of file
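Review bot: `$width`, `$height` and `$pmargin0`-`$pmargin3` come straight from ImportHTTPVar and are passed to `new Graph($width, $height)` / `SetMargin()` with no type or range check; the old code at least enforced a minimum width, the new code has no bound in either direction, so a request can ask for an arbitrarily large canvas. Cast and clamp before constructing the graph, e.g. `$width = max(1, min((int) $width, MAX_CHART_WIDTH_PLACEHOLDER));` with the same for `$height` and `(int)` casts for the margins, where the bound is a constant the project chooses. The six blank `+` lines after the closing `?>` are emitted after `$graph->Stroke()` and are appended to the image bytes, which can make the PNG unreadable in some viewers; drop everything after `?>`. The `switch($style)` has no `default`, so an unknown `style` leaves `$plot[0]` unset and `$graph->Add($plot[0])` fails; a `default:` that falls back to `BarPlot` (or returns) is cheaper than the warning.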
diff -Naur acid/acid_graph_form.php acidfp/acid_graph_form.php
--- acid/acid_graph_form.php 1969-12-31 19:00:00.000000000 -0500
+++ acidfp/acid_graph_form.php 2003-12-17 14:16:39.000000000 -0500
@@ -0,0 +1,214 @@
+,
+ *
+ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: displays form for graphing
+ */
+
+ echo '
';
+
+?>
diff -Naur acid/acid_graph_main.php acidfp/acid_graph_main.php
--- acid/acid_graph_main.php 2002-03-03 18:02:44.000000000 -0500
+++ acidfp/acid_graph_main.php 2003-12-17 14:16:39.000000000 -0500
@@ -4,7 +4,7 @@
*
* Author: Roman Danyliw ,
*
- * Copyright (C) 2000, 2001 Carnegie Mellon University
+ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
* Purpose:
@@ -27,9 +27,12 @@
$cs->ReadState();
session_start();
- session_register('xdata');
$submit = ImportHTTPVar("submit");
+
+ $height = ImportHTTPVar("height");
+ $width = ImportHTTPVar("width");
+ $user_chart_title = ImportHTTPVar("user_chart_title");
$data_source = ImportHTTPVar("data_source");
$chart_type = ImportHTTPVar("chart_type");
$chart_interval = ImportHTTPVar("chart_interval");
@@ -46,6 +49,19 @@
$chart_style = ImportHTTPVar("chart_style");
$rotate_xaxis_lbl = ImportHTTPVar("rotate_xaxis_lbl");
+ $yaxis_scale = ImportHTTPVar("yaxis_scale");
+ $xaxis_grid = ImportHTTPVar("xaxis_grid");
+ $yaxis_grid = ImportHTTPVar("yaxis_grid");
+
+ $pmargin0 = ImportHTTPVar("pmargin0");
+ $pmargin1 = ImportHTTPVar("pmargin1");
+ $pmargin2 = ImportHTTPVar("pmargin2");
+ $pmargin3 = ImportHTTPVar("pmargin3");
+
+ $xaxis_label_inc = ImportHTTPVar("xaxis_label_inc");
+
+ $min_size = ImportHTTPVar("min_size");
+ $aggregate_type = ImportHTTPVar("aggregate_type");
$page_title = "Graph Alert Data";
PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
@@ -60,19 +76,21 @@
if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
?>
-
-
-
';
+ include("acid_graph_form.php");
$data_pnt_cnt = 0;
/* Error Conditions */
@@ -299,7 +142,7 @@
{
$criteria[0] = "LEFT JOIN acid_ag_alert ".
"ON (acid_event.sid=acid_ag_alert.ag_sid AND acid_event.cid=acid_ag_alert.ag_cid) ";
- $criteria[1] = "ag_id = $data_source";
+ $criteria[1] = "acid_ag_alert.ag_id = $data_source";
if ( $time_constraint != NULL )
$criteria[1] = $criteria[1].$time_constraint;
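Review bot: `$data_source` is interpolated into `$criteria[1]` as-is, and it arrives from `ImportHTTPVar("data_source")` earlier in this file, so the WHERE clause every GetXxxDataSet function then concatenates is built from raw request input. The value is used as an alert-group id here, so the fix is to coerce it before it reaches the SQL string, `$criteria[1] = "acid_ag_alert.ag_id = ".intval($data_source);`, or to reject non-numeric input with `is_numeric()` and an ErrorMessage. The surrounding `if`/`switch` that selects this branch starts before the hunk.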
@@ -395,6 +238,15 @@
$data_pnt_cnt = GetClassificationDataSet($xdata, $chart_type, $data_source, $min_size, $criteria);
break;
}
+ case 13: // Sensor vs. Num Alerts
+ {
+ $chart_title = "Sensor vs. Number of Alerts";
+ $xaxis_label = "Sensor";
+ $yaxis_label = "Alert Occurrences";
+
+ $data_pnt_cnt = GetSensorDataSet($xdata, $chart_type, $data_source, $min_size, $criteria);
+ break;
+ }
}
if ( $data_pnt_cnt > 0 )
@@ -444,15 +296,20 @@
';
+ $HTTP_SESSION_VARS['xdata'] = $xdata;
echo "
";
+ "&yaxis_scale=".$yaxis_scale.
+ "&xaxis_grid=".$xaxis_grid.
+ "&yaxis_grid=".$yaxis_grid.
+ "&style=".$chart_style."\">";
echo '
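Review bot: The new `&yaxis_scale=`, `&xaxis_grid=`, `&yaxis_grid=` and `&style=` fragments splice request values straight into the quoted `src` attribute of the image tag without URL- or HTML-encoding, so a crafted value closes the attribute and injects markup into the page. Encode each value at the point of use, e.g. `"&yaxis_scale=".rawurlencode($yaxis_scale).` (rawurlencode is already used elsewhere in this tree) and the same for the other three, or restrict them to the small set of expected values before echoing. The `echo "` that opens this tag starts above the hunk, so the earlier parameters in the same URL should get the same treatment.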
diff -Naur acid/acid_log_error.inc acidfp/acid_log_error.inc
--- acid/acid_log_error.inc 2002-03-03 18:02:44.000000000 -0500
+++ acidfp/acid_log_error.inc 2003-12-17 14:16:39.000000000 -0500
@@ -32,12 +32,27 @@
GLOBAL $HTTP_SERVER_VARS, $DBtype, $ADODB_vers, $HTTP_SESSION_VARS;
$tmp = session_encode();
+
+ if ( isset($HTTP_SERVER_VARS['HTTP_REFERER']) )
+ $http_referer = $HTTP_SERVER_VARS['HTTP_REFERER'];
+ else
+ $http_referer = "";
+ if ( isset($HTTP_SERVER_VARS['HTTP_USER_AGENT']) )
+ $http_user_agent = $HTTP_SERVER_VARS['HTTP_USER_AGENT'];
+ else
+ $http_user_agent = "";
+
+ if ( isset($HTTP_SERVER_VARS['SERVER_SOFTWARE']) )
+ $server_software = $HTTP_SERVER_VARS['SERVER_SOFTWARE'];
+ else
+ $server_software = "";
+
echo "
- URL: '".$HTTP_SERVER_VARS["PHP_SELF"]."' (referred by: '".$HTTP_SERVER_VARS["HTTP_REFERER"]."')
+ URL: '".$HTTP_SERVER_VARS["PHP_SELF"]."' (referred by: '".$http_referer."')
PARAMETERS: '".$HTTP_SERVER_VARS["QUERY_STRING"]."
- CLIENT: ".$HTTP_SERVER_VARS["HTTP_USER_AGENT"]."
- SERVER: ".$HTTP_SERVER_VARS["SERVER_SOFTWARE"]."
+ CLIENT: ".$http_user_agent."
+ SERVER: ".$server_software."
SERVER HW: ".php_uname()."
DATABASE TYPE: $DBtype DB ABSTRACTION VERSION: $ADODB_vers
PHP VERSION: ".phpversion()." PHP API: ".php_sapi_name()."
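Review bot: The `isset()` guards stop the notices, but `$http_referer` and `$http_user_agent` are still echoed unescaped into the error page, and both are client-supplied headers, so whoever triggers the error controls what is rendered; wrap them at the point of output, e.g. `htmlspecialchars($http_referer)` and `htmlspecialchars($http_user_agent)`. `$HTTP_SERVER_VARS["QUERY_STRING"]` on the PARAMETERS line is in the same position and is neither guarded nor escaped, so it should get the same `isset()` default and `htmlspecialchars()` treatment. The function containing this block starts above the hunk.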
@@ -55,4 +70,4 @@
echo " ";
}
-?>
+?>
\ No newline at end of file
diff -Naur acid/acid_main.php acidfp/acid_main.php
--- acid/acid_main.php 2002-03-03 18:02:44.000000000 -0500
+++ acidfp/acid_main.php 2003-12-17 14:17:10.000000000 -0500
@@ -49,8 +49,14 @@
include_once("acid_db_common.php");
RegisterGlobalState();
- InitGlobalState();
- PreserveHistory();
+ //InitGlobalState();
+
+ /* Initialize the history */
+ $HTTP_SESSION_VARS = NULL;
+ InitArray($HTTP_SESSION_VARS['back_list'], 1, 3, "");
+ $HTTP_SESSION_VARS['back_list_cnt'] = 0;
+
+ PushHistory();
?>
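Review bot: `$HTTP_SESSION_VARS = NULL;` discards every key in the session, not only the history, so anything another page stores there (this patch itself stores `xdata` in `$HTTP_SESSION_VARS['xdata']` from acid_graph_main.php) is lost whenever acid_main.php is loaded; if the intent is a full reset, the comment should say so, otherwise initialise only the two history keys, `$HTTP_SESSION_VARS['back_list'] = array(); $HTTP_SESSION_VARS['back_list_cnt'] = 0;` followed by the existing InitArray call. `//InitGlobalState();` is commented-out code and should be removed rather than left in; if it is being kept as a reminder, a comment saying why it was disabled would be more useful than the dead call.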
@@ -138,7 +144,7 @@
Search
-Graph Alert data (EXPERIMENTAL )
+Graph Alert data
Snapshot
@@ -196,7 +202,7 @@
echo '
-
+
Most recent Alerts:
any protocol ,
@@ -217,6 +223,10 @@
?>
Most
recent Unique Alerts
+ Network Fingerprints: most recent ;
+ by address , 
+ port , 
+ service  
Last Source Ports:
@@ -249,7 +259,7 @@
-
+
Most
frequent Alerts
diff -Naur acid/acid_maintenance.php acidfp/acid_maintenance.php
--- acid/acid_maintenance.php 2002-03-03 18:02:44.000000000 -0500
+++ acidfp/acid_maintenance.php 2003-12-17 14:16:39.000000000 -0500
@@ -4,7 +4,7 @@
*
* Author: Roman Danyliw ,
*
- * Copyright (C) 2000, 2001 Carnegie Mellon University
+ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
* Purpose: status and event/dns/whois cache maintenance
@@ -42,8 +42,10 @@
if ( $debug_mode > 0 )
echo "submit = '$submit'";
- set_time_limit($max_script_runtime);
+ if ( ini_get("safe_mode") != true )
+ set_time_limit($max_script_runtime);
+ $repair_output = NULL;
if ( $submit == "Update Alert Cache" )
{
UpdateAlertCache($db);
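Review bot: `ini_get("safe_mode") != true` compares a string return value loosely against a boolean, which happens to work for the `""`/`"0"`/`"1"` values ini_get returns but reads as if ini_get returned a bool; the plain form `if ( !ini_get("safe_mode") )` states the intent directly. The same construct appears in the acid_output_html.inc hunk of this diff (`if ( ini_get("safe_mode") != true )` before `set_time_limit`) and should be changed in both places. A one-line comment, `/* set_time_limit() is a fatal error under safe_mode */`, would explain why the call is conditional.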
@@ -71,14 +73,18 @@
DropWhoisCache($db);
UpdateWhoisCache($db);
}
+ else if ( $submit == "Repair Tables")
+ {
+ $repair_output = RepairDBTables($db);
+ }
echo '
";
+
';
echo '
diff -Naur acid/acid_net.inc acidfp/acid_net.inc
--- acid/acid_net.inc 2002-03-03 18:02:44.000000000 -0500
+++ acidfp/acid_net.inc 2003-12-17 14:16:39.000000000 -0500
@@ -4,7 +4,7 @@
*
* Author: Roman Danyliw ,
*
- * Copyright (C) 2000 Carnegie Mellon University
+ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
* Purpose: TCP/IP network routines
@@ -17,7 +17,7 @@
* Purpose: convert a text string IPv4 address into its 32-bit numeric
* equivalent
*
- * Arguments: $IP_str => dotted IPv4 address string (e.g. 1.2.3.4)
+ :* Arguments: $IP_str => dotted IPv4 address string (e.g. 1.2.3.4)
*
* Returns: 32-bit integer equivalent of the dotted address
* (e.g. 255.255.255.255 => 4294967295 )
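Review bot: The changed comment line now reads `:* Arguments: ...`, so the commit introduces a stray `:` in front of the `*` of the docblock; restore `* Arguments: $IP_str => dotted IPv4 address string (e.g. 1.2.3.4)`. No other line in the block changes, so this hunk is otherwise a no-op.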
@@ -143,7 +143,7 @@
$current_time = date("Y-m-d H:i:s",$current_unixtime);
$sql = "SELECT ipc_ip,ipc_fqdn,".$db->acidSQL_UNIXTIME("(ipc_dns_timestamp)", "","").",ipc_dns_timestamp".
" FROM acid_ip_cache ".
- " WHERE ipc_ip = $ip32 ";
+ " WHERE ipc_ip = '$ip32' ";
$result = $db->acidExecute($sql);
$ip_cache = $result->acidFetchRow();
@@ -160,7 +160,8 @@
}
else /* cache hit */
{
- if ( ( ($ip_cache[2] / 60)+$cache_lifetime ) <= ($current_unixtime / 60) )
+ if ( (( ($ip_cache[2] / 60)+$cache_lifetime ) <= ($current_unixtime / 60)) &&
+ ($ip_cache[2] != "") )
{
/* valid entry */
if ( ($ip_cache[2] != "") && ($ip_cache[2] != 0) )
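Review bot: The added `&& ($ip_cache[2] != "")` on the outer condition makes the `$ip_cache[2] != ""` half of the inner `if ( ($ip_cache[2] != "") && ($ip_cache[2] != 0) )` unreachable as a false case; either drop that half from the inner test or keep the outer one simple, but not both. The added guard also changes which branch an empty timestamp takes: previously `"" / 60` evaluated to 0 and usually sent the entry down this path, now it is skipped, so the comment `/* valid entry */` no longer describes the first thing the block checks; a short comment on the outer `if`, such as `/* refresh only entries that carry a timestamp and have expired */`, would make the new intent explicit. The enclosing function starts and ends outside the hunk.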
@@ -176,7 +177,7 @@
/* Update entry in cache regardless of whether can resolve */
$sql = "UPDATE acid_ip_cache SET ipc_fqdn='$tmp', ".
- " ipc_dns_timestamp='$current_time' WHERE ipc_ip=$ip32";
+ " ipc_dns_timestamp='$current_time' WHERE ipc_ip='$ip32'";
$db->acidExecute($sql);
}
}
@@ -209,7 +210,7 @@
$current_time = date("Y-m-d H:i:s",$current_unixtime);
$sql = "SELECT ipc_ip,ipc_whois,".$db->acidSQL_UNIXTIME("(ipc_whois_timestamp)", "","").",ipc_whois_timestamp".
" FROM acid_ip_cache ".
- " WHERE ipc_ip = $ip32 ";
+ " WHERE ipc_ip = '$ip32' ";
$result = $db->acidExecute($sql);
$whois_cache = $result->acidFetchRow();
@@ -247,7 +248,7 @@
/* Update entry in cache regardless of whether can resolve */
$sql = "UPDATE acid_ip_cache SET ipc_whois='".getSafeSQLString($tmp)."', ".
- " ipc_whois_timestamp='$current_time' WHERE ipc_ip=$ip32";
+ " ipc_whois_timestamp='$current_time' WHERE ipc_ip='$ip32'";
$db->acidExecute($sql);
}
}
diff -Naur acid/acid_output_html.inc acidfp/acid_output_html.inc
--- acid/acid_output_html.inc 2002-03-03 18:02:44.000000000 -0500
+++ acidfp/acid_output_html.inc 2003-12-17 14:16:39.000000000 -0500
@@ -4,7 +4,7 @@
*
* Author: Roman Danyliw ,
*
- * Copyright (C) 2001 Carnegie Mellon University
+ * Copyright (C) 2001,2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
* Purpose: Prints or generates HTML to display
@@ -15,7 +15,8 @@
GLOBAL $debug_mode, $ACID_VERSION, $html_no_cache,
$max_script_runtime;
- set_time_limit($max_script_runtime);
+ if ( ini_get("safe_mode") != true )
+ set_time_limit($max_script_runtime);
echo '
@@ -96,11 +97,11 @@
function PrintFreshPage($refresh_stat_page, $stat_page_refresh_time)
{
- GLOBAL $PHP_SELF;
+ GLOBAL $HTTP_SERVER_VARS;
if ( $refresh_stat_page )
echo ' '."\n";
+ '"; URL="'.$HTTP_SERVER_VARS["PHP_SELF"].'";>'."\n";
}
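Review bot: The meta-refresh URL is now built from `$HTTP_SERVER_VARS["PHP_SELF"]`, which includes any path-info the client appends to the script name, so it is client-influenced and is written into the attribute unescaped; emit it through `htmlspecialchars($HTTP_SERVER_VARS["PHP_SELF"])`, or use the script's own known name rather than the request path. The switch from `GLOBAL $PHP_SELF` to the server-vars array is itself fine. The string that opens the meta tag is on the line above the hunk's `+` line, so the whole echo should be read together when making the change.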
function chk_select($stored_value, $current_value)
diff -Naur acid/acid_output_query.inc acidfp/acid_output_query.inc
--- acid/acid_output_query.inc 2002-03-03 18:02:44.000000000 -0500
+++ acidfp/acid_output_query.inc 2003-12-17 14:16:39.000000000 -0500
@@ -134,9 +134,9 @@
echo '';
}
-function qroPrintEntry($value)
+function qroPrintEntry($value, $halign="center", $valign="top", $passthru="")
{
- echo "\n".
+ echo " \n".
" \n".
" $value\n".
" \n".
diff -Naur acid/acid_qry_alert.php acidfp/acid_qry_alert.php
--- acid/acid_qry_alert.php 2002-03-03 18:02:44.000000000 -0500
+++ acidfp/acid_qry_alert.php 2003-12-17 14:16:39.000000000 -0500
@@ -4,7 +4,7 @@
*
* Author: Roman Danyliw ,
*
- * Copyright (C) 2001 Carnegie Mellon University
+ * Copyright (C) 2001,2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
* Purpose: displays a single alert
@@ -55,7 +55,7 @@
* to the history.
*/
$submit = ImportHTTPVar("submit");
- $QUERY_STRING = "submit=".rawurlencode($submit);
+ $HTTP_SERVER_VARS["QUERY_STRING"] = "submit=".rawurlencode($submit);
$et = new EventTiming($debug_time_mode);
$cs = new CriteriaState("acid_qry_alert.php");
@@ -79,6 +79,7 @@
$qs->AddValidAction("ag_by_id");
$qs->AddValidAction("ag_by_name");
+ $qs->AddValidAction("add_new_ag");
$qs->AddValidAction("del_alert");
$qs->AddValidAction("email_alert");
$qs->AddValidAction("email_alert2");
@@ -205,7 +206,7 @@
$sql4 = "SELECT acid_ag_alert.ag_id, ag_name, ag_desc ".
"FROM acid_ag_alert LEFT JOIN acid_ag ON acid_ag_alert.ag_id = acid_ag.ag_id ".
- "WHERE ag_sid=".$sid." AND ag_cid=".$cid;
+ "WHERE ag_sid='".$sid."' AND ag_cid='".$cid."'";
$result4 = $db->acidExecute($sql4);
$num = $result4->acidRecordCount();
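Review bot: Wrapping `$sid` and `$cid` in quotes does not make the statement safe; if either value can contain a quote it still breaks out of the literal, and if they are guaranteed numeric the quotes are unnecessary. Their origin is outside this hunk, so I cannot tell which applies; casting at the point of use, `"WHERE ag_sid=".intval($sid)." AND ag_cid=".intval($cid)`, covers both cases for integer ids. The other `'$ip32'` quoting changes in acid_net.inc in this diff follow the same pattern and deserve the same question.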
@@ -540,11 +541,16 @@
$work = str_replace("\n","",$myrow2[0]);
/*
- * depending on how the packet logged, 32-bits of NULL padding after
- * the checksum may still be present.
+ * - depending on how the packet logged, 32-bits of NULL padding after
+ * the checksum may still be present.
*/
if ( substr($work, 0, 8) == "00000000" )
$offset = 8;
+ /* for dest. unreachable, frag needed and DF bit set indent the padding
+ * of MTU of next hop
+ */
+ else if ( ($ICMPitype == "3") && ($ICMPicode == "4") )
+ $offset += 8;
$icmp_src = hexdec($work[24+$offset].$work[25+$offset]).".".
hexdec($work[26+$offset].$work[27+$offset]).".".
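Review bot: The new `else if` branch does `$offset += 8` whereas the first branch does `$offset = 8`; unless `$offset` is initialised above the hunk (not visible here), the ICMP type-3/code-4 case works on an undefined variable, and if it is initialised to 8 the result is 16, which may or may not be what the payload layout needs. Either make both branches assign an explicit value or add `$offset = 0;` before the chain, and confirm the intended total. The comment `indent the padding of MTU of next hop` is hard to follow; something like `/* dest. unreachable / fragmentation needed (type 3, code 4): the next-hop MTU field adds another 8 bytes before the inner header */` would state the reason the offset moves, assuming that is the reason.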
@@ -556,7 +562,7 @@
hexdec($work[38+$offset].$work[39+$offset]);
$icmp_proto = hexdec($work[18+$offset].$work[19+$offset]);
- $hdr_offset = ($work[$offset+1]) * 8 + offset;
+ $hdr_offset = ($work[$offset+1]) * 8 + $offset;
$icmp_src_port = hexdec($work[$hdr_offset].$work[$hdr_offset+1].$work[$hdr_offset+2].$work[$hdr_offset+3]);
$icmp_dst_port = hexdec($work[$hdr_offset+4].$work[$hdr_offset+5].$work[$hdr_offset+6].$work[$hdr_offset+7]);
diff -Naur acid/acid_qry_common.php acidfp/acid_qry_common.php
--- acid/acid_qry_common.php 2002-03-03 18:02:44.000000000 -0500
+++ acidfp/acid_qry_common.php 2003-12-17 14:16:39.000000000 -0500
@@ -5,7 +5,7 @@
* Author: Roman Danyliw ,
* MSSQL support by Charles Hand
*
- * Copyright (C) 2000, 2001 Carnegie Mellon University
+ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
* Portions Copyright (C) 2001 Iowa National Guard
* (see the file 'acid_main.php' for license details)
*
@@ -17,67 +17,52 @@
function PrintCriteriaState()
{
- GLOBAL $time, $time_cnt,
- $sig, $sig_type,
- $sensor,
- $ag,
- $ip_addr, $ip_addrs, $ip_addr_cnt,
- $ip_field, $ip_field_cnt,
- $tcp_port, $tcp_port_cnt,
- $tcp_flags,
- $tcp_field, $tcp_field_cnt,
- $udp_port, $udp_port_cnt,
- $udp_field, $udp_field_cnt,
- $icmp_field, $icmp_field_cnt,
- $data, $data_cnt,
- $layer4, $MAX_ROWS,
- $new, $submit, $sort_order, $num_result_rows,
- $current_view, $caller, $action, $action_arg,
- $sort_order, $debug_mode;
-
- if ( $debug_mode >= 2 )
- {
- echo "";
- echo "sensor: $sensor \n
- AG: $ag \n
- signature ";
- print_r($sig);
- echo "time ($time_cnt): ";
- print_r($time);
- echo "IP addresses ($ip_addr_cnt): ";
- print_r($ip_addr);
- echo " =================================================== ";
- print_r($ip_addrs);
- echo "IP fields ($ip_field_cnt): ";
- print_r($ip_field);
- echo "TCP ports ($tcp_port_cnt): ";
- print_r($tcp_port);
- echo "TCP flags: ";
- print_r($tcp_flags);
- echo "TCP field ($tcp_field_cnt): ";
- print_r($tcp_field);
- echo "UDP ports ($udp_port_cnt): ";
- print_r($udp_port);
- echo "UDP field ($udp_field_cnt): ";
- print_r($udp_field);
- echo "ICMP field ($icmp_field_cnt): ";
- print_r($icmp_field);
- echo "Data ($data_cnt): ";
- print_r($data);
- echo " ";
- }
-
- if ( $debug_mode >= 1 )
- {
- echo "
- new: '$new'
- submit: '$submit'
- sort_order: '$sort_order'
- num_result_rows: '$num_result_rows' current_view: '$current_view'
- layer4: '$layer4' caller: '$caller'
- action: '$action' action_arg: '$action_arg'
- ";
- }
+ GLOBAL $HTTP_SESSION_VARS, $layer4,
+ $new, $submit, $sort_order, $num_result_rows,
+ $current_view, $caller, $action, $action_arg,
+ $sort_order;
+
+ if ( $GLOBALS['debug_mode'] >= 2 )
+ {
+ echo "";
+ echo "sensor: ".$HTTP_SESSION_VARS['sensor']." \n".
+ "AG: ".$HTTP_SESSION_VARS['ag']." \n".
+ "signature \n";
+ print_r($HTTP_SESSION_VARS['sig']);
+ echo "time (".$HTTP_SESSION_VARS['time_cnt']."): ";
+ print_r($HTTP_SESSION_VARS['time']);
+ echo "IP addresses (".$HTTP_SESSION_VARS['ip_addr_cnt']."): ";
+ print_r($HTTP_SESSION_VARS['ip_addr']);
+ echo "IP fields (".$HTTP_SESSION_VARS['ip_field_cnt']."): ";
+ print_r($HTTP_SESSION_VARS['ip_field']);
+ echo "TCP ports (".$HTTP_SESSION_VARS['tcp_port_cnt']."): ";
+ print_r($HTTP_SESSION_VARS['tcp_port']);
+ echo "TCP flags: ";
+ print_r($HTTP_SESSION_VARS['tcp_flags']);
+ echo "TCP field (".$HTTP_SESSION_VARS['tcp_field_cnt']."): ";
+ print_r($HTTP_SESSION_VARS['tcp_field']);
+ echo "UDP ports (".$HTTP_SESSION_VARS['udp_port_cnt']."): ";
+ print_r($HTTP_SESSION_VARS['udp_port']);
+ echo "UDP field (".$HTTP_SESSION_VARS['udp_field_cnt']."): ";
+ print_r($HTTP_SESSION_VARS['udp_field']);
+ echo "ICMP field (".$HTTP_SESSION_VARS['icmp_field_cnt']."): ";
+ print_r($HTTP_SESSION_VARS['icmp_field']);
+ echo "Data (".$HTTP_SESSION_VARS['data_cnt']."): ";
+ print_r($HTTP_SESSION_VARS['data']);
+ echo " ";
+ }
+
+ if ( $GLOBALS['debug_mode'] >= 1 )
+ {
+ echo "
+ new: '$new'
+ submit: '$submit'
+ sort_order: '$sort_order'
+ num_result_rows: '$num_result_rows' current_view: '$current_view'
+ layer4: '$layer4' caller: '$caller'
+ action: '$action' action_arg: '$action_arg'
+ ";
+ }
}
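Review bot: The new `GLOBAL` list names `$sort_order` twice (once on the second line, once on the last), so one of the two should go. The debug branch `print_r`s session contents straight into the response; that is gated on `debug_mode`, but since the session now holds everything the criteria pages store, a comment on the `if ( $GLOBALS['debug_mode'] >= 2 )` line noting that this dumps raw session state and must stay off in production would help the next maintainer. The function ends inside the hunk, so the `$sort_order` fix is self-contained.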
function FieldRows2sql($field, $cnt, &$s_sql)
@@ -88,8 +73,8 @@
$tmp = "";
if ( $field[$i][3] != "" && $field[$i][1] != " ")
{
- $tmp = $field[$i][0]." ".$field[$i][1]." ".$field[$i][2]."".
- $field[$i][3]."".$field[$i][4]." ".$field[$i][5];
+ $tmp = $field[$i][0]." ".$field[$i][1]." ".$field[$i][2]." '".
+ $field[$i][3]."' ".$field[$i][4]." ".$field[$i][5];
}
else
{
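Review bot: The new quoting of `$field[$i][3]` in FieldRows2sql surrounds the user-entered criterion with `'` but does not escape it, so a value containing a quote still terminates the literal; this tree already has `getSafeSQLString()` (used in acid_net.inc), so the line should read `$field[$i][3]."' " ... ` with the value passed through it: `" '".getSafeSQLString($field[$i][3])."' "`. The surrounding `for` loop and the function's signature are outside the hunk.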
@@ -139,7 +124,7 @@
for ( $i = 0; $i < $cnt; $i++ )
{
$tmp = "";
- if ( $field[$i][1] != " " && $field[$i][1] != "")
+ if ( isset($field[$i]) && $field[$i][1] != " " && $field[$i][1] != "")
{
$op = $field[$i][1];
@@ -250,12 +235,15 @@
}
else
{
- if ( ($field[$i][2] != " " || $field[$i][3] != "" || $field[$i][4] != " ") &&
+ if ( isset($field[$i]) )
+ {
+ if ( ($field[$i][2] != " " || $field[$i][3] != "" || $field[$i][4] != " ") &&
$field[$i][1] == " ")
- ErrorMessage("Criteria warning: A date/time value of '".
- $field[$i][2]."-".$field[$i][3]."-".$field[$i][4]." ".
- $field[$i][5].":".$field[6].":".$field[7]."' was entered
- but no operator was selected.");
+ ErrorMessage("Criteria warning: A date/time value of '".
+ $field[$i][2]."-".$field[$i][3]."-".$field[$i][4]." ".
+ $field[$i][5].":".$field[6].":".$field[7]."' was entered
+ but no operator was selected.");
+ }
}
if ( $i > 0 && $field[$i-1][9] == ' ' && $field[$i-1][4] != " ")
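Review bot: The re-indented warning text still uses `$field[6]` and `$field[7]` for the minute and second parts while every neighbouring index is `$field[$i][n]`, so the message prints the wrong elements for every row; change the two to `$field[$i][6]` and `$field[$i][7]`. The new `isset($field[$i])` wrapper is fine, but the context line after the hunk, `$field[$i-1][9]`, is still read without the same guard, which is presumably why the `isset` was added in the first place. The enclosing loop and function are outside the hunk.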
@@ -357,54 +345,10 @@
function PrintCriteria($caller)
{
- GLOBAL $db, $cs, $last_num_alerts, $time, $time_cnt, $sig, $sig_type,
- $sensor, $ag, $sig_class,
- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
- $icmp_field, $icmp_field_cnt,
- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
- $layer4, $data, $data_cnt, $data_encode, $save_criteria;
-
- /* Generate the Criteria entered into a human readable form */
- $human_fields["ip_src"] = "Source Address";
- $human_fields["ip_dst"] = "Dest. Address";
- $human_fields["ip_both"] = "Source or Dest. Address";
- $human_fields["ip_ttl"] = "TTL";
- $human_fields["ip_tos"] = "TOS";
- $human_fields["ip_id"] = "ID";
- $human_fields["ip_off"] = "offset";
- $human_fields["ip_len"] = "length";
- $human_fields["ip_csum"] = "chksum";
- $human_fields["layer4_sport"] = "source port";
- $human_fields["layer4_dport"] = "dest port";
- $human_fields[""] = "";
- $human_fields["tcp_win"] = "window";
- $human_fields["tcp_urp"] = "urp";
- $human_fields["tcp_seq"] = "seq #";
- $human_fields["tcp_ack"] = "ack";
- $human_fields["tcp_off"] = "offset";
- $human_fields["tcp_res"] = "res";
- $human_fields["tcp_csum"] = "chksum";
- $human_fields["udp_len"] = "length";
- $human_fields["udp_csum"] = "chksum";
- $human_fields["icmp_type"] = "type";
- $human_fields["icmp_code"] = "code";
- $human_fields["icmp_csum"] = "chksum";
- $human_fields["icmp_id"] = "id";
- $human_fields["icmp_seq"] = "seq";
- $human_fields["LIKE"] = "contains";
- $human_fields["="] = "=";
- $human_fields["1"] = "F";
- $human_fields["2"] = "S";
- $human_fields["4"] = "R";
- $human_fields["8"] = "P";
- $human_fields["16"] = "A";
- $human_fields["32"] = "U";
- $human_fields["64"] = "[R0]";
- $human_fields["128"] = "[R1]";
+ GLOBAL $db, $cs, $last_num_alerts,
+ $save_criteria;
- //$save_criteria = ' Queried DB on : '.date("D F d, Y H:i:s",time()).'
+ /* Generate the Criteria entered into a human readable form */
$save_criteria = '
@@ -430,85 +374,15 @@
return;
}
-// if ( $have_meta == 1 )
-// {
$tmp_len = strlen($save_criteria);
- if ( $sensor != " " && $sensor != "" )
- $save_criteria = $save_criteria.'Sensor = ['.$sensor.'] '.
- GetSensorName($sensor, $db).
- $cs->GetClearCriteriaString("sensor").' ';
-
- if ( $ag != " " && $ag != "" )
- $save_criteria = $save_criteria.'Alert Group = ['.$ag.'] '.GetAGNameByID($ag, $db).
- $cs->GetClearCriteriaString("ag").' ';
-
- if ( $sig[0] != " " && $sig[1] != "" )
- {
- if ( $sig[0] == '=' && $sig[2] == '!=' )
- $tmp_human = '!=';
- else if ( $sig[0] == '=' && $sig[2] == '=' )
- $tmp_human = '=';
- else if ( $sig[0] == 'LIKE' && $sig[2] == '!=' )
- $tmp_human = ' does not contain ';
- else if ( $sig[0] == 'LIKE' && $sig[2] == '=' )
- $tmp_human = ' contains ';
-
- $save_criteria = $save_criteria.'Signature '.$tmp_human.' "';
- if ( ($db->acidGetDBVersion() >= 100) && $sig_type == 1 )
- $save_criteria = $save_criteria.BuildSigByID($sig[1], $db).'" '.
- $cs->GetClearCriteriaString("sig");
- else
- $save_criteria = $save_criteria.$sig[1].
- $cs->GetClearCriteriaString("sig");
-
- $save_criteria = $save_criteria.' ';
- }
-
- if ( $db->acidGetDBVersion() >= 103 )
- {
- if ( $sig_class != " " && $sig_class != "" )
- {
- if ( $sig_class == "null")
- $save_criteria = $save_criteria.'Signature Classification = '.
- 'unclassified ';
- else
- $save_criteria = $save_criteria.'Signature Classification = '.
- GetSigClassName($sig_class, $db).
- $cs->GetClearCriteriaString("sig_class").' ';
- }
- }
-
- $tmp_len2 = strlen($save_criteria);
- for ($i = 0; $i < $time_cnt; $i++)
- {
- if ( $time[$i][1] != " " )
- {
- $save_criteria = $save_criteria.''.$time[$i][0].' time '.$time[$i][1].' [ ';
-
- /* date */
- if ( $time[$i][2] == " " && $time[$i][3] == "" && $time[$i][4] == " " )
- $save_criteria = $save_criteria." any date ";
- else
- $save_criteria = $save_criteria.(($time[$i][2] == " ") ? "* / " : $time[$i][2]." / ").
- (($time[$i][3] == "" ) ? "* / " : $time[$i][3]." / ").
- (($time[$i][4] == " ") ? "* " : $time[$i][4]." ");
- $save_criteria = $save_criteria.'] [';
- /* time */
- if ( $time[$i][5] == "" && $time[$i][6] == "" && $time[$i][7] == "" )
- $save_criteria = $save_criteria."any time ";
- else
- $save_criteria = $save_criteria.(($time[$i][5] == "") ? "* : " : $time[$i][5]." : ").
- (($time[$i][6] == "") ? "* : " : $time[$i][6]." : ").
- (($time[$i][7] == "") ? "* " : $time[$i][7]." ");
- $save_criteria = $save_criteria.$time[$i][8].$time[$i][9];
- $save_criteria = $save_criteria.']';
- $save_criteria = $save_criteria.' ';
- }
- }
- if ( $tmp_len2 < strlen($save_criteria) )
- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("time");
+ $save_criteria = $save_criteria.$cs->criteria['sensor']->Description();
+ $save_criteria = $save_criteria.$cs->criteria['sig']->Description();
+ $save_criteria = $save_criteria.$cs->criteria['sig_class']->Description();
+ $save_criteria = $save_criteria.$cs->criteria['sig_priority']->Description();
+ $save_criteria = $save_criteria.$cs->criteria['ag']->Description();
+ $save_criteria = $save_criteria.$cs->criteria['time']->Description();
if ( $tmp_len == strlen($save_criteria) )
$save_criteria = $save_criteria.'    any ';
@@ -519,114 +393,28 @@
IP Criteria
';
-// if ( $have_ip == 1 )
-// {
- $tmp_len = strlen($save_criteria);
- $have_criteria = 0;
- for ( $i = 0; $i < $ip_addr_cnt; $i++ )
- {
- $tmp = "";
- if ( isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" )
- {
- $tmp = $tmp.$ip_addr[$i][3];
- if ( $ip_addr[$i][4] != "" )
- {
- $tmp = $tmp.".".$ip_addr[$i][4];
- if ( $ip_addr[$i][5] != "" )
- {
- $tmp = $tmp.".".$ip_addr[$i][5];
- if ( $ip_addr[$i][6] != "" )
- {
- if ( ($ip_addr[$i][3].".".$ip_addr[$i][4].".".
- $ip_addr[$i][5].".".$ip_addr[$i][6]) == NULL_IP)
- $tmp = " unknown ";
- else
- $tmp = $tmp.".".$ip_addr[$i][6];
- }
- else
- $tmp = $tmp.'.*';
- }
- else
- $tmp = $tmp.'.*.*';
- }
- else
- $tmp = $tmp.'.*.*.*';
- }
- /* Make sure that the IP isn't blank */
- if ( $tmp != "" )
- {
- $mask = "";
- if ( $ip_addr[$i][10] != "" )
- $mask = "/".$ip_addr[$i][10];
-
- $save_criteria = $save_criteria.$ip_addr[$i][0].
- $human_fields[($ip_addr[$i][1])].' '.$ip_addr[$i][2].
- ' '.$tmp.' '.$ip_addr[$i][8].' '.$ip_addr[$i][9].$mask.
- $cs->GetClearCriteriaString("ip_addr")." ";
- }
- }
-
- $tmp_len2 = strlen($save_criteria);
- for ( $i = 0; $i < $ip_field_cnt; $i++ )
- {
- if ($ip_field[$i][1] != " " && $ip_field[$i][3] != "" )
- $save_criteria = $save_criteria.$ip_field[$i][0].$human_fields[($ip_field[$i][1])].' '.
- $ip_field[$i][2].' '.$ip_field[$i][3].$ip_field[$i][4].' '.$ip_field[$i][5];
- }
- if ( $tmp_len2 < strlen($save_criteria) )
- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("ip_field");
-
- if ( $tmp_len == strlen($save_criteria) )
- $save_criteria = $save_criteria.'    any ';
+ if ( !$cs->criteria['ip_addr']->isEmpty() || !$cs->criteria['ip_field']->isEmpty() )
+ {
+ $save_criteria = $save_criteria.$cs->criteria['ip_addr']->Description();
+ $save_criteria = $save_criteria.$cs->criteria['ip_field']->Description();
+ }
+ else
+ $save_criteria = $save_criteria.'    any ';
$save_criteria = $save_criteria.' ';
- if ( $layer4 == "TCP" )
- {
- $save_criteria = $save_criteria.'
-
- TCP Criteria
- ';
+ $save_criteria = $save_criteria.' ';
+ $save_criteria = $save_criteria.$cs->criteria['layer4']->Description();
+ $save_criteria = $save_criteria.' ';
- if ( $have_tcp == 1 )
+ if ( $cs->criteria['layer4']->Get() == "TCP" )
+ {
+ if ( !$cs->criteria['tcp_port']->isEmpty() || !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty() )
{
- $have_criteria = 0;
- for ( $i = 0; $i < $tcp_port_cnt; $i++ )
- {
- if ($tcp_port[$i][1] != " " && $tcp_port[$i][3] != "" )
- {
- $save_criteria = $save_criteria.$tcp_port[$i][0].$human_fields[($tcp_port[$i][1])].' '.
- $tcp_port[$i][2].' '.$tcp_port[$i][3].$tcp_port[$i][4].' '.$tcp_port[$i][5];
- $have_criteria++;
- }
- }
-
- if ( $have_criteria > 0 )
- $save_criteria = $save_criteria. $cs->GetClearCriteriaString("tcp_port").' ';
-
- if ( isset($tcp_flags[$i][0]) && ($tcp_flags[$i][0] != " ") && ($tcp_flags[$i][0] != "") )
- {
- $save_criteria = $save_criteria.'flags '.$tcp_flags[0].' ';
- for ( $i = 8; $i >=1; $i-- )
- if ( $tcp_flags[$i] == "" )
- $save_criteria = $save_criteria.'-';
- else
- $save_criteria = $save_criteria.$human_fields[($tcp_flags[$i])];
- $save_criteria = $save_criteria.
- $cs->GetClearCriteriaString("tcp_flags").' ';
- }
-
- $have_criteria = 0;
- for ( $i = 0; $i < $tcp_field_cnt; $i++ )
- if ($tcp_field[$i][1] != " " && $tcp_field[$i][3] != "" )
- {
- $save_criteria = $save_criteria.$tcp_field[$i][0].$human_fields[($tcp_field[$i][1])].' '.
- $tcp_field[$i][2].' '.$tcp_field[$i][3].$tcp_field[$i][4].' '.$tcp_field[$i][5];
- $have_criteria = 1;
- }
- if ( $have_criteria )
- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("tcp_field");
+ $save_criteria = $save_criteria.$cs->criteria['tcp_port']->Description();
+ $save_criteria = $save_criteria.$cs->criteria['tcp_flags']->Description();
+ $save_criteria = $save_criteria.$cs->criteria['tcp_field']->Description();
}
else
$save_criteria = $save_criteria.'    any ';
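Review bot: The Description() strings appended at L1107–L1108 and L1163–L1165 carry user-entered criteria (addresses, port values, flag selections) into $save_criteria, which this function later echoes as HTML, and nothing in the hunk shows that Description() escapes them; the removed loops concatenated the raw values, so the output-encoding problem has moved into the CriteriaState classes rather than been fixed. Confirm each Description() implementation passes its values through htmlspecialchars() and record the contract at the top of this section: `/* Description() output is echoed as HTML: every criteria value it returns must be HTML-escaped */`. Note also that the layer4 Description() at L1120 is appended unconditionally while every other criterion is guarded by isEmpty(); that is harmless only if Description() returns "" for an unset layer4. The enclosing function starts outside this hunk.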
@@ -634,43 +422,12 @@
$save_criteria = $save_criteria.' ';
}
- else if ( $layer4 == "UDP" )
+ else if ( $cs->criteria['layer4']->Get() == "UDP" )
{
- $save_criteria = $save_criteria.'
-
- UDP Criteria
- ';
-
- if ( $have_udp == 1 )
+ if ( !$cs->criteria['udp_port']->isEmpty() || !$cs->criteria['udp_field']->isEmpty() )
{
-
- $have_criteria = 0;
- for ( $i = 0; $i < $udp_port_cnt; $i++ )
- {
- if ($udp_port[$i][1] != " " && $udp_port[$i][3] != "" )
- {
- $save_criteria = $save_criteria.$udp_port[$i][0].$human_fields[($udp_port[$i][1])].' '.
- $udp_port[$i][2].' '.$udp_port[$i][3].$udp_port[$i][4].' '.$udp_port[$i][5];
- $have_criteria = 1;
- }
- }
-
- if ($have_criteria)
- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("udp_port").' ';
-
- $have_criteria = 0;
- for ( $i = 0; $i < $udp_field_cnt; $i++ )
- {
- if ($udp_field[$i][1] != " " && $udp_field[$i][3] != "" )
- {
- $save_criteria = $save_criteria.$udp_field[$i][0].$human_fields[($udp_field[$i][1])].' '.
- $udp_field[$i][2].' '.$udp_field[$i][3].$udp_field[$i][4].' '.$udp_field[$i][5];
- $have_criteria = 1;
- }
- }
-
- if ( $have_criteria )
- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("udp_field");
+ $save_criteria = $save_criteria.$cs->criteria['udp_port']->Description();
+ $save_criteria = $save_criteria.$cs->criteria['udp_field']->Description();
}
else
$save_criteria = $save_criteria.'    any ';
@@ -678,36 +435,20 @@
$save_criteria = $save_criteria.' ';
}
- else if ( $layer4 == "ICMP" )
+ else if ( $cs->criteria['layer4']->Get() == "ICMP" )
{
- $save_criteria = $save_criteria.'
-
- ICMP Criteria
- ';
-
- if ( $have_icmp == 1 )
+ if ( !$cs->criteria['icmp_field']->isEmpty() )
{
- for ( $i = 0; $i < $icmp_field_cnt; $i++ )
- {
- if ($icmp_field[$i][1] != " " && $icmp_field[$i][3] != "" )
- $save_criteria = $save_criteria.$icmp_field[$i][0].$human_fields[($icmp_field[$i][1])].' '.
- $icmp_field[$i][2].' '.$icmp_field[$i][3].$icmp_field[$i][4].' '.$icmp_field[$i][5];
- }
-
- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("icmp_field");
+ $save_criteria = $save_criteria.$cs->criteria['icmp_field']->Description();
}
else
$save_criteria = $save_criteria.'    any ';
$save_criteria = $save_criteria.' ';
}
-
else
{
- $save_criteria = $save_criteria.'
-
- Layer 4 Criteria
-    none ';
+ $save_criteria = $save_criteria.'    none ';
}
/* Payload ************** */
@@ -715,26 +456,9 @@
Payload Criteria
';
- if ( $have_data == 1 )
- {
- if ( $data_encode[0] != " " && $data_encode[1] != " ")
- {
- $save_criteria = $save_criteria.' (data encoded as '.$data_encode[0];
- $save_criteria = $save_criteria.' => '.$data_encode[1];
- $save_criteria = $save_criteria.') ';
- }
- else
- $save_criteria = $save_criteria.' (no data conversion, assuming criteria in DB native encoding) ';
-
- for ( $i = 0; $i < $data_cnt; $i++ )
- {
- if ($data[$i][1] != " " && $data[$i][2] != "" )
- $save_criteria = $save_criteria.$data[$i][0].$data[$i][1].' "'.$data[$i][2].
- '" '.$data[$i][3].' '.$data[$i][4];
- }
-
- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("data");
- }
+
+ if ( !$cs->criteria['data']->isEmpty() )
+ $save_criteria = $save_criteria.$cs->criteria['data']->Description();
else
$save_criteria = $save_criteria.'    any ';
@@ -758,20 +482,13 @@
' '.
'
';
-
echo $save_criteria;
}
/********************************************************************************************/
function ProcessCriteria()
{
- GLOBAL $db, $time, $time_cnt, $sig, $sig_type, $sig_class, $sensor, $ag,
- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
- $icmp_field, $icmp_field_cnt,
- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
- $layer4, $data, $data_cnt, $data_encode, $save_criteria,
+ GLOBAL $db,
$join_sql, $where_sql, $criteria_sql, $sql, $debug_mode,
$caller, $DBtype;
@@ -794,10 +511,43 @@
/* ********************** Meta Criteria ******************************************** */
+ /* XXX-SEC */
+ GLOBAL $cs;
+
+ $sig = $cs->criteria['sig']->criteria;
+ $sig_type = $cs->criteria['sig']->sig_type;
+ $sig_class = $cs->criteria['sig_class']->criteria;
+ $sig_priority = $cs->criteria['sig_priority']->criteria;
+ $ag = $cs->criteria['ag']->criteria;
+ $sensor = $cs->criteria['sensor']->criteria;
+ $time = $cs->criteria['time']->criteria;
+ $time_cnt = $cs->criteria['time']->GetFormItemCnt();
+ $ip_addr = $cs->criteria['ip_addr']->criteria;
+ $ip_addr_cnt = $cs->criteria['ip_addr']->GetFormItemCnt();
+ $layer4 = $cs->criteria['layer4']->criteria;
+ $ip_field = $cs->criteria['ip_field']->criteria;
+ $ip_field_cnt = $cs->criteria['ip_field']->GetFormItemCnt();
+ $tcp_port = $cs->criteria['tcp_port']->criteria;
+ $tcp_port_cnt = $cs->criteria['tcp_port']->GetFormItemCnt();
+ $tcp_flags = $cs->criteria['tcp_flags']->criteria;
+ $tcp_field = $cs->criteria['tcp_field']->criteria;
+ $tcp_field_cnt = $cs->criteria['tcp_field']->GetFormItemCnt();
+ $udp_port = $cs->criteria['udp_port']->criteria;
+ $udp_port_cnt = $cs->criteria['udp_port']->GetFormItemCnt();
+ $udp_field = $cs->criteria['udp_field']->criteria;
+ $udp_field_cnt = $cs->criteria['udp_field']->GetFormItemCnt();
+ $icmp_field = $cs->criteria['icmp_field']->criteria;
+ $icmp_field_cnt= $cs->criteria['icmp_field']->GetFormItemCnt();
+ $data = $cs->criteria['data']->criteria;
+ $data_cnt = $cs->criteria['data']->GetFormItemCnt();
+ $data_encode = $cs->criteria['data']->data_encode;
+
$tmp_meta = "";
/* Sensor */
if ( $sensor != "" && $sensor != " " )
- $tmp_meta = $tmp_meta." AND acid_event.sid=".$sensor;
+ $tmp_meta = $tmp_meta." AND acid_event.sid='".$sensor."'";
+ else
+ $cs->criteria['sensor']->Set("");
/* Alert Group */
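Review bot: Wrapping $sensor in single quotes at L1339 does not make the clause injection-safe: the value comes from the criteria state (L1312), which appears to originate from the query form, and a value containing a quote still terminates the literal. Since acid_event.sid is an integer id, validate rather than quote it — `if ( $sensor != "" && $sensor != " " && is_numeric($sensor) )` — so that anything else falls into the existing `else` branch and is cleared with Set(""), matching how an unknown layer4 is dropped later in this function. The `/* XXX-SEC */` marker at L1304 introduces a mid-function `GLOBAL $cs;` without saying what the concern is; either resolve it or expand it, e.g. `/* XXX-SEC: $cs holds form-derived criteria; every value read below is untrusted and must be validated before it reaches SQL */`. ProcessCriteria() continues past the end of this hunk.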
if ( $ag != "" && $ag != " " )
@@ -805,9 +555,11 @@
$tmp_meta = $tmp_meta." AND ag_id =".$ag;
$join_sql = $join_sql.$ag_join_sql;
}
+ else
+ $cs->criteria['ag']->Set("");
/* Signature */
- if ( $sig[0] != " " && $sig[0] != "" && $sig[1] != "" )
+ if ( (isset($sig[0]) && $sig[0] != " " && $sig[0] != "") && (isset($sig[1]) && $sig[1] != "") )
{
$sig_neg = "";
if ( $sig[2] == "!=" )
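Review bot: The isset() guards added at L1352 cover $sig[0] and $sig[1] only, yet the very next line reads $sig[2] unguarded; extend the guard, `if ( isset($sig[2]) && $sig[2] == "!=" )`, or default it before the comparison. The alert-group clause at L1345 is also left as a bare concatenation of $ag with neither quoting nor a numeric check, unlike the sid clause changed in this same commit; adding `is_numeric($ag)` to its condition would close that gap. The signature branch continues beyond the hunk.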
@@ -839,35 +591,44 @@
$tmp_meta = $tmp_meta." AND ".$sig_neg." (signature LIKE '%".$sig[1]."%') ";
}
}
+ else
+ $cs->criteria['sig']->Set("");
/* Signature Classification */
if ( $sig_class != " " && $sig_class != "" && $sig_class != "0")
{
- $tmp_meta = $tmp_meta." AND sig_class_id = ".$sig_class;
+ $tmp_meta = $tmp_meta." AND sig_class_id = '".$sig_class."'";
}
else if ($sig_class == "0")
{
- $tmp_meta = $tmp_meta." AND (sig_class_id is null OR sig_class_id = 0)";
+ $tmp_meta = $tmp_meta." AND (sig_class_id is null OR sig_class_id = '0')";
}
+ else
+ $cs->criteria['sig_class']->Set("");
- /* Date/Time */
- DateTimeRows2sql($time, $time_cnt, $tmp_meta);
-
- if ( $tmp_meta != "" )
+ /* Signature Priority */
+ if ( $sig_priority[1] != " " && $sig_priority[1] != "" && $sig_priority[1] != "0")
+ {
+ $tmp_meta = $tmp_meta." AND sig_priority ".$sig_priority[0]." '".$sig_priority[1]."'";
+ }
+ else if ($sig_priority[1] == "0")
{
- $have_meta = 1;
- $criteria_sql = $criteria_sql.$tmp_meta;
+ $tmp_meta = $tmp_meta." AND (sig_priority is null OR sig_priority = '0')";
}
else
- $have_meta = 0;
+ $cs->criteria['sig_priority']->Set("");
- /* ********************** IP Criteria ********************************************** */
+ /* Date/Time */
+ if ( DateTimeRows2sql($time, $time_cnt, $tmp_meta) == 0 )
+ $cs->criteria['time']->SetFormItemCnt(0);
- // $tmp_cnt = strlen($criteria_sql);
+ $criteria_sql = $criteria_sql.$tmp_meta;
+
+ /* ********************** IP Criteria ********************************************** */
/* IP Addresses */
$tmp2 = "";
-
+
for ( $i = 0; $i < $ip_addr_cnt; $i++ )
{
$tmp = "";
@@ -888,11 +649,11 @@
{
if ( $ip_addr[$i][10] == "" )
{
- $tmp = $tmp." acid_event.".$ip_addr[$i][1].$ip_addr[$i][2].
+ $tmp = $tmp." acid_event.".$ip_addr[$i][1].$ip_addr[$i][2]."'".
acidIP2Long($ip_addr[$i][3].".".
$ip_addr[$i][4].".".
$ip_addr[$i][5].".".
- $ip_addr[$i][6])." ";
+ $ip_addr[$i][6])."' ";
}
else
{
@@ -905,10 +666,10 @@
else
$tmp_op = "";
- $tmp = $tmp.$tmp_op." (acid_event.".$ip_addr[$i][1].">=".
- acidIP2Long($mask[0])." AND ".
- "acid_event.".$ip_addr[$i][1]."<=".
- acidIP2Long($mask[1]).")";
+ $tmp = $tmp.$tmp_op." (acid_event.".$ip_addr[$i][1].">= '".
+ acidIP2Long($mask[0])."' AND ".
+ "acid_event.".$ip_addr[$i][1]."<= '".
+ acidIP2Long($mask[1])."')";
}
}
}
@@ -923,8 +684,9 @@
else
$tmp = "(".$tmp_src.') AND ('.$tmp_dst.')';
}
-
- $tmp = $ip_addr[$i][0]."(".$tmp.")".$ip_addr[$i][8].$ip_addr[$i][9];
+
+ if ( $tmp != "" )
+ $tmp = $ip_addr[$i][0]."(".$tmp.")".$ip_addr[$i][8].$ip_addr[$i][9];
}
else if ( (isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" ) || $ip_addr[$i][1] != " " )
{
@@ -959,42 +721,38 @@
if ( $tmp2 != "" )
$criteria_sql = $criteria_sql." AND ( ".$tmp2." )";
-
- $tmp_cnt = strlen($criteria_sql);
+ else
+ $cs->criteria['ip_addr']->SetFormItemCnt(0);
/* IP Fields */
- FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql);
-
- if ( $tmp_cnt != strlen($criteria_sql) )
- $have_ip = 1;
- else
- $have_ip = 0;
+ if ( FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql) == 0 )
+ $cs->criteria['ip_field']->SetFormItemCnt(0);
/* Layer-4 encapsulation */
- /* if ( $caller != "" $caller == "" ||
- $caller == "last_tcp" || $caller == "last_udp" || $caller == "last_icmp" ) */
- if ( $layer4 == "TCP" )
- $criteria_sql = $criteria_sql." AND acid_event.ip_proto= 6";
- else if ( $layer4 == "UDP" )
- $criteria_sql = $criteria_sql." AND acid_event.ip_proto= 17";
- else if ( $layer4 == "ICMP" )
- $criteria_sql = $criteria_sql." AND acid_event.ip_proto= 1";
+ if ( $layer4 == "TCP" )
+ $criteria_sql = $criteria_sql." AND acid_event.ip_proto= '6'";
+ else if ( $layer4 == "UDP" )
+ $criteria_sql = $criteria_sql." AND acid_event.ip_proto= '17'";
+ else if ( $layer4 == "ICMP" )
+ $criteria_sql = $criteria_sql." AND acid_event.ip_proto= '1'";
+ else
+ $cs->criteria['layer4']->Set("");
- /* Build the final IP criteria */
- if ( $have_ip == 1 )
+ /* Join the iphdr table if necessary */
+ if ( !$cs->criteria['ip_field']->isEmpty() )
$join_sql = $ip_join_sql.$join_sql;
/* ********************** TCP Criteria ********************************************** */
if ( $layer4 == "TCP" )
{
- $have_tcp = 0;
$proto_tmp = "";
/* TCP Ports */
- FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp);
- if ( $proto_tmp != "" ) $have_tcp = 1;
+ if ( FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp) == 0 )
+ $cs->criteria['tcp_port']->SetFormItemCnt(0);
+
$criteria_sql = $criteria_sql.$proto_tmp;
+
$proto_tmp = "";
-
/* TCP Flags */
if ( isset($tcp_flags) )
{
@@ -1012,17 +770,18 @@
}
/* TCP Fields */
- FieldRows2sql($tcp_field, $tcp_field_cnt, $proto_tmp);
+ if ( FieldRows2sql($tcp_field, $tcp_field_cnt, $proto_tmp) == 0 )
+ $cs->criteria['tcp_field']->SetFormItemCnt(0);
/* TCP Options
* - not implemented
*/
- if ( $proto_tmp != "" )
+ if ( !$cs->criteria['tcp_port']->isEmpty() || !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty() )
{
- $have_tcp = 1;
$criteria_sql = $criteria_sql.$proto_tmp;
- $join_sql = $tcp_join_sql.$join_sql;
+ if ( !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty() )
+ $join_sql = $tcp_join_sql.$join_sql;
}
}
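Review bot: The tcphdr join at L1519–L1520 is now added only when flags or fields are set, while the port clause that FieldRows2sql() produced for tcp_port (appended to $criteria_sql in the preceding hunk) is kept regardless; that is correct only if the port rows reference acid_event.layer4_sport/layer4_dport rather than tcphdr columns, which is not visible here (acid_qry_sqlcalls.php further down does read layer4_sport from acid_event, so it is plausible). Confirm FieldRows2sql() emits the acid_event columns for port rows and say so next to the join condition: `/* tcp_port rows compare acid_event.layer4_*port, so only flags/fields need the tcphdr join */`. The enclosing `if ( $layer4 == "TCP" )` block starts outside the hunk.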
@@ -1030,22 +789,23 @@
if ( $layer4 == "UDP" )
{
$proto_tmp = "";
- $have_udp = 0;
/* UDP Ports */
- FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp);
- if ( $proto_tmp != "" ) $have_udp = 1;
+ if ( FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp) == 0 )
+ $cs->criteria['udp_port']->SetFormItemCnt(0);
+
$criteria_sql = $criteria_sql.$proto_tmp;
$proto_tmp = "";
/* UDP Fields */
- FieldRows2sql($udp_field, $udp_field_cnt, $proto_tmp);
+ if ( FieldRows2sql($udp_field, $udp_field_cnt, $proto_tmp) == 0 )
+ $cs->criteria['udp_field']->SetFormItemCnt(0);
- if ( $proto_tmp != "" )
+ if ( !$cs->criteria['udp_port']->isEmpty() || !$cs->criteria['udp_field']->isEmpty() )
{
- $have_udp = 1;
$criteria_sql = $criteria_sql.$proto_tmp;
- $join_sql = $udp_join_sql.$join_sql;
+ if ( !$cs->criteria['udp_field']->isEmpty() )
+ $join_sql = $udp_join_sql.$join_sql;
}
}
@@ -1053,33 +813,30 @@
if ( $layer4 == "ICMP" )
{
$proto_tmp = "";
+
/* ICMP Fields */
- FieldRows2sql($icmp_field, $icmp_field_cnt, $proto_tmp);
+ if ( FieldRows2sql($icmp_field, $icmp_field_cnt, $proto_tmp) == 0 )
+ $cs->criteria['icmp_field']->SetFormItemCnt(0);
- if ( $proto_tmp != "" )
+ if ( !$cs->criteria['icmp_field']->isEmpty() )
{
- $have_icmp = 1;
$criteria_sql = $criteria_sql.$proto_tmp;
$join_sql = $icmp_join_sql.$join_sql;
}
- else
- $have_icmp = 0;
}
/* ********************** Payload Criteria ***************************************** */
$tmp_payload = "";
- DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload);
+ if ( DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload) == 0 )
+ $cs->criteria['data']->SetFormItemCnt(0);
- if ( $tmp_payload != "" )
+ if ( !$cs->criteria['data']->isEmpty() )
{
- $have_data = 1;
$criteria_sql = $criteria_sql.$tmp_payload;
$join_sql = $data_join_sql.$join_sql;
}
- else
- $have_data = 0;
-
+
$csql[0] = $join_sql;
$csql[1] = $criteria_sql;
diff -Naur acid/acid_qry_form.php acidfp/acid_qry_form.php
--- acid/acid_qry_form.php 2002-03-03 18:02:44.000000000 -0500
+++ acidfp/acid_qry_form.php 2003-12-17 14:16:39.000000000 -0500
@@ -4,40 +4,40 @@
*
* Author: Roman Danyliw ,
*
- * Copyright (C) 2000, 2001 Carnegie Mellon University
+ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
* Purpose: renders the HTML form to gather search criteria
*
*/
-if ( $submit == "TCP" ) { $layer4 = "TCP"; }
-if ( $submit == "UDP" ) { $layer4 = "UDP"; }
-if ( $submit == "ICMP" ) { $layer4 = "ICMP"; }
-if ( $submit == "no layer4" ) { $layer4 = ""; }
-
-if ( $submit == "ADD Time" && $time_cnt < $MAX_ROWS)
- AddCriteriaFormRow($submit, $layer4, $time_cnt, $time, TIME_CFCNT);
-if ( $submit == "ADD Addr" && $ip_addr_cnt < $MAX_ROWS)
- AddCriteriaFormRow($submit, $layer4, $ip_addr_cnt, $ip_addr, IPADDR_CFCNT);
-if ( $submit == "ADD IP Field" && $ip_field_cnt < $MAX_ROWS)
- AddCriteriaFormRow($submit, $layer4, $ip_field_cnt, $ip_field, PROTO_CFCNT);
+if ( $submit == "TCP" ) { $cs->criteria['layer4']->Set("TCP"); }
+if ( $submit == "UDP" ) { $cs->criteria['layer4']->Set("UDP"); }
+if ( $submit == "ICMP" ) { $cs->criteria['layer4']->Set("ICMP"); }
+if ( $submit == "no layer4" ) { $cs->criteria['layer4']->Set(""); }
+
+if ( $submit == "ADD Time" && $cs->criteria['time']->GetFormItemCnt() < $MAX_ROWS)
+ $cs->criteria['time']->AddFormItem($submit, $cs->criteria['layer4']->Get());
+if ( $submit == "ADD Addr" && $cs->criteria['ip_addr']->GetFormItemCnt() < $MAX_ROWS)
+ $cs->criteria['ip_addr']->AddFormItem($submit, $cs->criteria['layer4']->Get());
+if ( $submit == "ADD IP Field" && $cs->criteria['ip_field']->GetFormItemCnt() < $MAX_ROWS)
+ $cs->criteria['ip_field']->AddFormItem($submit, $cs->criteria['layer4']->Get());
/*if ( $submit == "ADD IP Option Field" && $ip_opt_cnt < $MAX_ROWS)
{ $submit = $layer4; $ip_opt_cnt++; }*/
-if ( $submit == "ADD TCP Port" && $tcp_port_cnt < $MAX_ROWS)
- AddCriteriaFormRow($submit, $layer4, $tcp_port_cnt, $tcp_port, TCPPORT_CFCNT);
-if ( $submit == "ADD TCP Field" && $tcp_field_cnt < $MAX_ROWS)
- AddCriteriaFormRow($submit, $layer4, $tcp_field_cnt, $tcp_field, PROTO_CFCNT);
+if ( $submit == "ADD TCP Port" && $cs->criteria['tcp_port']->GetFormItemCnt() < $MAX_ROWS)
+ $cs->criteria['tcp_port']->AddFormItem($submit, $cs->criteria['layer4']->Get());
+if ( $submit == "ADD TCP Field" && $cs->criteria['tcp_field']->GetFormItemCnt() < $MAX_ROWS)
+ $cs->criteria['tcp_field']->AddFormItem($submit, $cs->criteria['layer4']->Get());
/*if ( $submit == "ADD TCP Option Field" && $tcp_opt_cnt < $MAX_ROWS)
{ $submit = $layer4; $tcp_opt_cnt++; } */
-if ( $submit == "ADD UDP Port" && $udp_port_cnt < $MAX_ROWS)
- AddCriteriaFormRow($submit, $layer4, $udp_port_cnt, $udp_port, PROTO_CFCNT);
-if ( $submit == "ADD UDP Field" && $udp_field_cnt < $MAX_ROWS)
- AddCriteriaFormRow($submit, $layer4, $udp_field_cnt, $udp_field, PROTO_CFCNT);
-if ( $submit == "ADD ICMP Field" && $icmp_field_cnt < $MAX_ROWS)
- AddCriteriaFormRow($submit, $layer4, $icmp_field_cnt, $icmp_field, PROTO_CFCNT);
-if ( $submit == "ADD Payload" && $data_cnt < $MAX_ROWS)
- AddCriteriaFormRow($submit, $layer4, $data_cnt, $data, PAYLOAD_CFCNT);
+if ( $submit == "ADD UDP Port" && $cs->criteria['udp_port']->GetFormItemCnt() < $MAX_ROWS)
+ $cs->criteria['udp_port']->AddFormItem($submit, $cs->criteria['layer4']->Get());
+if ( $submit == "ADD UDP Field" && $cs->criteria['udp_field']->GetFormItemCnt() < $MAX_ROWS)
+ $cs->criteria['udp_field']->AddFormItem($submit, $cs->criteria['layer4']->Get());
+if ( $submit == "ADD ICMP Field" && $cs->criteria['icmp_field']->GetFormItemCnt() < $MAX_ROWS)
+ $cs->criteria['icmp_field']->AddFormItem($submit, $cs->criteria['layer4']->Get());
+if ( $submit == "ADD Payload" && $cs->criteria['data']->GetFormItemCnt() < $MAX_ROWS)
+ $cs->criteria['data']->AddFormItem($submit, $cs->criteria['layer4']->Get());
echo '
@@ -50,93 +50,25 @@
';
@@ -208,73 +93,13 @@
';
-if ( $layer4 == "TCP" )
+if ( $cs->criteria['layer4']->Get() == "TCP" )
{
echo '
@@ -344,79 +152,16 @@
echo 'Port: ';
echo ' ';
- for ( $i = 0; $i < $tcp_port_cnt; $i++ )
- {
- echo ' __';
- echo ' ( ';
- echo ' { port }';
- echo ' Source';
- echo ' Dest ';
- echo ' =';
- echo ' !=';
- echo ' <';
- echo ' <=';
- echo ' "). '>>';
- echo ' =").'>>= ';
- echo ' ';
- echo ' __';
- echo ' (';
- echo ' ) ';
- echo ' __';
- echo ' OR';
- echo ' AND ';
- if ( $i == $tcp_port_cnt-1 )
- echo ' ';
- echo ' ';
- }
+ $cs->criteria['tcp_port']->PrintForm();
echo '
Flags: ';
- echo '{ flags }';
- echo ' is';
- echo ' contains ';
- echo ' ';
- echo ' [RSV1]  ';
- echo ' [RSV0]  ';
- echo ' [URG]  ';
- echo ' [ACK]  ';
- echo ' [PSH]  ';
- echo ' [RST]  ';
- echo ' [SYN]  ';
- echo ' [FIN]  ';
- echo ' ';
+ $cs->criteria['tcp_flags']->PrintForm();
echo ' Misc: ';
echo ' ';
- for ( $i = 0; $i < $tcp_field_cnt; $i++ )
- {
- echo ' __';
- echo ' ( ';
- echo ' { field }';
- echo ' seq #';
- echo ' ack';
- echo ' offset';
- echo ' res';
- echo ' window';
- echo ' chksum';
- echo ' urp ';
- echo ' =';
- echo ' !=';
- echo ' <';
- echo ' <=';
- echo ' "). '>>';
- echo ' =").'>>= ';
- echo ' ';
- echo ' __';
- echo ' (';
- echo ' ) ';
- echo ' __';
- echo ' OR';
- echo ' AND ';
- if ( $i == $tcp_field_cnt-1 )
- echo ' ';
- echo ' ';
- }
+ $cs->criteria['tcp_field']->PrintForm();
/* echo ' Option: ';
echo ' ';
@@ -449,7 +194,7 @@
';
}
-if ( $layer4 == "UDP" )
+if ( $cs->criteria['layer4']->Get() == "UDP" )
{
echo '
@@ -464,64 +209,17 @@
echo 'Port: ';
echo ' ';
- for ( $i = 0; $i < $udp_port_cnt; $i++ )
- {
- echo ' __';
- echo ' ( ';
- echo ' { port }';
- echo ' Source';
- echo ' Dest ';
- echo ' =';
- echo ' !=';
- echo ' <';
- echo ' <=';
- echo ' "). '>>';
- echo ' =").'>>= ';
- echo ' ';
- echo ' __';
- echo ' (';
- echo ' ) ';
- echo ' __';
- echo ' OR';
- echo ' AND ';
- if ( $i == $udp_port_cnt-1 )
- echo ' ';
- echo ' ';
- }
+ $cs->criteria['udp_port']->PrintForm();
echo ' Misc: ';
echo ' ';
- for ( $i = 0; $i < $udp_field_cnt; $i++ )
- {
- echo ' __';
- echo ' ( ';
- echo ' { field }';
- echo ' length';
- echo ' chksum ';
- echo ' =';
- echo ' !=';
- echo ' <';
- echo ' <=';
- echo ' "). '>>';
- echo ' =").'>>= ';
- echo ' ';
- echo ' __';
- echo ' (';
- echo ' ) ';
- echo ' __';
- echo ' OR';
- echo ' AND ';
- if ( $i == $udp_field_cnt-1 )
- echo ' ';
- echo ' ';
- }
-
+ $cs->criteria['udp_field']->PrintForm();
echo'
';
}
-if ( $layer4 == "ICMP" )
+if ( $cs->criteria['layer4']->Get() == "ICMP" )
{
echo '
@@ -537,35 +235,7 @@
echo ' Misc: ';
echo ' ';
- for ( $i = 0; $i < $icmp_field_cnt; $i++ )
- {
- echo ' __';
- echo ' ( ';
- echo '
- { field }';
- echo ' type';
- echo ' code';
- echo ' id';
- echo ' seq #';
- echo ' chksum ';
- echo '
- =';
- echo ' !=';
- echo ' <';
- echo ' <=';
- echo ' "). '>>';
- echo ' =").'>>= ';
- echo ' ';
- echo ' __';
- echo ' (';
- echo ' ) ';
- echo ' __';
- echo ' OR';
- echo ' AND ';
- if ( $i == $icmp_field_cnt-1 )
- echo ' ';
- echo ' ';
- }
+ $cs->criteria['icmp_field']->PrintForm();
echo '
';
}
@@ -581,37 +251,9 @@
';
diff -Naur acid/acid_qry_main.php acidfp/acid_qry_main.php
--- acid/acid_qry_main.php 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_qry_main.php 2003-12-17 14:17:10.000000000 -0500
@@ -4,7 +4,7 @@
*
* Author: Roman Danyliw ,
*
- * Copyright (C) 2000, 2001 Carnegie Mellon University
+ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
* Purpose:
@@ -50,109 +50,6 @@
*
* $sort_order: how to sort the output
*
- * Meta
- * ====
- *
- * $ag: AG ID
- *
- * $sensor: sensor ID
- *
- * $sig[3]: stores signature
- * - [0] : exactly, roughly [1] : signature
- * - [2] : =, !=
- *
- * $sig_class: signature classification
- *
- * $time[MAX][10]: stores the date/time of the packet detection
- * - [][0] : ( [][5] : hour
- * - [][1] : =, !=, <, <=, >, >= [][6] : minute
- * - [][2] : month [][7] : second
- * - [][3] : day [][8] : (, )
- * - [][4] : year [][9] : AND, OR
- *
- * $time_cnt : number of rows in the $time[][] structure
- *
- * IP Variables
- * ============
- *
- * $ip_addr[MAX][10]: stores an ip address parameters/operators row
- * - [][0] : ( [][5] : octet3 of address
- * - [][1] : source, dest [][6] : octet4 of address
- * - [][2] : =, != [][7] : network mask
- * - [][3] : octet1 of address [][8] : (, )
- * - [][4] : octet2 of address [][9] : AND, OR
- *
- * $ip_addr_cnt: number of rows in the $ip_addr[][] structure
- *
- * $ip_field[MAX][6]: stores all other ip fields parameters/operators row
- * - [][0] : ( [][3] : field value
- * - [][1] : TOS, TTL, ID, offset, length [][4] : (, )
- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
- *
- * $ip_field_cnt: number of rows in the $ip_field[][] structure
- *
- * TCP Variables
- * =============
- *
- * $tcp_port[MAX][6]: stores all port parameters/operators row
- * - [][0] : ( [][3] : port value
- * - [][1] : Source Port, Dest Port [][4] : (, )
- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
- *
- * $tcp_port_cnt: number of rows in the $tcp_port[][] structure
- *
- * $tcp_flags[7]: stores all other tcp flags parameters/operators row
- * - [0] : is, contains [4] : 8 (RST)
- * - [1] : 1 (FIN) [5] : 16 (ACK)
- * - [2] : 2 (SYN) [6] : 32 (URG)
- * - [3] : 4 (PUSH)
- *
- * $tcp_field[MAX][6]: stores all other tcp fields parameters/operators row
- * - [][0] : ( [][3] : field value
- * - [][1] : windows, URP [][4] : (, )
- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
- *
- * $tcp_field_cnt: number of rows in the $tcp_field[][] structure
- *
- * UDP Variables
- * =============
- *
- * $udp_port[MAX][6]: stores all port parameters/operators row
- * - [][0] : ( [][3] : port value
- * - [][1] : Source Port, Dest Port [][4] : (, )
- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
- *
- * $udp_port_cnt: number of rows in the $udp_port[][] structure
- *
- * $udp_field[MAX][6]: stores all other udp fields parameters/operators row
- * - [][0] : ( [][3] : field value
- * - [][1] : length [][4] : (, )
- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
- *
- * $udp_field_cnt: number of rows in the $udp_field[][] structure
- *
- * ICMP Variables
- * ==============
- * $icmp_field[MAX][6]: stores all other icmp fields parameters/operators row
- * - [][0] : ( [][3] : field value
- * - [][1] : code, length [][4] : (, )
- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
- *
- * $icmp_field_cnt: number of rows in the $icmp_field[][] structure
- *
- * Payload Variables
- * =================
- * $data_encode[2]: how the payload should be interpreted and converted
- * - [0] : encoding type (hex, ascii)
- * - [1] : conversion type (hex, ascii)
- *
- * $data[MAX][5]: stores all the payload related parameters/operators row
- * - [][0] : ( [][3] : (, )
- * - [][1] : =, != [][4] : AND, OR
- * - [][2] : field value
- *
- * $data_cnt: number of rows in the $data[][] structure
- *
* ----- Search Result Variables ----
* $action_chk_lst[]: array of check boxes to determine if an alert
* was selected for action
@@ -173,18 +70,16 @@
$et = new EventTiming($debug_time_mode);
$cs = new CriteriaState("acid_qry_main.php", "&new=1&submit=Query+DB");
- $new = ImportHTTPVar("new");
+ $new = ImportHTTPVar("new", VAR_DIGIT);
$submit = ImportHTTPVar("submit");
- $layer4 = ImportHTTPVar("layer4");
-/* Code to correct 'interesting' (read: unexplained) browser behavior
- */
+/* Code to correct 'interesting' (read: unexplained) browser behavior */
/* Something with Netscape 4.75 such that the $submit variable is no recognized
* under certain circumstances. This one is a result of using HTTPS and
* clicking on TCP traffic profile from acid_main.php
*/
-if ( $layer4 != "" && $submit == "" )
+if ( $cs->criteria['layer4']->Get() != "" && $submit == "" )
$submit = "Query DB";
/* End 'interesting' browser code fixes */
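Review bot: $new is now restricted with VAR_DIGIT at L1972, but $submit on the following line is still imported with no type restriction even though it is only ever compared against a fixed set of button labels and is handed to $qs->RunAction() and the AddFormItem() calls; giving it the same treatment — whichever ImportHTTPVar class admits letters and spaces, or an explicit in_array() against the known labels with an else that blanks it — keeps the two consistent and limits what reaches the action dispatcher. The meaning of VAR_DIGIT is inferred from its name and should be checked against its definition.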
@@ -192,42 +87,10 @@
/* Totally new Search */
if ( ($new == 1) && ($submit == "") )
{
- /* Read the state to import the history */
- $cs->ReadState();
-
- /*
- * Save the variables associated with keeping history,
- * or they will be deleted in the InitState() call
- */
- $save_back_list = $GLOBALS['back_list'];
- $save_back_list_cnt = $GLOBALS['back_list_cnt'];
-
$cs->InitState();
-
- /* Restore the history variables */
- $back_list = $save_back_list;
- $back_list_cnt = $save_back_list_cnt;
-
- $time_cnt = 1;
- $ip_addr_cnt = 1;
- $ip_field_cnt = 1;
- $tcp_port_cnt = 1;
- $tcp_field_cnt = 1;
- $udp_port_cnt = 1;
- $udp_field_cnt = 1;
- $icmp_field_cnt = 1;
- $data_cnt = 1;
- $layer4 = "";
}
- /* if scrolling between pages read the session */
- /* if access the first query result page from the criteria specification
- * then read the session and migrate the POST variables into the session
- */
- else
- {
- $cs->ReadState();
- }
+ $cs->ReadState();
$qs = new QueryState();
$qs->AddCannedQuery("last_tcp", $last_num_alerts, "Last TCP", "time_d");
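Review bot: The removed code deliberately saved $back_list/$back_list_cnt around InitState() so the navigation history survived a new search, and the replacement at L2000/L2025 calls InitState() and then ReadState() with no equivalent; unless InitState() now preserves those entries itself (not visible here), starting a new query wipes the history. Confirm the behaviour and record the intent next to the call, `/* InitState() must keep back_list/back_list_cnt; the history is reloaded by ReadState() below */`, or restore the save/restore around InitState().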
@@ -277,7 +140,7 @@
if ( $submit == "Query DB" ||
$submit == "Selected" || $submit == "ALL on Screen" || $submit == "Entire Query" ||
$qs->isCannedQuery() ||
- $sort_order != "" )
+ $qs->GetCurrentSort() != "" )
{
/* Init and run the action */
$criteria_clauses = ProcessCriteria();
@@ -287,6 +150,7 @@
$qs->AddValidAction("ag_by_id");
$qs->AddValidAction("ag_by_name");
+ $qs->AddValidAction("add_new_ag");
$qs->AddValidAction("del_alert");
$qs->AddValidAction("email_alert");
$qs->AddValidAction("email_alert2");
@@ -298,13 +162,14 @@
$qs->AddValidActionOp("ALL on Screen");
$qs->AddValidActionOp("Entire Query");
- $qs->SetActionSQL("SELECT acid_event.sid, acid_event.cid $from $where");
+ $qs->SetActionSQL("SELECT acid_event.sid, acid_event.cid $from $where");
$et->Mark("Initialization");
$qs->RunAction($submit, PAGE_QRY_ALERTS, $db);
$et->Mark("Alert Action");
if ( $debug_mode > 0 ) ErrorMessage("Initial/Canned Query or Sort Clicked");
+
include("acid_qry_sqlcalls.php");
}
/* Return the input form to get more criteria from user */
@@ -313,32 +178,6 @@
include("acid_qry_form.php");
}
-/* Stores the neccessary variables for shared state between calls */
-
-/* These variables will ultimately be stored in the session, but are
- * temporarily required while criteria is being entered in the form
- */
-//if ( ($HTTP_POST_VARS["new"] == 1) || ($HTTP_GET_VARS["new"] == 1) )
-if ( $new == 1 )
-{
- echo ' ';
- echo ' ';
- echo ' ';
- echo ' ';
- echo ' ';
- echo ' ';
- echo ' ';
- echo ' ';
- echo ' ';
-}
-
-echo '
-
-
-
-
-
- ';
// $db->acidClose();
$qs->SaveState();
@@ -348,7 +187,6 @@
echo "\n\n";
PrintACIDSubFooter();
-
?>
diff -Naur acid/acid_qry_sqlcalls.php acidfp/acid_qry_sqlcalls.php
--- acid/acid_qry_sqlcalls.php 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_qry_sqlcalls.php 2003-12-17 14:16:39.000000000 -0500
@@ -17,10 +17,9 @@
* - imported variables: $sql, $cnt_sql
*/
- ProcessCriteria();
-
if ( $printing_ag )
{
+ ProcessCriteria();
$page = "acid_ag_main.php";
$tmp_page_get = "&ag_action=view&ag_id=$ag_id&submit=x";
$sql = $save_sql;
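Review bot: Moving ProcessCriteria() into the `$printing_ag` branch makes the other path of this file depend on the including page having already run it, and nothing in the hunk records that contract; acid_qry_main.php does call it before its include (earlier in this patch), but any other includer would silently query with criteria that were never processed. Add it to the header comment next to the "imported variables" list, e.g. `/* The including page must call ProcessCriteria() first; it is only re-run here for the alert-group view */`. The enclosing block continues past the hunk.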
@@ -65,8 +64,8 @@
"dip_a", " ", " ORDER BY ip_dst ASC",
"dip_d", " ", " ORDER BY ip_dst DESC");
$qro->AddTitle("Layer 4 Proto",
- "proto_a", " ", " ORDER BY layer4_proto ASC",
- "proto_d", " ", " ORDER BY layer4_proto DESC");
+ "proto_a", " ", " ORDER BY ip_proto ASC",
+ "proto_d", " ", " ORDER BY ip_proto DESC");
if ( !$printing_ag)
$sql = $sql.$join_sql.$where_sql.$criteria_sql;
@@ -152,7 +151,7 @@
'&sort_order='.$qs->getCurrentSort().'">'.
$tmp_rowid.
'');
- qroPrintEntry($current_sig);
+ qroPrintEntry($current_sig, "left");
qroPrintEntry($myrow[3]);
$tmp_iplookup = 'acid_qry_main.php?sig%5B0%5D=%3D'.
@@ -161,12 +160,9 @@
'&submit=Query+DB¤t_view=-1&ip_addr_cnt=2';
/* TCP or UDP show the associated port # */
- if ( $current_proto == TCP )
- $result4 = $db->acidExecute("SELECT tcp_sport, tcp_dport FROM tcphdr ".
- "WHERE sid=".$myrow[0]." AND cid=".$myrow[1]);
- else if ( $current_proto == UDP )
- $result4 = $db->acidExecute("SELECT udp_sport, udp_dport FROM udphdr ".
- "WHERE sid=".$myrow[0]." AND cid=".$myrow[1]);
+ if ( ($current_proto == TCP) || ($current_proto == UDP) )
+ $result4 = $db->acidExecute("SELECT layer4_sport, layer4_dport FROM acid_event ".
+ "WHERE sid='".$myrow[0]."' AND cid='".$myrow[1]."'");
if ( ($current_proto == TCP) || ($current_proto == UDP) )
{
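Review bot: Wrapping the interpolated values in single quotes in the new `"WHERE sid='".$myrow[0]."' AND cid='".$myrow[1]."'"` is not an escaping step — a value containing `'` still alters the statement. Here `$myrow` is a fetched result row, so the exposure is low, but the same quote-the-interpolation pattern is applied to function parameters in acid_signature.inc (the sig_id, ref_system_id, ref_id, sig_class_id and class_id hunks) and acid_stat_common.php (the `$sensorID` hunks); for those, restrict the value to digits before use, for which the patch's own `CleanVariable($x, VAR_DIGIT)` helper is the obvious fit, or use parameter binding if the acidExecute wrapper supports it. As a point of style, the `if` on the following lines re-tests exactly `($current_proto == TCP) || ($current_proto == UDP)`; moving the `$result4` query into that block evaluates the condition once. The enclosing loop starts outside the hunk.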
diff -Naur acid/acid_show_packet.php acidfp/acid_show_packet.php
--- acid/acid_show_packet.php 1969-12-31 19:00:00.000000000 -0500
+++ acidfp/acid_show_packet.php 2003-12-17 14:17:10.000000000 -0500
@@ -0,0 +1,630 @@
+,
+ *
+ * Copyright (C) 2001,2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: displays a single alert
+ *
+ * Input GET/POST variables
+ * - caller
+ * - submit:
+ *
+ */
+
+ include ("acid_constants.inc");
+ include ("acid_conf.php");
+ include ("acid_include.inc");
+ include_once ("acid_db_common.php");
+ include_once ("acid_qry_common.php");
+ include_once ("acid_stat_common.php");
+
+function PrintPacketLookupBrowseButtons($seq, $save_sql, $db, &$previous_button, &$next_button)
+{
+ echo "\n\n\n";
+
+ $result2 = $db->acidExecute($save_sql);
+
+ if ( $seq == 0 )
+ $previous_button = '[ First ]'."\n";
+
+ $i = 0;
+ while ($i <= $seq+1 )
+ {
+ $myrow2 = $result2->acidFetchRow();
+
+ if ( $myrow2 == "" )
+ $next_button = '[ Last ]'."\n";
+ else if ( $i == $seq-1 )
+ $previous_button = ' '."\n";
+
+ else if ( $i == $seq+1 )
+ $next_button = ' '."\n";
+ $i++;
+ }
+
+ $result2->acidFreeRows();
+}
+
+ /*
+ * Need to import $submit and set the $QUERY_STRING early to support
+ * the back button. Otherwise, the value of $submit will not be passed
+ * to the history.
+ */
+ $submit = ImportHTTPVar("submit");
+ $HTTP_SERVER_VARS["QUERY_STRING"] = "submit=".rawurlencode($submit);
+
+ $et = new EventTiming($debug_time_mode);
+ $cs = new CriteriaState("acid_qry_alert.php");
+ $cs->ReadState();
+
+ $qs = new QueryState();
+
+ $page_title = "Network Fingerprint Packet Detail";
+ PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
+
+ /* Connect to the Alert database */
+ $db = NewACIDDBConnection($DBlib_path, $DBtype);
+ $db->acidDBConnect($db_connect_method,
+ $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
+/*
+ PrintCriteria("");
+*/
+ $criteria_clauses = ProcessCriteria();
+
+
+ $from = " FROM acid_event ".$criteria_clauses[0];
+ $where = " WHERE ".$criteria_clauses[1];
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
+ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+ $qs->AddValidAction("archive_alert");
+ $qs->AddValidAction("archive_alert2");
+
+ $qs->AddValidActionOp("Selected");
+
+ $qs->SetActionSQL($from.$where);
+
+ $et->Mark("Initialization");
+
+ $qs->RunAction($submit, PAGE_ALERT_DISPLAY, $db);
+ $et->Mark("Alert Action");
+
+ /* If get a valid (sid,cid) store it in $caller.
+ * But if $submit is returning from an alert action
+ * get the (sid,cid) back from $caller
+ */
+ if ( $submit == "Selected" )
+ $submit = ImportHTTPVar("caller");
+ else
+ $caller = $submit;
+
+ /* Setup the Query Results Table -- However, this data structure is not
+ * really used for output. Rather, it duplicates the sort SQL set in
+ * acid_qry_sqlcalls.php
+ */
+ $qro = new QueryResultsOutput("");
+
+ $qro->AddTitle("Signature",
+ "sig_a", " ", " ORDER BY sig_name ASC",
+ "sig_d", " ", " ORDER BY sig_name DESC");
+ $qro->AddTitle("Timestamp",
+ "time_a", " ", " ORDER BY timestamp ASC ",
+ "time_d", " ", " ORDER BY timestamp DESC ");
+ $qro->AddTitle("Source Address",
+ "sip_a", " ", " ORDER BY ip_src ASC",
+ "sip_d", " ", " ORDER BY ip_src DESC");
+ $qro->AddTitle("Dest. Address",
+ "dip_a", " ", " ORDER BY ip_dst ASC",
+ "dip_d", " ", " ORDER BY ip_dst DESC");
+ $qro->AddTitle("Layer 4 Proto",
+ "proto_a", " ", " ORDER BY layer4_proto ASC",
+ "proto_d", " ", " ORDER BY layer4_proto DESC");
+
+ $sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), "");
+ $save_sql = "SELECT acid_event.sid, acid_event.cid".$sort_sql[0].
+ $from.$where.$sort_sql[1];
+
+ if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
+
+ /* GetQueryResultID($submit, $seq, $sid, $cid); */
+ $sid = ImportHTTPVar("sid");
+ $cid = ImportHTTPVar("cid");
+
+ if ( $debug_mode > 0 )
+ echo "\n====== Alert Lookup =======
+ sid = $sid
+ cid = $cid
+ seq = $seq \n".
+ "=========================== \n";
+
+ /* Verify that have extracted (sid, cid) correctly */
+ if ( !($sid > 0 && $cid > 0) )
+ {
+ ErrorMessage("Invalid (sid,cid) pair (".$sid.",".$cid.")");
+ exit();
+ }
+
+/*
+ echo "\n";
+
+ PrintACIDSubFooter();
+
+?>
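Review bot: The `!($sid > 0 && $cid > 0)` guard after the `ImportHTTPVar("sid")`/`ImportHTTPVar("cid")` imports does not establish that the two request values are integers, because PHP's numeric comparison accepts any string with a leading digit, so whatever later uses them in SQL (outside the visible part of this file) receives an unvalidated request string. Tighten the import with the helper the patch already uses elsewhere, `$sid = CleanVariable(ImportHTTPVar("sid"), VAR_DIGIT);` and the same for `$cid`. The ErrorMessage call then echoes the rejected values back, presumably into HTML; pass them through `htmlspecialchars()` there since they are request-controlled. `$seq` is printed in the debug block but is not imported anywhere in the visible part of this file; it looks like a leftover from the commented-out GetQueryResultID call.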
diff -Naur acid/acid_signature.inc acidfp/acid_signature.inc
--- acid/acid_signature.inc 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_signature.inc 2003-12-17 14:16:39.000000000 -0500
@@ -15,7 +15,7 @@
{
$name = "";
- $temp_sql = "SELECT sig_name FROM signature WHERE sig_id=$sig_id";
+ $temp_sql = "SELECT sig_name FROM signature WHERE sig_id='$sig_id'";
$tmp_result = $db->acidExecute($temp_sql);
if ( $tmp_result )
{
@@ -29,6 +29,25 @@
return $name;
}
+function GetSignaturePriority($sig_id, $db)
+{
+ $priority = "";
+
+ $temp_sql = "SELECT sig_priority FROM signature WHERE sig_id='$sig_id'";
+ $tmp_result = $db->acidExecute($temp_sql);
+ if ( $tmp_result )
+ {
+ $myrow = $tmp_result->acidFetchRow();
+ $priority = $myrow[0];
+
+ $tmp_result->acidFreeRows();
+ }
+ else
+ $priority = "[SigPriority unknown]";
+
+ return $priority;
+}
+
function GetSignatureID($sig_id, $db)
{
$id = "";
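Review bot: The `[SigPriority unknown]` fallback in the new GetSignaturePriority only covers a failed acidExecute(); an empty result set (an unknown sig_id) still reads `$myrow[0]` from a row that was never fetched and returns that instead of the marker. Guard the fetch: `if ( ($myrow = $tmp_result->acidFetchRow()) ) $priority = $myrow[0]; else $priority = "[SigPriority unknown]";`. The sibling GetSignatureName above appears to have the same shape, so this matches the file's convention, but both would benefit from the check.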
@@ -58,7 +77,7 @@
$ref_system_name = "";
- $tmp_sql = "SELECT ref_system_name FROM reference_system WHERE ref_system_id=".$ref_system_id;
+ $tmp_sql = "SELECT ref_system_name FROM reference_system WHERE ref_system_id='".$ref_system_id."'";
$tmp_result = $db->acidExecute($tmp_sql);
if ( $tmp_result )
{
@@ -70,11 +89,32 @@
return $ref_system_name;
}
+function GetSingleSignatureReference($ref_system, $ref_tag, $style)
+{
+ $tmp_ref_system_name = strtolower($ref_system);
+ if ( in_array($tmp_ref_system_name, array_keys($GLOBALS['external_sig_link'])) )
+ {
+ if ( $style == 1 )
+ return "[".
+ "".$ref_system." ".
+ "] ";
+ else if ( $style == 2 )
+ return "[".$ref_system."/$ref_tag] ";
+ }
+ else
+ {
+ return $ref_system;
+ }
+}
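Review bot: GetSingleSignatureReference returns nothing when `$ref_system` is a known external link system but `$style` is neither 1 nor 2, so the caller's `$ref = $ref.GetSingleSignatureReference(...)` concatenates a null; give the inner `if`/`else if` an explicit fallback (`return "";` or `return $ref_system;`) or move the `$ref_system` return out of the `else`. The membership test `in_array($tmp_ref_system_name, array_keys($GLOBALS['external_sig_link']))` is the long way of writing `isset($GLOBALS['external_sig_link'][$tmp_ref_system_name])`. A docblock stating that `$ref_system` and `$ref_tag` are inserted into the returned string (presumably markup) without escaping would help callers, since those values come from the reference tables rather than from code.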
+
function GetSignatureReference($sig_id, $db, $style)
{
$ref = "";
- $temp_sql = "SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id=".$sig_id;
+ $temp_sql = "SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id='".$sig_id."'";
$tmp_sig_ref = $db->acidExecute($temp_sql);
if ( $tmp_sig_ref )
@@ -84,7 +124,7 @@
{
$mysig_ref = $tmp_sig_ref->acidFetchRow();
- $temp_sql = "SELECT ref_system_id, ref_tag FROM reference WHERE ref_id=".$mysig_ref[1];
+ $temp_sql = "SELECT ref_system_id, ref_tag FROM reference WHERE ref_id='".$mysig_ref[1]."'";
$tmp_ref_tag = $db->acidExecute($temp_sql);
if ( $tmp_ref_tag )
@@ -94,63 +134,39 @@
$ref_system = GetRefSystemName($myrow[0], $db);
}
- $href = "";
- if ( strncasecmp($ref_system,"arachNIDS",9) == 0)
- {
- if ( $style == 1 )
- $href = "arachNIDS ";
- else if ( $style == 2 )
- $href = "[arachNIDS/$ref_tag] ";
- }
- elseif ( strncasecmp($ref_system,"cve",3) == 0)
- {
- if ( $style == 1 )
- $href = "CVE ";
- else if ( $style == 2 )
- $href = "[CVE/$ref_tag] ";
- }
- elseif ( strncasecmp($ref_system,"bugtraq",7) == 0)
- {
- if ( $style == 1 )
- $href = "bugtraq ";
- else if ( $style == 2 )
- $href = "[Bugtraq/$ref_tag] ";
- }
- elseif ( strncasecmp($ref_system,"McAfee",6) == 0 )
- {
- if ( $style == 1 )
- $href = "McAfee ";
- else if ( $style == 2 )
- $href = "[McAfee/$ref_tag] ";
- }
- elseif ( strncasecmp($ref_system,"url",3) == 0 )
- {
- if ( $style == 1 )
- $href = "url ";
- else if ( $style == 2 )
- $href = "[url/$ref_tag] ";
-
- }
- else
- {
- $href = $ref_system;
- }
+ $ref = $ref.GetSingleSignatureReference($ref_system, $ref_tag, $style);
- if ( $style == 1 )
- $ref = $ref."[$href] ";
- else if ( $style == 2 )
- $ref = $ref.$href;
-
+ /* Automatically add an ICAT reference is a CVE reference exists */
+ if ( $ref_system == "cve" )
+ $ref = $ref.GetSingleSignatureReference("icat", $ref_tag, $style);
+
$tmp_ref_tag->acidFreeRows();
}
$tmp_sig_ref->acidFreeRows();
}
+ if ( $db->acidGetDBVersion() >= 103 )
+ {
+ $tmp_sql = "SELECT sig_sid FROM signature WHERE sig_id='".$sig_id."'";
+ $tmp_sig_sid = $db->acidExecute($tmp_sql);
+
+ if ( $tmp_sig_sid )
+ {
+ $myrow = $tmp_sig_sid->acidFetchRow();
+ $sig_sid = $myrow[0];
+ }
+ }
+ else
+ $sig_sid = "";
+
+ $href = "";
+
+ /* snort.org should be documenting all official signatures,
+ * so automatically add a link
+ */
+ if ( $sig_sid != "")
+ $ref = $ref.GetSingleSignatureReference("snort", $sig_sid, $style);
+
return $ref;
}
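Review bot: The ICAT auto-reference check `if ( $ref_system == "cve" )` is case-sensitive, while GetSingleSignatureReference matches systems after `strtolower()`; a reference system stored as `CVE` gets the external link but not the ICAT companion. Compare case-insensitively, `if ( strcasecmp($ref_system, "cve") == 0 )`. `$href = "";` is a leftover from the deleted branch chain and is no longer read. When `$tmp_sig_sid` is false under a version-103 schema, `$sig_sid` is never assigned; initialise it to `""` before the version check instead of only in the `else`.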
@@ -171,9 +187,9 @@
$replace=array("\\1\\2 ",
"\\1\\2\\3 ",
- "BUGTRAQ ID \\1 ",
- "MCAFEE ID \\1 ",
- "\\1 ");
+ "BUGTRAQ ID \\1 ",
+ "MCAFEE ID \\1 ",
+ "\\1 ");
$msg = preg_replace($pattern, $replace, $signature);
@@ -208,7 +224,6 @@
* RETURNS: a formatted signature and the associated references
*/
{
- //echo "sig_id = $sig_id ";
if ( $db->acidGetDBVersion() >= 100 )
{
/* Catch the odd circumstance where $sig_id is still an alert text string
@@ -234,7 +249,7 @@
function GetSigClassID($sig_id, $db)
{
$sql = "SELECT sig_class_id FROM signature ".
- "WHERE sig_id = $sig_id";
+ "WHERE sig_id = '$sig_id'";
$result = $db->acidExecute($sql);
$row = $result->acidFetchRow();
@@ -248,7 +263,7 @@
return "unclassified ";
$sql = "SELECT sig_class_name FROM sig_class ".
- "WHERE sig_class_id = $class_id";
+ "WHERE sig_class_id = '$class_id'";
$result = $db->acidExecute($sql);
$row = $result->acidFetchRow();
diff -Naur acid/acid_stat_alerts.php acidfp/acid_stat_alerts.php
--- acid/acid_stat_alerts.php 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_stat_alerts.php 2003-12-17 14:16:39.000000000 -0500
@@ -55,6 +55,7 @@
$qs->AddValidAction("ag_by_id");
$qs->AddValidAction("ag_by_name");
+ $qs->AddValidAction("add_new_ag");
$qs->AddValidAction("del_alert");
$qs->AddValidAction("email_alert");
$qs->AddValidAction("email_alert2");
diff -Naur acid/acid_stat_class.php acidfp/acid_stat_class.php
--- acid/acid_stat_class.php 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_stat_class.php 2003-12-17 14:16:39.000000000 -0500
@@ -53,6 +53,7 @@
$qs->AddValidAction("ag_by_id");
$qs->AddValidAction("ag_by_name");
+ $qs->AddValidAction("add_new_ag");
$qs->AddValidAction("del_alert");
$qs->AddValidAction("email_alert");
$qs->AddValidAction("email_alert2");
diff -Naur acid/acid_stat_common.php acidfp/acid_stat_common.php
--- acid/acid_stat_common.php 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_stat_common.php 2003-12-17 14:16:39.000000000 -0500
@@ -4,10 +4,10 @@
*
* Author: Roman Danyliw ,
*
- * Copyright (C) 2000 Carnegie Mellon University
+ * Copyright (C) 2000-2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
- * Purpose:
+ * Purpose: summary statistics
*
*/
@@ -16,7 +16,7 @@
function SensorCnt($db, $join = "", $where = "")
{
if ( $join == "" && $where == "" )
- $result = $db->acidExecute("SELECT count(*) FROM sensor");
+ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event");
else
$result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event $join $where");
$myrow = $result->acidFetchRow();
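Review bot: With the first branch of SensorCnt now also counting `DISTINCT acid_event.sid` from acid_event, the `if`/`else` differs only by the `$join $where` suffix, which is empty in exactly the case the first branch handles; the whole thing collapses to the single `else` query. This is also a behaviour change — sensors present in the sensor table with no events no longer count — which is worth stating in the function's comment, e.g. `/* counts sensors that have at least one event, not rows of the sensor table */`. The function continues past the hunk.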
@@ -52,7 +52,7 @@
{
/* Calculate the Unique Alerts */
- $query = "SELECT COUNT(DISTINCT signature) FROM acid_event WHERE sid = " . $sensorID . ";";
+ $query = "SELECT COUNT(DISTINCT signature) FROM acid_event WHERE sid = '" . $sensorID . "'";
$result = $db->acidExecute($query);
if ( $result )
@@ -75,7 +75,7 @@
*/
function EventCntBySensor($sensorID, $db)
{
- $query = "SELECT count(*) FROM acid_event where sid = " .$sensorID. ";";
+ $query = "SELECT count(*) FROM acid_event where sid = '" .$sensorID. "'";
$result = $db->acidExecute($query);
$myrow = $result->acidFetchRow();
@@ -87,7 +87,7 @@
function MinDateBySensor($sensorID, $db)
{
- $query = "SELECT min(timestamp) FROM acid_event WHERE sid=" . $sensorID . ";";
+ $query = "SELECT min(timestamp) FROM acid_event WHERE sid= '". $sensorID."'";
$result = $db->acidExecute($query);
$myrow = $result->acidFetchRow();
@@ -100,7 +100,7 @@
function MaxDateBySensor($sensorID, $db)
{
- $query = "SELECT max(timestamp) FROM acid_event WHERE sid=" . $sensorID . ";";
+ $query = "SELECT max(timestamp) FROM acid_event WHERE sid='".$sensorID."'";
$result = $db->acidExecute($query);
$myrow = $result->acidFetchRow();
@@ -112,7 +112,7 @@
function UniqueDestAddrCntBySensor( $sensorID, $db )
{
- $query = "SELECT COUNT(DISTINCT ip_dst) from acid_event WHERE sid=" . $sensorID . ";";
+ $query = "SELECT COUNT(DISTINCT ip_dst) from acid_event WHERE sid='" . $sensorID . "'";
$result = $db->acidExecute($query);
$row = $result->acidFetchRow();
@@ -124,7 +124,7 @@
function UniqueSrcAddrCntBySensor( $sensorID, $db )
{
- $query = "SELECT COUNT(DISTINCT ip_src) from acid_event WHERE sid=" . $sensorID . ";";
+ $query = "SELECT COUNT(DISTINCT ip_src) from acid_event WHERE sid='" . $sensorID . "'";
$result = $db->acidExecute($query);
$row = $result->acidFetchRow();
@@ -136,7 +136,7 @@
function TCPPktCnt($db)
{
- $result = $db->acidExecute("SELECT count(*) FROM tcphdr;");
+ $result = $db->acidExecute("SELECT count(*) FROM acid_event WHERE ip_proto=6");
$myrow = $result->acidFetchRow();
$num = $myrow[0];
$result->acidFreeRows();
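Review bot: The replacement queries in TCPPktCnt, UDPPktCnt and ICMPPktCnt compare `ip_proto` with the literals 6, 17 and 1, while the port-count hunks later in this file use the `TCP`/`UDP` constants for the same column; use the constants here as well (`"... WHERE ip_proto=".TCP`), and the matching ICMP constant if acid_constants.inc defines one, so the protocol numbers live in one place. The UDP and ICMP hunks that follow have the same issue.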
@@ -146,7 +146,7 @@
function UDPPktCnt($db)
{
- $result = $db->acidExecute("SELECT count(*) FROM udphdr;");
+ $result = $db->acidExecute("SELECT count(*) FROM acid_event WHERE ip_proto=17");
$myrow = $result->acidFetchRow();
$num = $myrow[0];
$result->acidFreeRows();
@@ -156,7 +156,7 @@
function ICMPPktCnt($db)
{
- $result = $db->acidExecute("SELECT count(*) FROM icmphdr;");
+ $result = $db->acidExecute("SELECT count(*) FROM acid_event WHERE ip_proto=1");
$myrow = $result->acidFetchRow();
$num = $myrow[0];
$result->acidFreeRows();
@@ -273,11 +273,11 @@
if ( $join == "" && $where == "")
$result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
"COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event ".
- "WHERE ip_proto=".TCP);
+ "WHERE ip_proto='".TCP."'");
else
$result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
"COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event $join".
- " $where AND ip_proto=".TCP);
+ " $where AND ip_proto='".TCP."'");
$row = $result->acidFetchRow();
$result->acidFreeRows();
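Review bot: `TCP` in the new `"WHERE ip_proto='".TCP."'"` is a code-defined constant, not an input, so quoting it gains nothing and turns an integer comparison on `ip_proto` into a string literal the database must convert; the previous `"WHERE ip_proto=".TCP` is the clearer form. The UDP hunk below makes the same change. The enclosing function starts outside the hunk.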
@@ -290,11 +290,11 @@
if ( $join == "" && $where == "")
$result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
"COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event ".
- "WHERE ip_proto=".UDP);
+ "WHERE ip_proto='".UDP."'");
else
$result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
"COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event $join".
- " $where AND ip_proto=".UDP);
+ " $where AND ip_proto='".UDP."'");
$row = $result->acidFetchRow();
$result->acidFreeRows();
diff -Naur acid/acid_state_citems.inc acidfp/acid_state_citems.inc
--- acid/acid_state_citems.inc 1969-12-31 19:00:00.000000000 -0500
+++ acidfp/acid_state_citems.inc 2003-12-17 14:16:39.000000000 -0500
@@ -0,0 +1,1462 @@
+,
+ *
+ * Copyright (C) 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: individual criteria classes
+ *
+ */
+
+class BaseCriteria
+{
+ var $criteria;
+ var $export_name;
+
+ var $db;
+ var $cs;
+
+ function BaseCriteria($db, $cs, $name)
+ {
+ $this->db = &$db;
+ $this->cs = &$cs;
+
+ $this->export_name = $name;
+ $this->criteria = NULL;
+ }
+
+ function Init()
+ {
+ }
+
+ function Import()
+ {
+ /* imports criteria from POST, GET, or the session */
+ }
+
+ function Clear()
+ {
+ /* clears the criteria */
+ }
+
+ function Sanitize()
+ {
+ /* clean/validate the criteria */
+ }
+
+ function SanitizeElement()
+ {
+ /* clean/validate the criteria */
+ }
+
+ function PrintForm()
+ {
+ /* prints the HTML form to input the criteria */
+ }
+
+ function AddFormItem()
+ {
+ /* adding another item to the HTML form */
+ }
+
+ function GetFormItemCnt()
+ {
+ /* returns the number of items in this form element */
+ }
+
+ function SetFormItemCnt()
+ {
+ /* sets the number of items in this form element */
+ }
+
+ function Set($value)
+ {
+ /* set the value of this criteria */
+ }
+
+ function Get()
+ {
+ /* returns the value of this criteria */
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ /* generate human-readable description of this criteria */
+ }
+
+ function isEmpty()
+ {
+ /* returns if the criteria is empty */
+ }
+};
+
+class SingleElementCriteria extends BaseCriteria
+{
+ function Import()
+ {
+ GLOBAL $HTTP_SESSION_VARS;
+
+ $this->criteria = SetSessionVar($this->export_name);
+
+ $HTTP_SESSION_VARS[$this->export_name] = &$this->criteria;
+ }
+
+ function Sanitize()
+ {
+ $this->SanitizeElement();
+ }
+
+ function GetFormItemCnt()
+ {
+ return -1;
+ }
+
+ function Set($value)
+ {
+ $this->criteria = $value;
+ }
+
+ function Get()
+ {
+ return $this->criteria;
+ }
+ function isEmpty()
+ {
+ if ( $this->criteria == "" )
+ return true;
+ else
+ return false;
+ }
+};
+
+class MultipleElementCriteria extends BaseCriteria
+{
+ var $element_cnt;
+ var $criteria_cnt;
+ var $valid_field_list;
+
+ function MultipleElementCriteria($db, $cs, $export_name, $element_cnt, $field_list = NULL)
+ {
+ $this->BaseCriteria(&$db, &$cs, $export_name);
+
+ $this->element_cnt = $element_cnt;
+ $this->criteria_cnt = 0;
+ $this->valid_field_list = $field_list;
+ }
+
+ function Init()
+ {
+ GLOBAL $HTTP_SESSION_VARS;
+
+ InitArray($this->criteria, $GLOBALS['MAX_ROWS'], $this->element_cnt, "");
+ $this->criteria_cnt = 1;
+
+ $HTTP_SESSION_VARS[$this->export_name."_cnt"] = &$this->criteria_cnt;
+ }
+
+ function Import()
+ {
+ GLOBAL $HTTP_SESSION_VARS;
+
+ $this->criteria = SetSessionVar($this->export_name);
+ $this->criteria_cnt = SetSessionVar($this->export_name."_cnt");
+
+ $HTTP_SESSION_VARS[$this->export_name] = &$this->criteria;
+ $HTTP_SESSION_VARS[$this->export_name."_cnt"] = &$this->criteria_cnt;
+ }
+
+ function Sanitize()
+ {
+ if ( in_array("criteria", array_keys(get_object_vars($this))) )
+ //if ( isset($this->criteria) )
+ {
+ for($i=0; $i < $this->element_cnt; $i++)
+ {
+ if ( isset($this->criteria[$i]) )
+ $this->SanitizeElement($i);
+ }
+ }
+ }
+
+ function SanitizeElement($i)
+ {
+ }
+
+ function GetFormItemCnt()
+ {
+ return $this->criteria_cnt;
+ }
+
+ function SetFormItemCnt($value)
+ {
+ $this->criteria_cnt = $value;
+ }
+
+ function AddFormItem(&$submit, $submit_value)
+ {
+ AddCriteriaFormRow($submit, $submit_value, &$this->criteria_cnt, $this->criteria, $this->element_cnt);
+ }
+
+ function Set($value)
+ {
+ $this->criteria = $value;
+ }
+
+ function Get()
+ {
+ return $this->criteria;
+ }
+
+ function isEmpty()
+ {
+ if ( $this->criteria_cnt == 0 )
+ return true;
+ else
+ return false;
+ }
+
+ function PrintForm($field_list, $blank_field_string, $add_button_string)
+ {
+ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
+ {
+ echo ' ';
+ echo ' criteria[$i][0]," ").'>__ ';
+ echo ' criteria[$i][0],"(").'>( ';
+ echo ' ';
+
+ echo ' ';
+ echo ' criteria[$i][1]," ").'>'.$blank_field_string.' ';
+
+ reset($field_list);
+ foreach( $field_list as $field_name => $field_human_name )
+ {
+ echo ' criteria[$i][1],$field_name).'>'.$field_human_name.' ';
+ }
+ echo ' ';
+
+ echo ' ';
+ echo ' criteria[$i][2],"="). '>= ';
+ echo ' criteria[$i][2],"!=").'>!= ';
+ echo ' criteria[$i][2],"<"). '>< ';
+ echo ' criteria[$i][2],"<=").'><= ';
+ echo ' criteria[$i][2],">"). '>> ';
+ echo ' criteria[$i][2],">=").'>>= ';
+ echo ' ';
+
+ echo ' ';
+
+ echo ' ';
+ echo ' criteria[$i][4]," ").'>__ criteria[$i][4],"(").'>(';
+ echo ' criteria[$i][4],")").'>) ';
+ echo ' ';
+
+ echo ' ';
+ echo ' criteria[$i][5]," "). '>__ ';
+ echo ' criteria[$i][5],"OR"). '>OR ';
+ echo ' criteria[$i][5],"AND").'>AND ';
+ echo ' ';
+ if ( $i == $this->criteria_cnt-1 )
+ echo ' ';
+ echo ' ';
+ }
+ }
+
+ function Compact()
+ {
+ GLOBAL $HTTP_SESSION_VARS;
+
+ if ( $this->isEmpty() )
+ {
+ $this->criteria = "";
+ $HTTP_SESSION_VARS[$this->export_name] = &$this->criteria;
+ }
+ }
+};
+
+class ProtocolFieldCriteria extends MultipleElementCriteria
+{
+ function SanitizeElement($i)
+ {
+ $this->criteria[$i][0] = CleanVariable($this->criteria[$i][0], VAR_OPAREN);
+ $this->criteria[$i][1] = CleanVariable($this->criteria[$i][1], "", array_keys($this->valid_field_list));
+ $this->criteria[$i][2] = CleanVariable($this->criteria[$i][2], "", array("=", "!=", "<", "<=", ">", ">="));
+ $this->criteria[$i][3] = CleanVariable($this->criteria[$i][3], VAR_DIGIT);
+ $this->criteria[$i][4] = CleanVariable($this->criteria[$i][4], VAR_OPAREN | VAR_CPAREN);
+ $this->criteria[$i][5] = CleanVariable($this->criteria[$i][5], "", array("AND", "OR"));
+ }
+
+ function Description($human_fields)
+ {
+ $tmp = "";
+ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
+ {
+ if ($this->criteria[$i][1] != " " && $this->criteria[$i][3] != "" )
+ $tmp = $tmp.$this->criteria[$i][0].$human_fields[($this->criteria[$i][1])].' '.
+ $this->criteria[$i][2].' '.$this->criteria[$i][3].$this->criteria[$i][4].' '.$this->criteria[$i][5];
+ }
+ if ( $tmp != "" )
+ $tmp = $tmp.$this->cs->GetClearCriteriaString($this->export_name);
+
+ return $tmp;
+ }
+}
+
+class SignatureCriteria extends SingleElementCriteria
+{
+/*
+ * $sig[3]: stores signature
+ * - [0] : exactly, roughly [1] : signature
+ * - [2] : =, !=
+ */
+
+ var $sig_type;
+
+ function SignatureCriteria($db, $cs, $export_name)
+ {
+ $this->BaseCriteria(&$db, &$cs, $export_name);
+
+ $this->sig_type = "";
+ }
+
+ function Init()
+ {
+ InitArray($this->criteria, 3, 0, "");
+ $this->sig_type = "";
+ }
+
+ function Import()
+ {
+ GLOBAL $HTTP_SESSION_VARS;
+
+ parent::Import();
+
+ $this->sig_type = SetSessionVar("sig_type");
+
+ $HTTP_SESSION_VARS['sig_type'] = &$this->sig_type;
+ }
+
+ function Clear()
+ {
+ }
+
+ function SanitizeElement()
+ {
+ $this->criteria[0] = CleanVariable($this->criteria[0], "", array(" ", "=", "LIKE"));
+ $this->criteria[1] = CleanVariable($this->criteria[1], VAR_ALPHA | VAR_SPACE);
+ $this->criteria[2] = CleanVariable($this->criteria[2], "", array("=", "!="));
+ }
+
+ function PrintForm()
+ {
+ echo 'criteria[0]," "). '>{ signature }';
+ echo ' criteria[0],"="). '>exactly ';
+ echo ' criteria[0],"LIKE").'>roughly ';
+
+ echo 'criteria[2],"="). '>=';
+ echo ' criteria[2],"!="). '>!=';
+ echo ' ';
+
+ echo ' ';
+
+ if ( $GLOBALS['use_sig_list'] > 0)
+ {
+ $temp_sql = "SELECT DISTINCT sig_name FROM signature";
+ if ($GLOBALS['use_sig_list'] == 1)
+ {
+ $temp_sql = $temp_sql." WHERE sig_name NOT LIKE '%SPP\_%'";
+ }
+
+ $temp_sql = $temp_sql." ORDER BY sig_name";
+ $tmp_result = $this->db->acidExecute($temp_sql);
+ echo '
+ { Select Signature from List }';
+
+ if ($tmp_result)
+ {
+ while ( $myrow = $tmp_result->acidFetchRow() )
+ echo ' '.$myrow[0];
+ $tmp_result->acidFreeRows();
+ }
+ echo ' ';
+ }
+ }
+
+ function ToSQL()
+ {
+ }
+
+ function Description()
+ {
+ $tmp = $tmp_human = "";
+
+ if ( (isset($this->criteria[0])) && ($this->criteria[0] != " ") &&
+ (isset($this->criteria[1])) && ($this->criteria[1] != "") )
+ {
+ if ( $this->criteria[0] == '=' && $this->criteria[2] == '!=' )
+ $tmp_human = '!=';
+ else if ( $this->criteria[0] == '=' && $this->criteria[2] == '=' )
+ $tmp_human = '=';
+ else if ( $this->criteria[0] == 'LIKE' && $this->criteria[2] == '!=' )
+ $tmp_human = ' does not contain ';
+ else if ( $this->criteria[0] == 'LIKE' && $this->criteria[2] == '=' )
+ $tmp_human = ' contains ';
+
+ $tmp = $tmp.'Signature '.$tmp_human.' "';
+ if ( ($this->db->acidGetDBVersion() >= 100) && $this->sig_type == 1 )
+ $tmp = $tmp.BuildSigByID($this->criteria[1], $this->db).'" '.$this->cs->GetClearCriteriaString($this->export_name);
+ else
+ $tmp = $tmp.$this->criteria[1].'"'.$this->cs->GetClearCriteriaString($this->export_name);
+
+ $tmp = $tmp.' ';
+ }
+
+ return $tmp;
+ }
+}; /* SignatureCriteria */
+
+class SignatureClassificationCriteria extends SingleElementCriteria
+{
+ function Init()
+ {
+ $this->criteria = "";
+ }
+
+ function Clear()
+ {
+ /* clears the criteria */
+ }
+
+ function SanitizeElement()
+ {
+ $this->criteria = CleanVariable($this->criteria, VAR_DIGIT, array("null"));
+ }
+
+ function PrintForm()
+ {
+ if ( $this->db->acidGetDBVersion() >= 103 )
+ {
+ echo '
+ criteria, " ").'>{ any Classification }
+ criteria, "null").'>-unclassified-';
+
+ $temp_sql = "SELECT sig_class_id, sig_class_name FROM sig_class";
+ $tmp_result = $this->db->acidExecute($temp_sql);
+ if ( $tmp_result )
+ {
+ while ( $myrow = $tmp_result->acidFetchRow() )
+ echo ' criteria, $myrow[0]).'>'.
+ $myrow[1];
+
+ $tmp_result->acidFreeRows();
+ }
+ echo '  ';
+ }
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ $tmp = "";
+
+ if ( $this->db->acidGetDBVersion() >= 103 )
+ {
+ if ( $this->criteria != " " && $this->criteria != "" )
+ {
+ if ( $this->criteria == "null")
+ $tmp = $tmp.'Signature Classification = '.
+ 'unclassified ';
+ else
+ $tmp = $tmp.'Signature Classification = '.
+ GetSigClassName($this->criteria, $this->db).
+ $this->cs->GetClearCriteriaString($this->export_name).' ';
+ }
+ }
+
+ return $tmp;
+ }
+}; /* SignatureClassificationCriteria */
+
+class SignaturePriorityCriteria extends SingleElementCriteria
+{
+ function Init()
+ {
+ $this->criteria = "";
+ }
+
+ function Clear()
+ {
+ /* clears the criteria */
+ }
+
+ function SanitizeElement()
+ {
+ $this->criteria[0] = CleanVariable($this->criteria[0], "", array("=", "!=", "<", "<=", ">", ">="));
+ $this->criteria[1] = CleanVariable($this->criteria[1], VAR_DIGIT, array("null"));
+ }
+
+ function PrintForm()
+ {
+ if ( $this->db->acidGetDBVersion() >= 103 )
+ {
+ echo '
+ criteria[0],"="). '>__
+ criteria[0],"=").'>==
+ criteria[0],"!=").'>!=
+ criteria[0],"<"). '><
+ criteria[0],">").'>>
+ criteria[0],"><="). '><=
+ criteria[0],">=").'>>= ';
+
+ echo '
+ criteria[1], " ").'>{ any Priority }
+ criteria[1], "null").'>-unclassified- ';
+ $temp_sql = "select DISTINCT sig_priority from signature ORDER BY sig_priority ASC ";
+ $tmp_result = $this->db->acidExecute($temp_sql);
+ if ( $tmp_result )
+ {
+ while ( $myrow = $tmp_result->acidFetchRow() )
+ echo 'criteria[1], $myrow[0]).'>'.
+ $myrow[0];
+
+ $tmp_result->acidFreeRows();
+ }
+ echo '  ';
+ }
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ $tmp = "";
+
+ if ( $this->db->acidGetDBVersion() >= 103 )
+ {
+ if ( $this->criteria[1] != " " && $this->criteria[1] != "" )
+ {
+ if ( $this->criteria[1] == null)
+ $tmp = $tmp.'Signature Priority = '.
+ 'none ';
+ else
+ $tmp = $tmp.'Signature Priority '.$this->criteria[0]." ".$this->criteria[1].
+ $this->cs->GetClearCriteriaString($this->export_name).' ';
+ }
+ }
+
+ return $tmp;
+ }
+ }; /* SignaturePriorityCriteria */
+
+class AlertGroupCriteria extends SingleElementCriteria
+{
+ function Init()
+ {
+ $this->criteria = "";
+ }
+
+ function Clear()
+ {
+ /* clears the criteria */
+ }
+
+ function SanitizeElement()
+ {
+ $this->criteria = CleanVariable($this->criteria, VAR_DIGIT);
+ }
+
+ function PrintForm()
+ {
+ echo '
+ criteria, " ").'>{ any Alert Group }';
+
+ $temp_sql = "SELECT ag_id, ag_name FROM acid_ag";
+ $tmp_result = $this->db->acidExecute($temp_sql);
+ if ( $tmp_result )
+ {
+ while ( $myrow = $tmp_result->acidFetchRow() )
+ echo ' criteria, $myrow[0]).'>'.
+ '['.$myrow[0].'] '.$myrow[1];
+
+ $tmp_result->acidFreeRows();
+ }
+ echo ' ';
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ $tmp = "";
+
+ if ( $this->criteria != " " && $this->criteria != "" )
+ $tmp = $tmp.'Alert Group = ['.$this->criteria.'] '.GetAGNameByID($this->criteria, $this->db).
+ $this->cs->GetClearCriteriaString($this->export_name).' ';
+
+ return $tmp;
+ }
+}; /* AlertGroupCriteria */
+
+class SensorCriteria extends SingleElementCriteria
+{
+ function Init()
+ {
+ $this->criteria = "";
+ }
+
+ function Clear()
+ {
+ /* clears the criteria */
+ }
+
+ function SanitizeElement()
+ {
+ $this->criteria = CleanVariable($this->criteria, VAR_DIGIT);
+ }
+
+ function PrintForm()
+ {
+ echo '
+ criteria, " ").'>{ any sensor }';
+
+ $temp_sql = "SELECT sid, hostname, interface, filter FROM sensor";
+ $tmp_result = $this->db->acidExecute($temp_sql);
+ if ( $tmp_result->row )
+ {
+ while ( $myrow = $tmp_result->acidFetchRow() )
+ echo ' criteria, $myrow[0]).'>'.
+ '['.$myrow[0].'] '.GetSensorName($myrow[0], $this->db);
+
+ $tmp_result->acidFreeRows();
+ }
+
+ echo '  ';
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ $tmp = "";
+
+ if ( $this->criteria != " " && $this->criteria != "" )
+ $tmp = $tmp.'Sensor = ['.$this->criteria.'] '.
+ GetSensorName($this->criteria, $this->db).
+ $this->cs->GetClearCriteriaString($this->export_name).' ';
+
+ return $tmp;
+ }
+}; /* SensorCriteria */
+
+class TimeCriteria extends MultipleElementCriteria
+{
+/*
+ * $time[MAX][10]: stores the date/time of the packet detection
+ * - [][0] : ( [][5] : hour
+ * - [][1] : =, !=, <, <=, >, >= [][6] : minute
+ * - [][2] : month [][7] : second
+ * - [][3] : day [][8] : (, )
+ * - [][4] : year [][9] : AND, OR
+ *
+ * $time_cnt : number of rows in the $time[][] structure
+ */
+
+ function Clear()
+ {
+ /* clears the criteria */
+ }
+
+ function SanitizeElement($i)
+ {
+ $this->criteria[$i][0] = CleanVariable($this->criteria[$i][0], VAR_OPAREN);
+ $this->criteria[$i][1] = CleanVariable($this->criteria[$i][1], "", array("=", "!=", "<", "<=", ">", ">="));
+ $this->criteria[$i][2] = CleanVariable($this->criteria[$i][2], VAR_DIGIT);
+ $this->criteria[$i][3] = CleanVariable($this->criteria[$i][3], VAR_DIGIT);
+ $this->criteria[$i][4] = CleanVariable($this->criteria[$i][4], VAR_DIGIT);
+ $this->criteria[$i][5] = CleanVariable($this->criteria[$i][5], VAR_DIGIT);
+ $this->criteria[$i][6] = CleanVariable($this->criteria[$i][6], VAR_DIGIT);
+ $this->criteria[$i][7] = CleanVariable($this->criteria[$i][7], VAR_DIGIT);
+ $this->criteria[$i][8] = CleanVariable($this->criteria[$i][8], VAR_OPAREN | VAR_CPAREN);
+ $this->criteria[$i][9] = CleanVariable($this->criteria[$i][9], "", array("AND", "OR"));
+ }
+
+ function PrintForm()
+ {
+ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
+ {
+ echo 'criteria[$i][0]," ").'>__';
+ echo ' criteria[$i][0],"(").'>( ';
+ echo 'criteria[$i][1]," "). '>{ time }';
+ echo ' criteria[$i][1],"="). '>=';
+ echo ' criteria[$i][1],"!=").'>!=';
+ echo ' criteria[$i][1],"<"). '><';
+ echo ' criteria[$i][1],"<=").'><=';
+ echo ' criteria[$i][1],">"). '>>';
+ echo ' criteria[$i][1],">=").'>>= ';
+
+ echo 'criteria[$i][2]," " ).'>{ month }';
+ echo ' criteria[$i][2],"01").'>Jan';
+ echo ' criteria[$i][2],"02").'>Feb';
+ echo ' criteria[$i][2],"03").'>Mar';
+ echo ' criteria[$i][2],"04").'>Apr';
+ echo ' criteria[$i][2],"05").'>May';
+ echo ' criteria[$i][2],"06").'>Jun';
+ echo ' criteria[$i][2],"07").'>Jly';
+ echo ' criteria[$i][2],"08").'>Aug';
+ echo ' criteria[$i][2],"09").'>Sep';
+ echo ' criteria[$i][2],"10").'>Oct';
+ echo ' criteria[$i][2],"11").'>Nov';
+ echo ' criteria[$i][2],"12").'>Dec ';
+ echo ' ';
+ echo 'criteria[$i][4]," ").'>{ year }';
+ echo ' criteria[$i][4],"1999").'>1999';
+ echo ' criteria[$i][4],"2000").'>2000';
+ echo ' criteria[$i][4],"2001").'>2001';
+ echo ' criteria[$i][4],"2002").'>2002';
+ echo ' criteria[$i][4],"2003").'>2003';
+ echo ' criteria[$i][4],"2004").'>2004 ';
+
+ echo ': ';
+ echo ': ';
+ echo ' ';
+
+ echo 'criteria[$i][8]," ").'>__';
+ echo ' criteria[$i][8],"(").'>(';
+ echo ' criteria[$i][8],")").'>) ';
+ echo 'criteria[$i][9]," "). '>__';
+ echo ' criteria[$i][9],"OR"). '>OR';
+ echo ' criteria[$i][9],"AND").'>AND ';
+
+ if ( $i == $this->criteria_cnt-1 )
+ echo ' ';
+ echo ' ';
+ }
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ $tmp = "";
+ for ($i = 0; $i < $this->criteria_cnt; $i++)
+ {
+ if ( isset($this->criteria[$i][1]) && $this->criteria[$i][1] != " " )
+ {
+ $tmp = $tmp.''.$this->criteria[$i][0].' time '.$this->criteria[$i][1].' [ ';
+
+ /* date */
+ if ( $this->criteria[$i][2] == " " && $this->criteria[$i][3] == "" && $this->criteria[$i][4] == " " )
+ $tmp = $tmp." any date ";
+ else
+ $tmp = $tmp.(($this->criteria[$i][2] == " ") ? "* / " : $this->criteria[$i][2]." / ").
+ (($this->criteria[$i][3] == "" ) ? "* / " : $this->criteria[$i][3]." / ").
+ (($this->criteria[$i][4] == " ") ? "* " : $this->criteria[$i][4]." ");
+ $tmp = $tmp.'] [ ';
+ /* time */
+ if ( $this->criteria[$i][5] == "" && $this->criteria[$i][6] == "" && $this->criteria[$i][7] == "" )
+ $tmp = $tmp."any time ";
+ else
+ $tmp = $tmp.(($this->criteria[$i][5] == "") ? "* : " : $this->criteria[$i][5]." : ").
+ (($this->criteria[$i][6] == "") ? "* : " : $this->criteria[$i][6]." : ").
+ (($this->criteria[$i][7] == "") ? "* " : $this->criteria[$i][7]." ");
+ $tmp = $tmp.$this->criteria[$i][8].'] '.$this->criteria[$i][9];
+ $tmp = $tmp.' ';
+ }
+ }
+ if ( $tmp != "" )
+ $tmp = $tmp.$this->cs->GetClearCriteriaString($this->export_name);
+
+ return $tmp;
+ }
+}; /* TimeCriteria */
+
+class IPAddressCriteria extends MultipleElementCriteria
+{
+/*
+ * $ip_addr[MAX][10]: stores an ip address parameters/operators row
+ * - [][0] : ( [][5] : octet3 of address
+ * - [][1] : source, dest [][6] : octet4 of address
+ * - [][2] : =, != [][7] : network mask
+ * - [][3] : octet1 of address [][8] : (, )
+ * - [][4] : octet2 of address [][9] : AND, OR
+ *
+ * $ip_addr_cnt: number of rows in the $ip_addr[][] structure
+ */
+
+ function IPAddressCriteria($db, $cs, $export_name, $element_cnt)
+ {
+ parent::MultipleElementCriteria(&$db, &$cs, $export_name, $element_cnt,
+ array ("ip_src" => "Source",
+ "ip_dst" => "Dest",
+ "ip_both" => "Src or Dest"));
+ }
+
+ function Import()
+ {
+ GLOBAL $HTTP_SESSION_VARS;
+
+ parent::Import();
+
+ /* expand IP into octets */
+ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
+ {
+ if ( (isset ($this->criteria[$i][3])) &&
+ (ereg("([0-9]*)\.([0-9]*)\.([0-9]*)\.([0-9]*)", $this->criteria[$i][3])) )
+ {
+ $tmp_ip_str = $this->criteria[$i][7] = $this->criteria[$i][3];
+ $this->criteria[$i][3] = strtok($tmp_ip_str, ".");
+ $this->criteria[$i][4] = strtok(".");
+ $this->criteria[$i][5] = strtok(".");
+ $this->criteria[$i][6] = strtok("/");
+ $this->criteria[$i][10] = strtok("");
+ }
+ }
+
+ $HTTP_SESSION_VARS['ip_addr'] = &$this->criteria;
+ $HTTP_SESSION_VARS['ip_addr_cnt'] = &$this->criteria_cnt;
+ }
+
+ function Clear()
+ {
+ /* clears the criteria */
+ }
+
+ function SanitizeElement()
+ {
+ $this->criteria[$i][0] = CleanVariable($this->criteria[$i][0], VAR_OPAREN);
+ $this->criteria[$i][1] = CleanVariable($this->criteria[$i][1], "", array_keys($this->valid_field_list));
+ $this->criteria[$i][2] = CleanVariable($this->criteria[$i][2], "", array("=", "!=", "<", "<=", ">", ">="));
+ $this->criteria[$i][3] = CleanVariable($this->criteria[$i][3], VAR_DIGIT | VAR_PERIOD | VAR_FSLASH);
+ $this->criteria[$i][4] = CleanVariable($this->criteria[$i][4], VAR_DIGIT);
+ $this->criteria[$i][5] = CleanVariable($this->criteria[$i][5], VAR_DIGIT);
+ $this->criteria[$i][6] = CleanVariable($this->criteria[$i][6], VAR_DIGIT);
+ $this->criteria[$i][7] = CleanVariable($this->criteria[$i][7], VAR_DIGIT);
+ $this->criteria[$i][8] = CleanVariable($this->criteria[$i][8], VAR_OPAREN | VAR_CPAREN);
+ $this->criteria[$i][9] = CleanVariable($this->criteria[$i][9], "", array("AND", "OR"));
+ }
+
+ function PrintForm()
+ {
+ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
+ {
+ echo ' criteria[$i][0]," ").'>__';
+ echo ' criteria[$i][0],"(").'>( ';
+ echo '
+ criteria[$i][1]," " ).'>{ address }
+ criteria[$i][1],"ip_src").'>Source
+ criteria[$i][1],"ip_dst").'>Dest
+ criteria[$i][1],"ip_both").'>Src or Dest
+ ';
+ echo '
+ criteria[$i][2],"="). '>=
+ criteria[$i][2],"!=").'>!=
+ ';
+
+ if ( $GLOBALS['ip_address_input'] == 2 )
+ echo ' ';
+ else
+ {
+ echo ' . ';
+ echo ' . ';
+ echo ' . ';
+ echo ' ';
+ }
+ echo ' criteria[$i][8]," ").'>__';
+ echo ' criteria[$i][8],"(").'>(';
+ echo ' criteria[$i][8],")").'>) ';
+ echo ' criteria[$i][9]," "). '>__';
+ echo ' criteria[$i][9],"OR"). '>OR';
+ echo ' criteria[$i][9],"AND").'>AND ';
+ if ( $i == $this->criteria_cnt-1 )
+ echo ' ';
+ echo ' ';
+ }
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ $human_fields["ip_src"] = "Source Address";
+ $human_fields["ip_dst"] = "Dest. Address";
+ $human_fields["ip_both"] = "Source or Dest. Address";
+ $human_fields[""] = "";
+ $human_fields["LIKE"] = "contains";
+ $human_fields["="] = "=";
+
+ $tmp2 = "";
+
+ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
+ {
+ $tmp = "";
+ if ( isset($this->criteria[$i][3]) && $this->criteria[$i][3] != "" )
+ {
+ $tmp = $tmp.$this->criteria[$i][3];
+ if ( $this->criteria[$i][4] != "" )
+ {
+ $tmp = $tmp.".".$this->criteria[$i][4];
+ if ( $this->criteria[$i][5] != "" )
+ {
+ $tmp = $tmp.".".$this->criteria[$i][5];
+ if ( $this->criteria[$i][6] != "" )
+ {
+ if ( ($this->criteria[$i][3].".".$this->criteria[$i][4].".".
+ $this->criteria[$i][5].".".$this->criteria[$i][6]) == NULL_IP)
+ $tmp = " unknown ";
+ else
+ $tmp = $tmp.".".$this->criteria[$i][6];
+ }
+ else
+ $tmp = $tmp.'.*';
+ }
+ else
+ $tmp = $tmp.'.*.*';
+ }
+ else
+ $tmp = $tmp.'.*.*.*';
+ }
+ /* Make sure that the IP isn't blank */
+ if ( $tmp != "" )
+ {
+ $mask = "";
+ if ( $this->criteria[$i][10] != "" )
+ $mask = "/".$this->criteria[$i][10];
+
+ $tmp2 = $tmp2.$this->criteria[$i][0].
+ $human_fields[($this->criteria[$i][1])].' '.$this->criteria[$i][2].
+ ' '.$tmp.' '.$this->criteria[$i][8].' '.$this->criteria[$i][9].$mask.
+ $this->cs->GetClearCriteriaString($this->export_name)." ";
+ }
+ }
+
+ return $tmp2;
+ }
+}; /* IPAddressCriteria */
+
+class IPFieldCriteria extends ProtocolFieldCriteria
+{
+/*
+ * $ip_field[MAX][6]: stores all other ip fields parameters/operators row
+ * - [][0] : ( [][3] : field value
+ * - [][1] : TOS, TTL, ID, offset, length [][4] : (, )
+ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+ *
+ * $ip_field_cnt: number of rows in the $ip_field[][] structure
+ */
+
+ function IPFieldCriteria($db, $cs, $export_name, $element_cnt)
+ {
+ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
+ array("ip_tos" => "TOS",
+ "ip_ttl" => "TTL",
+ "ip_id" => "ID",
+ "ip_off" => "offset",
+ "ip_csum" => "chksum",
+ "ip_len" => "length"));
+ }
+
+ function PrintForm()
+ {
+ parent::PrintForm($this->valid_field_list, "{ field }", "ADD IP Field");
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ return parent::Description( array_merge( array ( "" => "",
+ "LIKE" => "contains",
+ "=" => "="), $this->valid_field_list ) );
+ }
+};
+
+class TCPPortCriteria extends ProtocolFieldCriteria
+{
+/*
+ * $tcp_port[MAX][6]: stores all port parameters/operators row
+ * - [][0] : ( [][3] : port value
+ * - [][1] : Source Port, Dest Port [][4] : (, )
+ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+ *
+ * $tcp_port_cnt: number of rows in the $tcp_port[][] structure
+ */
+
+ function TCPPortCriteria($db, $cs, $export_name, $element_cnt)
+ {
+ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
+ array ("layer4_sport" => "source port",
+ "layer4_dport" => "dest port"));
+ }
+
+ function PrintForm()
+ {
+ parent::PrintForm($this->valid_field_list, "{ port }", "ADD TCP Port");
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ return parent::Description(array_merge( array("" => "",
+ "=" => "="), $this->valid_field_list) );
+ }
+}; /* TCPPortCriteria */
+
+class TCPFieldCriteria extends ProtocolFieldCriteria
+{
+/*
+ * TCP Variables
+ * =============
+ * $tcp_field[MAX][6]: stores all other tcp fields parameters/operators row
+ * - [][0] : ( [][3] : field value
+ * - [][1] : windows, URP [][4] : (, )
+ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+ *
+ * $tcp_field_cnt: number of rows in the $tcp_field[][] structure
+ */
+
+ function TCPFieldCriteria($db, $cs, $export_name, $element_cnt)
+ {
+ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
+ array ("tcp_win" => "window",
+ "tcp_urp" => "urp",
+ "tcp_seq" => "seq #",
+ "tcp_ack" => "ack",
+ "tcp_off" => "offset",
+ "tcp_res" => "res",
+ "tcp_csum" => "chksum"));
+ }
+
+ function PrintForm()
+ {
+ parent::PrintForm($this->valid_field_list, "{ field }", "ADD TCP Field");
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ return parent::Description(array_merge ( array("" => ""), $this->valid_field_list) );
+ }
+}; /* TCPFieldCriteria */
+
+class TCPFlagsCriteria extends SingleElementCriteria
+{
+/*
+ * $tcp_flags[7]: stores all other tcp flags parameters/operators row
+ * - [0] : is, contains [4] : 8 (RST)
+ * - [1] : 1 (FIN) [5] : 16 (ACK)
+ * - [2] : 2 (SYN) [6] : 32 (URG)
+ * - [3] : 4 (PUSH)
+ */
+
+ function Init()
+ {
+ InitArray($this->criteria, $GLOBALS['MAX_ROWS'], TCPFLAGS_CFCNT, "");
+ }
+
+ function Clear()
+ {
+ /* clears the criteria */
+ }
+
+ function SanitizeElement()
+ {
+ $this->criteria = CleanVariable($this->criteria, VAR_DIGIT);
+ }
+
+ function PrintForm()
+ {
+ echo 'criteria[0]," ").'>{ flags }';
+ echo ' criteria[0],"is").'>is';
+ echo ' criteria[0],"contains").'>contains ';
+ echo ' ';
+ echo ' criteria[8],"128").'> [RSV1]  ';
+ echo ' criteria[7],"64").'> [RSV0]  ';
+ echo ' criteria[6],"32").'> [URG]  ';
+ echo ' criteria[5],"16").'> [ACK]  ';
+ echo ' criteria[4],"8").'> [PSH]  ';
+ echo ' criteria[3],"4").'> [RST]  ';
+ echo ' criteria[2],"2").'> [SYN]  ';
+ echo ' criteria[1],"1").'> [FIN]  ';
+ echo ' ';
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ $human_fields["1"] = "F";
+ $human_fields["2"] = "S";
+ $human_fields["4"] = "R";
+ $human_fields["8"] = "P";
+ $human_fields["16"] = "A";
+ $human_fields["32"] = "U";
+ $human_fields["64"] = "[R0]";
+ $human_fields["128"] = "[R1]";
+ $human_fields["LIKE"] = "contains";
+ $human_fields["="] = "=";
+
+ $tmp = "";
+
+ if ( isset($this->criteria[0]) && ($this->criteria[0] != " ") && ($this->criteria[0] != "") )
+ {
+ $tmp = $tmp.'flags '.$this->criteria[0].' ';
+ for ( $i = 8; $i >=1; $i-- )
+ if ( $this->criteria[$i] == "" )
+ $tmp = $tmp.'-';
+ else
+ $tmp = $tmp.$human_fields[($this->criteria[$i])];
+
+ $tmp = $tmp.$this->cs->GetClearCriteriaString("tcp_flags").' ';
+ }
+
+ return $tmp;
+ }
+
+ function isEmpty()
+ {
+ if ( ($this->criteria[0] != "") && ($this->criteria[0] != " ") )
+ return false;
+ else
+ return true;
+ }
+}; /* TCPFlagCriteria */
+
+class UDPPortCriteria extends ProtocolFieldCriteria
+{
+/*
+ * $udp_port[MAX][6]: stores all port parameters/operators row
+ * - [][0] : ( [][3] : port value
+ * - [][1] : Source Port, Dest Port [][4] : (, )
+ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+ *
+ * $udp_port_cnt: number of rows in the $udp_port[][] structure
+ */
+
+ function UDPPortCriteria($db, $cs, $export_name, $element_cnt)
+ {
+ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
+ array ("layer4_sport" => "source port",
+ "layer4_dport" => "dest port"));
+ }
+
+ function PrintForm()
+ {
+ parent::PrintForm($this->valid_field_list, "{ port }", "ADD UDP Port");
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ return parent::Description(array_merge( array("" => "",
+ "=" => "="), $this->valid_field_list) );
+ }
+}; /* UDPPortCriteria */
+
+class UDPFieldCriteria extends ProtocolFieldCriteria
+{
+/*
+ * $udp_field[MAX][6]: stores all other udp fields parameters/operators row
+ * - [][0] : ( [][3] : field value
+ * - [][1] : length [][4] : (, )
+ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+ *
+ * $udp_field_cnt: number of rows in the $udp_field[][] structure
+ */
+
+ function UDPFieldCriteria($db, $cs, $export_name, $element_cnt)
+ {
+ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
+ array ("udp_len" => "length",
+ "udp_csum" => "chksum"));
+ }
+
+ function PrintForm()
+ {
+ parent::PrintForm($this->valid_field_list, "{ field }", "ADD UDP Field");
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ return parent::Description(array_merge ( array("" => ""), $this->valid_field_list) );
+ }
+}; /* UDPFieldCriteria */
+
+class ICMPFieldCriteria extends ProtocolFieldCriteria
+{
+/*
+ * $icmp_field[MAX][6]: stores all other icmp fields parameters/operators row
+ * - [][0] : ( [][3] : field value
+ * - [][1] : code, length [][4] : (, )
+ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+ *
+ * $icmp_field_cnt: number of rows in the $icmp_field[][] structure
+ */
+
+ function ICMPFieldCriteria($db, $cs, $export_name, $element_cnt)
+ {
+ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
+ array ("icmp_type" => "type",
+ "icmp_code" => "code",
+ "icmp_id" => "id",
+ "icmp_seq" => "seq #",
+ "icmp_csum" => "chksum"));
+ }
+
+ function PrintForm()
+ {
+ parent::PrintForm($this->valid_field_list, "{ field }", "ADD ICMP Field");
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ return parent::Description(array_merge ( array("" => ""), $this->valid_field_list) );
+ }
+}; /* ICMPFieldCriteria */
+
+class Layer4Criteria extends SingleElementCriteria
+{
+ function Init()
+ {
+ $this->criteria = "";
+ }
+
+ function Clear()
+ {
+ /* clears the criteria */
+ }
+
+ function SanitizeElement()
+ {
+ $this->criteria = CleanVariable($this->criteria, "", array("UDP", "TCP", "ICMP", "no layer4"));
+ }
+
+ function PrintForm()
+ {
+ if ( $this->criteria != "" )
+ echo '  ';
+ if ( $this->criteria == "TCP" )
+ echo '
+  
+ ';
+ else if ( $this->criteria == "UDP" )
+ echo '
+  
+ ';
+ else if ( $this->criteria == "ICMP" )
+ echo '
+  
+ ';
+ else
+ echo '
+  
+
+ ';
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ if ( $this->criteria == "TCP" )
+ return "TCP Criteria";
+ else if ( $this->criteria == "UDP" )
+ return "UDP Criteria";
+ else if ( $this->criteria == "ICMP" )
+ return "ICMP Criteria";
+ else
+ return "Layer 4 Criteria";
+ }
+}; /* Layer4Criteria */
+
+class DataCriteria extends MultipleElementCriteria
+{
+/*
+ * $data_encode[2]: how the payload should be interpreted and converted
+ * - [0] : encoding type (hex, ascii)
+ * - [1] : conversion type (hex, ascii)
+ *
+ * $data[MAX][5]: stores all the payload related parameters/operators row
+ * - [][0] : ( [][3] : (, )
+ * - [][1] : =, != [][4] : AND, OR
+ * - [][2] : field value
+ *
+ * $data_cnt: number of rows in the $data[][] structure
+ */
+
+ var $data_encode;
+
+ function DataCriteria($db, $cs, $export_name, $element_cnt)
+ {
+ parent::MultipleElementCriteria(&$db, &$cs, $export_name, $element_cnt,
+ array ("LIKE" => "has",
+ "NOT LIKE" => "has NOT" ));
+ $this->data_encode = array();
+ }
+
+ function Init()
+ {
+ parent::Init();
+ InitArray($this->data_encode, 2, 0, "");
+ }
+
+ function Import()
+ {
+ GLOBAL $HTTP_SESSION_VARS;
+
+ parent::Import();
+
+ $this->data_encode = SetSessionVar("data_encode");
+
+ $HTTP_SESSION_VARS['data_encode'] = &$this->data_encode;
+ }
+
+ function Clear()
+ {
+ /* clears the criteria */
+ }
+
+ function SanitizeElement($i)
+ {
+ $this->data_encode[0] = CleanVariable($this->data_encode[0], "", array("hex", "ascii"));
+ $this->data_encode[1] = CleanVariable($this->data_encode[1], "", array("hex", "ascii"));
+
+ $this->criteria[$i][0] = CleanVariable($this->criteria[$i][0], VAR_OPAREN);
+ $this->criteria[$i][1] = CleanVariable($this->criteria[$i][1], "", array_keys($this->valid_field_list));
+ $this->criteria[$i][2] = CleanVariable($this->criteria[$i][2], VAR_ALPHA | VAR_PUNC );
+ $this->criteria[$i][3] = CleanVariable($this->criteria[$i][3], VAR_OPAREN | VAR_CPAREN);
+ $this->criteria[$i][4] = CleanVariable($this->criteria[$i][4], "", array("AND", "OR"));
+ }
+
+ function PrintForm()
+ {
+ echo 'Input Criteria Encoding Type: ';
+ echo 'data_encode[0]," ").'>{ Encoding }';
+ echo ' data_encode[0],"hex").'>hex';
+ echo ' data_encode[0],"ascii").'>ascii ';
+ echo 'Convert To (when searching): ';
+ echo 'data_encode[1]," ").'>{ Convert To }';
+ echo ' data_encode[1],"hex").'>hex';
+ echo ' data_encode[1],"ascii").'>ascii ';
+ echo ' ';
+
+ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
+ {
+ echo 'criteria[$i][0]," ").'>__';
+ echo ' criteria[$i][0],"(").'>( ';
+ echo 'criteria[$i][1]," "). '>{ payload }';
+ echo ' criteria[$i][1],"LIKE"). '>has ';
+ echo ' criteria[$i][1],"NOT LIKE").'>has NOT ';
+
+ echo ' ';
+
+ echo 'criteria[$i][3]," ").'>__';
+ echo ' criteria[$i][3],"(").'>(';
+ echo ' criteria[$i][3],")").'>) ';
+ echo 'criteria[$i][4]," "). '>__';
+ echo ' criteria[$i][4],"OR"). '>OR';
+ echo ' criteria[$i][4],"AND").'>AND ';
+
+ if ( $i == $this->criteria_cnt-1 )
+ echo ' ';
+ echo ' ';
+ }
+ }
+
+ function ToSQL()
+ {
+ /* convert this criteria to SQL */
+ }
+
+ function Description()
+ {
+ $human_fields["LIKE"] = "contains";
+ $human_fields["NOT LIKE"] = "does not contain";
+ $human_fields[""] = "";
+
+ $tmp = "";
+
+ if ( $this->data_encode[0] != " " && $this->data_encode[1] != " ")
+ {
+ $tmp = $tmp.' (data encoded as '.$this->data_encode[0];
+ $tmp = $tmp.' => '.$this->data_encode[1];
+ $tmp = $tmp.') ';
+ }
+ else
+ $tmp = $tmp.' (no data conversion, assuming criteria in DB native encoding) ';
+
+ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
+ {
+ if ($this->criteria[$i][1] != " " && $this->criteria[$i][2] != "" )
+ $tmp = $tmp.$this->criteria[$i][0].$human_fields[$this->criteria[$i][1]].' "'.$this->criteria[$i][2].
+ '" '.$this->criteria[$i][3].' '.$this->criteria[$i][4];
+ }
+
+ if ( $tmp != "" )
+ $tmp = $tmp.$this->cs->GetClearCriteriaString($this->export_name);
+
+ return $tmp;
+ }
+};
+
+?>
diff -Naur acid/acid_state_common.inc acidfp/acid_state_common.inc
--- acid/acid_state_common.inc 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_state_common.inc 2003-12-17 14:16:39.000000000 -0500
@@ -4,20 +4,30 @@
*
* Author: Roman Danyliw ,
*
- * Copyright (C) 2000, 2001 Carnegie Mellon University
+ * Copyright (C) 2000-2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
* Purpose: routines to manipulate shared state (session
* information)
*
*/
-
+/* ***********************************************************************
+ * Function: InitArray()
+ *
+ * @doc Defines an initializes a 1 or 2 dimensional PHP array.
+ *
+ * @param $a (in/out) array to initialize
+ * @param $dim1 number of elements of first dimension
+ * @param $dim2 number of elements of second dimension
+ * @param $value default value
+ *
+ ************************************************************************/
function InitArray(&$a, $dim1, $dim2, $value)
{
$a = "";
/* determine the number of dimensions in the array */
if ( $dim2 == 0 ) /* 1-dim */
- for ( $i = 0; $i < $dim2; $i++ )
+ for ( $i = 0; $i < $dim1; $i++ )
$a[$i] = $value;
else /* 2-dim */
for ( $i = 0; $i < $dim1; $i++ )
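Review bot: InitArray still starts from `$a = "";` (the line before the fixed loop), so when `$dim1` is 0 the caller gets back the empty string rather than an empty array, and code that later does `count()` or `isset($a[0])` on it is operating on a string; initialising with `$a = array();` makes the out-parameter an array in every case, including the newly corrected 1-dim path. The header comment also reads `@doc Defines an initializes` where `Defines and initializes` is meant.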
@@ -25,70 +35,16 @@
$a[$i][$j] = $value;
}
-function InitGlobalState()
-{
- GLOBAL $time, $time_cnt, $sig, $sig_class, $sensor, $ag,
- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
- $icmp_field, $icmp_field_cnt,
- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
- $layer4, $data, $data_cnt, $data_encode, $save_criteria,
- $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode,
- $back_list, $back_list_cnt;
- GLOBAL $MAX_ROWS;
-
- $caller = "";
- $layer4 = "";
-
- InitArray($back_list, 1, 3, "");
- $back_list_cnt = 0;
-
- $ag = "";
- $sensor = "";
- InitArray($sig, 3, 0, "");
- $sig_class = "";
- InitArray($time, $MAX_ROWS, TIME_CFCNT, "");
- $time_cnt = 0;
-
- InitArray($ip_addr, $MAX_ROWS, IPADDR_CFCNT, "");
- $ip_addr_cnt = 0;
- InitArray($ip_field, $MAX_ROWS, PROTO_CFCNT, "");
- $ip_field_cnt = 0;
-
- InitArray($tcp_port, $MAX_ROWS, PROTO_CFCNT, "");
- $tcp_port_cnt = 0;
- InitArray($tcp_flags, $MAX_ROWS, TCPFLAGS_CFCNT, "");
- InitArray($tcp_field, $MAX_ROWS, PROTO_CFCNT, "");
- $tcp_field_cnt = 0;
-
- InitArray($udp_port, $MAX_ROWS, PROTO_CFCNT, "");
- $udp_port_cnt = 0;
- InitArray($udp_field, $MAX_ROWS, PROTO_CFCNT, "");
- $udp_field_cnt = 0;
-
- InitArray($icmp_field, $MAX_ROWS, PROTO_CFCNT, "");
- $icmp_field_cnt = 0;
-
- InitArray($data_encode, 2, 0, "");
- InitArray($data, $MAX_ROWS, PAYLOAD_CFCNT, "");
- $data_cnt = 0;
-}
-
+/* ***********************************************************************
+ * Function: RegisterGlobalState()
+ *
+ * @doc Application-specific wrapper for PHP session_start(). It performs
+ * a couple of additional configuration checks (notably for custom
+ * PHP session handlers).
+ *
+ ************************************************************************/
function RegisterGlobalState()
{
- GLOBAL $time, $time_cnt, $sig, $sensor, $ag,
- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
- $icmp_field, $icmp_field_cnt,
- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
- $layer4, $data, $data_cnt, $data_encode, $save_criteria,
- $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode,
- $back_list, $back_list_cnt;
-
- GLOBAL $MAX_ROWS;
-
/* Deal with user specified session handlers */
if (session_module_name() == "user" )
{
@@ -125,170 +81,199 @@
session_start();
- session_register('back_list');
- session_register('back_list_cnt');
- session_register('layer4');
-
- session_register('ag');
- session_register('sig_type');
- session_register('sig');
- session_register('sig_class');
- session_register('sensor');
- session_register('time');
- session_register('time_cnt');
-
- session_register('ip_addr');
- session_register('ip_addr_cnt');
- session_register('ip_field');
- session_register('ip_field_cnt');
-
- session_register('tcp_port');
- session_register('tcp_port_cnt');
- session_register('tcp_flags');
- session_register('tcp_field');
- session_register('tcp_field_cnt');
-
- session_register('udp_port');
- session_register('udp_port_cnt');
- session_register('udp_field');
- session_register('udp_field_cnt');
-
- session_register('icmp_field');
- session_register('icmp_field_cnt');
-
- session_register('data_encode');
- session_register('data');
- session_register('data_cnt');
-
- if ( $debug_mode > 0 )
+ if ( $GLOBALS['debug_mode'] > 0 )
echo 'Session Registered ';
}
-function ImportGlobalState()
+/* ***********************************************************************
+ * Function: CleanVariables()
+ *
+ * @doc Removes invalid characters/data from a variable based on a
+ * specified mask of acceptable data or a list of explicit values.
+ *
+ * Note: only the mask or explicit list can be used a a time
+ *
+ * @param item variable to scrub
+ * @param valid_data mask of valid characters
+ * @param exception array with explicit values to match
+ *
+ * @return a sanitized version of the passed variable
+ *
+ ************************************************************************/
+function CleanVariable($item, $valid_data, $exception = "")
{
- GLOBAL $time, $time_cnt, $sig, $sig_type, $sig_class, $sensor, $ag,
- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
- $icmp_field, $icmp_field_cnt,
- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
- $layer4, $data, $data_cnt, $data_encode, $save_criteria,
- $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode,
- $caller, $layer4, $back_list, $back_list_cnt, $HTTP_SESSION_VARS;
+ return $item;
- $ip_addr = SetSessionVar('ip_addr', $ip_addr);
- $ip_addr_cnt = SetSessionVar('ip_addr_cnt', $ip_addr_cnt);
+ /* Check the exception value list first */
+ if ( $exception != "" )
+ {
+ if ( in_array($item, $exception) )
+ return $item;
+ else
+ return "";
+ }
- /* expand IP into octets */
- for ( $i = 0; $i < $ip_addr_cnt; $i++ )
- {
- if ( (isset ($ip_addr[$i][3])) &&
- (ereg("([0-9]*)\.([0-9]*)\.([0-9]*)\.([0-9]*)", $ip_addr[$i][3])) )
- {
- $tmp_ip_str = $ip_addr[$i][7] = $ip_addr[$i][3];
- $ip_addr[$i][3] = strtok($tmp_ip_str, ".");
- $ip_addr[$i][4] = strtok(".");
- $ip_addr[$i][5] = strtok(".");
- $ip_addr[$i][6] = strtok("/");
- $ip_addr[$i][10] = strtok("");
- }
- }
-
- //$back_list = $HTTP_SESSION_VARS["back_list"];
- //$back_list_cnt = $HTTP_SESSION_VARS["back_list_cnt"];
-
- $ag = SetSessionVar("ag", $ag);
- $sig = SetSessionVar("sig", $sig);
- $sig_type = SetSessionVar("sig_type", $sig_type);
- $sig_class = SetSessionVar("sig_class", $sig_class);
- $sensor = SetSessionVar('sensor', $sensor);
- $time = SetSessionVar('time', $time);
- $time_cnt = SetSessionVar('time_cnt', $time_cnt);
-
- $ip_field = SetSessionVar('ip_field', $ip_field);
- $ip_field_cnt = SetSessionVar('ip_field_cnt', $ip_field_cnt);
-
- $tcp_port = SetSessionVar('tcp_port', $tcp_port);
- $tcp_port_cnt = SetSessionVar('tcp_port_cnt', $tcp_port_cnt);
- $tcp_flags = SetSessionVar('tcp_flags', $tcp_flags);
- $tcp_field = SetSessionVar('tcp_field', $tcp_field);
- $tcp_field_cnt = SetSessionVar('tcp_field_cnt', $tcp_field_cnt);
-
- $udp_port = SetSessionVar('udp_port', $udp_port);
- $udp_port_cnt = SetSessionVar('udp_port_cnt', $udp_port_cnt);
- $udp_field = SetSessionVar('udp_field', $udp_field);
- $udp_field_cnt = SetSessionVar('udp_field_cnt', $udp_field_cnt);
-
- $icmp_field = SetSessionVar('icmp_field', $icmp_field);
- $icmp_field_cnt = SetSessionVar('icmp_field_cnt', $icmp_field_cnt);
-
- $data_encode = SetSessionVar('data_encode', $data_encode);
- $data = SetSessionVar('data', $data);
- $data_cnt = SetSessionVar('data_cnt', $data_cnt);
-
- $layer4 = SetSessionVar('layer4', $layer4);
- //$caller = SetSessionVar('caller', $caller);
- // $sort_order = SetSessionVar('sort_order', $sort_order);
-}
+ if ( $valid_data == "" )
+ return $item;
-function SanitizeVariable($item, $validchars)
-{
- $len = strlen($item);
+ $regex_mask = "";
- for ( $i = 0; $i < $len; $i++ );
-
-}
+ if ( ($valid_data & VAR_DIGIT) > 0 )
+ $regex_mask = $regex_mask . "0-9";
-function CleanVariable($item, $method)
-{
- return $item;
- switch ($method)
- {
- case 0: /* only numbers */
- return ereg_replace ("^0123456789", "", $item);
+ if ( ($valid_data & VAR_LETTER) > 0 )
+ $regex_mask = $regex_mask . "A-Za-z";
- case 1: /* IP address */
- return ereg_replace ("^0123456789\.", "", $item);
- }
+ if ( ($valid_data & VAR_ULETTER) > 0 )
+ $regex_mask = $regex_mask . "A-Z";
+
+ if ( ($valid_data & VAR_LLETTER) > 0 )
+ $regex_mask = $regex_mask . "a-z";
+
+ if ( ($valid_data & VAR_ALPHA) > 0 )
+ $regex_mask = $regex_mask . "0-9A-Za-z";
+ if ( ($valid_data & VAR_SPACE) > 0 )
+ $regex_mask = $regex_mask . "\ ";
+
+ if ( ($valid_data & VAR_PERIOD) > 0 )
+ $regex_mask = $regex_mask . "\.";
+
+ if ( ($valid_data & VAR_OPAREN) > 0 )
+ $regex_mask = $regex_mask . "\(";
+
+ if ( ($valid_data & VAR_CPAREN) > 0 )
+ $regex_mask = $regex_mask . "\)";
+
+ if ( ($valid_data & VAR_BOOLEAN) > 0 )
+ $regex_mask = $regex_mask . "\)";
+
+ if ( ($valid_data & VAR_OPERATOR) > 0 )
+ $regex_mask = $regex_mask . "\)";
+
+ if ( ($valid_data & VAR_PUNC) > 0 )
+ $regex_mask = $regex_mask . "\!\#\$\%\^\&\*\_\-\=\+\:\;\,\?\ \(\))";
+
+ if ( ($valid_data & VAR_USCORE) > 0 )
+ $regex_mask = $regex_mask . "\_";
+
+ if ( ($valid_data & VAR_AT) > 0 )
+ $regex_mask = $regex_mask . "\@";
+
+ return ereg_replace("[^".$regex_mask."]", "", $item);
}
-function SetSessionVar($var_name, $old_value)
+/* ***********************************************************************
+ * Function: SetSessionVar()
+ *
+ * @doc Handles retrieving and updating persistant session (criteria)
+ * data. This routine handles the details of checking for criteria
+ * updates passed through POST/GET and resolving this with values
+ * that may already have been set and stored in the session.
+ *
+ * All criteria variables need invoke this function before they are
+ * used for the first time to extract their previously stored values,
+ * and process potential updates to their value.
+ *
+ * Note: Validation of user input is not performed by this routine.
+ *
+ * @param $var_name name of the persistant session variable to retrieve
+ *
+ * @return the updated value of the persistant session variable named
+ * by $var_name
+ *
+ ************************************************************************/
+function SetSessionVar($var_name)
{
- GLOBAL $HTTP_POST_VARS, $HTTP_GET_VARS, $debug_mode;
+ GLOBAL $HTTP_POST_VARS, $HTTP_GET_VARS, $HTTP_SESSION_VARS;
if ( isset($HTTP_POST_VARS[$var_name]) )
{
- if ( $debug_mode > 0 ) echo "importing POST var '$var_name' ";
+ if ( $GLOBALS['debug_mode'] > 0 ) echo "importing POST var '$var_name' ";
return $HTTP_POST_VARS[$var_name];
}
else if ( isset($HTTP_GET_VARS[$var_name]) )
{
- if ( $debug_mode > 0 ) echo "importing GET var '$var_name' ";
+ if ( $GLOBALS['debug_mode'] > 0 ) echo "importing GET var '$var_name' ";
return $HTTP_GET_VARS[$var_name];
}
+ else if ( isset($HTTP_SESSION_VARS[$var_name]) )
+ {
+ if ( $GLOBALS['debug_mode'] > 0 ) echo "importing SESSION var '$var_name' ";
+ return $HTTP_SESSION_VARS[$var_name];
+ }
else
- return $old_value;
+ return "";
}
-function ImportHTTPVar($var_name)
+/* ***********************************************************************
+ * Function: ImportHTTPVar()
+ *
+ * @doc Handles retrieving temporary state variables needed to present a
+ * given set of results (e.g., sort order, current record). The
+ * values of these variables are never persistantly stored. Rather,
+ * they are passed as HTTP POST and GET parameters.
+ *
+ * All temporary variables need invoke this function before they are
+ * used for the first time to extract their value.
+ *
+ * Optionally, sanitization parameters can be set, ala CleanVariable()
+ * syntax to validate the user input.
+ *
+ * @param $var_name name of the temporary state variable to retrieve
+ * @param $valid_data (optional) list of valid character types
+ * (see CleanVariable)
+ * @param $exception (optional) array of explicit values the imported
+ * variable must be set to
+ *
+ * @see CleanVariable
+ *
+ * @return the sanitized value of the temporary state variable named
+ * by $var_name
+ *
+ ************************************************************************/
+function ImportHTTPVar($var_name, $valid_data = "", $exception = "")
{
GLOBAL $HTTP_POST_VARS, $HTTP_GET_VARS, $debug_mode;
+ $tmp = "";
+
if ( isset($HTTP_POST_VARS[$var_name]) )
{
//if ( $debug_mode > 0 ) echo "importing POST var '$var_name' ";
- return $HTTP_POST_VARS[$var_name];
+ $tmp = $HTTP_POST_VARS[$var_name];
}
else if ( isset($HTTP_GET_VARS[$var_name]) )
{
//if ( $debug_mode > 0 ) echo "importing GET var '$var_name' ";
- return $HTTP_GET_VARS[$var_name];
+ $tmp = $HTTP_GET_VARS[$var_name];
}
else
- return "";
+ $tmp = "";
+
+ return CleanVariable($tmp, $valid_data, $exception);
}
+/* ***********************************************************************
+ * Function: ExportHTTPVar()
+ *
+ * @doc Handles export of a temporary state variables needed to present a
+ * given set of results (e.g., sort order, current record). This
+ * routine creates a hidden HTML form variable.
+ *
+ * Note: The user is responsible for generating the appropriate HTML
+ * form code.
+ *
+ * Security Note: Only, temporary variables should make use of this
+ * function. These values are exposed in HTML to the
+ * user; he is free to modify them.
+ *
+ * @param $var_name name of the temporary state variable to export
+ * @param $var_value value of the temporary state variable
+ *
+ * @see ImportHTTPVar
+ *
+ ************************************************************************/
function ExportHTTPVar ($var_name, $var_value)
{
echo " \n";
diff -Naur acid/acid_state_criteria.inc acidfp/acid_state_criteria.inc
--- acid/acid_state_criteria.inc 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_state_criteria.inc 2003-12-17 14:16:39.000000000 -0500
@@ -4,7 +4,7 @@
*
* Author: Roman Danyliw ,
*
- * Copyright (C) 2001 Carnegie Mellon University
+ * Copyright (C) 2001-2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
* Purpose: routines to manipulate shared state (session
@@ -13,65 +13,100 @@
*/
include_once("acid_state_common.inc");
+include_once("acid_state_citems.inc");
class CriteriaState
{
- var $valid_criteria_list = array("layer4",
- "ag",
- "sig",
- "sig_class",
- "sensor",
- "time",
- "ip_addr",
- "ip_field",
- "tcp_port",
- "tcp_flags",
- "tcp_field",
- "udp_port",
- "udp_field",
- "icmp_field",
- "data");
-
var $clear_criteria_name;
var $clear_criteria_element;
var $clear_url;
var $clear_url_params;
+ var $criteria;
+
function CriteriaState($url, $params = "")
{
- $this->clear_url = $url;
- $this->clear_url_params = $params;
+ $this->clear_url = $url;
+ $this->clear_url_params = $params;
+
+ /* XXX-SEC */
+ GLOBAL $db;
+
+ $this->criteria['sig'] = new SignatureCriteria(&$db, &$this, "sig");
+ $this->criteria['sig_class'] = new SignatureClassificationCriteria(&$db, &$this, "sig_class");
+ $this->criteria['sig_priority'] = new SignaturePriorityCriteria(&$db, &$this, "sig_priority");
+ $this->criteria['ag'] = new AlertGroupCriteria(&$db, &$this, "ag");
+ $this->criteria['sensor'] = new SensorCriteria(&$db, &$this, "sensor");
+ $this->criteria['time'] = new TimeCriteria(&$db, &$this, "time", TIME_CFCNT);
+ $this->criteria['ip_addr'] = new IPAddressCriteria(&$db, &$this, "ip_addr", IPADDR_CFCNT);
+ $this->criteria['layer4'] = new Layer4Criteria(&$db, &$this, "layer4");
+ $this->criteria['ip_field'] = new IPFieldCriteria(&$db, &$this, "ip_field", PROTO_CFCNT);
+ $this->criteria['tcp_port'] = new TCPPortCriteria(&$db, &$this, "tcp_port", PROTO_CFCNT);
+ $this->criteria['tcp_flags'] = new TCPFlagsCriteria(&$db, &$this, "tcp_flags");
+ $this->criteria['tcp_field'] = new TCPFieldCriteria(&$db, &$this, "tcp_field", PROTO_CFCNT);
+ $this->criteria['udp_port'] = new UDPPortCriteria(&$db, &$this, "udp_port", PROTO_CFCNT);
+ $this->criteria['udp_field'] = new UDPFieldCriteria(&$db, &$this, "udp_field", PROTO_CFCNT);
+ $this->criteria['icmp_field'] = new ICMPFieldCriteria(&$db, &$this, "icmp_field", PROTO_CFCNT);
+ $this->criteria['data'] = new DataCriteria(&$db, &$this, "data", PAYLOAD_CFCNT);
+
+ /*
+ * For new criteria, add a call to the appropriate constructor here, and implement
+ * the appropriate class in acid_stat_citems.inc.
+ */
}
function InitState()
{
- RegisterGlobalState();
- InitGlobalState();
+ RegisterGlobalState();
+
+ $valid_criteria_list = array_keys($this->criteria);
+
+ foreach ( $valid_criteria_list as $cname )
+ $this->criteria[$cname]->Init();
}
function ReadState()
{
- GLOBAL $time, $time_cnt, $sig, $sig_type,
- $sensor, $ag, $sig_class,
- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
- $icmp_field, $icmp_field_cnt,
- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
- $layer4, $data, $data_cnt, $data_encode, $QUERY_STRING, $PHP_SELF, $debug_mode,
- $back_list, $back_list_cnt;
-
- RegisterGlobalState();
- ImportGlobalState();
-
- $this->clear_criteria_name = ImportHTTPVar("clear_criteria");
- $this->clear_criteria_element = ImportHTTPVar("clear_criteria_element");
-
- if ( $this->clear_criteria_name != "" )
- $this->ClearCriteriaStateElement($this->clear_criteria_name,
- $this->clear_criteria_element);
- if ( $GLOBALS['maintain_history'] == 1 )
- PreserveHistory();
+ RegisterGlobalState();
+
+ /*
+ * If the BACK button was clicked, shuffle the appropriate
+ * criteria variables from the $back_list (history) array into
+ * the current session ($HTTP_SESSION_VARS)
+ */
+ if ( ($GLOBALS['maintain_history'] == 1) &&
+ (ImportHTTPVar("back", VAR_DIGIT) == 1) )
+ {
+ PopHistory();
+ }
+
+ /*
+ * Import, update and sanitize all persistant criteria variables
+ */
+ $valid_criteria_list = array_keys($this->criteria);
+ foreach ( $valid_criteria_list as $cname )
+ {
+ $this->criteria[$cname]->Import();
+ $this->criteria[$cname]->Sanitize();
+ }
+
+ /*
+ * Check whether criteria elements need to be cleared
+ */
+ $this->clear_criteria_name = ImportHTTPVar("clear_criteria", "",
+ array_keys($this->criteria));
+ $this->clear_criteria_element = ImportHTTPVar("clear_criteria_element", "",
+ array_keys($this->criteria));
+
+ if ( $this->clear_criteria_name != "" )
+ $this->ClearCriteriaStateElement($this->clear_criteria_name,
+ $this->clear_criteria_element);
+
+ /*
+ * Save the current criteria into $back_list (history)
+ */
+ if ( $GLOBALS['maintain_history'] == 1 )
+ PushHistory();
}
function GetBackLink()
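Review bot: `clear_criteria_element` is validated against `array_keys($this->criteria)`, the list of criterion names, although what it carries is the element to clear within a criterion rather than a name; and since `ClearCriteriaStateElement` in this patch now calls `$this->criteria[$name]->Init()` and never reads `$element`, a non-name value is rejected and a name value is ignored. Either drop that second import or validate it as what it is, e.g. `$this->clear_criteria_element = ImportHTTPVar("clear_criteria_element", VAR_DIGIT);` — confirm against the links that emit it whether it is a numeric index. The `/* XXX-SEC */` marker above `GLOBAL $db` in the new constructor is left unexplained; it should state the concern, e.g. `/* XXX-SEC: $db is pulled from the global scope and handed to every criteria object; it must be set by the page before CriteriaState is used */`. The `&$db, &$this` call-time pass-by-reference form in the sixteen `new ...Criteria(...)` lines is deprecated in later PHP releases; declaring the parameters by reference in the criteria constructors gives the same aliasing.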
@@ -87,151 +122,155 @@
function ClearCriteriaStateElement($name, $element)
{
- GLOBAL $time, $time_cnt, $sig, $sig_type,
- $sensor, $ag, $sig_class,
- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
- $icmp_field, $icmp_field_cnt,
- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
- $layer4, $data, $data_cnt, $data_encode;
+ $valid_criteria_list = array_keys($this->criteria);
- if ( in_array($name, $this->valid_criteria_list) )
+ if ( in_array($name, $valid_criteria_list) )
{
ErrorMessage("Removing '$name' from criteria");
-
- switch($name)
- {
- case "sensor":
- $sensor = "";
- break;
- case "ag":
- $ag = "";
- break;
- case "sig":
- $sig = "";
- break;
- case "sig_class":
- $sig_class = "";
- break;
- case "time":
- unset($time);
- $time_cnt = 0;
- break;
- case "ip_addr":
- unset($ip_addr);
- $ip_addr_cnt = 0;
- break;
- case "ip_field":
- unset($ip_field);
- $ip_field_cnt = 0;
- break;
- case "tcp_port":
- unset($tcp_port);
- $tcp_port_cnt = 0;
- break;
- case "tcp_flags":
- unset($tcp_flags);
- $tcp_flags_cnt = 0;
- break;
- case "tcp_field":
- unset($tcp_field);
- $tcp_field_cnt = 0;
- break;
- case "udp_port":
- unset($udp_port);
- $udp_port_cnt = 0;
- break;
- case "udp_field":
- unset($udp_field);
- $udp_field_cnt = 0;
- break;
- case "icmp_field":
- unset($icmp_field);
- $icmp_field_cnt = 0;
- break;
- case "data":
- unset($data);
- $data_cnt = 0;
- break;
- }
+
+ $this->criteria[$name]->Init();
}
else
ErrorMessage("Invalid criteria element");
}
}
-function PreserveHistory()
+/* ***********************************************************************
+ * Function: PopHistory()
+ *
+ * @doc Remove and restore the last entry of the history list (i.e.,
+ * hit the back button in the browser)
+ *
+ * @see PushHistory PrintBackButton
+ *
+ ************************************************************************/
+function PopHistory()
+{
+ GLOBAL $HTTP_SESSION_VARS;
+
+ if ( $HTTP_SESSION_VARS['back_list_cnt'] >= 0 )
+ {
+ /* Remove the state of the page from which the back button was
+ * just hit
+ */
+ unset($HTTP_SESSION_VARS['back_list'][$HTTP_SESSION_VARS['back_list_cnt']]);
+
+ /*
+ * save a copy of the $back_list because session_destroy()/session_decode() will
+ * overwrite it.
+ */
+ $save_back_list = $HTTP_SESSION_VARS['back_list'];
+ $save_back_list_cnt = $HTTP_SESSION_VARS['back_list_cnt']-1;
+
+ /* Restore the session
+ * - destroy all variables in the current session
+ * - restore proper back_list history entry into the current variables (session)
+ * - but, first delete the currently restored entry and
+ * decremement the history stack
+ * - push saved back_list back into session
+ */
+ session_unset();
+
+ if ( $GLOBALS['debug_mode'] > 2 )
+ ErrorMessage("Popping a History Entry from #".$save_back_list_cnt);
+
+ session_decode($save_back_list[$save_back_list_cnt]["session"]);
+ unset($save_back_list[$save_back_list_cnt]);
+ --$save_back_list_cnt;
+
+ $HTTP_SESSION_VARS['back_list'] = $save_back_list;
+ $HTTP_SESSION_VARS['back_list_cnt'] = $save_back_list_cnt;
+ }
+}
+
+/* ***********************************************************************
+ * Function: PushHistory()
+ *
+ * @doc Save the current criteria into the history list ($back_list,
+ * $back_list_cnt) in order to support the ACID back button.
+ *
+ * @see PopHistory PrintBackButton
+ *
+ ************************************************************************/
+function PushHistory()
{
- GLOBAL $back_list_cnt, $back_list, $PHP_SELF, $QUERY_STRING, $debug_mode;
-
- /* If the BACK button was clicked, extract the old criteria */
- if ( ImportHTTPVar("back") == 1 )
- {
- --$back_list_cnt;
- if ( $back_list_cnt >= 0 )
- {
- if ( $debug_mode > 0 )
- {
- $tmp_num = $back_list_cnt + 1;
- ErrorMessage("Back (from ".$back_list[$tmp_num]["PHP_SELF"].")");
- ErrorMessage("Import (historical) state from #".$back_list_cnt);
- }
-
- session_decode($back_list[$back_list_cnt]["session"]);
- $back_list = & $GLOBALS['back_list'];
- }
- }
-
- /* Save criteria of current page into history
- * Note: the $back_list need not be saved
- */
- session_unregister('back_list');
- $full_session = session_encode();
- session_register('back_list');
- $back_list_cnt = & $GLOBALS['back_list_cnt'];
-
- ++$back_list_cnt;
- $back_list[$back_list_cnt] = array ("PHP_SELF" => $PHP_SELF,
- "QUERY_STRING" => $QUERY_STRING,
- "session" => $full_session );
+ GLOBAL $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_POST_VARS;
+
+ if ( $GLOBALS['debug_mode'] > 1 )
+ {
+ ErrorMessage("Saving state (into ".$HTTP_SESSION_VARS['back_list_cnt'].")");
+ }
+
+ /* save the current session without the $back_list into the history
+ * - make a temporary copy of the $back_list
+ * - NULL-out the $back_list in $HTTP_SESSION_VARS (so that
+ * the current session is serialized without these variables)
+ * - serialize the current session
+ * - fix-up the QUERY_STRING
+ * - make a new QUERY_STRING that includes the temporary QueryState variables
+ * - remove &back=1 from any QUERY_STRING
+ * - add the current session into the $back_list (history)
+ */
+ $tmp_back_list = $HTTP_SESSION_VARS['back_list'];
+ $tmp_back_list_cnt = $HTTP_SESSION_VARS['back_list_cnt'];
+
+ $HTTP_SESSION_VARS['back_list'] = NULL;
+ $HTTP_SESSION_VARS['back_list_cnt'] = -1;
+
+ $full_session = session_encode();
+ $HTTP_SESSION_VARS['back_list'] = $tmp_back_list;
+ $HTTP_SESSION_VARS['back_list_cnt'] = $tmp_back_list_cnt;
+
+ $query_string = $HTTP_SERVER_VARS["QUERY_STRING"];
+ if ( isset($HTTP_POST_VARS['caller']) ) $query_string .= "&caller=".$HTTP_POST_VARS['caller'];
+ if ( isset($HTTP_POST_VARS['num_result_rows']) ) $query_string .= "&num_result_rows=".$HTTP_POST_VARS['num_result_rows'];
+ if ( isset($HTTP_POST_VARS['sort_order']) ) $query_string .= "&sort_order=".$HTTP_POST_VARS['sort_order'];
+ if ( isset($HTTP_POST_VARS['current_view']) ) $query_string .= "¤t_view=".$HTTP_POST_VARS['current_view'];
+ if ( isset($HTTP_POST_VARS['submit']) ) $query_string .= "&submit=".$HTTP_POST_VARS['submit'];
+
+ $query_string = ereg_replace("back=1&", "", $query_string);
+
+ ++$HTTP_SESSION_VARS['back_list_cnt'];
+ $HTTP_SESSION_VARS['back_list'][$HTTP_SESSION_VARS['back_list_cnt']] =
+ array ("PHP_SELF" => $HTTP_SERVER_VARS["PHP_SELF"],
+ "QUERY_STRING" => $query_string, /*$HTTP_SERVER_VARS["QUERY_STRING"], */
+ "session" => $full_session );
- if ( $debug_mode > 0 )
+ if ( $GLOBALS['debug_mode'] > 1 )
{
- echo "History depth = $back_list_cnt ";
- /*
- ErrorMessage("Saved criteria for ".$back_list[$back_list_cnt]["PHP_SELF"]);
- for ( $i = 1; $i <= $back_list_cnt; $i++ )
- echo $back_list[$i]["PHP_SELF"]."   > ";
- echo " ";
- */
- }
-
- if ( $debug_mode > 1 )
- {
- echo "Back List (Cnt = $back_list_cnt) ";
- print_r($back_list);
- echo " ";
+ ErrorMessage("Insert session into slot #".$HTTP_SESSION_VARS['back_list_cnt']);
+
+ echo "Back List (Cnt = ".$HTTP_SESSION_VARS['back_list_cnt'].") ";
+ print_r($HTTP_SESSION_VARS['back_list']);
+ echo " ";
}
}
+/* ***********************************************************************
+ * Function: PrintBackButton()
+ *
+ * @doc Returns a string with the URL of the previously viewed
+ * page. Clicking this link is equivalent to using the browser
+ * back-button, but all the associated ACID meta-information
+ * propogates correctly.
+ *
+ * @see PushHistory PopHistory
+ *
+ ************************************************************************/
function PrintBackButton()
{
- GLOBAL $back_list, $back_list_cnt;
+ GLOBAL $HTTP_SESSION_VARS;
if ( $GLOBALS['maintain_history'] == 0 )
return "Back ";
- $back_list = & $GLOBALS['back_list'];
- $back_list_cnt = & $GLOBALS['back_list_cnt'];
-
- $criteria_num = $back_list_cnt - 1;
-
- if ( isset($back_list[$criteria_num]["PHP_SELF"]) )
+ $criteria_num = $HTTP_SESSION_VARS['back_list_cnt'] - 1;
+
+ if ( isset($HTTP_SESSION_VARS['back_list'][$criteria_num]["PHP_SELF"]) )
- return "Back ";
+ $HTTP_SESSION_VARS['back_list'][$criteria_num]["QUERY_STRING"]."\">Back";
else
return "Back ";
}
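Review bot: The query string stored at the `$query_string .= "&caller=".$HTTP_POST_VARS['caller']` line and the four after it is built from raw POST values and the raw server QUERY_STRING, and PrintBackButton later writes it unescaped into the href of the Back link, so a crafted parameter is reflected into the next page's HTML; the charset-validated copies that QueryState::ReadState produces are not what is stored here. Each value should be `urlencode()`d as the string is assembled and the whole string passed through `htmlspecialchars()` where PrintBackButton emits it. `ereg_replace("back=1&", "", ...)` also misses a `back=1` that is the last parameter, so a link built from such a string would pop history again on its next use; `"back=1&?"` covers both. PopHistory indexes `$save_back_list` with `$save_back_list_cnt`, which is -1 when the history held a single entry, and should return instead of decoding a missing entry.
```php
   $query_string = $HTTP_SERVER_VARS["QUERY_STRING"];
   foreach ( array("caller", "num_result_rows", "sort_order", "current_view", "submit") as $name )
   {
      /* URL-encode: these are raw POST values and the string is later written into an href */
      if ( isset($HTTP_POST_VARS[$name]) )
         $query_string .= "&".$name."=".urlencode($HTTP_POST_VARS[$name]);
   }

   /* strip back=1 whether or not another parameter follows it */
   $query_string = ereg_replace("back=1&?", "", $query_string);
   // … unchanged: push the entry onto $HTTP_SESSION_VARS['back_list'] …

   // … in PrintBackButton(), HTML-escape the stored query string as it is written into the href:
   htmlspecialchars($HTTP_SESSION_VARS['back_list'][$criteria_num]["QUERY_STRING"])."\">Back";
```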
diff -Naur acid/acid_state_query.inc acidfp/acid_state_query.inc
--- acid/acid_state_query.inc 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_state_query.inc 2003-12-17 14:16:39.000000000 -0500
@@ -120,7 +120,6 @@
function AddValidActionOp($action_op)
{
$this->valid_action_op_list[ count($this->valid_action_op_list) ] = $action_op;
- //array_push($this->valid_action_op_list, $action_op);
}
function SetActionSQL($sql)
@@ -312,30 +311,30 @@
function ReadState()
{
- $this->current_canned_query = ImportHTTPVar("caller");
- $this->num_result_rows = ImportHTTPVar("num_result_rows");
- $this->current_sort_order = ImportHTTPVar("sort_order");
- $this->current_view = ImportHTTPVar("current_view");
- $this->action_arg = ImportHTTPVar("action_arg");
- $this->action_chk_lst = ImportHTTPVar("action_chk_lst");
- $this->action_lst = ImportHTTPVar("action_lst");
- $this->action = ImportHTTPVar("action");
+ $this->current_canned_query = ImportHTTPVar("caller", VAR_LETTER | VAR_USCORE);
+ $this->num_result_rows = ImportHTTPVar("num_result_rows", VAR_DIGIT);
+ $this->current_sort_order = ImportHTTPVar("sort_order", VAR_LETTER | VAR_USCORE);
+ $this->current_view = ImportHTTPVar("current_view", VAR_DIGIT);
+ $this->action_arg = ImportHTTPVar("action_arg", VAR_ALPHA | VAR_PERIOD | VAR_USCORE | VAR_AT);
+ $this->action_chk_lst = ImportHTTPVar("action_chk_lst", VAR_DIGIT);
+ $this->action_lst = ImportHTTPVar("action_lst", VAR_DIGIT);
+ $this->action = ImportHTTPVar("action", VAR_LETTER | VAR_USCORE);
}
function SaveState()
{
- echo "\n";
- ExportHTTPVar("caller", $this->current_canned_query);
- ExportHTTPVar("num_result_rows", $this->num_result_rows);
- ExportHTTPVar("sort_order", $this->current_sort_order);
- ExportHTTPVar("current_view", $this->current_view);
+ echo "\n";
+ ExportHTTPVar("caller", $this->current_canned_query);
+ ExportHTTPVar("num_result_rows", $this->num_result_rows);
+ ExportHTTPVar("sort_order", $this->current_sort_order);
+ ExportHTTPVar("current_view", $this->current_view);
}
function SaveStateGET()
{
- return "?caller=".$this->current_canned_query.
- "&num_result_rows=".$this->num_result_rows.
- "¤t_view=".$this->current_view;
+ return "?caller=".$this->current_canned_query.
+ "&num_result_rows=".$this->num_result_rows.
+ "¤t_view=".$this->current_view;
}
function DumpState()
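Review bot: `action_chk_lst` and `action_lst` are now passed through `CleanVariable` with `VAR_DIGIT`; the `_lst` suffix suggests they arrive as arrays of checkbox values, and if `CleanVariable` (defined outside this listing) only handles strings, an array would be coerced to the string `Array` or stripped, silently emptying the action's selection. Confirm that `CleanVariable` iterates over array input, or validate each element here. `action` is charset-checked only, so the later comparison against the list built by `AddValidAction` on the stat pages presumably remains the real gate on what gets executed; a comment on that line would keep the two checks from being confused, e.g. `/* charset check only: the action must still match the registered valid actions before it is run */`.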
diff -Naur acid/acid_stat_fingerprints.php acidfp/acid_stat_fingerprints.php
--- acid/acid_stat_fingerprints.php 1969-12-31 19:00:00.000000000 -0500
+++ acidfp/acid_stat_fingerprints.php 2004-02-06 11:56:05.000000000 -0500
@@ -0,0 +1,251 @@
+,
+ *
+ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: Displays stats on an individual IP address
+ *
+ * Input GET/POST variables
+ * - action:
+ * - submit:
+ * - ip:
+ * - netmask:
+ */
+
+ $start = time();
+
+ include("acid_constants.inc");
+ include("acid_conf.php");
+ include("acid_include.inc");
+ include_once("acid_db_common.php");
+ include_once("acid_common.php");
+
+ $et = new EventTiming($debug_time_mode);
+ $cs = new CriteriaState("acid_stat_ipaddr.php");
+ $cs->ReadState();
+
+ $sortby = ImportHTTPVar("sortby");
+ $dir = ImportHTTPVar("dir");
+ $iddir = $sigdir = $fstdir = $lstdir = $addrdir = $portdir = $protodir = $servdir = $hopsdir = "ASC";
+
+ if ( $dir == "" )
+ {
+ $dir="ASC";
+ }
+
+ if ( $sortby == "" || $sortby == "addr" )
+ {
+
+ if ( $dir == "DESC" )
+ {
+ $orderby = "fpevent.ip_src DESC, fpevent.port_src";
+ $addrdir = "ASC";
+ }
+ else
+ {
+ $orderby = "fpevent.ip_src ASC, fpevent.port_src";
+ $addrdir = "DESC";
+ }
+ }
+ if ( $sortby == "port" )
+ {
+
+ if ( $dir == "DESC" )
+ {
+ $orderby = "fpevent.port_src DESC, fpevent.ip_src";
+ $portdir = "ASC";
+ }
+ else
+ {
+ $orderby = "fpevent.port_src ASC, fpevent.ip_src";
+ $portdir = "DESC";
+ }
+ }
+ if ( $sortby == "fseen" )
+ {
+
+ if ( $dir == "DESC" )
+ {
+ $orderby="fpevent.firstseen DESC, fpevent.ip_src";
+ $fstdir = "ASC";
+ }
+ else
+ {
+ $orderby="fpevent.firstseen ASC, fpevent.ip_src";
+ $fstdir = "DESC";
+ }
+ }
+ if ( $sortby == "lseen" )
+ {
+ if ( $dir == "DESC" )
+ {
+ $orderby="fpevent.lastseen DESC, fpevent.ip_src";
+ $lstdir="ASC";
+ }
+ else
+ {
+ $orderby="fpevent.lastseen ASC, fpevent.ip_src";
+ $lstdir="DESC";
+ }
+ }
+ if ( $sortby == "sig" )
+ {
+
+ if ( $dir == "DESC" )
+ {
+ $orderby="signature.sig_name DESC, fpevent.ip_src";
+ $sigdir = "ASC";
+ }
+ else
+ {
+ $orderby="signature.sig_name ASC, fpevent.ip_src";
+ $sigdir = "DESC";
+ }
+ }
+ if ( $sortby == "proto" )
+ {
+
+ if ( $dir == "DESC" )
+ {
+ $orderby="fpevent.protocol DESC, fpevent.ip_src";
+ $protodir = "ASC";
+ }
+ else
+ {
+ $orderby="fpevent.protocol ASC, fpevent.ip_src";
+ $protodir = "DESC";
+ }
+ }
+ if ( $sortby == "serv" )
+ {
+
+ if ( $dir == "DESC" )
+ {
+ $orderby="services.name DESC, fpevent.ip_src";
+ $servdir = "ASC";
+ }
+ else
+ {
+ $orderby="services.name ASC, fpevent.ip_src";
+ $servdir = "DESC";
+ }
+ }
+ if ( $sortby == "id" )
+ {
+
+ if ( $dir == "DESC" )
+ {
+ $orderby="fpevent.sid DESC, fpevent.cid DESC";
+ $iddir = "ASC";
+ }
+ else
+ {
+ $orderby="fpevent.sid ASC, fpevent.cid ASC";
+ $iddir = "DESC";
+ }
+ }
+ if ( $sortby == "hops" )
+ {
+
+ if ( $dir == "DESC" )
+ {
+ $orderby="fpevent.hopcount DESC, fpevent.ip_src";
+ $hopsdir = "ASC";
+ }
+ else
+ {
+ $orderby="fpevent.hopcount ASC, fpevent.ip_src";
+ $hopsdir = "DESC";
+ }
+ }
+
+
+
+ $page_title = 'Network Fingerprints';
+ PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
+
+
+ /* Connect to the Alert database */
+ $db = NewACIDDBConnection($DBlib_path, $DBtype);
+ $db->acidDBConnect($db_connect_method,
+ $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
+
+ if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
+
+ /* SDR BEGIN */
+ echo '';
+
+ $temp = "SELECT fpevent.sid, fpevent.cid, signature.sig_name, fpevent.firstseen, fpevent.lastseen, ".
+ "fpevent.ip_src, fpevent.port_src, fpevent.protocol, services.name, fpevent.hopcount ".
+ "FROM fpevent,signature,services ".
+ "WHERE ( fpevent.signature = signature.sig_id ".
+ "AND fpevent.port_src = services.port AND fpevent.protocol = services.protocol ) ".
+ "ORDER BY ".$orderby;
+/*
+ echo "Query is: ".$temp;
+*/
+ $result2 = $db->acidExecute($temp);
+
+ echo '
+ ';
+
+ /* SDR END */
+
+
+
+ PrintACIDSubFooter();
+?>
+
+
+
+
+
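Review bot: An unrecognised `sortby` value leaves `$orderby` unassigned, because only the `$sortby == "" || $sortby == "addr"` branch acts as a default, so the statement built at the `"ORDER BY ".$orderby` line is sent with nothing after the keyword (and PHP raises an undefined-variable notice). Both `sortby` and `dir` are imported with no validation spec, which is exactly where the new `ImportHTTPVar` would reject such values; import them against the exact allowed sets, `$sortby = ImportHTTPVar("sortby", VAR_LETTER, array("", "addr", "port", "fseen", "lseen", "sig", "proto", "serv", "id", "hops"));` and `$dir = ImportHTTPVar("dir", VAR_LETTER, array("", "ASC", "DESC"));`, or make the first `if` the `else` of the chain. `$dir` and the `*dir` variables are presumably also written into the column-header links in the HTML elided from this listing, so an exact-match check covers that output too. `CriteriaState` is constructed with `"acid_stat_ipaddr.php"` as its URL on this page, so clear-criteria links would point at the IP-address page rather than back here; it should be `"acid_stat_fingerprints.php"`.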
diff -Naur acid/acid_stat_ipaddr.php acidfp/acid_stat_ipaddr.php
--- acid/acid_stat_ipaddr.php 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_stat_ipaddr.php 2003-12-17 14:17:10.000000000 -0500
@@ -4,7 +4,7 @@
*
* Author: Roman Danyliw ,
*
- * Copyright (C) 2000, 2001 Carnegie Mellon University
+ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
* (see the file 'acid_main.php' for license details)
*
* Purpose: Displays stats on an individual IP address
@@ -215,8 +215,9 @@
//if ( !VerifySocketSupport() )
echo '
ARIN |
- RIPE
- APNIC ';
+ RIPE |
+ APNIC |
+ LACNIC ';
echo 'External: '.
'DNS | '.
@@ -269,7 +270,7 @@
/* Number of Sensors, First, and Last timestamp */
$temp = "SELECT COUNT(DISTINCT sid), MIN(timestamp), MAX(timestamp) FROM acid_event ".
- "WHERE (ip_src = $ip_src32 OR ip_dst = $ip_dst32 )";
+ "WHERE (ip_src = '$ip_src32' OR ip_dst = '$ip_dst32' )";
$result2 = $db->acidExecute($temp);
$row2 = $result2->acidFetchRow();
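Review bot: Quoting `$ip_src32` and `$ip_dst32` gives the planner a typed constant but is not an injection guard: a value containing a quote would still break out of the literal, so the safety of this statement rests on the values being the integer output of the address conversion, which is computed outside this hunk. A one-line comment at the first use would keep the next maintainer from reading the quotes as escaping, e.g. `/* quoted for the PostgreSQL planner; $ip_src32/$ip_dst32 must already be validated integers -- the quotes do not escape */`. The same applies to the two COUNT queries in the following hunk.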
@@ -279,14 +280,14 @@
$result2->acidFreeRows();
/* Unique instances as Source Address */
- $temp = "SELECT COUNT(sid) from acid_event WHERE ip_src=$ip_src32";
+ $temp = "SELECT COUNT(sid) from acid_event WHERE ip_src='$ip_src32'";
$result2 = $db->acidExecute($temp);
$row2 = $result2->acidFetchRow();
$num_src_ip = $row2[0];
$result2->acidFreeRows();
/* Unique instances Dest. Address */
- $temp = "SELECT COUNT(sid) from acid_event WHERE ip_dst=$ip_dst32";
+ $temp = "SELECT COUNT(sid) from acid_event WHERE ip_dst='$ip_dst32'";
$result2 = $db->acidExecute($temp);
$row2 = $result2->acidFetchRow();
$num_dst_ip = $row2[0];
@@ -309,6 +310,46 @@
';
+ /* SDR BEGIN */
+ echo 'Network Fingerprints ';
+ $temp = "SELECT fpevent.sid, fpevent.cid, signature.sig_name, fpevent.firstseen, fpevent.lastseen, ".
+ "fpevent.port_src, fpevent.protocol, services.name ".
+ "FROM fpevent,signature,services ".
+ "WHERE (fpevent.ip_src = '$ip_src32' AND fpevent.signature = signature.sig_id ".
+ "AND fpevent.port_src = services.port AND fpevent.protocol = services.protocol )".
+ "ORDER BY fpevent.port_src ASC";
+ $result2 = $db->acidExecute($temp);
+
+ echo '
+
+
+ ID
+ Signature
+ First Seen
+ Last Seen
+ Port
+ Protocol
+ Service
+ ';
+ while ( $row2 = $result2->acidFetchRow() )
+ {
+ echo '
+
+ '.$row2[0].'-'.$row2[1].'
+ '.$row2[2].'
+ '.$row2[3].'
+ '.$row2[4].'
+ '.$row2[5].'
+ '.$row2[6].'
+ '.$row2[7].'
+ ';
+ }
+ $result2->acidFreeRows();
+ echo '
';
+
+ /* SDR END */
+
if ( $action == "events" )
{
echo '
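Review bot: The new Network Fingerprints table writes `$row2[0]` through `$row2[7]` straight into the HTML; `signature.sig_name` and `services.name` are free text from the database, and the fpevent columns come from whatever populates that table, so any markup stored there is rendered in the viewer's browser. Each cell should go through `htmlspecialchars()` before being echoed, e.g. `'.htmlspecialchars($row2[2]).'` for the signature column and likewise for the others. Whether these tables can be written by anything other than the administrator is not visible here, but escaping on output costs nothing and matches the input-validation work elsewhere in this patch.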
diff -Naur acid/acid_stat_iplink.php acidfp/acid_stat_iplink.php
--- acid/acid_stat_iplink.php 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_stat_iplink.php 2003-12-17 14:16:39.000000000 -0500
@@ -55,6 +55,7 @@
$qs->AddValidAction("ag_by_id");
$qs->AddValidAction("ag_by_name");
+ $qs->AddValidAction("add_new_ag");
$qs->AddValidAction("del_alert");
$qs->AddValidAction("email_alert");
$qs->AddValidAction("email_alert2");
diff -Naur acid/acid_stat_sensor.php acidfp/acid_stat_sensor.php
--- acid/acid_stat_sensor.php 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_stat_sensor.php 2003-12-17 14:16:39.000000000 -0500
@@ -30,7 +30,7 @@
$qs = new QueryState();
- $submit = ImportHTTPVar("submit");
+ $submit = ImportHTTPVar("submit", VAR_DIGIT);
$qs->MoveView($submit); /* increment the view if necessary */
$page_title = "Sensor Listing";
@@ -51,6 +51,7 @@
$qs->AddValidAction("ag_by_id");
$qs->AddValidAction("ag_by_name");
+ $qs->AddValidAction("add_new_ag");
$qs->AddValidAction("del_alert");
$qs->AddValidAction("email_alert");
$qs->AddValidAction("email_alert2");
diff -Naur acid/acid_stat_time.php acidfp/acid_stat_time.php
--- acid/acid_stat_time.php 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_stat_time.php 2003-12-17 14:16:39.000000000 -0500
@@ -67,8 +67,8 @@
if ( $value_lst[$i] > $max_cnt ) $max_cnt = $value_lst[$i];
echo '
- Time
- # of Alerts
+ Time
+ # of Alerts
Alerts ';
@@ -190,6 +190,8 @@
2000
2001
2002
+ 2003
+ 2004
';
if ( $i == 0 ) echo ' -- ';
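Review bot: The year list is extended by hand to 2003 and 2004, so the combo box will be stale again at the next new year and every later year will need another patch. Generate the options from the current date instead, e.g. `for ( $y = 2000; $y <= date('Y'); $y++ ) echo '<option value="'.$y.'">'.$y.'</option>';` in place of the hard-coded lines — the option markup was stripped from this listing, so match what the surrounding echo uses. The echo statement these lines sit in starts outside the hunk.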
diff -Naur acid/acid_stat_uaddr.php acidfp/acid_stat_uaddr.php
--- acid/acid_stat_uaddr.php 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_stat_uaddr.php 2003-12-17 14:16:39.000000000 -0500
@@ -33,8 +33,15 @@
$et = new EventTiming($debug_time_mode);
$cs = new CriteriaState("acid_stat_uaddr.php", "&addr_type=$addr_type");
+
$cs->ReadState();
+/* Dump some debugging information on the shared state */
+if ( $debug_mode > 0 )
+{
+ PrintCriteriaState();
+}
+
$qs = new QueryState();
$qs->AddCannedQuery("most_frequent", $freq_num_uaddr, "Most Frequent IP addresses", "occur_d");
//$qs->AddCannedQuery("last_addr", $last_num_uaddr, "Last IP addresses", "last_d");
@@ -71,7 +78,6 @@
$criteria_clauses = ProcessCriteria();
PrintCriteria("");
- echo $time[0][2];
$criteria = $criteria_clauses[0]." ".$criteria_clauses[1];
$from = $criteria_clauses[0];
diff -Naur acid/acid_style.css acidfp/acid_style.css
--- acid/acid_style.css 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/acid_style.css 2003-12-17 14:17:10.000000000 -0500
@@ -17,7 +17,7 @@
P, B, A, BODY, FORM, TD, INPUT, SELECT, OPTION, TR, OL, UL, MENU, BLOCKQUOTE, FONT, DIV, H4, H5, H6 {
FONT-FAMILY: arial,helvetica,sans-serif;
- font-size: 12pt;
+ font-size: 10pt;
}
H3 {
@@ -60,6 +60,15 @@
font-size: 10pt;
}
+A.table {
+ FONT-FAMILY: arial,helvetica;
+ COLOR: yellow;
+ BACKGROUND-COLOR: black;
+ font-size: 12pt;
+ font-weight: bold;
+ text-align: center;
+}
+
table {
}
@@ -106,7 +115,6 @@
text-align: center;
}
-
td.plfield {
FONT-FAMILY: verdana,arial,helvetica;
COLOR: black;
@@ -120,7 +128,7 @@
font-weight: bold;
COLOR: white;
BACKGROUND-COLOR: #AA0000;
- font-size: 12pt;
+ font-size: 10pt;
}
td.iptitle {
@@ -128,7 +136,7 @@
font-weight: bold;
COLOR: white;
BACKGROUND-COLOR: #333399;
- font-size: 12pt;
+ font-size: 10pt;
}
td.layer4title {
@@ -136,7 +144,7 @@
font-weight: bold;
COLOR: white;
BACKGROUND-COLOR: #009966;
- font-size: 12pt;
+ font-size: 10pt;
}
td.payloadtitle {
@@ -144,7 +152,7 @@
font-weight: bold;
COLOR: white;
BACKGROUND-COLOR: #660099;
- font-size: 12pt;
+ font-size: 10pt;
}
td.sectiontitle {
@@ -152,13 +160,6 @@
font-weight: bold;
COLOR: white;
BACKGROUND-COLOR: #669999;
- font-size: 12pt;
+ font-size: 10pt;
}
-
-
-
-
-
-
-
diff -Naur acid/CHANGELOG acidfp/CHANGELOG
--- acid/CHANGELOG 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/CHANGELOG 2003-12-17 14:16:39.000000000 -0500
@@ -1,5 +1,61 @@
??/??/????: 0.9.6
+ - 01/08/2003: 0.9.6b23
+ - [01/08/2003] rdd
+ - 2003-2004 added to combo-boxes as time criteria
+
+ - [12/12/2002] rdd
+ - acid_net.inc
+ detect invalid IP adddress cache entries and update them
+ appropriately
+
+ - [11/12/2002] Christian Berg
+ - Check if PHP safe_mode is used before trying to set_time_limit()
+
+ - [10/15/2002] rdd
+ - acid_qry_sqlcalls.php:
+ fixed SQL generated when sorting by IP protocol on the
+ Alert Listing page
+ - acid_graph_form.php:
+ replace typo of '' with a ')
+ - tweaked SQL to always quote constants for better index use with the
+ PostgreSQL query optimizer (reported: Mike Gahagan )
+ - fix to ICMP decode
+ - added timezone to date in email export
+ - updated McAfee and Snort signature reference URLs
+ - complete re-write of state handling code (support without using
+ PHP's register_globals)
+ - input validation checks for criteria variables
+ - addded $external_sig_link configuration variable to eliminate
+ hardcoded URLs in the signature references
+ - added ICAT signature reference support
+ - use JPGraph library for alert graphing
+ - added pie chart support
+ - added classification vs. number of alerts chart
+ - added sensor vs. number of alerts chart
+
- 03/03/2002: 0.9.6b21
- CSV-formatted email alert action
- fixed bug in SQL generated when classification criteria is not set
diff -Naur acid/create_acid_tbls_mssql_extra.sql acidfp/create_acid_tbls_mssql_extra.sql
--- acid/create_acid_tbls_mssql_extra.sql 1969-12-31 19:00:00.000000000 -0500
+++ acidfp/create_acid_tbls_mssql_extra.sql 2003-12-17 14:16:39.000000000 -0500
@@ -0,0 +1,68 @@
+-- Copyright (C) 2002 Carnegie Mellon University
+--
+-- Author: Roman Danyliw
+--
+-- This program is free software; you can redistribute it and/or modify
+-- it under the terms of the GNU General Public License as published by
+-- the Free Software Foundation; either version 2 of the License, or
+-- (at your option) any later version.
+--
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License
+-- along with this program; if not, write to the Free Software
+-- Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+--
+-- - Purpose:
+-- Add referential integrity to the database schema
+
+ALTER TABLE acid_event
+ ADD CONSTRAINT acid_event_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE acid_ag_alert
+ ADD CONSTRAINT acid_ag_alert_fkey_sid_cid
+ FOREIGN KEY (ag_sid,ag_cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE iphdr
+ ADD CONSTRAINT iphdr_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE tcphdr
+ ADD CONSTRAINT tcphdr_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE udphdr
+ ADD CONSTRAINT udphdr_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE icmphdr
+ ADD CONSTRAINT icmphdr_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE opt
+ ADD CONSTRAINT opt_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE data
+ ADD CONSTRAINT data_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
diff -Naur acid/create_acid_tbls_pgsql_extra.sql acidfp/create_acid_tbls_pgsql_extra.sql
--- acid/create_acid_tbls_pgsql_extra.sql 1969-12-31 19:00:00.000000000 -0500
+++ acidfp/create_acid_tbls_pgsql_extra.sql 2003-12-17 14:16:39.000000000 -0500
@@ -0,0 +1,68 @@
+-- Copyright (C) 2002 Carnegie Mellon University
+--
+-- Author: Roman Danyliw
+--
+-- This program is free software; you can redistribute it and/or modify
+-- it under the terms of the GNU General Public License as published by
+-- the Free Software Foundation; either version 2 of the License, or
+-- (at your option) any later version.
+--
+-- This program is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License
+-- along with this program; if not, write to the Free Software
+-- Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+--
+-- - Purpose:
+-- Add referential integrity to the database schema
+
+ALTER TABLE acid_event
+ ADD CONSTRAINT acid_event_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE acid_ag_alert
+ ADD CONSTRAINT acid_ag_alert_fkey_sid_cid
+ FOREIGN KEY (ag_sid,ag_cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE iphdr
+ ADD CONSTRAINT iphdr_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE tcphdr
+ ADD CONSTRAINT tcphdr_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE udphdr
+ ADD CONSTRAINT udphdr_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE icmphdr
+ ADD CONSTRAINT icmphdr_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE opt
+ ADD CONSTRAINT opt_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
+
+ALTER TABLE data
+ ADD CONSTRAINT data_fkey_sid_cid
+ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
+ ON DELETE CASCADE
+ ON UPDATE CASCADE;
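Review bot: The foreign keys added at L5559–L5605 all carry ON DELETE CASCADE, but the purpose comment at L5556–L5557 says nothing about what that means for an existing database: PostgreSQL validates existing rows when ADD CONSTRAINT runs, so orphaned child rows (a sid,cid with no matching event row) abort the script, and once the constraints are in place a plain DELETE on event silently removes the matching iphdr/tcphdr/udphdr/icmphdr/opt/data rows, i.e. the stored packet headers and payload, so any evidence-retention procedure must be checked against this before the script is applied. I would extend the header comment with `-- Requires event(sid,cid) to be the PRIMARY KEY or UNIQUE; remove orphan rows in the child tables first (ADD CONSTRAINT validates them). With ON DELETE CASCADE, deleting an event row also deletes its header/payload rows.` The script is also not idempotent (re-running it fails on the first duplicate constraint name), which the same comment should mention so operators do not treat it as safe to re-run.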
diff -Naur acid/README acidfp/README
--- acid/README 2002-03-03 18:02:45.000000000 -0500
+++ acidfp/README 2003-12-17 14:16:39.000000000 -0500
@@ -14,7 +14,7 @@
CVS : cvs.acidlab.sourceforge.net
-------------------------------------------------------------------------------
-** Copyright (C) 2000, 2001 Carnegie Mellon University
+** Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
@@ -63,7 +63,6 @@
- tcpdump binary logs
o using logsnorter (www.snort.org/downloads/logsnorter-0.2.tar.gz)
- - Cisco PIX
- ipchains
- iptables
- ipfw
@@ -98,7 +97,7 @@
Version: 1.7+
Description: Network Intrusion Detection System
Reason: Detects security events
- Homepage: http://www.snort.com/
+ Homepage: http://www.snort.org/
- Package: logsnorter
Version: 0.2+
@@ -132,11 +131,11 @@
Reason: PHP provides no clean database API
Homepage: http://php.weblogs.com/adodb/
- o Package: PHPlot
- Version: 4.4.6+
+ o Package: JPGraph
+ Version: 1.8+
Description: PHP chart library
- Reason: Set of PHP classes over GD to generate charts
- Homepage: http://www.phplot.com
+ Reason: PHP4 graphing library
+ Homepage: http://www.aditus.nu/jpgraph/
Type: optional
o Package: GD
@@ -146,6 +145,24 @@
Homepage: http://www.boutell.com/gd/
Type: optional
+ The following are GD dependencies:
+
+ o Package: libpng
+ Description: PNG library
+ Reason: PNG format support for GD
+ Homepage: http://www.libpng.org/pub/png/
+
+ o Package: libjpeg-6b
+ Description: JPEG library
+ Reason: JPEG format support for GD
+ Homepage: http://www.ijg.org/
+
+ o Package: zlib
+ Version: 1.8.*
+ Description: compression library
+ Reason: Compression support for GD
+ Homepage: http://www.gzip.org/zlib/
+
o Any web browser capable of supporting cookies
@@ -303,7 +320,7 @@
under Windows, http://www.php.net/manual/en/install-windows.php.
o PHP will execute more efficiently if run as an Apache module
- (--with-apache in the ./configure script). However, it is possible to
+ (--with-apxs in the ./configure script). However, it is possible to
run PHP as a CGI application and under different web servers. It should
be noted that these configurations are untested.
@@ -353,25 +370,19 @@
$ tar xvfz adodb112.tgz
$ cd ..
-7. Uncompress and install PHPlot 4.4.6+. Again, this installation should
- involve only copying the files into a directory viewable by the web
+7. Uncompress and install JPGraph 1.8+. This installation should
+ involve copying the files into a directory viewable by the web
server and PHP.
[UNIX]
- $ cp phplot-4.4.6.tar.gz /home/httpd/html
+ $ cp jpgraph1.8.tar.gz /home/httpd/html
$ cd /home/httpd/html
- $ tar xvfz phplot-4.4.6.tar.gz
+ $ tar xvfz jpgraph.1.8.tar.gz
$ cd ..
-8. [OPTIONAL] Confirm that GD support has been properly configured in
- PHP by opening a browser and attempting to view the PHPlot diagnostics page
- examples/test_setup.php (the full URL will depend on where PHPlot was
- installed; e.g. http://mywebserver/phplot/examples/test_setup.php). If
- PHP has been configured correctly, at least one chart graphic should be
- seen on this page. Otherwise, PHP has not been configured correctly with
- GD support.
+ See the JPGraph README file for additional documentation.
-9. Uncompress and install ACID by copying and expanding it to a directory
+8. Uncompress and install ACID by copying and expanding it to a directory
viewable by the web server and PHP.
[UNIX]
@@ -380,7 +391,7 @@
$ tar xvfz acid-0.9.6.tar.gz
$ cd acid
-10. Verify that cookie support in the browser is enabled.
+9. Verify that cookie support in the browser is enabled.
[Netscape 4.*]
@@ -409,7 +420,7 @@
IV. CONFIGURATION
_____________________________________
-11. The file 'acid_conf.php' controls the configuration of ACID.
+10. The file 'acid_conf.php' controls the configuration of ACID.
Note: 'acid_conf.php' is PHP code which will be included in each
ACID page request. As such, it is imperative that the opening
@@ -461,7 +472,8 @@
[OPTIONAL for chart support]
- o $ChartLib_path : full path to the PHPlot install
+ o $ChartLib_path : full path to the JPGraph install; the directory
+ in which the file 'jpgraph.php' is located
(Note: do not include a trailing '\' character)
o $chart_file_format : graphic format to use for generated charts
@@ -473,7 +485,7 @@
o $portscan_file : full path to a Snort portscan log file
-12. Open the acid_main.php page in a browser. If the any database changes
+11. Open the acid_main.php page in a browser. If the any database changes
are required, ACID will prompt for action.
For new databases, several ACID specific tables will need to be created.
@@ -494,7 +506,7 @@
After the tables are created, ACID will return status indicating success.
-13. Read the security notes about deploying ACID.
+12. Read the security notes about deploying ACID.
V. SECURITY