+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: extracts and calculates the data to plot
+@@ -45,8 +45,8 @@
+ '"Check the Graphing abstraction library variable $ChartLib_path'.
+ ' in acid_conf.php
+
+- The underlying graphing library currently used is PHPlot, that can be downloaded
+- at http://www.phplot.com . Without this
++ The underlying graphing library currently used is JPGraph, that can be downloaded
++ at http://www.aditus.nu/jpgraph/index.php . Without this
+ library no graphing operations can be performed.';
+
+ die();
+@@ -54,26 +54,43 @@
+ }
+
+ function LoadGraphingLib($path)
+-{
+- $last_char = substr($path, strlen($path)-1, 1);
++{
++ $libs = array ("jpgraph.php",
++ "jpgraph_line.php",
++ "jpgraph_bar.php",
++ "jpgraph_canvas.php",
++ "jpgraph_error.php",
++ "jpgraph_log.php",
++ "jpgraph_pie.php",
++ "jpgraph_pie3d.php",
++ "jpgraph_scatter.php",
++ "jpgraph_radar.php" );
+
+- if ( $last_char == "\\" || $last_char == "/" )
+- {
+- VerifyGraphingLib($path."phplot.php");
+- include($path."phplot.php");
+- }
+- else if ( strstr($path,"/") || $path == "" )
++ for ( $i = 0; $i < count($libs); $i++ )
+ {
+- VerifyGraphingLib($path."/phplot.php");
+- include($path."/phplot.php");
+- }
+- else if ( strstr($path,"\\") )
+- {
+- VerifyGraphingLib($path."\\phplot.php");
+- include($path."\\phplot.php");
++ $last_char = substr($path, strlen($path)-1, 1);
++
++ if ( $last_char == "\\" || $last_char == "/" )
++ {
++ VerifyGraphingLib($path.$libs[$i]);
++ include( $path.$libs[$i] );
++ }
++ else if ( strstr($path,"/") || $path == "" )
++ {
++ VerifyGraphingLib($path."/".$libs[$i]);
++ include($path."/".$libs[$i]);
++ }
++ else if ( strstr($path,"\\") )
++ {
++ VerifyGraphingLib($path."\\".$libs[$i]);
++ include($path."\\".$libs[$i]);
++ }
++ else
++ {
++ echo "ERROR: Unable to load graphing library file:".$libs[$i];
++ return;
++ }
+ }
+- else
+- echo "ERROR: Unable to load graphing library";
+ }
+
+ /* Generates the required SQL from the chart time criteria */
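Review bot: The `$last_char` test and the three-way separator branch inside the new `for` loop do not depend on `$i`, so the directory prefix is recomputed and re-checked for each of the ten library files; compute it once before the loop and keep the loop to the verify/include pair (sketch below). The `$path == ""` case, carried over from the old code, still lands in the `strstr($path,"/")` branch and includes `"/jpgraph.php"` from the filesystem root rather than via the include path — if an empty `$ChartLib_path` is meant to mean "use include_path", that branch should use the bare file name instead. The `echo`/`return` fallback reports the failure to the browser but gives the caller no return value to test.
```php
function LoadGraphingLib($path)
{
    $libs = array ( /* … unchanged: library file list … */ );

    /* The separator decision does not depend on the loop index: make it once */
    $last_char = substr($path, strlen($path)-1, 1);
    if ( $last_char == "\\" || $last_char == "/" )
        $prefix = $path;
    else if ( strstr($path,"/") || $path == "" )
        $prefix = $path."/";
    else if ( strstr($path,"\\") )
        $prefix = $path."\\";
    else
    {
        echo "ERROR: Unable to load graphing library";
        return;
    }

    for ( $i = 0; $i < count($libs); $i++ )
    {
        VerifyGraphingLib($prefix.$libs[$i]);
        include($prefix.$libs[$i]);
    }
}
```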
+@@ -318,7 +335,7 @@
+
+ function GetIPDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
+ {
+- GLOBAL $db, $debug_mode;
++ GLOBAL $db, $debug_mode;
+
+ if ( $chart_type == 6 )
+ $sql = "SELECT DISTINCT ip_src, COUNT(acid_event.cid) ".
+@@ -352,7 +369,7 @@
+
+ function GetPortDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
+ {
+- GLOBAL $db, $debug_mode;
++ GLOBAL $db, $debug_mode;
+
+ if ( ($chart_type == 8) || ($chart_type == 9) )
+ $sql = "SELECT DISTINCT layer4_dport, COUNT(acid_event.cid) ".
+@@ -386,13 +403,12 @@
+
+ function GetClassificationDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
+ {
+- GLOBAL $db, $debug_mode;
+-
+-
++ GLOBAL $db, $debug_mode;
++
+ $sql = "SELECT DISTINCT sig_class_id, COUNT(acid_event.cid) ".
+ "FROM acid_event ".$criteria[0].
+- "WHERE ".$criteria[1]." AND layer4_dport is NOT NULL ".
+- "GROUP BY sig_class_id ORDER BY sig_class_id";
++ "WHERE ".$criteria[1]. /* " AND layer4_dport is NOT NULL ". */
++ " GROUP BY sig_class_id ORDER BY sig_class_id";
+
+ if ( $debug_mode > 0) echo $sql." ";
+
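Review bot: The disabled `AND layer4_dport is NOT NULL` clause is kept as a block comment in the middle of the concatenation expression; delete it rather than leave commented-out SQL inside the statement, or if it is expected to return, add a one-line comment above `$sql` saying why it was dropped. Note that `$sql` still embeds `$criteria[0]` and `$criteria[1]` verbatim and is echoed to the page when `$debug_mode > 0` (context line); `$criteria[1]` is assembled from request data in acid_graph_main.php, so any escaping has to happen where `$criteria` is built, not here. GetClassificationDataSet's body continues past the end of the hunk.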
+@@ -405,9 +421,38 @@
+ {
+ $xdata[$cnt][0] = strip_tags(GetSigClassName($myrow[0], $db));
+ $xdata[$cnt][1] = $myrow[1];
+- //$xdata[0][1] = $xdata[1][1] = 50;
+- //$xdata[0][0] = 20;
+- //$xdata[1][0] = 80;
++ ++$cnt;
++ }
++ }
++
++ $result->acidFreeRows();
++ return $cnt;
++}
++
++function GetSensorDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
++{
++ GLOBAL $db, $debug_mode;
++
++ $sql = "SELECT DISTINCT acid_event.sid, COUNT(acid_event.cid) ".
++ "FROM acid_event ".$criteria[0].
++ "WHERE ".$criteria[1].
++ " GROUP BY acid_event.sid ORDER BY acid_event.sid";
++
++ if ( $debug_mode > 0) echo $sql." ";
++
++ $result = $db->acidExecute($sql);
++
++ $cnt = 0;
++ while ( $myrow = $result->acidFetchRow() )
++ {
++ if ( $myrow[1] >= $min_threshold )
++ {
++ $result2 = $db->acidExecute("SELECT hostname FROM sensor where sid=".$myrow[0]);
++ $sensor_name = $result2->acidFetchRow();
++ $xdata[$cnt][0] = $sensor_name[0];
++ $result2->acidFreeRows();
++
++ $xdata[$cnt][1] = $myrow[1];
+ ++$cnt;
+ }
+ }
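Review bot: `$sensor_name[0]` is read on the line after `acidFetchRow()` without checking that a row came back, so a `sid` with no matching `sensor` row silently produces an empty label; guard it, `$xdata[$cnt][0] = ($sensor_name == false) ? "" : $sensor_name[0];`, or better, pull `hostname` in the main query with a join on `sensor.sid` so the per-row second query disappears. For consistency with GetClassificationDataSet (which wraps its label in `strip_tags()`), the hostname label should get the same treatment if it can reach an HTML context. GetSensorDataSet's body (the `acidFreeRows()` and `return $cnt`) continues past the end of the hunk.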
+diff -Naur acid/acid_graph_display.php acidfp/acid_graph_display.php
+--- acid/acid_graph_display.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_graph_display.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: Displays the actual .GIF/.PNG/.TIFF image
+@@ -13,6 +13,7 @@
+ * Input GET/POST variables
+ * - width: chart width
+ * - height: chart width
++ * - pmargin0-3: plot margins
+ * - title: chart title
+ * - xaxis_label: x-axis label
+ * - yaxis_label: y-axis label
+@@ -23,105 +24,120 @@
+ */
+
+ include ("acid_conf.php");
++ include ("acid_state_common.inc");
+ include ("acid_graph_common.php");
+
+ session_start();
+- session_register('xdata');
+
+- LoadGraphingLib($ChartLib_path);
+-
+- /* Verifies that the chart width is not too small
+- *
+- * algorithm: width >= const + number_of_points * factor
+- */
+- $width_const = 50;
+- $width_factor = 10;
+-
+- if ( $width < ($width_const + count ($data) * $width_factor)) {
+- $width = $width_const + count ($data) * $width_factor;
+- }
++ $xdata = $HTTP_SESSION_VARS['xdata'];
++ $width = ImportHTTPVar("width");
++ $height = ImportHTTPVar("height");
++ $pmargin0 = ImportHTTPVar("pmargin0");
++ $pmargin1 = ImportHTTPVar("pmargin1");
++ $pmargin2 = ImportHTTPVar("pmargin2");
++ $pmargin3 = ImportHTTPVar("pmargin3");
++ $title = ImportHTTPVar("title");
++ $xaxis_label = ImportHTTPVar("xaxis_label");
++ $yaxis_label = ImportHTTPVar("yaxis_label");
++ $yaxis_scale = ImportHTTPVar("yaxis_scale");
++ $xaxis_grid = ImportHTTPVar("xaxis_grid");
++ $yaxis_grid = ImportHTTPVar("yaxis_grid");
++ $rotate_xaxis_lbl = ImportHTTPVar("rotate_xaxis_lbl");
++ $style = ImportHTTPVar("style");
+
+- $graph = new PHPlot($width, $height);
+- $graph->SetIsInline("0");
+- $graph->SetBrowserCache("0");
+-
+- /* Allocate enough space for the X,Y-axis data label */
+- $x_maxlength = 10; /* 10 is the PHP default size */
++ LoadGraphingLib($ChartLib_path);
+
+- /* Create the data array */
++ /* Create the data and label array */
+ for ($i = 0; $i < count($xdata); $i++)
+ {
+- if ( $style != "pie" )
+- {
+- $xdata_graph[$i] = array($xdata[$i][0], $xdata[$i][1]);
+- }
+- else
+- {
+- $xdata[$i] = array( count($data)+1 );
+- $xdata[$i][0] = $datalbl[$i];
+- for ( $j = 1; $j < $i; $j++)
+- $xdata[$i][$j] = 0;
+- $xdata[$i][$i+1] = $data[$i];
+-
+- $legend[$i] = $datalbl[$i];
+- }
+-
+- if (strlen($xdata[$i][0]) > $x_maxlength)
+- {
+- // if the label is too small, expand the label size to fit
+- $x_maxlength = strlen($xdata[$i][0]);
+- }
++ $xlabel[$i] = $xdata[$i][0];
++ $ydata[$i] = $xdata[$i][1];
+ }
+
+- $graph->SetDataType("text-data");
+- $graph->SetPlotType($style);
+-
++ if ( $style == "pie" )
++ $graph = new PieGraph($width, $height);
++ else
++ $graph = new Graph($width, $height);
++
++ /* Set Margins */
++ $graph->img->SetMargin($pmargin0,$pmargin1,$pmargin2,$pmargin3);
++ $graph->img->SetAntiAliasing();
++
++ //$graph->SetShadow();
++
++ /* Set Plot type */
+ switch($style)
+ {
+- case "bars":
+- $graph->SetDataType("text-data");
+- break;
+- case "linepoints":
+- $graph->SetDataType("text-data");
++ case "bar":
++ $plot[0] = new BarPlot($ydata);
+ break;
+ case "pie":
+- $graph->SetDataType("text-data");
+- $graph->SetLegend($legend);
++ $plot[0] = new PiePlot3D($ydata);
+ break;
+- case "thinbarline":
+- $graph->SetDataType("data-data");
++ case "line":
++ $plot[0] = new LinePlot($ydata);
+ break;
+ }
+
+- /* read the X-axis labels as text */
+- $graph->SetXGridLabelType ("title");
++ //$plot[0]->SetColor("#000000");
++
++ if ( ($style == "bar") || ($style == "line") )
++ {
++ /* Set Scale */
++ if ( $yaxis_scale == 1 )
++ $graph->SetScale("textlog");
++ else
++ $graph->SetScale("textlin");
++
++ $plot[0]->SetFillColor("#BE0505");
++ //$plot[0]->SetFillColor($GLOBALS['chart_bar_color_default']);
++
++ /* Set Gridlines */
++ if ( $xaxis_grid == 1 )
++ $graph->xgrid->Show(true);
++ else
++ $graph->xgrid->Show(false);
++
++ if ( $yaxis_grid == 1 )
++ $graph->ygrid->Show(true);
++ else
++ $graph->ygrid->Show(false);
++
++ /* Set Axis Labels */
++ $graph->xaxis->title->Set($xaxis_label);
++ $graph->yaxis->title->Set($yaxis_label);
++
++ //$graph->xaxis->SetFont(FF_ARIAL,FS_NORMAL,11);
++
++ $graph->xaxis->SetTickLabels($xlabel);
++
++ if ( $rotate_xaxis_lbl == 1 )
++ $graph->xaxis->SetLabelAngle(90);
++ }
++
++ if ( $style == "pie" )
++ {
++ $plot[0]->SetLegends($xlabel);
++ }
++
++ //$plot[0]->ShowValue(true);
++ //$plot[0]->SetShadow();
++
++ /* Set Title */
++ //$graph->title->SetFont(FF_COMIC,FS_NORMAL,18);
++ $graph->title->Set($title);
++
++
++ $graph->Add($plot[0]);
++
++ $graph->Stroke();
++?>
++
++
++
++
++
++
+
+- $graph->SetPrecisionY(0);
+- $graph->SetPrecisionX(0);
+
+- $graph->SetBackgroundColor($chart_bg_color_default);
+- $graph->SetLightGridColor($chart_lgrid_color_default);
+
+- /* Check if need to rotate X-Axis label */
+- if ( $rotate_xaxis_lbl == 1 )
+- $graph->SetXDataLabelAngle(90);
+-
+- $graph->SetFileFormat($chart_file_format);
+- //$graph->SetUseTTF("0");
+-
+- /* Set y-axis scale */
+- if ( $yaxis_scale == 1 )
+- $graph->SetYScaleType("log");
+-
+- $graph->SetXDataLabelMaxlength($x_maxlength);
+- $graph->SetDrawYGrid("1");
+- $graph->SetDataValues($xdata_graph);
+- $graph->SetXLabel($xaxis_label);
+- $graph->SetYLabel($yaxis_label);
+- $graph->SetTitle($title);
+- $graph->SetDataColors( array( $chart_bar_color_default ),
+- array("black") );
+- //$graph->SetBackgroundColor("grey");
+- $graph->DrawGraph();
+- //$graph->DrawLegend(100, 100, '');
+-?>
+\ No newline at end of file
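Review bot: `$width`, `$height` and the four `$pmargin` values are taken straight from the request with `ImportHTTPVar` and handed to `new Graph(...)` / `SetMargin(...)` without any range check, and the old minimum-width clamp was removed with nothing replacing it, so a single request can ask for an arbitrarily large image allocation. `$style` is likewise unchecked: any value other than `bar`, `pie` or `line` leaves `$plot[0]` unset and `$graph->Add($plot[0])` at the end of the script fails. Cast the numeric inputs to int and bound them, and give the `switch` a `default:` that rejects unknown styles (sketch below; the limit is a constructed example). `$HTTP_SESSION_VARS['xdata']` is also read without `isset`, so a direct request with no prior graph run may emit a notice before the image headers.
```php
$xdata = isset($HTTP_SESSION_VARS['xdata']) ? $HTTP_SESSION_VARS['xdata'] : array();

/* Bound the request-supplied geometry (limit is a constructed example) */
$max_dim = 2000;
$width  = (int) ImportHTTPVar("width");
$height = (int) ImportHTTPVar("height");
if ( $width < 1 || $width > $max_dim || $height < 1 || $height > $max_dim )
    die("ERROR: invalid chart size");
// … unchanged: remaining ImportHTTPVar() reads (cast the four pmargin values with (int)), LoadGraphingLib, data/label loop, Graph/PieGraph creation …

switch($style)
{
    case "bar":
        $plot[0] = new BarPlot($ydata);
        break;
    case "pie":
        $plot[0] = new PiePlot3D($ydata);
        break;
    case "line":
        $plot[0] = new LinePlot($ydata);
        break;
    default:
        die("ERROR: unknown chart style");
}
// … unchanged: scale, grid, axis label, legend, title and Stroke() calls …
```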
+diff -Naur acid/acid_graph_form.php acidfp/acid_graph_form.php
+--- acid/acid_graph_form.php 1969-12-31 19:00:00.000000000 -0500
++++ acidfp/acid_graph_form.php 2003-12-17 14:16:39.000000000 -0500
+@@ -0,0 +1,214 @@
++,
++ *
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
++ * (see the file 'acid_main.php' for license details)
++ *
++ * Purpose: displays form for graphing
++ */
++
++ echo '
';
++
++?>
+diff -Naur acid/acid_graph_main.php acidfp/acid_graph_main.php
+--- acid/acid_graph_main.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_graph_main.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose:
+@@ -27,9 +27,12 @@
+ $cs->ReadState();
+
+ session_start();
+- session_register('xdata');
+
+ $submit = ImportHTTPVar("submit");
++
++ $height = ImportHTTPVar("height");
++ $width = ImportHTTPVar("width");
++ $user_chart_title = ImportHTTPVar("user_chart_title");
+ $data_source = ImportHTTPVar("data_source");
+ $chart_type = ImportHTTPVar("chart_type");
+ $chart_interval = ImportHTTPVar("chart_interval");
+@@ -46,6 +49,19 @@
+
+ $chart_style = ImportHTTPVar("chart_style");
+ $rotate_xaxis_lbl = ImportHTTPVar("rotate_xaxis_lbl");
++ $yaxis_scale = ImportHTTPVar("yaxis_scale");
++ $xaxis_grid = ImportHTTPVar("xaxis_grid");
++ $yaxis_grid = ImportHTTPVar("yaxis_grid");
++
++ $pmargin0 = ImportHTTPVar("pmargin0");
++ $pmargin1 = ImportHTTPVar("pmargin1");
++ $pmargin2 = ImportHTTPVar("pmargin2");
++ $pmargin3 = ImportHTTPVar("pmargin3");
++
++ $xaxis_label_inc = ImportHTTPVar("xaxis_label_inc");
++
++ $min_size = ImportHTTPVar("min_size");
++ $aggregate_type = ImportHTTPVar("aggregate_type");
+
+ $page_title = "Graph Alert Data";
+ PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
+@@ -60,19 +76,21 @@
+ if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
+ ?>
+
+-
+-
+-
';
++ include("acid_graph_form.php");
+
+ $data_pnt_cnt = 0;
+ /* Error Conditions */
+@@ -299,7 +142,7 @@
+ {
+ $criteria[0] = "LEFT JOIN acid_ag_alert ".
+ "ON (acid_event.sid=acid_ag_alert.ag_sid AND acid_event.cid=acid_ag_alert.ag_cid) ";
+- $criteria[1] = "ag_id = $data_source";
++ $criteria[1] = "acid_ag_alert.ag_id = $data_source";
+
+ if ( $time_constraint != NULL )
+ $criteria[1] = $criteria[1].$time_constraint;
+@@ -395,6 +238,15 @@
+ $data_pnt_cnt = GetClassificationDataSet($xdata, $chart_type, $data_source, $min_size, $criteria);
+ break;
+ }
++ case 13: // Sensor vs. Num Alerts
++ {
++ $chart_title = "Sensor vs. Number of Alerts";
++ $xaxis_label = "Sensor";
++ $yaxis_label = "Alert Occurrences";
++
++ $data_pnt_cnt = GetSensorDataSet($xdata, $chart_type, $data_source, $min_size, $criteria);
++ break;
++ }
+ }
+
+ if ( $data_pnt_cnt > 0 )
+@@ -444,15 +296,20 @@
+
+ ';
+
++ $HTTP_SESSION_VARS['xdata'] = $xdata;
+ echo "
+ ";
++ "&yaxis_scale=".$yaxis_scale.
++ "&xaxis_grid=".$xaxis_grid.
++ "&yaxis_grid=".$yaxis_grid.
++ "&style=".$chart_style."\">";
+
+ echo '
+
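Review bot: The query string appended at the end of the hunk concatenates `$yaxis_scale`, `$xaxis_grid`, `$yaxis_grid` and `$chart_style` — all read from the request with `ImportHTTPVar` earlier in the file — into what appears to be an image-tag attribute (the start of the `echo` is garbled in this copy) with no URL- or HTML-encoding, so a crafted value is reflected into the page markup. Use `rawurlencode()` on each value, as this patch already does for `$submit` in acid_qry_alert.php, e.g. `"&yaxis_scale=".rawurlencode($yaxis_scale).`, and apply the same to the width/height/margin/title parameters that precede these lines. Storing the whole `$xdata` array in `$HTTP_SESSION_VARS['xdata']` replaces the removed `session_register('xdata')`, so the consumer in acid_graph_display.php should not assume the key exists.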
+diff -Naur acid/acid_log_error.inc acidfp/acid_log_error.inc
+--- acid/acid_log_error.inc 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_log_error.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -32,12 +32,27 @@
+ GLOBAL $HTTP_SERVER_VARS, $DBtype, $ADODB_vers, $HTTP_SESSION_VARS;
+
+ $tmp = session_encode();
++
++ if ( isset($HTTP_SERVER_VARS['HTTP_REFERER']) )
++ $http_referer = $HTTP_SERVER_VARS['HTTP_REFERER'];
++ else
++ $http_referer = "";
+
++ if ( isset($HTTP_SERVER_VARS['HTTP_USER_AGENT']) )
++ $http_user_agent = $HTTP_SERVER_VARS['HTTP_USER_AGENT'];
++ else
++ $http_user_agent = "";
++
++ if ( isset($HTTP_SERVER_VARS['SERVER_SOFTWARE']) )
++ $server_software = $HTTP_SERVER_VARS['SERVER_SOFTWARE'];
++ else
++ $server_software = "";
++
+ echo "
+- URL: '".$HTTP_SERVER_VARS["PHP_SELF"]."' (referred by: '".$HTTP_SERVER_VARS["HTTP_REFERER"]."')
++ URL: '".$HTTP_SERVER_VARS["PHP_SELF"]."' (referred by: '".$http_referer."')
+ PARAMETERS: '".$HTTP_SERVER_VARS["QUERY_STRING"]."
+- CLIENT: ".$HTTP_SERVER_VARS["HTTP_USER_AGENT"]."
+- SERVER: ".$HTTP_SERVER_VARS["SERVER_SOFTWARE"]."
++ CLIENT: ".$http_user_agent."
++ SERVER: ".$server_software."
+ SERVER HW: ".php_uname()."
+ DATABASE TYPE: $DBtype DB ABSTRACTION VERSION: $ADODB_vers
+ PHP VERSION: ".phpversion()." PHP API: ".php_sapi_name()."
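Review bot: `$http_referer` and `$http_user_agent` are now guarded with `isset`, but they remain client-supplied headers echoed verbatim into the HTML error report (`referred by: '".$http_referer."'` and `CLIENT: ".$http_user_agent."`), as is `QUERY_STRING` on the unchanged line between them; a header containing markup is rendered in the page of whoever views the error. Escape at the point of capture, `$http_referer = htmlspecialchars($HTTP_SERVER_VARS['HTTP_REFERER']);`, and likewise for the user agent and `QUERY_STRING`. The three identical `if/else` blocks could also collapse to `isset($HTTP_SERVER_VARS['X']) ? htmlspecialchars($HTTP_SERVER_VARS['X']) : ""`. The enclosing function starts before the hunk.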
+@@ -55,4 +70,4 @@
+ echo " ";
+ }
+
+-?>
++?>
+\ No newline at end of file
+diff -Naur acid/acid_main.php acidfp/acid_main.php
+--- acid/acid_main.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_main.php 2003-12-17 14:17:10.000000000 -0500
+@@ -49,8 +49,14 @@
+ include_once("acid_db_common.php");
+
+ RegisterGlobalState();
+- InitGlobalState();
+- PreserveHistory();
++ //InitGlobalState();
++
++ /* Initialize the history */
++ $HTTP_SESSION_VARS = NULL;
++ InitArray($HTTP_SESSION_VARS['back_list'], 1, 3, "");
++ $HTTP_SESSION_VARS['back_list_cnt'] = 0;
++
++ PushHistory();
+ ?>
+
+
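Review bot: `$HTTP_SESSION_VARS = NULL;` discards every key in the session, not only the history entries the comment describes; as far as visible, any other state kept in the session (for example the `xdata` array the graph pages now store there) is lost whenever acid_main.php is loaded. If only the history is meant to be reset, clear just those keys — `unset($HTTP_SESSION_VARS['back_list']);` before the `InitArray(...)` call — and leave the rest of the session alone. The `//InitGlobalState();` line is commented-out code and should be removed rather than kept.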
+@@ -138,7 +144,7 @@
+
+
+
Search
+-Graph Alert data (EXPERIMENTAL )
++Graph Alert data
+
+
+
Snapshot
+@@ -196,7 +202,7 @@
+ echo '
+
+
+-
++
+
+ Most recent Alerts:
+ any protocol ,
+@@ -217,6 +223,10 @@
+ ?>
+ Most
+ recent Unique Alerts
++ Network Fingerprints: most recent ;
++ by address , 
++ port , 
++ service  
+
+
+
Last Source Ports:
+@@ -249,7 +259,7 @@
+
+
+
+-
++
+ Most
+ frequent Alerts
+
+diff -Naur acid/acid_maintenance.php acidfp/acid_maintenance.php
+--- acid/acid_maintenance.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_maintenance.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: status and event/dns/whois cache maintenance
+@@ -42,8 +42,10 @@
+ if ( $debug_mode > 0 )
+ echo "submit = '$submit'";
+
+- set_time_limit($max_script_runtime);
++ if ( ini_get("safe_mode") != true )
++ set_time_limit($max_script_runtime);
+
++ $repair_output = NULL;
+ if ( $submit == "Update Alert Cache" )
+ {
+ UpdateAlertCache($db);
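Review bot: `ini_get("safe_mode") != true` compares the string `ini_get()` returns against a boolean with loose `!=`, which only works because `"0"` and `""` happen to be falsy; `if ( !ini_get("safe_mode") )` says the same thing without relying on that coercion. The identical construct is added in acid_output_html.inc (the hunk at line 714) and should be changed the same way. If the guard exists to avoid the warning `set_time_limit()` raises under safe mode, a short comment saying so would help the next reader.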
+@@ -71,14 +73,18 @@
+ DropWhoisCache($db);
+ UpdateWhoisCache($db);
+ }
++ else if ( $submit == "Repair Tables")
++ {
++ $repair_output = RepairDBTables($db);
++ }
+
+ echo '
";
++
';
+
+ echo '
+
+diff -Naur acid/acid_net.inc acidfp/acid_net.inc
+--- acid/acid_net.inc 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_net.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: TCP/IP network routines
+@@ -17,7 +17,7 @@
+ * Purpose: convert a text string IPv4 address into its 32-bit numeric
+ * equivalent
+ *
+- * Arguments: $IP_str => dotted IPv4 address string (e.g. 1.2.3.4)
++ :* Arguments: $IP_str => dotted IPv4 address string (e.g. 1.2.3.4)
+ *
+ * Returns: 32-bit integer equivalent of the dotted address
+ * (e.g. 255.255.255.255 => 4294967295 )
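Review bot: The new line introduces a stray `:` before the `*` of the comment (` :* Arguments:`), breaking the alignment of the comment block; it should read ` * Arguments: $IP_str => dotted IPv4 address string (e.g. 1.2.3.4)`, identical to the removed line. There is no other change in this hunk, so the edit looks accidental.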
+@@ -143,7 +143,7 @@
+ $current_time = date("Y-m-d H:i:s",$current_unixtime);
+ $sql = "SELECT ipc_ip,ipc_fqdn,".$db->acidSQL_UNIXTIME("(ipc_dns_timestamp)", "","").",ipc_dns_timestamp".
+ " FROM acid_ip_cache ".
+- " WHERE ipc_ip = $ip32 ";
++ " WHERE ipc_ip = '$ip32' ";
+
+ $result = $db->acidExecute($sql);
+ $ip_cache = $result->acidFetchRow();
+@@ -160,7 +160,8 @@
+ }
+ else /* cache hit */
+ {
+- if ( ( ($ip_cache[2] / 60)+$cache_lifetime ) <= ($current_unixtime / 60) )
++ if ( (( ($ip_cache[2] / 60)+$cache_lifetime ) <= ($current_unixtime / 60)) &&
++ ($ip_cache[2] != "") )
+ {
+ /* valid entry */
+ if ( ($ip_cache[2] != "") && ($ip_cache[2] != 0) )
+@@ -176,7 +177,7 @@
+
+ /* Update entry in cache regardless of whether can resolve */
+ $sql = "UPDATE acid_ip_cache SET ipc_fqdn='$tmp', ".
+- " ipc_dns_timestamp='$current_time' WHERE ipc_ip=$ip32";
++ " ipc_dns_timestamp='$current_time' WHERE ipc_ip='$ip32'";
+ $db->acidExecute($sql);
+ }
+ }
+@@ -209,7 +210,7 @@
+ $current_time = date("Y-m-d H:i:s",$current_unixtime);
+ $sql = "SELECT ipc_ip,ipc_whois,".$db->acidSQL_UNIXTIME("(ipc_whois_timestamp)", "","").",ipc_whois_timestamp".
+ " FROM acid_ip_cache ".
+- " WHERE ipc_ip = $ip32 ";
++ " WHERE ipc_ip = '$ip32' ";
+
+ $result = $db->acidExecute($sql);
+ $whois_cache = $result->acidFetchRow();
+@@ -247,7 +248,7 @@
+
+ /* Update entry in cache regardless of whether can resolve */
+ $sql = "UPDATE acid_ip_cache SET ipc_whois='".getSafeSQLString($tmp)."', ".
+- " ipc_whois_timestamp='$current_time' WHERE ipc_ip=$ip32";
++ " ipc_whois_timestamp='$current_time' WHERE ipc_ip='$ip32'";
+ $db->acidExecute($sql);
+ }
+ }
+diff -Naur acid/acid_output_html.inc acidfp/acid_output_html.inc
+--- acid/acid_output_html.inc 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_output_html.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2001 Carnegie Mellon University
++ * Copyright (C) 2001,2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: Prints or generates HTML to display
+@@ -15,7 +15,8 @@
+ GLOBAL $debug_mode, $ACID_VERSION, $html_no_cache,
+ $max_script_runtime;
+
+- set_time_limit($max_script_runtime);
++ if ( ini_get("safe_mode") != true )
++ set_time_limit($max_script_runtime);
+
+ echo '
+
+@@ -96,11 +97,11 @@
+
+ function PrintFreshPage($refresh_stat_page, $stat_page_refresh_time)
+ {
+- GLOBAL $PHP_SELF;
++ GLOBAL $HTTP_SERVER_VARS;
+
+ if ( $refresh_stat_page )
+ echo ' '."\n";
++ '"; URL="'.$HTTP_SERVER_VARS["PHP_SELF"].'";>'."\n";
+ }
+
+ function chk_select($stored_value, $current_value)
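Review bot: `$HTTP_SERVER_VARS["PHP_SELF"]` is written into the meta-refresh `URL=` attribute unescaped; PHP_SELF can carry client-supplied path info after the script name, so this is a reflected-markup vector on a page that refreshes itself. Escape it: `'"; URL="'.htmlspecialchars($HTTP_SERVER_VARS["PHP_SELF"]).'";>'."\n"`. The start of the `echo` statement is garbled in this copy, so the surrounding quoting could not be checked.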
+diff -Naur acid/acid_output_query.inc acidfp/acid_output_query.inc
+--- acid/acid_output_query.inc 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_output_query.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -134,9 +134,9 @@
+ echo '';
+ }
+
+-function qroPrintEntry($value)
++function qroPrintEntry($value, $halign="center", $valign="top", $passthru="")
+ {
+- echo "\n".
++ echo " \n".
+ " \n".
+ " $value\n".
+ " \n".
+diff -Naur acid/acid_qry_alert.php acidfp/acid_qry_alert.php
+--- acid/acid_qry_alert.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_qry_alert.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2001 Carnegie Mellon University
++ * Copyright (C) 2001,2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: displays a single alert
+@@ -55,7 +55,7 @@
+ * to the history.
+ */
+ $submit = ImportHTTPVar("submit");
+- $QUERY_STRING = "submit=".rawurlencode($submit);
++ $HTTP_SERVER_VARS["QUERY_STRING"] = "submit=".rawurlencode($submit);
+
+ $et = new EventTiming($debug_time_mode);
+ $cs = new CriteriaState("acid_qry_alert.php");
+@@ -79,6 +79,7 @@
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+@@ -205,7 +206,7 @@
+
+ $sql4 = "SELECT acid_ag_alert.ag_id, ag_name, ag_desc ".
+ "FROM acid_ag_alert LEFT JOIN acid_ag ON acid_ag_alert.ag_id = acid_ag.ag_id ".
+- "WHERE ag_sid=".$sid." AND ag_cid=".$cid;
++ "WHERE ag_sid='".$sid."' AND ag_cid='".$cid."'";
+ $result4 = $db->acidExecute($sql4);
+ $num = $result4->acidRecordCount();
+
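Review bot: Wrapping `$sid` and `$cid` in single quotes changes how SQL types them but does not escape them; their origin is outside the hunk, and if they come from the request (this script displays an alert selected by sid/cid) a quote character in either value still terminates the literal. Since both are integer identifiers, cast them, `"WHERE ag_sid=".(int)$sid." AND ag_cid=".(int)$cid`, or pass them through `getSafeSQLString()` as acid_net.inc does elsewhere in this patch.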
+@@ -540,11 +541,16 @@
+ $work = str_replace("\n","",$myrow2[0]);
+
+ /*
+- * depending on how the packet logged, 32-bits of NULL padding after
+- * the checksum may still be present.
++ * - depending on how the packet logged, 32-bits of NULL padding after
++ * the checksum may still be present.
+ */
+ if ( substr($work, 0, 8) == "00000000" )
+ $offset = 8;
++ /* for dest. unreachable, frag needed and DF bit set indent the padding
++ * of MTU of next hop
++ */
++ else if ( ($ICMPitype == "3") && ($ICMPicode == "4") )
++ $offset += 8;
+
+ $icmp_src = hexdec($work[24+$offset].$work[25+$offset]).".".
+ hexdec($work[26+$offset].$work[27+$offset]).".".
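Review bot: The new `else if` uses `$offset += 8` while the branch above assigns `$offset = 8`; `$offset` is initialised outside the hunk, and because the two tests are chained with `else if` a type 3 / code 4 message whose payload also begins with the 32-bit NULL padding receives only the first adjustment. If both can apply, make the second test a separate statement after the padding check: `if ( ($ICMPitype == "3") && ($ICMPicode == "4") ) $offset += 8;`. The comment wording "indent the padding of MTU of next hop" is unclear — presumably "skip the next-hop MTU field" is meant; please confirm against the packet layout being parsed. The enclosing block starts before the hunk.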
+@@ -556,7 +562,7 @@
+ hexdec($work[38+$offset].$work[39+$offset]);
+ $icmp_proto = hexdec($work[18+$offset].$work[19+$offset]);
+
+- $hdr_offset = ($work[$offset+1]) * 8 + offset;
++ $hdr_offset = ($work[$offset+1]) * 8 + $offset;
+ $icmp_src_port = hexdec($work[$hdr_offset].$work[$hdr_offset+1].$work[$hdr_offset+2].$work[$hdr_offset+3]);
+ $icmp_dst_port = hexdec($work[$hdr_offset+4].$work[$hdr_offset+5].$work[$hdr_offset+6].$work[$hdr_offset+7]);
+
+diff -Naur acid/acid_qry_common.php acidfp/acid_qry_common.php
+--- acid/acid_qry_common.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_qry_common.php 2003-12-17 14:16:39.000000000 -0500
+@@ -5,7 +5,7 @@
+ * Author: Roman Danyliw ,
+ * MSSQL support by Charles Hand
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * Portions Copyright (C) 2001 Iowa National Guard
+ * (see the file 'acid_main.php' for license details)
+ *
+@@ -17,67 +17,52 @@
+
+ function PrintCriteriaState()
+ {
+- GLOBAL $time, $time_cnt,
+- $sig, $sig_type,
+- $sensor,
+- $ag,
+- $ip_addr, $ip_addrs, $ip_addr_cnt,
+- $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt,
+- $tcp_flags,
+- $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt,
+- $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $data, $data_cnt,
+- $layer4, $MAX_ROWS,
+- $new, $submit, $sort_order, $num_result_rows,
+- $current_view, $caller, $action, $action_arg,
+- $sort_order, $debug_mode;
+-
+- if ( $debug_mode >= 2 )
+- {
+- echo "";
+- echo "sensor: $sensor \n
+- AG: $ag \n
+- signature ";
+- print_r($sig);
+- echo "time ($time_cnt): ";
+- print_r($time);
+- echo "IP addresses ($ip_addr_cnt): ";
+- print_r($ip_addr);
+- echo " =================================================== ";
+- print_r($ip_addrs);
+- echo "IP fields ($ip_field_cnt): ";
+- print_r($ip_field);
+- echo "TCP ports ($tcp_port_cnt): ";
+- print_r($tcp_port);
+- echo "TCP flags: ";
+- print_r($tcp_flags);
+- echo "TCP field ($tcp_field_cnt): ";
+- print_r($tcp_field);
+- echo "UDP ports ($udp_port_cnt): ";
+- print_r($udp_port);
+- echo "UDP field ($udp_field_cnt): ";
+- print_r($udp_field);
+- echo "ICMP field ($icmp_field_cnt): ";
+- print_r($icmp_field);
+- echo "Data ($data_cnt): ";
+- print_r($data);
+- echo " ";
+- }
+-
+- if ( $debug_mode >= 1 )
+- {
+- echo "
+- new: '$new'
+- submit: '$submit'
+- sort_order: '$sort_order'
+- num_result_rows: '$num_result_rows' current_view: '$current_view'
+- layer4: '$layer4' caller: '$caller'
+- action: '$action' action_arg: '$action_arg'
+- ";
+- }
++ GLOBAL $HTTP_SESSION_VARS, $layer4,
++ $new, $submit, $sort_order, $num_result_rows,
++ $current_view, $caller, $action, $action_arg,
++ $sort_order;
++
++ if ( $GLOBALS['debug_mode'] >= 2 )
++ {
++ echo "";
++ echo "sensor: ".$HTTP_SESSION_VARS['sensor']." \n".
++ "AG: ".$HTTP_SESSION_VARS['ag']." \n".
++ "signature \n";
++ print_r($HTTP_SESSION_VARS['sig']);
++ echo "time (".$HTTP_SESSION_VARS['time_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['time']);
++ echo "IP addresses (".$HTTP_SESSION_VARS['ip_addr_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['ip_addr']);
++ echo "IP fields (".$HTTP_SESSION_VARS['ip_field_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['ip_field']);
++ echo "TCP ports (".$HTTP_SESSION_VARS['tcp_port_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['tcp_port']);
++ echo "TCP flags: ";
++ print_r($HTTP_SESSION_VARS['tcp_flags']);
++ echo "TCP field (".$HTTP_SESSION_VARS['tcp_field_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['tcp_field']);
++ echo "UDP ports (".$HTTP_SESSION_VARS['udp_port_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['udp_port']);
++ echo "UDP field (".$HTTP_SESSION_VARS['udp_field_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['udp_field']);
++ echo "ICMP field (".$HTTP_SESSION_VARS['icmp_field_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['icmp_field']);
++ echo "Data (".$HTTP_SESSION_VARS['data_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['data']);
++ echo " ";
++ }
++
++ if ( $GLOBALS['debug_mode'] >= 1 )
++ {
++ echo "
++ new: '$new'
++ submit: '$submit'
++ sort_order: '$sort_order'
++ num_result_rows: '$num_result_rows' current_view: '$current_view'
++ layer4: '$layer4' caller: '$caller'
++ action: '$action' action_arg: '$action_arg'
++ ";
++ }
+ }
+
+ function FieldRows2sql($field, $cnt, &$s_sql)
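Review bot: `$sort_order` appears twice in the new `GLOBAL` list (third item on the first line and again as the last item), and `debug_mode` is read via `$GLOBALS['debug_mode']` while every other global uses the `GLOBAL` declaration; drop the duplicate and either add `$debug_mode` to the declaration or read all of them through `$GLOBALS` for consistency. The `echo "";` after the `>= 2` test is a no-op as printed (probably a stripped tag in this copy) and can go if it really is empty. This debug block prints request values (`$new`, `$submit`, …) unescaped as before; a comment stating it is debug-only output would make that explicit.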
+@@ -88,8 +73,8 @@
+ $tmp = "";
+ if ( $field[$i][3] != "" && $field[$i][1] != " ")
+ {
+- $tmp = $field[$i][0]." ".$field[$i][1]." ".$field[$i][2]."".
+- $field[$i][3]."".$field[$i][4]." ".$field[$i][5];
++ $tmp = $field[$i][0]." ".$field[$i][1]." ".$field[$i][2]." '".
++ $field[$i][3]."' ".$field[$i][4]." ".$field[$i][5];
+ }
+ else
+ {
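Review bot: Quoting `$field[$i][3]` turns it into a string literal but does not escape it; the field values originate in the criteria form (outside this hunk), so a `'` in the value still ends the literal. Unless the value is already escaped upstream, wrap it here: `$field[$i][2]." '".getSafeSQLString($field[$i][3])."' ".$field[$i][4]`, using the helper this patch already applies in acid_net.inc. FieldRows2sql starts before the hunk.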
+@@ -139,7 +124,7 @@
+ for ( $i = 0; $i < $cnt; $i++ )
+ {
+ $tmp = "";
+- if ( $field[$i][1] != " " && $field[$i][1] != "")
++ if ( isset($field[$i]) && $field[$i][1] != " " && $field[$i][1] != "")
+ {
+ $op = $field[$i][1];
+
+@@ -250,12 +235,15 @@
+ }
+ else
+ {
+- if ( ($field[$i][2] != " " || $field[$i][3] != "" || $field[$i][4] != " ") &&
++ if ( isset($field[$i]) )
++ {
++ if ( ($field[$i][2] != " " || $field[$i][3] != "" || $field[$i][4] != " ") &&
+ $field[$i][1] == " ")
+- ErrorMessage("Criteria warning: A date/time value of '".
+- $field[$i][2]."-".$field[$i][3]."-".$field[$i][4]." ".
+- $field[$i][5].":".$field[6].":".$field[7]."' was entered
+- but no operator was selected.");
++ ErrorMessage("Criteria warning: A date/time value of '".
++ $field[$i][2]."-".$field[$i][3]."-".$field[$i][4]." ".
++ $field[$i][5].":".$field[6].":".$field[7]."' was entered
++ but no operator was selected.");
++ }
+ }
+
+ if ( $i > 0 && $field[$i-1][9] == ' ' && $field[$i-1][4] != " ")
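Review bot: The re-indented warning still reads `$field[6]` and `$field[7]` where the row index is missing; every other component of the message uses `$field[$i][...]`, so the last two time components shown to the user come from the wrong array level (in practice unset, printing empty). Change the line to `$field[$i][5].":".$field[$i][6].":".$field[$i][7]."' was entered`. The added `isset($field[$i])` guard is fine, though the condition's continuation line (`$field[$i][1] == " ")`) was not re-indented with the rest of the block. The enclosing function starts before the hunk.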
+@@ -357,54 +345,10 @@
+
+ function PrintCriteria($caller)
+ {
+- GLOBAL $db, $cs, $last_num_alerts, $time, $time_cnt, $sig, $sig_type,
+- $sensor, $ag, $sig_class,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode, $save_criteria;
+-
+- /* Generate the Criteria entered into a human readable form */
+- $human_fields["ip_src"] = "Source Address";
+- $human_fields["ip_dst"] = "Dest. Address";
+- $human_fields["ip_both"] = "Source or Dest. Address";
+- $human_fields["ip_ttl"] = "TTL";
+- $human_fields["ip_tos"] = "TOS";
+- $human_fields["ip_id"] = "ID";
+- $human_fields["ip_off"] = "offset";
+- $human_fields["ip_len"] = "length";
+- $human_fields["ip_csum"] = "chksum";
+- $human_fields["layer4_sport"] = "source port";
+- $human_fields["layer4_dport"] = "dest port";
+- $human_fields[""] = "";
+- $human_fields["tcp_win"] = "window";
+- $human_fields["tcp_urp"] = "urp";
+- $human_fields["tcp_seq"] = "seq #";
+- $human_fields["tcp_ack"] = "ack";
+- $human_fields["tcp_off"] = "offset";
+- $human_fields["tcp_res"] = "res";
+- $human_fields["tcp_csum"] = "chksum";
+- $human_fields["udp_len"] = "length";
+- $human_fields["udp_csum"] = "chksum";
+- $human_fields["icmp_type"] = "type";
+- $human_fields["icmp_code"] = "code";
+- $human_fields["icmp_csum"] = "chksum";
+- $human_fields["icmp_id"] = "id";
+- $human_fields["icmp_seq"] = "seq";
+- $human_fields["LIKE"] = "contains";
+- $human_fields["="] = "=";
+- $human_fields["1"] = "F";
+- $human_fields["2"] = "S";
+- $human_fields["4"] = "R";
+- $human_fields["8"] = "P";
+- $human_fields["16"] = "A";
+- $human_fields["32"] = "U";
+- $human_fields["64"] = "[R0]";
+- $human_fields["128"] = "[R1]";
++ GLOBAL $db, $cs, $last_num_alerts,
++ $save_criteria;
+
+- //$save_criteria = ' Queried DB on : '.date("D F d, Y H:i:s",time()).'
++ /* Generate the Criteria entered into a human readable form */
+ $save_criteria = '
+
+
+@@ -430,85 +374,15 @@
+ return;
+ }
+
+-// if ( $have_meta == 1 )
+-// {
+ $tmp_len = strlen($save_criteria);
+
+- if ( $sensor != " " && $sensor != "" )
+- $save_criteria = $save_criteria.'Sensor = ['.$sensor.'] '.
+- GetSensorName($sensor, $db).
+- $cs->GetClearCriteriaString("sensor").' ';
+-
+- if ( $ag != " " && $ag != "" )
+- $save_criteria = $save_criteria.'Alert Group = ['.$ag.'] '.GetAGNameByID($ag, $db).
+- $cs->GetClearCriteriaString("ag").' ';
+-
+- if ( $sig[0] != " " && $sig[1] != "" )
+- {
+- if ( $sig[0] == '=' && $sig[2] == '!=' )
+- $tmp_human = '!=';
+- else if ( $sig[0] == '=' && $sig[2] == '=' )
+- $tmp_human = '=';
+- else if ( $sig[0] == 'LIKE' && $sig[2] == '!=' )
+- $tmp_human = ' does not contain ';
+- else if ( $sig[0] == 'LIKE' && $sig[2] == '=' )
+- $tmp_human = ' contains ';
+-
+- $save_criteria = $save_criteria.'Signature '.$tmp_human.' "';
+- if ( ($db->acidGetDBVersion() >= 100) && $sig_type == 1 )
+- $save_criteria = $save_criteria.BuildSigByID($sig[1], $db).'" '.
+- $cs->GetClearCriteriaString("sig");
+- else
+- $save_criteria = $save_criteria.$sig[1].
+- $cs->GetClearCriteriaString("sig");
+-
+- $save_criteria = $save_criteria.' ';
+- }
+-
+- if ( $db->acidGetDBVersion() >= 103 )
+- {
+- if ( $sig_class != " " && $sig_class != "" )
+- {
+- if ( $sig_class == "null")
+- $save_criteria = $save_criteria.'Signature Classification = '.
+- 'unclassified ';
+- else
+- $save_criteria = $save_criteria.'Signature Classification = '.
+- GetSigClassName($sig_class, $db).
+- $cs->GetClearCriteriaString("sig_class").' ';
+- }
+- }
+-
+- $tmp_len2 = strlen($save_criteria);
+- for ($i = 0; $i < $time_cnt; $i++)
+- {
+- if ( $time[$i][1] != " " )
+- {
+- $save_criteria = $save_criteria.''.$time[$i][0].' time '.$time[$i][1].' [ ';
+-
+- /* date */
+- if ( $time[$i][2] == " " && $time[$i][3] == "" && $time[$i][4] == " " )
+- $save_criteria = $save_criteria." any date ";
+- else
+- $save_criteria = $save_criteria.(($time[$i][2] == " ") ? "* / " : $time[$i][2]." / ").
+- (($time[$i][3] == "" ) ? "* / " : $time[$i][3]." / ").
+- (($time[$i][4] == " ") ? "* " : $time[$i][4]." ");
+- $save_criteria = $save_criteria.'] [';
+- /* time */
+- if ( $time[$i][5] == "" && $time[$i][6] == "" && $time[$i][7] == "" )
+- $save_criteria = $save_criteria."any time ";
+- else
+- $save_criteria = $save_criteria.(($time[$i][5] == "") ? "* : " : $time[$i][5]." : ").
+- (($time[$i][6] == "") ? "* : " : $time[$i][6]." : ").
+- (($time[$i][7] == "") ? "* " : $time[$i][7]." ");
+- $save_criteria = $save_criteria.$time[$i][8].$time[$i][9];
+- $save_criteria = $save_criteria.']';
+- $save_criteria = $save_criteria.' ';
+- }
+- }
+- if ( $tmp_len2 < strlen($save_criteria) )
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("time");
++ $save_criteria = $save_criteria.$cs->criteria['sensor']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['sig']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['sig_class']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['sig_priority']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['ag']->Description();
+
++ $save_criteria = $save_criteria.$cs->criteria['time']->Description();
+
+ if ( $tmp_len == strlen($save_criteria) )
+ $save_criteria = $save_criteria.'    any ';
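Review bot: The Description() results appended on L1125–L1131 end up in `$save_criteria`, which is later emitted with `echo $save_criteria;`, so the criteria classes now own the HTML escaping of user-supplied values (signature text, sensor and AG ids) that the removed inline code concatenated raw; whether Description() applies htmlspecialchars() is not visible in this patch and should be confirmed in the CriteriaState classes. A comment at the first call would record that contract: `/* Description() must return HTML-escaped text: $save_criteria is echoed verbatim below */`. The enclosing function starts before this hunk. The same point applies to the Description() calls in the IP, layer-4 and payload hunks that follow.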
+@@ -519,114 +393,28 @@
+
+ IP Criteria
+ ';
+-// if ( $have_ip == 1 )
+-// {
+
+- $tmp_len = strlen($save_criteria);
+- $have_criteria = 0;
+- for ( $i = 0; $i < $ip_addr_cnt; $i++ )
+- {
+- $tmp = "";
+- if ( isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" )
+- {
+- $tmp = $tmp.$ip_addr[$i][3];
+- if ( $ip_addr[$i][4] != "" )
+- {
+- $tmp = $tmp.".".$ip_addr[$i][4];
+- if ( $ip_addr[$i][5] != "" )
+- {
+- $tmp = $tmp.".".$ip_addr[$i][5];
+- if ( $ip_addr[$i][6] != "" )
+- {
+- if ( ($ip_addr[$i][3].".".$ip_addr[$i][4].".".
+- $ip_addr[$i][5].".".$ip_addr[$i][6]) == NULL_IP)
+- $tmp = " unknown ";
+- else
+- $tmp = $tmp.".".$ip_addr[$i][6];
+- }
+- else
+- $tmp = $tmp.'.*';
+- }
+- else
+- $tmp = $tmp.'.*.*';
+- }
+- else
+- $tmp = $tmp.'.*.*.*';
+- }
+- /* Make sure that the IP isn't blank */
+- if ( $tmp != "" )
+- {
+- $mask = "";
+- if ( $ip_addr[$i][10] != "" )
+- $mask = "/".$ip_addr[$i][10];
+-
+- $save_criteria = $save_criteria.$ip_addr[$i][0].
+- $human_fields[($ip_addr[$i][1])].' '.$ip_addr[$i][2].
+- ' '.$tmp.' '.$ip_addr[$i][8].' '.$ip_addr[$i][9].$mask.
+- $cs->GetClearCriteriaString("ip_addr")." ";
+- }
+- }
+-
+- $tmp_len2 = strlen($save_criteria);
+- for ( $i = 0; $i < $ip_field_cnt; $i++ )
+- {
+- if ($ip_field[$i][1] != " " && $ip_field[$i][3] != "" )
+- $save_criteria = $save_criteria.$ip_field[$i][0].$human_fields[($ip_field[$i][1])].' '.
+- $ip_field[$i][2].' '.$ip_field[$i][3].$ip_field[$i][4].' '.$ip_field[$i][5];
+- }
+- if ( $tmp_len2 < strlen($save_criteria) )
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("ip_field");
+-
+- if ( $tmp_len == strlen($save_criteria) )
+- $save_criteria = $save_criteria.'    any ';
++ if ( !$cs->criteria['ip_addr']->isEmpty() || !$cs->criteria['ip_field']->isEmpty() )
++ {
++ $save_criteria = $save_criteria.$cs->criteria['ip_addr']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['ip_field']->Description();
++ }
++ else
++ $save_criteria = $save_criteria.'    any ';
+
+ $save_criteria = $save_criteria.' ';
+
+- if ( $layer4 == "TCP" )
+- {
+- $save_criteria = $save_criteria.'
+-
+- TCP Criteria
+- ';
++ $save_criteria = $save_criteria.' ';
++ $save_criteria = $save_criteria.$cs->criteria['layer4']->Description();
++ $save_criteria = $save_criteria.' ';
+
+- if ( $have_tcp == 1 )
++ if ( $cs->criteria['layer4']->Get() == "TCP" )
++ {
++ if ( !$cs->criteria['tcp_port']->isEmpty() || !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty() )
+ {
+- $have_criteria = 0;
+- for ( $i = 0; $i < $tcp_port_cnt; $i++ )
+- {
+- if ($tcp_port[$i][1] != " " && $tcp_port[$i][3] != "" )
+- {
+- $save_criteria = $save_criteria.$tcp_port[$i][0].$human_fields[($tcp_port[$i][1])].' '.
+- $tcp_port[$i][2].' '.$tcp_port[$i][3].$tcp_port[$i][4].' '.$tcp_port[$i][5];
+- $have_criteria++;
+- }
+- }
+-
+- if ( $have_criteria > 0 )
+- $save_criteria = $save_criteria. $cs->GetClearCriteriaString("tcp_port").' ';
+-
+- if ( isset($tcp_flags[$i][0]) && ($tcp_flags[$i][0] != " ") && ($tcp_flags[$i][0] != "") )
+- {
+- $save_criteria = $save_criteria.'flags '.$tcp_flags[0].' ';
+- for ( $i = 8; $i >=1; $i-- )
+- if ( $tcp_flags[$i] == "" )
+- $save_criteria = $save_criteria.'-';
+- else
+- $save_criteria = $save_criteria.$human_fields[($tcp_flags[$i])];
+- $save_criteria = $save_criteria.
+- $cs->GetClearCriteriaString("tcp_flags").' ';
+- }
+-
+- $have_criteria = 0;
+- for ( $i = 0; $i < $tcp_field_cnt; $i++ )
+- if ($tcp_field[$i][1] != " " && $tcp_field[$i][3] != "" )
+- {
+- $save_criteria = $save_criteria.$tcp_field[$i][0].$human_fields[($tcp_field[$i][1])].' '.
+- $tcp_field[$i][2].' '.$tcp_field[$i][3].$tcp_field[$i][4].' '.$tcp_field[$i][5];
+- $have_criteria = 1;
+- }
+- if ( $have_criteria )
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("tcp_field");
++ $save_criteria = $save_criteria.$cs->criteria['tcp_port']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['tcp_flags']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['tcp_field']->Description();
+ }
+ else
+ $save_criteria = $save_criteria.'    any ';
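Review bot: `$cs->criteria['layer4']->Get()` is evaluated on L1220 and again at the head of the UDP and ICMP branches in the next two hunks (L1271, L1319); reading it once into a local before the chain, `$layer4 = $cs->criteria['layer4']->Get();`, keeps the `if`/`else if` comparisons short and guarantees every branch tests the same value. The isEmpty()-then-Description() pairing on L1222 and L1260–L1262 is repeated almost verbatim per protocol; a small helper taking a list of criteria keys would collapse the three near-identical blocks. The enclosing function starts before this hunk.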
+@@ -634,43 +422,12 @@
+ $save_criteria = $save_criteria.' ';
+ }
+
+- else if ( $layer4 == "UDP" )
++ else if ( $cs->criteria['layer4']->Get() == "UDP" )
+ {
+- $save_criteria = $save_criteria.'
+-
+- UDP Criteria
+- ';
+-
+- if ( $have_udp == 1 )
++ if ( !$cs->criteria['udp_port']->isEmpty() || !$cs->criteria['udp_field']->isEmpty() )
+ {
+-
+- $have_criteria = 0;
+- for ( $i = 0; $i < $udp_port_cnt; $i++ )
+- {
+- if ($udp_port[$i][1] != " " && $udp_port[$i][3] != "" )
+- {
+- $save_criteria = $save_criteria.$udp_port[$i][0].$human_fields[($udp_port[$i][1])].' '.
+- $udp_port[$i][2].' '.$udp_port[$i][3].$udp_port[$i][4].' '.$udp_port[$i][5];
+- $have_criteria = 1;
+- }
+- }
+-
+- if ($have_criteria)
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("udp_port").' ';
+-
+- $have_criteria = 0;
+- for ( $i = 0; $i < $udp_field_cnt; $i++ )
+- {
+- if ($udp_field[$i][1] != " " && $udp_field[$i][3] != "" )
+- {
+- $save_criteria = $save_criteria.$udp_field[$i][0].$human_fields[($udp_field[$i][1])].' '.
+- $udp_field[$i][2].' '.$udp_field[$i][3].$udp_field[$i][4].' '.$udp_field[$i][5];
+- $have_criteria = 1;
+- }
+- }
+-
+- if ( $have_criteria )
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("udp_field");
++ $save_criteria = $save_criteria.$cs->criteria['udp_port']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['udp_field']->Description();
+ }
+ else
+ $save_criteria = $save_criteria.'    any ';
+@@ -678,36 +435,20 @@
+ $save_criteria = $save_criteria.' ';
+ }
+
+- else if ( $layer4 == "ICMP" )
++ else if ( $cs->criteria['layer4']->Get() == "ICMP" )
+ {
+- $save_criteria = $save_criteria.'
+-
+- ICMP Criteria
+- ';
+-
+- if ( $have_icmp == 1 )
++ if ( !$cs->criteria['icmp_field']->isEmpty() )
+ {
+- for ( $i = 0; $i < $icmp_field_cnt; $i++ )
+- {
+- if ($icmp_field[$i][1] != " " && $icmp_field[$i][3] != "" )
+- $save_criteria = $save_criteria.$icmp_field[$i][0].$human_fields[($icmp_field[$i][1])].' '.
+- $icmp_field[$i][2].' '.$icmp_field[$i][3].$icmp_field[$i][4].' '.$icmp_field[$i][5];
+- }
+-
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("icmp_field");
++ $save_criteria = $save_criteria.$cs->criteria['icmp_field']->Description();
+ }
+ else
+ $save_criteria = $save_criteria.'    any ';
+
+ $save_criteria = $save_criteria.' ';
+ }
+-
+ else
+ {
+- $save_criteria = $save_criteria.'
+-
+- Layer 4 Criteria
+-    none ';
++ $save_criteria = $save_criteria.'    none ';
+ }
+
+ /* Payload ************** */
+@@ -715,26 +456,9 @@
+
+ Payload Criteria
+ ';
+- if ( $have_data == 1 )
+- {
+- if ( $data_encode[0] != " " && $data_encode[1] != " ")
+- {
+- $save_criteria = $save_criteria.' (data encoded as '.$data_encode[0];
+- $save_criteria = $save_criteria.' => '.$data_encode[1];
+- $save_criteria = $save_criteria.') ';
+- }
+- else
+- $save_criteria = $save_criteria.' (no data conversion, assuming criteria in DB native encoding) ';
+-
+- for ( $i = 0; $i < $data_cnt; $i++ )
+- {
+- if ($data[$i][1] != " " && $data[$i][2] != "" )
+- $save_criteria = $save_criteria.$data[$i][0].$data[$i][1].' "'.$data[$i][2].
+- '" '.$data[$i][3].' '.$data[$i][4];
+- }
+-
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("data");
+- }
++
++ if ( !$cs->criteria['data']->isEmpty() )
++ $save_criteria = $save_criteria.$cs->criteria['data']->Description();
+ else
+ $save_criteria = $save_criteria.'    any ';
+
+@@ -758,20 +482,13 @@
+ ' '.
+ '
';
+
+-
+ echo $save_criteria;
+ }
+
+ /********************************************************************************************/
+ function ProcessCriteria()
+ {
+- GLOBAL $db, $time, $time_cnt, $sig, $sig_type, $sig_class, $sensor, $ag,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode, $save_criteria,
++ GLOBAL $db,
+ $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode,
+ $caller, $DBtype;
+
+@@ -794,10 +511,43 @@
+
+ /* ********************** Meta Criteria ******************************************** */
+
++ /* XXX-SEC */
++ GLOBAL $cs;
++
++ $sig = $cs->criteria['sig']->criteria;
++ $sig_type = $cs->criteria['sig']->sig_type;
++ $sig_class = $cs->criteria['sig_class']->criteria;
++ $sig_priority = $cs->criteria['sig_priority']->criteria;
++ $ag = $cs->criteria['ag']->criteria;
++ $sensor = $cs->criteria['sensor']->criteria;
++ $time = $cs->criteria['time']->criteria;
++ $time_cnt = $cs->criteria['time']->GetFormItemCnt();
++ $ip_addr = $cs->criteria['ip_addr']->criteria;
++ $ip_addr_cnt = $cs->criteria['ip_addr']->GetFormItemCnt();
++ $layer4 = $cs->criteria['layer4']->criteria;
++ $ip_field = $cs->criteria['ip_field']->criteria;
++ $ip_field_cnt = $cs->criteria['ip_field']->GetFormItemCnt();
++ $tcp_port = $cs->criteria['tcp_port']->criteria;
++ $tcp_port_cnt = $cs->criteria['tcp_port']->GetFormItemCnt();
++ $tcp_flags = $cs->criteria['tcp_flags']->criteria;
++ $tcp_field = $cs->criteria['tcp_field']->criteria;
++ $tcp_field_cnt = $cs->criteria['tcp_field']->GetFormItemCnt();
++ $udp_port = $cs->criteria['udp_port']->criteria;
++ $udp_port_cnt = $cs->criteria['udp_port']->GetFormItemCnt();
++ $udp_field = $cs->criteria['udp_field']->criteria;
++ $udp_field_cnt = $cs->criteria['udp_field']->GetFormItemCnt();
++ $icmp_field = $cs->criteria['icmp_field']->criteria;
++ $icmp_field_cnt= $cs->criteria['icmp_field']->GetFormItemCnt();
++ $data = $cs->criteria['data']->criteria;
++ $data_cnt = $cs->criteria['data']->GetFormItemCnt();
++ $data_encode = $cs->criteria['data']->data_encode;
++
+ $tmp_meta = "";
+ /* Sensor */
+ if ( $sensor != "" && $sensor != " " )
+- $tmp_meta = $tmp_meta." AND acid_event.sid=".$sensor;
++ $tmp_meta = $tmp_meta." AND acid_event.sid='".$sensor."'";
++ else
++ $cs->criteria['sensor']->Set("");
+
+ /* Alert Group */
+ if ( $ag != "" && $ag != " " )
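Review bot: Wrapping `$sensor` in single quotes on L1447 does not by itself make the concatenated SQL safe: the value still reaches the statement unescaped, and since a sensor id is numeric the tighter fix is to validate it as a digit string before use (the patch already uses `ImportHTTPVar("new", VAR_DIGIT)` in acid_qry_main.php for the same purpose) or to pass it through the database layer's escaping. The `/* XXX-SEC */` marker on L1412 should say what it flags, e.g. `/* XXX-SEC: the criteria values copied below come from the form/session and are concatenated into SQL; each must be validated or escaped before use */`. The second `GLOBAL $cs;` on L1413 would read more naturally merged into the function's GLOBAL list in the previous hunk (L1404–L1406). ProcessCriteria's body continues in the following hunks.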
+@@ -805,9 +555,11 @@
+ $tmp_meta = $tmp_meta." AND ag_id =".$ag;
+ $join_sql = $join_sql.$ag_join_sql;
+ }
++ else
++ $cs->criteria['ag']->Set("");
+
+ /* Signature */
+- if ( $sig[0] != " " && $sig[0] != "" && $sig[1] != "" )
++ if ( (isset($sig[0]) && $sig[0] != " " && $sig[0] != "") && (isset($sig[1]) && $sig[1] != "") )
+ {
+ $sig_neg = "";
+ if ( $sig[2] == "!=" )
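Review bot: The isset() guards added on L1462 cover `$sig[0]` and `$sig[1]`, but the very next test on L1465 reads `$sig[2]` without one, so a criteria array with only two entries still raises an undefined-index notice; `if ( isset($sig[2]) && $sig[2] == "!=" )` closes that gap. Separately, `$ag` on L1454 is still concatenated bare into `ag_id =` while this commit quotes `$sensor` and `$sig_class`; whichever validation or escaping is chosen for those should be applied here as well rather than leaving one identifier on the old path. The enclosing function continues outside this hunk.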
+@@ -839,35 +591,44 @@
+ $tmp_meta = $tmp_meta." AND ".$sig_neg." (signature LIKE '%".$sig[1]."%') ";
+ }
+ }
++ else
++ $cs->criteria['sig']->Set("");
+
+ /* Signature Classification */
+ if ( $sig_class != " " && $sig_class != "" && $sig_class != "0")
+ {
+- $tmp_meta = $tmp_meta." AND sig_class_id = ".$sig_class;
++ $tmp_meta = $tmp_meta." AND sig_class_id = '".$sig_class."'";
+ }
+ else if ($sig_class == "0")
+ {
+- $tmp_meta = $tmp_meta." AND (sig_class_id is null OR sig_class_id = 0)";
++ $tmp_meta = $tmp_meta." AND (sig_class_id is null OR sig_class_id = '0')";
+ }
++ else
++ $cs->criteria['sig_class']->Set("");
+
+- /* Date/Time */
+- DateTimeRows2sql($time, $time_cnt, $tmp_meta);
+-
+- if ( $tmp_meta != "" )
++ /* Signature Priority */
++ if ( $sig_priority[1] != " " && $sig_priority[1] != "" && $sig_priority[1] != "0")
++ {
++ $tmp_meta = $tmp_meta." AND sig_priority ".$sig_priority[0]." '".$sig_priority[1]."'";
++ }
++ else if ($sig_priority[1] == "0")
+ {
+- $have_meta = 1;
+- $criteria_sql = $criteria_sql.$tmp_meta;
++ $tmp_meta = $tmp_meta." AND (sig_priority is null OR sig_priority = '0')";
+ }
+ else
+- $have_meta = 0;
++ $cs->criteria['sig_priority']->Set("");
+
+- /* ********************** IP Criteria ********************************************** */
++ /* Date/Time */
++ if ( DateTimeRows2sql($time, $time_cnt, $tmp_meta) == 0 )
++ $cs->criteria['time']->SetFormItemCnt(0);
+
+- // $tmp_cnt = strlen($criteria_sql);
++ $criteria_sql = $criteria_sql.$tmp_meta;
++
++ /* ********************** IP Criteria ********************************************** */
+
+ /* IP Addresses */
+ $tmp2 = "";
+-
++
+ for ( $i = 0; $i < $ip_addr_cnt; $i++ )
+ {
+ $tmp = "";
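Review bot: On L1494 `$sig_priority[0]` is spliced into the statement as the comparison operator, so the shape of the SQL, not just a value, is taken from the criteria state; the operator should be checked against the fixed set the form offers before concatenation, e.g. `if ( !in_array($sig_priority[0], array("=", "!=", "<", "<=", ">", ">="), true) ) $sig_priority[0] = "=";` or, better, the row should be dropped. The same pattern already exists for `$ip_addr[$i][1]` and `$ip_addr[$i][2]` on L1528 in the next hunk, so a shared allowlist helper is worth adding. `$sig_priority[1]` on L1492 and L1496 is also read without the isset() guard this commit adds for `$sig` on L1462. The `DateTimeRows2sql(...) == 0` test on L1508 assumes the helper now returns a row count; that contract lives outside this file and should be named in the comment on L1507.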
+@@ -888,11 +649,11 @@
+ {
+ if ( $ip_addr[$i][10] == "" )
+ {
+- $tmp = $tmp." acid_event.".$ip_addr[$i][1].$ip_addr[$i][2].
++ $tmp = $tmp." acid_event.".$ip_addr[$i][1].$ip_addr[$i][2]."'".
+ acidIP2Long($ip_addr[$i][3].".".
+ $ip_addr[$i][4].".".
+ $ip_addr[$i][5].".".
+- $ip_addr[$i][6])." ";
++ $ip_addr[$i][6])."' ";
+ }
+ else
+ {
+@@ -905,10 +666,10 @@
+ else
+ $tmp_op = "";
+
+- $tmp = $tmp.$tmp_op." (acid_event.".$ip_addr[$i][1].">=".
+- acidIP2Long($mask[0])." AND ".
+- "acid_event.".$ip_addr[$i][1]."<=".
+- acidIP2Long($mask[1]).")";
++ $tmp = $tmp.$tmp_op." (acid_event.".$ip_addr[$i][1].">= '".
++ acidIP2Long($mask[0])."' AND ".
++ "acid_event.".$ip_addr[$i][1]."<= '".
++ acidIP2Long($mask[1])."')";
+ }
+ }
+ }
+@@ -923,8 +684,9 @@
+ else
+ $tmp = "(".$tmp_src.') AND ('.$tmp_dst.')';
+ }
+-
+- $tmp = $ip_addr[$i][0]."(".$tmp.")".$ip_addr[$i][8].$ip_addr[$i][9];
++
++ if ( $tmp != "" )
++ $tmp = $ip_addr[$i][0]."(".$tmp.")".$ip_addr[$i][8].$ip_addr[$i][9];
+ }
+ else if ( (isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" ) || $ip_addr[$i][1] != " " )
+ {
+@@ -959,42 +721,38 @@
+
+ if ( $tmp2 != "" )
+ $criteria_sql = $criteria_sql." AND ( ".$tmp2." )";
+-
+- $tmp_cnt = strlen($criteria_sql);
++ else
++ $cs->criteria['ip_addr']->SetFormItemCnt(0);
+
+ /* IP Fields */
+- FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql);
+-
+- if ( $tmp_cnt != strlen($criteria_sql) )
+- $have_ip = 1;
+- else
+- $have_ip = 0;
++ if ( FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql) == 0 )
++ $cs->criteria['ip_field']->SetFormItemCnt(0);
+
+ /* Layer-4 encapsulation */
+- /* if ( $caller != "" $caller == "" ||
+- $caller == "last_tcp" || $caller == "last_udp" || $caller == "last_icmp" ) */
+- if ( $layer4 == "TCP" )
+- $criteria_sql = $criteria_sql." AND acid_event.ip_proto= 6";
+- else if ( $layer4 == "UDP" )
+- $criteria_sql = $criteria_sql." AND acid_event.ip_proto= 17";
+- else if ( $layer4 == "ICMP" )
+- $criteria_sql = $criteria_sql." AND acid_event.ip_proto= 1";
++ if ( $layer4 == "TCP" )
++ $criteria_sql = $criteria_sql." AND acid_event.ip_proto= '6'";
++ else if ( $layer4 == "UDP" )
++ $criteria_sql = $criteria_sql." AND acid_event.ip_proto= '17'";
++ else if ( $layer4 == "ICMP" )
++ $criteria_sql = $criteria_sql." AND acid_event.ip_proto= '1'";
++ else
++ $cs->criteria['layer4']->Set("");
+
+- /* Build the final IP criteria */
+- if ( $have_ip == 1 )
++ /* Join the iphdr table if necessary */
++ if ( !$cs->criteria['ip_field']->isEmpty() )
+ $join_sql = $ip_join_sql.$join_sql;
+
+ /* ********************** TCP Criteria ********************************************** */
+ if ( $layer4 == "TCP" )
+ {
+- $have_tcp = 0;
+ $proto_tmp = "";
+ /* TCP Ports */
+- FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp);
+- if ( $proto_tmp != "" ) $have_tcp = 1;
++ if ( FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp) == 0 )
++ $cs->criteria['tcp_port']->SetFormItemCnt(0);
++
+ $criteria_sql = $criteria_sql.$proto_tmp;
++
+ $proto_tmp = "";
+-
+ /* TCP Flags */
+ if ( isset($tcp_flags) )
+ {
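Review bot: The iphdr join on L1604–L1605 is now added only when `ip_field` is non-empty, whereas the removed `$have_ip` test also counted a non-empty `ip_addr`; this is correct only if every ip_addr clause refers to `acid_event.` columns, which the visible clauses on L1528 and L1545 do, so the change looks intentional but the comment on L1603 should say so: `/* Join iphdr only for ip_field criteria; ip_addr clauses use acid_event columns */`. The `== 0` test on L1580 relies on FieldRows2sql returning the number of rows it emitted; that helper is outside this file, so confirm its return value (rather than its output string) is the intended signal, since the same test is used on L1615, L1630, L1657, L1665 and L1686.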
+@@ -1012,17 +770,18 @@
+ }
+
+ /* TCP Fields */
+- FieldRows2sql($tcp_field, $tcp_field_cnt, $proto_tmp);
++ if ( FieldRows2sql($tcp_field, $tcp_field_cnt, $proto_tmp) == 0 )
++ $cs->criteria['tcp_field']->SetFormItemCnt(0);
+
+ /* TCP Options
+ * - not implemented
+ */
+
+- if ( $proto_tmp != "" )
++ if ( !$cs->criteria['tcp_port']->isEmpty() || !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty() )
+ {
+- $have_tcp = 1;
+ $criteria_sql = $criteria_sql.$proto_tmp;
+- $join_sql = $tcp_join_sql.$join_sql;
++ if ( !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty() )
++ $join_sql = $tcp_join_sql.$join_sql;
+ }
+ }
+
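Review bot: The `!isEmpty()` tests for `tcp_flags` on L1638 and L1643 depend on the flags criterion being reset when it contributes no SQL, as L1631 does for `tcp_field` via `SetFormItemCnt(0)`; the flags branch (cut at the top of this hunk) shows no equivalent reset, so confirm the tcp_flags object's isEmpty() reflects the form state on its own or add the reset there. A comment on L1638 stating why the join is conditional would help: `/* port clauses only reference acid_event; flags/fields need the tcp join */`. The UDP hunk that follows (L1669–L1675) has the same structure and the same open question.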
+@@ -1030,22 +789,23 @@
+ if ( $layer4 == "UDP" )
+ {
+ $proto_tmp = "";
+- $have_udp = 0;
+
+ /* UDP Ports */
+- FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp);
+- if ( $proto_tmp != "" ) $have_udp = 1;
++ if ( FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp) == 0 )
++ $cs->criteria['udp_port']->SetFormItemCnt(0);
++
+ $criteria_sql = $criteria_sql.$proto_tmp;
+ $proto_tmp = "";
+
+ /* UDP Fields */
+- FieldRows2sql($udp_field, $udp_field_cnt, $proto_tmp);
++ if ( FieldRows2sql($udp_field, $udp_field_cnt, $proto_tmp) == 0 )
++ $cs->criteria['udp_field']->SetFormItemCnt(0);
+
+- if ( $proto_tmp != "" )
++ if ( !$cs->criteria['udp_port']->isEmpty() || !$cs->criteria['udp_field']->isEmpty() )
+ {
+- $have_udp = 1;
+ $criteria_sql = $criteria_sql.$proto_tmp;
+- $join_sql = $udp_join_sql.$join_sql;
++ if ( !$cs->criteria['udp_field']->isEmpty() )
++ $join_sql = $udp_join_sql.$join_sql;
+ }
+ }
+
+@@ -1053,33 +813,30 @@
+ if ( $layer4 == "ICMP" )
+ {
+ $proto_tmp = "";
++
+ /* ICMP Fields */
+- FieldRows2sql($icmp_field, $icmp_field_cnt, $proto_tmp);
++ if ( FieldRows2sql($icmp_field, $icmp_field_cnt, $proto_tmp) == 0 )
++ $cs->criteria['icmp_field']->SetFormItemCnt(0);
+
+- if ( $proto_tmp != "" )
++ if ( !$cs->criteria['icmp_field']->isEmpty() )
+ {
+- $have_icmp = 1;
+ $criteria_sql = $criteria_sql.$proto_tmp;
+ $join_sql = $icmp_join_sql.$join_sql;
+ }
+- else
+- $have_icmp = 0;
+ }
+
+ /* ********************** Payload Criteria ***************************************** */
+
+ $tmp_payload = "";
+- DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload);
++ if ( DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload) == 0 )
++ $cs->criteria['data']->SetFormItemCnt(0);
+
+- if ( $tmp_payload != "" )
++ if ( !$cs->criteria['data']->isEmpty() )
+ {
+- $have_data = 1;
+ $criteria_sql = $criteria_sql.$tmp_payload;
+ $join_sql = $data_join_sql.$join_sql;
+ }
+- else
+- $have_data = 0;
+-
++
+ $csql[0] = $join_sql;
+ $csql[1] = $criteria_sql;
+
+diff -Naur acid/acid_qry_form.php acidfp/acid_qry_form.php
+--- acid/acid_qry_form.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_qry_form.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,40 +4,40 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: renders the HTML form to gather search criteria
+ *
+ */
+
+-if ( $submit == "TCP" ) { $layer4 = "TCP"; }
+-if ( $submit == "UDP" ) { $layer4 = "UDP"; }
+-if ( $submit == "ICMP" ) { $layer4 = "ICMP"; }
+-if ( $submit == "no layer4" ) { $layer4 = ""; }
+-
+-if ( $submit == "ADD Time" && $time_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $time_cnt, $time, TIME_CFCNT);
+-if ( $submit == "ADD Addr" && $ip_addr_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $ip_addr_cnt, $ip_addr, IPADDR_CFCNT);
+-if ( $submit == "ADD IP Field" && $ip_field_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $ip_field_cnt, $ip_field, PROTO_CFCNT);
++if ( $submit == "TCP" ) { $cs->criteria['layer4']->Set("TCP"); }
++if ( $submit == "UDP" ) { $cs->criteria['layer4']->Set("UDP"); }
++if ( $submit == "ICMP" ) { $cs->criteria['layer4']->Set("ICMP"); }
++if ( $submit == "no layer4" ) { $cs->criteria['layer4']->Set(""); }
++
++if ( $submit == "ADD Time" && $cs->criteria['time']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['time']->AddFormItem($submit, $cs->criteria['layer4']->Get());
++if ( $submit == "ADD Addr" && $cs->criteria['ip_addr']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['ip_addr']->AddFormItem($submit, $cs->criteria['layer4']->Get());
++if ( $submit == "ADD IP Field" && $cs->criteria['ip_field']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['ip_field']->AddFormItem($submit, $cs->criteria['layer4']->Get());
+ /*if ( $submit == "ADD IP Option Field" && $ip_opt_cnt < $MAX_ROWS)
+ { $submit = $layer4; $ip_opt_cnt++; }*/
+-if ( $submit == "ADD TCP Port" && $tcp_port_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $tcp_port_cnt, $tcp_port, TCPPORT_CFCNT);
+-if ( $submit == "ADD TCP Field" && $tcp_field_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $tcp_field_cnt, $tcp_field, PROTO_CFCNT);
++if ( $submit == "ADD TCP Port" && $cs->criteria['tcp_port']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['tcp_port']->AddFormItem($submit, $cs->criteria['layer4']->Get());
++if ( $submit == "ADD TCP Field" && $cs->criteria['tcp_field']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['tcp_field']->AddFormItem($submit, $cs->criteria['layer4']->Get());
+ /*if ( $submit == "ADD TCP Option Field" && $tcp_opt_cnt < $MAX_ROWS)
+ { $submit = $layer4; $tcp_opt_cnt++; } */
+-if ( $submit == "ADD UDP Port" && $udp_port_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $udp_port_cnt, $udp_port, PROTO_CFCNT);
+-if ( $submit == "ADD UDP Field" && $udp_field_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $udp_field_cnt, $udp_field, PROTO_CFCNT);
+-if ( $submit == "ADD ICMP Field" && $icmp_field_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $icmp_field_cnt, $icmp_field, PROTO_CFCNT);
+-if ( $submit == "ADD Payload" && $data_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $data_cnt, $data, PAYLOAD_CFCNT);
++if ( $submit == "ADD UDP Port" && $cs->criteria['udp_port']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['udp_port']->AddFormItem($submit, $cs->criteria['layer4']->Get());
++if ( $submit == "ADD UDP Field" && $cs->criteria['udp_field']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['udp_field']->AddFormItem($submit, $cs->criteria['layer4']->Get());
++if ( $submit == "ADD ICMP Field" && $cs->criteria['icmp_field']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['icmp_field']->AddFormItem($submit, $cs->criteria['layer4']->Get());
++if ( $submit == "ADD Payload" && $cs->criteria['data']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['data']->AddFormItem($submit, $cs->criteria['layer4']->Get());
+
+ echo '
+
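Review bot: The four `$submit` → layer4 assignments on L1747–L1750 and the nine ADD handlers on L1752–L1785 are one statement repeated with a different criteria key; a lookup such as `$add_targets = array("ADD Time" => 'time', "ADD Addr" => 'ip_addr', "ADD IP Field" => 'ip_field', ...);` followed by a single guarded `AddFormItem` call would make adding a criterion a one-line change. Every AddFormItem call also re-reads `$cs->criteria['layer4']->Get()`; read it once into a local above the chain. `$submit` arrives from `ImportHTTPVar("submit")` in acid_qry_main.php with no type restriction and is forwarded into AddFormItem on each branch, so confirm AddFormItem treats that argument as an opaque label and never echoes it unescaped.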
+@@ -50,93 +50,25 @@
+ ';
+
+@@ -208,73 +93,13 @@
+ ';
+
+-if ( $layer4 == "TCP" )
++if ( $cs->criteria['layer4']->Get() == "TCP" )
+ {
+ echo '
+
+@@ -344,79 +152,16 @@
+
+ echo 'Port: ';
+ echo ' ';
+- for ( $i = 0; $i < $tcp_port_cnt; $i++ )
+- {
+- echo ' __';
+- echo ' ( ';
+- echo ' { port }';
+- echo ' Source';
+- echo ' Dest ';
+- echo ' =';
+- echo ' !=';
+- echo ' <';
+- echo ' <=';
+- echo ' "). '>>';
+- echo ' =").'>>= ';
+- echo ' ';
+- echo ' __';
+- echo ' (';
+- echo ' ) ';
+- echo ' __';
+- echo ' OR';
+- echo ' AND ';
+- if ( $i == $tcp_port_cnt-1 )
+- echo ' ';
+- echo ' ';
+- }
++ $cs->criteria['tcp_port']->PrintForm();
+
+ echo '
+
+ Flags: ';
+- echo '{ flags }';
+- echo ' is';
+- echo ' contains ';
+- echo ' ';
+- echo ' [RSV1]  ';
+- echo ' [RSV0]  ';
+- echo ' [URG]  ';
+- echo ' [ACK]  ';
+- echo ' [PSH]  ';
+- echo ' [RST]  ';
+- echo ' [SYN]  ';
+- echo ' [FIN]  ';
+- echo ' ';
++ $cs->criteria['tcp_flags']->PrintForm();
+
+ echo ' Misc: ';
+ echo ' ';
+- for ( $i = 0; $i < $tcp_field_cnt; $i++ )
+- {
+- echo ' __';
+- echo ' ( ';
+- echo ' { field }';
+- echo ' seq #';
+- echo ' ack';
+- echo ' offset';
+- echo ' res';
+- echo ' window';
+- echo ' chksum';
+- echo ' urp ';
+- echo ' =';
+- echo ' !=';
+- echo ' <';
+- echo ' <=';
+- echo ' "). '>>';
+- echo ' =").'>>= ';
+- echo ' ';
+- echo ' __';
+- echo ' (';
+- echo ' ) ';
+- echo ' __';
+- echo ' OR';
+- echo ' AND ';
+- if ( $i == $tcp_field_cnt-1 )
+- echo ' ';
+- echo ' ';
+- }
++ $cs->criteria['tcp_field']->PrintForm();
+
+ /* echo ' Option: ';
+ echo ' ';
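Review bot: Replacing the inline echo loops with `$cs->criteria['tcp_port']->PrintForm()` (L1828, L1846, L1879) moves the re-rendering of previously submitted values into the criteria classes; the removed loops presumably wrote those values back into input attributes, so PrintForm() must apply htmlspecialchars() to everything it emits, which this patch does not show. A comment at the first call records where that responsibility now lives: `/* PrintForm() re-renders submitted values; it is responsible for HTML-escaping them */`. The same applies to the UDP and ICMP PrintForm() calls in the later hunks of this file.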
+@@ -449,7 +194,7 @@
+
';
+ }
+
+-if ( $layer4 == "UDP" )
++if ( $cs->criteria['layer4']->Get() == "UDP" )
+ {
+ echo '
+
+@@ -464,64 +209,17 @@
+
+ echo 'Port: ';
+ echo ' ';
+- for ( $i = 0; $i < $udp_port_cnt; $i++ )
+- {
+- echo ' __';
+- echo ' ( ';
+- echo ' { port }';
+- echo ' Source';
+- echo ' Dest ';
+- echo ' =';
+- echo ' !=';
+- echo ' <';
+- echo ' <=';
+- echo ' "). '>>';
+- echo ' =").'>>= ';
+- echo ' ';
+- echo ' __';
+- echo ' (';
+- echo ' ) ';
+- echo ' __';
+- echo ' OR';
+- echo ' AND ';
+- if ( $i == $udp_port_cnt-1 )
+- echo ' ';
+- echo ' ';
+- }
++ $cs->criteria['udp_port']->PrintForm();
+
+ echo ' Misc: ';
+ echo ' ';
+- for ( $i = 0; $i < $udp_field_cnt; $i++ )
+- {
+- echo ' __';
+- echo ' ( ';
+- echo ' { field }';
+- echo ' length';
+- echo ' chksum ';
+- echo ' =';
+- echo ' !=';
+- echo ' <';
+- echo ' <=';
+- echo ' "). '>>';
+- echo ' =").'>>= ';
+- echo ' ';
+- echo ' __';
+- echo ' (';
+- echo ' ) ';
+- echo ' __';
+- echo ' OR';
+- echo ' AND ';
+- if ( $i == $udp_field_cnt-1 )
+- echo ' ';
+- echo ' ';
+- }
+-
++ $cs->criteria['udp_field']->PrintForm();
+ echo'
+ ';
+ }
+
+
+-if ( $layer4 == "ICMP" )
++if ( $cs->criteria['layer4']->Get() == "ICMP" )
+ {
+ echo '
+
+@@ -537,35 +235,7 @@
+
+ echo ' Misc: ';
+ echo ' ';
+- for ( $i = 0; $i < $icmp_field_cnt; $i++ )
+- {
+- echo ' __';
+- echo ' ( ';
+- echo '
+- { field }';
+- echo ' type';
+- echo ' code';
+- echo ' id';
+- echo ' seq #';
+- echo ' chksum ';
+- echo '
+- =';
+- echo ' !=';
+- echo ' <';
+- echo ' <=';
+- echo ' "). '>>';
+- echo ' =").'>>= ';
+- echo ' ';
+- echo ' __';
+- echo ' (';
+- echo ' ) ';
+- echo ' __';
+- echo ' OR';
+- echo ' AND ';
+- if ( $i == $icmp_field_cnt-1 )
+- echo ' ';
+- echo ' ';
+- }
++ $cs->criteria['icmp_field']->PrintForm();
+ echo '
+ ';
+ }
+@@ -581,37 +251,9 @@
+
+ ';
+
+diff -Naur acid/acid_qry_main.php acidfp/acid_qry_main.php
+--- acid/acid_qry_main.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_qry_main.php 2003-12-17 14:17:10.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose:
+@@ -50,109 +50,6 @@
+ *
+ * $sort_order: how to sort the output
+ *
+- * Meta
+- * ====
+- *
+- * $ag: AG ID
+- *
+- * $sensor: sensor ID
+- *
+- * $sig[3]: stores signature
+- * - [0] : exactly, roughly [1] : signature
+- * - [2] : =, !=
+- *
+- * $sig_class: signature classification
+- *
+- * $time[MAX][10]: stores the date/time of the packet detection
+- * - [][0] : ( [][5] : hour
+- * - [][1] : =, !=, <, <=, >, >= [][6] : minute
+- * - [][2] : month [][7] : second
+- * - [][3] : day [][8] : (, )
+- * - [][4] : year [][9] : AND, OR
+- *
+- * $time_cnt : number of rows in the $time[][] structure
+- *
+- * IP Variables
+- * ============
+- *
+- * $ip_addr[MAX][10]: stores an ip address parameters/operators row
+- * - [][0] : ( [][5] : octet3 of address
+- * - [][1] : source, dest [][6] : octet4 of address
+- * - [][2] : =, != [][7] : network mask
+- * - [][3] : octet1 of address [][8] : (, )
+- * - [][4] : octet2 of address [][9] : AND, OR
+- *
+- * $ip_addr_cnt: number of rows in the $ip_addr[][] structure
+- *
+- * $ip_field[MAX][6]: stores all other ip fields parameters/operators row
+- * - [][0] : ( [][3] : field value
+- * - [][1] : TOS, TTL, ID, offset, length [][4] : (, )
+- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+- *
+- * $ip_field_cnt: number of rows in the $ip_field[][] structure
+- *
+- * TCP Variables
+- * =============
+- *
+- * $tcp_port[MAX][6]: stores all port parameters/operators row
+- * - [][0] : ( [][3] : port value
+- * - [][1] : Source Port, Dest Port [][4] : (, )
+- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+- *
+- * $tcp_port_cnt: number of rows in the $tcp_port[][] structure
+- *
+- * $tcp_flags[7]: stores all other tcp flags parameters/operators row
+- * - [0] : is, contains [4] : 8 (RST)
+- * - [1] : 1 (FIN) [5] : 16 (ACK)
+- * - [2] : 2 (SYN) [6] : 32 (URG)
+- * - [3] : 4 (PUSH)
+- *
+- * $tcp_field[MAX][6]: stores all other tcp fields parameters/operators row
+- * - [][0] : ( [][3] : field value
+- * - [][1] : windows, URP [][4] : (, )
+- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+- *
+- * $tcp_field_cnt: number of rows in the $tcp_field[][] structure
+- *
+- * UDP Variables
+- * =============
+- *
+- * $udp_port[MAX][6]: stores all port parameters/operators row
+- * - [][0] : ( [][3] : port value
+- * - [][1] : Source Port, Dest Port [][4] : (, )
+- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+- *
+- * $udp_port_cnt: number of rows in the $udp_port[][] structure
+- *
+- * $udp_field[MAX][6]: stores all other udp fields parameters/operators row
+- * - [][0] : ( [][3] : field value
+- * - [][1] : length [][4] : (, )
+- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+- *
+- * $udp_field_cnt: number of rows in the $udp_field[][] structure
+- *
+- * ICMP Variables
+- * ==============
+- * $icmp_field[MAX][6]: stores all other icmp fields parameters/operators row
+- * - [][0] : ( [][3] : field value
+- * - [][1] : code, length [][4] : (, )
+- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+- *
+- * $icmp_field_cnt: number of rows in the $icmp_field[][] structure
+- *
+- * Payload Variables
+- * =================
+- * $data_encode[2]: how the payload should be interpreted and converted
+- * - [0] : encoding type (hex, ascii)
+- * - [1] : conversion type (hex, ascii)
+- *
+- * $data[MAX][5]: stores all the payload related parameters/operators row
+- * - [][0] : ( [][3] : (, )
+- * - [][1] : =, != [][4] : AND, OR
+- * - [][2] : field value
+- *
+- * $data_cnt: number of rows in the $data[][] structure
+- *
+ * ----- Search Result Variables ----
+ * $action_chk_lst[]: array of check boxes to determine if an alert
+ * was selected for action
+@@ -173,18 +70,16 @@
+ $et = new EventTiming($debug_time_mode);
+ $cs = new CriteriaState("acid_qry_main.php", "&new=1&submit=Query+DB");
+
+- $new = ImportHTTPVar("new");
++ $new = ImportHTTPVar("new", VAR_DIGIT);
+ $submit = ImportHTTPVar("submit");
+- $layer4 = ImportHTTPVar("layer4");
+
+-/* Code to correct 'interesting' (read: unexplained) browser behavior
+- */
++/* Code to correct 'interesting' (read: unexplained) browser behavior */
+
+ /* Something with Netscape 4.75 such that the $submit variable is no recognized
+ * under certain circumstances. This one is a result of using HTTPS and
+ * clicking on TCP traffic profile from acid_main.php
+ */
+-if ( $layer4 != "" && $submit == "" )
++if ( $cs->criteria['layer4']->Get() != "" && $submit == "" )
+ $submit = "Query DB";
+
+ /* End 'interesting' browser code fixes */
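Review bot: `$cs->criteria['layer4']->Get()` on L2142 is read before `$cs->ReadState()` runs (L2186 in the next hunk), whereas the removed `ImportHTTPVar("layer4")` on L2131 had populated the value from the request at this point; unless the CriteriaState constructor on L2126 already imports the form variables, the Netscape workaround now compares against an uninitialised criterion and never fires. Either move the check after ReadState() or add a comment on L2142 explaining why the value is valid this early. `$submit` on L2130 is still imported without a VAR_ constraint while `new` gained `VAR_DIGIT`; it only ever matches fixed strings here, but it is also forwarded to `RunAction` and the form's `AddFormItem`, so an allowlist of the known button labels would make that path explicit.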
+@@ -192,42 +87,10 @@
+ /* Totally new Search */
+ if ( ($new == 1) && ($submit == "") )
+ {
+- /* Read the state to import the history */
+- $cs->ReadState();
+-
+- /*
+- * Save the variables associated with keeping history,
+- * or they will be deleted in the InitState() call
+- */
+- $save_back_list = $GLOBALS['back_list'];
+- $save_back_list_cnt = $GLOBALS['back_list_cnt'];
+-
+ $cs->InitState();
+-
+- /* Restore the history variables */
+- $back_list = $save_back_list;
+- $back_list_cnt = $save_back_list_cnt;
+-
+- $time_cnt = 1;
+- $ip_addr_cnt = 1;
+- $ip_field_cnt = 1;
+- $tcp_port_cnt = 1;
+- $tcp_field_cnt = 1;
+- $udp_port_cnt = 1;
+- $udp_field_cnt = 1;
+- $icmp_field_cnt = 1;
+- $data_cnt = 1;
+- $layer4 = "";
+ }
+
+- /* if scrolling between pages read the session */
+- /* if access the first query result page from the criteria specification
+- * then read the session and migrate the POST variables into the session
+- */
+- else
+- {
+- $cs->ReadState();
+- }
++ $cs->ReadState();
+
+ $qs = new QueryState();
+ $qs->AddCannedQuery("last_tcp", $last_num_alerts, "Last TCP", "time_d");
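Review bot: After `InitState()` the code now calls `ReadState()` unconditionally, which reads as "reset, then reload" and replaces the explicit save/restore of `back_list` that the removed lines performed; presumably `CriteriaState` now preserves the history itself, but nothing in the hunk says so. A comment at `$cs->ReadState();` such as `/* InitState() resets the criteria only; ReadState() reloads them and the navigation history from the session */` would spare the next reader from re-deriving this — confirm it against CriteriaState before adding it.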
+@@ -277,7 +140,7 @@
+ if ( $submit == "Query DB" ||
+ $submit == "Selected" || $submit == "ALL on Screen" || $submit == "Entire Query" ||
+ $qs->isCannedQuery() ||
+- $sort_order != "" )
++ $qs->GetCurrentSort() != "" )
+ {
+ /* Init and run the action */
+ $criteria_clauses = ProcessCriteria();
+@@ -287,6 +150,7 @@
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+@@ -298,13 +162,14 @@
+ $qs->AddValidActionOp("ALL on Screen");
+ $qs->AddValidActionOp("Entire Query");
+
+- $qs->SetActionSQL("SELECT acid_event.sid, acid_event.cid $from $where");
++ $qs->SetActionSQL("SELECT acid_event.sid, acid_event.cid $from $where");
+ $et->Mark("Initialization");
+
+ $qs->RunAction($submit, PAGE_QRY_ALERTS, $db);
+ $et->Mark("Alert Action");
+
+ if ( $debug_mode > 0 ) ErrorMessage("Initial/Canned Query or Sort Clicked");
++
+ include("acid_qry_sqlcalls.php");
+ }
+ /* Return the input form to get more criteria from user */
+@@ -313,32 +178,6 @@
+ include("acid_qry_form.php");
+ }
+
+-/* Stores the neccessary variables for shared state between calls */
+-
+-/* These variables will ultimately be stored in the session, but are
+- * temporarily required while criteria is being entered in the form
+- */
+-//if ( ($HTTP_POST_VARS["new"] == 1) || ($HTTP_GET_VARS["new"] == 1) )
+-if ( $new == 1 )
+-{
+- echo ' ';
+- echo ' ';
+- echo ' ';
+- echo ' ';
+- echo ' ';
+- echo ' ';
+- echo ' ';
+- echo ' ';
+- echo ' ';
+-}
+-
+-echo '
+-
+-
+-
+-
+-
+- ';
+ // $db->acidClose();
+
+ $qs->SaveState();
+@@ -348,7 +187,6 @@
+ echo "\n\n";
+
+ PrintACIDSubFooter();
+-
+ ?>
+
+
+diff -Naur acid/acid_qry_sqlcalls.php acidfp/acid_qry_sqlcalls.php
+--- acid/acid_qry_sqlcalls.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_qry_sqlcalls.php 2003-12-17 14:16:39.000000000 -0500
+@@ -17,10 +17,9 @@
+ * - imported variables: $sql, $cnt_sql
+ */
+
+- ProcessCriteria();
+-
+ if ( $printing_ag )
+ {
++ ProcessCriteria();
+ $page = "acid_ag_main.php";
+ $tmp_page_get = "&ag_action=view&ag_id=$ag_id&submit=x";
+ $sql = $save_sql;
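Review bot: `ProcessCriteria()` is now called only in the `$printing_ag` branch, so the ordinary query path relies on the including page having already run it (acid_qry_main.php does so just before its `include("acid_qry_sqlcalls.php")`). That contract should be written down in this include's header: the line `* - imported variables: $sql, $cnt_sql` could be followed by `* - expects ProcessCriteria() to have been run by the caller unless $printing_ag is set`. The `if` block continues past the end of this hunk.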
+@@ -65,8 +64,8 @@
+ "dip_a", " ", " ORDER BY ip_dst ASC",
+ "dip_d", " ", " ORDER BY ip_dst DESC");
+ $qro->AddTitle("Layer 4 Proto",
+- "proto_a", " ", " ORDER BY layer4_proto ASC",
+- "proto_d", " ", " ORDER BY layer4_proto DESC");
++ "proto_a", " ", " ORDER BY ip_proto ASC",
++ "proto_d", " ", " ORDER BY ip_proto DESC");
+
+ if ( !$printing_ag)
+ $sql = $sql.$join_sql.$where_sql.$criteria_sql;
+@@ -152,7 +151,7 @@
+ '&sort_order='.$qs->getCurrentSort().'">'.
+ $tmp_rowid.
+ '');
+- qroPrintEntry($current_sig);
++ qroPrintEntry($current_sig, "left");
+ qroPrintEntry($myrow[3]);
+
+ $tmp_iplookup = 'acid_qry_main.php?sig%5B0%5D=%3D'.
+@@ -161,12 +160,9 @@
+ '&submit=Query+DB¤t_view=-1&ip_addr_cnt=2';
+
+ /* TCP or UDP show the associated port # */
+- if ( $current_proto == TCP )
+- $result4 = $db->acidExecute("SELECT tcp_sport, tcp_dport FROM tcphdr ".
+- "WHERE sid=".$myrow[0]." AND cid=".$myrow[1]);
+- else if ( $current_proto == UDP )
+- $result4 = $db->acidExecute("SELECT udp_sport, udp_dport FROM udphdr ".
+- "WHERE sid=".$myrow[0]." AND cid=".$myrow[1]);
++ if ( ($current_proto == TCP) || ($current_proto == UDP) )
++ $result4 = $db->acidExecute("SELECT layer4_sport, layer4_dport FROM acid_event ".
++ "WHERE sid='".$myrow[0]."' AND cid='".$myrow[1]."'");
+
+ if ( ($current_proto == TCP) || ($current_proto == UDP) )
+ {
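Review bot: The new `if ( ($current_proto == TCP) || ($current_proto == UDP) )` is immediately followed by an identical condition on the next line, so the port query can move inside that block and the duplicated test be dropped. `$myrow[0]` and `$myrow[1]` come from the preceding result set rather than the request, so the added quoting is harmless here. The enclosing loop body begins before this hunk.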
+diff -Naur acid/acid_show_packet.php acidfp/acid_show_packet.php
+--- acid/acid_show_packet.php 1969-12-31 19:00:00.000000000 -0500
++++ acidfp/acid_show_packet.php 2003-12-17 14:17:10.000000000 -0500
+@@ -0,0 +1,630 @@
++,
++ *
++ * Copyright (C) 2001,2002 Carnegie Mellon University
++ * (see the file 'acid_main.php' for license details)
++ *
++ * Purpose: displays a single alert
++ *
++ * Input GET/POST variables
++ * - caller
++ * - submit:
++ *
++ */
++
++ include ("acid_constants.inc");
++ include ("acid_conf.php");
++ include ("acid_include.inc");
++ include_once ("acid_db_common.php");
++ include_once ("acid_qry_common.php");
++ include_once ("acid_stat_common.php");
++
++function PrintPacketLookupBrowseButtons($seq, $save_sql, $db, &$previous_button, &$next_button)
++{
++ echo "\n\n\n";
++
++ $result2 = $db->acidExecute($save_sql);
++
++ if ( $seq == 0 )
++ $previous_button = '[ First ]'."\n";
++
++ $i = 0;
++ while ($i <= $seq+1 )
++ {
++ $myrow2 = $result2->acidFetchRow();
++
++ if ( $myrow2 == "" )
++ $next_button = '[ Last ]'."\n";
++ else if ( $i == $seq-1 )
++ $previous_button = ' '."\n";
++
++ else if ( $i == $seq+1 )
++ $next_button = ' '."\n";
++ $i++;
++ }
++
++ $result2->acidFreeRows();
++}
++
++ /*
++ * Need to import $submit and set the $QUERY_STRING early to support
++ * the back button. Otherwise, the value of $submit will not be passed
++ * to the history.
++ */
++ $submit = ImportHTTPVar("submit");
++ $HTTP_SERVER_VARS["QUERY_STRING"] = "submit=".rawurlencode($submit);
++
++ $et = new EventTiming($debug_time_mode);
++ $cs = new CriteriaState("acid_qry_alert.php");
++ $cs->ReadState();
++
++ $qs = new QueryState();
++
++ $page_title = "Network Fingerprint Packet Detail";
++ PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
++
++ /* Connect to the Alert database */
++ $db = NewACIDDBConnection($DBlib_path, $DBtype);
++ $db->acidDBConnect($db_connect_method,
++ $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
++/*
++ PrintCriteria("");
++*/
++ $criteria_clauses = ProcessCriteria();
++
++
++ $from = " FROM acid_event ".$criteria_clauses[0];
++ $where = " WHERE ".$criteria_clauses[1];
++
++ $qs->AddValidAction("ag_by_id");
++ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
++ $qs->AddValidAction("del_alert");
++ $qs->AddValidAction("email_alert");
++ $qs->AddValidAction("email_alert2");
++ $qs->AddValidAction("archive_alert");
++ $qs->AddValidAction("archive_alert2");
++
++ $qs->AddValidActionOp("Selected");
++
++ $qs->SetActionSQL($from.$where);
++
++ $et->Mark("Initialization");
++
++ $qs->RunAction($submit, PAGE_ALERT_DISPLAY, $db);
++ $et->Mark("Alert Action");
++
++ /* If get a valid (sid,cid) store it in $caller.
++ * But if $submit is returning from an alert action
++ * get the (sid,cid) back from $caller
++ */
++ if ( $submit == "Selected" )
++ $submit = ImportHTTPVar("caller");
++ else
++ $caller = $submit;
++
++ /* Setup the Query Results Table -- However, this data structure is not
++ * really used for output. Rather, it duplicates the sort SQL set in
++ * acid_qry_sqlcalls.php
++ */
++ $qro = new QueryResultsOutput("");
++
++ $qro->AddTitle("Signature",
++ "sig_a", " ", " ORDER BY sig_name ASC",
++ "sig_d", " ", " ORDER BY sig_name DESC");
++ $qro->AddTitle("Timestamp",
++ "time_a", " ", " ORDER BY timestamp ASC ",
++ "time_d", " ", " ORDER BY timestamp DESC ");
++ $qro->AddTitle("Source Address",
++ "sip_a", " ", " ORDER BY ip_src ASC",
++ "sip_d", " ", " ORDER BY ip_src DESC");
++ $qro->AddTitle("Dest. Address",
++ "dip_a", " ", " ORDER BY ip_dst ASC",
++ "dip_d", " ", " ORDER BY ip_dst DESC");
++ $qro->AddTitle("Layer 4 Proto",
++ "proto_a", " ", " ORDER BY layer4_proto ASC",
++ "proto_d", " ", " ORDER BY layer4_proto DESC");
++
++ $sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), "");
++ $save_sql = "SELECT acid_event.sid, acid_event.cid".$sort_sql[0].
++ $from.$where.$sort_sql[1];
++
++ if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
++
++ /* GetQueryResultID($submit, $seq, $sid, $cid); */
++ $sid = ImportHTTPVar("sid");
++ $cid = ImportHTTPVar("cid");
++
++ if ( $debug_mode > 0 )
++ echo "\n====== Alert Lookup =======
++ sid = $sid
++ cid = $cid
++ seq = $seq \n".
++ "=========================== \n";
++
++ /* Verify that have extracted (sid, cid) correctly */
++ if ( !($sid > 0 && $cid > 0) )
++ {
++ ErrorMessage("Invalid (sid,cid) pair (".$sid.",".$cid.")");
++ exit();
++ }
++
++/*
++ echo "\n";
++
++ PrintACIDSubFooter();
++
++?>
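Review bot: `$sid` and `$cid` are read from the request with a bare `ImportHTTPVar()` and then guarded only by `$sid > 0 && $cid > 0`; under PHP's loose comparison a string that merely starts with a digit passes that test, so the values are not guaranteed to be integers when they reach the queries in the rest of this 630-line file (most of which is not shown in this listing). Import them the way `new` is imported in acid_qry_main.php: `$sid = ImportHTTPVar("sid", VAR_DIGIT); $cid = ImportHTTPVar("cid", VAR_DIGIT);`. The debug block also prints `$seq`, which is never assigned because the `GetQueryResultID(...)` call above it is commented out. In `PrintPacketLookupBrowseButtons` the loop fetches every row up to `$seq+1` and tests `$myrow2 == ""` with a loose comparison; a comment stating that the result is walked only to locate the neighbours of position `$seq` would make the intent clear.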
+diff -Naur acid/acid_signature.inc acidfp/acid_signature.inc
+--- acid/acid_signature.inc 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_signature.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -15,7 +15,7 @@
+ {
+ $name = "";
+
+- $temp_sql = "SELECT sig_name FROM signature WHERE sig_id=$sig_id";
++ $temp_sql = "SELECT sig_name FROM signature WHERE sig_id='$sig_id'";
+ $tmp_result = $db->acidExecute($temp_sql);
+ if ( $tmp_result )
+ {
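Review bot: Wrapping `$sig_id` in single quotes changes the SQL shape but does not neutralise the value: a value containing a quote still terminates the literal, so this is not an injection defence for any id that reaches the function from a request parameter. Since `sig_id` is an integer key, validate or cast it before building the query, e.g. `$sig_id = CleanVariable($sig_id, VAR_DIGIT);` or `(int)$sig_id`, or use the DB layer's escaping if it provides one. The same quote-only pattern is applied in the later acid_signature.inc hunks (the `ref_system_id`, `sig_reference`, `reference`, `sig_class_id` and `sig_class_name` lookups) and in the per-sensor `$sensorID` queries of acid_stat_common.php; where the value comes from a result row or a constant the risk is low, but `$sensorID` deserves the same integer check. The enclosing function begins before this hunk.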
+@@ -29,6 +29,25 @@
+ return $name;
+ }
+
++function GetSignaturePriority($sig_id, $db)
++{
++ $priority = "";
++
++ $temp_sql = "SELECT sig_priority FROM signature WHERE sig_id='$sig_id'";
++ $tmp_result = $db->acidExecute($temp_sql);
++ if ( $tmp_result )
++ {
++ $myrow = $tmp_result->acidFetchRow();
++ $priority = $myrow[0];
++
++ $tmp_result->acidFreeRows();
++ }
++ else
++ $priority = "[SigPriority unknown]";
++
++ return $priority;
++}
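Review bot: The `[SigPriority unknown]` fallback in `GetSignaturePriority` covers only a failed execute; when the query succeeds but matches no row, `acidFetchRow()` yields nothing and `$myrow[0]` silently becomes an empty priority. Check the row before indexing: `$myrow = $tmp_result->acidFetchRow(); $priority = ( $myrow ) ? $myrow[0] : "[SigPriority unknown]";`. A one-line header comment stating that the function returns the `sig_priority` column for `$sig_id` or the placeholder string when it cannot be determined would match the other helpers in this file.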
++
+ function GetSignatureID($sig_id, $db)
+ {
+ $id = "";
+@@ -58,7 +77,7 @@
+
+ $ref_system_name = "";
+
+- $tmp_sql = "SELECT ref_system_name FROM reference_system WHERE ref_system_id=".$ref_system_id;
++ $tmp_sql = "SELECT ref_system_name FROM reference_system WHERE ref_system_id='".$ref_system_id."'";
+ $tmp_result = $db->acidExecute($tmp_sql);
+ if ( $tmp_result )
+ {
+@@ -70,11 +89,32 @@
+ return $ref_system_name;
+ }
+
++function GetSingleSignatureReference($ref_system, $ref_tag, $style)
++{
++ $tmp_ref_system_name = strtolower($ref_system);
++ if ( in_array($tmp_ref_system_name, array_keys($GLOBALS['external_sig_link'])) )
++ {
++ if ( $style == 1 )
++ return "[".
++ "".$ref_system." ".
++ "] ";
++ else if ( $style == 2 )
++ return "[".$ref_system."/$ref_tag] ";
++ }
++ else
++ {
++ return $ref_system;
++ }
++}
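Review bot: When `$ref_system` is a known external link system but `$style` is neither 1 nor 2, `GetSingleSignatureReference` falls off the end and returns null, so the caller's concatenation silently drops the reference; add a trailing `return $ref_system;` (or make the unknown-system branch the shared fallthrough). The markup in the returned strings appears to have been stripped from this listing, but `$ref_system` and `$ref_tag` are interpolated into what looks like link text and presumably an href built from `$GLOBALS['external_sig_link']`; values read from the reference table should go through `htmlspecialchars()` (and `rawurlencode()` inside the URL part) before being emitted. `in_array($tmp_ref_system_name, array_keys(...))` can be written as `isset($GLOBALS['external_sig_link'][$tmp_ref_system_name])`.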
++
+ function GetSignatureReference($sig_id, $db, $style)
+ {
+ $ref = "";
+
+- $temp_sql = "SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id=".$sig_id;
++ $temp_sql = "SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id='".$sig_id."'";
+ $tmp_sig_ref = $db->acidExecute($temp_sql);
+
+ if ( $tmp_sig_ref )
+@@ -84,7 +124,7 @@
+ {
+ $mysig_ref = $tmp_sig_ref->acidFetchRow();
+
+- $temp_sql = "SELECT ref_system_id, ref_tag FROM reference WHERE ref_id=".$mysig_ref[1];
++ $temp_sql = "SELECT ref_system_id, ref_tag FROM reference WHERE ref_id='".$mysig_ref[1]."'";
+ $tmp_ref_tag = $db->acidExecute($temp_sql);
+
+ if ( $tmp_ref_tag )
+@@ -94,63 +134,39 @@
+ $ref_system = GetRefSystemName($myrow[0], $db);
+ }
+
+- $href = "";
+- if ( strncasecmp($ref_system,"arachNIDS",9) == 0)
+- {
+- if ( $style == 1 )
+- $href = "arachNIDS ";
+- else if ( $style == 2 )
+- $href = "[arachNIDS/$ref_tag] ";
+- }
+- elseif ( strncasecmp($ref_system,"cve",3) == 0)
+- {
+- if ( $style == 1 )
+- $href = "CVE ";
+- else if ( $style == 2 )
+- $href = "[CVE/$ref_tag] ";
+- }
+- elseif ( strncasecmp($ref_system,"bugtraq",7) == 0)
+- {
+- if ( $style == 1 )
+- $href = "bugtraq ";
+- else if ( $style == 2 )
+- $href = "[Bugtraq/$ref_tag] ";
+- }
+- elseif ( strncasecmp($ref_system,"McAfee",6) == 0 )
+- {
+- if ( $style == 1 )
+- $href = "McAfee ";
+- else if ( $style == 2 )
+- $href = "[McAfee/$ref_tag] ";
+- }
+- elseif ( strncasecmp($ref_system,"url",3) == 0 )
+- {
+- if ( $style == 1 )
+- $href = "url ";
+- else if ( $style == 2 )
+- $href = "[url/$ref_tag] ";
+-
+- }
+- else
+- {
+- $href = $ref_system;
+- }
++ $ref = $ref.GetSingleSignatureReference($ref_system, $ref_tag, $style);
+
+- if ( $style == 1 )
+- $ref = $ref."[$href] ";
+- else if ( $style == 2 )
+- $ref = $ref.$href;
+-
++ /* Automatically add an ICAT reference is a CVE reference exists */
++ if ( $ref_system == "cve" )
++ $ref = $ref.GetSingleSignatureReference("icat", $ref_tag, $style);
++
+ $tmp_ref_tag->acidFreeRows();
+ }
+ $tmp_sig_ref->acidFreeRows();
+ }
+
++ if ( $db->acidGetDBVersion() >= 103 )
++ {
++ $tmp_sql = "SELECT sig_sid FROM signature WHERE sig_id='".$sig_id."'";
++ $tmp_sig_sid = $db->acidExecute($tmp_sql);
++
++ if ( $tmp_sig_sid )
++ {
++ $myrow = $tmp_sig_sid->acidFetchRow();
++ $sig_sid = $myrow[0];
++ }
++ }
++ else
++ $sig_sid = "";
++
++ $href = "";
++
++ /* snort.org should be documenting all official signatures,
++ * so automatically add a link
++ */
++ if ( $sig_sid != "")
++ $ref = $ref.GetSingleSignatureReference("snort", $sig_sid, $style);
++
+ return $ref;
+ }
+
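Review bot: The ICAT auto-link at `if ( $ref_system == "cve" )` is case-sensitive, whereas the removed chain used `strncasecmp` and `GetSingleSignatureReference` itself lowercases the system name, so a reference stored as `CVE` now gets a CVE link but no ICAT link; compare with `if ( strtolower($ref_system) == "cve" )`. In the `>= 103` branch `$sig_sid` is never assigned when `acidExecute` fails, and `$tmp_sig_sid` is never released with `acidFreeRows()` unlike every other result in this function; initialise `$sig_sid = "";` before the version check and free the result after reading the row. `$href = "";` is left over from the removed code and is now unused. `GetSignatureReference` begins before this hunk.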
+@@ -171,9 +187,9 @@
+
+ $replace=array("\\1\\2 ",
+ "\\1\\2\\3 ",
+- "BUGTRAQ ID \\1 ",
+- "MCAFEE ID \\1 ",
+- "\\1 ");
++ "BUGTRAQ ID \\1 ",
++ "MCAFEE ID \\1 ",
++ "\\1 ");
+
+ $msg = preg_replace($pattern, $replace, $signature);
+
+@@ -208,7 +224,6 @@
+ * RETURNS: a formatted signature and the associated references
+ */
+ {
+- //echo "sig_id = $sig_id ";
+ if ( $db->acidGetDBVersion() >= 100 )
+ {
+ /* Catch the odd circumstance where $sig_id is still an alert text string
+@@ -234,7 +249,7 @@
+ function GetSigClassID($sig_id, $db)
+ {
+ $sql = "SELECT sig_class_id FROM signature ".
+- "WHERE sig_id = $sig_id";
++ "WHERE sig_id = '$sig_id'";
+
+ $result = $db->acidExecute($sql);
+ $row = $result->acidFetchRow();
+@@ -248,7 +263,7 @@
+ return "unclassified ";
+
+ $sql = "SELECT sig_class_name FROM sig_class ".
+- "WHERE sig_class_id = $class_id";
++ "WHERE sig_class_id = '$class_id'";
+ $result = $db->acidExecute($sql);
+
+ $row = $result->acidFetchRow();
+diff -Naur acid/acid_stat_alerts.php acidfp/acid_stat_alerts.php
+--- acid/acid_stat_alerts.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_alerts.php 2003-12-17 14:16:39.000000000 -0500
+@@ -55,6 +55,7 @@
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+diff -Naur acid/acid_stat_class.php acidfp/acid_stat_class.php
+--- acid/acid_stat_class.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_class.php 2003-12-17 14:16:39.000000000 -0500
+@@ -53,6 +53,7 @@
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+diff -Naur acid/acid_stat_common.php acidfp/acid_stat_common.php
+--- acid/acid_stat_common.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_common.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,10 +4,10 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000 Carnegie Mellon University
++ * Copyright (C) 2000-2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+- * Purpose:
++ * Purpose: summary statistics
+ *
+ */
+
+@@ -16,7 +16,7 @@
+ function SensorCnt($db, $join = "", $where = "")
+ {
+ if ( $join == "" && $where == "" )
+- $result = $db->acidExecute("SELECT count(*) FROM sensor");
++ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event");
+ else
+ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event $join $where");
+ $myrow = $result->acidFetchRow();
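Review bot: `SensorCnt` with no join/where now counts distinct `sid` values in `acid_event` instead of rows of `sensor`, so a registered sensor that has produced no events is no longer counted; this is a behaviour change that the function's header comment (outside this hunk) should state. Since both branches now run the same query shape, the `if`/`else` can collapse to `$result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event $join $where");`, as empty `$join`/`$where` yield the same SQL.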
+@@ -52,7 +52,7 @@
+ {
+
+ /* Calculate the Unique Alerts */
+- $query = "SELECT COUNT(DISTINCT signature) FROM acid_event WHERE sid = " . $sensorID . ";";
++ $query = "SELECT COUNT(DISTINCT signature) FROM acid_event WHERE sid = '" . $sensorID . "'";
+ $result = $db->acidExecute($query);
+
+ if ( $result )
+@@ -75,7 +75,7 @@
+ */
+ function EventCntBySensor($sensorID, $db)
+ {
+- $query = "SELECT count(*) FROM acid_event where sid = " .$sensorID. ";";
++ $query = "SELECT count(*) FROM acid_event where sid = '" .$sensorID. "'";
+
+ $result = $db->acidExecute($query);
+ $myrow = $result->acidFetchRow();
+@@ -87,7 +87,7 @@
+
+ function MinDateBySensor($sensorID, $db)
+ {
+- $query = "SELECT min(timestamp) FROM acid_event WHERE sid=" . $sensorID . ";";
++ $query = "SELECT min(timestamp) FROM acid_event WHERE sid= '". $sensorID."'";
+
+ $result = $db->acidExecute($query);
+ $myrow = $result->acidFetchRow();
+@@ -100,7 +100,7 @@
+
+ function MaxDateBySensor($sensorID, $db)
+ {
+- $query = "SELECT max(timestamp) FROM acid_event WHERE sid=" . $sensorID . ";";
++ $query = "SELECT max(timestamp) FROM acid_event WHERE sid='".$sensorID."'";
+
+ $result = $db->acidExecute($query);
+ $myrow = $result->acidFetchRow();
+@@ -112,7 +112,7 @@
+
+ function UniqueDestAddrCntBySensor( $sensorID, $db )
+ {
+- $query = "SELECT COUNT(DISTINCT ip_dst) from acid_event WHERE sid=" . $sensorID . ";";
++ $query = "SELECT COUNT(DISTINCT ip_dst) from acid_event WHERE sid='" . $sensorID . "'";
+
+ $result = $db->acidExecute($query);
+ $row = $result->acidFetchRow();
+@@ -124,7 +124,7 @@
+
+ function UniqueSrcAddrCntBySensor( $sensorID, $db )
+ {
+- $query = "SELECT COUNT(DISTINCT ip_src) from acid_event WHERE sid=" . $sensorID . ";";
++ $query = "SELECT COUNT(DISTINCT ip_src) from acid_event WHERE sid='" . $sensorID . "'";
+
+ $result = $db->acidExecute($query);
+ $row = $result->acidFetchRow();
+@@ -136,7 +136,7 @@
+
+ function TCPPktCnt($db)
+ {
+- $result = $db->acidExecute("SELECT count(*) FROM tcphdr;");
++ $result = $db->acidExecute("SELECT count(*) FROM acid_event WHERE ip_proto=6");
+ $myrow = $result->acidFetchRow();
+ $num = $myrow[0];
+ $result->acidFreeRows();
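Review bot: The protocol number is written as the literal `6` here, while the port-count hunks later in this file use the `TCP`/`UDP` constants; use the constant for consistency, e.g. `"SELECT count(*) FROM acid_event WHERE ip_proto=".TCP`. The UDPPktCnt (`17`) and ICMPPktCnt (`1`) hunks that follow carry the same point.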
+@@ -146,7 +146,7 @@
+
+ function UDPPktCnt($db)
+ {
+- $result = $db->acidExecute("SELECT count(*) FROM udphdr;");
++ $result = $db->acidExecute("SELECT count(*) FROM acid_event WHERE ip_proto=17");
+ $myrow = $result->acidFetchRow();
+ $num = $myrow[0];
+ $result->acidFreeRows();
+@@ -156,7 +156,7 @@
+
+ function ICMPPktCnt($db)
+ {
+- $result = $db->acidExecute("SELECT count(*) FROM icmphdr;");
++ $result = $db->acidExecute("SELECT count(*) FROM acid_event WHERE ip_proto=1");
+ $myrow = $result->acidFetchRow();
+ $num = $myrow[0];
+ $result->acidFreeRows();
+@@ -273,11 +273,11 @@
+ if ( $join == "" && $where == "")
+ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
+ "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event ".
+- "WHERE ip_proto=".TCP);
++ "WHERE ip_proto='".TCP."'");
+ else
+ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
+ "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event $join".
+- " $where AND ip_proto=".TCP);
++ " $where AND ip_proto='".TCP."'");
+
+ $row = $result->acidFetchRow();
+ $result->acidFreeRows();
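Review bot: Quoting the `TCP` constant as `ip_proto='".TCP."'` turns an integer comparison into a string-literal comparison for no security gain, since the value is a compile-time constant rather than input; `ip_proto=".TCP` was already safe and the integer form is the one a database planner expects for an integer column. The UDP hunk that follows makes the same change. The pre-existing `" $where AND ip_proto="` form in the else branch produces invalid SQL when `$join` is given with an empty `$where`, which is worth a comment at the call site if callers always pass both.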
+@@ -290,11 +290,11 @@
+ if ( $join == "" && $where == "")
+ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
+ "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event ".
+- "WHERE ip_proto=".UDP);
++ "WHERE ip_proto='".UDP."'");
+ else
+ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
+ "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event $join".
+- " $where AND ip_proto=".UDP);
++ " $where AND ip_proto='".UDP."'");
+
+ $row = $result->acidFetchRow();
+ $result->acidFreeRows();
+diff -Naur acid/acid_state_citems.inc acidfp/acid_state_citems.inc
+--- acid/acid_state_citems.inc 1969-12-31 19:00:00.000000000 -0500
++++ acidfp/acid_state_citems.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -0,0 +1,1462 @@
++,
++ *
++ * Copyright (C) 2002 Carnegie Mellon University
++ * (see the file 'acid_main.php' for license details)
++ *
++ * Purpose: individual criteria classes
++ *
++ */
++
++class BaseCriteria
++{
++ var $criteria;
++ var $export_name;
++
++ var $db;
++ var $cs;
++
++ function BaseCriteria($db, $cs, $name)
++ {
++ $this->db = &$db;
++ $this->cs = &$cs;
++
++ $this->export_name = $name;
++ $this->criteria = NULL;
++ }
++
++ function Init()
++ {
++ }
++
++ function Import()
++ {
++ /* imports criteria from POST, GET, or the session */
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function Sanitize()
++ {
++ /* clean/validate the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ /* clean/validate the criteria */
++ }
++
++ function PrintForm()
++ {
++ /* prints the HTML form to input the criteria */
++ }
++
++ function AddFormItem()
++ {
++ /* adding another item to the HTML form */
++ }
++
++ function GetFormItemCnt()
++ {
++ /* returns the number of items in this form element */
++ }
++
++ function SetFormItemCnt()
++ {
++ /* sets the number of items in this form element */
++ }
++
++ function Set($value)
++ {
++ /* set the value of this criteria */
++ }
++
++ function Get()
++ {
++ /* returns the value of this criteria */
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ /* generate human-readable description of this criteria */
++ }
++
++ function isEmpty()
++ {
++ /* returns if the criteria is empty */
++ }
++};
++
++class SingleElementCriteria extends BaseCriteria
++{
++ function Import()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ $this->criteria = SetSessionVar($this->export_name);
++
++ $HTTP_SESSION_VARS[$this->export_name] = &$this->criteria;
++ }
++
++ function Sanitize()
++ {
++ $this->SanitizeElement();
++ }
++
++ function GetFormItemCnt()
++ {
++ return -1;
++ }
++
++ function Set($value)
++ {
++ $this->criteria = $value;
++ }
++
++ function Get()
++ {
++ return $this->criteria;
++ }
++ function isEmpty()
++ {
++ if ( $this->criteria == "" )
++ return true;
++ else
++ return false;
++ }
++};
++
++class MultipleElementCriteria extends BaseCriteria
++{
++ var $element_cnt;
++ var $criteria_cnt;
++ var $valid_field_list;
++
++ function MultipleElementCriteria($db, $cs, $export_name, $element_cnt, $field_list = NULL)
++ {
++ $this->BaseCriteria(&$db, &$cs, $export_name);
++
++ $this->element_cnt = $element_cnt;
++ $this->criteria_cnt = 0;
++ $this->valid_field_list = $field_list;
++ }
++
++ function Init()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ InitArray($this->criteria, $GLOBALS['MAX_ROWS'], $this->element_cnt, "");
++ $this->criteria_cnt = 1;
++
++ $HTTP_SESSION_VARS[$this->export_name."_cnt"] = &$this->criteria_cnt;
++ }
++
++ function Import()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ $this->criteria = SetSessionVar($this->export_name);
++ $this->criteria_cnt = SetSessionVar($this->export_name."_cnt");
++
++ $HTTP_SESSION_VARS[$this->export_name] = &$this->criteria;
++ $HTTP_SESSION_VARS[$this->export_name."_cnt"] = &$this->criteria_cnt;
++ }
++
++ function Sanitize()
++ {
++ if ( in_array("criteria", array_keys(get_object_vars($this))) )
++ //if ( isset($this->criteria) )
++ {
++ for($i=0; $i < $this->element_cnt; $i++)
++ {
++ if ( isset($this->criteria[$i]) )
++ $this->SanitizeElement($i);
++ }
++ }
++ }
++
++ function SanitizeElement($i)
++ {
++ }
++
++ function GetFormItemCnt()
++ {
++ return $this->criteria_cnt;
++ }
++
++ function SetFormItemCnt($value)
++ {
++ $this->criteria_cnt = $value;
++ }
++
++ function AddFormItem(&$submit, $submit_value)
++ {
++ AddCriteriaFormRow($submit, $submit_value, &$this->criteria_cnt, $this->criteria, $this->element_cnt);
++ }
++
++ function Set($value)
++ {
++ $this->criteria = $value;
++ }
++
++ function Get()
++ {
++ return $this->criteria;
++ }
++
++ function isEmpty()
++ {
++ if ( $this->criteria_cnt == 0 )
++ return true;
++ else
++ return false;
++ }
++
++ function PrintForm($field_list, $blank_field_string, $add_button_string)
++ {
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ echo ' ';
++ echo ' criteria[$i][0]," ").'>__ ';
++ echo ' criteria[$i][0],"(").'>( ';
++ echo ' ';
++
++ echo ' ';
++ echo ' criteria[$i][1]," ").'>'.$blank_field_string.' ';
++
++ reset($field_list);
++ foreach( $field_list as $field_name => $field_human_name )
++ {
++ echo ' criteria[$i][1],$field_name).'>'.$field_human_name.' ';
++ }
++ echo ' ';
++
++ echo ' ';
++ echo ' criteria[$i][2],"="). '>= ';
++ echo ' criteria[$i][2],"!=").'>!= ';
++ echo ' criteria[$i][2],"<"). '>< ';
++ echo ' criteria[$i][2],"<=").'><= ';
++ echo ' criteria[$i][2],">"). '>> ';
++ echo ' criteria[$i][2],">=").'>>= ';
++ echo ' ';
++
++ echo ' ';
++
++ echo ' ';
++ echo ' criteria[$i][4]," ").'>__ criteria[$i][4],"(").'>(';
++ echo ' criteria[$i][4],")").'>) ';
++ echo ' ';
++
++ echo ' ';
++ echo ' criteria[$i][5]," "). '>__ ';
++ echo ' criteria[$i][5],"OR"). '>OR ';
++ echo ' criteria[$i][5],"AND").'>AND ';
++ echo ' ';
++ if ( $i == $this->criteria_cnt-1 )
++ echo ' ';
++ echo ' ';
++ }
++ }
++
++ function Compact()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ if ( $this->isEmpty() )
++ {
++ $this->criteria = "";
++ $HTTP_SESSION_VARS[$this->export_name] = &$this->criteria;
++ }
++ }
++};
++
++class ProtocolFieldCriteria extends MultipleElementCriteria
++{
++ function SanitizeElement($i)
++ {
++ $this->criteria[$i][0] = CleanVariable($this->criteria[$i][0], VAR_OPAREN);
++ $this->criteria[$i][1] = CleanVariable($this->criteria[$i][1], "", array_keys($this->valid_field_list));
++ $this->criteria[$i][2] = CleanVariable($this->criteria[$i][2], "", array("=", "!=", "<", "<=", ">", ">="));
++ $this->criteria[$i][3] = CleanVariable($this->criteria[$i][3], VAR_DIGIT);
++ $this->criteria[$i][4] = CleanVariable($this->criteria[$i][4], VAR_OPAREN | VAR_CPAREN);
++ $this->criteria[$i][5] = CleanVariable($this->criteria[$i][5], "", array("AND", "OR"));
++ }
++
++ function Description($human_fields)
++ {
++ $tmp = "";
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ if ($this->criteria[$i][1] != " " && $this->criteria[$i][3] != "" )
++ $tmp = $tmp.$this->criteria[$i][0].$human_fields[($this->criteria[$i][1])].' '.
++ $this->criteria[$i][2].' '.$this->criteria[$i][3].$this->criteria[$i][4].' '.$this->criteria[$i][5];
++ }
++ if ( $tmp != "" )
++ $tmp = $tmp.$this->cs->GetClearCriteriaString($this->export_name);
++
++ return $tmp;
++ }
++}
++
++class SignatureCriteria extends SingleElementCriteria
++{
++/*
++ * $sig[3]: stores signature
++ * - [0] : exactly, roughly [1] : signature
++ * - [2] : =, !=
++ */
++
++ var $sig_type;
++
++ function SignatureCriteria($db, $cs, $export_name)
++ {
++ $this->BaseCriteria(&$db, &$cs, $export_name);
++
++ $this->sig_type = "";
++ }
++
++ function Init()
++ {
++ InitArray($this->criteria, 3, 0, "");
++ $this->sig_type = "";
++ }
++
++ function Import()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ parent::Import();
++
++ $this->sig_type = SetSessionVar("sig_type");
++
++ $HTTP_SESSION_VARS['sig_type'] = &$this->sig_type;
++ }
++
++ function Clear()
++ {
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria[0] = CleanVariable($this->criteria[0], "", array(" ", "=", "LIKE"));
++ $this->criteria[1] = CleanVariable($this->criteria[1], VAR_ALPHA | VAR_SPACE);
++ $this->criteria[2] = CleanVariable($this->criteria[2], "", array("=", "!="));
++ }
++
++ function PrintForm()
++ {
++ echo 'criteria[0]," "). '>{ signature }';
++ echo ' criteria[0],"="). '>exactly ';
++ echo ' criteria[0],"LIKE").'>roughly ';
++
++ echo 'criteria[2],"="). '>=';
++ echo ' criteria[2],"!="). '>!=';
++ echo ' ';
++
++ echo ' ';
++
++ if ( $GLOBALS['use_sig_list'] > 0)
++ {
++ $temp_sql = "SELECT DISTINCT sig_name FROM signature";
++ if ($GLOBALS['use_sig_list'] == 1)
++ {
++ $temp_sql = $temp_sql." WHERE sig_name NOT LIKE '%SPP\_%'";
++ }
++
++ $temp_sql = $temp_sql." ORDER BY sig_name";
++ $tmp_result = $this->db->acidExecute($temp_sql);
++ echo '
++ { Select Signature from List }';
++
++ if ($tmp_result)
++ {
++ while ( $myrow = $tmp_result->acidFetchRow() )
++ echo ' '.$myrow[0];
++ $tmp_result->acidFreeRows();
++ }
++ echo ' ';
++ }
++ }
++
++ function ToSQL()
++ {
++ }
++
++ function Description()
++ {
++ $tmp = $tmp_human = "";
++
++ if ( (isset($this->criteria[0])) && ($this->criteria[0] != " ") &&
++ (isset($this->criteria[1])) && ($this->criteria[1] != "") )
++ {
++ if ( $this->criteria[0] == '=' && $this->criteria[2] == '!=' )
++ $tmp_human = '!=';
++ else if ( $this->criteria[0] == '=' && $this->criteria[2] == '=' )
++ $tmp_human = '=';
++ else if ( $this->criteria[0] == 'LIKE' && $this->criteria[2] == '!=' )
++ $tmp_human = ' does not contain ';
++ else if ( $this->criteria[0] == 'LIKE' && $this->criteria[2] == '=' )
++ $tmp_human = ' contains ';
++
++ $tmp = $tmp.'Signature '.$tmp_human.' "';
++ if ( ($this->db->acidGetDBVersion() >= 100) && $this->sig_type == 1 )
++ $tmp = $tmp.BuildSigByID($this->criteria[1], $this->db).'" '.$this->cs->GetClearCriteriaString($this->export_name);
++ else
++ $tmp = $tmp.$this->criteria[1].'"'.$this->cs->GetClearCriteriaString($this->export_name);
++
++ $tmp = $tmp.' ';
++ }
++
++ return $tmp;
++ }
++}; /* SignatureCriteria */
++
++class SignatureClassificationCriteria extends SingleElementCriteria
++{
++ function Init()
++ {
++ $this->criteria = "";
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria = CleanVariable($this->criteria, VAR_DIGIT, array("null"));
++ }
++
++ function PrintForm()
++ {
++ if ( $this->db->acidGetDBVersion() >= 103 )
++ {
++ echo '
++ criteria, " ").'>{ any Classification }
++ criteria, "null").'>-unclassified-';
++
++ $temp_sql = "SELECT sig_class_id, sig_class_name FROM sig_class";
++ $tmp_result = $this->db->acidExecute($temp_sql);
++ if ( $tmp_result )
++ {
++ while ( $myrow = $tmp_result->acidFetchRow() )
++ echo ' criteria, $myrow[0]).'>'.
++ $myrow[1];
++
++ $tmp_result->acidFreeRows();
++ }
++ echo '  ';
++ }
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $tmp = "";
++
++ if ( $this->db->acidGetDBVersion() >= 103 )
++ {
++ if ( $this->criteria != " " && $this->criteria != "" )
++ {
++ if ( $this->criteria == "null")
++ $tmp = $tmp.'Signature Classification = '.
++ 'unclassified ';
++ else
++ $tmp = $tmp.'Signature Classification = '.
++ GetSigClassName($this->criteria, $this->db).
++ $this->cs->GetClearCriteriaString($this->export_name).' ';
++ }
++ }
++
++ return $tmp;
++ }
++}; /* SignatureClassificationCriteria */
++
++class SignaturePriorityCriteria extends SingleElementCriteria
++{
++ function Init()
++ {
++ $this->criteria = "";
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria[0] = CleanVariable($this->criteria[0], "", array("=", "!=", "<", "<=", ">", ">="));
++ $this->criteria[1] = CleanVariable($this->criteria[1], VAR_DIGIT, array("null"));
++ }
++
++ function PrintForm()
++ {
++ if ( $this->db->acidGetDBVersion() >= 103 )
++ {
++ echo '
++ criteria[0],"="). '>__
++ criteria[0],"=").'>==
++ criteria[0],"!=").'>!=
++ criteria[0],"<"). '><
++ criteria[0],">").'>>
++ criteria[0],"><="). '><=
++ criteria[0],">=").'>>= ';
++
++ echo '
++ criteria[1], " ").'>{ any Priority }
++ criteria[1], "null").'>-unclassified- ';
++ $temp_sql = "select DISTINCT sig_priority from signature ORDER BY sig_priority ASC ";
++ $tmp_result = $this->db->acidExecute($temp_sql);
++ if ( $tmp_result )
++ {
++ while ( $myrow = $tmp_result->acidFetchRow() )
++ echo 'criteria[1], $myrow[0]).'>'.
++ $myrow[0];
++
++ $tmp_result->acidFreeRows();
++ }
++ echo '  ';
++ }
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $tmp = "";
++
++ if ( $this->db->acidGetDBVersion() >= 103 )
++ {
++ if ( $this->criteria[1] != " " && $this->criteria[1] != "" )
++ {
++ if ( $this->criteria[1] == null)
++ $tmp = $tmp.'Signature Priority = '.
++ 'none ';
++ else
++ $tmp = $tmp.'Signature Priority '.$this->criteria[0]." ".$this->criteria[1].
++ $this->cs->GetClearCriteriaString($this->export_name).' ';
++ }
++ }
++
++ return $tmp;
++ }
++ }; /* SignaturePriorityCriteria */
++
++class AlertGroupCriteria extends SingleElementCriteria
++{
++ function Init()
++ {
++ $this->criteria = "";
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria = CleanVariable($this->criteria, VAR_DIGIT);
++ }
++
++ function PrintForm()
++ {
++ echo '
++ criteria, " ").'>{ any Alert Group }';
++
++ $temp_sql = "SELECT ag_id, ag_name FROM acid_ag";
++ $tmp_result = $this->db->acidExecute($temp_sql);
++ if ( $tmp_result )
++ {
++ while ( $myrow = $tmp_result->acidFetchRow() )
++ echo ' criteria, $myrow[0]).'>'.
++ '['.$myrow[0].'] '.$myrow[1];
++
++ $tmp_result->acidFreeRows();
++ }
++ echo ' ';
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $tmp = "";
++
++ if ( $this->criteria != " " && $this->criteria != "" )
++ $tmp = $tmp.'Alert Group = ['.$this->criteria.'] '.GetAGNameByID($this->criteria, $this->db).
++ $this->cs->GetClearCriteriaString($this->export_name).' ';
++
++ return $tmp;
++ }
++}; /* AlertGroupCriteria */
++
++class SensorCriteria extends SingleElementCriteria
++{
++ function Init()
++ {
++ $this->criteria = "";
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria = CleanVariable($this->criteria, VAR_DIGIT);
++ }
++
++ function PrintForm()
++ {
++ echo '
++ criteria, " ").'>{ any sensor }';
++
++ $temp_sql = "SELECT sid, hostname, interface, filter FROM sensor";
++ $tmp_result = $this->db->acidExecute($temp_sql);
++ if ( $tmp_result->row )
++ {
++ while ( $myrow = $tmp_result->acidFetchRow() )
++ echo ' criteria, $myrow[0]).'>'.
++ '['.$myrow[0].'] '.GetSensorName($myrow[0], $this->db);
++
++ $tmp_result->acidFreeRows();
++ }
++
++ echo '  ';
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $tmp = "";
++
++ if ( $this->criteria != " " && $this->criteria != "" )
++ $tmp = $tmp.'Sensor = ['.$this->criteria.'] '.
++ GetSensorName($this->criteria, $this->db).
++ $this->cs->GetClearCriteriaString($this->export_name).' ';
++
++ return $tmp;
++ }
++}; /* SensorCriteria */
++
++class TimeCriteria extends MultipleElementCriteria
++{
++/*
++ * $time[MAX][10]: stores the date/time of the packet detection
++ * - [][0] : ( [][5] : hour
++ * - [][1] : =, !=, <, <=, >, >= [][6] : minute
++ * - [][2] : month [][7] : second
++ * - [][3] : day [][8] : (, )
++ * - [][4] : year [][9] : AND, OR
++ *
++ * $time_cnt : number of rows in the $time[][] structure
++ */
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement($i)
++ {
++ $this->criteria[$i][0] = CleanVariable($this->criteria[$i][0], VAR_OPAREN);
++ $this->criteria[$i][1] = CleanVariable($this->criteria[$i][1], "", array("=", "!=", "<", "<=", ">", ">="));
++ $this->criteria[$i][2] = CleanVariable($this->criteria[$i][2], VAR_DIGIT);
++ $this->criteria[$i][3] = CleanVariable($this->criteria[$i][3], VAR_DIGIT);
++ $this->criteria[$i][4] = CleanVariable($this->criteria[$i][4], VAR_DIGIT);
++ $this->criteria[$i][5] = CleanVariable($this->criteria[$i][5], VAR_DIGIT);
++ $this->criteria[$i][6] = CleanVariable($this->criteria[$i][6], VAR_DIGIT);
++ $this->criteria[$i][7] = CleanVariable($this->criteria[$i][7], VAR_DIGIT);
++ $this->criteria[$i][8] = CleanVariable($this->criteria[$i][8], VAR_OPAREN | VAR_CPAREN);
++ $this->criteria[$i][9] = CleanVariable($this->criteria[$i][9], "", array("AND", "OR"));
++ }
++
++ function PrintForm()
++ {
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ echo 'criteria[$i][0]," ").'>__';
++ echo ' criteria[$i][0],"(").'>( ';
++ echo 'criteria[$i][1]," "). '>{ time }';
++ echo ' criteria[$i][1],"="). '>=';
++ echo ' criteria[$i][1],"!=").'>!=';
++ echo ' criteria[$i][1],"<"). '><';
++ echo ' criteria[$i][1],"<=").'><=';
++ echo ' criteria[$i][1],">"). '>>';
++ echo ' criteria[$i][1],">=").'>>= ';
++
++ echo 'criteria[$i][2]," " ).'>{ month }';
++ echo ' criteria[$i][2],"01").'>Jan';
++ echo ' criteria[$i][2],"02").'>Feb';
++ echo ' criteria[$i][2],"03").'>Mar';
++ echo ' criteria[$i][2],"04").'>Apr';
++ echo ' criteria[$i][2],"05").'>May';
++ echo ' criteria[$i][2],"06").'>Jun';
++ echo ' criteria[$i][2],"07").'>Jly';
++ echo ' criteria[$i][2],"08").'>Aug';
++ echo ' criteria[$i][2],"09").'>Sep';
++ echo ' criteria[$i][2],"10").'>Oct';
++ echo ' criteria[$i][2],"11").'>Nov';
++ echo ' criteria[$i][2],"12").'>Dec ';
++ echo ' ';
++ echo 'criteria[$i][4]," ").'>{ year }';
++ echo ' criteria[$i][4],"1999").'>1999';
++ echo ' criteria[$i][4],"2000").'>2000';
++ echo ' criteria[$i][4],"2001").'>2001';
++ echo ' criteria[$i][4],"2002").'>2002';
++ echo ' criteria[$i][4],"2003").'>2003';
++ echo ' criteria[$i][4],"2004").'>2004 ';
++
++ echo ': ';
++ echo ': ';
++ echo ' ';
++
++ echo 'criteria[$i][8]," ").'>__';
++ echo ' criteria[$i][8],"(").'>(';
++ echo ' criteria[$i][8],")").'>) ';
++ echo 'criteria[$i][9]," "). '>__';
++ echo ' criteria[$i][9],"OR"). '>OR';
++ echo ' criteria[$i][9],"AND").'>AND ';
++
++ if ( $i == $this->criteria_cnt-1 )
++ echo ' ';
++ echo ' ';
++ }
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $tmp = "";
++ for ($i = 0; $i < $this->criteria_cnt; $i++)
++ {
++ if ( isset($this->criteria[$i][1]) && $this->criteria[$i][1] != " " )
++ {
++ $tmp = $tmp.''.$this->criteria[$i][0].' time '.$this->criteria[$i][1].' [ ';
++
++ /* date */
++ if ( $this->criteria[$i][2] == " " && $this->criteria[$i][3] == "" && $this->criteria[$i][4] == " " )
++ $tmp = $tmp." any date ";
++ else
++ $tmp = $tmp.(($this->criteria[$i][2] == " ") ? "* / " : $this->criteria[$i][2]." / ").
++ (($this->criteria[$i][3] == "" ) ? "* / " : $this->criteria[$i][3]." / ").
++ (($this->criteria[$i][4] == " ") ? "* " : $this->criteria[$i][4]." ");
++ $tmp = $tmp.'] [ ';
++ /* time */
++ if ( $this->criteria[$i][5] == "" && $this->criteria[$i][6] == "" && $this->criteria[$i][7] == "" )
++ $tmp = $tmp."any time ";
++ else
++ $tmp = $tmp.(($this->criteria[$i][5] == "") ? "* : " : $this->criteria[$i][5]." : ").
++ (($this->criteria[$i][6] == "") ? "* : " : $this->criteria[$i][6]." : ").
++ (($this->criteria[$i][7] == "") ? "* " : $this->criteria[$i][7]." ");
++ $tmp = $tmp.$this->criteria[$i][8].'] '.$this->criteria[$i][9];
++ $tmp = $tmp.' ';
++ }
++ }
++ if ( $tmp != "" )
++ $tmp = $tmp.$this->cs->GetClearCriteriaString($this->export_name);
++
++ return $tmp;
++ }
++}; /* TimeCriteria */
++
++class IPAddressCriteria extends MultipleElementCriteria
++{
++/*
++ * $ip_addr[MAX][10]: stores an ip address parameters/operators row
++ * - [][0] : ( [][5] : octet3 of address
++ * - [][1] : source, dest [][6] : octet4 of address
++ * - [][2] : =, != [][7] : network mask
++ * - [][3] : octet1 of address [][8] : (, )
++ * - [][4] : octet2 of address [][9] : AND, OR
++ *
++ * $ip_addr_cnt: number of rows in the $ip_addr[][] structure
++ */
++
++ function IPAddressCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::MultipleElementCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("ip_src" => "Source",
++ "ip_dst" => "Dest",
++ "ip_both" => "Src or Dest"));
++ }
++
++ function Import()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ parent::Import();
++
++ /* expand IP into octets */
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ if ( (isset ($this->criteria[$i][3])) &&
++ (ereg("([0-9]*)\.([0-9]*)\.([0-9]*)\.([0-9]*)", $this->criteria[$i][3])) )
++ {
++ $tmp_ip_str = $this->criteria[$i][7] = $this->criteria[$i][3];
++ $this->criteria[$i][3] = strtok($tmp_ip_str, ".");
++ $this->criteria[$i][4] = strtok(".");
++ $this->criteria[$i][5] = strtok(".");
++ $this->criteria[$i][6] = strtok("/");
++ $this->criteria[$i][10] = strtok("");
++ }
++ }
++
++ $HTTP_SESSION_VARS['ip_addr'] = &$this->criteria;
++ $HTTP_SESSION_VARS['ip_addr_cnt'] = &$this->criteria_cnt;
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria[$i][0] = CleanVariable($this->criteria[$i][0], VAR_OPAREN);
++ $this->criteria[$i][1] = CleanVariable($this->criteria[$i][1], "", array_keys($this->valid_field_list));
++ $this->criteria[$i][2] = CleanVariable($this->criteria[$i][2], "", array("=", "!=", "<", "<=", ">", ">="));
++ $this->criteria[$i][3] = CleanVariable($this->criteria[$i][3], VAR_DIGIT | VAR_PERIOD | VAR_FSLASH);
++ $this->criteria[$i][4] = CleanVariable($this->criteria[$i][4], VAR_DIGIT);
++ $this->criteria[$i][5] = CleanVariable($this->criteria[$i][5], VAR_DIGIT);
++ $this->criteria[$i][6] = CleanVariable($this->criteria[$i][6], VAR_DIGIT);
++ $this->criteria[$i][7] = CleanVariable($this->criteria[$i][7], VAR_DIGIT);
++ $this->criteria[$i][8] = CleanVariable($this->criteria[$i][8], VAR_OPAREN | VAR_CPAREN);
++ $this->criteria[$i][9] = CleanVariable($this->criteria[$i][9], "", array("AND", "OR"));
++ }
++
++ function PrintForm()
++ {
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ echo ' criteria[$i][0]," ").'>__';
++ echo ' criteria[$i][0],"(").'>( ';
++ echo '
++ criteria[$i][1]," " ).'>{ address }
++ criteria[$i][1],"ip_src").'>Source
++ criteria[$i][1],"ip_dst").'>Dest
++ criteria[$i][1],"ip_both").'>Src or Dest
++ ';
++ echo '
++ criteria[$i][2],"="). '>=
++ criteria[$i][2],"!=").'>!=
++ ';
++
++ if ( $GLOBALS['ip_address_input'] == 2 )
++ echo ' ';
++ else
++ {
++ echo ' . ';
++ echo ' . ';
++ echo ' . ';
++ echo ' ';
++ }
++ echo ' criteria[$i][8]," ").'>__';
++ echo ' criteria[$i][8],"(").'>(';
++ echo ' criteria[$i][8],")").'>) ';
++ echo ' criteria[$i][9]," "). '>__';
++ echo ' criteria[$i][9],"OR"). '>OR';
++ echo ' criteria[$i][9],"AND").'>AND ';
++ if ( $i == $this->criteria_cnt-1 )
++ echo ' ';
++ echo ' ';
++ }
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $human_fields["ip_src"] = "Source Address";
++ $human_fields["ip_dst"] = "Dest. Address";
++ $human_fields["ip_both"] = "Source or Dest. Address";
++ $human_fields[""] = "";
++ $human_fields["LIKE"] = "contains";
++ $human_fields["="] = "=";
++
++ $tmp2 = "";
++
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ $tmp = "";
++ if ( isset($this->criteria[$i][3]) && $this->criteria[$i][3] != "" )
++ {
++ $tmp = $tmp.$this->criteria[$i][3];
++ if ( $this->criteria[$i][4] != "" )
++ {
++ $tmp = $tmp.".".$this->criteria[$i][4];
++ if ( $this->criteria[$i][5] != "" )
++ {
++ $tmp = $tmp.".".$this->criteria[$i][5];
++ if ( $this->criteria[$i][6] != "" )
++ {
++ if ( ($this->criteria[$i][3].".".$this->criteria[$i][4].".".
++ $this->criteria[$i][5].".".$this->criteria[$i][6]) == NULL_IP)
++ $tmp = " unknown ";
++ else
++ $tmp = $tmp.".".$this->criteria[$i][6];
++ }
++ else
++ $tmp = $tmp.'.*';
++ }
++ else
++ $tmp = $tmp.'.*.*';
++ }
++ else
++ $tmp = $tmp.'.*.*.*';
++ }
++ /* Make sure that the IP isn't blank */
++ if ( $tmp != "" )
++ {
++ $mask = "";
++ if ( $this->criteria[$i][10] != "" )
++ $mask = "/".$this->criteria[$i][10];
++
++ $tmp2 = $tmp2.$this->criteria[$i][0].
++ $human_fields[($this->criteria[$i][1])].' '.$this->criteria[$i][2].
++ ' '.$tmp.' '.$this->criteria[$i][8].' '.$this->criteria[$i][9].$mask.
++ $this->cs->GetClearCriteriaString($this->export_name)." ";
++ }
++ }
++
++ return $tmp2;
++ }
++}; /* IPAddressCriteria */
++
++class IPFieldCriteria extends ProtocolFieldCriteria
++{
++/*
++ * $ip_field[MAX][6]: stores all other ip fields parameters/operators row
++ * - [][0] : ( [][3] : field value
++ * - [][1] : TOS, TTL, ID, offset, length [][4] : (, )
++ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
++ *
++ * $ip_field_cnt: number of rows in the $ip_field[][] structure
++ */
++
++ function IPFieldCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array("ip_tos" => "TOS",
++ "ip_ttl" => "TTL",
++ "ip_id" => "ID",
++ "ip_off" => "offset",
++ "ip_csum" => "chksum",
++ "ip_len" => "length"));
++ }
++
++ function PrintForm()
++ {
++ parent::PrintForm($this->valid_field_list, "{ field }", "ADD IP Field");
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ return parent::Description( array_merge( array ( "" => "",
++ "LIKE" => "contains",
++ "=" => "="), $this->valid_field_list ) );
++ }
++};
++
++class TCPPortCriteria extends ProtocolFieldCriteria
++{
++/*
++ * $tcp_port[MAX][6]: stores all port parameters/operators row
++ * - [][0] : ( [][3] : port value
++ * - [][1] : Source Port, Dest Port [][4] : (, )
++ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
++ *
++ * $tcp_port_cnt: number of rows in the $tcp_port[][] structure
++ */
++
++ function TCPPortCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("layer4_sport" => "source port",
++ "layer4_dport" => "dest port"));
++ }
++
++ function PrintForm()
++ {
++ parent::PrintForm($this->valid_field_list, "{ port }", "ADD TCP Port");
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ return parent::Description(array_merge( array("" => "",
++ "=" => "="), $this->valid_field_list) );
++ }
++}; /* TCPPortCriteria */
++
++class TCPFieldCriteria extends ProtocolFieldCriteria
++{
++/*
++ * TCP Variables
++ * =============
++ * $tcp_field[MAX][6]: stores all other tcp fields parameters/operators row
++ * - [][0] : ( [][3] : field value
++ * - [][1] : windows, URP [][4] : (, )
++ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
++ *
++ * $tcp_field_cnt: number of rows in the $tcp_field[][] structure
++ */
++
++ function TCPFieldCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("tcp_win" => "window",
++ "tcp_urp" => "urp",
++ "tcp_seq" => "seq #",
++ "tcp_ack" => "ack",
++ "tcp_off" => "offset",
++ "tcp_res" => "res",
++ "tcp_csum" => "chksum"));
++ }
++
++ function PrintForm()
++ {
++ parent::PrintForm($this->valid_field_list, "{ field }", "ADD TCP Field");
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ return parent::Description(array_merge ( array("" => ""), $this->valid_field_list) );
++ }
++}; /* TCPFieldCriteria */
++
++class TCPFlagsCriteria extends SingleElementCriteria
++{
++/*
++ * $tcp_flags[7]: stores all other tcp flags parameters/operators row
++ * - [0] : is, contains [4] : 8 (RST)
++ * - [1] : 1 (FIN) [5] : 16 (ACK)
++ * - [2] : 2 (SYN) [6] : 32 (URG)
++ * - [3] : 4 (PUSH)
++ */
++
++ function Init()
++ {
++ InitArray($this->criteria, $GLOBALS['MAX_ROWS'], TCPFLAGS_CFCNT, "");
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria = CleanVariable($this->criteria, VAR_DIGIT);
++ }
++
++ function PrintForm()
++ {
++ echo 'criteria[0]," ").'>{ flags }';
++ echo ' criteria[0],"is").'>is';
++ echo ' criteria[0],"contains").'>contains ';
++ echo ' ';
++ echo ' criteria[8],"128").'> [RSV1]  ';
++ echo ' criteria[7],"64").'> [RSV0]  ';
++ echo ' criteria[6],"32").'> [URG]  ';
++ echo ' criteria[5],"16").'> [ACK]  ';
++ echo ' criteria[4],"8").'> [PSH]  ';
++ echo ' criteria[3],"4").'> [RST]  ';
++ echo ' criteria[2],"2").'> [SYN]  ';
++ echo ' criteria[1],"1").'> [FIN]  ';
++ echo ' ';
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $human_fields["1"] = "F";
++ $human_fields["2"] = "S";
++ $human_fields["4"] = "R";
++ $human_fields["8"] = "P";
++ $human_fields["16"] = "A";
++ $human_fields["32"] = "U";
++ $human_fields["64"] = "[R0]";
++ $human_fields["128"] = "[R1]";
++ $human_fields["LIKE"] = "contains";
++ $human_fields["="] = "=";
++
++ $tmp = "";
++
++ if ( isset($this->criteria[0]) && ($this->criteria[0] != " ") && ($this->criteria[0] != "") )
++ {
++ $tmp = $tmp.'flags '.$this->criteria[0].' ';
++ for ( $i = 8; $i >=1; $i-- )
++ if ( $this->criteria[$i] == "" )
++ $tmp = $tmp.'-';
++ else
++ $tmp = $tmp.$human_fields[($this->criteria[$i])];
++
++ $tmp = $tmp.$this->cs->GetClearCriteriaString("tcp_flags").' ';
++ }
++
++ return $tmp;
++ }
++
++ function isEmpty()
++ {
++ if ( ($this->criteria[0] != "") && ($this->criteria[0] != " ") )
++ return false;
++ else
++ return true;
++ }
++}; /* TCPFlagCriteria */
++
++class UDPPortCriteria extends ProtocolFieldCriteria
++{
++/*
++ * $udp_port[MAX][6]: stores all port parameters/operators row
++ * - [][0] : ( [][3] : port value
++ * - [][1] : Source Port, Dest Port [][4] : (, )
++ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
++ *
++ * $udp_port_cnt: number of rows in the $udp_port[][] structure
++ */
++
++ function UDPPortCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("layer4_sport" => "source port",
++ "layer4_dport" => "dest port"));
++ }
++
++ function PrintForm()
++ {
++ parent::PrintForm($this->valid_field_list, "{ port }", "ADD UDP Port");
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ return parent::Description(array_merge( array("" => "",
++ "=" => "="), $this->valid_field_list) );
++ }
++}; /* UDPPortCriteria */
++
++class UDPFieldCriteria extends ProtocolFieldCriteria
++{
++/*
++ * $udp_field[MAX][6]: stores all other udp fields parameters/operators row
++ * - [][0] : ( [][3] : field value
++ * - [][1] : length [][4] : (, )
++ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
++ *
++ * $udp_field_cnt: number of rows in the $udp_field[][] structure
++ */
++
++ function UDPFieldCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("udp_len" => "length",
++ "udp_csum" => "chksum"));
++ }
++
++ function PrintForm()
++ {
++ parent::PrintForm($this->valid_field_list, "{ field }", "ADD UDP Field");
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ return parent::Description(array_merge ( array("" => ""), $this->valid_field_list) );
++ }
++}; /* UDPFieldCriteria */
++
++class ICMPFieldCriteria extends ProtocolFieldCriteria
++{
++/*
++ * $icmp_field[MAX][6]: stores all other icmp fields parameters/operators row
++ * - [][0] : ( [][3] : field value
++ * - [][1] : code, length [][4] : (, )
++ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
++ *
++ * $icmp_field_cnt: number of rows in the $icmp_field[][] structure
++ */
++
++ function ICMPFieldCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("icmp_type" => "type",
++ "icmp_code" => "code",
++ "icmp_id" => "id",
++ "icmp_seq" => "seq #",
++ "icmp_csum" => "chksum"));
++ }
++
++ function PrintForm()
++ {
++ parent::PrintForm($this->valid_field_list, "{ field }", "ADD ICMP Field");
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ return parent::Description(array_merge ( array("" => ""), $this->valid_field_list) );
++ }
++}; /* ICMPFieldCriteria */
++
++class Layer4Criteria extends SingleElementCriteria
++{
++ function Init()
++ {
++ $this->criteria = "";
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria = CleanVariable($this->criteria, "", array("UDP", "TCP", "ICMP", "no layer4"));
++ }
++
++ function PrintForm()
++ {
++ if ( $this->criteria != "" )
++ echo '  ';
++ if ( $this->criteria == "TCP" )
++ echo '
++  
++ ';
++ else if ( $this->criteria == "UDP" )
++ echo '
++  
++ ';
++ else if ( $this->criteria == "ICMP" )
++ echo '
++  
++ ';
++ else
++ echo '
++  
++
++ ';
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ if ( $this->criteria == "TCP" )
++ return "TCP Criteria";
++ else if ( $this->criteria == "UDP" )
++ return "UDP Criteria";
++ else if ( $this->criteria == "ICMP" )
++ return "ICMP Criteria";
++ else
++ return "Layer 4 Criteria";
++ }
++}; /* Layer4Criteria */
++
++class DataCriteria extends MultipleElementCriteria
++{
++/*
++ * $data_encode[2]: how the payload should be interpreted and converted
++ * - [0] : encoding type (hex, ascii)
++ * - [1] : conversion type (hex, ascii)
++ *
++ * $data[MAX][5]: stores all the payload related parameters/operators row
++ * - [][0] : ( [][3] : (, )
++ * - [][1] : =, != [][4] : AND, OR
++ * - [][2] : field value
++ *
++ * $data_cnt: number of rows in the $data[][] structure
++ */
++
++ var $data_encode;
++
++ function DataCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::MultipleElementCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("LIKE" => "has",
++ "NOT LIKE" => "has NOT" ));
++ $this->data_encode = array();
++ }
++
++ function Init()
++ {
++ parent::Init();
++ InitArray($this->data_encode, 2, 0, "");
++ }
++
++ function Import()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ parent::Import();
++
++ $this->data_encode = SetSessionVar("data_encode");
++
++ $HTTP_SESSION_VARS['data_encode'] = &$this->data_encode;
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement($i)
++ {
++ $this->data_encode[0] = CleanVariable($this->data_encode[0], "", array("hex", "ascii"));
++ $this->data_encode[1] = CleanVariable($this->data_encode[1], "", array("hex", "ascii"));
++
++ $this->criteria[$i][0] = CleanVariable($this->criteria[$i][0], VAR_OPAREN);
++ $this->criteria[$i][1] = CleanVariable($this->criteria[$i][1], "", array_keys($this->valid_field_list));
++ $this->criteria[$i][2] = CleanVariable($this->criteria[$i][2], VAR_ALPHA | VAR_PUNC );
++ $this->criteria[$i][3] = CleanVariable($this->criteria[$i][3], VAR_OPAREN | VAR_CPAREN);
++ $this->criteria[$i][4] = CleanVariable($this->criteria[$i][4], "", array("AND", "OR"));
++ }
++
++ function PrintForm()
++ {
++ echo 'Input Criteria Encoding Type: ';
++ echo 'data_encode[0]," ").'>{ Encoding }';
++ echo ' data_encode[0],"hex").'>hex';
++ echo ' data_encode[0],"ascii").'>ascii ';
++ echo 'Convert To (when searching): ';
++ echo 'data_encode[1]," ").'>{ Convert To }';
++ echo ' data_encode[1],"hex").'>hex';
++ echo ' data_encode[1],"ascii").'>ascii ';
++ echo ' ';
++
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ echo 'criteria[$i][0]," ").'>__';
++ echo ' criteria[$i][0],"(").'>( ';
++ echo 'criteria[$i][1]," "). '>{ payload }';
++ echo ' criteria[$i][1],"LIKE"). '>has ';
++ echo ' criteria[$i][1],"NOT LIKE").'>has NOT ';
++
++ echo ' ';
++
++ echo 'criteria[$i][3]," ").'>__';
++ echo ' criteria[$i][3],"(").'>(';
++ echo ' criteria[$i][3],")").'>) ';
++ echo 'criteria[$i][4]," "). '>__';
++ echo ' criteria[$i][4],"OR"). '>OR';
++ echo ' criteria[$i][4],"AND").'>AND ';
++
++ if ( $i == $this->criteria_cnt-1 )
++ echo ' ';
++ echo ' ';
++ }
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $human_fields["LIKE"] = "contains";
++ $human_fields["NOT LIKE"] = "does not contain";
++ $human_fields[""] = "";
++
++ $tmp = "";
++
++ if ( $this->data_encode[0] != " " && $this->data_encode[1] != " ")
++ {
++ $tmp = $tmp.' (data encoded as '.$this->data_encode[0];
++ $tmp = $tmp.' => '.$this->data_encode[1];
++ $tmp = $tmp.') ';
++ }
++ else
++ $tmp = $tmp.' (no data conversion, assuming criteria in DB native encoding) ';
++
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ if ($this->criteria[$i][1] != " " && $this->criteria[$i][2] != "" )
++ $tmp = $tmp.$this->criteria[$i][0].$human_fields[$this->criteria[$i][1]].' "'.$this->criteria[$i][2].
++ '" '.$this->criteria[$i][3].' '.$this->criteria[$i][4];
++ }
++
++ if ( $tmp != "" )
++ $tmp = $tmp.$this->cs->GetClearCriteriaString($this->export_name);
++
++ return $tmp;
++ }
++};
++
++?>
+diff -Naur acid/acid_state_common.inc acidfp/acid_state_common.inc
+--- acid/acid_state_common.inc 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_state_common.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -4,20 +4,30 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000-2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: routines to manipulate shared state (session
+ * information)
+ *
+ */
+-
++/* ***********************************************************************
++ * Function: InitArray()
++ *
++ * @doc Defines an initializes a 1 or 2 dimensional PHP array.
++ *
++ * @param $a (in/out) array to initialize
++ * @param $dim1 number of elements of first dimension
++ * @param $dim2 number of elements of second dimension
++ * @param $value default value
++ *
++ ************************************************************************/
+ function InitArray(&$a, $dim1, $dim2, $value)
+ {
+ $a = "";
+ /* determine the number of dimensions in the array */
+ if ( $dim2 == 0 ) /* 1-dim */
+- for ( $i = 0; $i < $dim2; $i++ )
++ for ( $i = 0; $i < $dim1; $i++ )
+ $a[$i] = $value;
+ else /* 2-dim */
+ for ( $i = 0; $i < $dim1; $i++ )
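Review bot: `$a = "";` on the second line of InitArray seeds the by-reference out-parameter with a string rather than an array, so both loops below it depend on PHP silently promoting an empty string to an array; from PHP 7.1 onward that promotion no longer happens, `$a[$i] = $value` becomes a string-offset write and `$a[$i][$j] = $value` an error, and callers such as `TCPFlagsCriteria::Init()` get back a string instead of the row array they iterate. `$a = array();` states the intent and behaves the same on every PHP version. The new docblock also reads `Defines an initializes` where `Defines and initializes` is meant. InitArray's body continues into the next hunk.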
+@@ -25,70 +35,16 @@
+ $a[$i][$j] = $value;
+ }
+
+-function InitGlobalState()
+-{
+- GLOBAL $time, $time_cnt, $sig, $sig_class, $sensor, $ag,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode, $save_criteria,
+- $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode,
+- $back_list, $back_list_cnt;
+- GLOBAL $MAX_ROWS;
+-
+- $caller = "";
+- $layer4 = "";
+-
+- InitArray($back_list, 1, 3, "");
+- $back_list_cnt = 0;
+-
+- $ag = "";
+- $sensor = "";
+- InitArray($sig, 3, 0, "");
+- $sig_class = "";
+- InitArray($time, $MAX_ROWS, TIME_CFCNT, "");
+- $time_cnt = 0;
+-
+- InitArray($ip_addr, $MAX_ROWS, IPADDR_CFCNT, "");
+- $ip_addr_cnt = 0;
+- InitArray($ip_field, $MAX_ROWS, PROTO_CFCNT, "");
+- $ip_field_cnt = 0;
+-
+- InitArray($tcp_port, $MAX_ROWS, PROTO_CFCNT, "");
+- $tcp_port_cnt = 0;
+- InitArray($tcp_flags, $MAX_ROWS, TCPFLAGS_CFCNT, "");
+- InitArray($tcp_field, $MAX_ROWS, PROTO_CFCNT, "");
+- $tcp_field_cnt = 0;
+-
+- InitArray($udp_port, $MAX_ROWS, PROTO_CFCNT, "");
+- $udp_port_cnt = 0;
+- InitArray($udp_field, $MAX_ROWS, PROTO_CFCNT, "");
+- $udp_field_cnt = 0;
+-
+- InitArray($icmp_field, $MAX_ROWS, PROTO_CFCNT, "");
+- $icmp_field_cnt = 0;
+-
+- InitArray($data_encode, 2, 0, "");
+- InitArray($data, $MAX_ROWS, PAYLOAD_CFCNT, "");
+- $data_cnt = 0;
+-}
+-
++/* ***********************************************************************
++ * Function: RegisterGlobalState()
++ *
++ * @doc Application-specific wrapper for PHP session_start(). It performs
++ * a couple of additional configuration checks (notably for custom
++ * PHP session handlers).
++ *
++ ************************************************************************/
+ function RegisterGlobalState()
+ {
+- GLOBAL $time, $time_cnt, $sig, $sensor, $ag,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode, $save_criteria,
+- $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode,
+- $back_list, $back_list_cnt;
+-
+- GLOBAL $MAX_ROWS;
+-
+ /* Deal with user specified session handlers */
+ if (session_module_name() == "user" )
+ {
+@@ -125,170 +81,199 @@
+
+ session_start();
+
+- session_register('back_list');
+- session_register('back_list_cnt');
+- session_register('layer4');
+-
+- session_register('ag');
+- session_register('sig_type');
+- session_register('sig');
+- session_register('sig_class');
+- session_register('sensor');
+- session_register('time');
+- session_register('time_cnt');
+-
+- session_register('ip_addr');
+- session_register('ip_addr_cnt');
+- session_register('ip_field');
+- session_register('ip_field_cnt');
+-
+- session_register('tcp_port');
+- session_register('tcp_port_cnt');
+- session_register('tcp_flags');
+- session_register('tcp_field');
+- session_register('tcp_field_cnt');
+-
+- session_register('udp_port');
+- session_register('udp_port_cnt');
+- session_register('udp_field');
+- session_register('udp_field_cnt');
+-
+- session_register('icmp_field');
+- session_register('icmp_field_cnt');
+-
+- session_register('data_encode');
+- session_register('data');
+- session_register('data_cnt');
+-
+- if ( $debug_mode > 0 )
++ if ( $GLOBALS['debug_mode'] > 0 )
+ echo 'Session Registered ';
+ }
+
+-function ImportGlobalState()
++/* ***********************************************************************
++ * Function: CleanVariables()
++ *
++ * @doc Removes invalid characters/data from a variable based on a
++ * specified mask of acceptable data or a list of explicit values.
++ *
++ * Note: only the mask or explicit list can be used a a time
++ *
++ * @param item variable to scrub
++ * @param valid_data mask of valid characters
++ * @param exception array with explicit values to match
++ *
++ * @return a sanitized version of the passed variable
++ *
++ ************************************************************************/
++function CleanVariable($item, $valid_data, $exception = "")
+ {
+- GLOBAL $time, $time_cnt, $sig, $sig_type, $sig_class, $sensor, $ag,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode, $save_criteria,
+- $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode,
+- $caller, $layer4, $back_list, $back_list_cnt, $HTTP_SESSION_VARS;
++ return $item;
+
+- $ip_addr = SetSessionVar('ip_addr', $ip_addr);
+- $ip_addr_cnt = SetSessionVar('ip_addr_cnt', $ip_addr_cnt);
++ /* Check the exception value list first */
++ if ( $exception != "" )
++ {
++ if ( in_array($item, $exception) )
++ return $item;
++ else
++ return "";
++ }
+
+- /* expand IP into octets */
+- for ( $i = 0; $i < $ip_addr_cnt; $i++ )
+- {
+- if ( (isset ($ip_addr[$i][3])) &&
+- (ereg("([0-9]*)\.([0-9]*)\.([0-9]*)\.([0-9]*)", $ip_addr[$i][3])) )
+- {
+- $tmp_ip_str = $ip_addr[$i][7] = $ip_addr[$i][3];
+- $ip_addr[$i][3] = strtok($tmp_ip_str, ".");
+- $ip_addr[$i][4] = strtok(".");
+- $ip_addr[$i][5] = strtok(".");
+- $ip_addr[$i][6] = strtok("/");
+- $ip_addr[$i][10] = strtok("");
+- }
+- }
+-
+- //$back_list = $HTTP_SESSION_VARS["back_list"];
+- //$back_list_cnt = $HTTP_SESSION_VARS["back_list_cnt"];
+-
+- $ag = SetSessionVar("ag", $ag);
+- $sig = SetSessionVar("sig", $sig);
+- $sig_type = SetSessionVar("sig_type", $sig_type);
+- $sig_class = SetSessionVar("sig_class", $sig_class);
+- $sensor = SetSessionVar('sensor', $sensor);
+- $time = SetSessionVar('time', $time);
+- $time_cnt = SetSessionVar('time_cnt', $time_cnt);
+-
+- $ip_field = SetSessionVar('ip_field', $ip_field);
+- $ip_field_cnt = SetSessionVar('ip_field_cnt', $ip_field_cnt);
+-
+- $tcp_port = SetSessionVar('tcp_port', $tcp_port);
+- $tcp_port_cnt = SetSessionVar('tcp_port_cnt', $tcp_port_cnt);
+- $tcp_flags = SetSessionVar('tcp_flags', $tcp_flags);
+- $tcp_field = SetSessionVar('tcp_field', $tcp_field);
+- $tcp_field_cnt = SetSessionVar('tcp_field_cnt', $tcp_field_cnt);
+-
+- $udp_port = SetSessionVar('udp_port', $udp_port);
+- $udp_port_cnt = SetSessionVar('udp_port_cnt', $udp_port_cnt);
+- $udp_field = SetSessionVar('udp_field', $udp_field);
+- $udp_field_cnt = SetSessionVar('udp_field_cnt', $udp_field_cnt);
+-
+- $icmp_field = SetSessionVar('icmp_field', $icmp_field);
+- $icmp_field_cnt = SetSessionVar('icmp_field_cnt', $icmp_field_cnt);
+-
+- $data_encode = SetSessionVar('data_encode', $data_encode);
+- $data = SetSessionVar('data', $data);
+- $data_cnt = SetSessionVar('data_cnt', $data_cnt);
+-
+- $layer4 = SetSessionVar('layer4', $layer4);
+- //$caller = SetSessionVar('caller', $caller);
+- // $sort_order = SetSessionVar('sort_order', $sort_order);
+-}
++ if ( $valid_data == "" )
++ return $item;
+
+-function SanitizeVariable($item, $validchars)
+-{
+- $len = strlen($item);
++ $regex_mask = "";
+
+- for ( $i = 0; $i < $len; $i++ );
+-
+-}
++ if ( ($valid_data & VAR_DIGIT) > 0 )
++ $regex_mask = $regex_mask . "0-9";
+
+-function CleanVariable($item, $method)
+-{
+- return $item;
+- switch ($method)
+- {
+- case 0: /* only numbers */
+- return ereg_replace ("^0123456789", "", $item);
++ if ( ($valid_data & VAR_LETTER) > 0 )
++ $regex_mask = $regex_mask . "A-Za-z";
+
+- case 1: /* IP address */
+- return ereg_replace ("^0123456789\.", "", $item);
+- }
++ if ( ($valid_data & VAR_ULETTER) > 0 )
++ $regex_mask = $regex_mask . "A-Z";
++
++ if ( ($valid_data & VAR_LLETTER) > 0 )
++ $regex_mask = $regex_mask . "a-z";
++
++ if ( ($valid_data & VAR_ALPHA) > 0 )
++ $regex_mask = $regex_mask . "0-9A-Za-z";
+
++ if ( ($valid_data & VAR_SPACE) > 0 )
++ $regex_mask = $regex_mask . "\ ";
++
++ if ( ($valid_data & VAR_PERIOD) > 0 )
++ $regex_mask = $regex_mask . "\.";
++
++ if ( ($valid_data & VAR_OPAREN) > 0 )
++ $regex_mask = $regex_mask . "\(";
++
++ if ( ($valid_data & VAR_CPAREN) > 0 )
++ $regex_mask = $regex_mask . "\)";
++
++ if ( ($valid_data & VAR_BOOLEAN) > 0 )
++ $regex_mask = $regex_mask . "\)";
++
++ if ( ($valid_data & VAR_OPERATOR) > 0 )
++ $regex_mask = $regex_mask . "\)";
++
++ if ( ($valid_data & VAR_PUNC) > 0 )
++ $regex_mask = $regex_mask . "\!\#\$\%\^\&\*\_\-\=\+\:\;\,\?\ \(\))";
++
++ if ( ($valid_data & VAR_USCORE) > 0 )
++ $regex_mask = $regex_mask . "\_";
++
++ if ( ($valid_data & VAR_AT) > 0 )
++ $regex_mask = $regex_mask . "\@";
++
++ return ereg_replace("[^".$regex_mask."]", "", $item);
+ }
+
+-function SetSessionVar($var_name, $old_value)
++/* ***********************************************************************
++ * Function: SetSessionVar()
++ *
++ * @doc Handles retrieving and updating persistant session (criteria)
++ * data. This routine handles the details of checking for criteria
++ * updates passed through POST/GET and resolving this with values
++ * that may already have been set and stored in the session.
++ *
++ * All criteria variables need invoke this function before they are
++ * used for the first time to extract their previously stored values,
++ * and process potential updates to their value.
++ *
++ * Note: Validation of user input is not performed by this routine.
++ *
++ * @param $var_name name of the persistant session variable to retrieve
++ *
++ * @return the updated value of the persistant session variable named
++ * by $var_name
++ *
++ ************************************************************************/
++function SetSessionVar($var_name)
+ {
+- GLOBAL $HTTP_POST_VARS, $HTTP_GET_VARS, $debug_mode;
++ GLOBAL $HTTP_POST_VARS, $HTTP_GET_VARS, $HTTP_SESSION_VARS;
+
+ if ( isset($HTTP_POST_VARS[$var_name]) )
+ {
+- if ( $debug_mode > 0 ) echo "importing POST var '$var_name' ";
++ if ( $GLOBALS['debug_mode'] > 0 ) echo "importing POST var '$var_name' ";
+ return $HTTP_POST_VARS[$var_name];
+ }
+ else if ( isset($HTTP_GET_VARS[$var_name]) )
+ {
+- if ( $debug_mode > 0 ) echo "importing GET var '$var_name' ";
++ if ( $GLOBALS['debug_mode'] > 0 ) echo "importing GET var '$var_name' ";
+ return $HTTP_GET_VARS[$var_name];
+ }
++ else if ( isset($HTTP_SESSION_VARS[$var_name]) )
++ {
++ if ( $GLOBALS['debug_mode'] > 0 ) echo "importing SESSION var '$var_name' ";
++ return $HTTP_SESSION_VARS[$var_name];
++ }
+ else
+- return $old_value;
++ return "";
+ }
+
+-function ImportHTTPVar($var_name)
++/* ***********************************************************************
++ * Function: ImportHTTPVar()
++ *
++ * @doc Handles retrieving temporary state variables needed to present a
++ * given set of results (e.g., sort order, current record). The
++ * values of these variables are never persistantly stored. Rather,
++ * they are passed as HTTP POST and GET parameters.
++ *
++ * All temporary variables need invoke this function before they are
++ * used for the first time to extract their value.
++ *
++ * Optionally, sanitization parameters can be set, ala CleanVariable()
++ * syntax to validate the user input.
++ *
++ * @param $var_name name of the temporary state variable to retrieve
++ * @param $valid_data (optional) list of valid character types
++ * (see CleanVariable)
++ * @param $exception (optional) array of explicit values the imported
++ * variable must be set to
++ *
++ * @see CleanVariable
++ *
++ * @return the sanitized value of the temporary state variable named
++ * by $var_name
++ *
++ ************************************************************************/
++function ImportHTTPVar($var_name, $valid_data = "", $exception = "")
+ {
+ GLOBAL $HTTP_POST_VARS, $HTTP_GET_VARS, $debug_mode;
+
++ $tmp = "";
++
+ if ( isset($HTTP_POST_VARS[$var_name]) )
+ {
+ //if ( $debug_mode > 0 ) echo "importing POST var '$var_name' ";
+- return $HTTP_POST_VARS[$var_name];
++ $tmp = $HTTP_POST_VARS[$var_name];
+ }
+ else if ( isset($HTTP_GET_VARS[$var_name]) )
+ {
+ //if ( $debug_mode > 0 ) echo "importing GET var '$var_name' ";
+- return $HTTP_GET_VARS[$var_name];
++ $tmp = $HTTP_GET_VARS[$var_name];
+ }
+ else
+- return "";
++ $tmp = "";
++
++ return CleanVariable($tmp, $valid_data, $exception);
+ }
+
++/* ***********************************************************************
++ * Function: ExportHTTPVar()
++ *
++ * @doc Handles export of a temporary state variables needed to present a
++ * given set of results (e.g., sort order, current record). This
++ * routine creates a hidden HTML form variable.
++ *
++ * Note: The user is responsible for generating the appropriate HTML
++ * form code.
++ *
++ * Security Note: Only, temporary variables should make use of this
++ * function. These values are exposed in HTML to the
++ * user; he is free to modify them.
++ *
++ * @param $var_name name of the temporary state variable to export
++ * @param $var_value value of the temporary state variable
++ *
++ * @see ImportHTTPVar
++ *
++ ************************************************************************/
+ function ExportHTTPVar ($var_name, $var_value)
+ {
+ echo " \n";
+diff -Naur acid/acid_state_criteria.inc acidfp/acid_state_criteria.inc
+--- acid/acid_state_criteria.inc 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_state_criteria.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2001 Carnegie Mellon University
++ * Copyright (C) 2001-2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: routines to manipulate shared state (session
+@@ -13,65 +13,100 @@
+ */
+
+ include_once("acid_state_common.inc");
++include_once("acid_state_citems.inc");
+
+ class CriteriaState
+ {
+- var $valid_criteria_list = array("layer4",
+- "ag",
+- "sig",
+- "sig_class",
+- "sensor",
+- "time",
+- "ip_addr",
+- "ip_field",
+- "tcp_port",
+- "tcp_flags",
+- "tcp_field",
+- "udp_port",
+- "udp_field",
+- "icmp_field",
+- "data");
+-
+ var $clear_criteria_name;
+ var $clear_criteria_element;
+ var $clear_url;
+ var $clear_url_params;
+
++ var $criteria;
++
+ function CriteriaState($url, $params = "")
+ {
+- $this->clear_url = $url;
+- $this->clear_url_params = $params;
++ $this->clear_url = $url;
++ $this->clear_url_params = $params;
++
++ /* XXX-SEC */
++ GLOBAL $db;
++
++ $this->criteria['sig'] = new SignatureCriteria(&$db, &$this, "sig");
++ $this->criteria['sig_class'] = new SignatureClassificationCriteria(&$db, &$this, "sig_class");
++ $this->criteria['sig_priority'] = new SignaturePriorityCriteria(&$db, &$this, "sig_priority");
++ $this->criteria['ag'] = new AlertGroupCriteria(&$db, &$this, "ag");
++ $this->criteria['sensor'] = new SensorCriteria(&$db, &$this, "sensor");
++ $this->criteria['time'] = new TimeCriteria(&$db, &$this, "time", TIME_CFCNT);
++ $this->criteria['ip_addr'] = new IPAddressCriteria(&$db, &$this, "ip_addr", IPADDR_CFCNT);
++ $this->criteria['layer4'] = new Layer4Criteria(&$db, &$this, "layer4");
++ $this->criteria['ip_field'] = new IPFieldCriteria(&$db, &$this, "ip_field", PROTO_CFCNT);
++ $this->criteria['tcp_port'] = new TCPPortCriteria(&$db, &$this, "tcp_port", PROTO_CFCNT);
++ $this->criteria['tcp_flags'] = new TCPFlagsCriteria(&$db, &$this, "tcp_flags");
++ $this->criteria['tcp_field'] = new TCPFieldCriteria(&$db, &$this, "tcp_field", PROTO_CFCNT);
++ $this->criteria['udp_port'] = new UDPPortCriteria(&$db, &$this, "udp_port", PROTO_CFCNT);
++ $this->criteria['udp_field'] = new UDPFieldCriteria(&$db, &$this, "udp_field", PROTO_CFCNT);
++ $this->criteria['icmp_field'] = new ICMPFieldCriteria(&$db, &$this, "icmp_field", PROTO_CFCNT);
++ $this->criteria['data'] = new DataCriteria(&$db, &$this, "data", PAYLOAD_CFCNT);
++
++ /*
++ * For new criteria, add a call to the appropriate constructor here, and implement
++ * the appropriate class in acid_stat_citems.inc.
++ */
+ }
+
+ function InitState()
+ {
+- RegisterGlobalState();
+- InitGlobalState();
++ RegisterGlobalState();
++
++ $valid_criteria_list = array_keys($this->criteria);
++
++ foreach ( $valid_criteria_list as $cname )
++ $this->criteria[$cname]->Init();
+ }
+
+ function ReadState()
+ {
+- GLOBAL $time, $time_cnt, $sig, $sig_type,
+- $sensor, $ag, $sig_class,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode, $QUERY_STRING, $PHP_SELF, $debug_mode,
+- $back_list, $back_list_cnt;
+-
+- RegisterGlobalState();
+- ImportGlobalState();
+-
+- $this->clear_criteria_name = ImportHTTPVar("clear_criteria");
+- $this->clear_criteria_element = ImportHTTPVar("clear_criteria_element");
+-
+- if ( $this->clear_criteria_name != "" )
+- $this->ClearCriteriaStateElement($this->clear_criteria_name,
+- $this->clear_criteria_element);
+- if ( $GLOBALS['maintain_history'] == 1 )
+- PreserveHistory();
++ RegisterGlobalState();
++
++ /*
++ * If the BACK button was clicked, shuffle the appropriate
++ * criteria variables from the $back_list (history) array into
++ * the current session ($HTTP_SESSION_VARS)
++ */
++ if ( ($GLOBALS['maintain_history'] == 1) &&
++ (ImportHTTPVar("back", VAR_DIGIT) == 1) )
++ {
++ PopHistory();
++ }
++
++ /*
++ * Import, update and sanitize all persistant criteria variables
++ */
++ $valid_criteria_list = array_keys($this->criteria);
++ foreach ( $valid_criteria_list as $cname )
++ {
++ $this->criteria[$cname]->Import();
++ $this->criteria[$cname]->Sanitize();
++ }
++
++ /*
++ * Check whether criteria elements need to be cleared
++ */
++ $this->clear_criteria_name = ImportHTTPVar("clear_criteria", "",
++ array_keys($this->criteria));
++ $this->clear_criteria_element = ImportHTTPVar("clear_criteria_element", "",
++ array_keys($this->criteria));
++
++ if ( $this->clear_criteria_name != "" )
++ $this->ClearCriteriaStateElement($this->clear_criteria_name,
++ $this->clear_criteria_element);
++
++ /*
++ * Save the current criteria into $back_list (history)
++ */
++ if ( $GLOBALS['maintain_history'] == 1 )
++ PushHistory();
+ }
+
+ function GetBackLink()
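Review bot: The `ImportHTTPVar("clear_criteria", "", array_keys($this->criteria))` calls at the end of ReadState rely on CleanVariable's exception list, but CleanVariable (in the hunk above, acid_state_common.inc judging by the include) executes `return $item;` as its first statement, so that list and every VAR_* mask this commit adds — here, in acid_state_query.inc ReadState, and in acid_stat_sensor.php's `ImportHTTPVar("submit", VAR_DIGIT)` — are dead code and raw request values pass through unchanged. The early return reads like a leftover debugging shortcut carried over from the old CleanVariable; deleting that one line activates the checks, after which two copy-paste leftovers in the mask builder also need attention: the VAR_BOOLEAN and VAR_OPERATOR branches both append `\)` instead of their own character sets, and the VAR_PUNC mask ends with a stray `)`. Inside a POSIX bracket expression the backslash is likely literal as well, so these masks may also admit `\`; worth confirming against the ereg implementation in use. In this hunk the exposure is limited because ClearCriteriaStateElement still gates `$name` with in_array before using it. The `/* XXX-SEC */` marker above `GLOBAL $db` would help the next reader more as a sentence stating what the concern is.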
+@@ -87,151 +122,155 @@
+
+ function ClearCriteriaStateElement($name, $element)
+ {
+- GLOBAL $time, $time_cnt, $sig, $sig_type,
+- $sensor, $ag, $sig_class,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode;
++ $valid_criteria_list = array_keys($this->criteria);
+
+- if ( in_array($name, $this->valid_criteria_list) )
++ if ( in_array($name, $valid_criteria_list) )
+ {
+ ErrorMessage("Removing '$name' from criteria");
+-
+- switch($name)
+- {
+- case "sensor":
+- $sensor = "";
+- break;
+- case "ag":
+- $ag = "";
+- break;
+- case "sig":
+- $sig = "";
+- break;
+- case "sig_class":
+- $sig_class = "";
+- break;
+- case "time":
+- unset($time);
+- $time_cnt = 0;
+- break;
+- case "ip_addr":
+- unset($ip_addr);
+- $ip_addr_cnt = 0;
+- break;
+- case "ip_field":
+- unset($ip_field);
+- $ip_field_cnt = 0;
+- break;
+- case "tcp_port":
+- unset($tcp_port);
+- $tcp_port_cnt = 0;
+- break;
+- case "tcp_flags":
+- unset($tcp_flags);
+- $tcp_flags_cnt = 0;
+- break;
+- case "tcp_field":
+- unset($tcp_field);
+- $tcp_field_cnt = 0;
+- break;
+- case "udp_port":
+- unset($udp_port);
+- $udp_port_cnt = 0;
+- break;
+- case "udp_field":
+- unset($udp_field);
+- $udp_field_cnt = 0;
+- break;
+- case "icmp_field":
+- unset($icmp_field);
+- $icmp_field_cnt = 0;
+- break;
+- case "data":
+- unset($data);
+- $data_cnt = 0;
+- break;
+- }
++
++ $this->criteria[$name]->Init();
+ }
+ else
+ ErrorMessage("Invalid criteria element");
+ }
+ }
+
+-function PreserveHistory()
++/* ***********************************************************************
++ * Function: PopHistory()
++ *
++ * @doc Remove and restore the last entry of the history list (i.e.,
++ * hit the back button in the browser)
++ *
++ * @see PushHistory PrintBackButton
++ *
++ ************************************************************************/
++function PopHistory()
++{
++ GLOBAL $HTTP_SESSION_VARS;
++
++ if ( $HTTP_SESSION_VARS['back_list_cnt'] >= 0 )
++ {
++ /* Remove the state of the page from which the back button was
++ * just hit
++ */
++ unset($HTTP_SESSION_VARS['back_list'][$HTTP_SESSION_VARS['back_list_cnt']]);
++
++ /*
++ * save a copy of the $back_list because session_destroy()/session_decode() will
++ * overwrite it.
++ */
++ $save_back_list = $HTTP_SESSION_VARS['back_list'];
++ $save_back_list_cnt = $HTTP_SESSION_VARS['back_list_cnt']-1;
++
++ /* Restore the session
++ * - destroy all variables in the current session
++ * - restore proper back_list history entry into the current variables (session)
++ * - but, first delete the currently restored entry and
++ * decremement the history stack
++ * - push saved back_list back into session
++ */
++ session_unset();
++
++ if ( $GLOBALS['debug_mode'] > 2 )
++ ErrorMessage("Popping a History Entry from #".$save_back_list_cnt);
++
++ session_decode($save_back_list[$save_back_list_cnt]["session"]);
++ unset($save_back_list[$save_back_list_cnt]);
++ --$save_back_list_cnt;
++
++ $HTTP_SESSION_VARS['back_list'] = $save_back_list;
++ $HTTP_SESSION_VARS['back_list_cnt'] = $save_back_list_cnt;
++ }
++}
++
++/* ***********************************************************************
++ * Function: PushHistory()
++ *
++ * @doc Save the current criteria into the history list ($back_list,
++ * $back_list_cnt) in order to support the ACID back button.
++ *
++ * @see PopHistory PrintBackButton
++ *
++ ************************************************************************/
++function PushHistory()
+ {
+- GLOBAL $back_list_cnt, $back_list, $PHP_SELF, $QUERY_STRING, $debug_mode;
+-
+- /* If the BACK button was clicked, extract the old criteria */
+- if ( ImportHTTPVar("back") == 1 )
+- {
+- --$back_list_cnt;
+- if ( $back_list_cnt >= 0 )
+- {
+- if ( $debug_mode > 0 )
+- {
+- $tmp_num = $back_list_cnt + 1;
+- ErrorMessage("Back (from ".$back_list[$tmp_num]["PHP_SELF"].")");
+- ErrorMessage("Import (historical) state from #".$back_list_cnt);
+- }
+-
+- session_decode($back_list[$back_list_cnt]["session"]);
+- $back_list = & $GLOBALS['back_list'];
+- }
+- }
+-
+- /* Save criteria of current page into history
+- * Note: the $back_list need not be saved
+- */
+- session_unregister('back_list');
+- $full_session = session_encode();
+- session_register('back_list');
+- $back_list_cnt = & $GLOBALS['back_list_cnt'];
+-
+- ++$back_list_cnt;
+- $back_list[$back_list_cnt] = array ("PHP_SELF" => $PHP_SELF,
+- "QUERY_STRING" => $QUERY_STRING,
+- "session" => $full_session );
++ GLOBAL $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_POST_VARS;
++
++ if ( $GLOBALS['debug_mode'] > 1 )
++ {
++ ErrorMessage("Saving state (into ".$HTTP_SESSION_VARS['back_list_cnt'].")");
++ }
++
++ /* save the current session without the $back_list into the history
++ * - make a temporary copy of the $back_list
++ * - NULL-out the $back_list in $HTTP_SESSION_VARS (so that
++ * the current session is serialized without these variables)
++ * - serialize the current session
++ * - fix-up the QUERY_STRING
++ * - make a new QUERY_STRING that includes the temporary QueryState variables
++ * - remove &back=1 from any QUERY_STRING
++ * - add the current session into the $back_list (history)
++ */
++ $tmp_back_list = $HTTP_SESSION_VARS['back_list'];
++ $tmp_back_list_cnt = $HTTP_SESSION_VARS['back_list_cnt'];
++
++ $HTTP_SESSION_VARS['back_list'] = NULL;
++ $HTTP_SESSION_VARS['back_list_cnt'] = -1;
++
++ $full_session = session_encode();
++ $HTTP_SESSION_VARS['back_list'] = $tmp_back_list;
++ $HTTP_SESSION_VARS['back_list_cnt'] = $tmp_back_list_cnt;
++
++ $query_string = $HTTP_SERVER_VARS["QUERY_STRING"];
++ if ( isset($HTTP_POST_VARS['caller']) ) $query_string .= "&caller=".$HTTP_POST_VARS['caller'];
++ if ( isset($HTTP_POST_VARS['num_result_rows']) ) $query_string .= "&num_result_rows=".$HTTP_POST_VARS['num_result_rows'];
++ if ( isset($HTTP_POST_VARS['sort_order']) ) $query_string .= "&sort_order=".$HTTP_POST_VARS['sort_order'];
++ if ( isset($HTTP_POST_VARS['current_view']) ) $query_string .= "¤t_view=".$HTTP_POST_VARS['current_view'];
++ if ( isset($HTTP_POST_VARS['submit']) ) $query_string .= "&submit=".$HTTP_POST_VARS['submit'];
++
++ $query_string = ereg_replace("back=1&", "", $query_string);
++
++ ++$HTTP_SESSION_VARS['back_list_cnt'];
++ $HTTP_SESSION_VARS['back_list'][$HTTP_SESSION_VARS['back_list_cnt']] =
++ array ("PHP_SELF" => $HTTP_SERVER_VARS["PHP_SELF"],
++ "QUERY_STRING" => $query_string, /*$HTTP_SERVER_VARS["QUERY_STRING"], */
++ "session" => $full_session );
+
+- if ( $debug_mode > 0 )
++ if ( $GLOBALS['debug_mode'] > 1 )
+ {
+- echo "History depth = $back_list_cnt ";
+- /*
+- ErrorMessage("Saved criteria for ".$back_list[$back_list_cnt]["PHP_SELF"]);
+- for ( $i = 1; $i <= $back_list_cnt; $i++ )
+- echo $back_list[$i]["PHP_SELF"]."   > ";
+- echo " ";
+- */
+- }
+-
+- if ( $debug_mode > 1 )
+- {
+- echo "Back List (Cnt = $back_list_cnt) ";
+- print_r($back_list);
+- echo " ";
++ ErrorMessage("Insert session into slot #".$HTTP_SESSION_VARS['back_list_cnt']);
++
++ echo "Back List (Cnt = ".$HTTP_SESSION_VARS['back_list_cnt'].") ";
++ print_r($HTTP_SESSION_VARS['back_list']);
++ echo " ";
+ }
+ }
+
++/* ***********************************************************************
++ * Function: PrintBackButton()
++ *
++ * @doc Returns a string with the URL of the previously viewed
++ * page. Clicking this link is equivalent to using the browser
++ * back-button, but all the associated ACID meta-information
++ * propogates correctly.
++ *
++ * @see PushHistory PopHistory
++ *
++ ************************************************************************/
+ function PrintBackButton()
+ {
+- GLOBAL $back_list, $back_list_cnt;
++ GLOBAL $HTTP_SESSION_VARS;
+
+ if ( $GLOBALS['maintain_history'] == 0 )
+ return "Back ";
+
+- $back_list = & $GLOBALS['back_list'];
+- $back_list_cnt = & $GLOBALS['back_list_cnt'];
+-
+- $criteria_num = $back_list_cnt - 1;
+-
+- if ( isset($back_list[$criteria_num]["PHP_SELF"]) )
++ $criteria_num = $HTTP_SESSION_VARS['back_list_cnt'] - 1;
++
++ if ( isset($HTTP_SESSION_VARS['back_list'][$criteria_num]["PHP_SELF"]) )
+
+- return "Back ";
++ $HTTP_SESSION_VARS['back_list'][$criteria_num]["QUERY_STRING"]."\">Back";
+ else
+ return "Back ";
+ }
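Review bot: PushHistory appends `$HTTP_POST_VARS['caller']`, `num_result_rows`, `sort_order`, `current_view` and `submit` to `$query_string` verbatim, and PrintBackButton later concatenates the stored QUERY_STRING into the Back link's href, so an unencoded POST value lands in markup on every subsequent page that shows the button. Each fragment should be URL-encoded as it is appended, e.g. `$query_string .= "&caller=".urlencode($HTTP_POST_VARS['caller']);`, and the href should be emitted through `htmlspecialchars(..., ENT_QUOTES)`. PopHistory's guard `if ( $HTTP_SESSION_VARS['back_list_cnt'] >= 0 )` is off by one: with a single history entry (cnt 0) it unsets slot 0, empties the session with `session_unset()`, and then calls `session_decode()` on the nonexistent slot -1, leaving `back_list_cnt` at -2; `>= 1` matches the precondition PrintBackButton already requires before offering the link. The `¤t_view=` fragment in the same block reads like an HTML-entity rendering of `&current_view=` (it also appears in acid_state_query.inc SaveStateGET); worth confirming the source has the literal ampersand. ClearCriteriaStateElement no longer reads `$element` at all, so either drop the parameter or note that it is kept for call-site compatibility.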
+diff -Naur acid/acid_state_query.inc acidfp/acid_state_query.inc
+--- acid/acid_state_query.inc 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_state_query.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -120,7 +120,6 @@
+ function AddValidActionOp($action_op)
+ {
+ $this->valid_action_op_list[ count($this->valid_action_op_list) ] = $action_op;
+- //array_push($this->valid_action_op_list, $action_op);
+ }
+
+ function SetActionSQL($sql)
+@@ -312,30 +311,30 @@
+
+ function ReadState()
+ {
+- $this->current_canned_query = ImportHTTPVar("caller");
+- $this->num_result_rows = ImportHTTPVar("num_result_rows");
+- $this->current_sort_order = ImportHTTPVar("sort_order");
+- $this->current_view = ImportHTTPVar("current_view");
+- $this->action_arg = ImportHTTPVar("action_arg");
+- $this->action_chk_lst = ImportHTTPVar("action_chk_lst");
+- $this->action_lst = ImportHTTPVar("action_lst");
+- $this->action = ImportHTTPVar("action");
++ $this->current_canned_query = ImportHTTPVar("caller", VAR_LETTER | VAR_USCORE);
++ $this->num_result_rows = ImportHTTPVar("num_result_rows", VAR_DIGIT);
++ $this->current_sort_order = ImportHTTPVar("sort_order", VAR_LETTER | VAR_USCORE);
++ $this->current_view = ImportHTTPVar("current_view", VAR_DIGIT);
++ $this->action_arg = ImportHTTPVar("action_arg", VAR_ALPHA | VAR_PERIOD | VAR_USCORE | VAR_AT);
++ $this->action_chk_lst = ImportHTTPVar("action_chk_lst", VAR_DIGIT);
++ $this->action_lst = ImportHTTPVar("action_lst", VAR_DIGIT);
++ $this->action = ImportHTTPVar("action", VAR_LETTER | VAR_USCORE);
+ }
+
+ function SaveState()
+ {
+- echo "\n";
+- ExportHTTPVar("caller", $this->current_canned_query);
+- ExportHTTPVar("num_result_rows", $this->num_result_rows);
+- ExportHTTPVar("sort_order", $this->current_sort_order);
+- ExportHTTPVar("current_view", $this->current_view);
++ echo "\n";
++ ExportHTTPVar("caller", $this->current_canned_query);
++ ExportHTTPVar("num_result_rows", $this->num_result_rows);
++ ExportHTTPVar("sort_order", $this->current_sort_order);
++ ExportHTTPVar("current_view", $this->current_view);
+ }
+
+ function SaveStateGET()
+ {
+- return "?caller=".$this->current_canned_query.
+- "&num_result_rows=".$this->num_result_rows.
+- "¤t_view=".$this->current_view;
++ return "?caller=".$this->current_canned_query.
++ "&num_result_rows=".$this->num_result_rows.
++ "¤t_view=".$this->current_view;
+ }
+
+ function DumpState()
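Review bot: The `action_arg` mask `VAR_ALPHA | VAR_PERIOD | VAR_USCORE | VAR_AT` admits no hyphen, so if this field carries the address for the `email_alert` actions, a value like `user@my-domain.example` (constructed example) would be silently rewritten to `user@mydomain.example` once CleanVariable's filtering is active, because CleanVariable strips disallowed characters rather than rejecting the value. Either extend the mask with a hyphen-capable flag (VAR_PUNC includes `\-` but far more besides) or have the caller compare the cleaned value with the raw one and refuse to act on a mismatch. At present none of these masks take effect at all, since CleanVariable returns `$item` unconditionally on its first line.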
+diff -Naur acid/acid_stat_fingerprints.php acidfp/acid_stat_fingerprints.php
+--- acid/acid_stat_fingerprints.php 1969-12-31 19:00:00.000000000 -0500
++++ acidfp/acid_stat_fingerprints.php 2004-02-06 11:56:05.000000000 -0500
+@@ -0,0 +1,251 @@
++,
++ *
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
++ * (see the file 'acid_main.php' for license details)
++ *
++ * Purpose: Displays stats on an individual IP address
++ *
++ * Input GET/POST variables
++ * - action:
++ * - submit:
++ * - ip:
++ * - netmask:
++ */
++
++ $start = time();
++
++ include("acid_constants.inc");
++ include("acid_conf.php");
++ include("acid_include.inc");
++ include_once("acid_db_common.php");
++ include_once("acid_common.php");
++
++ $et = new EventTiming($debug_time_mode);
++ $cs = new CriteriaState("acid_stat_ipaddr.php");
++ $cs->ReadState();
++
++ $sortby = ImportHTTPVar("sortby");
++ $dir = ImportHTTPVar("dir");
++ $iddir = $sigdir = $fstdir = $lstdir = $addrdir = $portdir = $protodir = $servdir = $hopsdir = "ASC";
++
++ if ( $dir == "" )
++ {
++ $dir="ASC";
++ }
++
++ if ( $sortby == "" || $sortby == "addr" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby = "fpevent.ip_src DESC, fpevent.port_src";
++ $addrdir = "ASC";
++ }
++ else
++ {
++ $orderby = "fpevent.ip_src ASC, fpevent.port_src";
++ $addrdir = "DESC";
++ }
++ }
++ if ( $sortby == "port" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby = "fpevent.port_src DESC, fpevent.ip_src";
++ $portdir = "ASC";
++ }
++ else
++ {
++ $orderby = "fpevent.port_src ASC, fpevent.ip_src";
++ $portdir = "DESC";
++ }
++ }
++ if ( $sortby == "fseen" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby="fpevent.firstseen DESC, fpevent.ip_src";
++ $fstdir = "ASC";
++ }
++ else
++ {
++ $orderby="fpevent.firstseen ASC, fpevent.ip_src";
++ $fstdir = "DESC";
++ }
++ }
++ if ( $sortby == "lseen" )
++ {
++ if ( $dir == "DESC" )
++ {
++ $orderby="fpevent.lastseen DESC, fpevent.ip_src";
++ $lstdir="ASC";
++ }
++ else
++ {
++ $orderby="fpevent.lastseen ASC, fpevent.ip_src";
++ $lstdir="DESC";
++ }
++ }
++ if ( $sortby == "sig" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby="signature.sig_name DESC, fpevent.ip_src";
++ $sigdir = "ASC";
++ }
++ else
++ {
++ $orderby="signature.sig_name ASC, fpevent.ip_src";
++ $sigdir = "DESC";
++ }
++ }
++ if ( $sortby == "proto" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby="fpevent.protocol DESC, fpevent.ip_src";
++ $protodir = "ASC";
++ }
++ else
++ {
++ $orderby="fpevent.protocol ASC, fpevent.ip_src";
++ $protodir = "DESC";
++ }
++ }
++ if ( $sortby == "serv" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby="services.name DESC, fpevent.ip_src";
++ $servdir = "ASC";
++ }
++ else
++ {
++ $orderby="services.name ASC, fpevent.ip_src";
++ $servdir = "DESC";
++ }
++ }
++ if ( $sortby == "id" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby="fpevent.sid DESC, fpevent.cid DESC";
++ $iddir = "ASC";
++ }
++ else
++ {
++ $orderby="fpevent.sid ASC, fpevent.cid ASC";
++ $iddir = "DESC";
++ }
++ }
++ if ( $sortby == "hops" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby="fpevent.hopcount DESC, fpevent.ip_src";
++ $hopsdir = "ASC";
++ }
++ else
++ {
++ $orderby="fpevent.hopcount ASC, fpevent.ip_src";
++ $hopsdir = "DESC";
++ }
++ }
++
++
++
++ $page_title = 'Network Fingerprints';
++ PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
++
++
++ /* Connect to the Alert database */
++ $db = NewACIDDBConnection($DBlib_path, $DBtype);
++ $db->acidDBConnect($db_connect_method,
++ $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
++
++ if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
++
++ /* SDR BEGIN */
++ echo '';
++
++ $temp = "SELECT fpevent.sid, fpevent.cid, signature.sig_name, fpevent.firstseen, fpevent.lastseen, ".
++ "fpevent.ip_src, fpevent.port_src, fpevent.protocol, services.name, fpevent.hopcount ".
++ "FROM fpevent,signature,services ".
++ "WHERE ( fpevent.signature = signature.sig_id ".
++ "AND fpevent.port_src = services.port AND fpevent.protocol = services.protocol ) ".
++ "ORDER BY ".$orderby;
++/*
++ echo "Query is: ".$temp;
++*/
++ $result2 = $db->acidExecute($temp);
++
++ echo '
++ ';
++
++ /* SDR END */
++
++
++
++ PrintACIDSubFooter();
++?>
++
++
++
++
++
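Review bot: `$cs = new CriteriaState("acid_stat_ipaddr.php");` near the top of this new file names a different page as the clear-criteria URL; every other page passes its own filename (acid_stat_uaddr.php does below), so this looks like a copy-paste from acid_stat_ipaddr.php and should read `new CriteriaState("acid_stat_fingerprints.php");`. `$orderby` is only assigned inside the `$sortby` branches, so any other value leaves it unset and the query ends in a bare `ORDER BY`; initialise it before the chain with `$orderby = "fpevent.ip_src ASC, fpevent.port_src";`, or build it from a small `$sortby => column` table, which would also collapse the nine near-identical blocks. `sortby` and `dir` are imported without a character mask even though the rest of this commit adds them; `ImportHTTPVar("sortby", VAR_LETTER)` and `ImportHTTPVar("dir", VAR_ULETTER)` would keep this page consistent. No `acidFreeRows()` call is visible for `$result2` here, unlike the equivalent loop added to acid_stat_ipaddr.php (the result loop itself may have been dropped by the extraction), and `$start = time();` is assigned but never read.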
+diff -Naur acid/acid_stat_ipaddr.php acidfp/acid_stat_ipaddr.php
+--- acid/acid_stat_ipaddr.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_ipaddr.php 2003-12-17 14:17:10.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: Displays stats on an individual IP address
+@@ -215,8 +215,9 @@
+ //if ( !VerifySocketSupport() )
+ echo '
+ ARIN |
+- RIPE
+- APNIC ';
++ RIPE |
++ APNIC |
++ LACNIC ';
+
+ echo 'External: '.
+ 'DNS | '.
+@@ -269,7 +270,7 @@
+
+ /* Number of Sensors, First, and Last timestamp */
+ $temp = "SELECT COUNT(DISTINCT sid), MIN(timestamp), MAX(timestamp) FROM acid_event ".
+- "WHERE (ip_src = $ip_src32 OR ip_dst = $ip_dst32 )";
++ "WHERE (ip_src = '$ip_src32' OR ip_dst = '$ip_dst32' )";
+ $result2 = $db->acidExecute($temp);
+ $row2 = $result2->acidFetchRow();
+
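Review bot: Quoting `$ip_src32` and `$ip_dst32` in the WHERE clause changes the SQL's typing but is not a defence on its own: if either value can contain a quote it still breaks out of the literal, and the values' origin is outside this hunk. Since these are 32-bit address integers, the check that matters is at the point they are derived — the commit's own VAR_DIGIT mask if the source value comes through ImportHTTPVar, or an explicit `ereg("^[0-9]+$", $ip_src32)` test before interpolation. The same pattern appears in the next hunk of this file and in the fingerprints query added at the end of it, so one fix at the source covers all three. If the quoting was added because a backend stores these columns as strings, a one-line comment saying so would keep the next reader from reverting it.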
+@@ -279,14 +280,14 @@
+ $result2->acidFreeRows();
+
+ /* Unique instances as Source Address */
+- $temp = "SELECT COUNT(sid) from acid_event WHERE ip_src=$ip_src32";
++ $temp = "SELECT COUNT(sid) from acid_event WHERE ip_src='$ip_src32'";
+ $result2 = $db->acidExecute($temp);
+ $row2 = $result2->acidFetchRow();
+ $num_src_ip = $row2[0];
+ $result2->acidFreeRows();
+
+ /* Unique instances Dest. Address */
+- $temp = "SELECT COUNT(sid) from acid_event WHERE ip_dst=$ip_dst32";
++ $temp = "SELECT COUNT(sid) from acid_event WHERE ip_dst='$ip_dst32'";
+ $result2 = $db->acidExecute($temp);
+ $row2 = $result2->acidFetchRow();
+ $num_dst_ip = $row2[0];
+@@ -309,6 +310,46 @@
+
+ ';
+
++ /* SDR BEGIN */
++ echo 'Network Fingerprints ';
++ $temp = "SELECT fpevent.sid, fpevent.cid, signature.sig_name, fpevent.firstseen, fpevent.lastseen, ".
++ "fpevent.port_src, fpevent.protocol, services.name ".
++ "FROM fpevent,signature,services ".
++ "WHERE (fpevent.ip_src = '$ip_src32' AND fpevent.signature = signature.sig_id ".
++ "AND fpevent.port_src = services.port AND fpevent.protocol = services.protocol )".
++ "ORDER BY fpevent.port_src ASC";
++ $result2 = $db->acidExecute($temp);
++
++ echo '
++
++
++ ID
++ Signature
++ First Seen
++ Last Seen
++ Port
++ Protocol
++ Service
++ ';
++ while ( $row2 = $result2->acidFetchRow() )
++ {
++ echo '
++
++ '.$row2[0].'-'.$row2[1].'
++ '.$row2[2].'
++ '.$row2[3].'
++ '.$row2[4].'
++ '.$row2[5].'
++ '.$row2[6].'
++ '.$row2[7].'
++ ';
++ }
++ $result2->acidFreeRows();
++ echo '
';
++
++ /* SDR END */
++
+ if ( $action == "events" )
+ {
+ echo '
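Review bot: The row loop writes `$row2[2]` (signature.sig_name), `$row2[7]` (services.name) and the other columns straight into the table cells without escaping. Whether those columns can contain markup depends on how the fpevent, signature and services tables are populated, which this hunk does not show, but the page should not depend on that; wrapping each cell value in `htmlspecialchars()` costs nothing and makes the output safe regardless of the source. The `'$ip_src32'` quoting in the new SELECT carries the same caveat as the earlier hunks of this file: validate the value as numeric where it is derived rather than relying on the quotes.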
+diff -Naur acid/acid_stat_iplink.php acidfp/acid_stat_iplink.php
+--- acid/acid_stat_iplink.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_iplink.php 2003-12-17 14:16:39.000000000 -0500
+@@ -55,6 +55,7 @@
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+diff -Naur acid/acid_stat_sensor.php acidfp/acid_stat_sensor.php
+--- acid/acid_stat_sensor.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_sensor.php 2003-12-17 14:16:39.000000000 -0500
+@@ -30,7 +30,7 @@
+
+ $qs = new QueryState();
+
+- $submit = ImportHTTPVar("submit");
++ $submit = ImportHTTPVar("submit", VAR_DIGIT);
+ $qs->MoveView($submit); /* increment the view if necessary */
+
+ $page_title = "Sensor Listing";
+@@ -51,6 +51,7 @@
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+diff -Naur acid/acid_stat_time.php acidfp/acid_stat_time.php
+--- acid/acid_stat_time.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_time.php 2003-12-17 14:16:39.000000000 -0500
+@@ -67,8 +67,8 @@
+ if ( $value_lst[$i] > $max_cnt ) $max_cnt = $value_lst[$i];
+
+ echo '
+- Time
+- # of Alerts
++ Time
++ # of Alerts
+ Alerts ';
+
+
+@@ -190,6 +190,8 @@
+ 2000
+ 2001
+ 2002
++ 2003
++ 2004
+ ';
+
+ if ( $i == 0 ) echo ' -- ';
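Review bot: The year options are hard-coded and this hunk only appends `2003` and `2004`, so the list needs another patch every January. Generating the range with a loop bounded by `date("Y")` — from the first year the installation has data for up to the current one — keeps the select current without edits; the surrounding option markup appears stripped by the extraction, so reuse whatever the original lines emit.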
+diff -Naur acid/acid_stat_uaddr.php acidfp/acid_stat_uaddr.php
+--- acid/acid_stat_uaddr.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_uaddr.php 2003-12-17 14:16:39.000000000 -0500
+@@ -33,8 +33,15 @@
+
+ $et = new EventTiming($debug_time_mode);
+ $cs = new CriteriaState("acid_stat_uaddr.php", "&addr_type=$addr_type");
++
+ $cs->ReadState();
+
++/* Dump some debugging information on the shared state */
++if ( $debug_mode > 0 )
++{
++ PrintCriteriaState();
++}
++
+ $qs = new QueryState();
+ $qs->AddCannedQuery("most_frequent", $freq_num_uaddr, "Most Frequent IP addresses", "occur_d");
+ //$qs->AddCannedQuery("last_addr", $last_num_uaddr, "Last IP addresses", "last_d");
+@@ -71,7 +78,6 @@
+
+ $criteria_clauses = ProcessCriteria();
+ PrintCriteria("");
+- echo $time[0][2];
+
+ $criteria = $criteria_clauses[0]." ".$criteria_clauses[1];
+ $from = $criteria_clauses[0];
+diff -Naur acid/acid_style.css acidfp/acid_style.css
+--- acid/acid_style.css 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_style.css 2003-12-17 14:17:10.000000000 -0500
+@@ -17,7 +17,7 @@
+
+ P, B, A, BODY, FORM, TD, INPUT, SELECT, OPTION, TR, OL, UL, MENU, BLOCKQUOTE, FONT, DIV, H4, H5, H6 {
+ FONT-FAMILY: arial,helvetica,sans-serif;
+- font-size: 12pt;
++ font-size: 10pt;
+ }
+
+ H3 {
+@@ -60,6 +60,15 @@
+ font-size: 10pt;
+ }
+
++A.table {
++ FONT-FAMILY: arial,helvetica;
++ COLOR: yellow;
++ BACKGROUND-COLOR: black;
++ font-size: 12pt;
++ font-weight: bold;
++ text-align: center;
++}
++
+ table {
+ }
+
+@@ -106,7 +115,6 @@
+ text-align: center;
+ }
+
+-
+ td.plfield {
+ FONT-FAMILY: verdana,arial,helvetica;
+ COLOR: black;
+@@ -120,7 +128,7 @@
+ font-weight: bold;
+ COLOR: white;
+ BACKGROUND-COLOR: #AA0000;
+- font-size: 12pt;
++ font-size: 10pt;
+ }
+
+ td.iptitle {
+@@ -128,7 +136,7 @@
+ font-weight: bold;
+ COLOR: white;
+ BACKGROUND-COLOR: #333399;
+- font-size: 12pt;
++ font-size: 10pt;
+ }
+
+ td.layer4title {
+@@ -136,7 +144,7 @@
+ font-weight: bold;
+ COLOR: white;
+ BACKGROUND-COLOR: #009966;
+- font-size: 12pt;
++ font-size: 10pt;
+ }
+
+ td.payloadtitle {
+@@ -144,7 +152,7 @@
+ font-weight: bold;
+ COLOR: white;
+ BACKGROUND-COLOR: #660099;
+- font-size: 12pt;
++ font-size: 10pt;
+ }
+
+ td.sectiontitle {
+@@ -152,13 +160,6 @@
+ font-weight: bold;
+ COLOR: white;
+ BACKGROUND-COLOR: #669999;
+- font-size: 12pt;
++ font-size: 10pt;
+ }
+
+-
+-
+-
+-
+-
+-
+-
+diff -Naur acid/CHANGELOG acidfp/CHANGELOG
+--- acid/CHANGELOG 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/CHANGELOG 2003-12-17 14:16:39.000000000 -0500
+@@ -1,5 +1,61 @@
+ ??/??/????: 0.9.6
+
++ - 01/08/2003: 0.9.6b23
++ - [01/08/2003] rdd
++ - 2003-2004 added to combo-boxes as time criteria
++
++ - [12/12/2002] rdd
++ - acid_net.inc
++ detect invalid IP adddress cache entries and update them
++ appropriately
++
++ - [11/12/2002] Christian Berg
++ - Check if PHP safe_mode is used before trying to set_time_limit()
++
++ - [10/15/2002] rdd
++ - acid_qry_sqlcalls.php:
++ fixed SQL generated when sorting by IP protocol on the
++ Alert Listing page
++ - acid_graph_form.php:
++ replace typo of '' with a ')
++ - tweaked SQL to always quote constants for better index use with the
++ PostgreSQL query optimizer (reported: Mike Gahagan )
++ - fix to ICMP decode
++ - added timezone to date in email export
++ - updated McAfee and Snort signature reference URLs
++ - complete re-write of state handling code (support without using
++ PHP's register_globals)
++ - input validation checks for criteria variables
++ - addded $external_sig_link configuration variable to eliminate
++ hardcoded URLs in the signature references
++ - added ICAT signature reference support
++ - use JPGraph library for alert graphing
++ - added pie chart support
++ - added classification vs. number of alerts chart
++ - added sensor vs. number of alerts chart
++
+ - 03/03/2002: 0.9.6b21
+ - CSV-formatted email alert action
+ - fixed bug in SQL generated when classification criteria is not set
+diff -Naur acid/create_acid_tbls_mssql_extra.sql acidfp/create_acid_tbls_mssql_extra.sql
+--- acid/create_acid_tbls_mssql_extra.sql 1969-12-31 19:00:00.000000000 -0500
++++ acidfp/create_acid_tbls_mssql_extra.sql 2003-12-17 14:16:39.000000000 -0500
+@@ -0,0 +1,68 @@
++-- Copyright (C) 2002 Carnegie Mellon University
++--
++-- Author: Roman Danyliw
++--
++-- This program is free software; you can redistribute it and/or modify
++-- it under the terms of the GNU General Public License as published by
++-- the Free Software Foundation; either version 2 of the License, or
++-- (at your option) any later version.
++--
++-- This program is distributed in the hope that it will be useful,
++-- but WITHOUT ANY WARRANTY; without even the implied warranty of
++-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++-- GNU General Public License for more details.
++--
++-- You should have received a copy of the GNU General Public License
++-- along with this program; if not, write to the Free Software
++-- Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++--
++-- - Purpose:
++-- Add referential integrity to the database schema
++
++ALTER TABLE acid_event
++ ADD CONSTRAINT acid_event_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE acid_ag_alert
++ ADD CONSTRAINT acid_ag_alert_fkey_sid_cid
++ FOREIGN KEY (ag_sid,ag_cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE iphdr
++ ADD CONSTRAINT iphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE tcphdr
++ ADD CONSTRAINT tcphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE udphdr
++ ADD CONSTRAINT udphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE icmphdr
++ ADD CONSTRAINT icmphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE opt
++ ADD CONSTRAINT opt_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE data
++ ADD CONSTRAINT data_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
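Review bot: The purpose header of this new file says only "Add referential integrity" and does not record that every constraint is declared ON DELETE CASCADE, so deleting a row from `event` silently removes the matching iphdr, tcphdr, udphdr, icmphdr, opt and data rows — the packet evidence for that alert; I would extend the header with `-- Note: all constraints are ON DELETE CASCADE, so deleting an event row also removes its header, option and payload rows.` so that anyone running this script understands the retention consequence before applying it. This file and create_acid_tbls_pgsql_extra.sql in the next hunk are identical line for line, including the header comment, and nothing in either file says they are meant to stay in sync; a one-line comment to that effect in both would spare the next maintainer a diff.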
+diff -Naur acid/create_acid_tbls_pgsql_extra.sql acidfp/create_acid_tbls_pgsql_extra.sql
+--- acid/create_acid_tbls_pgsql_extra.sql 1969-12-31 19:00:00.000000000 -0500
++++ acidfp/create_acid_tbls_pgsql_extra.sql 2003-12-17 14:16:39.000000000 -0500
+@@ -0,0 +1,68 @@
++-- Copyright (C) 2002 Carnegie Mellon University
++--
++-- Author: Roman Danyliw
++--
++-- This program is free software; you can redistribute it and/or modify
++-- it under the terms of the GNU General Public License as published by
++-- the Free Software Foundation; either version 2 of the License, or
++-- (at your option) any later version.
++--
++-- This program is distributed in the hope that it will be useful,
++-- but WITHOUT ANY WARRANTY; without even the implied warranty of
++-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++-- GNU General Public License for more details.
++--
++-- You should have received a copy of the GNU General Public License
++-- along with this program; if not, write to the Free Software
++-- Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++--
++-- - Purpose:
++-- Add referential integrity to the database schema
++
++ALTER TABLE acid_event
++ ADD CONSTRAINT acid_event_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE acid_ag_alert
++ ADD CONSTRAINT acid_ag_alert_fkey_sid_cid
++ FOREIGN KEY (ag_sid,ag_cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE iphdr
++ ADD CONSTRAINT iphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE tcphdr
++ ADD CONSTRAINT tcphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE udphdr
++ ADD CONSTRAINT udphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE icmphdr
++ ADD CONSTRAINT icmphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE opt
++ ADD CONSTRAINT opt_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE data
++ ADD CONSTRAINT data_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
+diff -Naur acid/README acidfp/README
+--- acid/README 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/README 2003-12-17 14:16:39.000000000 -0500
+@@ -14,7 +14,7 @@
+ CVS : cvs.acidlab.sourceforge.net
+
+ -------------------------------------------------------------------------------
+-** Copyright (C) 2000, 2001 Carnegie Mellon University
++** Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU General Public License as published by
+@@ -63,7 +63,6 @@
+ - tcpdump binary logs
+
+ o using logsnorter (www.snort.org/downloads/logsnorter-0.2.tar.gz)
+- - Cisco PIX
+ - ipchains
+ - iptables
+ - ipfw
+@@ -98,7 +97,7 @@
+ Version: 1.7+
+ Description: Network Intrusion Detection System
+ Reason: Detects security events
+- Homepage: http://www.snort.com/
++ Homepage: http://www.snort.org/
+
+ - Package: logsnorter
+ Version: 0.2+
+@@ -132,11 +131,11 @@
+ Reason: PHP provides no clean database API
+ Homepage: http://php.weblogs.com/adodb/
+
+- o Package: PHPlot
+- Version: 4.4.6+
++ o Package: JPGraph
++ Version: 1.8+
+ Description: PHP chart library
+- Reason: Set of PHP classes over GD to generate charts
+- Homepage: http://www.phplot.com
++ Reason: PHP4 graphing library
++ Homepage: http://www.aditus.nu/jpgraph/
+ Type: optional
+
+ o Package: GD
+@@ -146,6 +145,24 @@
+ Homepage: http://www.boutell.com/gd/
+ Type: optional
+
++ The following are GD dependencies:
++
++ o Package: libpng
++ Description: PNG library
++ Reason: PNG format support for GD
++ Homepage: http://www.libpng.org/pub/png/
++
++ o Package: libjpeg-6b
++ Description: JPEG library
++ Reason: JPEG format support for GD
++ Homepage: http://www.ijg.org/
++
++ o Package: zlib
++ Version: 1.8.*
++ Description: compression library
++ Reason: Compression support for GD
++ Homepage: http://www.gzip.org/zlib/
++
+ o Any web browser capable of supporting cookies
+
+
+@@ -303,7 +320,7 @@
+ under Windows, http://www.php.net/manual/en/install-windows.php.
+
+ o PHP will execute more efficiently if run as an Apache module
+- (--with-apache in the ./configure script). However, it is possible to
++ (--with-apxs in the ./configure script). However, it is possible to
+ run PHP as a CGI application and under different web servers. It should
+ be noted that these configurations are untested.
+
+@@ -353,25 +370,19 @@
+ $ tar xvfz adodb112.tgz
+ $ cd ..
+
+-7. Uncompress and install PHPlot 4.4.6+. Again, this installation should
+- involve only copying the files into a directory viewable by the web
++7. Uncompress and install JPGraph 1.8+. This installation should
++ involve copying the files into a directory viewable by the web
+ server and PHP.
+
+ [UNIX]
+- $ cp phplot-4.4.6.tar.gz /home/httpd/html
++ $ cp jpgraph1.8.tar.gz /home/httpd/html
+ $ cd /home/httpd/html
+- $ tar xvfz phplot-4.4.6.tar.gz
++ $ tar xvfz jpgraph.1.8.tar.gz
+ $ cd ..
+
+-8. [OPTIONAL] Confirm that GD support has been properly configured in
+- PHP by opening a browser and attempting to view the PHPlot diagnostics page
+- examples/test_setup.php (the full URL will depend on where PHPlot was
+- installed; e.g. http://mywebserver/phplot/examples/test_setup.php). If
+- PHP has been configured correctly, at least one chart graphic should be
+- seen on this page. Otherwise, PHP has not been configured correctly with
+- GD support.
++ See the JPGraph README file for additional documentation.
+
+-9. Uncompress and install ACID by copying and expanding it to a directory
++8. Uncompress and install ACID by copying and expanding it to a directory
+ viewable by the web server and PHP.
+
+ [UNIX]
+@@ -380,7 +391,7 @@
+ $ tar xvfz acid-0.9.6.tar.gz
+ $ cd acid
+
+-10. Verify that cookie support in the browser is enabled.
++9. Verify that cookie support in the browser is enabled.
+
+ [Netscape 4.*]
+
+@@ -409,7 +420,7 @@
+ IV. CONFIGURATION
+ _____________________________________
+
+-11. The file 'acid_conf.php' controls the configuration of ACID.
++10. The file 'acid_conf.php' controls the configuration of ACID.
+
+ Note: 'acid_conf.php' is PHP code which will be included in each
+ ACID page request. As such, it is imperative that the opening
+@@ -461,7 +472,8 @@
+
+ [OPTIONAL for chart support]
+
+- o $ChartLib_path : full path to the PHPlot install
++ o $ChartLib_path : full path to the JPGraph install; the directory
++ in which the file 'jpgraph.php' is located
+ (Note: do not include a trailing '\' character)
+
+ o $chart_file_format : graphic format to use for generated charts
+@@ -473,7 +485,7 @@
+
+ o $portscan_file : full path to a Snort portscan log file
+
+-12. Open the acid_main.php page in a browser. If the any database changes
++11. Open the acid_main.php page in a browser. If the any database changes
+ are required, ACID will prompt for action.
+
+ For new databases, several ACID specific tables will need to be created.
+@@ -494,7 +506,7 @@
+
+ After the tables are created, ACID will return status indicating success.
+
+-13. Read the security notes about deploying ACID.
++12. Read the security notes about deploying ACID.
+
+
+ V. SECURITY
diff -Naur snort-2.2.0/contrib/create_mysql_fp snort-2.2.0fp/contrib/create_mysql_fp
--- snort-2.2.0/contrib/create_mysql_fp Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/contrib/create_mysql_fp Sun Jan 23 17:36:22 2005
@@ -0,0 +1,716 @@
+# Copyright (C) 2000-2002 Carnegie Mellon University
+#
+# Maintainer: Roman Danyliw ,
+#
+# Original Author(s): Jed Pickel (2000-2001)
+# Roman Danyliw
+# Todd Schrubb
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+use snort;
+
+# Drop old tables if they exist
+
+DROP TABLE IF EXISTS schema;
+DROP TABLE IF EXISTS event;
+DROP TABLE IF EXISTS fpevent;
+DROP TABLE IF EXISTS services;
+DROP TABLE IF EXISTS signature;
+DROP TABLE IF EXISTS sig_reference;
+DROP TABLE IF EXISTS reference;
+DROP TABLE IF EXISTS reference_system;
+DROP TABLE IF EXISTS sig_class;
+DROP TABLE IF EXISTS sensor;
+DROP TABLE IF EXISTS iphdr;
+DROP TABLE IF EXISTS tcphdr;
+DROP TABLE IF EXISTS udphdr;
+DROP TABLE IF EXISTS icmphdr;
+DROP TABLE IF EXISTS opt;
+DROP TABLE IF EXISTS data;
+DROP TABLE IF EXISTS encoding;
+DROP TABLE IF EXISTS detail;
+
+# Create new tables;
+
+CREATE TABLE schema ( vseq INT UNSIGNED NOT NULL,
+ ctime DATETIME NOT NULL,
+ PRIMARY KEY (vseq));
+INSERT INTO schema (vseq, ctime) VALUES ('106', now());
+
+CREATE TABLE event ( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ signature INT UNSIGNED NOT NULL,
+ timestamp DATETIME NOT NULL,
+ PRIMARY KEY (sid,cid),
+ INDEX sig (signature),
+ INDEX time (timestamp));
+
+# Here's the new fingerprint event table we need to add
+
+
+CREATE TABLE fpevent (ip_src INT UNSIGNED NOT NULL,
+ port_src SMALLINT UNSIGNED NOT NULL,
+ protocol VARCHAR(10) NOT NULL,
+ signature INT UNSIGNED NOT NULL,
+ osfp_flag TINYINT UNSIGNED NOT NULL,
+ sig_priority INT UNSIGNED NOT NULL,
+ sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ firstseen DATETIME NOT NULL,
+ lastseen DATETIME NOT NULL,
+ hopcount INT NOT NULL,
+ PRIMARY KEY (sid,cid),
+ INDEX ip (ip_src, osfp_flag, port_src),
+ INDEX time (lastseen,firstseen));
+
+
+CREATE TABLE services (name VARCHAR(128) NOT NULL,
+ port INT NOT NULL,
+ protocol VARCHAR(10) NOT NULL,
+ PRIMARY KEY (port,protocol),
+ INDEX port (port,protocol));
+
+CREATE TABLE signature ( sig_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ sig_name VARCHAR(255) NOT NULL,
+ sig_class_id INT UNSIGNED NOT NULL,
+ sig_priority INT UNSIGNED,
+ sig_rev INT UNSIGNED,
+ sig_sid INT UNSIGNED,
+ PRIMARY KEY (sig_id),
+ INDEX sign_idx (sig_name(20)),
+ INDEX sig_class_id_idx (sig_class_id));
+
+CREATE TABLE sig_reference (sig_id INT UNSIGNED NOT NULL,
+ ref_seq INT UNSIGNED NOT NULL,
+ ref_id INT UNSIGNED NOT NULL,
+ PRIMARY KEY(sig_id, ref_seq));
+
+CREATE TABLE reference ( ref_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ ref_system_id INT UNSIGNED NOT NULL,
+ ref_tag TEXT NOT NULL,
+ PRIMARY KEY (ref_id));
+
+CREATE TABLE reference_system ( ref_system_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ ref_system_name VARCHAR(20),
+ PRIMARY KEY (ref_system_id));
+
+CREATE TABLE sig_class ( sig_class_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ sig_class_name VARCHAR(60) NOT NULL,
+ PRIMARY KEY (sig_class_id),
+ INDEX (sig_class_id),
+ INDEX (sig_class_name));
+
+# store info about the sensor supplying data
+CREATE TABLE sensor ( sid INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ hostname TEXT,
+ interface TEXT,
+ filter TEXT,
+ detail TINYINT,
+ encoding TINYINT,
+ last_cid INT UNSIGNED NOT NULL,
+ PRIMARY KEY (sid));
+
+# All of the fields of an ip header
+CREATE TABLE iphdr ( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ ip_src INT UNSIGNED NOT NULL,
+ ip_dst INT UNSIGNED NOT NULL,
+ ip_ver TINYINT UNSIGNED,
+ ip_hlen TINYINT UNSIGNED,
+ ip_tos TINYINT UNSIGNED,
+ ip_len SMALLINT UNSIGNED,
+ ip_id SMALLINT UNSIGNED,
+ ip_flags TINYINT UNSIGNED,
+ ip_off SMALLINT UNSIGNED,
+ ip_ttl TINYINT UNSIGNED,
+ ip_proto TINYINT UNSIGNED NOT NULL,
+ ip_csum SMALLINT UNSIGNED,
+ PRIMARY KEY (sid,cid),
+ INDEX ip_src (ip_src),
+ INDEX ip_dst (ip_dst));
+
+# All of the fields of a tcp header
+CREATE TABLE tcphdr( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ tcp_sport SMALLINT UNSIGNED NOT NULL,
+ tcp_dport SMALLINT UNSIGNED NOT NULL,
+ tcp_seq INT UNSIGNED,
+ tcp_ack INT UNSIGNED,
+ tcp_off TINYINT UNSIGNED,
+ tcp_res TINYINT UNSIGNED,
+ tcp_flags TINYINT UNSIGNED NOT NULL,
+ tcp_win SMALLINT UNSIGNED,
+ tcp_csum SMALLINT UNSIGNED,
+ tcp_urp SMALLINT UNSIGNED,
+ PRIMARY KEY (sid,cid),
+ INDEX tcp_sport (tcp_sport),
+ INDEX tcp_dport (tcp_dport),
+ INDEX tcp_flags (tcp_flags));
+
+# All of the fields of a udp header
+CREATE TABLE udphdr( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ udp_sport SMALLINT UNSIGNED NOT NULL,
+ udp_dport SMALLINT UNSIGNED NOT NULL,
+ udp_len SMALLINT UNSIGNED,
+ udp_csum SMALLINT UNSIGNED,
+ PRIMARY KEY (sid,cid),
+ INDEX udp_sport (udp_sport),
+ INDEX udp_dport (udp_dport));
+
+
+# All of the fields of an icmp header
+CREATE TABLE icmphdr( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ icmp_type TINYINT UNSIGNED NOT NULL,
+ icmp_code TINYINT UNSIGNED NOT NULL,
+ icmp_csum SMALLINT UNSIGNED,
+ icmp_id SMALLINT UNSIGNED,
+ icmp_seq SMALLINT UNSIGNED,
+ PRIMARY KEY (sid,cid),
+ INDEX icmp_type (icmp_type));
+
+# Protocol options
+CREATE TABLE opt ( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ optid INT UNSIGNED NOT NULL,
+ opt_proto TINYINT UNSIGNED NOT NULL,
+ opt_code TINYINT UNSIGNED NOT NULL,
+ opt_len SMALLINT,
+ opt_data TEXT,
+ PRIMARY KEY (sid,cid,optid));
+
+# Packet payload
+CREATE TABLE data ( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ data_payload TEXT,
+ PRIMARY KEY (sid,cid));
+
+# encoding is a lookup table for storing encoding types
+CREATE TABLE encoding(encoding_type TINYINT UNSIGNED NOT NULL,
+ encoding_text TEXT NOT NULL,
+ PRIMARY KEY (encoding_type));
+INSERT INTO encoding (encoding_type, encoding_text) VALUES (0, 'hex');
+INSERT INTO encoding (encoding_type, encoding_text) VALUES (1, 'base64');
+INSERT INTO encoding (encoding_type, encoding_text) VALUES (2, 'ascii');
+
+# detail is a lookup table for storing different detail levels
+CREATE TABLE detail (detail_type TINYINT UNSIGNED NOT NULL,
+ detail_text TEXT NOT NULL,
+ PRIMARY KEY (detail_type));
+INSERT INTO detail (detail_type, detail_text) VALUES (0, 'fast');
+INSERT INTO detail (detail_type, detail_text) VALUES (1, 'full');
+
+# Set permissions
+
+grant update,insert,delete on fpevent to snort;
+grant update,insert,delete on iphdr to snort;
+grant update,insert,delete on tcphdr to snort;
+grant update,insert,delete on udphdr to snort;
+grant update,insert,delete on icmphdr to snort;
+grant update,insert,delete on opt to snort;
+grant update,insert,delete on data to snort;
+
+grant update,insert on signature to snort;
+grant update,insert on sig_reference to snort;
+grant update,insert on reference to snort;
+grant update,insert on reference_system to snort;
+grant update,insert on sig_class to snort;
+grant update,insert on sensor to snort;
+grant update,insert on encoding to snort;
+grant update,insert on detail to snort;
+grant update,insert on services to snort;
+
+# be sure to also use the snortdb-extra tables if you want
+# mappings for tcp flags, protocols, and ports
+replace services ( name, port, protocol ) values ( 'osfp', 0, 'tcp' );
+replace services ( name, port, protocol ) values ( 'osfp', 0, 'udp' );
+replace services ( name, port, protocol ) values ( 'tcpmux', 1, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tcpmux', 1, 'udp' );
+replace services ( name, port, protocol ) values ( 'rje', 5, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rje', 5, 'udp' );
+replace services ( name, port, protocol ) values ( 'echo', 7, 'tcp' );
+replace services ( name, port, protocol ) values ( 'echo', 7, 'udp' );
+replace services ( name, port, protocol ) values ( 'discard', 9, 'tcp' );
+replace services ( name, port, protocol ) values ( 'discard', 9, 'udp' );
+replace services ( name, port, protocol ) values ( 'systat', 11, 'tcp' );
+replace services ( name, port, protocol ) values ( 'systat', 11, 'udp' );
+replace services ( name, port, protocol ) values ( 'daytime', 13, 'tcp' );
+replace services ( name, port, protocol ) values ( 'daytime', 13, 'udp' );
+replace services ( name, port, protocol ) values ( 'qotd', 17, 'tcp' );
+replace services ( name, port, protocol ) values ( 'qotd', 17, 'udp' );
+replace services ( name, port, protocol ) values ( 'msp', 18, 'tcp' );
+replace services ( name, port, protocol ) values ( 'msp', 18, 'udp' );
+replace services ( name, port, protocol ) values ( 'chargen', 19, 'tcp' );
+replace services ( name, port, protocol ) values ( 'chargen', 19, 'udp' );
+replace services ( name, port, protocol ) values ( 'ftp-data', 20, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ftp-data', 20, 'udp' );
+replace services ( name, port, protocol ) values ( 'ftp', 21, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ftp', 21, 'udp' );
+replace services ( name, port, protocol ) values ( 'ssh', 22, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ssh', 22, 'udp' );
+replace services ( name, port, protocol ) values ( 'telnet', 23, 'tcp' );
+replace services ( name, port, protocol ) values ( 'telnet', 23, 'udp' );
+replace services ( name, port, protocol ) values ( 'smtp', 25, 'tcp' );
+replace services ( name, port, protocol ) values ( 'smtp', 25, 'udp' );
+replace services ( name, port, protocol ) values ( 'time', 37, 'tcp' );
+replace services ( name, port, protocol ) values ( 'time', 37, 'udp' );
+replace services ( name, port, protocol ) values ( 'rlp', 39, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rlp', 39, 'udp' );
+replace services ( name, port, protocol ) values ( 'nameserver', 42, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nameserver', 42, 'udp' );
+replace services ( name, port, protocol ) values ( 'nicname', 43, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nicname', 43, 'udp' );
+replace services ( name, port, protocol ) values ( 'tacacs', 49, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tacacs', 49, 'udp' );
+replace services ( name, port, protocol ) values ( 're-mail-ck', 50, 'tcp' );
+replace services ( name, port, protocol ) values ( 're-mail-ck', 50, 'udp' );
+replace services ( name, port, protocol ) values ( 'domain', 53, 'tcp' );
+replace services ( name, port, protocol ) values ( 'domain', 53, 'udp' );
+replace services ( name, port, protocol ) values ( 'whois++', 63, 'tcp' );
+replace services ( name, port, protocol ) values ( 'whois++', 63, 'udp' );
+replace services ( name, port, protocol ) values ( 'bootps', 67, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bootps', 67, 'udp' );
+replace services ( name, port, protocol ) values ( 'bootpc', 68, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bootpc', 68, 'udp' );
+replace services ( name, port, protocol ) values ( 'tftp', 69, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tftp', 69, 'udp' );
+replace services ( name, port, protocol ) values ( 'gopher', 70, 'tcp' );
+replace services ( name, port, protocol ) values ( 'gopher', 70, 'udp' );
+replace services ( name, port, protocol ) values ( 'netrjs-1', 71, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netrjs-1', 71, 'udp' );
+replace services ( name, port, protocol ) values ( 'netrjs-2', 72, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netrjs-2', 72, 'udp' );
+replace services ( name, port, protocol ) values ( 'netrjs-3', 73, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netrjs-3', 73, 'udp' );
+replace services ( name, port, protocol ) values ( 'netrjs-4', 74, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netrjs-4', 74, 'udp' );
+replace services ( name, port, protocol ) values ( 'finger', 79, 'tcp' );
+replace services ( name, port, protocol ) values ( 'finger', 79, 'udp' );
+replace services ( name, port, protocol ) values ( 'http', 80, 'tcp' );
+replace services ( name, port, protocol ) values ( 'http', 80, 'udp' );
+replace services ( name, port, protocol ) values ( 'kerberos', 88, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kerberos', 88, 'udp' );
+replace services ( name, port, protocol ) values ( 'supdup', 95, 'tcp' );
+replace services ( name, port, protocol ) values ( 'supdup', 95, 'udp' );
+replace services ( name, port, protocol ) values ( 'hostname', 101, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hostname', 101, 'udp' );
+replace services ( name, port, protocol ) values ( 'iso-tsap', 102, 'tcp' );
+replace services ( name, port, protocol ) values ( 'csnet-ns', 105, 'tcp' );
+replace services ( name, port, protocol ) values ( 'csnet-ns', 105, 'udp' );
+replace services ( name, port, protocol ) values ( 'rtelnet', 107, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rtelnet', 107, 'udp' );
+replace services ( name, port, protocol ) values ( 'pop2', 109, 'tcp' );
+replace services ( name, port, protocol ) values ( 'pop2', 109, 'udp' );
+replace services ( name, port, protocol ) values ( 'pop3', 110, 'tcp' );
+replace services ( name, port, protocol ) values ( 'pop3', 110, 'udp' );
+replace services ( name, port, protocol ) values ( 'sunrpc', 111, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sunrpc', 111, 'udp' );
+replace services ( name, port, protocol ) values ( 'auth', 113, 'tcp' );
+replace services ( name, port, protocol ) values ( 'auth', 113, 'udp' );
+replace services ( name, port, protocol ) values ( 'sftp', 115, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sftp', 115, 'udp' );
+replace services ( name, port, protocol ) values ( 'uucp-path', 117, 'tcp' );
+replace services ( name, port, protocol ) values ( 'uucp-path', 117, 'udp' );
+replace services ( name, port, protocol ) values ( 'nntp', 119, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nntp', 119, 'udp' );
+replace services ( name, port, protocol ) values ( 'ntp', 123, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ntp', 123, 'udp' );
+replace services ( name, port, protocol ) values ( 'netbios-ns', 137, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netbios-ns', 137, 'udp' );
+replace services ( name, port, protocol ) values ( 'netbios-dgm', 138, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netbios-dgm', 138, 'udp' );
+replace services ( name, port, protocol ) values ( 'netbios-ssn', 139, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netbios-ssn', 139, 'udp' );
+replace services ( name, port, protocol ) values ( 'imap', 143, 'tcp' );
+replace services ( name, port, protocol ) values ( 'imap', 143, 'udp' );
+replace services ( name, port, protocol ) values ( 'snmp', 161, 'tcp' );
+replace services ( name, port, protocol ) values ( 'snmp', 161, 'udp' );
+replace services ( name, port, protocol ) values ( 'snmptrap', 162, 'udp' );
+replace services ( name, port, protocol ) values ( 'cmip-man', 163, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cmip-man', 163, 'udp' );
+replace services ( name, port, protocol ) values ( 'cmip-agent', 164, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cmip-agent', 164, 'udp' );
+replace services ( name, port, protocol ) values ( 'mailq', 174, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mailq', 174, 'udp' );
+replace services ( name, port, protocol ) values ( 'xdmcp', 177, 'tcp' );
+replace services ( name, port, protocol ) values ( 'xdmcp', 177, 'udp' );
+replace services ( name, port, protocol ) values ( 'nextstep', 178, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nextstep', 178, 'udp' );
+replace services ( name, port, protocol ) values ( 'bgp', 179, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bgp', 179, 'udp' );
+replace services ( name, port, protocol ) values ( 'prospero', 191, 'tcp' );
+replace services ( name, port, protocol ) values ( 'prospero', 191, 'udp' );
+replace services ( name, port, protocol ) values ( 'irc', 194, 'tcp' );
+replace services ( name, port, protocol ) values ( 'irc', 194, 'udp' );
+replace services ( name, port, protocol ) values ( 'smux', 199, 'tcp' );
+replace services ( name, port, protocol ) values ( 'smux', 199, 'udp' );
+replace services ( name, port, protocol ) values ( 'at-rtmp', 201, 'tcp' );
+replace services ( name, port, protocol ) values ( 'at-rtmp', 201, 'udp' );
+replace services ( name, port, protocol ) values ( 'at-nbp', 202, 'tcp' );
+replace services ( name, port, protocol ) values ( 'at-nbp', 202, 'udp' );
+replace services ( name, port, protocol ) values ( 'at-echo', 204, 'tcp' );
+replace services ( name, port, protocol ) values ( 'at-echo', 204, 'udp' );
+replace services ( name, port, protocol ) values ( 'at-zis', 206, 'tcp' );
+replace services ( name, port, protocol ) values ( 'at-zis', 206, 'udp' );
+replace services ( name, port, protocol ) values ( 'qmtp', 209, 'tcp' );
+replace services ( name, port, protocol ) values ( 'qmtp', 209, 'udp' );
+replace services ( name, port, protocol ) values ( 'z39.50', 210, 'tcp' );
+replace services ( name, port, protocol ) values ( 'z39.50', 210, 'udp' );
+replace services ( name, port, protocol ) values ( 'ipx', 213, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ipx', 213, 'udp' );
+replace services ( name, port, protocol ) values ( 'imap3', 220, 'tcp' );
+replace services ( name, port, protocol ) values ( 'imap3', 220, 'udp' );
+replace services ( name, port, protocol ) values ( 'link', 245, 'tcp' );
+replace services ( name, port, protocol ) values ( 'link', 245, 'ucp' );
+replace services ( name, port, protocol ) values ( 'fatserv', 347, 'tcp' );
+replace services ( name, port, protocol ) values ( 'fatserv', 347, 'udp' );
+replace services ( name, port, protocol ) values ( 'rsvp_tunnel', 363, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rsvp_tunnel', 363, 'udp' );
+replace services ( name, port, protocol ) values ( 'rpc2portmap', 369, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rpc2portmap', 369, 'udp' );
+replace services ( name, port, protocol ) values ( 'codaauth2', 370, 'tcp' );
+replace services ( name, port, protocol ) values ( 'codaauth2', 370, 'udp' );
+replace services ( name, port, protocol ) values ( 'ulistproc', 372, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ulistproc', 372, 'udp' );
+replace services ( name, port, protocol ) values ( 'ldap', 389, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ldap', 389, 'udp' );
+replace services ( name, port, protocol ) values ( 'svrloc', 427, 'tcp' );
+replace services ( name, port, protocol ) values ( 'svrloc', 427, 'udp' );
+replace services ( name, port, protocol ) values ( 'mobileip-agent', 434, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mobileip-agent', 434, 'udp' );
+replace services ( name, port, protocol ) values ( 'mobilip-mn', 435, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mobilip-mn', 435, 'udp' );
+replace services ( name, port, protocol ) values ( 'https', 443, 'tcp' );
+replace services ( name, port, protocol ) values ( 'https', 443, 'udp' );
+replace services ( name, port, protocol ) values ( 'snpp', 444, 'tcp' );
+replace services ( name, port, protocol ) values ( 'snpp', 444, 'udp' );
+replace services ( name, port, protocol ) values ( 'microsoft-ds', 445, 'tcp' );
+replace services ( name, port, protocol ) values ( 'microsoft-ds', 445, 'udp' );
+replace services ( name, port, protocol ) values ( 'kpasswd', 464, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kpasswd', 464, 'udp' );
+replace services ( name, port, protocol ) values ( 'photuris', 468, 'tcp' );
+replace services ( name, port, protocol ) values ( 'photuris', 468, 'udp' );
+replace services ( name, port, protocol ) values ( 'saft', 487, 'tcp' );
+replace services ( name, port, protocol ) values ( 'saft', 487, 'udp' );
+replace services ( name, port, protocol ) values ( 'gss-http', 488, 'tcp' );
+replace services ( name, port, protocol ) values ( 'gss-http', 488, 'udp' );
+replace services ( name, port, protocol ) values ( 'pim-rp-disc', 496, 'tcp' );
+replace services ( name, port, protocol ) values ( 'pim-rp-disc', 496, 'udp' );
+replace services ( name, port, protocol ) values ( 'isakmp', 500, 'tcp' );
+replace services ( name, port, protocol ) values ( 'isakmp', 500, 'udp' );
+replace services ( name, port, protocol ) values ( 'gdomap', 538, 'tcp' );
+replace services ( name, port, protocol ) values ( 'gdomap', 538, 'udp' );
+replace services ( name, port, protocol ) values ( 'iiop', 535, 'tcp' );
+replace services ( name, port, protocol ) values ( 'iiop', 535, 'udp' );
+replace services ( name, port, protocol ) values ( 'dhcpv6-client', 546, 'tcp' );
+replace services ( name, port, protocol ) values ( 'dhcpv6-client', 546, 'udp' );
+replace services ( name, port, protocol ) values ( 'dhcpv6-server', 547, 'tcp' );
+replace services ( name, port, protocol ) values ( 'dhcpv6-server', 547, 'udp' );
+replace services ( name, port, protocol ) values ( 'rtsp', 554, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rtsp', 554, 'udp' );
+replace services ( name, port, protocol ) values ( 'nntps', 563, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nntps', 563, 'udp' );
+replace services ( name, port, protocol ) values ( 'whoami', 565, 'tcp' );
+replace services ( name, port, protocol ) values ( 'whoami', 565, 'udp' );
+replace services ( name, port, protocol ) values ( 'submission', 587, 'tcp' );
+replace services ( name, port, protocol ) values ( 'submission', 587, 'udp' );
+replace services ( name, port, protocol ) values ( 'npmp-local', 610, 'tcp' );
+replace services ( name, port, protocol ) values ( 'npmp-local', 610, 'udp' );
+replace services ( name, port, protocol ) values ( 'npmp-gui', 611, 'tcp' );
+replace services ( name, port, protocol ) values ( 'npmp-gui', 611, 'udp' );
+replace services ( name, port, protocol ) values ( 'hmmp-ind', 612, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hmmp-ind', 612, 'udp' );
+replace services ( name, port, protocol ) values ( 'ipp', 631, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ipp', 631, 'ucp' );
+replace services ( name, port, protocol ) values ( 'ldaps', 636, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ldaps', 636, 'udp' );
+replace services ( name, port, protocol ) values ( 'acap', 674, 'tcp' );
+replace services ( name, port, protocol ) values ( 'acap', 674, 'udp' );
+replace services ( name, port, protocol ) values ( 'ha-cluster', 694, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ha-cluster', 694, 'udp' );
+replace services ( name, port, protocol ) values ( 'kerberos-adm', 749, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kerberos-iv', 750, 'udp' );
+replace services ( name, port, protocol ) values ( 'kerberos-iv', 750, 'tcp' );
+replace services ( name, port, protocol ) values ( 'webster', 765, 'tcp' );
+replace services ( name, port, protocol ) values ( 'webster', 765, 'udp' );
+replace services ( name, port, protocol ) values ( 'phonebook', 767, 'tcp' );
+replace services ( name, port, protocol ) values ( 'phonebook', 767, 'udp' );
+replace services ( name, port, protocol ) values ( 'rsync', 873, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rsync', 873, 'udp' );
+replace services ( name, port, protocol ) values ( 'telnets', 992, 'tcp' );
+replace services ( name, port, protocol ) values ( 'telnets', 992, 'udp' );
+replace services ( name, port, protocol ) values ( 'imaps', 993, 'tcp' );
+replace services ( name, port, protocol ) values ( 'imaps', 993, 'udp' );
+replace services ( name, port, protocol ) values ( 'ircs', 994, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ircs', 994, 'udp' );
+replace services ( name, port, protocol ) values ( 'pop3s', 995, 'tcp' );
+replace services ( name, port, protocol ) values ( 'pop3s', 995, 'udp' );
+replace services ( name, port, protocol ) values ( 'exec', 512, 'tcp' );
+replace services ( name, port, protocol ) values ( 'biff', 512, 'udp' );
+replace services ( name, port, protocol ) values ( 'login', 513, 'tcp' );
+replace services ( name, port, protocol ) values ( 'who', 513, 'udp' );
+replace services ( name, port, protocol ) values ( 'shell', 514, 'tcp' );
+replace services ( name, port, protocol ) values ( 'syslog', 514, 'udp' );
+replace services ( name, port, protocol ) values ( 'printer', 515, 'tcp' );
+replace services ( name, port, protocol ) values ( 'printer', 515, 'udp' );
+replace services ( name, port, protocol ) values ( 'talk', 517, 'udp' );
+replace services ( name, port, protocol ) values ( 'ntalk', 518, 'udp' );
+replace services ( name, port, protocol ) values ( 'utime', 519, 'tcp' );
+replace services ( name, port, protocol ) values ( 'utime', 519, 'udp' );
+replace services ( name, port, protocol ) values ( 'efs', 520, 'tcp' );
+replace services ( name, port, protocol ) values ( 'router', 520, 'udp' );
+replace services ( name, port, protocol ) values ( 'ripng', 521, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ripng', 521, 'udp' );
+replace services ( name, port, protocol ) values ( 'timed', 525, 'tcp' );
+replace services ( name, port, protocol ) values ( 'timed', 525, 'udp' );
+replace services ( name, port, protocol ) values ( 'tempo', 526, 'tcp' );
+replace services ( name, port, protocol ) values ( 'courier', 530, 'tcp' );
+replace services ( name, port, protocol ) values ( 'conference', 531, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netnews', 532, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netwall', 533, 'udp' );
+replace services ( name, port, protocol ) values ( 'uucp', 540, 'tcp' );
+replace services ( name, port, protocol ) values ( 'klogin', 543, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kshell', 544, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afpovertcp', 548, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afpovertcp', 548, 'udp' );
+replace services ( name, port, protocol ) values ( 'remotefs', 556, 'tcp' );
+replace services ( name, port, protocol ) values ( 'socks', 1080, 'tcp' );
+replace services ( name, port, protocol ) values ( 'socks', 1080, 'udp' );
+replace services ( name, port, protocol ) values ( 'bvcontrol', 1236, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bvcontrol', 1236, 'udp' );
+replace services ( name, port, protocol ) values ( 'h323hostcallsc', 1300, 'tcp' );
+replace services ( name, port, protocol ) values ( 'h323hostcallsc', 1300, 'udp' );
+replace services ( name, port, protocol ) values ( 'lotus-notes', 1352, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ms-sql-s', 1433, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ms-sql-s', 1433, 'udp' );
+replace services ( name, port, protocol ) values ( 'ms-sql-m', 1434, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ms-sql-m', 1434, 'udp' );
+replace services ( name, port, protocol ) values ( 'ica', 1494, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ica', 1494, 'udp' );
+replace services ( name, port, protocol ) values ( 'wins', 1512, 'tcp' );
+replace services ( name, port, protocol ) values ( 'wins', 1512, 'udp' );
+replace services ( name, port, protocol ) values ( 'ingreslock', 1524, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ingreslock', 1524, 'udp' );
+replace services ( name, port, protocol ) values ( 'prospero-np', 1525, 'tcp' );
+replace services ( name, port, protocol ) values ( 'prospero-np', 1525, 'udp' );
+replace services ( name, port, protocol ) values ( 'datametrics', 1645, 'tcp' );
+replace services ( name, port, protocol ) values ( 'datametrics', 1645, 'udp' );
+replace services ( name, port, protocol ) values ( 'sa-msg-port', 1646, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sa-msg-port', 1646, 'udp' );
+replace services ( name, port, protocol ) values ( 'kermit', 1649, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kermit', 1649, 'udp' );
+replace services ( name, port, protocol ) values ( 'l2tp', 1701, 'tcp' );
+replace services ( name, port, protocol ) values ( 'l2tp', 1701, 'udp' );
+replace services ( name, port, protocol ) values ( 'h323gatedisc', 1718, 'tcp' );
+replace services ( name, port, protocol ) values ( 'h323gatedisc', 1718, 'udp' );
+replace services ( name, port, protocol ) values ( 'h323gatestat', 1719, 'tcp' );
+replace services ( name, port, protocol ) values ( 'h323gatestat', 1719, 'udp' );
+replace services ( name, port, protocol ) values ( 'h323hostcall', 1720, 'tcp' );
+replace services ( name, port, protocol ) values ( 'h323hostcall', 1720, 'udp' );
+replace services ( name, port, protocol ) values ( 'tftp-mcast', 1758, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tftp-mcast', 1758, 'udp' );
+replace services ( name, port, protocol ) values ( 'hello', 1789, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hello', 1789, 'udp' );
+replace services ( name, port, protocol ) values ( 'radius', 1812, 'tcp' );
+replace services ( name, port, protocol ) values ( 'radius', 1812, 'udp' );
+replace services ( name, port, protocol ) values ( 'radius-acct', 1813, 'tcp' );
+replace services ( name, port, protocol ) values ( 'radius-acct', 1813, 'udp' );
+replace services ( name, port, protocol ) values ( 'mtp', 1911, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mtp', 1911, 'udp' );
+replace services ( name, port, protocol ) values ( 'hsrp', 1985, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hsrp', 1985, 'udp' );
+replace services ( name, port, protocol ) values ( 'licensedaemon', 1986, 'tcp' );
+replace services ( name, port, protocol ) values ( 'licensedaemon', 1986, 'udp' );
+replace services ( name, port, protocol ) values ( 'gdp-port', 1997, 'tcp' );
+replace services ( name, port, protocol ) values ( 'gdp-port', 1997, 'udp' );
+replace services ( name, port, protocol ) values ( 'nfs', 2049, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nfs', 2049, 'udp' );
+replace services ( name, port, protocol ) values ( 'zephyr-srv', 2102, 'tcp' );
+replace services ( name, port, protocol ) values ( 'zephyr-srv', 2102, 'udp' );
+replace services ( name, port, protocol ) values ( 'zephyr-clt', 2103, 'tcp' );
+replace services ( name, port, protocol ) values ( 'zephyr-clt', 2103, 'udp' );
+replace services ( name, port, protocol ) values ( 'zephyr-hm', 2104, 'tcp' );
+replace services ( name, port, protocol ) values ( 'zephyr-hm', 2104, 'udp' );
+replace services ( name, port, protocol ) values ( 'cvspserver', 2401, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cvspserver', 2401, 'udp' );
+replace services ( name, port, protocol ) values ( 'venus', 2430, 'tcp' );
+replace services ( name, port, protocol ) values ( 'venus', 2430, 'udp' );
+replace services ( name, port, protocol ) values ( 'venus-se', 2431, 'tcp' );
+replace services ( name, port, protocol ) values ( 'venus-se', 2431, 'udp' );
+replace services ( name, port, protocol ) values ( 'codasrv', 2432, 'tcp' );
+replace services ( name, port, protocol ) values ( 'codasrv', 2432, 'udp' );
+replace services ( name, port, protocol ) values ( 'codasrv-se', 2433, 'tcp' );
+replace services ( name, port, protocol ) values ( 'codasrv-se', 2433, 'udp' );
+replace services ( name, port, protocol ) values ( 'hpstgmgr', 2600, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hpstgmgr', 2600, 'udp' );
+replace services ( name, port, protocol ) values ( 'discp-client', 2601, 'tcp' );
+replace services ( name, port, protocol ) values ( 'discp-client', 2601, 'udp' );
+replace services ( name, port, protocol ) values ( 'discp-server', 2602, 'tcp' );
+replace services ( name, port, protocol ) values ( 'discp-server', 2602, 'udp' );
+replace services ( name, port, protocol ) values ( 'servicemeter', 2603, 'tcp' );
+replace services ( name, port, protocol ) values ( 'servicemeter', 2603, 'udp' );
+replace services ( name, port, protocol ) values ( 'nsc-ccs', 2604, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nsc-ccs', 2604, 'udp' );
+replace services ( name, port, protocol ) values ( 'nsc-posa', 2605, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nsc-posa', 2605, 'udp' );
+replace services ( name, port, protocol ) values ( 'netmon', 2606, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netmon', 2606, 'udp' );
+replace services ( name, port, protocol ) values ( 'corbaloc', 2809, 'tcp' );
+replace services ( name, port, protocol ) values ( 'icpv2', 3130, 'tcp' );
+replace services ( name, port, protocol ) values ( 'icpv2', 3130, 'udp' );
+replace services ( name, port, protocol ) values ( 'mysql', 3306, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mysql', 3306, 'udp' );
+replace services ( name, port, protocol ) values ( 'trnsprntproxy', 3346, 'tcp' );
+replace services ( name, port, protocol ) values ( 'trnsprntproxy', 3346, 'udp' );
+replace services ( name, port, protocol ) values ( 'rwhois', 4321, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rwhois', 4321, 'udp' );
+replace services ( name, port, protocol ) values ( 'krb524', 4444, 'tcp' );
+replace services ( name, port, protocol ) values ( 'krb524', 4444, 'udp' );
+replace services ( name, port, protocol ) values ( 'rfe', 5002, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rfe', 5002, 'udp' );
+replace services ( name, port, protocol ) values ( 'cfengine', 5308, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cfengine', 5308, 'udp' );
+replace services ( name, port, protocol ) values ( 'cvsup', 5999, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cvsup', 5999, 'udp' );
+replace services ( name, port, protocol ) values ( 'x11', 6000, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-fileserver', 7000, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-fileserver', 7000, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-callback', 7001, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-callback', 7001, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-prserver', 7002, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-prserver', 7002, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-vlserver', 7003, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-vlserver', 7003, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-kaserver', 7004, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-kaserver', 7004, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-volser', 7005, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-volser', 7005, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-errors', 7006, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-errors', 7006, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-bos', 7007, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-bos', 7007, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-update', 7008, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-update', 7008, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-rmtsys', 7009, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-rmtsys', 7009, 'udp' );
+replace services ( name, port, protocol ) values ( 'sd', 9876, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sd', 9876, 'udp' );
+replace services ( name, port, protocol ) values ( 'amanda', 10080, 'tcp' );
+replace services ( name, port, protocol ) values ( 'amanda', 10080, 'udp' );
+replace services ( name, port, protocol ) values ( 'pgpkeyserver', 11371, 'tcp' );
+replace services ( name, port, protocol ) values ( 'pgpkeyserver', 11371, 'udp' );
+replace services ( name, port, protocol ) values ( 'h323callsigalt', 11720, 'tcp' );
+replace services ( name, port, protocol ) values ( 'h323callsigalt', 11720, 'udp' );
+replace services ( name, port, protocol ) values ( 'bprd', 13720, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bprd', 13720, 'udp' );
+replace services ( name, port, protocol ) values ( 'bpdbm', 13721, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bpdbm', 13721, 'udp' );
+replace services ( name, port, protocol ) values ( 'bpjava-msvc', 13722, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bpjava-msvc', 13722, 'udp' );
+replace services ( name, port, protocol ) values ( 'vnetd', 13724, 'tcp' );
+replace services ( name, port, protocol ) values ( 'vnetd', 13724, 'udp' );
+replace services ( name, port, protocol ) values ( 'bpcd', 13782, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bpcd', 13782, 'udp' );
+replace services ( name, port, protocol ) values ( 'vopied', 13783, 'tcp' );
+replace services ( name, port, protocol ) values ( 'vopied', 13783, 'udp' );
+replace services ( name, port, protocol ) values ( 'wnn6', 22273, 'tcp' );
+replace services ( name, port, protocol ) values ( 'wnn6', 22273, 'ucp' );
+replace services ( name, port, protocol ) values ( 'quake', 26000, 'tcp' );
+replace services ( name, port, protocol ) values ( 'quake', 26000, 'udp' );
+replace services ( name, port, protocol ) values ( 'wnn6-ds', 26208, 'tcp' );
+replace services ( name, port, protocol ) values ( 'wnn6-ds', 26208, 'udp' );
+replace services ( name, port, protocol ) values ( 'traceroute', 33434, 'tcp' );
+replace services ( name, port, protocol ) values ( 'traceroute', 33434, 'udp' );
+replace services ( name, port, protocol ) values ( 'rtmp', 1, 'ddp' );
+replace services ( name, port, protocol ) values ( 'nbp', 2, 'ddp' );
+replace services ( name, port, protocol ) values ( 'echo', 4, 'ddp' );
+replace services ( name, port, protocol ) values ( 'zip', 6, 'ddp' );
+replace services ( name, port, protocol ) values ( 'kerberos_master', 751, 'udp' );
+replace services ( name, port, protocol ) values ( 'kerberos_master', 751, 'tcp' );
+replace services ( name, port, protocol ) values ( 'passwd_server', 752, 'udp' );
+replace services ( name, port, protocol ) values ( 'krbupdate', 760, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kpop', 1109, 'tcp' );
+replace services ( name, port, protocol ) values ( 'knetd', 2053, 'tcp' );
+replace services ( name, port, protocol ) values ( 'krb5_prop', 754, 'tcp' );
+replace services ( name, port, protocol ) values ( 'eklogin', 2105, 'tcp' );
+replace services ( name, port, protocol ) values ( 'supfilesrv', 871, 'tcp' );
+replace services ( name, port, protocol ) values ( 'supfiledbg', 1127, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netstat', 15, 'tcp' );
+replace services ( name, port, protocol ) values ( 'linuxconf', 98, 'tcp' );
+replace services ( name, port, protocol ) values ( 'poppassd', 106, 'tcp' );
+replace services ( name, port, protocol ) values ( 'poppassd', 106, 'udp' );
+replace services ( name, port, protocol ) values ( 'smtps', 465, 'tcp' );
+replace services ( name, port, protocol ) values ( 'gii', 616, 'tcp' );
+replace services ( name, port, protocol ) values ( 'omirr', 808, 'tcp' );
+replace services ( name, port, protocol ) values ( 'omirr', 808, 'udp' );
+replace services ( name, port, protocol ) values ( 'swat', 901, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rndc', 953, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rndc', 953, 'udp' );
+replace services ( name, port, protocol ) values ( 'skkserv', 1178, 'tcp' );
+replace services ( name, port, protocol ) values ( 'xtel', 1313, 'tcp' );
+replace services ( name, port, protocol ) values ( 'support', 1529, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cfinger', 2003, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ninstall', 2150, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ninstall', 2150, 'udp' );
+replace services ( name, port, protocol ) values ( 'afbackup', 2988, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afbackup', 2988, 'udp' );
+replace services ( name, port, protocol ) values ( 'squid', 3128, 'tcp' );
+replace services ( name, port, protocol ) values ( 'prsvp', 3455, 'tcp' );
+replace services ( name, port, protocol ) values ( 'prsvp', 3455, 'udp' );
+replace services ( name, port, protocol ) values ( 'postgres', 5432, 'tcp' );
+replace services ( name, port, protocol ) values ( 'postgres', 5432, 'udp' );
+replace services ( name, port, protocol ) values ( 'fax', 4557, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hylafax', 4559, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sgi-dgl', 5232, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sgi-dgl', 5232, 'udp' );
+replace services ( name, port, protocol ) values ( 'noclog', 5354, 'tcp' );
+replace services ( name, port, protocol ) values ( 'noclog', 5354, 'udp' );
+replace services ( name, port, protocol ) values ( 'hostmon', 5355, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hostmon', 5355, 'udp' );
+replace services ( name, port, protocol ) values ( 'canna', 5680, 'tcp' );
+replace services ( name, port, protocol ) values ( 'x11-ssh-offset', 6010, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ircd', 6667, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ircd', 6667, 'udp' );
+replace services ( name, port, protocol ) values ( 'xfs', 7100, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tircproxy', 7666, 'tcp' );
+replace services ( name, port, protocol ) values ( 'http-alt', 8008, 'tcp' );
+replace services ( name, port, protocol ) values ( 'http-alt', 8008, 'udp' );
+replace services ( name, port, protocol ) values ( 'webcache', 8080, 'tcp' );
+replace services ( name, port, protocol ) values ( 'webcache', 8080, 'udp' );
+replace services ( name, port, protocol ) values ( 'tproxy', 8081, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tproxy', 8081, 'udp' );
+replace services ( name, port, protocol ) values ( 'jetdirect', 9100, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mandelspawn', 9359, 'udp' );
+replace services ( name, port, protocol ) values ( 'kamanda', 10081, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kamanda', 10081, 'udp' );
+replace services ( name, port, protocol ) values ( 'amandaidx', 10082, 'tcp' );
+replace services ( name, port, protocol ) values ( 'amidxtape', 10083, 'tcp' );
+replace services ( name, port, protocol ) values ( 'isdnlog', 20011, 'tcp' );
+replace services ( name, port, protocol ) values ( 'isdnlog', 20011, 'udp' );
+replace services ( name, port, protocol ) values ( 'vboxd', 20012, 'tcp' );
+replace services ( name, port, protocol ) values ( 'vboxd', 20012, 'udp' );
+replace services ( name, port, protocol ) values ( 'wnn4_Kr', 22305, 'tcp' );
+replace services ( name, port, protocol ) values ( 'wnn4_Cn', 22289, 'tcp' );
+replace services ( name, port, protocol ) values ( 'wnn4_Tw', 22321, 'tcp' );
+replace services ( name, port, protocol ) values ( 'binkp', 24554, 'tcp' );
+replace services ( name, port, protocol ) values ( 'binkp', 24554, 'udp' );
+replace services ( name, port, protocol ) values ( 'asp', 27374, 'tcp' );
+replace services ( name, port, protocol ) values ( 'asp', 27374, 'udp' );
+replace services ( name, port, protocol ) values ( 'tfido', 60177, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tfido', 60177, 'udp' );
+replace services ( name, port, protocol ) values ( 'fido', 60179, 'tcp' );
+replace services ( name, port, protocol ) values ( 'fido', 60179, 'udp' );
diff -Naur snort-2.2.0/doc/README.fp snort-2.2.0fp/doc/README.fp
--- snort-2.2.0/doc/README.fp Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/doc/README.fp Sun Jan 23 17:36:25 2005
@@ -0,0 +1,173 @@
+Snort!(fp): Real-Time Passive Network Fingerprinting with Snort!
+
+------------
+Introduction
+------------
+
+Snort!(fp) extends the capability of the Snort! intrusion detection
+open-source product to include OS and network daemon fingerprinting.
+
+Thus, with a properly configure Snort! environment (including the fp
+extension), you would be able to determine, given an IDS alert:
+(1) What operating system the (alert) source/destination system is running
+(2) What network services/daemons the (alert) source/destination
+system is running
+
+Example (1):
+An IDS alert indicates a DCOM vulnerability (known to only affect
+Windows System). Is the destination system running a Windows operating
+system? Snort!(fp) will tell you!
+
+Example (2):
+An IDS alert indicates a MS-SQL worm propogating on your network. Are the destination systems running MS-SQL? Snort!(fp) will tell you!
+
+Example (3):
+What new systems have appeared on my network? What OSes are they
+running? What services are they offering? Snort!(fp) will tell you!
+
+Example (4):
+Are any of my old systems offering new network services that they
+shouldn't be? Perhaps a backdoor of some kind? Snort!(fp) will tell you!
+
+------------
+Architecture
+------------
+
+Snort!(fp) is based on the following tools:
+
+IDS: Snort! (needs to be patched before building)
+DB: MySQL (no modifications except to tables)
+HTTPD: Apache (no modifications needed)
+Interface: ACID (needs to be patched to support fingerprinting)
+OS Fingerprinting: p0f (the 'p2s' utility converts to Snort!syntax)
+Service Fingerprinting: native Snort! rules
+
+Both Snort!and ACID have been extended to support fingerprinting functions. The ACID database schema has also been modified to support fingerprinting.
+
+Snort! Modifications:
+
+The following Snort!syntax has been modified/added to support OS fingerprinting. With the addition of this syntax, p0f rules can be identically replicated in Snort!
+
+window:[%,S,T]value; Added modulus, "S" and "T" p0f window functions.
+ttl:[<,>,=,<=,>=]value; Modified TTL to support <= and >= operators.
+length:[>,<,=]value; Added tests for actual packet length (as compared to dsize).
+tcpopts Added TCP options test. Multiple options separated by comma.
+tcpopts:nop; NOP.
+tcpopts:eol; EOL.
+tcpopts:ws[=,%]value; Window Scale
+tcpopts:mss[=,%]value; Maximum Segment Size
+tcpopts:sack; Selective ACK
+tcpopts:time[!,=]value; Timestamp
+tcpopts:number=value; Generic TCP option number equals value.
+quirks TCP Quirks checks (from p0f)
+quirks:opeol; TCP options past EOL.
+quirks:nzup; Non-zero urgent pointer.
+quirks:nzuf; Non-zero unused (reserved) TCP flags
+quirks:oddflags; Unususal TCP flags set.
+quirks:extra; Extra TCP payload data.
+quirks:broken; Broken TCP options.
+quirks:seqack; Sequence number equals acknowledgement number.
+quirks:rsttext; Text (payload data) found in RST packet.
+
+Additional modifications have been made in Snort! to support fingerprinting, especially within the database logging routines. These modifications had to be made to separate traditional alerts from fingerprint log information.
+
+Snort.conf and classification.config have also been modified. Most notably, an service-fingerprint and os-fingerprint classification type have been added. To increase efficiency, classification.config is now read earlier in snort.conf such that the database output plugin is aware of the fingerprinting data type. (This prevents a classification lookup for every packet logged.)
+
+Database Schema:
+
+The MySQL database schema (other DB's not yet supported) has been modified to support fingerprinting. Most notably, the addition of the "fpevent" table was created to separate standard alert events (originally and still in the "event" table) from fingerprint alerts. The fpevent table (and corresponding Snort!database routine functions) have been modified to store only the first and last fingerprint entries for a given IP and port number (OS fingerprints are identified by port 0). It is too impractical to store every fingerprint event. However, given the first and last timestamps, we can answer important questions such as "What new services have appeared on my network in the last 24 hours?"
+
+Additionally, generic fingerprint events are never replaced by existing specific fingerprint events. The standard Snort! "priority" field is used to identify more specific fingerprint descriptions. For example, a previously identified "specific" Apache Web Server should not be replaced by a "generic" TCP service fingerprint on port 80. Similar to Snort!alert syntax, a lower priority is considered a more specific fingerprint.
+
+ACID Modifications:
+
+Two major modifications have been added to ACID. First, the IP query (acid_stat_ipaddr) screen has been modified to include any fingerprints assocatied with the queried address. Second, a "Network Fingerprints" (acid_stat_fingerprints) query has been added to display a list of all fingerprints. Fingerprints can be sorted by address, port, signature, first seen (time), last seen (time), and service description.
+
+------------
+Installation
+------------
+
+These are general installation directions. The reader is assumed to
+have knowledge of integrating ACID, MYSQL, Apache and Snort!
+
+1. Download, build and install MYSQL database (www.mysql.com)
+
+2. Download, build and install Apache httpd (www.apache.org)
+
+3. Snort! IDS
+
+3.1 Download the Snort! 2.1.2 source code (www.Snort.org)
+3.2 Apply the 2.1.2fp patch
+
+ $ cd snort-2.1.2
+ $ patch -Np1 < snort-2.1.2fp.patch
+
+3.3 Build Snort! with MYSQL DB support enabled
+
+ $ configure --with-mysql[=/mysql/directory/path]
+ $ make
+
+ Warning(s) that can be safely ignored:
+
+ spo_database.c:2417: warning: second parameter of `va_start'
+ not last named argument
+
+ # make install
+
+4. Update MYSQL Schema
+
+ Replace (as in destroy all previous data) MySQL database to support
+ fingerprinting.
+ YES, THIS WILL DESTROY ANY OLD DATA, so backup appropriately.
+
+ $ mysql -u root -p < ./contrib/create_mysql_fp
+
+5. ACID
+
+5.1 Download, build and install ACID (http://www.andrew.cmu.edu/~rdanyliw/Snort/Snortacid.html, also available in ./contrib directory)
+
+5.2 Apply the acid-0.9.6b23fp.patch directly in your htdocs/acid directory (patch available in ./contrib directory)
+
+ # cd /usr/local/apache2/htdocs/acid
+ # patch -Np1 < acid-0.9.6b23fp.patch
+
+6. Configure snort.conf for MYSQL database support -- be sure to use
+the patched snort.conf and classification.conf files
+
+7. Copy osfp-syn.rules and servicefp.rules from the 2.1.2 patched
+directory to your Snort! rules directory.
+
+8. Start your HTTPD, MYSQL, and Snort! daemons
+
+9. Browse ACID -- See the "Network Fingerprints" links on main page.
+
+---
+p2s
+---
+
+p2s is a conversion utility to convert p0f files to Snort! rules.
+See ./contrib/p2s-2.1.tar.gz for more info, including source and README.p2s
+
+--------------
+TODO/NEED HELP
+--------------
+
+(1) Complete testing of the p0f Snort! signatures. See README.p2s in the
+gzipped archive for testing status.
+(2) Test on other platforms. Successfully tested on Red Hat Linux 8.0.
+(3) Write DB routines in spo_database.c to support other databases.
+Presently, only MYSQL supported.
+(4) Write more OS and service signatures!
+
+------------
+Bugs/Support
+------------
+
+If you'd like to report a bug or contribute in another way to the Snort!(fp) project,
+please contact me directly at sdreed@verizon.net.
+
+On-On!
+
+
+
+
diff -Naur snort-2.2.0/etc/classification.config snort-2.2.0fp/etc/classification.config
--- snort-2.2.0/etc/classification.config Mon Oct 20 09:03:03 2003
+++ snort-2.2.0fp/etc/classification.config Sun Jan 23 17:36:16 2005
@@ -41,6 +41,10 @@
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
+# BEGIN ADD SDR
+config classification: os-fingerprint,OS Fingerprint,3
+config classification: service-fingerprint,Service Fingerprint,3
+# END ADD SDR
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
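Review bot: The priority 3 assigned to os-fingerprint and service-fingerprint never takes effect for the rules this patch ships, because every rule in osfp-rst.rules and osfp-syn.rules carries an explicit `priority:4;` or `priority:5;`, and the per-rule keyword overrides the classtype default (servicefp.rules is not visible here, so it may differ). Either drop the per-rule priority and let the classtype carry it, or say so here, e.g. `# SDR: the shipped osfp/servicefp rules set their own per-rule priority`.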
diff -Naur snort-2.2.0/etc/snort.conf snort-2.2.0fp/etc/snort.conf
--- snort-2.2.0/etc/snort.conf Thu Aug 5 12:55:37 2004
+++ snort-2.2.0fp/etc/snort.conf Sun Jan 23 21:29:52 2005
@@ -418,6 +418,20 @@
#
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
+# SDR: We need to move classification.config before the output plugins so that
+# the database plugin can be initialized correctly for fingerprinting
+#
+# Include classification & priority settings
+#
+
+include classification.config
+
+#
+# Include reference systems
+#
+
+include reference.config
+
####################################################################
# Step #3: Configure output plugins
#
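Review bot: The relocated `include classification.config` / `include reference.config` block drops the advisory the old block carried ("Note for Windows users: You are advised to make this an absolute path, such as: c:\snort\etc\classification.config"), and the hunk at `@@ -507,16 +523,6 @@` removes the includes but leaves the tail of that comment (`# such as: c:\snort\etc\classification.config`) in place, now describing an include that no longer follows it. Suggest carrying the note into the new block, e.g. `# Note for Windows users: you are advised to make these absolute paths,` / `# such as: c:\snort\etc\classification.config`, and trimming the orphaned comment in the later hunk. The opening lines of that orphaned comment lie outside the later hunk.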
@@ -451,6 +465,8 @@
# See the README.database file for more information about configuring
# and using this plugin.
#
+# SDR: Be sure to enable the mysql output plugin for fingerprinting!
+output database: log, mysql, user=[username] password=[password] dbname=snort host=[hostname]
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
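Review bot: The newly uncommented `output database:` line carries literal `[username]`, `[password]` and `[hostname]` placeholders, so a snort.conf installed as-is will presumably try, and fail, to open a MySQL connection with those strings at startup instead of staying a template like the commented examples beneath it. Keeping the line commented and telling the operator to copy and fill it in, or at least stating in the SDR comment that all three bracketed values must be replaced, would avoid that. Since the database password then sits in cleartext in snort.conf, the comment should also say that the file must not be world-readable, e.g. `# SDR: this line holds the DB password in cleartext -- restrict snort.conf permissions accordingly`.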
@@ -507,16 +523,6 @@
# such as: c:\snort\etc\classification.config
#
-include classification.config
-
-#
-# Include reference systems
-# Note for Windows users: You are advised to make this an absolute path,
-# such as: c:\snort\etc\reference.config
-#
-
-include reference.config
-
####################################################################
# Step #4: Customize your rule set
#
@@ -615,6 +621,12 @@
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
+
+# SDR: We don't want fingerprinting to interfere with IDS functionality, so
+# we put the fingerprinting rules last. Of course, we could also disable all other rules
+# and configure just a fingerprinting engine...
+include $RULE_PATH/servicefp.rules
+include $RULE_PATH/osfp-syn.rules
# Include any thresholding or suppression commands. See threshold.conf in the
# /etc directory for details. Commands don't necessarily need to be
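Review bot: Only servicefp.rules and osfp-syn.rules are included here, while the patch also adds rules/osfp-rst.rules and README step 7 likewise copies just those two files, so whether osfp-rst.rules is meant to be opt-in or was simply left out is stated nowhere. A commented `# include $RULE_PATH/osfp-rst.rules` with a one-line note on when to enable it would make the intent explicit. These are `log` rules that fire on every SYN or RST from $HOME_NET matching a fingerprint, the "(Generic)" priority-5 ones broadly, so the comment about ordering could also mention the database volume they generate.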
diff -Naur snort-2.2.0/rules/osfp-rst.rules snort-2.2.0fp/rules/osfp-rst.rules
--- snort-2.2.0/rules/osfp-rst.rules Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/rules/osfp-rst.rules Sun Jan 23 17:36:17 2005
@@ -0,0 +1,55 @@
+# p2s: p0f to Snort rule conversion utility
+# (c) Copyright 2004, Stephen D. Reed
+#
+# Options used to generate this file:
+# Input Type: [RST]
+# Initial Sid: [210000]
+# Revision: [1]
+# Source Net: [$HOME_NET]
+# Dest Net: [any]
+# Generic Rules: [included]
+
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.0/2.2 (refused)"; length:40; fragbits:!D; ttl:<=255; seq:0; ack:!=0; flags:RA+; window:0; classtype:os-fingerprint; priority:4; sid:210001; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8 (refused)"; length:40; fragbits:D; ttl:<=64; seq:0; ack:!=0; flags:RA+; window:0; classtype:os-fingerprint; priority:4; sid:210002; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-recent 2.4 (refused)"; length:40; id:0; fragbits:D; ttl:<=64; seq:0; ack:!=0; flags:RA+; window:0; classtype:os-fingerprint; priority:4; sid:210003; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (refused)"; length:40; fragbits:!D; ttl:<=128; seq:0; ack:!=0; flags:RA+; window:0; classtype:os-fingerprint; priority:4; sid:210004; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while browsing (refused) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=128; seq:0; ack:!=0; flags:RA+; window:0; quirks:nzup; classtype:os-fingerprint; priority:4; sid:210005; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8 (dropped)"; length:40; fragbits:D; ttl:<=64; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210006; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.0/2.2 or IOS 12.x (dropped)"; length:40; fragbits:!D; ttl:<=255; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210007; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-recent 2.4 (dropped)"; length:40; id:0; fragbits:D; ttl:<=64; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210008; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-early 2.4 (dropped)"; length:40; id:0; fragbits:D; ttl:<=255; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210009; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Xylan-OmniSwitch / Linksys WAP11 AP (dropped)"; length:40; fragbits:!D; ttl:<=32; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210010; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetIron-load balancer (dropped)"; length:40; fragbits:D; ttl:<=64; flags:R; window:0; quirks:nzup; classtype:os-fingerprint; priority:4; sid:210011; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (dropped 2)"; length:40; fragbits:D; ttl:<=128; ack:!=0; flags:R; window:0; quirks:seqack; classtype:os-fingerprint; priority:4; sid:210012; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while browsing (1) (dropped 2) (User Stack/Scanner)"; length:40; fragbits:D; ttl:<=128; ack:!=0; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210013; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while browsing (2) (dropped 2) (User Stack/Scanner)"; length:40; fragbits:D; ttl:<=128; ack:!=0; flags:R; window:0; quirks:seqack,nzup; classtype:os-fingerprint; priority:4; sid:210014; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while browsing a lot (dropped 2) (User Stack/Scanner)"; length:40; fragbits:D; ttl:<=128; ack:!=0; flags:R; window:0; quirks:nzup; classtype:os-fingerprint; priority:4; sid:210015; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (?) (dropped) (Generic)"; length:40; fragbits:D; ttl:<=128; flags:R; window:0; classtype:os-fingerprint; priority:5; sid:210016; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Ascend-TAOS or BayTech (dropped 2)"; length:40; fragbits:!D; ttl:<=64; ack:!=0; flags:R; window:0; classtype:os-fingerprint; priority:4; sid:210017; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Cisco-LocalDirector (dropped 2)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:R; quirks:seqack; classtype:os-fingerprint; priority:4; sid:210018; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-9.x 'No TCP/No listener' (seldom SunOS 5.x) (dropped)"; length:58; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210019; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-8.5 'no tcp, reset' (dropped)"; length:53; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210020; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-X 'tcp_close, during connect' (dropped)"; length:65; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210021; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-X 'tcp_disconnect' (dropped)"; length:54; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210022; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"HP/UX-? 'tcp_fin_wait_2_timeout' (dropped)"; length:62; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210023; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-8.5 'tcp_disconnect' (dropped)"; length:54; fragbits:D; ttl:<=255; flags:R; window:32768; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210024; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Unknown- 'Go away' device (dropped) (Generic)"; length:63; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:5; sid:210025; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SunOS-5.x 'new data when detached' (1) (dropped)"; length:62; fragbits:!D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210026; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SunOS-5.x 'new data when detached' (2) (dropped)"; length:62; fragbits:D; ttl:<=255; flags:R; window:32768; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210027; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SunOS-5.x 'tcp_lift_anchor, can't wait' (dropped)"; length:67; fragbits:D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210028; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"HP/UX-11.00 'No TCP' (dropped)"; length:46; fragbits:!D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210029; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-2.x 'tcp_disconnect' (dropped, lame)"; length:58; fragbits:D; ttl:<=255; ack:!=0; flags:RA+; window:S12; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210030; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AOL-proxy (dropped, lame)"; length:40; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; window:S43; classtype:os-fingerprint; priority:4; sid:210031; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8 (dropped, lame)"; length:40; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; classtype:os-fingerprint; priority:4; sid:210032; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (?) (dropped, lame)"; length:52; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; tcpopts:nop,nop,time; classtype:os-fingerprint; priority:4; sid:210033; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"3Com-SuperStack II (dropped, lame)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:RA+; window:0; quirks:oddflags; classtype:os-fingerprint; priority:4; sid:210034; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Intel-Netport print server (dropped, lame)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:RA+; classtype:os-fingerprint; priority:4; sid:210035; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linksys-BEF router (dropped, lame)"; length:40; fragbits:!D; ttl:<=150; ack:!=0; flags:RA+; classtype:os-fingerprint; priority:4; sid:210036; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetWare-??? 'ehnc' (dropped, lame) (Generic)"; length:44; id:0; fragbits:!D; ttl:<=32; flags:RA+; quirks:rsttext; classtype:os-fingerprint; priority:5; sid:210037; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"BayTech-RPC-3 telnet host (dropped, lame)"; length:40; fragbits:!D; ttl:<=64; seq:0; flags:RA+; window:0; quirks:seqack; classtype:os-fingerprint; priority:4; sid:210038; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Cisco-IOS/PIX NAT + data (1) (dropped, lame)"; length:>100; fragbits:!D; ttl:<=255; ack:!=0; flags:RA+; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210039; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 SP6a + data (dropped)"; length:>100; fragbits:!D; ttl:<=255; flags:R; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210040; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Isolation-Infocrypt accelerator + data (dropped, lame)"; length:>100; fragbits:!D; ttl:<=255; seq:0; ack:!=0; flags:RA+; window:0; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210041; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Cisco-IOS/PIX NAT + data (2) (dropped)"; length:>100; fragbits:!D; ttl:<=255; ack:!=0; flags:R; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210042; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (?) + data (dropped, lame)"; length:>100; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; tcpopts:nop,nop,time; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210043; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8 + data (dropped, lame)"; length:>100; fragbits:D; ttl:<=64; ack:!=0; flags:RA+; quirks:rsttext; classtype:os-fingerprint; priority:4; sid:210044; rev:1; )
diff -Naur snort-2.2.0/rules/osfp-syn.rules snort-2.2.0fp/rules/osfp-syn.rules
--- snort-2.2.0/rules/osfp-syn.rules Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/rules/osfp-syn.rules Sun Jan 23 17:36:19 2005
@@ -0,0 +1,206 @@
+# p2s: p0f to Snort rule conversion utility
+# (c) Copyright 2004, Stephen D. Reed
+#
+# Options used to generate this file:
+# Input Type: [SYN]
+# Initial Sid: [200000]
+# Revision: [1]
+# Source Net: [$HOME_NET]
+# Dest Net: [any]
+# Generic Rules: [included]
+
+log tcp $HOME_NET any -> any any ( msg:"AIX-4.3"; length:44; fragbits:!D; ttl:<=64; flags:S; window:45046; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200001; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.2 and earlier"; length:44; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200002; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.3-5.2 (1)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss=512,nop,ws%2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200003; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.3-5.2 (2)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:32768; tcpopts:mss=512,nop,ws%2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200004; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AIX-4.3.3-5.2 (3)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss=512,nop,ws%2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200005; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AIX-5.3 ML1"; length:64; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200006; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (1)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:512; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200007; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (2)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200008; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (MkLinux) on Mac (1)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:2; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200009; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.0.3x (MkLinux) on Mac (2)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:64; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200010; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (Google crawlbot)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss=1360,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200011; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (big boy)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S2; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200012; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4.18 and newer"; length:60; fragbits:D; ttl:<=64; flags:S; window:S3; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200013; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4/2.6"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200014; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.5 (sometimes 2.4) (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S3; tcpopts:mss,sack,time,nop,ws=1; classtype:os-fingerprint; priority:4; sid:200015; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.5/2.6 (sometimes 2.4) (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,sack,time,nop,ws=1; classtype:os-fingerprint; priority:4; sid:200016; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.2.20 and newer"; length:60; fragbits:D; ttl:<=64; flags:S; window:S20; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200017; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S22; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200018; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S11; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200019; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 in cluster"; length:48; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss=1460,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200020; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (late, uncommon)"; length:60; fragbits:D; ttl:<=64; flags:S; window:T4; tcpopts:mss=1412,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200021; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (local)"; length:60; fragbits:D; ttl:<=64; flags:S; window:32767; tcpopts:mss=16396,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200022; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (local)"; length:60; fragbits:D; ttl:<=64; flags:S; window:S8; tcpopts:mss=3884,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200023; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 (Opera?) (User Stack/Scanner)"; length:60; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200024; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 (Opera?) (User Stack/Scanner)"; length:60; fragbits:D; ttl:<=64; flags:S; window:32767; tcpopts:mss,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200025; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.4 w/o timestamps"; length:52; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,nop,nop,sack,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200026; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Linux-2.2 w/o timestamps"; length:52; fragbits:D; ttl:<=64; flags:S; window:S22; tcpopts:mss,nop,nop,sack,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200027; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-2.0-4.1"; length:44; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200028; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.4 (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200029; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.4 (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:1024; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200030; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.6-4.8 (no RFC1323)"; length:44; fragbits:D; ttl:<=64; flags:S; window:57344; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200031; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.6-4.8"; length:60; fragbits:D; ttl:<=64; flags:S; window:57344; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200032; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.8-5.1 (or MacOS X 10.2-10.3)"; length:60; fragbits:D; ttl:<=64; flags:S; window:32768; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200033; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.7-5.1 (or MacOS X 10.2-10.3) (1)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200034; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-4.7-5.1 (or MacOS X 10.2-10.3) (2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200035; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-5.1-current (1)"; length:60; id:0; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200036; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-5.1-current (2)"; length:60; id:0; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200037; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FreeBSD-5.1-current (3)"; length:60; id:0; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=2,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200038; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.3"; length:60; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200039; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6 (Opera) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=0,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200040; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6"; length:60; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,ws=0,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200041; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6W-current (DF)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=1,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200042; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetBSD-1.6X (DF)"; length:60; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,ws=0,nop,nop,time=0; classtype:os-fingerprint; priority:4; sid:200043; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.0-3.4"; length:64; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200044; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.3-3.4"; length:64; fragbits:D; ttl:<=64; flags:S; window:57344; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200045; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.0-3.4 (scrub)"; length:64; fragbits:!D; ttl:<=64; flags:S; window:16384; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200046; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OpenBSD-3.0-3.4 (Opera) (User Stack/Scanner)"; length:64; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200047; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-8 (RFC1323 on)"; length:64; fragbits:D; ttl:<=64; flags:S; window:S17; tcpopts:nop,ws=3,nop,nop,time=0,nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200048; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-8 (1)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S17; tcpopts:nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200049; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-2.5 to 7"; length:44; fragbits:D; ttl:<=255; flags:S; window:S17; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200050; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-2.6/7"; length:44; fragbits:D; ttl:<=255; flags:S; window:S6; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200051; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-8 (2)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S23; tcpopts:nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200052; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-9"; length:48; fragbits:D; ttl:<=64; flags:S; window:S34; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200053; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Solaris-7"; length:44; fragbits:D; ttl:<=255; flags:S; window:S44; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200054; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SunOS-4.1.x"; length:44; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200055; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"IRIX-6.4"; length:44; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200056; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"IRIX-6.2-6.5"; length:44; fragbits:!D; ttl:<=60; flags:S; window:61440; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200057; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5 (RFC1323) (1)"; length:52; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss,nop,ws=2,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200058; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5 (RFC1323) (2)"; length:52; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss,nop,ws=3,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200059; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5.12-6.5.21 (1)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:61440; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200060; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"IRIX-6.5.12-6.5.21 (2)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:49152; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200061; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Tru64-4.0 (or OS/2 Warp 4)"; length:48; fragbits:D; ttl:<=60; flags:S; window:32768; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200062; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Tru64-5.0 (or OpenVMS 7.x on Compaq 5.0 stack)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:32768; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200063; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Tru64-5.1 (no RFC1323) (or QNX 6)"; length:44; fragbits:!D; ttl:<=60; flags:S; window:8192; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200064; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Tru64-v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)"; length:48; fragbits:!D; ttl:<=60; flags:S; window:61440; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200065; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OpenVMS-7.2 (Multinet 4.3-4.4 stack)"; length:60; fragbits:D; ttl:<=64; flags:S; window:6144; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200066; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-8.6 classic"; length:48; fragbits:D; ttl:<=255; flags:S; window:S2; tcpopts:mss,ws=0,eol; classtype:os-fingerprint; priority:4; sid:200067; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-7.3-8.6 (OTTCP)"; length:48; fragbits:D; ttl:<=255; flags:S; window:16616; tcpopts:mss,ws=0,eol; classtype:os-fingerprint; priority:4; sid:200068; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-8.1-8.6 (OTTCP)"; length:48; fragbits:D; ttl:<=255; flags:S; window:16616; tcpopts:mss,nop,nop,nop,eol; classtype:os-fingerprint; priority:4; sid:200069; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-9.0-9.2"; length:48; fragbits:D; ttl:<=255; flags:S; window:32768; tcpopts:mss,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200070; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-9.1 (1) (OT 2.7.4)"; length:48; fragbits:D; ttl:<=255; flags:S; window:32768; tcpopts:mss=1380,nop,nop,nop,nop; classtype:os-fingerprint; priority:4; sid:200071; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-9.1 (2) (OT 2.7.4)"; length:48; fragbits:D; ttl:<=255; flags:S; window:65535; tcpopts:mss,nop,nop,nop,nop; classtype:os-fingerprint; priority:4; sid:200072; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"MacOS-X"; length:60; fragbits:!D; ttl:<=64; flags:S; window:32768; tcpopts:mss,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200073; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-3.11 (Tucows)"; length:44; fragbits:D; ttl:<=32; flags:S; window:8192; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200074; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-95"; length:64; fragbits:D; ttl:<=64; flags:S; window:S44; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200075; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-95b"; length:64; fragbits:D; ttl:<=128; flags:S; window:8192; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200076; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (low TTL) (1)"; length:48; fragbits:D; ttl:<=32; flags:S; window:S44; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200077; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (low TTL) (2)"; length:48; fragbits:D; ttl:<=32; flags:S; window:8192; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200078; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (13)"; length:48; fragbits:D; ttl:<=64; flags:S; window:%8192; tcpopts:mss=536,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200079; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (15)"; length:48; fragbits:D; ttl:<=128; flags:S; window:%8192; tcpopts:mss=536,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200080; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (1)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200081; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (2)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S6; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200082; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (3"; length:48; fragbits:D; ttl:<=64; flags:S; window:S12; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200083; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (16)"; length:64; fragbits:D; ttl:<=64; flags:S; window:T30; tcpopts:mss=1460,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200084; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (4)"; length:48; fragbits:D; ttl:<=64; flags:S; window:32767; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200085; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (5)"; length:48; fragbits:D; ttl:<=64; flags:S; window:37300; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200086; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (RFC1323)"; length:52; fragbits:D; ttl:<=64; flags:S; window:46080; tcpopts:mss,nop,ws=3,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200087; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (no sack)"; length:44; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200088; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (6)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S16; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200089; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (7)"; length:64; fragbits:D; ttl:<=128; flags:S; window:S16; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200090; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (8)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S26; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200091; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (9)"; length:48; fragbits:D; ttl:<=128; flags:S; window:T30; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200092; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (10)"; length:52; fragbits:D; ttl:<=128; flags:S; window:32767; tcpopts:mss,nop,ws=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200093; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (11)"; length:48; fragbits:D; ttl:<=128; flags:S; window:60352; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200094; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (12)"; length:64; fragbits:D; ttl:<=128; flags:S; window:60352; tcpopts:mss,nop,ws=2,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200095; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 SP6a (1)"; length:44; fragbits:D; ttl:<=128; flags:S; window:T31; tcpopts:mss=1414; classtype:os-fingerprint; priority:4; sid:200096; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 SP6a (2)"; length:44; fragbits:D; ttl:<=128; flags:S; window:64512; tcpopts:mss=1414; classtype:os-fingerprint; priority:4; sid:200097; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-NT 4.0 (older)"; length:44; fragbits:D; ttl:<=128; flags:S; window:8192; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200098; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP4, XP SP1"; length:48; fragbits:D; ttl:<=128; flags:S; window:65535; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200099; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP2+, XP SP1 (seldom 98 4.10.2222)"; length:48; fragbits:D; ttl:<=128; flags:S; window:%8192; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200100; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-SP3"; length:48; fragbits:D; ttl:<=128; flags:S; window:S20; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200101; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP4, XP SP 1 (2)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S45; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200102; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-2000 SP4"; length:48; fragbits:D; ttl:<=128; flags:S; window:40320; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200103; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP, 2000 SP2+"; length:48; fragbits:D; ttl:<=128; flags:S; window:S6; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200104; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP SP1 (1)"; length:48; fragbits:D; ttl:<=128; flags:S; window:S12; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200105; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP Pro SP1, 2000 SP3"; length:48; fragbits:D; ttl:<=128; flags:S; window:S44; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200106; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP SP1, 2000 SP3 (2)"; length:48; fragbits:D; ttl:<=128; flags:S; window:64512; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200107; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP SP1, 2000 SP4 (3)"; length:48; fragbits:D; ttl:<=128; flags:S; window:32767; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200108; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 via Cisco"; length:48; fragbits:D; ttl:<=128; flags:S; window:S52; tcpopts:mss=1260,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200109; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP bare-bone"; length:48; fragbits:D; ttl:<=128; flags:S; window:65520; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200110; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-2000 w/ZoneAlarm?"; length:52; fragbits:D; ttl:<=128; flags:S; window:16384; tcpopts:mss=536,nop,ws=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200111; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-.NET Enterprise Server"; length:40; fragbits:!D; ttl:<=255; flags:S; window:2048; classtype:os-fingerprint; priority:4; sid:200112; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 while downloading (leak!) (User Stack/Scanner)"; length:48; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,nop,sack; quirks:nzup; classtype:os-fingerprint; priority:4; sid:200113; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"HP-UX-B.10.20 "; length:44; fragbits:D; ttl:<=64; flags:S; window:32768; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200114; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"HP-UX-11.00-11.11"; length:48; fragbits:D; ttl:<=64; flags:S; window:32768; tcpopts:mss,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200115; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"HP-UX-B.11.00 A (RFC1323)"; length:48; fragbits:!D; ttl:<=64; flags:S; window:0; tcpopts:mss,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200116; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"RISC OS-3.70-4.36 (inet 5.04)"; length:68; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss=1460,nop,ws=0,nop,nop,time,nop,nop,number=12; classtype:os-fingerprint; priority:4; sid:200117; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"RISC OS-3.70 inet 4.10"; length:44; fragbits:!D; ttl:<=32; flags:S; window:12288; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200118; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:".-RISC OS"; length:56; fragbits:D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1460,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200119; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"BSD/OS-3.1-4.3 (or MacOS X 10.2)"; length:60; fragbits:D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1460,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200120; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NewtonOS-2.1"; length:44; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1420; classtype:os-fingerprint; priority:4; sid:200121; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NeXTSTEP-3.3"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S8; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200122; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"BeOS-5.0-5.1"; length:48; fragbits:!D; ttl:<=255; flags:S; window:1024; tcpopts:mss,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200123; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"BeOS-5.0.x"; length:44; fragbits:!D; ttl:<=255; flags:S; window:12288; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200124; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OS/400-V4R4/R5"; length:60; fragbits:D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1440,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200125; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OS/400-V4R3/M0"; length:44; fragbits:!D; ttl:<=64; flags:S; window:8192; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200126; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OS/400-V4R5 + CF67032"; length:60; fragbits:D; ttl:<=64; flags:S; window:4096; tcpopts:mss=1440,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200127; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OS/390-?"; length:44; fragbits:!D; ttl:<=64; ack:!=0; flags:S; window:28672; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200128; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"ULTRIX-4.5"; length:40; fragbits:!D; ttl:<=64; flags:S; window:16384; classtype:os-fingerprint; priority:4; sid:200129; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"QNX-demodisk"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S16; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200130; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Novell-NetWare 5.0"; length:44; fragbits:D; ttl:<=128; flags:S; window:16384; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200131; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Novell-IntranetWare 4.11"; length:44; fragbits:D; ttl:<=128; flags:S; window:6144; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200132; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Novell-Netware 6 SP3"; length:52; fragbits:D; ttl:<=128; flags:S; window:6144; tcpopts:mss,ws=0,nop,sack,nop,nop; classtype:os-fingerprint; priority:4; sid:200133; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SCO-UnixWare 7.1"; length:60; fragbits:D; ttl:<=64; flags:S; window:S3; tcpopts:mss=1460,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200134; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SCO-OpenServer 5.0"; length:44; fragbits:D; ttl:<=64; flags:S; window:S23; tcpopts:mss=1380; classtype:os-fingerprint; priority:4; sid:200135; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"DOS-Arachne via WATTCP/1.05"; length:44; fragbits:!D; ttl:<=255; flags:S; window:2048; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200136; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"OS/2-4"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S56; tcpopts:mss=512; classtype:os-fingerprint; priority:4; sid:200137; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"TOPS-20-version 7"; length:44; fragbits:!D; ttl:<=64; ack:!=0; flags:S; window:0; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200138; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AMIGA-3.9 BB2 with Miami stack"; length:56; fragbits:D; ttl:<=64; flags:S; window:S32; tcpopts:mss,nop,nop,sack,nop,nop,number=12; classtype:os-fingerprint; priority:4; sid:200139; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Checkpoint-(unknown 1) (Generic)"; length:44; fragbits:D; ttl:<=64; flags:S; window:S12; tcpopts:mss=1460; classtype:os-fingerprint; priority:5; sid:200140; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Checkpoint-(unknown 2) (Generic)"; length:48; fragbits:D; ttl:<=64; flags:S; window:S12; tcpopts:nop,nop,sack,mss=1460; classtype:os-fingerprint; priority:5; sid:200141; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"ExtremeWare-4.x"; length:44; fragbits:!D; ttl:<=32; flags:S; window:4096; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200142; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Clavister-firewall 7.x"; length:52; fragbits:!D; ttl:<=64; flags:S; window:60352; tcpopts:mss=1460,nop,ws=2,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200143; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Nokia-IPSO w/Checkpoint NG FP3"; length:68; fragbits:!D; ttl:<=64; flags:S; window:S32; tcpopts:mss=512,nop,ws=0,nop,nop,time,nop,nop,number=12; classtype:os-fingerprint; priority:4; sid:200144; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"FortiNet-FortiGate 50"; length:60; fragbits:D; ttl:<=64; flags:S; window:S4; tcpopts:ws=0,nop,sack,time,mss=1460; classtype:os-fingerprint; priority:4; sid:200145; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Cisco-7200, Catalyst 3500, et"; length:44; id:0; fragbits:!D; ttl:<=255; flags:S; window:4128; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200146; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Cisco-12008"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S8; tcpopts:mss; classtype:os-fingerprint; priority:4; sid:200147; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Alteon-ACEswitch"; length:64; fragbits:D; ttl:<=128; flags:S; window:60352; tcpopts:mss=1460,nop,ws=2,nop,nop,time,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200148; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Nortel-Contivity Client"; length:44; fragbits:D; ttl:<=128; flags:S; window:64512; tcpopts:mss=1370; classtype:os-fingerprint; priority:4; sid:200149; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetCache-5.2"; length:64; fragbits:D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1460,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200150; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetCache-5.3"; length:64; fragbits:D; ttl:<=64; flags:S; window:16384; tcpopts:mss=1460,nop,nop,sack,nop,ws=0,nop; classtype:os-fingerprint; priority:4; sid:200151; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetCache-5.3-5.5"; length:64; fragbits:D; ttl:<=64; flags:S; window:65535; tcpopts:mss=1460,nop,nop,sack,nop,ws,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200152; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetCache-4.1"; length:64; fragbits:D; ttl:<=64; flags:S; window:20480; tcpopts:mss=1460,nop,nop,sack,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200153; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"NetCache-Data OnTap 5.x"; length:64; fragbits:D; ttl:<=64; flags:S; window:32850; tcpopts:nop,ws=1,nop,nop,time,nop,nop,sack,mss; classtype:os-fingerprint; priority:4; sid:200154; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"CacheFlow-CacheOS ?"; length:60; fragbits:!D; ttl:<=64; flags:S; window:65535; tcpopts:mss=1460,nop,ws=0,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200155; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"CacheFlow-CacheOS 1.1"; length:60; fragbits:!D; ttl:<=64; flags:S; window:8192; tcpopts:mss=1380,nop,nop,nop,nop,nop,nop,time; classtype:os-fingerprint; priority:4; sid:200156; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Cisco-Content Engine"; length:48; fragbits:!D; ttl:<=64; flags:S; window:S4; tcpopts:mss=1460,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200157; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Dell-PowerApp cache (Linux-based)"; length:40; fragbits:!D; ttl:<=128; flags:S; window:27085; classtype:os-fingerprint; priority:4; sid:200158; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Inktomi-crawler"; length:48; fragbits:D; ttl:<=255; flags:S; window:65535; tcpopts:nop,ws=1,mss=1460; classtype:os-fingerprint; priority:4; sid:200159; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"LookSmart-ZyBorg"; length:60; fragbits:D; ttl:<=255; flags:S; window:S1; tcpopts:mss=1460,sack,time,nop,ws=0; classtype:os-fingerprint; priority:4; sid:200160; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Proxyblocker-(what's this?)"; length:40; fragbits:!D; ttl:<=255; flags:S; window:16384; classtype:os-fingerprint; priority:4; sid:200161; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"PalmOS-Tungsten C"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S9; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200162; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"PalmOS-3/4"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S5; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200163; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"PalmOS-3.5"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S4; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200164; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"PalmOS-3.5.3 (Handera)"; length:44; fragbits:!D; ttl:<=255; flags:S; window:2948; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200165; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SymbianOS-7"; length:64; fragbits:D; ttl:<=64; flags:S; window:S23; tcpopts:nop,ws=1,nop,nop,time,nop,nop,sack,mss=1460; classtype:os-fingerprint; priority:4; sid:200166; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SymbianOS-6048 (on Nokia 7650?)"; length:44; fragbits:!D; ttl:<=255; flags:S; window:8192; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200167; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"SymbianOS-(on Nokia 9210?)"; length:44; fragbits:!D; ttl:<=255; flags:S; window:8192; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200168; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Zaurus-3.10"; length:60; fragbits:D; ttl:<=64; flags:S; window:5840; tcpopts:mss=1452,sack,time,nop,ws=1; classtype:os-fingerprint; priority:4; sid:200169; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"PocketPC-2002"; length:64; fragbits:D; ttl:<=128; flags:S; window:32768; tcpopts:mss=1460,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:4; sid:200170; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Contiki-1.1-rc0"; length:44; fragbits:!D; ttl:<=255; flags:S; window:S1; tcpopts:mss=346; classtype:os-fingerprint; priority:4; sid:200171; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Sega-Dreamcast Dreamkey 3.0"; length:44; fragbits:!D; ttl:<=128; flags:S; window:4096; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200172; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Sega-Dreamcast HKT-3020 (browser disc 51027)"; length:44; fragbits:!D; ttl:<=64; flags:S; window:T5; tcpopts:mss=536; classtype:os-fingerprint; priority:4; sid:200173; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Sony-Playstation 2 (SOCOM?)"; length:44; fragbits:D; ttl:<=64; flags:S; window:S22; tcpopts:mss=1460; classtype:os-fingerprint; priority:4; sid:200174; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"AXIS-Printer Server 5600 v5.64"; length:44; fragbits:!D; ttl:<=64; flags:S; window:S12; tcpopts:mss=1452; classtype:os-fingerprint; priority:4; sid:200175; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (1) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:1024; classtype:os-fingerprint; priority:4; sid:200176; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (2) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:2048; classtype:os-fingerprint; priority:4; sid:200177; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (3) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:3072; classtype:os-fingerprint; priority:4; sid:200178; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"*NMAP-syn scan (4) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=64; flags:S; window:4096; classtype:os-fingerprint; priority:4; sid:200179; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (1) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:1024; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200180; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (2) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:2048; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200181; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (3) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:3072; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200182; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe (4) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol; classtype:os-fingerprint; priority:4; sid:200183; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (1) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:1024; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200184; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (2) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:2048; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200185; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (3) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:3072; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200186; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"*NMAP-OS detection probe w/flags (4) (User Stack/Scanner)"; length:60; fragbits:!D; ttl:<=64; flags:S; window:4096; tcpopts:ws=10,nop,mss=265,time,eol; quirks:opeol,oddflags; classtype:os-fingerprint; priority:4; sid:200187; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"p0f-sendsyn utility (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=255; ack:!=0; flags:S; window:12345; classtype:os-fingerprint; priority:4; sid:200188; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Mysterious-port scanner (?) (Generic) (User Stack/Scanner)"; length:40; fragbits:!D; ttl:<=128; ack:!=0; flags:S; window:56922; classtype:os-fingerprint; priority:5; sid:200189; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Mysterious-NAT device (2nd tstamp) (Generic) (User Stack/Scanner)"; length:60; fragbits:D; ttl:<=64; flags:S; window:5792; tcpopts:mss=1460,sack,time,nop,ws=0; classtype:os-fingerprint; priority:5; sid:200190; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (RFC1323 no tstamp) (Generic)"; length:52; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,ws=0,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200191; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (RFC1323) (Generic)"; length:64; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,ws=0,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200192; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP (RFC1323, w+) (Generic)"; length:64; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,ws,nop,nop,time=0,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200193; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-98 (Generic)"; length:48; fragbits:D; ttl:<=128; flags:S; tcpopts:mss=536,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200194; rev:1; )
+log tcp $HOME_NET any -> any any ( msg:"Windows-XP/2000 (Generic)"; length:48; fragbits:D; ttl:<=128; flags:S; tcpopts:mss,nop,nop,sack; classtype:os-fingerprint; priority:5; sid:200195; rev:1; )
diff -Naur snort-2.2.0/rules/servicefp.rules snort-2.2.0fp/rules/servicefp.rules
--- snort-2.2.0/rules/servicefp.rules Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/rules/servicefp.rules Sun Jan 23 17:36:19 2005
@@ -0,0 +1,53 @@
+# Sample Service Fingerprint File
+# Stephen D. Reed
+#
+#
+# Generic rules should always have a higher priority (less significant) than
+# specific rules (more significant). For example, we don't want a correctly
+# identified Apache web server to be replaced by a Generic TCP Service on
+# port 80.
+
+#
+# TCP Specific Service Rules
+#
+
+# HTTP Servers
+log tcp any any -> any any (msg:"NetCache Appliance Web Server Version 5.3.1R4"; flags:A+; content:"Server\: NetCache appliance (NetApp/5.3.1R4)"; classtype:service-fingerprint; priority:2; sid:300001;)
+log tcp any any -> any any (msg:"FFE Web Server Version 1.0"; flags:A+; content:"Server\: FFE/1.0"; classtype:service-fingerprint; priority:2; sid:300002;)
+log tcp any any -> any any (msg:"GWS Web Server Version 2.0"; flags:A+; content:"Server\: GWS/2.0"; classtype:service-fingerprint; priority:2; sid:300003;)
+
+log tcp any any -> any any (msg:"Netscape Enterprise Web Server Version 4.1"; flags:A+; content:"Server\: Netscape-Enterprise/4.1"; classtype:service-fingerprint; priority:2; sid:300004;)
+log tcp any any -> any any (msg:"Microsoft IIS Web Server Version 6.0"; flags:A+; content:"Server\: Microsoft-IIS/6.0"; classtype:service-fingerprint; priority:2; sid:300005;)
+log tcp any any -> any any (msg:"Microsoft IIS Web Server Version 5.0"; flags:A+; content:"Server\: Microsoft-IIS/5.0"; classtype:service-fingerprint; priority:2; sid:300006;)
+log tcp any any -> any any (msg:"Microsoft IIS Web Server Version 4.0"; flags:A+; content:"Server\: Microsoft-IIS/4.0"; classtype:service-fingerprint; priority:2; sid:300007;)
+
+log tcp any any -> any any (msg:"Apache Web Server Version 2.0.x"; flags:A+; content:"Server\: Apache/2.0"; classtype:service-fingerprint; priority:2; sid:300008;)
+log tcp any any -> any any (msg:"Apache Web Server Version 1.3.x"; flags:A+; content:"Server\: Apache/1.3"; classtype:service-fingerprint; priority:2; sid:300009;)
+
+# FTP Servers
+log tcp any any -> any any (msg:"WU-FTP Server Version 2.6.x"; flags:A+; content:"Version wu-2.6"; classtype:service-fingerprint; priority:2; sid:300010;)
+
+
+#
+# TCP Service Rules
+#
+
+# HTTP Servers
+log tcp any any -> any any (msg:"NetCache Appliance Web Server"; flags:A+; content:"Server\: NetCache appliance"; classtype:service-fingerprint; priority:3; sid:300011;)
+log tcp any any -> any any (msg:"Netscape Enterprise Web Server"; flags:A+; content:"Server\: Netscape-Enterprise"; classtype:service-fingerprint; priority:3; sid:300012;)
+log tcp any any -> any any (msg:"Microsoft IIS Web Server"; flags:A+; content:"Server\: Microsoft-IIS"; classtype:service-fingerprint; priority:3; sid:300013;)
+log tcp any any -> any any (msg:"MDN Web Server"; flags:A+; content:"Server\: MDNServer"; classtype:service-fingerprint; priority:3; sid:300014;)
+log tcp any any -> any any (msg:"Apache Web Server"; flags:A+; content:"Server\: Apache"; classtype:service-fingerprint; priority:3; sid:300015;)
+
+# FTP Servers
+log tcp any any -> any any (msg:"WU-FTP Server"; flags:A+; content:"Version wu-"; classtype:service-fingerprint; priority:3; sid:300016;)
+log tcp any any -> any any (msg:"Web Server"; flags:A+; content:"Server\:"; classtype:service-fingerprint; priority:4; sid:300017;)
+
+#
+# Generic Rules
+#
+
+log udp any any -> any 1:1024 (msg:"UDP Service (Generic)"; classtype:service-fingerprint; priority:6; sid:300018;)
+log tcp any any -> any any (msg:"TCP Service (Generic)"; flags:SA+; classtype:service-fingerprint; priority:5; sid:300019;)
+
+
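Review bot: The generic `Web Server` rule (sid 300017, matching any payload containing `Server\:`) sits under the `# FTP Servers` heading; give it its own `# Generic HTTP` heading or move it into the Generic Rules section so the priority ordering described at the top of the file is visible in the layout. Every `content:` match here is case-sensitive while HTTP header names are not, so a server emitting `server:` in lower case would be missed by all of the HTTP rules; adding `nocase;` after each `content:` closes that gap. All rules are `any any -> any any` with `flags:A+`, so traffic in either direction carrying the string is attributed as a server banner; constraining direction (e.g. `flow:from_server;`) would reduce false attributions.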
diff -Naur snort-2.2.0/snort-2.1.2/contrib/ACID-0.9.6b21fp.patch snort-2.2.0fp/snort-2.1.2/contrib/ACID-0.9.6b21fp.patch
--- snort-2.2.0/snort-2.1.2/contrib/ACID-0.9.6b21fp.patch Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/snort-2.1.2/contrib/ACID-0.9.6b21fp.patch Sun Jan 23 17:36:21 2005
@@ -0,0 +1,8199 @@
+diff -Naur acid/acid_action.inc acidfp/acid_action.inc
+--- acid/acid_action.inc 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_action.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -114,7 +114,9 @@
+ echo "==== ACTION ======
+ context = $context ";
+
+- set_time_limit($max_script_runtime);
++ if ( ini_get("safe_mode") != true )
++ set_time_limit($max_script_runtime);
++
+ if ($action_op == "Selected")
+ {
+ /* on packet lookup, only examine the first packet */
+@@ -243,6 +245,7 @@
+ {
+ $action_desc["ag_by_id"] = "ADD to AG (by ID)";
+ $action_desc["ag_by_name"] = "Add to AG (by Name)";
++ $action_desc["add_new_ag"] = "Create AG (by Name)";
+ $action_desc["clear_alert"] = "Clear from AG";
+ $action_desc["del_alert"] = "Delete alert(s)";
+ $action_desc["email_alert"] = "Email alert(s) (full)";
+@@ -275,7 +278,8 @@
+ else if ($action == "clear_alert") $action_desc = "CLEAR";
+ else if ($action == "archive_alert") $action_desc = "ARCHIVE-copy";
+ else if ($action == "archive_alert2") $action_desc = "ARCHIVE-move";
+-
++ else if ($action == "add_new_ag") $action_desc = "ADD-New-AG";
++
+ if ( $action == "" )
+ return;
+
+@@ -363,8 +367,8 @@
+ else if ( $context == PAGE_STAT_SENSOR )
+ {
+ if ( !isset($action_lst[$j]) ) $tmp = -1; else $tmp = $action_lst[$j];
+- $sql = "SELECT sid, cid FROM acid_event WHERE sid=".$tmp; /*$alert_del[$j];*/
+- $sql2 = "SELECT count(sid) FROM acid_event WHERE sid=".$tmp; /*$alert_del[$j];*/
++ $sql = "SELECT sid, cid FROM acid_event WHERE sid='".$tmp."'"; /*$alert_del[$j];*/
++ $sql2 = "SELECT count(sid) FROM acid_event WHERE sid='".$tmp."'"; /*$alert_del[$j];*/
+ }
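Review bot: Wrapping `$tmp` in single quotes at the two `$sql` lines does not make the statements safe: the value is still concatenated into the query text, so a quote character inside it terminates the literal exactly as before, and since `sid`/`cid` are integer columns the quotes only add an implicit string-to-int conversion. `$tmp` comes from `$action_lst[$j]`, whose origin is outside the hunk, so whether it is request-controlled cannot be confirmed here; the robust fix is to coerce before building the query, e.g. `$tmp = (int)$tmp;` ahead of the two assignments, or to route it through the DB layer's escaping routine. The same quote-only change recurs throughout this patch (the later acid_action.inc hunks, acid_ag_main.php, acid_cache.inc, acid_common.php and acid_db_common.php) and the same remark applies to each.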
+ /* Single Alert listing */
+ //if ( $context == PAGE_ALERT_DISPLAY )
+@@ -560,6 +564,77 @@
+ /* none */
+ }
+
++/* ADD NEW AG (by Name) *************************************/
++function Action_add_new_ag_pre($action_arg, $action_param, $db)
++/*
++ * $action_arg: New AG name
++ */
++{
++ if($action_arg == "")
++ $ag_name = "AG_".date("Y-m-d_H:i:s", time());
++ else
++ $ag_name = $action_arg;
++
++ $ag_id = CreateAG($db, $ag_name, "");
++
++ return $ag_id;
++}
++
++function Action_add_new_ag_Op($sid, $cid, $db, $action_arg, &$ctx)
++{
++ /* Add alerts to new AG */
++ $ag_id = $ctx;
++ $retval = Action_ag_by_id_Op($sid, $cid, $db, $ag_id, $ctx);
++
++ /* Check the return code, if an error occurs we need to remove
++ * the AG created in the Pre-action section. Rollback would be
++ * a better option, but for now we'll just delete.
++ */
++ if($retval == 0)
++ {
++ $sql = "DELETE FROM acid_ag WHERE ag_id='".$ag_id."'";
++ $db->acidExecute($sql, -1, -1, false);
++
++ if($db->acidErrorMessage() != "")
++ ErrorMessage("Failed to remove new AG");
++ }
++
++ return $retval;
++}
++
++function Action_add_new_ag_Post($action_arg, &$action_ctx, $db, &$num_alert, $action_cnt)
++{
++ $sql = "SELECT COUNT(ag_id) FROM acid_ag_alert WHERE ag_id='".$action_ctx."'";
++
++ $result = $db->acidExecute($sql, -1, -1, false);
++
++ if($db->acidErrorMessage() != "")
++ {
++ ErrorMessage("Could not stat AG".$action_ctx);
++ return 0;
++ }
++
++ $cnt = $result->acidRecordCount();
++ $result->acidFreeRows();
++
++ /* If no alerts were inserted, remove the new AG */
++ if($cnt <= 0) {
++ $sql = "DELETE FROM acid_ag WHERE ag_id='".$action_ctx."'";
++ $db->acidExecute($sql, -1, -1, false);
++
++ if($db->acidErrorMessage() != "")
++ ErrorMessage("Failed to remove new AG");
++ }
++ else
++ {
++ /* Add was successful, so redirect user to AG edit page */
++ echo '';
++ }
++}
++
+ /* DELETE **************************************************/
+ function Action_del_alert_pre($action_arg, $action_param, $db)
+ {
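Review bot: `Action_add_new_ag_Post` reads `$cnt = $result->acidRecordCount();` after a `SELECT COUNT(ag_id)` query, which always yields exactly one row, so `$cnt` is 1 whenever the query succeeds and the "no alerts were inserted, remove the new AG" branch can never fire. The count has to be taken from the row itself: `$row = $result->acidFetchRow(); $cnt = $row[0];` before `acidFreeRows()`. The success branch ends in `echo '';` while its comment promises a redirect to the AG edit page — if that is not an artifact of how this patch was captured, the redirect output is missing. The error path returns 0 but the success path returns nothing; the function should return a consistent value, and `"Could not stat AG".$action_ctx` lacks a separating space.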
+@@ -610,7 +685,7 @@
+
+ $mail_subject = $action_email_subject;
+ $mail_content = $action_email_msg.
+- "Generated by ACID v$ACID_VERSION on ".date("D F d, Y H:i:s",time())."\n";
++ "Generated by ACID v$ACID_VERSION on ".date("r",time())."\n";
+ $mail_recip = $action_arg;
+ $mail_header = "From: ".$action_email_from;
+
+@@ -703,7 +778,7 @@
+ for ( $j = 0; $j < count($clear_table_list); $j++ )
+ {
+ $sql2 = "DELETE FROM ".$clear_table_list[$j].
+- " WHERE ag_sid=".$sid." AND ag_cid=".$cid." AND ag_id=".$action_arg;//$ctx;
++ " WHERE ag_sid='".$sid."' AND ag_cid='".$cid."' AND ag_id='".$action_arg."'";//$ctx;
+ $db->acidExecute($sql2);
+
+ if ( $db->acidErrorMessage() != "" )
+@@ -794,7 +869,7 @@
+ {
+ $result = $db->acidExecute("SELECT sig_class_id, sig_priority,
+ sig_rev, sig_sid FROM signature
+- WHERE sig_id = ".$sig);
++ WHERE sig_id = '".$sig."'");
+ $row = $result->acidFetchRow();
+ $sig_class_id = $row[0];
+ $sig_class_name = GetSigClassName($sig_class_id, $db);
+@@ -806,7 +881,7 @@
+ $MAX_REF_CNT = 6;
+ $sig_reference = array($MAX_REF_CNT);
+ $sig_reference_cnt = 0;
+- $sql = "SELECT ref_id FROM sig_reference WHERE sig_id=".$sig;
++ $sql = "SELECT ref_id FROM sig_reference WHERE sig_id='".$sig."'";
+ $tmp_result = $db->acidExecute($sql);
+
+ while ( (($tmp_row = $tmp_result->acidFetchRow()) != "") &&
+@@ -815,7 +890,7 @@
+ $ref_id = $tmp_row[0];
+
+ $sql = "SELECT ref_system_id, ref_tag FROM reference ".
+- "WHERE ref_id=".$ref_id;
++ "WHERE ref_id='".$ref_id."'";
+ $tmp_result2 = $db->acidExecute($sql);
+ $tmp_row2 = $tmp_result2->acidFetchRow();
+
+@@ -839,7 +914,7 @@
+ ip_dst,
+ ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags,
+ ip_off, ip_ttl, ip_proto, ip_csum ".
+- "FROM iphdr WHERE sid=$sid AND cid=$cid";
++ "FROM iphdr WHERE sid='$sid' AND cid='$cid'";
+ $tmp_result = $db->acidExecute($sql);
+ $tmp_row = $tmp_result->acidFetchRow();
+ if ( $tmp_row )
+@@ -865,7 +940,7 @@
+ {
+ $sql = "SELECT tcp_sport, tcp_dport, tcp_seq, tcp_ack, tcp_off,
+ tcp_res, tcp_flags, tcp_win, tcp_csum, tcp_urp ".
+- "FROM tcphdr WHERE sid=$sid AND cid=$cid";
++ "FROM tcphdr WHERE sid='$sid' AND cid='$cid'";
+ $tmp_result = $db->acidExecute($sql);
+ $tmp_row = $tmp_result->acidFetchRow();
+ $sql = "INSERT INTO tcphdr (sid,cid,
+@@ -881,7 +956,7 @@
+ else if ( $ip_proto == 17 )
+ {
+ $sql = "SELECT udp_sport, udp_dport, udp_len, udp_csum ".
+- "FROM udphdr WHERE sid=$sid AND cid=$cid";
++ "FROM udphdr WHERE sid='$sid' AND cid='$cid'";
+ $tmp_result = $db->acidExecute($sql);
+ $tmp_row = $tmp_result->acidFetchRow();
+ $sql = "INSERT INTO udphdr (sid,cid, udp_sport, udp_dport, ".
+@@ -894,7 +969,7 @@
+ else if ( $ip_proto == 1 )
+ {
+ $sql = "SELECT icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq ".
+- "FROM icmphdr WHERE sid=$sid AND cid=$cid";
++ "FROM icmphdr WHERE sid='$sid' AND cid='$cid'";
+ $tmp_result = $db->acidExecute($sql);
+ $tmp_row = $tmp_result->acidFetchRow();
+ $sql = "INSERT INTO icmphdr (sid,cid,icmp_type,icmp_code,".
+@@ -905,7 +980,7 @@
+ $insert_sql[$sql_cnt++] = $sql;
+ }
+
+- $sql = "SELECT data_payload FROM data WHERE sid=$sid AND cid=$cid";
++ $sql = "SELECT data_payload FROM data WHERE sid='$sid' AND cid='$cid'";
+ $tmp_result = $db->acidExecute($sql);
+ $tmp_row = $tmp_result->acidFetchRow();
+ if ( $tmp_row )
+@@ -917,7 +992,7 @@
+ }
+
+ $sql = "SELECT optid, opt_proto, opt_code, opt_len, opt_data ".
+- "FROM opt WHERE sid=$sid AND cid=$cid";
++ "FROM opt WHERE sid='$sid' AND cid='$cid'";
+ $tmp_result = $db->acidExecute($sql);
+
+ while ( (($tmp_row = $tmp_result->acidFetchRow()) != "")
+@@ -1173,13 +1248,17 @@
+
+ $del_cnt = 0;
+
++ if ( ($GLOBALS['use_referential_integrity'] == 1) &&
++ ($GLOBALS['DBtype'] != "mysql") )
++ $del_table_list = array ("event");
++
+ for ( $k = 0; $k < count($del_table_list); $k++ )
+ {
+ /* If trying to add to an ACID table append ag_ to the fields */
+ if ( strstr($del_table_list[$k], "acid_ag") == "" )
+- $sql2 = "DELETE FROM ".$del_table_list[$k]." WHERE sid=".$sid." AND cid=".$cid;
++ $sql2 = "DELETE FROM ".$del_table_list[$k]." WHERE sid='".$sid."' AND cid='".$cid."'";
+ else
+- $sql2 = "DELETE FROM ".$del_table_list[$k]." WHERE ag_sid=".$sid." AND ag_cid=".$cid;
++ $sql2 = "DELETE FROM ".$del_table_list[$k]." WHERE ag_sid='".$sid."' AND ag_cid='".$cid."'";
+
+ $db->acidExecute($sql2);
+
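Review bot: The new override `$del_table_list = array ("event");` replaces whatever list the caller assembled (the enclosing function begins outside the hunk) and presumably relies on foreign-key cascades on non-MySQL backends to remove the dependent rows, but nothing in the code says so; a comment such as `/* With referential integrity enforced, deleting from event cascades to the dependent tables, so only event is deleted explicitly */` would record the assumption. Whether the acid_ag_alert rows are also covered by those cascades is not visible here and is worth confirming against the schema.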
+diff -Naur acid/acid_ag_common.php acidfp/acid_ag_common.php
+--- acid/acid_ag_common.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_ag_common.php 2003-12-17 14:16:39.000000000 -0500
+@@ -72,4 +72,39 @@
+ }
+ }
+
+-?>
++function CreateAG($db, $ag_name, $ag_desc)
++{
++ $sql = "INSERT INTO acid_ag (ag_name, ag_desc) VALUES ('".$ag_name."','".$ag_desc."');";
++ $db->acidExecute($sql, -1, -1, false);
++
++ if ( $db->acidErrorMessage() != "" )
++ FatalError("Error Inserting new AG");
++
++ $ag_id = $db->acidInsertID();
++ /* The following code is a kludge and can cause errors. Since it is not possible
++ * to determine the last insert ID of the AG, we requery the DB to ascertain the ID
++ * by matching on the ag_name and ag_desc. -- rdd (1/23/2001)
++ *
++ * Modified code to only run the kludge if the dbtype is postgres. Created a function
++ * to use the actual insertid function if available and return -1 if no -- srh (02/01/2001)
++ *
++ * Transaction support is neccessary to get this absolutely correct, because using
++ * an insert_id might break in a multi-user environment. -- rdd (02/07/2001)
++ */
++ if ( $ag_id == -1 )
++ {
++ $tmp_sql = "SELECT ag_id FROM acid_ag WHERE ag_name='".$ag_name."' AND ".
++ "ag_desc='".$ag_desc."'";
++ if ($db->DB_type == "mssql")
++ $tmp_sql = "SELECT ag_id FROM acid_ag WHERE ag_name='".$ag_name."' AND ".
++ "ag_desc LIKE '".MssqlKludgeValue($ag_desc)."'";
++ $tmp_result = $db->acidExecute();
++ $myrow = $tmp_result->acidFetchRow();
++ $ag_id = $myrow[0];
++ $tmp_result->acidFreeRows();
++ }
++
++ return $ag_id;
++}
++
++?>
+\ No newline at end of file
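Review bot: `$tmp_result = $db->acidExecute();` in the `$ag_id == -1` fallback of `CreateAG` passes no query, so the `$tmp_sql` built just above is never executed and `$ag_id` is read from whatever that call returns; it should be `$tmp_result = $db->acidExecute($tmp_sql);` (the defect is carried over from the block removed from acid_ag_main.php rather than introduced here). `$ag_name` and `$ag_desc` are concatenated into the INSERT and into the look-up query with nothing but surrounding quotes, and in acid_ag_main.php they arrive via `ImportHTTPVar("ag_name")` / `ImportHTTPVar("ag_desc")`, so this is request data reaching SQL unescaped — pass both through the DB layer's quoting/escaping function before building the statements. The `UPDATE acid_ag SET ag_name=...` in acid_ag_main.php's save branch has the same exposure.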
+diff -Naur acid/acid_ag_main.php acidfp/acid_ag_main.php
+--- acid/acid_ag_main.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_ag_main.php 2003-12-17 14:16:39.000000000 -0500
+@@ -34,7 +34,10 @@
+ $submit = ImportHTTPVar("submit");
+ $ag_action = ImportHTTPVar("ag_action");
+ $ag_id = ImportHTTPVar("ag_id");
+-
++ $ag_name = ImportHTTPVar("ag_name");
++ $ag_desc = ImportHTTPVar("ag_desc");
++
++
+ //$qs->MoveView($submit); /* increment the view if neccessary */
+
+ $page_title = "Alert Group (AG) Maintenance";
+@@ -82,7 +85,7 @@
+ $qs->AddValidActionOp("ALL on Screen");
+ $qs->AddValidActionOp("Entire Query");
+
+- $qs->SetActionSQL("SELECT ag_sid, ag_cid FROM acid_ag_alert WHERE ag_id=".$ag_id);
++ $qs->SetActionSQL("SELECT ag_sid, ag_cid FROM acid_ag_alert WHERE ag_id='".$ag_id."'");
+ $et->Mark("Initialization");
+
+ $qs->RunAction($submit, PAGE_QRY_AG, $db);
+@@ -102,41 +105,13 @@
+ {
+ if ( $ag_action == "create" )
+ {
+- $sql = "INSERT INTO acid_ag (ag_name, ag_desc) VALUES ('".$ag_name."','".$ag_desc."');";
+- $db->acidExecute($sql, -1, -1, false);
+-
+- if ( $db->acidErrorMessage() != "" )
+- FatalError("Error Inserting new AG");
+-
+- $ag_id = $db->acidInsertID();
+- /* The following code is a kludge and can cause errors. Since it is not possible
+- * to determine the last insert ID of the AG, we requery the DB to ascertain the ID
+- * by matching on the ag_name and ag_desc. -- rdd (1/23/2001)
+- *
+- * Modified code to only run the kludge if the dbtype is postgres. Created a function
+- * to use the actual insertid function if available and return -1 if no -- srh (02/01/2001)
+- *
+- * Transaction support is neccessary to get this absolutely correct, because using
+- * an insert_id might break in a multi-user environment. -- rdd (02/07/2001)
+- */
+- if ( $ag_id == -1 )
+- {
+- $tmp_sql = "SELECT ag_id FROM acid_ag WHERE ag_name='".$ag_name."' AND ".
+- "ag_desc='".$ag_desc."'";
+- if ($db->DB_type == "mssql")
+- $tmp_sql = "SELECT ag_id FROM acid_ag WHERE ag_name='".$ag_name."' AND ".
+- "ag_desc LIKE '".MssqlKludgeValue($ag_desc)."'";
+- $tmp_result = $db->acidExecute();
+- $myrow = $tmp_result->acidFetchRow();
+- $ag_id = $myrow[0];
+- $tmp_result->acidFreeRows();
+- }
++ $ag_id = CreateAG($db, $ag_name, $ag_desc);
+ $ag_action = "view";
+ }
+ else if ( $ag_action == "save" )
+ {
+ $sql = "UPDATE acid_ag SET ag_name='".$ag_name."', ag_desc='".$ag_desc."' ".
+- "WHERE ag_id=".$ag_id;
++ "WHERE ag_id='".$ag_id."'";
+
+ $db->acidExecute($sql, -1, -1, false);
+ if ( $db->acidErrorMessage() != "" )
+@@ -147,13 +122,13 @@
+ else if ( $ag_action == "delete_confirm" )
+ {
+ /* Delete the packet list associated with the AG */
+- $sql = "DELETE FROM acid_ag_alert WHERE ag_id=".$ag_id;
++ $sql = "DELETE FROM acid_ag_alert WHERE ag_id='".$ag_id."'";
+ $db->acidExecute($sql, -1, -1, false);
+ if ( $db->acidErrorMessage() != "" )
+ FatalError("Error deleting packet list for the AG: ".$sql);
+
+ /* Delete the AG */
+- $sql = "DELETE FROM acid_ag WHERE ag_id=".$ag_id;
++ $sql = "DELETE FROM acid_ag WHERE ag_id='".$ag_id."'";
+ $db->acidExecute($sql, -1, -1, false);
+ if ( $db->acidErrorMessage() != "" )
+ FatalError("Error deleting the AG".$sql);
+@@ -161,7 +136,7 @@
+ else if ( $ag_action == "clear_confirm" )
+ {
+ /* Delete the packet list associated with the AG */
+- $sql = "DELETE FROM acid_ag_alert WHERE ag_id=".$ag_id;
++ $sql = "DELETE FROM acid_ag_alert WHERE ag_id='".$ag_id."'";
+ $db->acidExecute($sql, -1, -1, false);
+ if ( $db->acidErrorMessage() != "" )
+ FatalError("Error deleting packet list for the AG: ".$sql);
+@@ -179,7 +154,7 @@
+ {
+ /* Re-Query the information to print the AG info out */
+ if ( $ag_id > 0)
+- $sql = "SELECT ag_id, ag_name, ag_desc FROM acid_ag WHERE ag_id=".$ag_id;
++ $sql = "SELECT ag_id, ag_name, ag_desc FROM acid_ag WHERE ag_id='".$ag_id."'";
+ else
+ $sql = "SELECT ag_id, ag_name, ag_desc FROM acid_ag WHERE ag_name='".$ag_name."'";
+
+@@ -229,7 +204,7 @@
+ $myrow = $result->acidFetchRow();
+
+ /* count the number of alerts in the AG */
+- $result2 = $db->acidExecute("SELECT count(ag_cid) FROM acid_ag_alert WHERE ag_id=".$myrow[0]);
++ $result2 = $db->acidExecute("SELECT count(ag_cid) FROM acid_ag_alert WHERE ag_id='".$myrow[0]."'");
+ $myrow2 = $result2->acidFetchRow();
+ $num_alerts = $myrow2[0];
+ $result2->acidFreeRows();
+@@ -355,13 +330,13 @@
+ if ( $ag_action == "view" && $submit != "" )
+ {
+ /* Calculate the Number of Alerts */
+- $cnt_sql = "SELECT count(ag_sid) FROM acid_ag_alert WHERE ag_id=".$ag_id;
++ $cnt_sql = "SELECT count(ag_sid) FROM acid_ag_alert WHERE ag_id='".$ag_id."'";
+
+ $save_sql = "SELECT acid_event.sid, acid_event.cid, signature, timestamp, ".
+ "ip_src, ip_dst, ip_proto ".
+ "FROM acid_event ".
+ "LEFT JOIN acid_ag_alert ON acid_event.sid=ag_sid AND acid_event.cid=ag_cid ".
+- "WHERE acid_event.cid > 0 AND ag_id = ".$ag_id;
++ "WHERE acid_event.cid > '0' AND ag_id = '".$ag_id."'";
+
+ $printing_ag = true;
+ $ag = $ag_id;
+diff -Naur acid/acid_cache.inc acidfp/acid_cache.inc
+--- acid/acid_cache.inc 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_cache.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -89,7 +89,7 @@
+
+ $sql = "SELECT signature, timestamp, ip_src, ip_dst, ip_proto FROM event ".
+ "LEFT JOIN iphdr ON (event.sid=iphdr.sid AND event.cid = iphdr.cid) ".
+- "WHERE (event.sid=".$sid." AND event.cid=".$cid.") ORDER BY event.cid";
++ "WHERE (event.sid='".$sid."' AND event.cid='".$cid."') ORDER BY event.cid";
+
+ $result = $db->acidExecute($sql);
+
+@@ -106,7 +106,7 @@
+ if ( $ip_proto == TCP )
+ {
+ $result = $db->acidExecute("SELECT tcp_sport, tcp_dport FROM
+- tcphdr WHERE sid=".$sid." AND cid=".$cid);
++ tcphdr WHERE sid='".$sid."' AND cid='".$cid."'");
+ $row = $result->acidFetchRow();
+ if ( $row )
+ {
+@@ -119,7 +119,7 @@
+ else if ( $ip_proto == UDP )
+ {
+ $result = $db->acidExecute("SELECT udp_sport, udp_dport FROM
+- udphdr WHERE sid=".$sid." AND cid=".$cid);
++ udphdr WHERE sid='".$sid."' AND cid='".$cid."'");
+ $row = $result->acidFetchRow();
+ if ( $row )
+ {
+@@ -134,10 +134,10 @@
+ if ( $db->acidGetDBVersion() >= 103 )
+ $result = $db->acidExecute("SELECT sig_name, sig_class_id, sig_priority ".
+ " FROM signature ".
+- "WHERE sig_id = ".$signature);
++ "WHERE sig_id = '".$signature."'");
+ else
+ $result = $db->acidExecute("SELECT sig_name FROM signature ".
+- "WHERE sig_id = ".$signature);
++ "WHERE sig_id = '".$signature."'");
+ $row = $result->acidFetchRow();
+ if ( $row )
+ {
+@@ -344,13 +344,13 @@
+ $sid = $sid_row[0];
+
+ /* Get highest CID for a given sensor */
+- $cid_lst = $db->acidExecute("SELECT MAX(cid) FROM event WHERE sid=".$sid);
++ $cid_lst = $db->acidExecute("SELECT MAX(cid) FROM event WHERE sid='".$sid."'");
+ $cid_row = $cid_lst->acidFetchRow();
+ $cid = $cid_row[0];
+ if ( $cid == NULL ) $cid = 0;
+
+ /* Get highest CID for a given sensor in the cache */
+- $ccid_lst = $db->acidExecute("SELECT MAX(cid) FROM acid_event WHERE sid=".$sid);
++ $ccid_lst = $db->acidExecute("SELECT MAX(cid) FROM acid_event WHERE sid='".$sid."'");
+ $ccid_row = $ccid_lst->acidFetchRow();
+ $ccid = $ccid_row[0];
+ if ( $ccid == NULL ) $ccid = 0;
+@@ -367,7 +367,7 @@
+ CacheSensor($sid, $ccid, $db);
+ $updated_cache_cnt += EventCntBySensor($sid, $db) - $before_cnt;
+
+- //$uncached_sql = "SELECT cid FROM event WHERE (sid=".$sid." AND cid > ".$ccid.")".
++ //$uncached_sql = "SELECT cid FROM event WHERE (sid='".$sid."' AND cid > '".$ccid."')".
+ " ORDER BY sid, cid";
+ //echo $uncached_sql;
+ //$uncached_lst = $db->acidExecute($uncached_sql);
+diff -Naur acid/acid_common.php acidfp/acid_common.php
+--- acid/acid_common.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_common.php 2003-12-17 14:16:39.000000000 -0500
+@@ -28,7 +28,7 @@
+ {
+ $name = "";
+
+- $temp_sql = "SELECT sid, hostname, interface, filter FROM sensor WHERE sid=".$sid;
++ $temp_sql = "SELECT sid, hostname, interface, filter FROM sensor WHERE sid='".$sid."'";
+ $tmp_result = $db->acidExecute($temp_sql);
+ if ( $tmp_result )
+ {
+diff -Naur acid/acid_conf.php acidfp/acid_conf.php
+--- acid/acid_conf.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_conf.php 2003-12-17 14:17:10.000000000 -0500
+@@ -1,6 +1,6 @@
+ array("http://www.securityfocus.com/bid/", ""),
++ "snort" => array("http://www.snort.org/snort-db/sid.html?sid=", ""),
++ "cve" => array("http://cve.mitre.org/cgi-bin/cvename.cgi?name=", ""),
++ "arachnids" => array("http://www.whitehats.com/info/ids", ""),
++ "mcafee" => array("http://vil.nai.com/vil/content/v_", ".htm"),
++ "icat" => array("http://icat.nist.gov/icat.cfm?cvename=", ""));
+
+ /* Email Alert action
+ *
+diff -Naur acid/acid_constants.inc acidfp/acid_constants.inc
+--- acid/acid_constants.inc 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_constants.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: application constants
+@@ -43,4 +43,19 @@
+ define("DB_CONNECT", 2);
+ define("DB_PCONNECT", 1);
+
++/* */
++define("VAR_DIGIT", 1);
++define("VAR_LETTER", 2);
++define("VAR_ULETTER", 4);
++define("VAR_LLETTER", 8);
++define("VAR_ALPHA", 16);
++define("VAR_PUNC", 32);
++define("VAR_SPACE", 64);
++define("VAR_FSLASH", 128);
++define("VAR_PERIOD", 256);
++define("VAR_OPERATOR", 512);
++define("VAR_OPAREN", 1024); /* ( */
++define("VAR_CPAREN", 2048); /* ) */
++define("VAR_USCORE", 4096);
++define("VAR_AT", 8192);
+ ?>
+diff -Naur acid/acid_db_common.php acidfp/acid_db_common.php
+--- acid/acid_db_common.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_db_common.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,14 +4,13 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+- * Purpose:
++ * Purpose: database schema manipulation
+ *
+ */
+
+-
+ function createDBIndex($db, $table, $field, $index_name)
+ {
+ $sql = 'CREATE INDEX '.$index_name.' ON '.$table.' ('.$field.')';
+@@ -115,7 +114,7 @@
+ {
+ $ip32 = acidIP2long($ip);
+
+- $result = $db->acidExecute("SELECT signature FROM acid_event (ip_src=$ip32) OR (ip_dst=$ip32)");
++ $result = $db->acidExecute("SELECT signature FROM acid_event (ip_src='$ip32') OR (ip_dst='$ip32')");
+
+ while ( $myrow = $result->acidFetchRow() )
+ $sig[] = $myrow[0];
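Review bot: The query on the new `SELECT signature FROM acid_event (ip_src='$ip32') OR (ip_dst='$ip32')` line is still missing its `WHERE` keyword, so the statement cannot parse on any of the supported databases; the commit touched the line to add quotes but left the syntax error in place. The sibling functions below in the same file spell it `FROM acid_event WHERE (...)`, so the line should read `$result = $db->acidExecute("SELECT signature FROM acid_event WHERE (ip_src='$ip32') OR (ip_dst='$ip32')");`. Note also that `$ip32` is the output of `acidIP2long`, presumably an integer, so quoting it changes nothing from a security standpoint. The enclosing function starts outside the hunk.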
+@@ -130,7 +129,7 @@
+ $ip32 = acidIP2long($ip);
+
+ $result = $db->acidExecute("SELECT count(ip_src) FROM acid_event WHERE ".
+- "(ip_src=$ip32) OR (ip_dst=$ip32)");
++ "(ip_src='$ip32') OR (ip_dst='$ip32')");
+
+ $myrow = $result->acidFetchRow();
+ $event_cnt = $myrow[0];
+@@ -143,7 +142,7 @@
+ {
+ $ip32 = acidIP2long($ip);
+ $result = $db->acidExecute("SELECT DISTINCT signature FROM acid_event WHERE ".
+- "(ip_src=$ip32) OR (ip_dst=$ip32)");
++ "(ip_src='$ip32') OR (ip_dst='$ip32')");
+
+ while ($myrow = $result->acidFetchRow())
+ $sig[] = $myrow[0];
+@@ -157,7 +156,7 @@
+ {
+ $ip32 = acidIP2long($ip);
+ $result = $db->acidExecute("SELECT DISTINCT signature FROM acid_event WHERE ".
+- "(ip_src=$ip32) OR (ip_dst=$ip32)");
++ "(ip_src='$ip32') OR (ip_dst='$ip32')");
+
+ while ($myrow = $result->acidFetchRow())
+ $sig[] = $myrow[0];
+@@ -171,7 +170,7 @@
+ {
+ $ip32 = acidIP2long($ip);
+ $result = $db->acidExecute("SELECT count(signature) FROM acid_event WHERE ".
+- "( (ip_src=$ip32 OR ip_dst=$ip32) AND signature='$current_event')");
++ "( (ip_src='$ip32' OR ip_dst='$ip32') AND signature='$current_event')");
+
+ $myrow = $result->acidFetchRow();
+ $tmp = $myrow[0];
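Review bot: Quoting `$ip32` on the new line addresses the wrong variable: `$ip32` comes from `acidIP2long` and is presumably numeric, while `$current_event` on the same line is interpolated directly into the `signature='$current_event'` literal with no escaping, so a signature name containing a `'` breaks (or alters) the query. `getSafeSQLString()` is already used for exactly this purpose in the acid_net.inc hunk of this commit, so `signature='".getSafeSQLString($current_event)."'` is the consistent fix; the next three hunks in this file have the same shape. The enclosing function starts outside the hunk.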
+@@ -184,7 +183,7 @@
+ {
+ $ip32 = acidIP2long($ip);
+ $result = $db->acidExecute("SELECT DISTINCT sid FROM acid_event WHERE ".
+- "( (ip_src=$ip32 OR ip_dst=$ip32) AND signature='$current_event')");
++ "( (ip_src='$ip32' OR ip_dst='$ip32') AND signature='$current_event')");
+
+ while ($myrow = $result->acidFetchRow())
+ $sid[] = $myrow[0];
+@@ -199,7 +198,7 @@
+ {
+ $ip32 = acidIP2long($ip);
+ $result = $db->acidExecute("SELECT min(timestamp) FROM acid_event WHERE ".
+- "((ip_src=$ip32 OR ip_dst=$ip32) AND signature = '$current_event');");
++ "((ip_src='$ip32' OR ip_dst='$ip32') AND signature = '$current_event');");
+ $myrow = $result->acidFetchRow();
+ $start_time = $myrow[0];
+
+@@ -211,7 +210,7 @@
+ {
+ $ip32 = acidIP2long($ip);
+ $result = $db->acidExecute("SELECT max(timestamp) FROM acid_event WHERE ".
+- "((ip_src=$ip32 OR ip_dst=$ip32) AND signature = '$current_event');");
++ "((ip_src='$ip32' OR ip_dst='$ip32') AND signature = '$current_event');");
+
+ $myrow = $result->acidFetchRow();
+ $stop_time = $myrow[0];
+diff -Naur acid/acid_db.inc acidfp/acid_db.inc
+--- acid/acid_db.inc 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_db.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -40,7 +40,7 @@
+
+ function acidConnect($database, $host, $port, $username, $password)
+ {
+- GLOBAL $sql_trace_mode, $sql_trace_file, $PHP_SELF;
++ GLOBAL $sql_trace_mode, $sql_trace_file, $HTTP_SERVER_VARS;
+
+ $this->DB = NewADOConnection();
+ $this->DB_name = $database;
+@@ -98,7 +98,7 @@
+ fwrite($this->sql_trace,
+ "\n--------------------------------------------------------------------------------\n");
+ fwrite($this->sql_trace, "Connect [".$this->DB_type."] ".$database."@".$host.":".$port." as ".$username."\n");
+- fwrite($this->sql_trace, "[".date ("M d Y H:i:s", time())."] ".$PHP_SELF." - db version ".$this->version);
++ fwrite($this->sql_trace, "[".date ("M d Y H:i:s", time())."] ".$HTTP_SERVER_VARS["PHP_SELF"]." - db version ".$this->version);
+ fwrite($this->sql_trace,
+ "\n--------------------------------------------------------------------------------\n\n");
+ fflush($this->sql_trace);
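Review bot: The trace line now writes `$HTTP_SERVER_VARS["PHP_SELF"]` verbatim into the SQL trace file, and PHP_SELF includes any client-supplied PATH_INFO, so a request such as `acid_main.php/%0aConnect%20...` can insert arbitrary text, line breaks included, into the trace. This is only reachable when `$sql_trace_mode` is enabled, presumably a debugging setting, but the file also records the database name, host and username one line earlier, so it is worth keeping it tamper-resistant: `fwrite($this->sql_trace, "[".date ("M d Y H:i:s", time())."] ".addcslashes($HTTP_SERVER_VARS["PHP_SELF"], "\0..\37")." - db version ".$this->version);`. The identical line appears in `acidPConnect` in the next hunk. The enclosing method starts outside the hunk.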
+@@ -109,7 +109,7 @@
+
+ function acidPConnect($database, $host, $port, $username, $password)
+ {
+- GLOBAL $sql_trace_mode, $sql_trace_file, $PHP_SELF;
++ GLOBAL $sql_trace_mode, $sql_trace_file, $HTTP_SERVER_VARS;
+
+ $this->DB = NewADOConnection();
+ $this->DB_name = $database;
+@@ -167,7 +167,7 @@
+ fwrite($this->sql_trace,
+ "\n--------------------------------------------------------------------------------\n");
+ fwrite($this->sql_trace, "PConnect [".$this->DB_type."] ".$database."@".$host.":".$port." as ".$username."\n");
+- fwrite($this->sql_trace, "[".date ("M d Y H:i:s", time())."] ".$PHP_SELF." - db version ".$this->version);
++ fwrite($this->sql_trace, "[".date ("M d Y H:i:s", time())."] ".$HTTP_SERVER_VARS["PHP_SELF"]." - db version ".$this->version);
+ fwrite($this->sql_trace,
+ "\n--------------------------------------------------------------------------------\n\n");
+ fflush($this->sql_trace);
+@@ -558,20 +558,20 @@
+ {
+ echo "Invalid Database Type Specified ".
+ "The variable \$DBtype in acid_conf.php was set to the ".
+- "unrecognized database type of '$type'. Only the following databases are ".
++ "unrecognized database type of '$type'. Only the following databases are ".
+ "supported: ".
+ "
+ MySQL : 'mysql'
+ PostgreSQL : 'postgres'
+ MS SQL Server : 'mssql'
+ ";
+- die();
++ die();
+ }
+
+ /* Export ADODB_DIR for use by ADODB */
+ define('ADODB_DIR', $path);
+ $GLOBALS['ADODB_DIR'] = $path;
+-
++
+ $last_char = substr($path, strlen($path)-1, 1);
+
+ if ( $debug_mode > 1 )
+@@ -615,4 +615,55 @@
+ return $mssql_kludge;
+ }
+
++function RepairDBTables($db)
++{
++/*
++ if ( $db->DB_type == "mysql" )
++ {
++ $sql = "REPAIR TABLE event, data, iphdr, tcphdr, udphdr, icmphdr, opt, sensor, detail, acid_ag, acid_ag_alert, encoding, acid_event ";
++ if ( $db->acidGetDBversion() >= 100 )
++ {
++ $sql = $sql.", reference, reference_system, schema, sig_class, sig_reference";
++ }
++
++ $sql = $sql." QUICK";
++ }
++ else if ( $db->DB_type == "postgres" )
++ $sql = "VACUUM VERBOSE ANALYSE";
++ else
++ return "This function not supported by your database type";
++
++ $result = $db->acidExecute($sql);
++
++ $tmp_str = "";
++ if ( $db->DB_type == "mysql" )
++ {
++ echo "Fetching data";
++ $tmp_str = '';
++ $tmp_str = $tmp_str.'Table Type Message ';
++
++ while($myrow = $result->acidFetchRow())
++ {
++ $tmp_str = $tmp_str.''.$myrow[0].' '.
++ ''.$myrow[2].' '.
++ ''.$myrow[3].' ';
++ }
++ $tmp_str = $tmp_str.'
';
++
++ //$tmp_str = $tmp_str.'
';
++ $result->acidFreeRows();
++ }
++ else if ( $db->DB_type == "postgres")
++ {
++ $tmp_str = "
Repair Complete
";
++ $result->acidFreeRows();
++ }
++
++ echo "";
++ echo $tmp_str;
++ echo " ";
++ return $tmp_str;
++*/
++}
++
+ ?>
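Review bot: `RepairDBTables` is added with its entire body inside a `/* ... */` block, so it returns NULL and does nothing, while the acid_maintenance.php hunk in this same commit wires a "Repair Tables" submit button to it and stores the result in `$repair_output`; an operator who clicks the button gets no indication that nothing happened. Either leave the function out until it works or make the stub explicit, e.g. `return "Table repair is not implemented in this version";`, with a header comment stating what the function will return per database type. When the body is re-enabled, note that it echoes `$myrow[0]`, `$myrow[2]` and `$myrow[3]` from the `REPAIR TABLE` result straight into the page, so the message column should go through `htmlspecialchars()`, and that it both echoes `$tmp_str` and returns it, so the caller will print it twice.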
+diff -Naur acid/acid_footer.html acidfp/acid_footer.html
+--- acid/acid_footer.html 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_footer.html 2003-12-17 14:16:39.000000000 -0500
+@@ -1,3 +1,3 @@
+-ACID v0.9.6b21 (
++ACID v0.9.6b23 (
+ by as part of the
+ project )
+diff -Naur acid/acid_graph_common.php acidfp/acid_graph_common.php
+--- acid/acid_graph_common.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_graph_common.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: extracts and calculates the data to plot
+@@ -45,8 +45,8 @@
+ '"Check the Graphing abstraction library variable $ChartLib_path'.
+ ' in acid_conf.php
+
+- The underlying graphing library currently used is PHPlot, that can be downloaded
+- at http://www.phplot.com . Without this
++ The underlying graphing library currently used is JPGraph, that can be downloaded
++ at http://www.aditus.nu/jpgraph/index.php . Without this
+ library no graphing operations can be performed.';
+
+ die();
+@@ -54,26 +54,43 @@
+ }
+
+ function LoadGraphingLib($path)
+-{
+- $last_char = substr($path, strlen($path)-1, 1);
++{
++ $libs = array ("jpgraph.php",
++ "jpgraph_line.php",
++ "jpgraph_bar.php",
++ "jpgraph_canvas.php",
++ "jpgraph_error.php",
++ "jpgraph_log.php",
++ "jpgraph_pie.php",
++ "jpgraph_pie3d.php",
++ "jpgraph_scatter.php",
++ "jpgraph_radar.php" );
+
+- if ( $last_char == "\\" || $last_char == "/" )
+- {
+- VerifyGraphingLib($path."phplot.php");
+- include($path."phplot.php");
+- }
+- else if ( strstr($path,"/") || $path == "" )
++ for ( $i = 0; $i < count($libs); $i++ )
+ {
+- VerifyGraphingLib($path."/phplot.php");
+- include($path."/phplot.php");
+- }
+- else if ( strstr($path,"\\") )
+- {
+- VerifyGraphingLib($path."\\phplot.php");
+- include($path."\\phplot.php");
++ $last_char = substr($path, strlen($path)-1, 1);
++
++ if ( $last_char == "\\" || $last_char == "/" )
++ {
++ VerifyGraphingLib($path.$libs[$i]);
++ include( $path.$libs[$i] );
++ }
++ else if ( strstr($path,"/") || $path == "" )
++ {
++ VerifyGraphingLib($path."/".$libs[$i]);
++ include($path."/".$libs[$i]);
++ }
++ else if ( strstr($path,"\\") )
++ {
++ VerifyGraphingLib($path."\\".$libs[$i]);
++ include($path."\\".$libs[$i]);
++ }
++ else
++ {
++ echo "ERROR: Unable to load graphing library file:".$libs[$i];
++ return;
++ }
+ }
+- else
+- echo "ERROR: Unable to load graphing library";
+ }
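Review bot: The `$last_char` test and the three-way separator branch inside the new `for` loop are evaluated once per library file although they depend only on `$path`; computing the directory prefix once and then looping over `$libs` is easier to read and keeps the same include order, the same `VerifyGraphingLib` calls and the same error message. Also, plain `include` means a second `LoadGraphingLib` call in one request would redefine JPGraph's classes and abort with a fatal error, so `include_once` is the safer choice. The `$path == ""` case still produces `/jpgraph.php`, an absolute path at the filesystem root; that is pre-existing behaviour but probably not the intent and deserves a comment.
```php
function LoadGraphingLib($path)
{
   $libs = array ("jpgraph.php",
                  // … unchanged: remaining JPGraph file names …
                  "jpgraph_radar.php" );

   /* Work out the directory prefix once; it depends only on $path */
   $last_char = substr($path, strlen($path)-1, 1);
   if ( $last_char == "\\" || $last_char == "/" )
      $prefix = $path;
   else if ( strstr($path,"/") || $path == "" )
      $prefix = $path."/";
   else if ( strstr($path,"\\") )
      $prefix = $path."\\";
   else
   {
      echo "ERROR: Unable to load graphing library file:".$libs[0];
      return;
   }

   for ( $i = 0; $i < count($libs); $i++ )
   {
      VerifyGraphingLib($prefix.$libs[$i]);
      include_once( $prefix.$libs[$i] );
   }
}
```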
+
+ /* Generates the required SQL from the chart time criteria */
+@@ -318,7 +335,7 @@
+
+ function GetIPDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
+ {
+- GLOBAL $db, $debug_mode;
++ GLOBAL $db, $debug_mode;
+
+ if ( $chart_type == 6 )
+ $sql = "SELECT DISTINCT ip_src, COUNT(acid_event.cid) ".
+@@ -352,7 +369,7 @@
+
+ function GetPortDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
+ {
+- GLOBAL $db, $debug_mode;
++ GLOBAL $db, $debug_mode;
+
+ if ( ($chart_type == 8) || ($chart_type == 9) )
+ $sql = "SELECT DISTINCT layer4_dport, COUNT(acid_event.cid) ".
+@@ -386,13 +403,12 @@
+
+ function GetClassificationDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
+ {
+- GLOBAL $db, $debug_mode;
+-
+-
++ GLOBAL $db, $debug_mode;
++
+ $sql = "SELECT DISTINCT sig_class_id, COUNT(acid_event.cid) ".
+ "FROM acid_event ".$criteria[0].
+- "WHERE ".$criteria[1]." AND layer4_dport is NOT NULL ".
+- "GROUP BY sig_class_id ORDER BY sig_class_id";
++ "WHERE ".$criteria[1]. /* " AND layer4_dport is NOT NULL ". */
++ " GROUP BY sig_class_id ORDER BY sig_class_id";
+
+ if ( $debug_mode > 0) echo $sql." ";
+
+@@ -405,9 +421,38 @@
+ {
+ $xdata[$cnt][0] = strip_tags(GetSigClassName($myrow[0], $db));
+ $xdata[$cnt][1] = $myrow[1];
+- //$xdata[0][1] = $xdata[1][1] = 50;
+- //$xdata[0][0] = 20;
+- //$xdata[1][0] = 80;
++ ++$cnt;
++ }
++ }
++
++ $result->acidFreeRows();
++ return $cnt;
++}
++
++function GetSensorDataSet(&$xdata, $chart_type, $data_source, $min_threshold, $criteria)
++{
++ GLOBAL $db, $debug_mode;
++
++ $sql = "SELECT DISTINCT acid_event.sid, COUNT(acid_event.cid) ".
++ "FROM acid_event ".$criteria[0].
++ "WHERE ".$criteria[1].
++ " GROUP BY acid_event.sid ORDER BY acid_event.sid";
++
++ if ( $debug_mode > 0) echo $sql." ";
++
++ $result = $db->acidExecute($sql);
++
++ $cnt = 0;
++ while ( $myrow = $result->acidFetchRow() )
++ {
++ if ( $myrow[1] >= $min_threshold )
++ {
++ $result2 = $db->acidExecute("SELECT hostname FROM sensor where sid=".$myrow[0]);
++ $sensor_name = $result2->acidFetchRow();
++ $xdata[$cnt][0] = $sensor_name[0];
++ $result2->acidFreeRows();
++
++ $xdata[$cnt][1] = $myrow[1];
+ ++$cnt;
+ }
+ }
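Review bot: The per-row lookup `SELECT hostname FROM sensor where sid=".$myrow[0]` on the new `$result2` line is inconsistent with the rest of this commit, which quotes every `sid` it interpolates, and it issues one extra query per sensor where a `LEFT JOIN sensor ON acid_event.sid = sensor.sid` in the main statement (grouping by `acid_event.sid, sensor.hostname`) would return the name in the same row. It also assumes the lookup succeeds: if no sensor row exists, `acidFetchRow()` presumably returns false and `$sensor_name[0]` is an undefined index; `$xdata[$cnt][0] = ($sensor_name !== false) ? $sensor_name[0] : $myrow[0];` would at least fall back to the id. The sibling `GetClassificationDataSet` passes its label through `strip_tags()`; whether hostname needs the same depends on where `$xdata` is rendered, which in this commit appears to be a JPGraph image. The function's closing lines are outside the hunk.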
+diff -Naur acid/acid_graph_display.php acidfp/acid_graph_display.php
+--- acid/acid_graph_display.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_graph_display.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: Displays the actual .GIF/.PNG/.TIFF image
+@@ -13,6 +13,7 @@
+ * Input GET/POST variables
+ * - width: chart width
+ * - height: chart width
++ * - pmargin0-3: plot margins
+ * - title: chart title
+ * - xaxis_label: x-axis label
+ * - yaxis_label: y-axis label
+@@ -23,105 +24,120 @@
+ */
+
+ include ("acid_conf.php");
++ include ("acid_state_common.inc");
+ include ("acid_graph_common.php");
+
+ session_start();
+- session_register('xdata');
+
+- LoadGraphingLib($ChartLib_path);
+-
+- /* Verifies that the chart width is not too small
+- *
+- * algorithm: width >= const + number_of_points * factor
+- */
+- $width_const = 50;
+- $width_factor = 10;
+-
+- if ( $width < ($width_const + count ($data) * $width_factor)) {
+- $width = $width_const + count ($data) * $width_factor;
+- }
++ $xdata = $HTTP_SESSION_VARS['xdata'];
++ $width = ImportHTTPVar("width");
++ $height = ImportHTTPVar("height");
++ $pmargin0 = ImportHTTPVar("pmargin0");
++ $pmargin1 = ImportHTTPVar("pmargin1");
++ $pmargin2 = ImportHTTPVar("pmargin2");
++ $pmargin3 = ImportHTTPVar("pmargin3");
++ $title = ImportHTTPVar("title");
++ $xaxis_label = ImportHTTPVar("xaxis_label");
++ $yaxis_label = ImportHTTPVar("yaxis_label");
++ $yaxis_scale = ImportHTTPVar("yaxis_scale");
++ $xaxis_grid = ImportHTTPVar("xaxis_grid");
++ $yaxis_grid = ImportHTTPVar("yaxis_grid");
++ $rotate_xaxis_lbl = ImportHTTPVar("rotate_xaxis_lbl");
++ $style = ImportHTTPVar("style");
+
+- $graph = new PHPlot($width, $height);
+- $graph->SetIsInline("0");
+- $graph->SetBrowserCache("0");
+-
+- /* Allocate enough space for the X,Y-axis data label */
+- $x_maxlength = 10; /* 10 is the PHP default size */
++ LoadGraphingLib($ChartLib_path);
+
+- /* Create the data array */
++ /* Create the data and label array */
+ for ($i = 0; $i < count($xdata); $i++)
+ {
+- if ( $style != "pie" )
+- {
+- $xdata_graph[$i] = array($xdata[$i][0], $xdata[$i][1]);
+- }
+- else
+- {
+- $xdata[$i] = array( count($data)+1 );
+- $xdata[$i][0] = $datalbl[$i];
+- for ( $j = 1; $j < $i; $j++)
+- $xdata[$i][$j] = 0;
+- $xdata[$i][$i+1] = $data[$i];
+-
+- $legend[$i] = $datalbl[$i];
+- }
+-
+- if (strlen($xdata[$i][0]) > $x_maxlength)
+- {
+- // if the label is too small, expand the label size to fit
+- $x_maxlength = strlen($xdata[$i][0]);
+- }
++ $xlabel[$i] = $xdata[$i][0];
++ $ydata[$i] = $xdata[$i][1];
+ }
+
+- $graph->SetDataType("text-data");
+- $graph->SetPlotType($style);
+-
++ if ( $style == "pie" )
++ $graph = new PieGraph($width, $height);
++ else
++ $graph = new Graph($width, $height);
++
++ /* Set Margins */
++ $graph->img->SetMargin($pmargin0,$pmargin1,$pmargin2,$pmargin3);
++ $graph->img->SetAntiAliasing();
++
++ //$graph->SetShadow();
++
++ /* Set Plot type */
+ switch($style)
+ {
+- case "bars":
+- $graph->SetDataType("text-data");
+- break;
+- case "linepoints":
+- $graph->SetDataType("text-data");
++ case "bar":
++ $plot[0] = new BarPlot($ydata);
+ break;
+ case "pie":
+- $graph->SetDataType("text-data");
+- $graph->SetLegend($legend);
++ $plot[0] = new PiePlot3D($ydata);
+ break;
+- case "thinbarline":
+- $graph->SetDataType("data-data");
++ case "line":
++ $plot[0] = new LinePlot($ydata);
+ break;
+ }
+
+- /* read the X-axis labels as text */
+- $graph->SetXGridLabelType ("title");
++ //$plot[0]->SetColor("#000000");
++
++ if ( ($style == "bar") || ($style == "line") )
++ {
++ /* Set Scale */
++ if ( $yaxis_scale == 1 )
++ $graph->SetScale("textlog");
++ else
++ $graph->SetScale("textlin");
++
++ $plot[0]->SetFillColor("#BE0505");
++ //$plot[0]->SetFillColor($GLOBALS['chart_bar_color_default']);
++
++ /* Set Gridlines */
++ if ( $xaxis_grid == 1 )
++ $graph->xgrid->Show(true);
++ else
++ $graph->xgrid->Show(false);
++
++ if ( $yaxis_grid == 1 )
++ $graph->ygrid->Show(true);
++ else
++ $graph->ygrid->Show(false);
++
++ /* Set Axis Labels */
++ $graph->xaxis->title->Set($xaxis_label);
++ $graph->yaxis->title->Set($yaxis_label);
++
++ //$graph->xaxis->SetFont(FF_ARIAL,FS_NORMAL,11);
++
++ $graph->xaxis->SetTickLabels($xlabel);
++
++ if ( $rotate_xaxis_lbl == 1 )
++ $graph->xaxis->SetLabelAngle(90);
++ }
++
++ if ( $style == "pie" )
++ {
++ $plot[0]->SetLegends($xlabel);
++ }
++
++ //$plot[0]->ShowValue(true);
++ //$plot[0]->SetShadow();
++
++ /* Set Title */
++ //$graph->title->SetFont(FF_COMIC,FS_NORMAL,18);
++ $graph->title->Set($title);
++
++
++ $graph->Add($plot[0]);
++
++ $graph->Stroke();
++?>
++
++
++
++
++
++
+
+- $graph->SetPrecisionY(0);
+- $graph->SetPrecisionX(0);
+
+- $graph->SetBackgroundColor($chart_bg_color_default);
+- $graph->SetLightGridColor($chart_lgrid_color_default);
+
+- /* Check if need to rotate X-Axis label */
+- if ( $rotate_xaxis_lbl == 1 )
+- $graph->SetXDataLabelAngle(90);
+-
+- $graph->SetFileFormat($chart_file_format);
+- //$graph->SetUseTTF("0");
+-
+- /* Set y-axis scale */
+- if ( $yaxis_scale == 1 )
+- $graph->SetYScaleType("log");
+-
+- $graph->SetXDataLabelMaxlength($x_maxlength);
+- $graph->SetDrawYGrid("1");
+- $graph->SetDataValues($xdata_graph);
+- $graph->SetXLabel($xaxis_label);
+- $graph->SetYLabel($yaxis_label);
+- $graph->SetTitle($title);
+- $graph->SetDataColors( array( $chart_bar_color_default ),
+- array("black") );
+- //$graph->SetBackgroundColor("grey");
+- $graph->DrawGraph();
+- //$graph->DrawLegend(100, 100, '');
+-?>
+\ No newline at end of file
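Review bot: `$width`, `$height` and `$pmargin0`–`$pmargin3` are taken straight from the request via `ImportHTTPVar` and handed to `new Graph($width, $height)` / `new PieGraph(...)` and `SetMargin`, and the old minimum-width check that this hunk removes was the only validation on them; a request with `width=20000&height=20000` asks GD for a multi-gigabyte image, which is a cheap denial of service against the console. Cast and clamp each value before use, and give `switch($style)` a default, because an unrecognised `style` leaves `$plot[0]` unset and the later `$graph->Add($plot[0])` operates on an undefined value. The bounds below are illustrative; `die()` matches how the file already handles a fatal configuration error.
```php
/* Request-supplied geometry: clamp before GD allocates the image */
$width    = max(100, min((int)$width,    2000));
$height   = max(100, min((int)$height,   2000));
$pmargin0 = max(0,   min((int)$pmargin0,  500));
$pmargin1 = max(0,   min((int)$pmargin1,  500));
$pmargin2 = max(0,   min((int)$pmargin2,  500));
$pmargin3 = max(0,   min((int)$pmargin3,  500));
// … unchanged: data/label arrays, Graph/PieGraph construction, margins …
switch($style)
{
   case "bar":  $plot[0] = new BarPlot($ydata);   break;
   case "pie":  $plot[0] = new PiePlot3D($ydata); break;
   case "line": $plot[0] = new LinePlot($ydata);  break;
   default:
      echo "ERROR: unknown chart style";
      die();
}
```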
+diff -Naur acid/acid_graph_form.php acidfp/acid_graph_form.php
+--- acid/acid_graph_form.php 1969-12-31 19:00:00.000000000 -0500
++++ acidfp/acid_graph_form.php 2003-12-17 14:16:39.000000000 -0500
+@@ -0,0 +1,214 @@
++,
++ *
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
++ * (see the file 'acid_main.php' for license details)
++ *
++ * Purpose: displays form for graphing
++ */
++
++ echo '
';
++
++?>
+diff -Naur acid/acid_graph_main.php acidfp/acid_graph_main.php
+--- acid/acid_graph_main.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_graph_main.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose:
+@@ -27,9 +27,12 @@
+ $cs->ReadState();
+
+ session_start();
+- session_register('xdata');
+
+ $submit = ImportHTTPVar("submit");
++
++ $height = ImportHTTPVar("height");
++ $width = ImportHTTPVar("width");
++ $user_chart_title = ImportHTTPVar("user_chart_title");
+ $data_source = ImportHTTPVar("data_source");
+ $chart_type = ImportHTTPVar("chart_type");
+ $chart_interval = ImportHTTPVar("chart_interval");
+@@ -46,6 +49,19 @@
+
+ $chart_style = ImportHTTPVar("chart_style");
+ $rotate_xaxis_lbl = ImportHTTPVar("rotate_xaxis_lbl");
++ $yaxis_scale = ImportHTTPVar("yaxis_scale");
++ $xaxis_grid = ImportHTTPVar("xaxis_grid");
++ $yaxis_grid = ImportHTTPVar("yaxis_grid");
++
++ $pmargin0 = ImportHTTPVar("pmargin0");
++ $pmargin1 = ImportHTTPVar("pmargin1");
++ $pmargin2 = ImportHTTPVar("pmargin2");
++ $pmargin3 = ImportHTTPVar("pmargin3");
++
++ $xaxis_label_inc = ImportHTTPVar("xaxis_label_inc");
++
++ $min_size = ImportHTTPVar("min_size");
++ $aggregate_type = ImportHTTPVar("aggregate_type");
+
+ $page_title = "Graph Alert Data";
+ PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
+@@ -60,19 +76,21 @@
+ if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
+ ?>
+
+-
+-
+-
';
++ include("acid_graph_form.php");
+
+ $data_pnt_cnt = 0;
+ /* Error Conditions */
+@@ -299,7 +142,7 @@
+ {
+ $criteria[0] = "LEFT JOIN acid_ag_alert ".
+ "ON (acid_event.sid=acid_ag_alert.ag_sid AND acid_event.cid=acid_ag_alert.ag_cid) ";
+- $criteria[1] = "ag_id = $data_source";
++ $criteria[1] = "acid_ag_alert.ag_id = $data_source";
+
+ if ( $time_constraint != NULL )
+ $criteria[1] = $criteria[1].$time_constraint;
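Review bot: The new `$criteria[1] = "acid_ag_alert.ag_id = $data_source";` line qualifies the column name but still interpolates `$data_source`, a value read from the request with `ImportHTTPVar("data_source")` earlier in this file, unquoted and unescaped into a WHERE clause, which is a direct SQL injection in the graph page. In this branch `$data_source` appears to be an alert-group id, so an integer cast is the right fix: `$criteria[1] = "acid_ag_alert.ag_id = ".(int)$data_source;`; if non-numeric sources are possible here, use `getSafeSQLString()` inside quotes instead. The enclosing block starts outside the hunk.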
+@@ -395,6 +238,15 @@
+ $data_pnt_cnt = GetClassificationDataSet($xdata, $chart_type, $data_source, $min_size, $criteria);
+ break;
+ }
++ case 13: // Sensor vs. Num Alerts
++ {
++ $chart_title = "Sensor vs. Number of Alerts";
++ $xaxis_label = "Sensor";
++ $yaxis_label = "Alert Occurrences";
++
++ $data_pnt_cnt = GetSensorDataSet($xdata, $chart_type, $data_source, $min_size, $criteria);
++ break;
++ }
+ }
+
+ if ( $data_pnt_cnt > 0 )
+@@ -444,15 +296,20 @@
+
+ ';
+
++ $HTTP_SESSION_VARS['xdata'] = $xdata;
+ echo "
+ ";
++ "&yaxis_scale=".$yaxis_scale.
++ "&xaxis_grid=".$xaxis_grid.
++ "&yaxis_grid=".$yaxis_grid.
++ "&style=".$chart_style."\">";
+
+ echo '
+
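Review bot: The image URL built on the new `"&yaxis_scale=".$yaxis_scale."&xaxis_grid=".$xaxis_grid."&yaxis_grid=".$yaxis_grid."&style=".$chart_style."\">"` lines concatenates request-supplied values (all read via `ImportHTTPVar` earlier in this file) into an HTML attribute with no encoding, so a `chart_style` such as `"><script>...` closes the attribute and runs in the viewer's browser. Each parameter should be `rawurlencode()`d and the attribute passed through `htmlspecialchars()`, e.g. `"&style=".htmlspecialchars(rawurlencode($chart_style))."\">"`, for every parameter in the URL and not only the four added here. Separately, the commit replaces `session_register('xdata')` with a direct `$HTTP_SESSION_VARS['xdata'] = $xdata;`; whether a direct write to that array is persisted depends on the PHP 4 release in use, so this should be checked against the minimum version the project supports. The surrounding `echo` is cut in this view.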
+diff -Naur acid/acid_log_error.inc acidfp/acid_log_error.inc
+--- acid/acid_log_error.inc 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_log_error.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -32,12 +32,27 @@
+ GLOBAL $HTTP_SERVER_VARS, $DBtype, $ADODB_vers, $HTTP_SESSION_VARS;
+
+ $tmp = session_encode();
++
++ if ( isset($HTTP_SERVER_VARS['HTTP_REFERER']) )
++ $http_referer = $HTTP_SERVER_VARS['HTTP_REFERER'];
++ else
++ $http_referer = "";
+
++ if ( isset($HTTP_SERVER_VARS['HTTP_USER_AGENT']) )
++ $http_user_agent = $HTTP_SERVER_VARS['HTTP_USER_AGENT'];
++ else
++ $http_user_agent = "";
++
++ if ( isset($HTTP_SERVER_VARS['SERVER_SOFTWARE']) )
++ $server_software = $HTTP_SERVER_VARS['SERVER_SOFTWARE'];
++ else
++ $server_software = "";
++
+ echo "
+- URL: '".$HTTP_SERVER_VARS["PHP_SELF"]."' (referred by: '".$HTTP_SERVER_VARS["HTTP_REFERER"]."')
++ URL: '".$HTTP_SERVER_VARS["PHP_SELF"]."' (referred by: '".$http_referer."')
+ PARAMETERS: '".$HTTP_SERVER_VARS["QUERY_STRING"]."
+- CLIENT: ".$HTTP_SERVER_VARS["HTTP_USER_AGENT"]."
+- SERVER: ".$HTTP_SERVER_VARS["SERVER_SOFTWARE"]."
++ CLIENT: ".$http_user_agent."
++ SERVER: ".$server_software."
+ SERVER HW: ".php_uname()."
+ DATABASE TYPE: $DBtype DB ABSTRACTION VERSION: $ADODB_vers
+ PHP VERSION: ".phpversion()." PHP API: ".php_sapi_name()."
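Review bot: The `isset` guards are an improvement, but the values they protect — `HTTP_REFERER`, `HTTP_USER_AGENT`, `QUERY_STRING` and `PHP_SELF` — are all client-controlled and are still echoed into the error page unescaped, so whoever triggers an error (or gets an operator to open a crafted URL) can inject markup into the console. Wrap each at the point of output, e.g. `URL: '".htmlspecialchars($HTTP_SERVER_VARS["PHP_SELF"])."' (referred by: '".htmlspecialchars($http_referer)."')`, and likewise for `$http_user_agent` and `QUERY_STRING`. The `session_encode()` output stored in `$tmp` is presumably printed further down and deserves the same treatment; the function's remaining lines are outside the hunk.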
+@@ -55,4 +70,4 @@
+ echo " ";
+ }
+
+-?>
++?>
+\ No newline at end of file
+diff -Naur acid/acid_main.php acidfp/acid_main.php
+--- acid/acid_main.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_main.php 2003-12-17 14:17:10.000000000 -0500
+@@ -49,8 +49,14 @@
+ include_once("acid_db_common.php");
+
+ RegisterGlobalState();
+- InitGlobalState();
+- PreserveHistory();
++ //InitGlobalState();
++
++ /* Initialize the history */
++ $HTTP_SESSION_VARS = NULL;
++ InitArray($HTTP_SESSION_VARS['back_list'], 1, 3, "");
++ $HTTP_SESSION_VARS['back_list_cnt'] = 0;
++
++ PushHistory();
+ ?>
+
+
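Review bot: `$HTTP_SESSION_VARS = NULL;` discards the entire session array rather than just the history keys, immediately after `RegisterGlobalState()` has run; any other state kept in the session — this commit stores `xdata` there from acid_graph_main.php, and acid_qry_common.php reads `sensor`, `ag`, `sig` and the criteria arrays from it — is lost every time the main page is loaded. If a full reset on the home page is intended, say so in the comment; otherwise reset only the history with `unset($HTTP_SESSION_VARS['back_list'], $HTTP_SESSION_VARS['back_list_cnt']);` before the `InitArray` call. The commented-out `//InitGlobalState();` should be deleted or explained rather than left in place.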
+@@ -138,7 +144,7 @@
+
+
+
Search
+-Graph Alert data (EXPERIMENTAL )
++Graph Alert data
+
+
+
Snapshot
+@@ -196,7 +202,7 @@
+ echo '
+
+
+-
++
+
+ Most recent Alerts:
+ any protocol ,
+@@ -217,6 +223,10 @@
+ ?>
+ Most
+ recent Unique Alerts
++ Network Fingerprints: most recent ;
++ by address , 
++ port , 
++ service  
+
+
+
Last Source Ports:
+@@ -249,7 +259,7 @@
+
+
+
+-
++
+ Most
+ frequent Alerts
+
+diff -Naur acid/acid_maintenance.php acidfp/acid_maintenance.php
+--- acid/acid_maintenance.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_maintenance.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: status and event/dns/whois cache maintenance
+@@ -42,8 +42,10 @@
+ if ( $debug_mode > 0 )
+ echo "submit = '$submit'";
+
+- set_time_limit($max_script_runtime);
++ if ( ini_get("safe_mode") != true )
++ set_time_limit($max_script_runtime);
+
++ $repair_output = NULL;
+ if ( $submit == "Update Alert Cache" )
+ {
+ UpdateAlertCache($db);
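Review bot: `ini_get("safe_mode") != true` relies on loose comparison to work: `ini_get` returns a string (`"1"`, `"0"` or `""`), and it is only PHP's truthiness rules for `"0"` and `""` that make the test come out right. Spell the intent directly so it does not depend on that coercion: `if ( !ini_get("safe_mode") )`. The same expression is introduced in the acid_output_html.inc hunk of this commit.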
+@@ -71,14 +73,18 @@
+ DropWhoisCache($db);
+ UpdateWhoisCache($db);
+ }
++ else if ( $submit == "Repair Tables")
++ {
++ $repair_output = RepairDBTables($db);
++ }
+
+ echo '
";
++
';
+
+ echo '
+
+diff -Naur acid/acid_net.inc acidfp/acid_net.inc
+--- acid/acid_net.inc 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_net.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: TCP/IP network routines
+@@ -17,7 +17,7 @@
+ * Purpose: convert a text string IPv4 address into its 32-bit numeric
+ * equivalent
+ *
+- * Arguments: $IP_str => dotted IPv4 address string (e.g. 1.2.3.4)
++ :* Arguments: $IP_str => dotted IPv4 address string (e.g. 1.2.3.4)
+ *
+ * Returns: 32-bit integer equivalent of the dotted address
+ * (e.g. 255.255.255.255 => 4294967295 )
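Review bot: The only change in this hunk introduces a typo: the comment line now reads `:* Arguments: $IP_str => dotted IPv4 address string (e.g. 1.2.3.4)` with a stray `:` before the `*`, breaking the block-comment alignment for no reason. Restore it to ` * Arguments: $IP_str => dotted IPv4 address string (e.g. 1.2.3.4)`.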
+@@ -143,7 +143,7 @@
+ $current_time = date("Y-m-d H:i:s",$current_unixtime);
+ $sql = "SELECT ipc_ip,ipc_fqdn,".$db->acidSQL_UNIXTIME("(ipc_dns_timestamp)", "","").",ipc_dns_timestamp".
+ " FROM acid_ip_cache ".
+- " WHERE ipc_ip = $ip32 ";
++ " WHERE ipc_ip = '$ip32' ";
+
+ $result = $db->acidExecute($sql);
+ $ip_cache = $result->acidFetchRow();
+@@ -160,7 +160,8 @@
+ }
+ else /* cache hit */
+ {
+- if ( ( ($ip_cache[2] / 60)+$cache_lifetime ) <= ($current_unixtime / 60) )
++ if ( (( ($ip_cache[2] / 60)+$cache_lifetime ) <= ($current_unixtime / 60)) &&
++ ($ip_cache[2] != "") )
+ {
+ /* valid entry */
+ if ( ($ip_cache[2] != "") && ($ip_cache[2] != 0) )
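Review bot: The `($ip_cache[2] != "")` clause added to the outer condition makes the same test on the very next line, `if ( ($ip_cache[2] != "") && ($ip_cache[2] != 0) )`, partly redundant; only the `!= 0` half still does anything, so the inner line could become `if ( $ip_cache[2] != 0 )`. More importantly, the outer test `timestamp/60 + $cache_lifetime <= now/60` is true when the cached entry is older than the lifetime, yet the branch is labelled `/* valid entry */`; either the comment or the direction of the comparison looks wrong, but the `else` that would settle it is outside the hunk. A comment stating which case each branch handles would help the next reader.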
+@@ -176,7 +177,7 @@
+
+ /* Update entry in cache regardless of whether can resolve */
+ $sql = "UPDATE acid_ip_cache SET ipc_fqdn='$tmp', ".
+- " ipc_dns_timestamp='$current_time' WHERE ipc_ip=$ip32";
++ " ipc_dns_timestamp='$current_time' WHERE ipc_ip='$ip32'";
+ $db->acidExecute($sql);
+ }
+ }
+@@ -209,7 +210,7 @@
+ $current_time = date("Y-m-d H:i:s",$current_unixtime);
+ $sql = "SELECT ipc_ip,ipc_whois,".$db->acidSQL_UNIXTIME("(ipc_whois_timestamp)", "","").",ipc_whois_timestamp".
+ " FROM acid_ip_cache ".
+- " WHERE ipc_ip = $ip32 ";
++ " WHERE ipc_ip = '$ip32' ";
+
+ $result = $db->acidExecute($sql);
+ $whois_cache = $result->acidFetchRow();
+@@ -247,7 +248,7 @@
+
+ /* Update entry in cache regardless of whether can resolve */
+ $sql = "UPDATE acid_ip_cache SET ipc_whois='".getSafeSQLString($tmp)."', ".
+- " ipc_whois_timestamp='$current_time' WHERE ipc_ip=$ip32";
++ " ipc_whois_timestamp='$current_time' WHERE ipc_ip='$ip32'";
+ $db->acidExecute($sql);
+ }
+ }
+diff -Naur acid/acid_output_html.inc acidfp/acid_output_html.inc
+--- acid/acid_output_html.inc 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_output_html.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2001 Carnegie Mellon University
++ * Copyright (C) 2001,2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: Prints or generates HTML to display
+@@ -15,7 +15,8 @@
+ GLOBAL $debug_mode, $ACID_VERSION, $html_no_cache,
+ $max_script_runtime;
+
+- set_time_limit($max_script_runtime);
++ if ( ini_get("safe_mode") != true )
++ set_time_limit($max_script_runtime);
+
+ echo '
+
+@@ -96,11 +97,11 @@
+
+ function PrintFreshPage($refresh_stat_page, $stat_page_refresh_time)
+ {
+- GLOBAL $PHP_SELF;
++ GLOBAL $HTTP_SERVER_VARS;
+
+ if ( $refresh_stat_page )
+ echo ' '."\n";
++ '"; URL="'.$HTTP_SERVER_VARS["PHP_SELF"].'";>'."\n";
+ }
+
+ function chk_select($stored_value, $current_value)
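Review bot: `$HTTP_SERVER_VARS["PHP_SELF"]` is written into the meta-refresh `URL=` attribute unescaped, and PHP_SELF includes any PATH_INFO the client appends, so a request like `acid_main.php/";><script>...` is reflected into the page; switching from the `$PHP_SELF` global does not change that. Escape at the point of output: `'"; URL="'.htmlspecialchars($HTTP_SERVER_VARS["PHP_SELF"]).'";>'."\n"`. The attribute also appears to be terminated with `";` inside the content string, which is not the usual `content="N; URL=..."` form, but the surrounding markup is cut in this view so that may be a rendering artefact.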
+diff -Naur acid/acid_output_query.inc acidfp/acid_output_query.inc
+--- acid/acid_output_query.inc 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_output_query.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -134,9 +134,9 @@
+ echo '';
+ }
+
+-function qroPrintEntry($value)
++function qroPrintEntry($value, $halign="center", $valign="top", $passthru="")
+ {
+- echo "\n".
++ echo " \n".
+ " \n".
+ " $value\n".
+ " \n".
+diff -Naur acid/acid_qry_alert.php acidfp/acid_qry_alert.php
+--- acid/acid_qry_alert.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_qry_alert.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2001 Carnegie Mellon University
++ * Copyright (C) 2001,2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: displays a single alert
+@@ -55,7 +55,7 @@
+ * to the history.
+ */
+ $submit = ImportHTTPVar("submit");
+- $QUERY_STRING = "submit=".rawurlencode($submit);
++ $HTTP_SERVER_VARS["QUERY_STRING"] = "submit=".rawurlencode($submit);
+
+ $et = new EventTiming($debug_time_mode);
+ $cs = new CriteriaState("acid_qry_alert.php");
+@@ -79,6 +79,7 @@
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+@@ -205,7 +206,7 @@
+
+ $sql4 = "SELECT acid_ag_alert.ag_id, ag_name, ag_desc ".
+ "FROM acid_ag_alert LEFT JOIN acid_ag ON acid_ag_alert.ag_id = acid_ag.ag_id ".
+- "WHERE ag_sid=".$sid." AND ag_cid=".$cid;
++ "WHERE ag_sid='".$sid."' AND ag_cid='".$cid."'";
+ $result4 = $db->acidExecute($sql4);
+ $num = $result4->acidRecordCount();
+
+@@ -540,11 +541,16 @@
+ $work = str_replace("\n","",$myrow2[0]);
+
+ /*
+- * depending on how the packet logged, 32-bits of NULL padding after
+- * the checksum may still be present.
++ * - depending on how the packet logged, 32-bits of NULL padding after
++ * the checksum may still be present.
+ */
+ if ( substr($work, 0, 8) == "00000000" )
+ $offset = 8;
++ /* for dest. unreachable, frag needed and DF bit set indent the padding
++ * of MTU of next hop
++ */
++ else if ( ($ICMPitype == "3") && ($ICMPicode == "4") )
++ $offset += 8;
+
+ $icmp_src = hexdec($work[24+$offset].$work[25+$offset]).".".
+ hexdec($work[26+$offset].$work[27+$offset]).".".
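Review bot: The new `else if ( ($ICMPitype == "3") && ($ICMPicode == "4") ) $offset += 8;` branch increments `$offset`, but the only visible assignment to it is the `$offset = 8;` in the preceding `if`, which by construction did not run; unless `$offset` is initialised above the hunk (not visible here), this reads an undefined variable, which PHP quietly treats as `0`. Use a plain assignment, `$offset = 8;`, or add an explicit `$offset = 0;` before the `if` so the arithmetic is well-defined either way. The comment also says `indent the padding`; `skip the 4-byte field that carries the next-hop MTU` describes the intent better, since for type 3/code 4 that field is presumably non-zero and the `00000000` test above does not catch it.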
+@@ -556,7 +562,7 @@
+ hexdec($work[38+$offset].$work[39+$offset]);
+ $icmp_proto = hexdec($work[18+$offset].$work[19+$offset]);
+
+- $hdr_offset = ($work[$offset+1]) * 8 + offset;
++ $hdr_offset = ($work[$offset+1]) * 8 + $offset;
+ $icmp_src_port = hexdec($work[$hdr_offset].$work[$hdr_offset+1].$work[$hdr_offset+2].$work[$hdr_offset+3]);
+ $icmp_dst_port = hexdec($work[$hdr_offset+4].$work[$hdr_offset+5].$work[$hdr_offset+6].$work[$hdr_offset+7]);
+
+diff -Naur acid/acid_qry_common.php acidfp/acid_qry_common.php
+--- acid/acid_qry_common.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_qry_common.php 2003-12-17 14:16:39.000000000 -0500
+@@ -5,7 +5,7 @@
+ * Author: Roman Danyliw ,
+ * MSSQL support by Charles Hand
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * Portions Copyright (C) 2001 Iowa National Guard
+ * (see the file 'acid_main.php' for license details)
+ *
+@@ -17,67 +17,52 @@
+
+ function PrintCriteriaState()
+ {
+- GLOBAL $time, $time_cnt,
+- $sig, $sig_type,
+- $sensor,
+- $ag,
+- $ip_addr, $ip_addrs, $ip_addr_cnt,
+- $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt,
+- $tcp_flags,
+- $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt,
+- $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $data, $data_cnt,
+- $layer4, $MAX_ROWS,
+- $new, $submit, $sort_order, $num_result_rows,
+- $current_view, $caller, $action, $action_arg,
+- $sort_order, $debug_mode;
+-
+- if ( $debug_mode >= 2 )
+- {
+- echo "";
+- echo "sensor: $sensor \n
+- AG: $ag \n
+- signature ";
+- print_r($sig);
+- echo "time ($time_cnt): ";
+- print_r($time);
+- echo "IP addresses ($ip_addr_cnt): ";
+- print_r($ip_addr);
+- echo " =================================================== ";
+- print_r($ip_addrs);
+- echo "IP fields ($ip_field_cnt): ";
+- print_r($ip_field);
+- echo "TCP ports ($tcp_port_cnt): ";
+- print_r($tcp_port);
+- echo "TCP flags: ";
+- print_r($tcp_flags);
+- echo "TCP field ($tcp_field_cnt): ";
+- print_r($tcp_field);
+- echo "UDP ports ($udp_port_cnt): ";
+- print_r($udp_port);
+- echo "UDP field ($udp_field_cnt): ";
+- print_r($udp_field);
+- echo "ICMP field ($icmp_field_cnt): ";
+- print_r($icmp_field);
+- echo "Data ($data_cnt): ";
+- print_r($data);
+- echo " ";
+- }
+-
+- if ( $debug_mode >= 1 )
+- {
+- echo "
+- new: '$new'
+- submit: '$submit'
+- sort_order: '$sort_order'
+- num_result_rows: '$num_result_rows' current_view: '$current_view'
+- layer4: '$layer4' caller: '$caller'
+- action: '$action' action_arg: '$action_arg'
+- ";
+- }
++ GLOBAL $HTTP_SESSION_VARS, $layer4,
++ $new, $submit, $sort_order, $num_result_rows,
++ $current_view, $caller, $action, $action_arg,
++ $sort_order;
++
++ if ( $GLOBALS['debug_mode'] >= 2 )
++ {
++ echo "";
++ echo "sensor: ".$HTTP_SESSION_VARS['sensor']." \n".
++ "AG: ".$HTTP_SESSION_VARS['ag']." \n".
++ "signature \n";
++ print_r($HTTP_SESSION_VARS['sig']);
++ echo "time (".$HTTP_SESSION_VARS['time_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['time']);
++ echo "IP addresses (".$HTTP_SESSION_VARS['ip_addr_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['ip_addr']);
++ echo "IP fields (".$HTTP_SESSION_VARS['ip_field_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['ip_field']);
++ echo "TCP ports (".$HTTP_SESSION_VARS['tcp_port_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['tcp_port']);
++ echo "TCP flags: ";
++ print_r($HTTP_SESSION_VARS['tcp_flags']);
++ echo "TCP field (".$HTTP_SESSION_VARS['tcp_field_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['tcp_field']);
++ echo "UDP ports (".$HTTP_SESSION_VARS['udp_port_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['udp_port']);
++ echo "UDP field (".$HTTP_SESSION_VARS['udp_field_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['udp_field']);
++ echo "ICMP field (".$HTTP_SESSION_VARS['icmp_field_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['icmp_field']);
++ echo "Data (".$HTTP_SESSION_VARS['data_cnt']."): ";
++ print_r($HTTP_SESSION_VARS['data']);
++ echo " ";
++ }
++
++ if ( $GLOBALS['debug_mode'] >= 1 )
++ {
++ echo "
++ new: '$new'
++ submit: '$submit'
++ sort_order: '$sort_order'
++ num_result_rows: '$num_result_rows' current_view: '$current_view'
++ layer4: '$layer4' caller: '$caller'
++ action: '$action' action_arg: '$action_arg'
++ ";
++ }
+ }
+
+ function FieldRows2sql($field, $cnt, &$s_sql)
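Review bot: The debug output on the new lines (L9007–L9030 and the interpolated block at L9036–L9043) writes the session-held search criteria and request variables such as `$submit` and `$sort_order` into the page unescaped, so anyone who can influence those values can inject markup whenever `debug_mode` is on. Routing each value through `htmlspecialchars` keeps the dump readable and inert, e.g. `echo htmlspecialchars(print_r($HTTP_SESSION_VARS['sig'], true));` in place of the bare `print_r`, and `htmlspecialchars($submit)` and friends inside the second block. `$sort_order` is also listed twice in the `GLOBAL` statement (L9000 and L9002); the second occurrence can go.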
+@@ -88,8 +73,8 @@
+ $tmp = "";
+ if ( $field[$i][3] != "" && $field[$i][1] != " ")
+ {
+- $tmp = $field[$i][0]." ".$field[$i][1]." ".$field[$i][2]."".
+- $field[$i][3]."".$field[$i][4]." ".$field[$i][5];
++ $tmp = $field[$i][0]." ".$field[$i][1]." ".$field[$i][2]." '".
++ $field[$i][3]."' ".$field[$i][4]." ".$field[$i][5];
+ }
+ else
+ {
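Review bot: Wrapping `$field[$i][3]` in single quotes on L9054–L9055 does not make the interpolation safe: the value comes from the criteria form, and a quote character inside it still terminates the literal, leaving the rest of the input to be parsed as SQL. It needs to go through the DB abstraction's escaping routine (or be validated as numeric where the column is numeric) before it is concatenated, and the same applies to the other places this commit quotes rather than escapes: `sid` at L9551, `sig_class_id` at L9581 and `sig_priority` at L9598. The `ag_id` clause at L9558 is left both unquoted and unescaped, the weakest of the set; as it is an id, `$tmp_meta = $tmp_meta." AND ag_id =".(int)$ag;` would close it. FieldRows2sql begins and ends outside the hunk.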
+@@ -139,7 +124,7 @@
+ for ( $i = 0; $i < $cnt; $i++ )
+ {
+ $tmp = "";
+- if ( $field[$i][1] != " " && $field[$i][1] != "")
++ if ( isset($field[$i]) && $field[$i][1] != " " && $field[$i][1] != "")
+ {
+ $op = $field[$i][1];
+
+@@ -250,12 +235,15 @@
+ }
+ else
+ {
+- if ( ($field[$i][2] != " " || $field[$i][3] != "" || $field[$i][4] != " ") &&
++ if ( isset($field[$i]) )
++ {
++ if ( ($field[$i][2] != " " || $field[$i][3] != "" || $field[$i][4] != " ") &&
+ $field[$i][1] == " ")
+- ErrorMessage("Criteria warning: A date/time value of '".
+- $field[$i][2]."-".$field[$i][3]."-".$field[$i][4]." ".
+- $field[$i][5].":".$field[6].":".$field[7]."' was entered
+- but no operator was selected.");
++ ErrorMessage("Criteria warning: A date/time value of '".
++ $field[$i][2]."-".$field[$i][3]."-".$field[$i][4]." ".
++ $field[$i][5].":".$field[6].":".$field[7]."' was entered
++ but no operator was selected.");
++ }
+ }
+
+ if ( $i > 0 && $field[$i-1][9] == ' ' && $field[$i-1][4] != " ")
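Review bot: The re-indented warning on L9081–L9084 still reads `$field[6]` and `$field[7]` where every other part of the message uses `$field[$i][...]`, so the minute and second portion of the echoed value never comes from the row being reported; it should be `$field[$i][5].":".$field[$i][6].":".$field[$i][7]`. The new `isset($field[$i])` guard on L9073 also does not cover the `$field[$i-1][9]` access on L9088 (context here), which can still hit an unset row. If `ErrorMessage()` renders its argument as HTML, the date parts it echoes are form input and should be escaped as well. The enclosing function begins and ends outside the hunk.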
+@@ -357,54 +345,10 @@
+
+ function PrintCriteria($caller)
+ {
+- GLOBAL $db, $cs, $last_num_alerts, $time, $time_cnt, $sig, $sig_type,
+- $sensor, $ag, $sig_class,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode, $save_criteria;
+-
+- /* Generate the Criteria entered into a human readable form */
+- $human_fields["ip_src"] = "Source Address";
+- $human_fields["ip_dst"] = "Dest. Address";
+- $human_fields["ip_both"] = "Source or Dest. Address";
+- $human_fields["ip_ttl"] = "TTL";
+- $human_fields["ip_tos"] = "TOS";
+- $human_fields["ip_id"] = "ID";
+- $human_fields["ip_off"] = "offset";
+- $human_fields["ip_len"] = "length";
+- $human_fields["ip_csum"] = "chksum";
+- $human_fields["layer4_sport"] = "source port";
+- $human_fields["layer4_dport"] = "dest port";
+- $human_fields[""] = "";
+- $human_fields["tcp_win"] = "window";
+- $human_fields["tcp_urp"] = "urp";
+- $human_fields["tcp_seq"] = "seq #";
+- $human_fields["tcp_ack"] = "ack";
+- $human_fields["tcp_off"] = "offset";
+- $human_fields["tcp_res"] = "res";
+- $human_fields["tcp_csum"] = "chksum";
+- $human_fields["udp_len"] = "length";
+- $human_fields["udp_csum"] = "chksum";
+- $human_fields["icmp_type"] = "type";
+- $human_fields["icmp_code"] = "code";
+- $human_fields["icmp_csum"] = "chksum";
+- $human_fields["icmp_id"] = "id";
+- $human_fields["icmp_seq"] = "seq";
+- $human_fields["LIKE"] = "contains";
+- $human_fields["="] = "=";
+- $human_fields["1"] = "F";
+- $human_fields["2"] = "S";
+- $human_fields["4"] = "R";
+- $human_fields["8"] = "P";
+- $human_fields["16"] = "A";
+- $human_fields["32"] = "U";
+- $human_fields["64"] = "[R0]";
+- $human_fields["128"] = "[R1]";
++ GLOBAL $db, $cs, $last_num_alerts,
++ $save_criteria;
+
+- //$save_criteria = ' Queried DB on : '.date("D F d, Y H:i:s",time()).'
++ /* Generate the Criteria entered into a human readable form */
+ $save_criteria = '
+
+
+@@ -430,85 +374,15 @@
+ return;
+ }
+
+-// if ( $have_meta == 1 )
+-// {
+ $tmp_len = strlen($save_criteria);
+
+- if ( $sensor != " " && $sensor != "" )
+- $save_criteria = $save_criteria.'Sensor = ['.$sensor.'] '.
+- GetSensorName($sensor, $db).
+- $cs->GetClearCriteriaString("sensor").' ';
+-
+- if ( $ag != " " && $ag != "" )
+- $save_criteria = $save_criteria.'Alert Group = ['.$ag.'] '.GetAGNameByID($ag, $db).
+- $cs->GetClearCriteriaString("ag").' ';
+-
+- if ( $sig[0] != " " && $sig[1] != "" )
+- {
+- if ( $sig[0] == '=' && $sig[2] == '!=' )
+- $tmp_human = '!=';
+- else if ( $sig[0] == '=' && $sig[2] == '=' )
+- $tmp_human = '=';
+- else if ( $sig[0] == 'LIKE' && $sig[2] == '!=' )
+- $tmp_human = ' does not contain ';
+- else if ( $sig[0] == 'LIKE' && $sig[2] == '=' )
+- $tmp_human = ' contains ';
+-
+- $save_criteria = $save_criteria.'Signature '.$tmp_human.' "';
+- if ( ($db->acidGetDBVersion() >= 100) && $sig_type == 1 )
+- $save_criteria = $save_criteria.BuildSigByID($sig[1], $db).'" '.
+- $cs->GetClearCriteriaString("sig");
+- else
+- $save_criteria = $save_criteria.$sig[1].
+- $cs->GetClearCriteriaString("sig");
+-
+- $save_criteria = $save_criteria.' ';
+- }
+-
+- if ( $db->acidGetDBVersion() >= 103 )
+- {
+- if ( $sig_class != " " && $sig_class != "" )
+- {
+- if ( $sig_class == "null")
+- $save_criteria = $save_criteria.'Signature Classification = '.
+- 'unclassified ';
+- else
+- $save_criteria = $save_criteria.'Signature Classification = '.
+- GetSigClassName($sig_class, $db).
+- $cs->GetClearCriteriaString("sig_class").' ';
+- }
+- }
+-
+- $tmp_len2 = strlen($save_criteria);
+- for ($i = 0; $i < $time_cnt; $i++)
+- {
+- if ( $time[$i][1] != " " )
+- {
+- $save_criteria = $save_criteria.''.$time[$i][0].' time '.$time[$i][1].' [ ';
+-
+- /* date */
+- if ( $time[$i][2] == " " && $time[$i][3] == "" && $time[$i][4] == " " )
+- $save_criteria = $save_criteria." any date ";
+- else
+- $save_criteria = $save_criteria.(($time[$i][2] == " ") ? "* / " : $time[$i][2]." / ").
+- (($time[$i][3] == "" ) ? "* / " : $time[$i][3]." / ").
+- (($time[$i][4] == " ") ? "* " : $time[$i][4]." ");
+- $save_criteria = $save_criteria.'] [';
+- /* time */
+- if ( $time[$i][5] == "" && $time[$i][6] == "" && $time[$i][7] == "" )
+- $save_criteria = $save_criteria."any time ";
+- else
+- $save_criteria = $save_criteria.(($time[$i][5] == "") ? "* : " : $time[$i][5]." : ").
+- (($time[$i][6] == "") ? "* : " : $time[$i][6]." : ").
+- (($time[$i][7] == "") ? "* " : $time[$i][7]." ");
+- $save_criteria = $save_criteria.$time[$i][8].$time[$i][9];
+- $save_criteria = $save_criteria.']';
+- $save_criteria = $save_criteria.' ';
+- }
+- }
+- if ( $tmp_len2 < strlen($save_criteria) )
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("time");
++ $save_criteria = $save_criteria.$cs->criteria['sensor']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['sig']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['sig_class']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['sig_priority']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['ag']->Description();
+
++ $save_criteria = $save_criteria.$cs->criteria['time']->Description();
+
+ if ( $tmp_len == strlen($save_criteria) )
+ $save_criteria = $save_criteria.'    any ';
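Review bot: The new lines L9229–L9235 splice `$cs->criteria[...]->Description()` straight into `$save_criteria`, which `PrintCriteria` later echoes as HTML, and nothing in this hunk shows whether `Description()` escapes the criteria values it renders; the removed code echoed `$sensor`, `$ag` and `$sig[1]` raw, so if the new classes merely relocated that code the output is still user-controlled markup. That is worth confirming in the criteria classes and recording above L9229 with a comment such as `/* Description() must return HTML-escaped text: it is echoed verbatim below */`. The "any" fallback on L9237 now also depends on every `Description()` returning an empty string for an unset criterion. `PrintCriteria` begins and ends outside the hunk.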
+@@ -519,114 +393,28 @@
+
+ IP Criteria
+ ';
+-// if ( $have_ip == 1 )
+-// {
+
+- $tmp_len = strlen($save_criteria);
+- $have_criteria = 0;
+- for ( $i = 0; $i < $ip_addr_cnt; $i++ )
+- {
+- $tmp = "";
+- if ( isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" )
+- {
+- $tmp = $tmp.$ip_addr[$i][3];
+- if ( $ip_addr[$i][4] != "" )
+- {
+- $tmp = $tmp.".".$ip_addr[$i][4];
+- if ( $ip_addr[$i][5] != "" )
+- {
+- $tmp = $tmp.".".$ip_addr[$i][5];
+- if ( $ip_addr[$i][6] != "" )
+- {
+- if ( ($ip_addr[$i][3].".".$ip_addr[$i][4].".".
+- $ip_addr[$i][5].".".$ip_addr[$i][6]) == NULL_IP)
+- $tmp = " unknown ";
+- else
+- $tmp = $tmp.".".$ip_addr[$i][6];
+- }
+- else
+- $tmp = $tmp.'.*';
+- }
+- else
+- $tmp = $tmp.'.*.*';
+- }
+- else
+- $tmp = $tmp.'.*.*.*';
+- }
+- /* Make sure that the IP isn't blank */
+- if ( $tmp != "" )
+- {
+- $mask = "";
+- if ( $ip_addr[$i][10] != "" )
+- $mask = "/".$ip_addr[$i][10];
+-
+- $save_criteria = $save_criteria.$ip_addr[$i][0].
+- $human_fields[($ip_addr[$i][1])].' '.$ip_addr[$i][2].
+- ' '.$tmp.' '.$ip_addr[$i][8].' '.$ip_addr[$i][9].$mask.
+- $cs->GetClearCriteriaString("ip_addr")." ";
+- }
+- }
+-
+- $tmp_len2 = strlen($save_criteria);
+- for ( $i = 0; $i < $ip_field_cnt; $i++ )
+- {
+- if ($ip_field[$i][1] != " " && $ip_field[$i][3] != "" )
+- $save_criteria = $save_criteria.$ip_field[$i][0].$human_fields[($ip_field[$i][1])].' '.
+- $ip_field[$i][2].' '.$ip_field[$i][3].$ip_field[$i][4].' '.$ip_field[$i][5];
+- }
+- if ( $tmp_len2 < strlen($save_criteria) )
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("ip_field");
+-
+- if ( $tmp_len == strlen($save_criteria) )
+- $save_criteria = $save_criteria.'    any ';
++ if ( !$cs->criteria['ip_addr']->isEmpty() || !$cs->criteria['ip_field']->isEmpty() )
++ {
++ $save_criteria = $save_criteria.$cs->criteria['ip_addr']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['ip_field']->Description();
++ }
++ else
++ $save_criteria = $save_criteria.'    any ';
+
+ $save_criteria = $save_criteria.' ';
+
+- if ( $layer4 == "TCP" )
+- {
+- $save_criteria = $save_criteria.'
+-
+- TCP Criteria
+- ';
++ $save_criteria = $save_criteria.' ';
++ $save_criteria = $save_criteria.$cs->criteria['layer4']->Description();
++ $save_criteria = $save_criteria.' ';
+
+- if ( $have_tcp == 1 )
++ if ( $cs->criteria['layer4']->Get() == "TCP" )
++ {
++ if ( !$cs->criteria['tcp_port']->isEmpty() || !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty() )
+ {
+- $have_criteria = 0;
+- for ( $i = 0; $i < $tcp_port_cnt; $i++ )
+- {
+- if ($tcp_port[$i][1] != " " && $tcp_port[$i][3] != "" )
+- {
+- $save_criteria = $save_criteria.$tcp_port[$i][0].$human_fields[($tcp_port[$i][1])].' '.
+- $tcp_port[$i][2].' '.$tcp_port[$i][3].$tcp_port[$i][4].' '.$tcp_port[$i][5];
+- $have_criteria++;
+- }
+- }
+-
+- if ( $have_criteria > 0 )
+- $save_criteria = $save_criteria. $cs->GetClearCriteriaString("tcp_port").' ';
+-
+- if ( isset($tcp_flags[$i][0]) && ($tcp_flags[$i][0] != " ") && ($tcp_flags[$i][0] != "") )
+- {
+- $save_criteria = $save_criteria.'flags '.$tcp_flags[0].' ';
+- for ( $i = 8; $i >=1; $i-- )
+- if ( $tcp_flags[$i] == "" )
+- $save_criteria = $save_criteria.'-';
+- else
+- $save_criteria = $save_criteria.$human_fields[($tcp_flags[$i])];
+- $save_criteria = $save_criteria.
+- $cs->GetClearCriteriaString("tcp_flags").' ';
+- }
+-
+- $have_criteria = 0;
+- for ( $i = 0; $i < $tcp_field_cnt; $i++ )
+- if ($tcp_field[$i][1] != " " && $tcp_field[$i][3] != "" )
+- {
+- $save_criteria = $save_criteria.$tcp_field[$i][0].$human_fields[($tcp_field[$i][1])].' '.
+- $tcp_field[$i][2].' '.$tcp_field[$i][3].$tcp_field[$i][4].' '.$tcp_field[$i][5];
+- $have_criteria = 1;
+- }
+- if ( $have_criteria )
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("tcp_field");
++ $save_criteria = $save_criteria.$cs->criteria['tcp_port']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['tcp_flags']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['tcp_field']->Description();
+ }
+ else
+ $save_criteria = $save_criteria.'    any ';
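Review bot: Every new concatenation in this hunk (L9305–L9306, L9319–L9321, L9364–L9366, and likewise in the UDP, ICMP and payload hunks that follow) is written as `$save_criteria = $save_criteria.…`; the compound form says the same with less to read, e.g. `$save_criteria .= $cs->criteria['tcp_port']->Description();`. The three-way emptiness test on L9326 is repeated verbatim in ProcessCriteria at L9742, so a small method on the criteria set (something like `HasTcpCriteria()`) would keep the two in step when a criterion is added. `PrintCriteria` begins and ends outside the hunk.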
+@@ -634,43 +422,12 @@
+ $save_criteria = $save_criteria.' ';
+ }
+
+- else if ( $layer4 == "UDP" )
++ else if ( $cs->criteria['layer4']->Get() == "UDP" )
+ {
+- $save_criteria = $save_criteria.'
+-
+- UDP Criteria
+- ';
+-
+- if ( $have_udp == 1 )
++ if ( !$cs->criteria['udp_port']->isEmpty() || !$cs->criteria['udp_field']->isEmpty() )
+ {
+-
+- $have_criteria = 0;
+- for ( $i = 0; $i < $udp_port_cnt; $i++ )
+- {
+- if ($udp_port[$i][1] != " " && $udp_port[$i][3] != "" )
+- {
+- $save_criteria = $save_criteria.$udp_port[$i][0].$human_fields[($udp_port[$i][1])].' '.
+- $udp_port[$i][2].' '.$udp_port[$i][3].$udp_port[$i][4].' '.$udp_port[$i][5];
+- $have_criteria = 1;
+- }
+- }
+-
+- if ($have_criteria)
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("udp_port").' ';
+-
+- $have_criteria = 0;
+- for ( $i = 0; $i < $udp_field_cnt; $i++ )
+- {
+- if ($udp_field[$i][1] != " " && $udp_field[$i][3] != "" )
+- {
+- $save_criteria = $save_criteria.$udp_field[$i][0].$human_fields[($udp_field[$i][1])].' '.
+- $udp_field[$i][2].' '.$udp_field[$i][3].$udp_field[$i][4].' '.$udp_field[$i][5];
+- $have_criteria = 1;
+- }
+- }
+-
+- if ( $have_criteria )
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("udp_field");
++ $save_criteria = $save_criteria.$cs->criteria['udp_port']->Description();
++ $save_criteria = $save_criteria.$cs->criteria['udp_field']->Description();
+ }
+ else
+ $save_criteria = $save_criteria.'    any ';
+@@ -678,36 +435,20 @@
+ $save_criteria = $save_criteria.' ';
+ }
+
+- else if ( $layer4 == "ICMP" )
++ else if ( $cs->criteria['layer4']->Get() == "ICMP" )
+ {
+- $save_criteria = $save_criteria.'
+-
+- ICMP Criteria
+- ';
+-
+- if ( $have_icmp == 1 )
++ if ( !$cs->criteria['icmp_field']->isEmpty() )
+ {
+- for ( $i = 0; $i < $icmp_field_cnt; $i++ )
+- {
+- if ($icmp_field[$i][1] != " " && $icmp_field[$i][3] != "" )
+- $save_criteria = $save_criteria.$icmp_field[$i][0].$human_fields[($icmp_field[$i][1])].' '.
+- $icmp_field[$i][2].' '.$icmp_field[$i][3].$icmp_field[$i][4].' '.$icmp_field[$i][5];
+- }
+-
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("icmp_field");
++ $save_criteria = $save_criteria.$cs->criteria['icmp_field']->Description();
+ }
+ else
+ $save_criteria = $save_criteria.'    any ';
+
+ $save_criteria = $save_criteria.' ';
+ }
+-
+ else
+ {
+- $save_criteria = $save_criteria.'
+-
+- Layer 4 Criteria
+-    none ';
++ $save_criteria = $save_criteria.'    none ';
+ }
+
+ /* Payload ************** */
+@@ -715,26 +456,9 @@
+
+ Payload Criteria
+ ';
+- if ( $have_data == 1 )
+- {
+- if ( $data_encode[0] != " " && $data_encode[1] != " ")
+- {
+- $save_criteria = $save_criteria.' (data encoded as '.$data_encode[0];
+- $save_criteria = $save_criteria.' => '.$data_encode[1];
+- $save_criteria = $save_criteria.') ';
+- }
+- else
+- $save_criteria = $save_criteria.' (no data conversion, assuming criteria in DB native encoding) ';
+-
+- for ( $i = 0; $i < $data_cnt; $i++ )
+- {
+- if ($data[$i][1] != " " && $data[$i][2] != "" )
+- $save_criteria = $save_criteria.$data[$i][0].$data[$i][1].' "'.$data[$i][2].
+- '" '.$data[$i][3].' '.$data[$i][4];
+- }
+-
+- $save_criteria = $save_criteria.$cs->GetClearCriteriaString("data");
+- }
++
++ if ( !$cs->criteria['data']->isEmpty() )
++ $save_criteria = $save_criteria.$cs->criteria['data']->Description();
+ else
+ $save_criteria = $save_criteria.'    any ';
+
+@@ -758,20 +482,13 @@
+ ' '.
+ '
';
+
+-
+ echo $save_criteria;
+ }
+
+ /********************************************************************************************/
+ function ProcessCriteria()
+ {
+- GLOBAL $db, $time, $time_cnt, $sig, $sig_type, $sig_class, $sensor, $ag,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode, $save_criteria,
++ GLOBAL $db,
+ $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode,
+ $caller, $DBtype;
+
+@@ -794,10 +511,43 @@
+
+ /* ********************** Meta Criteria ******************************************** */
+
++ /* XXX-SEC */
++ GLOBAL $cs;
++
++ $sig = $cs->criteria['sig']->criteria;
++ $sig_type = $cs->criteria['sig']->sig_type;
++ $sig_class = $cs->criteria['sig_class']->criteria;
++ $sig_priority = $cs->criteria['sig_priority']->criteria;
++ $ag = $cs->criteria['ag']->criteria;
++ $sensor = $cs->criteria['sensor']->criteria;
++ $time = $cs->criteria['time']->criteria;
++ $time_cnt = $cs->criteria['time']->GetFormItemCnt();
++ $ip_addr = $cs->criteria['ip_addr']->criteria;
++ $ip_addr_cnt = $cs->criteria['ip_addr']->GetFormItemCnt();
++ $layer4 = $cs->criteria['layer4']->criteria;
++ $ip_field = $cs->criteria['ip_field']->criteria;
++ $ip_field_cnt = $cs->criteria['ip_field']->GetFormItemCnt();
++ $tcp_port = $cs->criteria['tcp_port']->criteria;
++ $tcp_port_cnt = $cs->criteria['tcp_port']->GetFormItemCnt();
++ $tcp_flags = $cs->criteria['tcp_flags']->criteria;
++ $tcp_field = $cs->criteria['tcp_field']->criteria;
++ $tcp_field_cnt = $cs->criteria['tcp_field']->GetFormItemCnt();
++ $udp_port = $cs->criteria['udp_port']->criteria;
++ $udp_port_cnt = $cs->criteria['udp_port']->GetFormItemCnt();
++ $udp_field = $cs->criteria['udp_field']->criteria;
++ $udp_field_cnt = $cs->criteria['udp_field']->GetFormItemCnt();
++ $icmp_field = $cs->criteria['icmp_field']->criteria;
++ $icmp_field_cnt= $cs->criteria['icmp_field']->GetFormItemCnt();
++ $data = $cs->criteria['data']->criteria;
++ $data_cnt = $cs->criteria['data']->GetFormItemCnt();
++ $data_encode = $cs->criteria['data']->data_encode;
++
+ $tmp_meta = "";
+ /* Sensor */
+ if ( $sensor != "" && $sensor != " " )
+- $tmp_meta = $tmp_meta." AND acid_event.sid=".$sensor;
++ $tmp_meta = $tmp_meta." AND acid_event.sid='".$sensor."'";
++ else
++ $cs->criteria['sensor']->Set("");
+
+ /* Alert Group */
+ if ( $ag != "" && $ag != " " )
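Review bot: `GLOBAL $cs;` on L9517 sits in the middle of the function under an `XXX-SEC` marker instead of in the `GLOBAL` list at the top of `ProcessCriteria`, which makes it easy to miss that every later `$cs->…` call depends on it; moving it up and replacing the marker with a comment that says why the copy is made, e.g. `/* unpack the criteria set into the locals the SQL builders below expect */`, would be clearer. The block at L9519–L9545 also reads `$cs->criteria['sig_priority']`, a key that must exist in the criteria set for the function to run at all. The function begins and ends outside the hunk.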
+@@ -805,9 +555,11 @@
+ $tmp_meta = $tmp_meta." AND ag_id =".$ag;
+ $join_sql = $join_sql.$ag_join_sql;
+ }
++ else
++ $cs->criteria['ag']->Set("");
+
+ /* Signature */
+- if ( $sig[0] != " " && $sig[0] != "" && $sig[1] != "" )
++ if ( (isset($sig[0]) && $sig[0] != " " && $sig[0] != "") && (isset($sig[1]) && $sig[1] != "") )
+ {
+ $sig_neg = "";
+ if ( $sig[2] == "!=" )
+@@ -839,35 +591,44 @@
+ $tmp_meta = $tmp_meta." AND ".$sig_neg." (signature LIKE '%".$sig[1]."%') ";
+ }
+ }
++ else
++ $cs->criteria['sig']->Set("");
+
+ /* Signature Classification */
+ if ( $sig_class != " " && $sig_class != "" && $sig_class != "0")
+ {
+- $tmp_meta = $tmp_meta." AND sig_class_id = ".$sig_class;
++ $tmp_meta = $tmp_meta." AND sig_class_id = '".$sig_class."'";
+ }
+ else if ($sig_class == "0")
+ {
+- $tmp_meta = $tmp_meta." AND (sig_class_id is null OR sig_class_id = 0)";
++ $tmp_meta = $tmp_meta." AND (sig_class_id is null OR sig_class_id = '0')";
+ }
++ else
++ $cs->criteria['sig_class']->Set("");
+
+- /* Date/Time */
+- DateTimeRows2sql($time, $time_cnt, $tmp_meta);
+-
+- if ( $tmp_meta != "" )
++ /* Signature Priority */
++ if ( $sig_priority[1] != " " && $sig_priority[1] != "" && $sig_priority[1] != "0")
++ {
++ $tmp_meta = $tmp_meta." AND sig_priority ".$sig_priority[0]." '".$sig_priority[1]."'";
++ }
++ else if ($sig_priority[1] == "0")
+ {
+- $have_meta = 1;
+- $criteria_sql = $criteria_sql.$tmp_meta;
++ $tmp_meta = $tmp_meta." AND (sig_priority is null OR sig_priority = '0')";
+ }
+ else
+- $have_meta = 0;
++ $cs->criteria['sig_priority']->Set("");
+
+- /* ********************** IP Criteria ********************************************** */
++ /* Date/Time */
++ if ( DateTimeRows2sql($time, $time_cnt, $tmp_meta) == 0 )
++ $cs->criteria['time']->SetFormItemCnt(0);
+
+- // $tmp_cnt = strlen($criteria_sql);
++ $criteria_sql = $criteria_sql.$tmp_meta;
++
++ /* ********************** IP Criteria ********************************************** */
+
+ /* IP Addresses */
+ $tmp2 = "";
+-
++
+ for ( $i = 0; $i < $ip_addr_cnt; $i++ )
+ {
+ $tmp = "";
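Review bot: On L9598 the comparison operator `$sig_priority[0]` is concatenated into the SQL as-is, and unlike a value an operator cannot be quoted or escaped, so it has to be checked against an allow-list of the operators the form can submit (the `=`, `!=`, `<`, `<=`, `>`, `>=` set the other criteria forms in this patch use) before it is used, e.g. `if ( !in_array($sig_priority[0], array('=', '!=', '<', '<=', '>', '>=')) ) $sig_priority[0] = '=';` ahead of the `if`. The guard on L9596 reads `$sig_priority[1]` without the `isset` check this same hunk adds for `$sig` at L9566. The new `DateTimeRows2sql(...) == 0` test at L9612 relies on that function now returning a count, which is not visible in this chunk. The function begins and ends outside the hunk.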
+@@ -888,11 +649,11 @@
+ {
+ if ( $ip_addr[$i][10] == "" )
+ {
+- $tmp = $tmp." acid_event.".$ip_addr[$i][1].$ip_addr[$i][2].
++ $tmp = $tmp." acid_event.".$ip_addr[$i][1].$ip_addr[$i][2]."'".
+ acidIP2Long($ip_addr[$i][3].".".
+ $ip_addr[$i][4].".".
+ $ip_addr[$i][5].".".
+- $ip_addr[$i][6])." ";
++ $ip_addr[$i][6])."' ";
+ }
+ else
+ {
+@@ -905,10 +666,10 @@
+ else
+ $tmp_op = "";
+
+- $tmp = $tmp.$tmp_op." (acid_event.".$ip_addr[$i][1].">=".
+- acidIP2Long($mask[0])." AND ".
+- "acid_event.".$ip_addr[$i][1]."<=".
+- acidIP2Long($mask[1]).")";
++ $tmp = $tmp.$tmp_op." (acid_event.".$ip_addr[$i][1].">= '".
++ acidIP2Long($mask[0])."' AND ".
++ "acid_event.".$ip_addr[$i][1]."<= '".
++ acidIP2Long($mask[1])."')";
+ }
+ }
+ }
+@@ -923,8 +684,9 @@
+ else
+ $tmp = "(".$tmp_src.') AND ('.$tmp_dst.')';
+ }
+-
+- $tmp = $ip_addr[$i][0]."(".$tmp.")".$ip_addr[$i][8].$ip_addr[$i][9];
++
++ if ( $tmp != "" )
++ $tmp = $ip_addr[$i][0]."(".$tmp.")".$ip_addr[$i][8].$ip_addr[$i][9];
+ }
+ else if ( (isset($ip_addr[$i][3]) && $ip_addr[$i][3] != "" ) || $ip_addr[$i][1] != " " )
+ {
+@@ -959,42 +721,38 @@
+
+ if ( $tmp2 != "" )
+ $criteria_sql = $criteria_sql." AND ( ".$tmp2." )";
+-
+- $tmp_cnt = strlen($criteria_sql);
++ else
++ $cs->criteria['ip_addr']->SetFormItemCnt(0);
+
+ /* IP Fields */
+- FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql);
+-
+- if ( $tmp_cnt != strlen($criteria_sql) )
+- $have_ip = 1;
+- else
+- $have_ip = 0;
++ if ( FieldRows2sql($ip_field, $ip_field_cnt, $criteria_sql) == 0 )
++ $cs->criteria['ip_field']->SetFormItemCnt(0);
+
+ /* Layer-4 encapsulation */
+- /* if ( $caller != "" $caller == "" ||
+- $caller == "last_tcp" || $caller == "last_udp" || $caller == "last_icmp" ) */
+- if ( $layer4 == "TCP" )
+- $criteria_sql = $criteria_sql." AND acid_event.ip_proto= 6";
+- else if ( $layer4 == "UDP" )
+- $criteria_sql = $criteria_sql." AND acid_event.ip_proto= 17";
+- else if ( $layer4 == "ICMP" )
+- $criteria_sql = $criteria_sql." AND acid_event.ip_proto= 1";
++ if ( $layer4 == "TCP" )
++ $criteria_sql = $criteria_sql." AND acid_event.ip_proto= '6'";
++ else if ( $layer4 == "UDP" )
++ $criteria_sql = $criteria_sql." AND acid_event.ip_proto= '17'";
++ else if ( $layer4 == "ICMP" )
++ $criteria_sql = $criteria_sql." AND acid_event.ip_proto= '1'";
++ else
++ $cs->criteria['layer4']->Set("");
+
+- /* Build the final IP criteria */
+- if ( $have_ip == 1 )
++ /* Join the iphdr table if necessary */
++ if ( !$cs->criteria['ip_field']->isEmpty() )
+ $join_sql = $ip_join_sql.$join_sql;
+
+ /* ********************** TCP Criteria ********************************************** */
+ if ( $layer4 == "TCP" )
+ {
+- $have_tcp = 0;
+ $proto_tmp = "";
+ /* TCP Ports */
+- FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp);
+- if ( $proto_tmp != "" ) $have_tcp = 1;
++ if ( FieldRows2sql($tcp_port, $tcp_port_cnt, $proto_tmp) == 0 )
++ $cs->criteria['tcp_port']->SetFormItemCnt(0);
++
+ $criteria_sql = $criteria_sql.$proto_tmp;
++
+ $proto_tmp = "";
+-
+ /* TCP Flags */
+ if ( isset($tcp_flags) )
+ {
+@@ -1012,17 +770,18 @@
+ }
+
+ /* TCP Fields */
+- FieldRows2sql($tcp_field, $tcp_field_cnt, $proto_tmp);
++ if ( FieldRows2sql($tcp_field, $tcp_field_cnt, $proto_tmp) == 0 )
++ $cs->criteria['tcp_field']->SetFormItemCnt(0);
+
+ /* TCP Options
+ * - not implemented
+ */
+
+- if ( $proto_tmp != "" )
++ if ( !$cs->criteria['tcp_port']->isEmpty() || !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty() )
+ {
+- $have_tcp = 1;
+ $criteria_sql = $criteria_sql.$proto_tmp;
+- $join_sql = $tcp_join_sql.$join_sql;
++ if ( !$cs->criteria['tcp_flags']->isEmpty() || !$cs->criteria['tcp_field']->isEmpty() )
++ $join_sql = $tcp_join_sql.$join_sql;
+ }
+ }
+
+@@ -1030,22 +789,23 @@
+ if ( $layer4 == "UDP" )
+ {
+ $proto_tmp = "";
+- $have_udp = 0;
+
+ /* UDP Ports */
+- FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp);
+- if ( $proto_tmp != "" ) $have_udp = 1;
++ if ( FieldRows2sql($udp_port, $udp_port_cnt, $proto_tmp) == 0 )
++ $cs->criteria['udp_port']->SetFormItemCnt(0);
++
+ $criteria_sql = $criteria_sql.$proto_tmp;
+ $proto_tmp = "";
+
+ /* UDP Fields */
+- FieldRows2sql($udp_field, $udp_field_cnt, $proto_tmp);
++ if ( FieldRows2sql($udp_field, $udp_field_cnt, $proto_tmp) == 0 )
++ $cs->criteria['udp_field']->SetFormItemCnt(0);
+
+- if ( $proto_tmp != "" )
++ if ( !$cs->criteria['udp_port']->isEmpty() || !$cs->criteria['udp_field']->isEmpty() )
+ {
+- $have_udp = 1;
+ $criteria_sql = $criteria_sql.$proto_tmp;
+- $join_sql = $udp_join_sql.$join_sql;
++ if ( !$cs->criteria['udp_field']->isEmpty() )
++ $join_sql = $udp_join_sql.$join_sql;
+ }
+ }
+
+@@ -1053,33 +813,30 @@
+ if ( $layer4 == "ICMP" )
+ {
+ $proto_tmp = "";
++
+ /* ICMP Fields */
+- FieldRows2sql($icmp_field, $icmp_field_cnt, $proto_tmp);
++ if ( FieldRows2sql($icmp_field, $icmp_field_cnt, $proto_tmp) == 0 )
++ $cs->criteria['icmp_field']->SetFormItemCnt(0);
+
+- if ( $proto_tmp != "" )
++ if ( !$cs->criteria['icmp_field']->isEmpty() )
+ {
+- $have_icmp = 1;
+ $criteria_sql = $criteria_sql.$proto_tmp;
+ $join_sql = $icmp_join_sql.$join_sql;
+ }
+- else
+- $have_icmp = 0;
+ }
+
+ /* ********************** Payload Criteria ***************************************** */
+
+ $tmp_payload = "";
+- DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload);
++ if ( DataRows2sql($data, $data_cnt, $data_encode, $tmp_payload) == 0 )
++ $cs->criteria['data']->SetFormItemCnt(0);
+
+- if ( $tmp_payload != "" )
++ if ( !$cs->criteria['data']->isEmpty() )
+ {
+- $have_data = 1;
+ $criteria_sql = $criteria_sql.$tmp_payload;
+ $join_sql = $data_join_sql.$join_sql;
+ }
+- else
+- $have_data = 0;
+-
++
+ $csql[0] = $join_sql;
+ $csql[1] = $criteria_sql;
+
+diff -Naur acid/acid_qry_form.php acidfp/acid_qry_form.php
+--- acid/acid_qry_form.php 2002-03-03 18:02:44.000000000 -0500
++++ acidfp/acid_qry_form.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,40 +4,40 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: renders the HTML form to gather search criteria
+ *
+ */
+
+-if ( $submit == "TCP" ) { $layer4 = "TCP"; }
+-if ( $submit == "UDP" ) { $layer4 = "UDP"; }
+-if ( $submit == "ICMP" ) { $layer4 = "ICMP"; }
+-if ( $submit == "no layer4" ) { $layer4 = ""; }
+-
+-if ( $submit == "ADD Time" && $time_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $time_cnt, $time, TIME_CFCNT);
+-if ( $submit == "ADD Addr" && $ip_addr_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $ip_addr_cnt, $ip_addr, IPADDR_CFCNT);
+-if ( $submit == "ADD IP Field" && $ip_field_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $ip_field_cnt, $ip_field, PROTO_CFCNT);
++if ( $submit == "TCP" ) { $cs->criteria['layer4']->Set("TCP"); }
++if ( $submit == "UDP" ) { $cs->criteria['layer4']->Set("UDP"); }
++if ( $submit == "ICMP" ) { $cs->criteria['layer4']->Set("ICMP"); }
++if ( $submit == "no layer4" ) { $cs->criteria['layer4']->Set(""); }
++
++if ( $submit == "ADD Time" && $cs->criteria['time']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['time']->AddFormItem($submit, $cs->criteria['layer4']->Get());
++if ( $submit == "ADD Addr" && $cs->criteria['ip_addr']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['ip_addr']->AddFormItem($submit, $cs->criteria['layer4']->Get());
++if ( $submit == "ADD IP Field" && $cs->criteria['ip_field']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['ip_field']->AddFormItem($submit, $cs->criteria['layer4']->Get());
+ /*if ( $submit == "ADD IP Option Field" && $ip_opt_cnt < $MAX_ROWS)
+ { $submit = $layer4; $ip_opt_cnt++; }*/
+-if ( $submit == "ADD TCP Port" && $tcp_port_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $tcp_port_cnt, $tcp_port, TCPPORT_CFCNT);
+-if ( $submit == "ADD TCP Field" && $tcp_field_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $tcp_field_cnt, $tcp_field, PROTO_CFCNT);
++if ( $submit == "ADD TCP Port" && $cs->criteria['tcp_port']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['tcp_port']->AddFormItem($submit, $cs->criteria['layer4']->Get());
++if ( $submit == "ADD TCP Field" && $cs->criteria['tcp_field']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['tcp_field']->AddFormItem($submit, $cs->criteria['layer4']->Get());
+ /*if ( $submit == "ADD TCP Option Field" && $tcp_opt_cnt < $MAX_ROWS)
+ { $submit = $layer4; $tcp_opt_cnt++; } */
+-if ( $submit == "ADD UDP Port" && $udp_port_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $udp_port_cnt, $udp_port, PROTO_CFCNT);
+-if ( $submit == "ADD UDP Field" && $udp_field_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $udp_field_cnt, $udp_field, PROTO_CFCNT);
+-if ( $submit == "ADD ICMP Field" && $icmp_field_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $icmp_field_cnt, $icmp_field, PROTO_CFCNT);
+-if ( $submit == "ADD Payload" && $data_cnt < $MAX_ROWS)
+- AddCriteriaFormRow($submit, $layer4, $data_cnt, $data, PAYLOAD_CFCNT);
++if ( $submit == "ADD UDP Port" && $cs->criteria['udp_port']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['udp_port']->AddFormItem($submit, $cs->criteria['layer4']->Get());
++if ( $submit == "ADD UDP Field" && $cs->criteria['udp_field']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['udp_field']->AddFormItem($submit, $cs->criteria['layer4']->Get());
++if ( $submit == "ADD ICMP Field" && $cs->criteria['icmp_field']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['icmp_field']->AddFormItem($submit, $cs->criteria['layer4']->Get());
++if ( $submit == "ADD Payload" && $cs->criteria['data']->GetFormItemCnt() < $MAX_ROWS)
++ $cs->criteria['data']->AddFormItem($submit, $cs->criteria['layer4']->Get());
+
+ echo '
+
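Review bot: `$cs->criteria['layer4']->Get()` is evaluated on every `AddFormItem` line from L9857 to L9889 although its value cannot change between them; read it once after the four `Set` lines, `$layer4 = $cs->criteria['layer4']->Get();`, and pass the local. The nine `if ( $submit == "ADD …" )` lines differ only in the criteria key, so a map from button label to key (`'ADD Time' => 'time'`, …) with a single lookup would replace them and make adding a criterion a one-entry change. `$submit` is still read as a bare global here; an `isset($submit)` before the comparisons avoids notices on a freshly opened form. This top-level script continues past the hunk.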
+@@ -50,93 +50,25 @@
+ ';
+
+@@ -208,73 +93,13 @@
+ ';
+
+-if ( $layer4 == "TCP" )
++if ( $cs->criteria['layer4']->Get() == "TCP" )
+ {
+ echo '
+
+@@ -344,79 +152,16 @@
+
+ echo 'Port: ';
+ echo ' ';
+- for ( $i = 0; $i < $tcp_port_cnt; $i++ )
+- {
+- echo ' __';
+- echo ' ( ';
+- echo ' { port }';
+- echo ' Source';
+- echo ' Dest ';
+- echo ' =';
+- echo ' !=';
+- echo ' <';
+- echo ' <=';
+- echo ' "). '>>';
+- echo ' =").'>>= ';
+- echo ' ';
+- echo ' __';
+- echo ' (';
+- echo ' ) ';
+- echo ' __';
+- echo ' OR';
+- echo ' AND ';
+- if ( $i == $tcp_port_cnt-1 )
+- echo ' ';
+- echo ' ';
+- }
++ $cs->criteria['tcp_port']->PrintForm();
+
+ echo '
+
+ Flags: ';
+- echo '{ flags }';
+- echo ' is';
+- echo ' contains ';
+- echo ' ';
+- echo ' [RSV1]  ';
+- echo ' [RSV0]  ';
+- echo ' [URG]  ';
+- echo ' [ACK]  ';
+- echo ' [PSH]  ';
+- echo ' [RST]  ';
+- echo ' [SYN]  ';
+- echo ' [FIN]  ';
+- echo ' ';
++ $cs->criteria['tcp_flags']->PrintForm();
+
+ echo ' Misc: ';
+ echo ' ';
+- for ( $i = 0; $i < $tcp_field_cnt; $i++ )
+- {
+- echo ' __';
+- echo ' ( ';
+- echo ' { field }';
+- echo ' seq #';
+- echo ' ack';
+- echo ' offset';
+- echo ' res';
+- echo ' window';
+- echo ' chksum';
+- echo ' urp ';
+- echo ' =';
+- echo ' !=';
+- echo ' <';
+- echo ' <=';
+- echo ' "). '>>';
+- echo ' =").'>>= ';
+- echo ' ';
+- echo ' __';
+- echo ' (';
+- echo ' ) ';
+- echo ' __';
+- echo ' OR';
+- echo ' AND ';
+- if ( $i == $tcp_field_cnt-1 )
+- echo ' ';
+- echo ' ';
+- }
++ $cs->criteria['tcp_field']->PrintForm();
+
+ /* echo ' Option: ';
+ echo ' ';
+@@ -449,7 +194,7 @@
+
';
+ }
+
+-if ( $layer4 == "UDP" )
++if ( $cs->criteria['layer4']->Get() == "UDP" )
+ {
+ echo '
+
+@@ -464,64 +209,17 @@
+
+ echo 'Port: ';
+ echo ' ';
+- for ( $i = 0; $i < $udp_port_cnt; $i++ )
+- {
+- echo ' __';
+- echo ' ( ';
+- echo ' { port }';
+- echo ' Source';
+- echo ' Dest ';
+- echo ' =';
+- echo ' !=';
+- echo ' <';
+- echo ' <=';
+- echo ' "). '>>';
+- echo ' =").'>>= ';
+- echo ' ';
+- echo ' __';
+- echo ' (';
+- echo ' ) ';
+- echo ' __';
+- echo ' OR';
+- echo ' AND ';
+- if ( $i == $udp_port_cnt-1 )
+- echo ' ';
+- echo ' ';
+- }
++ $cs->criteria['udp_port']->PrintForm();
+
+ echo ' Misc: ';
+ echo ' ';
+- for ( $i = 0; $i < $udp_field_cnt; $i++ )
+- {
+- echo ' __';
+- echo ' ( ';
+- echo ' { field }';
+- echo ' length';
+- echo ' chksum ';
+- echo ' =';
+- echo ' !=';
+- echo ' <';
+- echo ' <=';
+- echo ' "). '>>';
+- echo ' =").'>>= ';
+- echo ' ';
+- echo ' __';
+- echo ' (';
+- echo ' ) ';
+- echo ' __';
+- echo ' OR';
+- echo ' AND ';
+- if ( $i == $udp_field_cnt-1 )
+- echo ' ';
+- echo ' ';
+- }
+-
++ $cs->criteria['udp_field']->PrintForm();
+ echo'
+ ';
+ }
+
+
+-if ( $layer4 == "ICMP" )
++if ( $cs->criteria['layer4']->Get() == "ICMP" )
+ {
+ echo '
+
+@@ -537,35 +235,7 @@
+
+ echo ' Misc: ';
+ echo ' ';
+- for ( $i = 0; $i < $icmp_field_cnt; $i++ )
+- {
+- echo ' __';
+- echo ' ( ';
+- echo '
+- { field }';
+- echo ' type';
+- echo ' code';
+- echo ' id';
+- echo ' seq #';
+- echo ' chksum ';
+- echo '
+- =';
+- echo ' !=';
+- echo ' <';
+- echo ' <=';
+- echo ' "). '>>';
+- echo ' =").'>>= ';
+- echo ' ';
+- echo ' __';
+- echo ' (';
+- echo ' ) ';
+- echo ' __';
+- echo ' OR';
+- echo ' AND ';
+- if ( $i == $icmp_field_cnt-1 )
+- echo ' ';
+- echo ' ';
+- }
++ $cs->criteria['icmp_field']->PrintForm();
+ echo '
+ ';
+ }
+@@ -581,37 +251,9 @@
+
+ ';
+
+diff -Naur acid/acid_qry_main.php acidfp/acid_qry_main.php
+--- acid/acid_qry_main.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_qry_main.php 2003-12-17 14:17:10.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose:
+@@ -50,109 +50,6 @@
+ *
+ * $sort_order: how to sort the output
+ *
+- * Meta
+- * ====
+- *
+- * $ag: AG ID
+- *
+- * $sensor: sensor ID
+- *
+- * $sig[3]: stores signature
+- * - [0] : exactly, roughly [1] : signature
+- * - [2] : =, !=
+- *
+- * $sig_class: signature classification
+- *
+- * $time[MAX][10]: stores the date/time of the packet detection
+- * - [][0] : ( [][5] : hour
+- * - [][1] : =, !=, <, <=, >, >= [][6] : minute
+- * - [][2] : month [][7] : second
+- * - [][3] : day [][8] : (, )
+- * - [][4] : year [][9] : AND, OR
+- *
+- * $time_cnt : number of rows in the $time[][] structure
+- *
+- * IP Variables
+- * ============
+- *
+- * $ip_addr[MAX][10]: stores an ip address parameters/operators row
+- * - [][0] : ( [][5] : octet3 of address
+- * - [][1] : source, dest [][6] : octet4 of address
+- * - [][2] : =, != [][7] : network mask
+- * - [][3] : octet1 of address [][8] : (, )
+- * - [][4] : octet2 of address [][9] : AND, OR
+- *
+- * $ip_addr_cnt: number of rows in the $ip_addr[][] structure
+- *
+- * $ip_field[MAX][6]: stores all other ip fields parameters/operators row
+- * - [][0] : ( [][3] : field value
+- * - [][1] : TOS, TTL, ID, offset, length [][4] : (, )
+- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+- *
+- * $ip_field_cnt: number of rows in the $ip_field[][] structure
+- *
+- * TCP Variables
+- * =============
+- *
+- * $tcp_port[MAX][6]: stores all port parameters/operators row
+- * - [][0] : ( [][3] : port value
+- * - [][1] : Source Port, Dest Port [][4] : (, )
+- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+- *
+- * $tcp_port_cnt: number of rows in the $tcp_port[][] structure
+- *
+- * $tcp_flags[7]: stores all other tcp flags parameters/operators row
+- * - [0] : is, contains [4] : 8 (RST)
+- * - [1] : 1 (FIN) [5] : 16 (ACK)
+- * - [2] : 2 (SYN) [6] : 32 (URG)
+- * - [3] : 4 (PUSH)
+- *
+- * $tcp_field[MAX][6]: stores all other tcp fields parameters/operators row
+- * - [][0] : ( [][3] : field value
+- * - [][1] : windows, URP [][4] : (, )
+- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+- *
+- * $tcp_field_cnt: number of rows in the $tcp_field[][] structure
+- *
+- * UDP Variables
+- * =============
+- *
+- * $udp_port[MAX][6]: stores all port parameters/operators row
+- * - [][0] : ( [][3] : port value
+- * - [][1] : Source Port, Dest Port [][4] : (, )
+- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+- *
+- * $udp_port_cnt: number of rows in the $udp_port[][] structure
+- *
+- * $udp_field[MAX][6]: stores all other udp fields parameters/operators row
+- * - [][0] : ( [][3] : field value
+- * - [][1] : length [][4] : (, )
+- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+- *
+- * $udp_field_cnt: number of rows in the $udp_field[][] structure
+- *
+- * ICMP Variables
+- * ==============
+- * $icmp_field[MAX][6]: stores all other icmp fields parameters/operators row
+- * - [][0] : ( [][3] : field value
+- * - [][1] : code, length [][4] : (, )
+- * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
+- *
+- * $icmp_field_cnt: number of rows in the $icmp_field[][] structure
+- *
+- * Payload Variables
+- * =================
+- * $data_encode[2]: how the payload should be interpreted and converted
+- * - [0] : encoding type (hex, ascii)
+- * - [1] : conversion type (hex, ascii)
+- *
+- * $data[MAX][5]: stores all the payload related parameters/operators row
+- * - [][0] : ( [][3] : (, )
+- * - [][1] : =, != [][4] : AND, OR
+- * - [][2] : field value
+- *
+- * $data_cnt: number of rows in the $data[][] structure
+- *
+ * ----- Search Result Variables ----
+ * $action_chk_lst[]: array of check boxes to determine if an alert
+ * was selected for action
+@@ -173,18 +70,16 @@
+ $et = new EventTiming($debug_time_mode);
+ $cs = new CriteriaState("acid_qry_main.php", "&new=1&submit=Query+DB");
+
+- $new = ImportHTTPVar("new");
++ $new = ImportHTTPVar("new", VAR_DIGIT);
+ $submit = ImportHTTPVar("submit");
+- $layer4 = ImportHTTPVar("layer4");
+
+-/* Code to correct 'interesting' (read: unexplained) browser behavior
+- */
++/* Code to correct 'interesting' (read: unexplained) browser behavior */
+
+ /* Something with Netscape 4.75 such that the $submit variable is no recognized
+ * under certain circumstances. This one is a result of using HTTPS and
+ * clicking on TCP traffic profile from acid_main.php
+ */
+-if ( $layer4 != "" && $submit == "" )
++if ( $cs->criteria['layer4']->Get() != "" && $submit == "" )
+ $submit = "Query DB";
+
+ /* End 'interesting' browser code fixes */
+@@ -192,42 +87,10 @@
+ /* Totally new Search */
+ if ( ($new == 1) && ($submit == "") )
+ {
+- /* Read the state to import the history */
+- $cs->ReadState();
+-
+- /*
+- * Save the variables associated with keeping history,
+- * or they will be deleted in the InitState() call
+- */
+- $save_back_list = $GLOBALS['back_list'];
+- $save_back_list_cnt = $GLOBALS['back_list_cnt'];
+-
+ $cs->InitState();
+-
+- /* Restore the history variables */
+- $back_list = $save_back_list;
+- $back_list_cnt = $save_back_list_cnt;
+-
+- $time_cnt = 1;
+- $ip_addr_cnt = 1;
+- $ip_field_cnt = 1;
+- $tcp_port_cnt = 1;
+- $tcp_field_cnt = 1;
+- $udp_port_cnt = 1;
+- $udp_field_cnt = 1;
+- $icmp_field_cnt = 1;
+- $data_cnt = 1;
+- $layer4 = "";
+ }
+
+- /* if scrolling between pages read the session */
+- /* if access the first query result page from the criteria specification
+- * then read the session and migrate the POST variables into the session
+- */
+- else
+- {
+- $cs->ReadState();
+- }
++ $cs->ReadState();
+
+ $qs = new QueryState();
+ $qs->AddCannedQuery("last_tcp", $last_num_alerts, "Last TCP", "time_d");
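Review bot: The new-search branch now calls `$cs->InitState()` and then, unconditionally, `$cs->ReadState()`, dropping the explicit save/restore of `$back_list`/`$back_list_cnt` that the deleted comment said InitState() would otherwise wipe out. If InitState() still clears the session history (its body is outside this hunk), the back-link history is lost on every `new=1` request; if ReadState() after InitState() is what now restores it, that ordering deserves a comment in place of the removed one, e.g. `/* ReadState() after InitState() re-imports the back_list history, so no save/restore around InitState() is needed */`. Either way, reading the state after the reset instead of before it is a behaviour change that the patch does not describe.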
+@@ -277,7 +140,7 @@
+ if ( $submit == "Query DB" ||
+ $submit == "Selected" || $submit == "ALL on Screen" || $submit == "Entire Query" ||
+ $qs->isCannedQuery() ||
+- $sort_order != "" )
++ $qs->GetCurrentSort() != "" )
+ {
+ /* Init and run the action */
+ $criteria_clauses = ProcessCriteria();
+@@ -287,6 +150,7 @@
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+@@ -298,13 +162,14 @@
+ $qs->AddValidActionOp("ALL on Screen");
+ $qs->AddValidActionOp("Entire Query");
+
+- $qs->SetActionSQL("SELECT acid_event.sid, acid_event.cid $from $where");
++ $qs->SetActionSQL("SELECT acid_event.sid, acid_event.cid $from $where");
+ $et->Mark("Initialization");
+
+ $qs->RunAction($submit, PAGE_QRY_ALERTS, $db);
+ $et->Mark("Alert Action");
+
+ if ( $debug_mode > 0 ) ErrorMessage("Initial/Canned Query or Sort Clicked");
++
+ include("acid_qry_sqlcalls.php");
+ }
+ /* Return the input form to get more criteria from user */
+@@ -313,32 +178,6 @@
+ include("acid_qry_form.php");
+ }
+
+-/* Stores the neccessary variables for shared state between calls */
+-
+-/* These variables will ultimately be stored in the session, but are
+- * temporarily required while criteria is being entered in the form
+- */
+-//if ( ($HTTP_POST_VARS["new"] == 1) || ($HTTP_GET_VARS["new"] == 1) )
+-if ( $new == 1 )
+-{
+- echo ' ';
+- echo ' ';
+- echo ' ';
+- echo ' ';
+- echo ' ';
+- echo ' ';
+- echo ' ';
+- echo ' ';
+- echo ' ';
+-}
+-
+-echo '
+-
+-
+-
+-
+-
+- ';
+ // $db->acidClose();
+
+ $qs->SaveState();
+@@ -348,7 +187,6 @@
+ echo "\n\n";
+
+ PrintACIDSubFooter();
+-
+ ?>
+
+
+diff -Naur acid/acid_qry_sqlcalls.php acidfp/acid_qry_sqlcalls.php
+--- acid/acid_qry_sqlcalls.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_qry_sqlcalls.php 2003-12-17 14:16:39.000000000 -0500
+@@ -17,10 +17,9 @@
+ * - imported variables: $sql, $cnt_sql
+ */
+
+- ProcessCriteria();
+-
+ if ( $printing_ag )
+ {
++ ProcessCriteria();
+ $page = "acid_ag_main.php";
+ $tmp_page_get = "&ag_action=view&ag_id=$ag_id&submit=x";
+ $sql = $save_sql;
+@@ -65,8 +64,8 @@
+ "dip_a", " ", " ORDER BY ip_dst ASC",
+ "dip_d", " ", " ORDER BY ip_dst DESC");
+ $qro->AddTitle("Layer 4 Proto",
+- "proto_a", " ", " ORDER BY layer4_proto ASC",
+- "proto_d", " ", " ORDER BY layer4_proto DESC");
++ "proto_a", " ", " ORDER BY ip_proto ASC",
++ "proto_d", " ", " ORDER BY ip_proto DESC");
+
+ if ( !$printing_ag)
+ $sql = $sql.$join_sql.$where_sql.$criteria_sql;
+@@ -152,7 +151,7 @@
+ '&sort_order='.$qs->getCurrentSort().'">'.
+ $tmp_rowid.
+ '');
+- qroPrintEntry($current_sig);
++ qroPrintEntry($current_sig, "left");
+ qroPrintEntry($myrow[3]);
+
+ $tmp_iplookup = 'acid_qry_main.php?sig%5B0%5D=%3D'.
+@@ -161,12 +160,9 @@
+ '&submit=Query+DB¤t_view=-1&ip_addr_cnt=2';
+
+ /* TCP or UDP show the associated port # */
+- if ( $current_proto == TCP )
+- $result4 = $db->acidExecute("SELECT tcp_sport, tcp_dport FROM tcphdr ".
+- "WHERE sid=".$myrow[0]." AND cid=".$myrow[1]);
+- else if ( $current_proto == UDP )
+- $result4 = $db->acidExecute("SELECT udp_sport, udp_dport FROM udphdr ".
+- "WHERE sid=".$myrow[0]." AND cid=".$myrow[1]);
++ if ( ($current_proto == TCP) || ($current_proto == UDP) )
++ $result4 = $db->acidExecute("SELECT layer4_sport, layer4_dport FROM acid_event ".
++ "WHERE sid='".$myrow[0]."' AND cid='".$myrow[1]."'");
+
+ if ( ($current_proto == TCP) || ($current_proto == UDP) )
+ {
+diff -Naur acid/acid_show_packet.php acidfp/acid_show_packet.php
+--- acid/acid_show_packet.php 1969-12-31 19:00:00.000000000 -0500
++++ acidfp/acid_show_packet.php 2003-12-17 14:17:10.000000000 -0500
+@@ -0,0 +1,630 @@
++,
++ *
++ * Copyright (C) 2001,2002 Carnegie Mellon University
++ * (see the file 'acid_main.php' for license details)
++ *
++ * Purpose: displays a single alert
++ *
++ * Input GET/POST variables
++ * - caller
++ * - submit:
++ *
++ */
++
++ include ("acid_constants.inc");
++ include ("acid_conf.php");
++ include ("acid_include.inc");
++ include_once ("acid_db_common.php");
++ include_once ("acid_qry_common.php");
++ include_once ("acid_stat_common.php");
++
++function PrintPacketLookupBrowseButtons($seq, $save_sql, $db, &$previous_button, &$next_button)
++{
++ echo "\n\n\n";
++
++ $result2 = $db->acidExecute($save_sql);
++
++ if ( $seq == 0 )
++ $previous_button = '[ First ]'."\n";
++
++ $i = 0;
++ while ($i <= $seq+1 )
++ {
++ $myrow2 = $result2->acidFetchRow();
++
++ if ( $myrow2 == "" )
++ $next_button = '[ Last ]'."\n";
++ else if ( $i == $seq-1 )
++ $previous_button = ' '."\n";
++
++ else if ( $i == $seq+1 )
++ $next_button = ' '."\n";
++ $i++;
++ }
++
++ $result2->acidFreeRows();
++}
++
++ /*
++ * Need to import $submit and set the $QUERY_STRING early to support
++ * the back button. Otherwise, the value of $submit will not be passed
++ * to the history.
++ */
++ $submit = ImportHTTPVar("submit");
++ $HTTP_SERVER_VARS["QUERY_STRING"] = "submit=".rawurlencode($submit);
++
++ $et = new EventTiming($debug_time_mode);
++ $cs = new CriteriaState("acid_qry_alert.php");
++ $cs->ReadState();
++
++ $qs = new QueryState();
++
++ $page_title = "Network Fingerprint Packet Detail";
++ PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
++
++ /* Connect to the Alert database */
++ $db = NewACIDDBConnection($DBlib_path, $DBtype);
++ $db->acidDBConnect($db_connect_method,
++ $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
++/*
++ PrintCriteria("");
++*/
++ $criteria_clauses = ProcessCriteria();
++
++
++ $from = " FROM acid_event ".$criteria_clauses[0];
++ $where = " WHERE ".$criteria_clauses[1];
++
++ $qs->AddValidAction("ag_by_id");
++ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
++ $qs->AddValidAction("del_alert");
++ $qs->AddValidAction("email_alert");
++ $qs->AddValidAction("email_alert2");
++ $qs->AddValidAction("archive_alert");
++ $qs->AddValidAction("archive_alert2");
++
++ $qs->AddValidActionOp("Selected");
++
++ $qs->SetActionSQL($from.$where);
++
++ $et->Mark("Initialization");
++
++ $qs->RunAction($submit, PAGE_ALERT_DISPLAY, $db);
++ $et->Mark("Alert Action");
++
++ /* If get a valid (sid,cid) store it in $caller.
++ * But if $submit is returning from an alert action
++ * get the (sid,cid) back from $caller
++ */
++ if ( $submit == "Selected" )
++ $submit = ImportHTTPVar("caller");
++ else
++ $caller = $submit;
++
++ /* Setup the Query Results Table -- However, this data structure is not
++ * really used for output. Rather, it duplicates the sort SQL set in
++ * acid_qry_sqlcalls.php
++ */
++ $qro = new QueryResultsOutput("");
++
++ $qro->AddTitle("Signature",
++ "sig_a", " ", " ORDER BY sig_name ASC",
++ "sig_d", " ", " ORDER BY sig_name DESC");
++ $qro->AddTitle("Timestamp",
++ "time_a", " ", " ORDER BY timestamp ASC ",
++ "time_d", " ", " ORDER BY timestamp DESC ");
++ $qro->AddTitle("Source Address",
++ "sip_a", " ", " ORDER BY ip_src ASC",
++ "sip_d", " ", " ORDER BY ip_src DESC");
++ $qro->AddTitle("Dest. Address",
++ "dip_a", " ", " ORDER BY ip_dst ASC",
++ "dip_d", " ", " ORDER BY ip_dst DESC");
++ $qro->AddTitle("Layer 4 Proto",
++ "proto_a", " ", " ORDER BY layer4_proto ASC",
++ "proto_d", " ", " ORDER BY layer4_proto DESC");
++
++ $sort_sql = $qro->GetSortSQL($qs->GetCurrentSort(), "");
++ $save_sql = "SELECT acid_event.sid, acid_event.cid".$sort_sql[0].
++ $from.$where.$sort_sql[1];
++
++ if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
++
++ /* GetQueryResultID($submit, $seq, $sid, $cid); */
++ $sid = ImportHTTPVar("sid");
++ $cid = ImportHTTPVar("cid");
++
++ if ( $debug_mode > 0 )
++ echo "\n====== Alert Lookup =======
++ sid = $sid
++ cid = $cid
++ seq = $seq \n".
++ "=========================== \n";
++
++ /* Verify that have extracted (sid, cid) correctly */
++ if ( !($sid > 0 && $cid > 0) )
++ {
++ ErrorMessage("Invalid (sid,cid) pair (".$sid.",".$cid.")");
++ exit();
++ }
++
++/*
++ echo "\n";
++
++ PrintACIDSubFooter();
++
++?>
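Review bot: `$sid` and `$cid` are imported with a bare `ImportHTTPVar("sid")` / `ImportHTTPVar("cid")` although the same commit filters `new` with `VAR_DIGIT` in acid_qry_main.php, and the `$sid > 0 && $cid > 0` guard is a loose numeric comparison that lets a string such as `5 OR 1=1` through (PHP converts the leading digits). Use `$sid = ImportHTTPVar("sid", VAR_DIGIT);` and `$cid = ImportHTTPVar("cid", VAR_DIGIT);` (or cast with `(int)`) before the values reach the packet-lookup SQL, which lies beyond the lines shown here. Separately, the `$qro` sort table still orders by `layer4_proto`, whereas this commit switches acid_qry_sqlcalls.php to `ip_proto`; since the comment says this table duplicates the sort SQL from that file, `$save_sql` now references a column the rest of the patch has moved away from. The `new CriteriaState("acid_qry_alert.php")` in a file named acid_show_packet.php also looks carried over from the original and is worth confirming against how CriteriaState keys its session data.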
+diff -Naur acid/acid_signature.inc acidfp/acid_signature.inc
+--- acid/acid_signature.inc 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_signature.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -15,7 +15,7 @@
+ {
+ $name = "";
+
+- $temp_sql = "SELECT sig_name FROM signature WHERE sig_id=$sig_id";
++ $temp_sql = "SELECT sig_name FROM signature WHERE sig_id='$sig_id'";
+ $tmp_result = $db->acidExecute($temp_sql);
+ if ( $tmp_result )
+ {
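Review bot: Wrapping `$sig_id` in single quotes (`WHERE sig_id='$sig_id'`) does not escape it; a value containing a quote still breaks out of the literal, so this is not an injection fix if `$sig_id` can originate from a request parameter (its source is outside this hunk). For an integer key the robust form is `$temp_sql = "SELECT sig_name FROM signature WHERE sig_id=".intval($sig_id);`, or the driver's escaping if sig_id can legitimately be non-numeric. The same quote-only change is applied to every query in this file and to the per-sensor queries in acid_stat_common.php, so the remark applies to all of them.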
+@@ -29,6 +29,25 @@
+ return $name;
+ }
+
++function GetSignaturePriority($sig_id, $db)
++{
++ $priority = "";
++
++ $temp_sql = "SELECT sig_priority FROM signature WHERE sig_id='$sig_id'";
++ $tmp_result = $db->acidExecute($temp_sql);
++ if ( $tmp_result )
++ {
++ $myrow = $tmp_result->acidFetchRow();
++ $priority = $myrow[0];
++
++ $tmp_result->acidFreeRows();
++ }
++ else
++ $priority = "[SigPriority unknown]";
++
++ return $priority;
++}
++
+ function GetSignatureID($sig_id, $db)
+ {
+ $id = "";
+@@ -58,7 +77,7 @@
+
+ $ref_system_name = "";
+
+- $tmp_sql = "SELECT ref_system_name FROM reference_system WHERE ref_system_id=".$ref_system_id;
++ $tmp_sql = "SELECT ref_system_name FROM reference_system WHERE ref_system_id='".$ref_system_id."'";
+ $tmp_result = $db->acidExecute($tmp_sql);
+ if ( $tmp_result )
+ {
+@@ -70,11 +89,32 @@
+ return $ref_system_name;
+ }
+
++function GetSingleSignatureReference($ref_system, $ref_tag, $style)
++{
++ $tmp_ref_system_name = strtolower($ref_system);
++ if ( in_array($tmp_ref_system_name, array_keys($GLOBALS['external_sig_link'])) )
++ {
++ if ( $style == 1 )
++ return "[".
++ "".$ref_system." ".
++ "] ";
++ else if ( $style == 2 )
++ return "[".$ref_system."/$ref_tag] ";
++ }
++ else
++ {
++ return $ref_system;
++ }
++}
++
+ function GetSignatureReference($sig_id, $db, $style)
+ {
+ $ref = "";
+
+- $temp_sql = "SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id=".$sig_id;
++ $temp_sql = "SELECT ref_seq, ref_id FROM sig_reference WHERE sig_id='".$sig_id."'";
+ $tmp_sig_ref = $db->acidExecute($temp_sql);
+
+ if ( $tmp_sig_ref )
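Review bot: `GetSingleSignatureReference()` interpolates `$ref_tag` straight into the returned markup and returns nothing at all when the reference system is known but `$style` is neither 1 nor 2. Reference tags come from the rule files via the `reference` table (the `url` system carries arbitrary text), so they should be escaped for the context they land in — `htmlspecialchars($ref_tag)` for the visible text and `rawurlencode($ref_tag)` inside the link target. Add an explicit `return "";` as the final statement so the fall-through does not yield NULL, and replace the `in_array(..., array_keys(...))` detour with `array_key_exists($tmp_ref_system_name, $GLOBALS['external_sig_link'])`. The anchor markup itself is not visible in this rendering of the patch, so the exact escaping points need to be checked against the file.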
+@@ -84,7 +124,7 @@
+ {
+ $mysig_ref = $tmp_sig_ref->acidFetchRow();
+
+- $temp_sql = "SELECT ref_system_id, ref_tag FROM reference WHERE ref_id=".$mysig_ref[1];
++ $temp_sql = "SELECT ref_system_id, ref_tag FROM reference WHERE ref_id='".$mysig_ref[1]."'";
+ $tmp_ref_tag = $db->acidExecute($temp_sql);
+
+ if ( $tmp_ref_tag )
+@@ -94,63 +134,39 @@
+ $ref_system = GetRefSystemName($myrow[0], $db);
+ }
+
+- $href = "";
+- if ( strncasecmp($ref_system,"arachNIDS",9) == 0)
+- {
+- if ( $style == 1 )
+- $href = "arachNIDS ";
+- else if ( $style == 2 )
+- $href = "[arachNIDS/$ref_tag] ";
+- }
+- elseif ( strncasecmp($ref_system,"cve",3) == 0)
+- {
+- if ( $style == 1 )
+- $href = "CVE ";
+- else if ( $style == 2 )
+- $href = "[CVE/$ref_tag] ";
+- }
+- elseif ( strncasecmp($ref_system,"bugtraq",7) == 0)
+- {
+- if ( $style == 1 )
+- $href = "bugtraq ";
+- else if ( $style == 2 )
+- $href = "[Bugtraq/$ref_tag] ";
+- }
+- elseif ( strncasecmp($ref_system,"McAfee",6) == 0 )
+- {
+- if ( $style == 1 )
+- $href = "McAfee ";
+- else if ( $style == 2 )
+- $href = "[McAfee/$ref_tag] ";
+- }
+- elseif ( strncasecmp($ref_system,"url",3) == 0 )
+- {
+- if ( $style == 1 )
+- $href = "url ";
+- else if ( $style == 2 )
+- $href = "[url/$ref_tag] ";
+-
+- }
+- else
+- {
+- $href = $ref_system;
+- }
++ $ref = $ref.GetSingleSignatureReference($ref_system, $ref_tag, $style);
+
+- if ( $style == 1 )
+- $ref = $ref."[$href] ";
+- else if ( $style == 2 )
+- $ref = $ref.$href;
+-
++ /* Automatically add an ICAT reference is a CVE reference exists */
++ if ( $ref_system == "cve" )
++ $ref = $ref.GetSingleSignatureReference("icat", $ref_tag, $style);
++
+ $tmp_ref_tag->acidFreeRows();
+ }
+ $tmp_sig_ref->acidFreeRows();
+ }
+
++ if ( $db->acidGetDBVersion() >= 103 )
++ {
++ $tmp_sql = "SELECT sig_sid FROM signature WHERE sig_id='".$sig_id."'";
++ $tmp_sig_sid = $db->acidExecute($tmp_sql);
++
++ if ( $tmp_sig_sid )
++ {
++ $myrow = $tmp_sig_sid->acidFetchRow();
++ $sig_sid = $myrow[0];
++ }
++ }
++ else
++ $sig_sid = "";
++
++ $href = "";
++
++ /* snort.org should be documenting all official signatures,
++ * so automatically add a link
++ */
++ if ( $sig_sid != "")
++ $ref = $ref.GetSingleSignatureReference("snort", $sig_sid, $style);
++
+ return $ref;
+ }
+
+@@ -171,9 +187,9 @@
+
+ $replace=array("\\1\\2 ",
+ "\\1\\2\\3 ",
+- "BUGTRAQ ID \\1 ",
+- "MCAFEE ID \\1 ",
+- "\\1 ");
++ "BUGTRAQ ID \\1 ",
++ "MCAFEE ID \\1 ",
++ "\\1 ");
+
+ $msg = preg_replace($pattern, $replace, $signature);
+
+@@ -208,7 +224,6 @@
+ * RETURNS: a formatted signature and the associated references
+ */
+ {
+- //echo "sig_id = $sig_id ";
+ if ( $db->acidGetDBVersion() >= 100 )
+ {
+ /* Catch the odd circumstance where $sig_id is still an alert text string
+@@ -234,7 +249,7 @@
+ function GetSigClassID($sig_id, $db)
+ {
+ $sql = "SELECT sig_class_id FROM signature ".
+- "WHERE sig_id = $sig_id";
++ "WHERE sig_id = '$sig_id'";
+
+ $result = $db->acidExecute($sql);
+ $row = $result->acidFetchRow();
+@@ -248,7 +263,7 @@
+ return "unclassified ";
+
+ $sql = "SELECT sig_class_name FROM sig_class ".
+- "WHERE sig_class_id = $class_id";
++ "WHERE sig_class_id = '$class_id'";
+ $result = $db->acidExecute($sql);
+
+ $row = $result->acidFetchRow();
+diff -Naur acid/acid_stat_alerts.php acidfp/acid_stat_alerts.php
+--- acid/acid_stat_alerts.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_alerts.php 2003-12-17 14:16:39.000000000 -0500
+@@ -55,6 +55,7 @@
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+diff -Naur acid/acid_stat_class.php acidfp/acid_stat_class.php
+--- acid/acid_stat_class.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_class.php 2003-12-17 14:16:39.000000000 -0500
+@@ -53,6 +53,7 @@
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+diff -Naur acid/acid_stat_common.php acidfp/acid_stat_common.php
+--- acid/acid_stat_common.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_common.php 2003-12-17 14:16:39.000000000 -0500
+@@ -4,10 +4,10 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000 Carnegie Mellon University
++ * Copyright (C) 2000-2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+- * Purpose:
++ * Purpose: summary statistics
+ *
+ */
+
+@@ -16,7 +16,7 @@
+ function SensorCnt($db, $join = "", $where = "")
+ {
+ if ( $join == "" && $where == "" )
+- $result = $db->acidExecute("SELECT count(*) FROM sensor");
++ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event");
+ else
+ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.sid) FROM acid_event $join $where");
+ $myrow = $result->acidFetchRow();
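Review bot: `SensorCnt()` with no join/where now counts `DISTINCT acid_event.sid` instead of rows in `sensor`, so sensors that are registered but have logged no events are no longer counted, and the two branches of the function now agree with each other. That is a visible change on the summary page and should be stated in the function's header, e.g. `/* number of sensors with at least one event; sensors that have logged nothing are not counted */`, so nobody reads the figure as the number of configured sensors. If the old meaning is still needed somewhere, the `sensor`-table query has to survive under another name.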
+@@ -52,7 +52,7 @@
+ {
+
+ /* Calculate the Unique Alerts */
+- $query = "SELECT COUNT(DISTINCT signature) FROM acid_event WHERE sid = " . $sensorID . ";";
++ $query = "SELECT COUNT(DISTINCT signature) FROM acid_event WHERE sid = '" . $sensorID . "'";
+ $result = $db->acidExecute($query);
+
+ if ( $result )
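Review bot: Quoting `$sensorID` (`WHERE sid = '" . $sensorID . "'`) only changes the SQL literal type; it does not escape the value, so if the sensor id ever arrives from a request parameter a quote inside it still breaks the statement. Since `sid` is an integer column, cast it instead — `$query = "SELECT COUNT(DISTINCT signature) FROM acid_event WHERE sid = " . intval($sensorID);` — which also avoids the string-to-integer comparison the quotes introduce on stricter databases. The same pattern repeats in EventCntBySensor, MinDateBySensor, MaxDateBySensor and the two Unique*AddrCntBySensor functions below.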
+@@ -75,7 +75,7 @@
+ */
+ function EventCntBySensor($sensorID, $db)
+ {
+- $query = "SELECT count(*) FROM acid_event where sid = " .$sensorID. ";";
++ $query = "SELECT count(*) FROM acid_event where sid = '" .$sensorID. "'";
+
+ $result = $db->acidExecute($query);
+ $myrow = $result->acidFetchRow();
+@@ -87,7 +87,7 @@
+
+ function MinDateBySensor($sensorID, $db)
+ {
+- $query = "SELECT min(timestamp) FROM acid_event WHERE sid=" . $sensorID . ";";
++ $query = "SELECT min(timestamp) FROM acid_event WHERE sid= '". $sensorID."'";
+
+ $result = $db->acidExecute($query);
+ $myrow = $result->acidFetchRow();
+@@ -100,7 +100,7 @@
+
+ function MaxDateBySensor($sensorID, $db)
+ {
+- $query = "SELECT max(timestamp) FROM acid_event WHERE sid=" . $sensorID . ";";
++ $query = "SELECT max(timestamp) FROM acid_event WHERE sid='".$sensorID."'";
+
+ $result = $db->acidExecute($query);
+ $myrow = $result->acidFetchRow();
+@@ -112,7 +112,7 @@
+
+ function UniqueDestAddrCntBySensor( $sensorID, $db )
+ {
+- $query = "SELECT COUNT(DISTINCT ip_dst) from acid_event WHERE sid=" . $sensorID . ";";
++ $query = "SELECT COUNT(DISTINCT ip_dst) from acid_event WHERE sid='" . $sensorID . "'";
+
+ $result = $db->acidExecute($query);
+ $row = $result->acidFetchRow();
+@@ -124,7 +124,7 @@
+
+ function UniqueSrcAddrCntBySensor( $sensorID, $db )
+ {
+- $query = "SELECT COUNT(DISTINCT ip_src) from acid_event WHERE sid=" . $sensorID . ";";
++ $query = "SELECT COUNT(DISTINCT ip_src) from acid_event WHERE sid='" . $sensorID . "'";
+
+ $result = $db->acidExecute($query);
+ $row = $result->acidFetchRow();
+@@ -136,7 +136,7 @@
+
+ function TCPPktCnt($db)
+ {
+- $result = $db->acidExecute("SELECT count(*) FROM tcphdr;");
++ $result = $db->acidExecute("SELECT count(*) FROM acid_event WHERE ip_proto=6");
+ $myrow = $result->acidFetchRow();
+ $num = $myrow[0];
+ $result->acidFreeRows();
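Review bot: `TCPPktCnt()` hard-codes `ip_proto=6` while the port-count queries later in this same file spell the protocol as the `TCP` constant (`"WHERE ip_proto='".TCP."'"`); the UDP and ICMP counters below do the same with 17 and 1. Use the constants for consistency: `$result = $db->acidExecute("SELECT count(*) FROM acid_event WHERE ip_proto=".TCP);`, and likewise `UDP` (and `ICMP`, if acid_constants.inc defines it) in the two functions that follow. A one-line comment that the count now comes from `acid_event` rather than the per-protocol header tables would explain why the figures can differ from older installs.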
+@@ -146,7 +146,7 @@
+
+ function UDPPktCnt($db)
+ {
+- $result = $db->acidExecute("SELECT count(*) FROM udphdr;");
++ $result = $db->acidExecute("SELECT count(*) FROM acid_event WHERE ip_proto=17");
+ $myrow = $result->acidFetchRow();
+ $num = $myrow[0];
+ $result->acidFreeRows();
+@@ -156,7 +156,7 @@
+
+ function ICMPPktCnt($db)
+ {
+- $result = $db->acidExecute("SELECT count(*) FROM icmphdr;");
++ $result = $db->acidExecute("SELECT count(*) FROM acid_event WHERE ip_proto=1");
+ $myrow = $result->acidFetchRow();
+ $num = $myrow[0];
+ $result->acidFreeRows();
+@@ -273,11 +273,11 @@
+ if ( $join == "" && $where == "")
+ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
+ "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event ".
+- "WHERE ip_proto=".TCP);
++ "WHERE ip_proto='".TCP."'");
+ else
+ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
+ "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event $join".
+- " $where AND ip_proto=".TCP);
++ " $where AND ip_proto='".TCP."'");
+
+ $row = $result->acidFetchRow();
+ $result->acidFreeRows();
+@@ -290,11 +290,11 @@
+ if ( $join == "" && $where == "")
+ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
+ "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event ".
+- "WHERE ip_proto=".UDP);
++ "WHERE ip_proto='".UDP."'");
+ else
+ $result = $db->acidExecute("SELECT COUNT(DISTINCT acid_event.layer4_sport), ".
+ "COUNT(DISTINCT acid_event.layer4_dport) FROM acid_event $join".
+- " $where AND ip_proto=".UDP);
++ " $where AND ip_proto='".UDP."'");
+
+ $row = $result->acidFetchRow();
+ $result->acidFreeRows();
+diff -Naur acid/acid_state_citems.inc acidfp/acid_state_citems.inc
+--- acid/acid_state_citems.inc 1969-12-31 19:00:00.000000000 -0500
++++ acidfp/acid_state_citems.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -0,0 +1,1462 @@
++,
++ *
++ * Copyright (C) 2002 Carnegie Mellon University
++ * (see the file 'acid_main.php' for license details)
++ *
++ * Purpose: individual criteria classes
++ *
++ */
++
++class BaseCriteria
++{
++ var $criteria;
++ var $export_name;
++
++ var $db;
++ var $cs;
++
++ function BaseCriteria($db, $cs, $name)
++ {
++ $this->db = &$db;
++ $this->cs = &$cs;
++
++ $this->export_name = $name;
++ $this->criteria = NULL;
++ }
++
++ function Init()
++ {
++ }
++
++ function Import()
++ {
++ /* imports criteria from POST, GET, or the session */
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function Sanitize()
++ {
++ /* clean/validate the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ /* clean/validate the criteria */
++ }
++
++ function PrintForm()
++ {
++ /* prints the HTML form to input the criteria */
++ }
++
++ function AddFormItem()
++ {
++ /* adding another item to the HTML form */
++ }
++
++ function GetFormItemCnt()
++ {
++ /* returns the number of items in this form element */
++ }
++
++ function SetFormItemCnt()
++ {
++ /* sets the number of items in this form element */
++ }
++
++ function Set($value)
++ {
++ /* set the value of this criteria */
++ }
++
++ function Get()
++ {
++ /* returns the value of this criteria */
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ /* generate human-readable description of this criteria */
++ }
++
++ function isEmpty()
++ {
++ /* returns if the criteria is empty */
++ }
++};
++
++class SingleElementCriteria extends BaseCriteria
++{
++ function Import()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ $this->criteria = SetSessionVar($this->export_name);
++
++ $HTTP_SESSION_VARS[$this->export_name] = &$this->criteria;
++ }
++
++ function Sanitize()
++ {
++ $this->SanitizeElement();
++ }
++
++ function GetFormItemCnt()
++ {
++ return -1;
++ }
++
++ function Set($value)
++ {
++ $this->criteria = $value;
++ }
++
++ function Get()
++ {
++ return $this->criteria;
++ }
++ function isEmpty()
++ {
++ if ( $this->criteria == "" )
++ return true;
++ else
++ return false;
++ }
++};
++
++class MultipleElementCriteria extends BaseCriteria
++{
++ var $element_cnt;
++ var $criteria_cnt;
++ var $valid_field_list;
++
++ function MultipleElementCriteria($db, $cs, $export_name, $element_cnt, $field_list = NULL)
++ {
++ $this->BaseCriteria(&$db, &$cs, $export_name);
++
++ $this->element_cnt = $element_cnt;
++ $this->criteria_cnt = 0;
++ $this->valid_field_list = $field_list;
++ }
++
++ function Init()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ InitArray($this->criteria, $GLOBALS['MAX_ROWS'], $this->element_cnt, "");
++ $this->criteria_cnt = 1;
++
++ $HTTP_SESSION_VARS[$this->export_name."_cnt"] = &$this->criteria_cnt;
++ }
++
++ function Import()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ $this->criteria = SetSessionVar($this->export_name);
++ $this->criteria_cnt = SetSessionVar($this->export_name."_cnt");
++
++ $HTTP_SESSION_VARS[$this->export_name] = &$this->criteria;
++ $HTTP_SESSION_VARS[$this->export_name."_cnt"] = &$this->criteria_cnt;
++ }
++
++ function Sanitize()
++ {
++ if ( in_array("criteria", array_keys(get_object_vars($this))) )
++ //if ( isset($this->criteria) )
++ {
++ for($i=0; $i < $this->element_cnt; $i++)
++ {
++ if ( isset($this->criteria[$i]) )
++ $this->SanitizeElement($i);
++ }
++ }
++ }
++
++ function SanitizeElement($i)
++ {
++ }
++
++ function GetFormItemCnt()
++ {
++ return $this->criteria_cnt;
++ }
++
++ function SetFormItemCnt($value)
++ {
++ $this->criteria_cnt = $value;
++ }
++
++ function AddFormItem(&$submit, $submit_value)
++ {
++ AddCriteriaFormRow($submit, $submit_value, &$this->criteria_cnt, $this->criteria, $this->element_cnt);
++ }
++
++ function Set($value)
++ {
++ $this->criteria = $value;
++ }
++
++ function Get()
++ {
++ return $this->criteria;
++ }
++
++ function isEmpty()
++ {
++ if ( $this->criteria_cnt == 0 )
++ return true;
++ else
++ return false;
++ }
++
++ function PrintForm($field_list, $blank_field_string, $add_button_string)
++ {
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ echo ' ';
++ echo ' criteria[$i][0]," ").'>__ ';
++ echo ' criteria[$i][0],"(").'>( ';
++ echo ' ';
++
++ echo ' ';
++ echo ' criteria[$i][1]," ").'>'.$blank_field_string.' ';
++
++ reset($field_list);
++ foreach( $field_list as $field_name => $field_human_name )
++ {
++ echo ' criteria[$i][1],$field_name).'>'.$field_human_name.' ';
++ }
++ echo ' ';
++
++ echo ' ';
++ echo ' criteria[$i][2],"="). '>= ';
++ echo ' criteria[$i][2],"!=").'>!= ';
++ echo ' criteria[$i][2],"<"). '>< ';
++ echo ' criteria[$i][2],"<=").'><= ';
++ echo ' criteria[$i][2],">"). '>> ';
++ echo ' criteria[$i][2],">=").'>>= ';
++ echo ' ';
++
++ echo ' ';
++
++ echo ' ';
++ echo ' criteria[$i][4]," ").'>__ criteria[$i][4],"(").'>(';
++ echo ' criteria[$i][4],")").'>) ';
++ echo ' ';
++
++ echo ' ';
++ echo ' criteria[$i][5]," "). '>__ ';
++ echo ' criteria[$i][5],"OR"). '>OR ';
++ echo ' criteria[$i][5],"AND").'>AND ';
++ echo ' ';
++ if ( $i == $this->criteria_cnt-1 )
++ echo ' ';
++ echo ' ';
++ }
++ }
++
++ function Compact()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ if ( $this->isEmpty() )
++ {
++ $this->criteria = "";
++ $HTTP_SESSION_VARS[$this->export_name] = &$this->criteria;
++ }
++ }
++};
++
++class ProtocolFieldCriteria extends MultipleElementCriteria
++{
++ function SanitizeElement($i)
++ {
++ $this->criteria[$i][0] = CleanVariable($this->criteria[$i][0], VAR_OPAREN);
++ $this->criteria[$i][1] = CleanVariable($this->criteria[$i][1], "", array_keys($this->valid_field_list));
++ $this->criteria[$i][2] = CleanVariable($this->criteria[$i][2], "", array("=", "!=", "<", "<=", ">", ">="));
++ $this->criteria[$i][3] = CleanVariable($this->criteria[$i][3], VAR_DIGIT);
++ $this->criteria[$i][4] = CleanVariable($this->criteria[$i][4], VAR_OPAREN | VAR_CPAREN);
++ $this->criteria[$i][5] = CleanVariable($this->criteria[$i][5], "", array("AND", "OR"));
++ }
++
++ function Description($human_fields)
++ {
++ $tmp = "";
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ if ($this->criteria[$i][1] != " " && $this->criteria[$i][3] != "" )
++ $tmp = $tmp.$this->criteria[$i][0].$human_fields[($this->criteria[$i][1])].' '.
++ $this->criteria[$i][2].' '.$this->criteria[$i][3].$this->criteria[$i][4].' '.$this->criteria[$i][5];
++ }
++ if ( $tmp != "" )
++ $tmp = $tmp.$this->cs->GetClearCriteriaString($this->export_name);
++
++ return $tmp;
++ }
++}
++
++class SignatureCriteria extends SingleElementCriteria
++{
++/*
++ * $sig[3]: stores signature
++ * - [0] : exactly, roughly [1] : signature
++ * - [2] : =, !=
++ */
++
++ var $sig_type;
++
++ function SignatureCriteria($db, $cs, $export_name)
++ {
++ $this->BaseCriteria(&$db, &$cs, $export_name);
++
++ $this->sig_type = "";
++ }
++
++ function Init()
++ {
++ InitArray($this->criteria, 3, 0, "");
++ $this->sig_type = "";
++ }
++
++ function Import()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ parent::Import();
++
++ $this->sig_type = SetSessionVar("sig_type");
++
++ $HTTP_SESSION_VARS['sig_type'] = &$this->sig_type;
++ }
++
++ function Clear()
++ {
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria[0] = CleanVariable($this->criteria[0], "", array(" ", "=", "LIKE"));
++ $this->criteria[1] = CleanVariable($this->criteria[1], VAR_ALPHA | VAR_SPACE);
++ $this->criteria[2] = CleanVariable($this->criteria[2], "", array("=", "!="));
++ }
++
++ function PrintForm()
++ {
++ echo 'criteria[0]," "). '>{ signature }';
++ echo ' criteria[0],"="). '>exactly ';
++ echo ' criteria[0],"LIKE").'>roughly ';
++
++ echo 'criteria[2],"="). '>=';
++ echo ' criteria[2],"!="). '>!=';
++ echo ' ';
++
++ echo ' ';
++
++ if ( $GLOBALS['use_sig_list'] > 0)
++ {
++ $temp_sql = "SELECT DISTINCT sig_name FROM signature";
++ if ($GLOBALS['use_sig_list'] == 1)
++ {
++ $temp_sql = $temp_sql." WHERE sig_name NOT LIKE '%SPP\_%'";
++ }
++
++ $temp_sql = $temp_sql." ORDER BY sig_name";
++ $tmp_result = $this->db->acidExecute($temp_sql);
++ echo '
++ { Select Signature from List }';
++
++ if ($tmp_result)
++ {
++ while ( $myrow = $tmp_result->acidFetchRow() )
++ echo ' '.$myrow[0];
++ $tmp_result->acidFreeRows();
++ }
++ echo ' ';
++ }
++ }
++
++ function ToSQL()
++ {
++ }
++
++ function Description()
++ {
++ $tmp = $tmp_human = "";
++
++ if ( (isset($this->criteria[0])) && ($this->criteria[0] != " ") &&
++ (isset($this->criteria[1])) && ($this->criteria[1] != "") )
++ {
++ if ( $this->criteria[0] == '=' && $this->criteria[2] == '!=' )
++ $tmp_human = '!=';
++ else if ( $this->criteria[0] == '=' && $this->criteria[2] == '=' )
++ $tmp_human = '=';
++ else if ( $this->criteria[0] == 'LIKE' && $this->criteria[2] == '!=' )
++ $tmp_human = ' does not contain ';
++ else if ( $this->criteria[0] == 'LIKE' && $this->criteria[2] == '=' )
++ $tmp_human = ' contains ';
++
++ $tmp = $tmp.'Signature '.$tmp_human.' "';
++ if ( ($this->db->acidGetDBVersion() >= 100) && $this->sig_type == 1 )
++ $tmp = $tmp.BuildSigByID($this->criteria[1], $this->db).'" '.$this->cs->GetClearCriteriaString($this->export_name);
++ else
++ $tmp = $tmp.$this->criteria[1].'"'.$this->cs->GetClearCriteriaString($this->export_name);
++
++ $tmp = $tmp.' ';
++ }
++
++ return $tmp;
++ }
++}; /* SignatureCriteria */
++
++class SignatureClassificationCriteria extends SingleElementCriteria
++{
++ function Init()
++ {
++ $this->criteria = "";
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria = CleanVariable($this->criteria, VAR_DIGIT, array("null"));
++ }
++
++ function PrintForm()
++ {
++ if ( $this->db->acidGetDBVersion() >= 103 )
++ {
++ echo '
++ criteria, " ").'>{ any Classification }
++ criteria, "null").'>-unclassified-';
++
++ $temp_sql = "SELECT sig_class_id, sig_class_name FROM sig_class";
++ $tmp_result = $this->db->acidExecute($temp_sql);
++ if ( $tmp_result )
++ {
++ while ( $myrow = $tmp_result->acidFetchRow() )
++ echo ' criteria, $myrow[0]).'>'.
++ $myrow[1];
++
++ $tmp_result->acidFreeRows();
++ }
++ echo '  ';
++ }
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $tmp = "";
++
++ if ( $this->db->acidGetDBVersion() >= 103 )
++ {
++ if ( $this->criteria != " " && $this->criteria != "" )
++ {
++ if ( $this->criteria == "null")
++ $tmp = $tmp.'Signature Classification = '.
++ 'unclassified ';
++ else
++ $tmp = $tmp.'Signature Classification = '.
++ GetSigClassName($this->criteria, $this->db).
++ $this->cs->GetClearCriteriaString($this->export_name).' ';
++ }
++ }
++
++ return $tmp;
++ }
++}; /* SignatureClassificationCriteria */
++
++class SignaturePriorityCriteria extends SingleElementCriteria
++{
++ function Init()
++ {
++ $this->criteria = "";
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria[0] = CleanVariable($this->criteria[0], "", array("=", "!=", "<", "<=", ">", ">="));
++ $this->criteria[1] = CleanVariable($this->criteria[1], VAR_DIGIT, array("null"));
++ }
++
++ function PrintForm()
++ {
++ if ( $this->db->acidGetDBVersion() >= 103 )
++ {
++ echo '
++ criteria[0],"="). '>__
++ criteria[0],"=").'>==
++ criteria[0],"!=").'>!=
++ criteria[0],"<"). '><
++ criteria[0],">").'>>
++ criteria[0],"><="). '><=
++ criteria[0],">=").'>>= ';
++
++ echo '
++ criteria[1], " ").'>{ any Priority }
++ criteria[1], "null").'>-unclassified- ';
++ $temp_sql = "select DISTINCT sig_priority from signature ORDER BY sig_priority ASC ";
++ $tmp_result = $this->db->acidExecute($temp_sql);
++ if ( $tmp_result )
++ {
++ while ( $myrow = $tmp_result->acidFetchRow() )
++ echo 'criteria[1], $myrow[0]).'>'.
++ $myrow[0];
++
++ $tmp_result->acidFreeRows();
++ }
++ echo '  ';
++ }
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $tmp = "";
++
++ if ( $this->db->acidGetDBVersion() >= 103 )
++ {
++ if ( $this->criteria[1] != " " && $this->criteria[1] != "" )
++ {
++ if ( $this->criteria[1] == null)
++ $tmp = $tmp.'Signature Priority = '.
++ 'none ';
++ else
++ $tmp = $tmp.'Signature Priority '.$this->criteria[0]." ".$this->criteria[1].
++ $this->cs->GetClearCriteriaString($this->export_name).' ';
++ }
++ }
++
++ return $tmp;
++ }
++ }; /* SignaturePriorityCriteria */
++
++class AlertGroupCriteria extends SingleElementCriteria
++{
++ function Init()
++ {
++ $this->criteria = "";
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria = CleanVariable($this->criteria, VAR_DIGIT);
++ }
++
++ function PrintForm()
++ {
++ echo '
++ criteria, " ").'>{ any Alert Group }';
++
++ $temp_sql = "SELECT ag_id, ag_name FROM acid_ag";
++ $tmp_result = $this->db->acidExecute($temp_sql);
++ if ( $tmp_result )
++ {
++ while ( $myrow = $tmp_result->acidFetchRow() )
++ echo ' criteria, $myrow[0]).'>'.
++ '['.$myrow[0].'] '.$myrow[1];
++
++ $tmp_result->acidFreeRows();
++ }
++ echo ' ';
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $tmp = "";
++
++ if ( $this->criteria != " " && $this->criteria != "" )
++ $tmp = $tmp.'Alert Group = ['.$this->criteria.'] '.GetAGNameByID($this->criteria, $this->db).
++ $this->cs->GetClearCriteriaString($this->export_name).' ';
++
++ return $tmp;
++ }
++}; /* AlertGroupCriteria */
++
++class SensorCriteria extends SingleElementCriteria
++{
++ function Init()
++ {
++ $this->criteria = "";
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria = CleanVariable($this->criteria, VAR_DIGIT);
++ }
++
++ function PrintForm()
++ {
++ echo '
++ criteria, " ").'>{ any sensor }';
++
++ $temp_sql = "SELECT sid, hostname, interface, filter FROM sensor";
++ $tmp_result = $this->db->acidExecute($temp_sql);
++ if ( $tmp_result->row )
++ {
++ while ( $myrow = $tmp_result->acidFetchRow() )
++ echo ' criteria, $myrow[0]).'>'.
++ '['.$myrow[0].'] '.GetSensorName($myrow[0], $this->db);
++
++ $tmp_result->acidFreeRows();
++ }
++
++ echo '  ';
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $tmp = "";
++
++ if ( $this->criteria != " " && $this->criteria != "" )
++ $tmp = $tmp.'Sensor = ['.$this->criteria.'] '.
++ GetSensorName($this->criteria, $this->db).
++ $this->cs->GetClearCriteriaString($this->export_name).' ';
++
++ return $tmp;
++ }
++}; /* SensorCriteria */
++
++class TimeCriteria extends MultipleElementCriteria
++{
++/*
++ * $time[MAX][10]: stores the date/time of the packet detection
++ * - [][0] : ( [][5] : hour
++ * - [][1] : =, !=, <, <=, >, >= [][6] : minute
++ * - [][2] : month [][7] : second
++ * - [][3] : day [][8] : (, )
++ * - [][4] : year [][9] : AND, OR
++ *
++ * $time_cnt : number of rows in the $time[][] structure
++ */
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement($i)
++ {
++ $this->criteria[$i][0] = CleanVariable($this->criteria[$i][0], VAR_OPAREN);
++ $this->criteria[$i][1] = CleanVariable($this->criteria[$i][1], "", array("=", "!=", "<", "<=", ">", ">="));
++ $this->criteria[$i][2] = CleanVariable($this->criteria[$i][2], VAR_DIGIT);
++ $this->criteria[$i][3] = CleanVariable($this->criteria[$i][3], VAR_DIGIT);
++ $this->criteria[$i][4] = CleanVariable($this->criteria[$i][4], VAR_DIGIT);
++ $this->criteria[$i][5] = CleanVariable($this->criteria[$i][5], VAR_DIGIT);
++ $this->criteria[$i][6] = CleanVariable($this->criteria[$i][6], VAR_DIGIT);
++ $this->criteria[$i][7] = CleanVariable($this->criteria[$i][7], VAR_DIGIT);
++ $this->criteria[$i][8] = CleanVariable($this->criteria[$i][8], VAR_OPAREN | VAR_CPAREN);
++ $this->criteria[$i][9] = CleanVariable($this->criteria[$i][9], "", array("AND", "OR"));
++ }
++
++ function PrintForm()
++ {
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ echo 'criteria[$i][0]," ").'>__';
++ echo ' criteria[$i][0],"(").'>( ';
++ echo 'criteria[$i][1]," "). '>{ time }';
++ echo ' criteria[$i][1],"="). '>=';
++ echo ' criteria[$i][1],"!=").'>!=';
++ echo ' criteria[$i][1],"<"). '><';
++ echo ' criteria[$i][1],"<=").'><=';
++ echo ' criteria[$i][1],">"). '>>';
++ echo ' criteria[$i][1],">=").'>>= ';
++
++ echo 'criteria[$i][2]," " ).'>{ month }';
++ echo ' criteria[$i][2],"01").'>Jan';
++ echo ' criteria[$i][2],"02").'>Feb';
++ echo ' criteria[$i][2],"03").'>Mar';
++ echo ' criteria[$i][2],"04").'>Apr';
++ echo ' criteria[$i][2],"05").'>May';
++ echo ' criteria[$i][2],"06").'>Jun';
++ echo ' criteria[$i][2],"07").'>Jly';
++ echo ' criteria[$i][2],"08").'>Aug';
++ echo ' criteria[$i][2],"09").'>Sep';
++ echo ' criteria[$i][2],"10").'>Oct';
++ echo ' criteria[$i][2],"11").'>Nov';
++ echo ' criteria[$i][2],"12").'>Dec ';
++ echo ' ';
++ echo 'criteria[$i][4]," ").'>{ year }';
++ echo ' criteria[$i][4],"1999").'>1999';
++ echo ' criteria[$i][4],"2000").'>2000';
++ echo ' criteria[$i][4],"2001").'>2001';
++ echo ' criteria[$i][4],"2002").'>2002';
++ echo ' criteria[$i][4],"2003").'>2003';
++ echo ' criteria[$i][4],"2004").'>2004 ';
++
++ echo ': ';
++ echo ': ';
++ echo ' ';
++
++ echo 'criteria[$i][8]," ").'>__';
++ echo ' criteria[$i][8],"(").'>(';
++ echo ' criteria[$i][8],")").'>) ';
++ echo 'criteria[$i][9]," "). '>__';
++ echo ' criteria[$i][9],"OR"). '>OR';
++ echo ' criteria[$i][9],"AND").'>AND ';
++
++ if ( $i == $this->criteria_cnt-1 )
++ echo ' ';
++ echo ' ';
++ }
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $tmp = "";
++ for ($i = 0; $i < $this->criteria_cnt; $i++)
++ {
++ if ( isset($this->criteria[$i][1]) && $this->criteria[$i][1] != " " )
++ {
++ $tmp = $tmp.''.$this->criteria[$i][0].' time '.$this->criteria[$i][1].' [ ';
++
++ /* date */
++ if ( $this->criteria[$i][2] == " " && $this->criteria[$i][3] == "" && $this->criteria[$i][4] == " " )
++ $tmp = $tmp." any date ";
++ else
++ $tmp = $tmp.(($this->criteria[$i][2] == " ") ? "* / " : $this->criteria[$i][2]." / ").
++ (($this->criteria[$i][3] == "" ) ? "* / " : $this->criteria[$i][3]." / ").
++ (($this->criteria[$i][4] == " ") ? "* " : $this->criteria[$i][4]." ");
++ $tmp = $tmp.'] [ ';
++ /* time */
++ if ( $this->criteria[$i][5] == "" && $this->criteria[$i][6] == "" && $this->criteria[$i][7] == "" )
++ $tmp = $tmp."any time ";
++ else
++ $tmp = $tmp.(($this->criteria[$i][5] == "") ? "* : " : $this->criteria[$i][5]." : ").
++ (($this->criteria[$i][6] == "") ? "* : " : $this->criteria[$i][6]." : ").
++ (($this->criteria[$i][7] == "") ? "* " : $this->criteria[$i][7]." ");
++ $tmp = $tmp.$this->criteria[$i][8].'] '.$this->criteria[$i][9];
++ $tmp = $tmp.' ';
++ }
++ }
++ if ( $tmp != "" )
++ $tmp = $tmp.$this->cs->GetClearCriteriaString($this->export_name);
++
++ return $tmp;
++ }
++}; /* TimeCriteria */
++
++class IPAddressCriteria extends MultipleElementCriteria
++{
++/*
++ * $ip_addr[MAX][10]: stores an ip address parameters/operators row
++ * - [][0] : ( [][5] : octet3 of address
++ * - [][1] : source, dest [][6] : octet4 of address
++ * - [][2] : =, != [][7] : network mask
++ * - [][3] : octet1 of address [][8] : (, )
++ * - [][4] : octet2 of address [][9] : AND, OR
++ *
++ * $ip_addr_cnt: number of rows in the $ip_addr[][] structure
++ */
++
++ function IPAddressCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::MultipleElementCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("ip_src" => "Source",
++ "ip_dst" => "Dest",
++ "ip_both" => "Src or Dest"));
++ }
++
++ function Import()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ parent::Import();
++
++ /* expand IP into octets */
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ if ( (isset ($this->criteria[$i][3])) &&
++ (ereg("([0-9]*)\.([0-9]*)\.([0-9]*)\.([0-9]*)", $this->criteria[$i][3])) )
++ {
++ $tmp_ip_str = $this->criteria[$i][7] = $this->criteria[$i][3];
++ $this->criteria[$i][3] = strtok($tmp_ip_str, ".");
++ $this->criteria[$i][4] = strtok(".");
++ $this->criteria[$i][5] = strtok(".");
++ $this->criteria[$i][6] = strtok("/");
++ $this->criteria[$i][10] = strtok("");
++ }
++ }
++
++ $HTTP_SESSION_VARS['ip_addr'] = &$this->criteria;
++ $HTTP_SESSION_VARS['ip_addr_cnt'] = &$this->criteria_cnt;
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria[$i][0] = CleanVariable($this->criteria[$i][0], VAR_OPAREN);
++ $this->criteria[$i][1] = CleanVariable($this->criteria[$i][1], "", array_keys($this->valid_field_list));
++ $this->criteria[$i][2] = CleanVariable($this->criteria[$i][2], "", array("=", "!=", "<", "<=", ">", ">="));
++ $this->criteria[$i][3] = CleanVariable($this->criteria[$i][3], VAR_DIGIT | VAR_PERIOD | VAR_FSLASH);
++ $this->criteria[$i][4] = CleanVariable($this->criteria[$i][4], VAR_DIGIT);
++ $this->criteria[$i][5] = CleanVariable($this->criteria[$i][5], VAR_DIGIT);
++ $this->criteria[$i][6] = CleanVariable($this->criteria[$i][6], VAR_DIGIT);
++ $this->criteria[$i][7] = CleanVariable($this->criteria[$i][7], VAR_DIGIT);
++ $this->criteria[$i][8] = CleanVariable($this->criteria[$i][8], VAR_OPAREN | VAR_CPAREN);
++ $this->criteria[$i][9] = CleanVariable($this->criteria[$i][9], "", array("AND", "OR"));
++ }
++
++ function PrintForm()
++ {
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ echo ' criteria[$i][0]," ").'>__';
++ echo ' criteria[$i][0],"(").'>( ';
++ echo '
++ criteria[$i][1]," " ).'>{ address }
++ criteria[$i][1],"ip_src").'>Source
++ criteria[$i][1],"ip_dst").'>Dest
++ criteria[$i][1],"ip_both").'>Src or Dest
++ ';
++ echo '
++ criteria[$i][2],"="). '>=
++ criteria[$i][2],"!=").'>!=
++ ';
++
++ if ( $GLOBALS['ip_address_input'] == 2 )
++ echo ' ';
++ else
++ {
++ echo ' . ';
++ echo ' . ';
++ echo ' . ';
++ echo ' ';
++ }
++ echo ' criteria[$i][8]," ").'>__';
++ echo ' criteria[$i][8],"(").'>(';
++ echo ' criteria[$i][8],")").'>) ';
++ echo ' criteria[$i][9]," "). '>__';
++ echo ' criteria[$i][9],"OR"). '>OR';
++ echo ' criteria[$i][9],"AND").'>AND ';
++ if ( $i == $this->criteria_cnt-1 )
++ echo ' ';
++ echo ' ';
++ }
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $human_fields["ip_src"] = "Source Address";
++ $human_fields["ip_dst"] = "Dest. Address";
++ $human_fields["ip_both"] = "Source or Dest. Address";
++ $human_fields[""] = "";
++ $human_fields["LIKE"] = "contains";
++ $human_fields["="] = "=";
++
++ $tmp2 = "";
++
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ $tmp = "";
++ if ( isset($this->criteria[$i][3]) && $this->criteria[$i][3] != "" )
++ {
++ $tmp = $tmp.$this->criteria[$i][3];
++ if ( $this->criteria[$i][4] != "" )
++ {
++ $tmp = $tmp.".".$this->criteria[$i][4];
++ if ( $this->criteria[$i][5] != "" )
++ {
++ $tmp = $tmp.".".$this->criteria[$i][5];
++ if ( $this->criteria[$i][6] != "" )
++ {
++ if ( ($this->criteria[$i][3].".".$this->criteria[$i][4].".".
++ $this->criteria[$i][5].".".$this->criteria[$i][6]) == NULL_IP)
++ $tmp = " unknown ";
++ else
++ $tmp = $tmp.".".$this->criteria[$i][6];
++ }
++ else
++ $tmp = $tmp.'.*';
++ }
++ else
++ $tmp = $tmp.'.*.*';
++ }
++ else
++ $tmp = $tmp.'.*.*.*';
++ }
++ /* Make sure that the IP isn't blank */
++ if ( $tmp != "" )
++ {
++ $mask = "";
++ if ( $this->criteria[$i][10] != "" )
++ $mask = "/".$this->criteria[$i][10];
++
++ $tmp2 = $tmp2.$this->criteria[$i][0].
++ $human_fields[($this->criteria[$i][1])].' '.$this->criteria[$i][2].
++ ' '.$tmp.' '.$this->criteria[$i][8].' '.$this->criteria[$i][9].$mask.
++ $this->cs->GetClearCriteriaString($this->export_name)." ";
++ }
++ }
++
++ return $tmp2;
++ }
++}; /* IPAddressCriteria */
++
++class IPFieldCriteria extends ProtocolFieldCriteria
++{
++/*
++ * $ip_field[MAX][6]: stores all other ip fields parameters/operators row
++ * - [][0] : ( [][3] : field value
++ * - [][1] : TOS, TTL, ID, offset, length [][4] : (, )
++ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
++ *
++ * $ip_field_cnt: number of rows in the $ip_field[][] structure
++ */
++
++ function IPFieldCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array("ip_tos" => "TOS",
++ "ip_ttl" => "TTL",
++ "ip_id" => "ID",
++ "ip_off" => "offset",
++ "ip_csum" => "chksum",
++ "ip_len" => "length"));
++ }
++
++ function PrintForm()
++ {
++ parent::PrintForm($this->valid_field_list, "{ field }", "ADD IP Field");
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ return parent::Description( array_merge( array ( "" => "",
++ "LIKE" => "contains",
++ "=" => "="), $this->valid_field_list ) );
++ }
++};
++
++class TCPPortCriteria extends ProtocolFieldCriteria
++{
++/*
++ * $tcp_port[MAX][6]: stores all port parameters/operators row
++ * - [][0] : ( [][3] : port value
++ * - [][1] : Source Port, Dest Port [][4] : (, )
++ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
++ *
++ * $tcp_port_cnt: number of rows in the $tcp_port[][] structure
++ */
++
++ function TCPPortCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("layer4_sport" => "source port",
++ "layer4_dport" => "dest port"));
++ }
++
++ function PrintForm()
++ {
++ parent::PrintForm($this->valid_field_list, "{ port }", "ADD TCP Port");
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ return parent::Description(array_merge( array("" => "",
++ "=" => "="), $this->valid_field_list) );
++ }
++}; /* TCPPortCriteria */
++
++class TCPFieldCriteria extends ProtocolFieldCriteria
++{
++/*
++ * TCP Variables
++ * =============
++ * $tcp_field[MAX][6]: stores all other tcp fields parameters/operators row
++ * - [][0] : ( [][3] : field value
++ * - [][1] : windows, URP [][4] : (, )
++ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
++ *
++ * $tcp_field_cnt: number of rows in the $tcp_field[][] structure
++ */
++
++ function TCPFieldCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("tcp_win" => "window",
++ "tcp_urp" => "urp",
++ "tcp_seq" => "seq #",
++ "tcp_ack" => "ack",
++ "tcp_off" => "offset",
++ "tcp_res" => "res",
++ "tcp_csum" => "chksum"));
++ }
++
++ function PrintForm()
++ {
++ parent::PrintForm($this->valid_field_list, "{ field }", "ADD TCP Field");
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ return parent::Description(array_merge ( array("" => ""), $this->valid_field_list) );
++ }
++}; /* TCPFieldCriteria */
++
++class TCPFlagsCriteria extends SingleElementCriteria
++{
++/*
++ * $tcp_flags[7]: stores all other tcp flags parameters/operators row
++ * - [0] : is, contains [4] : 8 (RST)
++ * - [1] : 1 (FIN) [5] : 16 (ACK)
++ * - [2] : 2 (SYN) [6] : 32 (URG)
++ * - [3] : 4 (PUSH)
++ */
++
++ function Init()
++ {
++ InitArray($this->criteria, $GLOBALS['MAX_ROWS'], TCPFLAGS_CFCNT, "");
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria = CleanVariable($this->criteria, VAR_DIGIT);
++ }
++
++ function PrintForm()
++ {
++ echo 'criteria[0]," ").'>{ flags }';
++ echo ' criteria[0],"is").'>is';
++ echo ' criteria[0],"contains").'>contains ';
++ echo ' ';
++ echo ' criteria[8],"128").'> [RSV1]  ';
++ echo ' criteria[7],"64").'> [RSV0]  ';
++ echo ' criteria[6],"32").'> [URG]  ';
++ echo ' criteria[5],"16").'> [ACK]  ';
++ echo ' criteria[4],"8").'> [PSH]  ';
++ echo ' criteria[3],"4").'> [RST]  ';
++ echo ' criteria[2],"2").'> [SYN]  ';
++ echo ' criteria[1],"1").'> [FIN]  ';
++ echo ' ';
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $human_fields["1"] = "F";
++ $human_fields["2"] = "S";
++ $human_fields["4"] = "R";
++ $human_fields["8"] = "P";
++ $human_fields["16"] = "A";
++ $human_fields["32"] = "U";
++ $human_fields["64"] = "[R0]";
++ $human_fields["128"] = "[R1]";
++ $human_fields["LIKE"] = "contains";
++ $human_fields["="] = "=";
++
++ $tmp = "";
++
++ if ( isset($this->criteria[0]) && ($this->criteria[0] != " ") && ($this->criteria[0] != "") )
++ {
++ $tmp = $tmp.'flags '.$this->criteria[0].' ';
++ for ( $i = 8; $i >=1; $i-- )
++ if ( $this->criteria[$i] == "" )
++ $tmp = $tmp.'-';
++ else
++ $tmp = $tmp.$human_fields[($this->criteria[$i])];
++
++ $tmp = $tmp.$this->cs->GetClearCriteriaString("tcp_flags").' ';
++ }
++
++ return $tmp;
++ }
++
++ function isEmpty()
++ {
++ if ( ($this->criteria[0] != "") && ($this->criteria[0] != " ") )
++ return false;
++ else
++ return true;
++ }
++}; /* TCPFlagCriteria */
++
++class UDPPortCriteria extends ProtocolFieldCriteria
++{
++/*
++ * $udp_port[MAX][6]: stores all port parameters/operators row
++ * - [][0] : ( [][3] : port value
++ * - [][1] : Source Port, Dest Port [][4] : (, )
++ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
++ *
++ * $udp_port_cnt: number of rows in the $udp_port[][] structure
++ */
++
++ function UDPPortCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("layer4_sport" => "source port",
++ "layer4_dport" => "dest port"));
++ }
++
++ function PrintForm()
++ {
++ parent::PrintForm($this->valid_field_list, "{ port }", "ADD UDP Port");
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ return parent::Description(array_merge( array("" => "",
++ "=" => "="), $this->valid_field_list) );
++ }
++}; /* UDPPortCriteria */
++
++class UDPFieldCriteria extends ProtocolFieldCriteria
++{
++/*
++ * $udp_field[MAX][6]: stores all other udp fields parameters/operators row
++ * - [][0] : ( [][3] : field value
++ * - [][1] : length [][4] : (, )
++ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
++ *
++ * $udp_field_cnt: number of rows in the $udp_field[][] structure
++ */
++
++ function UDPFieldCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("udp_len" => "length",
++ "udp_csum" => "chksum"));
++ }
++
++ function PrintForm()
++ {
++ parent::PrintForm($this->valid_field_list, "{ field }", "ADD UDP Field");
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ return parent::Description(array_merge ( array("" => ""), $this->valid_field_list) );
++ }
++}; /* UDPFieldCriteria */
++
++class ICMPFieldCriteria extends ProtocolFieldCriteria
++{
++/*
++ * $icmp_field[MAX][6]: stores all other icmp fields parameters/operators row
++ * - [][0] : ( [][3] : field value
++ * - [][1] : code, length [][4] : (, )
++ * - [][2] : =, !=, <, <=, >, >= [][5] : AND, OR
++ *
++ * $icmp_field_cnt: number of rows in the $icmp_field[][] structure
++ */
++
++ function ICMPFieldCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::ProtocolFieldCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("icmp_type" => "type",
++ "icmp_code" => "code",
++ "icmp_id" => "id",
++ "icmp_seq" => "seq #",
++ "icmp_csum" => "chksum"));
++ }
++
++ function PrintForm()
++ {
++ parent::PrintForm($this->valid_field_list, "{ field }", "ADD ICMP Field");
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ return parent::Description(array_merge ( array("" => ""), $this->valid_field_list) );
++ }
++}; /* ICMPFieldCriteria */
++
++class Layer4Criteria extends SingleElementCriteria
++{
++ function Init()
++ {
++ $this->criteria = "";
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement()
++ {
++ $this->criteria = CleanVariable($this->criteria, "", array("UDP", "TCP", "ICMP", "no layer4"));
++ }
++
++ function PrintForm()
++ {
++ if ( $this->criteria != "" )
++ echo '  ';
++ if ( $this->criteria == "TCP" )
++ echo '
++  
++ ';
++ else if ( $this->criteria == "UDP" )
++ echo '
++  
++ ';
++ else if ( $this->criteria == "ICMP" )
++ echo '
++  
++ ';
++ else
++ echo '
++  
++
++ ';
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ if ( $this->criteria == "TCP" )
++ return "TCP Criteria";
++ else if ( $this->criteria == "UDP" )
++ return "UDP Criteria";
++ else if ( $this->criteria == "ICMP" )
++ return "ICMP Criteria";
++ else
++ return "Layer 4 Criteria";
++ }
++}; /* Layer4Criteria */
++
++class DataCriteria extends MultipleElementCriteria
++{
++/*
++ * $data_encode[2]: how the payload should be interpreted and converted
++ * - [0] : encoding type (hex, ascii)
++ * - [1] : conversion type (hex, ascii)
++ *
++ * $data[MAX][5]: stores all the payload related parameters/operators row
++ * - [][0] : ( [][3] : (, )
++ * - [][1] : =, != [][4] : AND, OR
++ * - [][2] : field value
++ *
++ * $data_cnt: number of rows in the $data[][] structure
++ */
++
++ var $data_encode;
++
++ function DataCriteria($db, $cs, $export_name, $element_cnt)
++ {
++ parent::MultipleElementCriteria(&$db, &$cs, $export_name, $element_cnt,
++ array ("LIKE" => "has",
++ "NOT LIKE" => "has NOT" ));
++ $this->data_encode = array();
++ }
++
++ function Init()
++ {
++ parent::Init();
++ InitArray($this->data_encode, 2, 0, "");
++ }
++
++ function Import()
++ {
++ GLOBAL $HTTP_SESSION_VARS;
++
++ parent::Import();
++
++ $this->data_encode = SetSessionVar("data_encode");
++
++ $HTTP_SESSION_VARS['data_encode'] = &$this->data_encode;
++ }
++
++ function Clear()
++ {
++ /* clears the criteria */
++ }
++
++ function SanitizeElement($i)
++ {
++ $this->data_encode[0] = CleanVariable($this->data_encode[0], "", array("hex", "ascii"));
++ $this->data_encode[1] = CleanVariable($this->data_encode[1], "", array("hex", "ascii"));
++
++ $this->criteria[$i][0] = CleanVariable($this->criteria[$i][0], VAR_OPAREN);
++ $this->criteria[$i][1] = CleanVariable($this->criteria[$i][1], "", array_keys($this->valid_field_list));
++ $this->criteria[$i][2] = CleanVariable($this->criteria[$i][2], VAR_ALPHA | VAR_PUNC );
++ $this->criteria[$i][3] = CleanVariable($this->criteria[$i][3], VAR_OPAREN | VAR_CPAREN);
++ $this->criteria[$i][4] = CleanVariable($this->criteria[$i][4], "", array("AND", "OR"));
++ }
++
++ function PrintForm()
++ {
++ echo 'Input Criteria Encoding Type: ';
++ echo 'data_encode[0]," ").'>{ Encoding }';
++ echo ' data_encode[0],"hex").'>hex';
++ echo ' data_encode[0],"ascii").'>ascii ';
++ echo 'Convert To (when searching): ';
++ echo 'data_encode[1]," ").'>{ Convert To }';
++ echo ' data_encode[1],"hex").'>hex';
++ echo ' data_encode[1],"ascii").'>ascii ';
++ echo ' ';
++
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ echo 'criteria[$i][0]," ").'>__';
++ echo ' criteria[$i][0],"(").'>( ';
++ echo 'criteria[$i][1]," "). '>{ payload }';
++ echo ' criteria[$i][1],"LIKE"). '>has ';
++ echo ' criteria[$i][1],"NOT LIKE").'>has NOT ';
++
++ echo ' ';
++
++ echo 'criteria[$i][3]," ").'>__';
++ echo ' criteria[$i][3],"(").'>(';
++ echo ' criteria[$i][3],")").'>) ';
++ echo 'criteria[$i][4]," "). '>__';
++ echo ' criteria[$i][4],"OR"). '>OR';
++ echo ' criteria[$i][4],"AND").'>AND ';
++
++ if ( $i == $this->criteria_cnt-1 )
++ echo ' ';
++ echo ' ';
++ }
++ }
++
++ function ToSQL()
++ {
++ /* convert this criteria to SQL */
++ }
++
++ function Description()
++ {
++ $human_fields["LIKE"] = "contains";
++ $human_fields["NOT LIKE"] = "does not contain";
++ $human_fields[""] = "";
++
++ $tmp = "";
++
++ if ( $this->data_encode[0] != " " && $this->data_encode[1] != " ")
++ {
++ $tmp = $tmp.' (data encoded as '.$this->data_encode[0];
++ $tmp = $tmp.' => '.$this->data_encode[1];
++ $tmp = $tmp.') ';
++ }
++ else
++ $tmp = $tmp.' (no data conversion, assuming criteria in DB native encoding) ';
++
++ for ( $i = 0; $i < $this->criteria_cnt; $i++ )
++ {
++ if ($this->criteria[$i][1] != " " && $this->criteria[$i][2] != "" )
++ $tmp = $tmp.$this->criteria[$i][0].$human_fields[$this->criteria[$i][1]].' "'.$this->criteria[$i][2].
++ '" '.$this->criteria[$i][3].' '.$this->criteria[$i][4];
++ }
++
++ if ( $tmp != "" )
++ $tmp = $tmp.$this->cs->GetClearCriteriaString($this->export_name);
++
++ return $tmp;
++ }
++};
++
++?>
+diff -Naur acid/acid_state_common.inc acidfp/acid_state_common.inc
+--- acid/acid_state_common.inc 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_state_common.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -4,20 +4,30 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000-2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: routines to manipulate shared state (session
+ * information)
+ *
+ */
+-
++/* ***********************************************************************
++ * Function: InitArray()
++ *
++ * @doc Defines an initializes a 1 or 2 dimensional PHP array.
++ *
++ * @param $a (in/out) array to initialize
++ * @param $dim1 number of elements of first dimension
++ * @param $dim2 number of elements of second dimension
++ * @param $value default value
++ *
++ ************************************************************************/
+ function InitArray(&$a, $dim1, $dim2, $value)
+ {
+ $a = "";
+ /* determine the number of dimensions in the array */
+ if ( $dim2 == 0 ) /* 1-dim */
+- for ( $i = 0; $i < $dim2; $i++ )
++ for ( $i = 0; $i < $dim1; $i++ )
+ $a[$i] = $value;
+ else /* 2-dim */
+ for ( $i = 0; $i < $dim1; $i++ )
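Review bot: `$a = "";` on the first line of InitArray seeds the out-parameter with an empty string and relies on PHP promoting it to an array on the first `$a[$i] = $value`; `$a = array();` states the intent directly and matches the docblock the hunk adds. The docblock reads `Defines an initializes` where `Defines and initializes` is meant. The 2-dim branch of InitArray continues outside this hunk.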
+@@ -25,70 +35,16 @@
+ $a[$i][$j] = $value;
+ }
+
+-function InitGlobalState()
+-{
+- GLOBAL $time, $time_cnt, $sig, $sig_class, $sensor, $ag,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode, $save_criteria,
+- $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode,
+- $back_list, $back_list_cnt;
+- GLOBAL $MAX_ROWS;
+-
+- $caller = "";
+- $layer4 = "";
+-
+- InitArray($back_list, 1, 3, "");
+- $back_list_cnt = 0;
+-
+- $ag = "";
+- $sensor = "";
+- InitArray($sig, 3, 0, "");
+- $sig_class = "";
+- InitArray($time, $MAX_ROWS, TIME_CFCNT, "");
+- $time_cnt = 0;
+-
+- InitArray($ip_addr, $MAX_ROWS, IPADDR_CFCNT, "");
+- $ip_addr_cnt = 0;
+- InitArray($ip_field, $MAX_ROWS, PROTO_CFCNT, "");
+- $ip_field_cnt = 0;
+-
+- InitArray($tcp_port, $MAX_ROWS, PROTO_CFCNT, "");
+- $tcp_port_cnt = 0;
+- InitArray($tcp_flags, $MAX_ROWS, TCPFLAGS_CFCNT, "");
+- InitArray($tcp_field, $MAX_ROWS, PROTO_CFCNT, "");
+- $tcp_field_cnt = 0;
+-
+- InitArray($udp_port, $MAX_ROWS, PROTO_CFCNT, "");
+- $udp_port_cnt = 0;
+- InitArray($udp_field, $MAX_ROWS, PROTO_CFCNT, "");
+- $udp_field_cnt = 0;
+-
+- InitArray($icmp_field, $MAX_ROWS, PROTO_CFCNT, "");
+- $icmp_field_cnt = 0;
+-
+- InitArray($data_encode, 2, 0, "");
+- InitArray($data, $MAX_ROWS, PAYLOAD_CFCNT, "");
+- $data_cnt = 0;
+-}
+-
++/* ***********************************************************************
++ * Function: RegisterGlobalState()
++ *
++ * @doc Application-specific wrapper for PHP session_start(). It performs
++ * a couple of additional configuration checks (notably for custom
++ * PHP session handlers).
++ *
++ ************************************************************************/
+ function RegisterGlobalState()
+ {
+- GLOBAL $time, $time_cnt, $sig, $sensor, $ag,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode, $save_criteria,
+- $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode,
+- $back_list, $back_list_cnt;
+-
+- GLOBAL $MAX_ROWS;
+-
+ /* Deal with user specified session handlers */
+ if (session_module_name() == "user" )
+ {
+@@ -125,170 +81,199 @@
+
+ session_start();
+
+- session_register('back_list');
+- session_register('back_list_cnt');
+- session_register('layer4');
+-
+- session_register('ag');
+- session_register('sig_type');
+- session_register('sig');
+- session_register('sig_class');
+- session_register('sensor');
+- session_register('time');
+- session_register('time_cnt');
+-
+- session_register('ip_addr');
+- session_register('ip_addr_cnt');
+- session_register('ip_field');
+- session_register('ip_field_cnt');
+-
+- session_register('tcp_port');
+- session_register('tcp_port_cnt');
+- session_register('tcp_flags');
+- session_register('tcp_field');
+- session_register('tcp_field_cnt');
+-
+- session_register('udp_port');
+- session_register('udp_port_cnt');
+- session_register('udp_field');
+- session_register('udp_field_cnt');
+-
+- session_register('icmp_field');
+- session_register('icmp_field_cnt');
+-
+- session_register('data_encode');
+- session_register('data');
+- session_register('data_cnt');
+-
+- if ( $debug_mode > 0 )
++ if ( $GLOBALS['debug_mode'] > 0 )
+ echo 'Session Registered ';
+ }
+
+-function ImportGlobalState()
++/* ***********************************************************************
++ * Function: CleanVariables()
++ *
++ * @doc Removes invalid characters/data from a variable based on a
++ * specified mask of acceptable data or a list of explicit values.
++ *
++ * Note: only the mask or explicit list can be used a a time
++ *
++ * @param item variable to scrub
++ * @param valid_data mask of valid characters
++ * @param exception array with explicit values to match
++ *
++ * @return a sanitized version of the passed variable
++ *
++ ************************************************************************/
++function CleanVariable($item, $valid_data, $exception = "")
+ {
+- GLOBAL $time, $time_cnt, $sig, $sig_type, $sig_class, $sensor, $ag,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode, $save_criteria,
+- $join_sql, $where_sql, $criteria_sql, $sql, $debug_mode,
+- $caller, $layer4, $back_list, $back_list_cnt, $HTTP_SESSION_VARS;
++ return $item;
+
+- $ip_addr = SetSessionVar('ip_addr', $ip_addr);
+- $ip_addr_cnt = SetSessionVar('ip_addr_cnt', $ip_addr_cnt);
++ /* Check the exception value list first */
++ if ( $exception != "" )
++ {
++ if ( in_array($item, $exception) )
++ return $item;
++ else
++ return "";
++ }
+
+- /* expand IP into octets */
+- for ( $i = 0; $i < $ip_addr_cnt; $i++ )
+- {
+- if ( (isset ($ip_addr[$i][3])) &&
+- (ereg("([0-9]*)\.([0-9]*)\.([0-9]*)\.([0-9]*)", $ip_addr[$i][3])) )
+- {
+- $tmp_ip_str = $ip_addr[$i][7] = $ip_addr[$i][3];
+- $ip_addr[$i][3] = strtok($tmp_ip_str, ".");
+- $ip_addr[$i][4] = strtok(".");
+- $ip_addr[$i][5] = strtok(".");
+- $ip_addr[$i][6] = strtok("/");
+- $ip_addr[$i][10] = strtok("");
+- }
+- }
+-
+- //$back_list = $HTTP_SESSION_VARS["back_list"];
+- //$back_list_cnt = $HTTP_SESSION_VARS["back_list_cnt"];
+-
+- $ag = SetSessionVar("ag", $ag);
+- $sig = SetSessionVar("sig", $sig);
+- $sig_type = SetSessionVar("sig_type", $sig_type);
+- $sig_class = SetSessionVar("sig_class", $sig_class);
+- $sensor = SetSessionVar('sensor', $sensor);
+- $time = SetSessionVar('time', $time);
+- $time_cnt = SetSessionVar('time_cnt', $time_cnt);
+-
+- $ip_field = SetSessionVar('ip_field', $ip_field);
+- $ip_field_cnt = SetSessionVar('ip_field_cnt', $ip_field_cnt);
+-
+- $tcp_port = SetSessionVar('tcp_port', $tcp_port);
+- $tcp_port_cnt = SetSessionVar('tcp_port_cnt', $tcp_port_cnt);
+- $tcp_flags = SetSessionVar('tcp_flags', $tcp_flags);
+- $tcp_field = SetSessionVar('tcp_field', $tcp_field);
+- $tcp_field_cnt = SetSessionVar('tcp_field_cnt', $tcp_field_cnt);
+-
+- $udp_port = SetSessionVar('udp_port', $udp_port);
+- $udp_port_cnt = SetSessionVar('udp_port_cnt', $udp_port_cnt);
+- $udp_field = SetSessionVar('udp_field', $udp_field);
+- $udp_field_cnt = SetSessionVar('udp_field_cnt', $udp_field_cnt);
+-
+- $icmp_field = SetSessionVar('icmp_field', $icmp_field);
+- $icmp_field_cnt = SetSessionVar('icmp_field_cnt', $icmp_field_cnt);
+-
+- $data_encode = SetSessionVar('data_encode', $data_encode);
+- $data = SetSessionVar('data', $data);
+- $data_cnt = SetSessionVar('data_cnt', $data_cnt);
+-
+- $layer4 = SetSessionVar('layer4', $layer4);
+- //$caller = SetSessionVar('caller', $caller);
+- // $sort_order = SetSessionVar('sort_order', $sort_order);
+-}
++ if ( $valid_data == "" )
++ return $item;
+
+-function SanitizeVariable($item, $validchars)
+-{
+- $len = strlen($item);
++ $regex_mask = "";
+
+- for ( $i = 0; $i < $len; $i++ );
+-
+-}
++ if ( ($valid_data & VAR_DIGIT) > 0 )
++ $regex_mask = $regex_mask . "0-9";
+
+-function CleanVariable($item, $method)
+-{
+- return $item;
+- switch ($method)
+- {
+- case 0: /* only numbers */
+- return ereg_replace ("^0123456789", "", $item);
++ if ( ($valid_data & VAR_LETTER) > 0 )
++ $regex_mask = $regex_mask . "A-Za-z";
+
+- case 1: /* IP address */
+- return ereg_replace ("^0123456789\.", "", $item);
+- }
++ if ( ($valid_data & VAR_ULETTER) > 0 )
++ $regex_mask = $regex_mask . "A-Z";
++
++ if ( ($valid_data & VAR_LLETTER) > 0 )
++ $regex_mask = $regex_mask . "a-z";
++
++ if ( ($valid_data & VAR_ALPHA) > 0 )
++ $regex_mask = $regex_mask . "0-9A-Za-z";
+
++ if ( ($valid_data & VAR_SPACE) > 0 )
++ $regex_mask = $regex_mask . "\ ";
++
++ if ( ($valid_data & VAR_PERIOD) > 0 )
++ $regex_mask = $regex_mask . "\.";
++
++ if ( ($valid_data & VAR_OPAREN) > 0 )
++ $regex_mask = $regex_mask . "\(";
++
++ if ( ($valid_data & VAR_CPAREN) > 0 )
++ $regex_mask = $regex_mask . "\)";
++
++ if ( ($valid_data & VAR_BOOLEAN) > 0 )
++ $regex_mask = $regex_mask . "\)";
++
++ if ( ($valid_data & VAR_OPERATOR) > 0 )
++ $regex_mask = $regex_mask . "\)";
++
++ if ( ($valid_data & VAR_PUNC) > 0 )
++ $regex_mask = $regex_mask . "\!\#\$\%\^\&\*\_\-\=\+\:\;\,\?\ \(\))";
++
++ if ( ($valid_data & VAR_USCORE) > 0 )
++ $regex_mask = $regex_mask . "\_";
++
++ if ( ($valid_data & VAR_AT) > 0 )
++ $regex_mask = $regex_mask . "\@";
++
++ return ereg_replace("[^".$regex_mask."]", "", $item);
+ }
+
+-function SetSessionVar($var_name, $old_value)
++/* ***********************************************************************
++ * Function: SetSessionVar()
++ *
++ * @doc Handles retrieving and updating persistant session (criteria)
++ * data. This routine handles the details of checking for criteria
++ * updates passed through POST/GET and resolving this with values
++ * that may already have been set and stored in the session.
++ *
++ * All criteria variables need invoke this function before they are
++ * used for the first time to extract their previously stored values,
++ * and process potential updates to their value.
++ *
++ * Note: Validation of user input is not performed by this routine.
++ *
++ * @param $var_name name of the persistant session variable to retrieve
++ *
++ * @return the updated value of the persistant session variable named
++ * by $var_name
++ *
++ ************************************************************************/
++function SetSessionVar($var_name)
+ {
+- GLOBAL $HTTP_POST_VARS, $HTTP_GET_VARS, $debug_mode;
++ GLOBAL $HTTP_POST_VARS, $HTTP_GET_VARS, $HTTP_SESSION_VARS;
+
+ if ( isset($HTTP_POST_VARS[$var_name]) )
+ {
+- if ( $debug_mode > 0 ) echo "importing POST var '$var_name' ";
++ if ( $GLOBALS['debug_mode'] > 0 ) echo "importing POST var '$var_name' ";
+ return $HTTP_POST_VARS[$var_name];
+ }
+ else if ( isset($HTTP_GET_VARS[$var_name]) )
+ {
+- if ( $debug_mode > 0 ) echo "importing GET var '$var_name' ";
++ if ( $GLOBALS['debug_mode'] > 0 ) echo "importing GET var '$var_name' ";
+ return $HTTP_GET_VARS[$var_name];
+ }
++ else if ( isset($HTTP_SESSION_VARS[$var_name]) )
++ {
++ if ( $GLOBALS['debug_mode'] > 0 ) echo "importing SESSION var '$var_name' ";
++ return $HTTP_SESSION_VARS[$var_name];
++ }
+ else
+- return $old_value;
++ return "";
+ }
+
+-function ImportHTTPVar($var_name)
++/* ***********************************************************************
++ * Function: ImportHTTPVar()
++ *
++ * @doc Handles retrieving temporary state variables needed to present a
++ * given set of results (e.g., sort order, current record). The
++ * values of these variables are never persistantly stored. Rather,
++ * they are passed as HTTP POST and GET parameters.
++ *
++ * All temporary variables need invoke this function before they are
++ * used for the first time to extract their value.
++ *
++ * Optionally, sanitization parameters can be set, ala CleanVariable()
++ * syntax to validate the user input.
++ *
++ * @param $var_name name of the temporary state variable to retrieve
++ * @param $valid_data (optional) list of valid character types
++ * (see CleanVariable)
++ * @param $exception (optional) array of explicit values the imported
++ * variable must be set to
++ *
++ * @see CleanVariable
++ *
++ * @return the sanitized value of the temporary state variable named
++ * by $var_name
++ *
++ ************************************************************************/
++function ImportHTTPVar($var_name, $valid_data = "", $exception = "")
+ {
+ GLOBAL $HTTP_POST_VARS, $HTTP_GET_VARS, $debug_mode;
+
++ $tmp = "";
++
+ if ( isset($HTTP_POST_VARS[$var_name]) )
+ {
+ //if ( $debug_mode > 0 ) echo "importing POST var '$var_name' ";
+- return $HTTP_POST_VARS[$var_name];
++ $tmp = $HTTP_POST_VARS[$var_name];
+ }
+ else if ( isset($HTTP_GET_VARS[$var_name]) )
+ {
+ //if ( $debug_mode > 0 ) echo "importing GET var '$var_name' ";
+- return $HTTP_GET_VARS[$var_name];
++ $tmp = $HTTP_GET_VARS[$var_name];
+ }
+ else
+- return "";
++ $tmp = "";
++
++ return CleanVariable($tmp, $valid_data, $exception);
+ }
+
++/* ***********************************************************************
++ * Function: ExportHTTPVar()
++ *
++ * @doc Handles export of a temporary state variables needed to present a
++ * given set of results (e.g., sort order, current record). This
++ * routine creates a hidden HTML form variable.
++ *
++ * Note: The user is responsible for generating the appropriate HTML
++ * form code.
++ *
++ * Security Note: Only, temporary variables should make use of this
++ * function. These values are exposed in HTML to the
++ * user; he is free to modify them.
++ *
++ * @param $var_name name of the temporary state variable to export
++ * @param $var_value value of the temporary state variable
++ *
++ * @see ImportHTTPVar
++ *
++ ************************************************************************/
+ function ExportHTTPVar ($var_name, $var_value)
+ {
+ echo " \n";
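Review bot: CleanVariable returns its input on its very first statement (`return $item;` directly under the opening brace), so the exception-list check and the whole `$regex_mask` construction beneath it are unreachable, and every caller — ImportHTTPVar here, and the masked ImportHTTPVar calls this patch adds in acid_state_query.inc ReadState — receives raw POST/GET data while appearing to validate it; the removed version carried the same early return, so this is inherited rather than new, but the new callers now depend on it. If it is a debugging leftover it should be deleted; if sanitization is intentionally disabled for this release, the docblock should say so instead of presenting the masks as active. Two mask branches also look copy-pasted: VAR_BOOLEAN and VAR_OPERATOR both append `"\)"`, identical to VAR_CPAREN, and the VAR_PUNC string ends in `\(\))` with a stray `)`. `in_array($item, $exception)` should pass `true` as its third argument so values such as `"0"` are matched without type juggling.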
+diff -Naur acid/acid_state_criteria.inc acidfp/acid_state_criteria.inc
+--- acid/acid_state_criteria.inc 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_state_criteria.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2001 Carnegie Mellon University
++ * Copyright (C) 2001-2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: routines to manipulate shared state (session
+@@ -13,65 +13,100 @@
+ */
+
+ include_once("acid_state_common.inc");
++include_once("acid_state_citems.inc");
+
+ class CriteriaState
+ {
+- var $valid_criteria_list = array("layer4",
+- "ag",
+- "sig",
+- "sig_class",
+- "sensor",
+- "time",
+- "ip_addr",
+- "ip_field",
+- "tcp_port",
+- "tcp_flags",
+- "tcp_field",
+- "udp_port",
+- "udp_field",
+- "icmp_field",
+- "data");
+-
+ var $clear_criteria_name;
+ var $clear_criteria_element;
+ var $clear_url;
+ var $clear_url_params;
+
++ var $criteria;
++
+ function CriteriaState($url, $params = "")
+ {
+- $this->clear_url = $url;
+- $this->clear_url_params = $params;
++ $this->clear_url = $url;
++ $this->clear_url_params = $params;
++
++ /* XXX-SEC */
++ GLOBAL $db;
++
++ $this->criteria['sig'] = new SignatureCriteria(&$db, &$this, "sig");
++ $this->criteria['sig_class'] = new SignatureClassificationCriteria(&$db, &$this, "sig_class");
++ $this->criteria['sig_priority'] = new SignaturePriorityCriteria(&$db, &$this, "sig_priority");
++ $this->criteria['ag'] = new AlertGroupCriteria(&$db, &$this, "ag");
++ $this->criteria['sensor'] = new SensorCriteria(&$db, &$this, "sensor");
++ $this->criteria['time'] = new TimeCriteria(&$db, &$this, "time", TIME_CFCNT);
++ $this->criteria['ip_addr'] = new IPAddressCriteria(&$db, &$this, "ip_addr", IPADDR_CFCNT);
++ $this->criteria['layer4'] = new Layer4Criteria(&$db, &$this, "layer4");
++ $this->criteria['ip_field'] = new IPFieldCriteria(&$db, &$this, "ip_field", PROTO_CFCNT);
++ $this->criteria['tcp_port'] = new TCPPortCriteria(&$db, &$this, "tcp_port", PROTO_CFCNT);
++ $this->criteria['tcp_flags'] = new TCPFlagsCriteria(&$db, &$this, "tcp_flags");
++ $this->criteria['tcp_field'] = new TCPFieldCriteria(&$db, &$this, "tcp_field", PROTO_CFCNT);
++ $this->criteria['udp_port'] = new UDPPortCriteria(&$db, &$this, "udp_port", PROTO_CFCNT);
++ $this->criteria['udp_field'] = new UDPFieldCriteria(&$db, &$this, "udp_field", PROTO_CFCNT);
++ $this->criteria['icmp_field'] = new ICMPFieldCriteria(&$db, &$this, "icmp_field", PROTO_CFCNT);
++ $this->criteria['data'] = new DataCriteria(&$db, &$this, "data", PAYLOAD_CFCNT);
++
++ /*
++ * For new criteria, add a call to the appropriate constructor here, and implement
++ * the appropriate class in acid_stat_citems.inc.
++ */
+ }
+
+ function InitState()
+ {
+- RegisterGlobalState();
+- InitGlobalState();
++ RegisterGlobalState();
++
++ $valid_criteria_list = array_keys($this->criteria);
++
++ foreach ( $valid_criteria_list as $cname )
++ $this->criteria[$cname]->Init();
+ }
+
+ function ReadState()
+ {
+- GLOBAL $time, $time_cnt, $sig, $sig_type,
+- $sensor, $ag, $sig_class,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode, $QUERY_STRING, $PHP_SELF, $debug_mode,
+- $back_list, $back_list_cnt;
+-
+- RegisterGlobalState();
+- ImportGlobalState();
+-
+- $this->clear_criteria_name = ImportHTTPVar("clear_criteria");
+- $this->clear_criteria_element = ImportHTTPVar("clear_criteria_element");
+-
+- if ( $this->clear_criteria_name != "" )
+- $this->ClearCriteriaStateElement($this->clear_criteria_name,
+- $this->clear_criteria_element);
+- if ( $GLOBALS['maintain_history'] == 1 )
+- PreserveHistory();
++ RegisterGlobalState();
++
++ /*
++ * If the BACK button was clicked, shuffle the appropriate
++ * criteria variables from the $back_list (history) array into
++ * the current session ($HTTP_SESSION_VARS)
++ */
++ if ( ($GLOBALS['maintain_history'] == 1) &&
++ (ImportHTTPVar("back", VAR_DIGIT) == 1) )
++ {
++ PopHistory();
++ }
++
++ /*
++ * Import, update and sanitize all persistant criteria variables
++ */
++ $valid_criteria_list = array_keys($this->criteria);
++ foreach ( $valid_criteria_list as $cname )
++ {
++ $this->criteria[$cname]->Import();
++ $this->criteria[$cname]->Sanitize();
++ }
++
++ /*
++ * Check whether criteria elements need to be cleared
++ */
++ $this->clear_criteria_name = ImportHTTPVar("clear_criteria", "",
++ array_keys($this->criteria));
++ $this->clear_criteria_element = ImportHTTPVar("clear_criteria_element", "",
++ array_keys($this->criteria));
++
++ if ( $this->clear_criteria_name != "" )
++ $this->ClearCriteriaStateElement($this->clear_criteria_name,
++ $this->clear_criteria_element);
++
++ /*
++ * Save the current criteria into $back_list (history)
++ */
++ if ( $GLOBALS['maintain_history'] == 1 )
++ PushHistory();
+ }
+
+ function GetBackLink()
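Review bot: `clear_criteria_element` is imported with the exception list `array_keys($this->criteria)`, i.e. the criteria names, although its name (and the previously unvalidated import) suggests it carries an element index inside a multi-row criterion; if that is the case CleanVariable will always reduce it to `""`, and ClearCriteriaStateElement in the following hunk never reads it anyway, so either the whitelist should be `VAR_DIGIT` or the parameter should be dropped. The constructor pulls `$db` from global scope under a bare `/* XXX-SEC */` marker; a one-line comment stating what the concern is (shared connection handle, trust in the include order) would let the next reader resolve it rather than guess. The `ImportHTTPVar("back", VAR_DIGIT) == 1` check is a loose comparison on a string; `=== "1"` would make the intended match explicit.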
+@@ -87,151 +122,155 @@
+
+ function ClearCriteriaStateElement($name, $element)
+ {
+- GLOBAL $time, $time_cnt, $sig, $sig_type,
+- $sensor, $ag, $sig_class,
+- $ip_addr, $ip_addr_cnt, $ip_field, $ip_field_cnt,
+- $tcp_port, $tcp_port_cnt, $tcp_flags, $tcp_field, $tcp_field_cnt,
+- $udp_port, $udp_port_cnt, $udp_field, $udp_field_cnt,
+- $icmp_field, $icmp_field_cnt,
+- $have_meta, $have_ip, $have_tcp, $have_udp, $have_icmp, $have_data,
+- $layer4, $data, $data_cnt, $data_encode;
++ $valid_criteria_list = array_keys($this->criteria);
+
+- if ( in_array($name, $this->valid_criteria_list) )
++ if ( in_array($name, $valid_criteria_list) )
+ {
+ ErrorMessage("Removing '$name' from criteria");
+-
+- switch($name)
+- {
+- case "sensor":
+- $sensor = "";
+- break;
+- case "ag":
+- $ag = "";
+- break;
+- case "sig":
+- $sig = "";
+- break;
+- case "sig_class":
+- $sig_class = "";
+- break;
+- case "time":
+- unset($time);
+- $time_cnt = 0;
+- break;
+- case "ip_addr":
+- unset($ip_addr);
+- $ip_addr_cnt = 0;
+- break;
+- case "ip_field":
+- unset($ip_field);
+- $ip_field_cnt = 0;
+- break;
+- case "tcp_port":
+- unset($tcp_port);
+- $tcp_port_cnt = 0;
+- break;
+- case "tcp_flags":
+- unset($tcp_flags);
+- $tcp_flags_cnt = 0;
+- break;
+- case "tcp_field":
+- unset($tcp_field);
+- $tcp_field_cnt = 0;
+- break;
+- case "udp_port":
+- unset($udp_port);
+- $udp_port_cnt = 0;
+- break;
+- case "udp_field":
+- unset($udp_field);
+- $udp_field_cnt = 0;
+- break;
+- case "icmp_field":
+- unset($icmp_field);
+- $icmp_field_cnt = 0;
+- break;
+- case "data":
+- unset($data);
+- $data_cnt = 0;
+- break;
+- }
++
++ $this->criteria[$name]->Init();
+ }
+ else
+ ErrorMessage("Invalid criteria element");
+ }
+ }
+
+-function PreserveHistory()
++/* ***********************************************************************
++ * Function: PopHistory()
++ *
++ * @doc Remove and restore the last entry of the history list (i.e.,
++ * hit the back button in the browser)
++ *
++ * @see PushHistory PrintBackButton
++ *
++ ************************************************************************/
++function PopHistory()
++{
++ GLOBAL $HTTP_SESSION_VARS;
++
++ if ( $HTTP_SESSION_VARS['back_list_cnt'] >= 0 )
++ {
++ /* Remove the state of the page from which the back button was
++ * just hit
++ */
++ unset($HTTP_SESSION_VARS['back_list'][$HTTP_SESSION_VARS['back_list_cnt']]);
++
++ /*
++ * save a copy of the $back_list because session_destroy()/session_decode() will
++ * overwrite it.
++ */
++ $save_back_list = $HTTP_SESSION_VARS['back_list'];
++ $save_back_list_cnt = $HTTP_SESSION_VARS['back_list_cnt']-1;
++
++ /* Restore the session
++ * - destroy all variables in the current session
++ * - restore proper back_list history entry into the current variables (session)
++ * - but, first delete the currently restored entry and
++ * decremement the history stack
++ * - push saved back_list back into session
++ */
++ session_unset();
++
++ if ( $GLOBALS['debug_mode'] > 2 )
++ ErrorMessage("Popping a History Entry from #".$save_back_list_cnt);
++
++ session_decode($save_back_list[$save_back_list_cnt]["session"]);
++ unset($save_back_list[$save_back_list_cnt]);
++ --$save_back_list_cnt;
++
++ $HTTP_SESSION_VARS['back_list'] = $save_back_list;
++ $HTTP_SESSION_VARS['back_list_cnt'] = $save_back_list_cnt;
++ }
++}
++
++/* ***********************************************************************
++ * Function: PushHistory()
++ *
++ * @doc Save the current criteria into the history list ($back_list,
++ * $back_list_cnt) in order to support the ACID back button.
++ *
++ * @see PopHistory PrintBackButton
++ *
++ ************************************************************************/
++function PushHistory()
+ {
+- GLOBAL $back_list_cnt, $back_list, $PHP_SELF, $QUERY_STRING, $debug_mode;
+-
+- /* If the BACK button was clicked, extract the old criteria */
+- if ( ImportHTTPVar("back") == 1 )
+- {
+- --$back_list_cnt;
+- if ( $back_list_cnt >= 0 )
+- {
+- if ( $debug_mode > 0 )
+- {
+- $tmp_num = $back_list_cnt + 1;
+- ErrorMessage("Back (from ".$back_list[$tmp_num]["PHP_SELF"].")");
+- ErrorMessage("Import (historical) state from #".$back_list_cnt);
+- }
+-
+- session_decode($back_list[$back_list_cnt]["session"]);
+- $back_list = & $GLOBALS['back_list'];
+- }
+- }
+-
+- /* Save criteria of current page into history
+- * Note: the $back_list need not be saved
+- */
+- session_unregister('back_list');
+- $full_session = session_encode();
+- session_register('back_list');
+- $back_list_cnt = & $GLOBALS['back_list_cnt'];
+-
+- ++$back_list_cnt;
+- $back_list[$back_list_cnt] = array ("PHP_SELF" => $PHP_SELF,
+- "QUERY_STRING" => $QUERY_STRING,
+- "session" => $full_session );
++ GLOBAL $HTTP_SERVER_VARS, $HTTP_SESSION_VARS, $HTTP_POST_VARS;
++
++ if ( $GLOBALS['debug_mode'] > 1 )
++ {
++ ErrorMessage("Saving state (into ".$HTTP_SESSION_VARS['back_list_cnt'].")");
++ }
++
++ /* save the current session without the $back_list into the history
++ * - make a temporary copy of the $back_list
++ * - NULL-out the $back_list in $HTTP_SESSION_VARS (so that
++ * the current session is serialized without these variables)
++ * - serialize the current session
++ * - fix-up the QUERY_STRING
++ * - make a new QUERY_STRING that includes the temporary QueryState variables
++ * - remove &back=1 from any QUERY_STRING
++ * - add the current session into the $back_list (history)
++ */
++ $tmp_back_list = $HTTP_SESSION_VARS['back_list'];
++ $tmp_back_list_cnt = $HTTP_SESSION_VARS['back_list_cnt'];
++
++ $HTTP_SESSION_VARS['back_list'] = NULL;
++ $HTTP_SESSION_VARS['back_list_cnt'] = -1;
++
++ $full_session = session_encode();
++ $HTTP_SESSION_VARS['back_list'] = $tmp_back_list;
++ $HTTP_SESSION_VARS['back_list_cnt'] = $tmp_back_list_cnt;
++
++ $query_string = $HTTP_SERVER_VARS["QUERY_STRING"];
++ if ( isset($HTTP_POST_VARS['caller']) ) $query_string .= "&caller=".$HTTP_POST_VARS['caller'];
++ if ( isset($HTTP_POST_VARS['num_result_rows']) ) $query_string .= "&num_result_rows=".$HTTP_POST_VARS['num_result_rows'];
++ if ( isset($HTTP_POST_VARS['sort_order']) ) $query_string .= "&sort_order=".$HTTP_POST_VARS['sort_order'];
++ if ( isset($HTTP_POST_VARS['current_view']) ) $query_string .= "¤t_view=".$HTTP_POST_VARS['current_view'];
++ if ( isset($HTTP_POST_VARS['submit']) ) $query_string .= "&submit=".$HTTP_POST_VARS['submit'];
++
++ $query_string = ereg_replace("back=1&", "", $query_string);
++
++ ++$HTTP_SESSION_VARS['back_list_cnt'];
++ $HTTP_SESSION_VARS['back_list'][$HTTP_SESSION_VARS['back_list_cnt']] =
++ array ("PHP_SELF" => $HTTP_SERVER_VARS["PHP_SELF"],
++ "QUERY_STRING" => $query_string, /*$HTTP_SERVER_VARS["QUERY_STRING"], */
++ "session" => $full_session );
+
+- if ( $debug_mode > 0 )
++ if ( $GLOBALS['debug_mode'] > 1 )
+ {
+- echo "History depth = $back_list_cnt ";
+- /*
+- ErrorMessage("Saved criteria for ".$back_list[$back_list_cnt]["PHP_SELF"]);
+- for ( $i = 1; $i <= $back_list_cnt; $i++ )
+- echo $back_list[$i]["PHP_SELF"]."   > ";
+- echo " ";
+- */
+- }
+-
+- if ( $debug_mode > 1 )
+- {
+- echo "Back List (Cnt = $back_list_cnt) ";
+- print_r($back_list);
+- echo " ";
++ ErrorMessage("Insert session into slot #".$HTTP_SESSION_VARS['back_list_cnt']);
++
++ echo "Back List (Cnt = ".$HTTP_SESSION_VARS['back_list_cnt'].") ";
++ print_r($HTTP_SESSION_VARS['back_list']);
++ echo " ";
+ }
+ }
+
++/* ***********************************************************************
++ * Function: PrintBackButton()
++ *
++ * @doc Returns a string with the URL of the previously viewed
++ * page. Clicking this link is equivalent to using the browser
++ * back-button, but all the associated ACID meta-information
++ * propogates correctly.
++ *
++ * @see PushHistory PopHistory
++ *
++ ************************************************************************/
+ function PrintBackButton()
+ {
+- GLOBAL $back_list, $back_list_cnt;
++ GLOBAL $HTTP_SESSION_VARS;
+
+ if ( $GLOBALS['maintain_history'] == 0 )
+ return "Back ";
+
+- $back_list = & $GLOBALS['back_list'];
+- $back_list_cnt = & $GLOBALS['back_list_cnt'];
+-
+- $criteria_num = $back_list_cnt - 1;
+-
+- if ( isset($back_list[$criteria_num]["PHP_SELF"]) )
++ $criteria_num = $HTTP_SESSION_VARS['back_list_cnt'] - 1;
++
++ if ( isset($HTTP_SESSION_VARS['back_list'][$criteria_num]["PHP_SELF"]) )
+
+- return "Back ";
++ $HTTP_SESSION_VARS['back_list'][$criteria_num]["QUERY_STRING"]."\">Back";
+ else
+ return "Back ";
+ }
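Review bot: PopHistory's guard `if ( $HTTP_SESSION_VARS['back_list_cnt'] >= 0 )` admits `back_list_cnt == 0`, where the only history entry is the current page: that entry is unset, `$save_back_list_cnt` becomes -1, and `session_decode($save_back_list[-1]["session"])` runs on an undefined index after `session_unset()` has already emptied the session, leaving the user with no criteria state. Because `back=1` is an ordinary request parameter this path is reachable on any request, so the guard should test for the previous entry instead, `if ( isset($HTTP_SESSION_VARS['back_list'][$HTTP_SESSION_VARS['back_list_cnt'] - 1]) )`. Separately, PushHistory appends `$HTTP_POST_VARS['caller']`, `['sort_order']` and friends to `$query_string` verbatim and PrintBackButton later writes that stored string into an href attribute (`"QUERY_STRING"]."\">Back`), so each value should be `urlencode()`d when appended and the assembled URL passed through `htmlspecialchars()` at output. The fragment `$query_string .= "¤t_view="` reads like `&current_view=` mangled by entity decoding in this rendering; worth confirming against the patch file itself.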
+diff -Naur acid/acid_state_query.inc acidfp/acid_state_query.inc
+--- acid/acid_state_query.inc 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_state_query.inc 2003-12-17 14:16:39.000000000 -0500
+@@ -120,7 +120,6 @@
+ function AddValidActionOp($action_op)
+ {
+ $this->valid_action_op_list[ count($this->valid_action_op_list) ] = $action_op;
+- //array_push($this->valid_action_op_list, $action_op);
+ }
+
+ function SetActionSQL($sql)
+@@ -312,30 +311,30 @@
+
+ function ReadState()
+ {
+- $this->current_canned_query = ImportHTTPVar("caller");
+- $this->num_result_rows = ImportHTTPVar("num_result_rows");
+- $this->current_sort_order = ImportHTTPVar("sort_order");
+- $this->current_view = ImportHTTPVar("current_view");
+- $this->action_arg = ImportHTTPVar("action_arg");
+- $this->action_chk_lst = ImportHTTPVar("action_chk_lst");
+- $this->action_lst = ImportHTTPVar("action_lst");
+- $this->action = ImportHTTPVar("action");
++ $this->current_canned_query = ImportHTTPVar("caller", VAR_LETTER | VAR_USCORE);
++ $this->num_result_rows = ImportHTTPVar("num_result_rows", VAR_DIGIT);
++ $this->current_sort_order = ImportHTTPVar("sort_order", VAR_LETTER | VAR_USCORE);
++ $this->current_view = ImportHTTPVar("current_view", VAR_DIGIT);
++ $this->action_arg = ImportHTTPVar("action_arg", VAR_ALPHA | VAR_PERIOD | VAR_USCORE | VAR_AT);
++ $this->action_chk_lst = ImportHTTPVar("action_chk_lst", VAR_DIGIT);
++ $this->action_lst = ImportHTTPVar("action_lst", VAR_DIGIT);
++ $this->action = ImportHTTPVar("action", VAR_LETTER | VAR_USCORE);
+ }
+
+ function SaveState()
+ {
+- echo "\n";
+- ExportHTTPVar("caller", $this->current_canned_query);
+- ExportHTTPVar("num_result_rows", $this->num_result_rows);
+- ExportHTTPVar("sort_order", $this->current_sort_order);
+- ExportHTTPVar("current_view", $this->current_view);
++ echo "\n";
++ ExportHTTPVar("caller", $this->current_canned_query);
++ ExportHTTPVar("num_result_rows", $this->num_result_rows);
++ ExportHTTPVar("sort_order", $this->current_sort_order);
++ ExportHTTPVar("current_view", $this->current_view);
+ }
+
+ function SaveStateGET()
+ {
+- return "?caller=".$this->current_canned_query.
+- "&num_result_rows=".$this->num_result_rows.
+- "¤t_view=".$this->current_view;
++ return "?caller=".$this->current_canned_query.
++ "&num_result_rows=".$this->num_result_rows.
++ "¤t_view=".$this->current_view;
+ }
+
+ function DumpState()
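Review bot: `action_chk_lst` and `action_lst` are now imported with the VAR_DIGIT mask; if either arrives as an array (the `_lst` suffix suggests a list of checkbox values), CleanVariable's `ereg_replace` is handed an array rather than a string and does not filter element-wise, so the mask gives those two no protection. If they are lists, ReadState should iterate and clean each element, or reject non-scalar input outright. SaveStateGET still concatenates the values into the URL without `urlencode()`, which is only safe as long as the masks in ReadState genuinely restrict them to digits, letters and underscore.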
+diff -Naur acid/acid_stat_fingerprints.php acidfp/acid_stat_fingerprints.php
+--- acid/acid_stat_fingerprints.php 1969-12-31 19:00:00.000000000 -0500
++++ acidfp/acid_stat_fingerprints.php 2004-02-06 11:56:05.000000000 -0500
+@@ -0,0 +1,251 @@
++,
++ *
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
++ * (see the file 'acid_main.php' for license details)
++ *
++ * Purpose: Displays stats on an individual IP address
++ *
++ * Input GET/POST variables
++ * - action:
++ * - submit:
++ * - ip:
++ * - netmask:
++ */
++
++ $start = time();
++
++ include("acid_constants.inc");
++ include("acid_conf.php");
++ include("acid_include.inc");
++ include_once("acid_db_common.php");
++ include_once("acid_common.php");
++
++ $et = new EventTiming($debug_time_mode);
++ $cs = new CriteriaState("acid_stat_ipaddr.php");
++ $cs->ReadState();
++
++ $sortby = ImportHTTPVar("sortby");
++ $dir = ImportHTTPVar("dir");
++ $iddir = $sigdir = $fstdir = $lstdir = $addrdir = $portdir = $protodir = $servdir = $hopsdir = "ASC";
++
++ if ( $dir == "" )
++ {
++ $dir="ASC";
++ }
++
++ if ( $sortby == "" || $sortby == "addr" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby = "fpevent.ip_src DESC, fpevent.port_src";
++ $addrdir = "ASC";
++ }
++ else
++ {
++ $orderby = "fpevent.ip_src ASC, fpevent.port_src";
++ $addrdir = "DESC";
++ }
++ }
++ if ( $sortby == "port" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby = "fpevent.port_src DESC, fpevent.ip_src";
++ $portdir = "ASC";
++ }
++ else
++ {
++ $orderby = "fpevent.port_src ASC, fpevent.ip_src";
++ $portdir = "DESC";
++ }
++ }
++ if ( $sortby == "fseen" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby="fpevent.firstseen DESC, fpevent.ip_src";
++ $fstdir = "ASC";
++ }
++ else
++ {
++ $orderby="fpevent.firstseen ASC, fpevent.ip_src";
++ $fstdir = "DESC";
++ }
++ }
++ if ( $sortby == "lseen" )
++ {
++ if ( $dir == "DESC" )
++ {
++ $orderby="fpevent.lastseen DESC, fpevent.ip_src";
++ $lstdir="ASC";
++ }
++ else
++ {
++ $orderby="fpevent.lastseen ASC, fpevent.ip_src";
++ $lstdir="DESC";
++ }
++ }
++ if ( $sortby == "sig" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby="signature.sig_name DESC, fpevent.ip_src";
++ $sigdir = "ASC";
++ }
++ else
++ {
++ $orderby="signature.sig_name ASC, fpevent.ip_src";
++ $sigdir = "DESC";
++ }
++ }
++ if ( $sortby == "proto" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby="fpevent.protocol DESC, fpevent.ip_src";
++ $protodir = "ASC";
++ }
++ else
++ {
++ $orderby="fpevent.protocol ASC, fpevent.ip_src";
++ $protodir = "DESC";
++ }
++ }
++ if ( $sortby == "serv" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby="services.name DESC, fpevent.ip_src";
++ $servdir = "ASC";
++ }
++ else
++ {
++ $orderby="services.name ASC, fpevent.ip_src";
++ $servdir = "DESC";
++ }
++ }
++ if ( $sortby == "id" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby="fpevent.sid DESC, fpevent.cid DESC";
++ $iddir = "ASC";
++ }
++ else
++ {
++ $orderby="fpevent.sid ASC, fpevent.cid ASC";
++ $iddir = "DESC";
++ }
++ }
++ if ( $sortby == "hops" )
++ {
++
++ if ( $dir == "DESC" )
++ {
++ $orderby="fpevent.hopcount DESC, fpevent.ip_src";
++ $hopsdir = "ASC";
++ }
++ else
++ {
++ $orderby="fpevent.hopcount ASC, fpevent.ip_src";
++ $hopsdir = "DESC";
++ }
++ }
++
++
++
++ $page_title = 'Network Fingerprints';
++ PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
++
++
++ /* Connect to the Alert database */
++ $db = NewACIDDBConnection($DBlib_path, $DBtype);
++ $db->acidDBConnect($db_connect_method,
++ $alert_dbname, $alert_host, $alert_port, $alert_user, $alert_password);
++
++ if ( $event_cache_auto_update == 1 ) UpdateAlertCache($db);
++
++ /* SDR BEGIN */
++ echo '';
++
++ $temp = "SELECT fpevent.sid, fpevent.cid, signature.sig_name, fpevent.firstseen, fpevent.lastseen, ".
++ "fpevent.ip_src, fpevent.port_src, fpevent.protocol, services.name, fpevent.hopcount ".
++ "FROM fpevent,signature,services ".
++ "WHERE ( fpevent.signature = signature.sig_id ".
++ "AND fpevent.port_src = services.port AND fpevent.protocol = services.protocol ) ".
++ "ORDER BY ".$orderby;
++/*
++ echo "Query is: ".$temp;
++*/
++ $result2 = $db->acidExecute($temp);
++
++ echo '
++ ';
++
++ /* SDR END */
++
++
++
++ PrintACIDSubFooter();
++?>
++
++
++
++
++
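Review bot: `$sortby` and `$dir` are imported with no validation mask at `ImportHTTPVar("sortby")` / `ImportHTTPVar("dir")`, unlike the rest of this patch (`ImportHTTPVar("submit", VAR_DIGIT)` in acid_stat_sensor.php, `VAR_LETTER | VAR_USCORE` for `action`), and an unrecognised `sortby` value falls through every `if` so `$orderby` is never assigned and the query ends in a bare `ORDER BY `; the value is only ever compared against fixed literals, so this is a broken page rather than an injection, but the script should still reject anything but letters and carry a default: `$sortby = ImportHTTPVar("sortby", VAR_LETTER);`, `$dir = ImportHTTPVar("dir", VAR_LETTER);`, `$orderby = "fpevent.ip_src ASC, fpevent.port_src";` placed before the first `if ( $sortby == ...`. The `CriteriaState("acid_stat_ipaddr.php")` constructor call names a different page than this file; every other caller in the patch passes its own filename (acid_stat_uaddr.php does), so this looks like a copy-and-paste leftover that would point the back link at the wrong page — confirm against how CriteriaState uses its first argument. The `$result2` returned by `acidExecute` is neither iterated nor released with `acidFreeRows()` anywhere in the visible text, although the page markup appears to have been stripped from this listing, so the loop may simply be missing from view.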
+diff -Naur acid/acid_stat_ipaddr.php acidfp/acid_stat_ipaddr.php
+--- acid/acid_stat_ipaddr.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_ipaddr.php 2003-12-17 14:17:10.000000000 -0500
+@@ -4,7 +4,7 @@
+ *
+ * Author: Roman Danyliw ,
+ *
+- * Copyright (C) 2000, 2001 Carnegie Mellon University
++ * Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ * (see the file 'acid_main.php' for license details)
+ *
+ * Purpose: Displays stats on an individual IP address
+@@ -215,8 +215,9 @@
+ //if ( !VerifySocketSupport() )
+ echo '
+ ARIN |
+- RIPE
+- APNIC ';
++ RIPE |
++ APNIC |
++ LACNIC ';
+
+ echo 'External: '.
+ 'DNS | '.
+@@ -269,7 +270,7 @@
+
+ /* Number of Sensors, First, and Last timestamp */
+ $temp = "SELECT COUNT(DISTINCT sid), MIN(timestamp), MAX(timestamp) FROM acid_event ".
+- "WHERE (ip_src = $ip_src32 OR ip_dst = $ip_dst32 )";
++ "WHERE (ip_src = '$ip_src32' OR ip_dst = '$ip_dst32' )";
+ $result2 = $db->acidExecute($temp);
+ $row2 = $result2->acidFetchRow();
+
+@@ -279,14 +280,14 @@
+ $result2->acidFreeRows();
+
+ /* Unique instances as Source Address */
+- $temp = "SELECT COUNT(sid) from acid_event WHERE ip_src=$ip_src32";
++ $temp = "SELECT COUNT(sid) from acid_event WHERE ip_src='$ip_src32'";
+ $result2 = $db->acidExecute($temp);
+ $row2 = $result2->acidFetchRow();
+ $num_src_ip = $row2[0];
+ $result2->acidFreeRows();
+
+ /* Unique instances Dest. Address */
+- $temp = "SELECT COUNT(sid) from acid_event WHERE ip_dst=$ip_dst32";
++ $temp = "SELECT COUNT(sid) from acid_event WHERE ip_dst='$ip_dst32'";
+ $result2 = $db->acidExecute($temp);
+ $row2 = $result2->acidFetchRow();
+ $num_dst_ip = $row2[0];
+@@ -309,6 +310,46 @@
+
+
';
+
++ /* SDR BEGIN */
++ echo 'Network Fingerprints ';
++ $temp = "SELECT fpevent.sid, fpevent.cid, signature.sig_name, fpevent.firstseen, fpevent.lastseen, ".
++ "fpevent.port_src, fpevent.protocol, services.name ".
++ "FROM fpevent,signature,services ".
++ "WHERE (fpevent.ip_src = '$ip_src32' AND fpevent.signature = signature.sig_id ".
++ "AND fpevent.port_src = services.port AND fpevent.protocol = services.protocol )".
++ "ORDER BY fpevent.port_src ASC";
++ $result2 = $db->acidExecute($temp);
++
++ echo '
++
++
++ ID
++ Signature
++ First Seen
++ Last Seen
++ Port
++ Protocol
++ Service
++ ';
++ while ( $row2 = $result2->acidFetchRow() )
++ {
++ echo '
++
++ '.$row2[0].'-'.$row2[1].'
++ '.$row2[2].'
++ '.$row2[3].'
++ '.$row2[4].'
++ '.$row2[5].'
++ '.$row2[6].'
++ '.$row2[7].'
++ ';
++ }
++ $result2->acidFreeRows();
++ echo '
';
++
++ /* SDR END */
++
+ if ( $action == "events" )
+ {
+ echo '
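Review bot: In the `@@ -309,6 +310,46 @@` hunk the fetched columns are written straight into the page (`'.$row2[2].'` for `signature.sig_name`, `'.$row2[7].'` for `services.name`, and the rest of the row) without HTML escaping; these values come from the database rather than from this request, so whether they can carry markup depends on what writes the signature and services tables, but the page should not rely on that — `'.htmlspecialchars($row2[2]).'` per text cell is the usual fix. The new `WHERE (fpevent.ip_src = '$ip_src32' ...` clause interpolates the address the same way the quoted constants in the two earlier hunks of this file do; the quoting helps the optimiser but is not a substitute for `$ip_src32` being validated before it reaches this point, which this hunk does not show. The surrounding script continues outside the hunk, so the derivation of `$ip_src32` cannot be checked here.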
+diff -Naur acid/acid_stat_iplink.php acidfp/acid_stat_iplink.php
+--- acid/acid_stat_iplink.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_iplink.php 2003-12-17 14:16:39.000000000 -0500
+@@ -55,6 +55,7 @@
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+diff -Naur acid/acid_stat_sensor.php acidfp/acid_stat_sensor.php
+--- acid/acid_stat_sensor.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_sensor.php 2003-12-17 14:16:39.000000000 -0500
+@@ -30,7 +30,7 @@
+
+ $qs = new QueryState();
+
+- $submit = ImportHTTPVar("submit");
++ $submit = ImportHTTPVar("submit", VAR_DIGIT);
+ $qs->MoveView($submit); /* increment the view if necessary */
+
+ $page_title = "Sensor Listing";
+@@ -51,6 +51,7 @@
+
+ $qs->AddValidAction("ag_by_id");
+ $qs->AddValidAction("ag_by_name");
++ $qs->AddValidAction("add_new_ag");
+ $qs->AddValidAction("del_alert");
+ $qs->AddValidAction("email_alert");
+ $qs->AddValidAction("email_alert2");
+diff -Naur acid/acid_stat_time.php acidfp/acid_stat_time.php
+--- acid/acid_stat_time.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_time.php 2003-12-17 14:16:39.000000000 -0500
+@@ -67,8 +67,8 @@
+ if ( $value_lst[$i] > $max_cnt ) $max_cnt = $value_lst[$i];
+
+ echo '
+- Time
+- # of Alerts
++ Time
++ # of Alerts
+ Alerts ';
+
+
+@@ -190,6 +190,8 @@
+ 2000
+ 2001
+ 2002
++ 2003
++ 2004
+ ';
+
+ if ( $i == 0 ) echo ' -- ';
+diff -Naur acid/acid_stat_uaddr.php acidfp/acid_stat_uaddr.php
+--- acid/acid_stat_uaddr.php 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_stat_uaddr.php 2003-12-17 14:16:39.000000000 -0500
+@@ -33,8 +33,15 @@
+
+ $et = new EventTiming($debug_time_mode);
+ $cs = new CriteriaState("acid_stat_uaddr.php", "&addr_type=$addr_type");
++
+ $cs->ReadState();
+
++/* Dump some debugging information on the shared state */
++if ( $debug_mode > 0 )
++{
++ PrintCriteriaState();
++}
++
+ $qs = new QueryState();
+ $qs->AddCannedQuery("most_frequent", $freq_num_uaddr, "Most Frequent IP addresses", "occur_d");
+ //$qs->AddCannedQuery("last_addr", $last_num_uaddr, "Last IP addresses", "last_d");
+@@ -71,7 +78,6 @@
+
+ $criteria_clauses = ProcessCriteria();
+ PrintCriteria("");
+- echo $time[0][2];
+
+ $criteria = $criteria_clauses[0]." ".$criteria_clauses[1];
+ $from = $criteria_clauses[0];
+diff -Naur acid/acid_style.css acidfp/acid_style.css
+--- acid/acid_style.css 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/acid_style.css 2003-12-17 14:17:10.000000000 -0500
+@@ -17,7 +17,7 @@
+
+ P, B, A, BODY, FORM, TD, INPUT, SELECT, OPTION, TR, OL, UL, MENU, BLOCKQUOTE, FONT, DIV, H4, H5, H6 {
+ FONT-FAMILY: arial,helvetica,sans-serif;
+- font-size: 12pt;
++ font-size: 10pt;
+ }
+
+ H3 {
+@@ -60,6 +60,15 @@
+ font-size: 10pt;
+ }
+
++A.table {
++ FONT-FAMILY: arial,helvetica;
++ COLOR: yellow;
++ BACKGROUND-COLOR: black;
++ font-size: 12pt;
++ font-weight: bold;
++ text-align: center;
++}
++
+ table {
+ }
+
+@@ -106,7 +115,6 @@
+ text-align: center;
+ }
+
+-
+ td.plfield {
+ FONT-FAMILY: verdana,arial,helvetica;
+ COLOR: black;
+@@ -120,7 +128,7 @@
+ font-weight: bold;
+ COLOR: white;
+ BACKGROUND-COLOR: #AA0000;
+- font-size: 12pt;
++ font-size: 10pt;
+ }
+
+ td.iptitle {
+@@ -128,7 +136,7 @@
+ font-weight: bold;
+ COLOR: white;
+ BACKGROUND-COLOR: #333399;
+- font-size: 12pt;
++ font-size: 10pt;
+ }
+
+ td.layer4title {
+@@ -136,7 +144,7 @@
+ font-weight: bold;
+ COLOR: white;
+ BACKGROUND-COLOR: #009966;
+- font-size: 12pt;
++ font-size: 10pt;
+ }
+
+ td.payloadtitle {
+@@ -144,7 +152,7 @@
+ font-weight: bold;
+ COLOR: white;
+ BACKGROUND-COLOR: #660099;
+- font-size: 12pt;
++ font-size: 10pt;
+ }
+
+ td.sectiontitle {
+@@ -152,13 +160,6 @@
+ font-weight: bold;
+ COLOR: white;
+ BACKGROUND-COLOR: #669999;
+- font-size: 12pt;
++ font-size: 10pt;
+ }
+
+-
+-
+-
+-
+-
+-
+-
+diff -Naur acid/CHANGELOG acidfp/CHANGELOG
+--- acid/CHANGELOG 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/CHANGELOG 2003-12-17 14:16:39.000000000 -0500
+@@ -1,5 +1,61 @@
+ ??/??/????: 0.9.6
+
++ - 01/08/2003: 0.9.6b23
++ - [01/08/2003] rdd
++ - 2003-2004 added to combo-boxes as time criteria
++
++ - [12/12/2002] rdd
++ - acid_net.inc
++ detect invalid IP adddress cache entries and update them
++ appropriately
++
++ - [11/12/2002] Christian Berg
++ - Check if PHP safe_mode is used before trying to set_time_limit()
++
++ - [10/15/2002] rdd
++ - acid_qry_sqlcalls.php:
++ fixed SQL generated when sorting by IP protocol on the
++ Alert Listing page
++ - acid_graph_form.php:
++ replace typo of '' with a ')
++ - tweaked SQL to always quote constants for better index use with the
++ PostgreSQL query optimizer (reported: Mike Gahagan )
++ - fix to ICMP decode
++ - added timezone to date in email export
++ - updated McAfee and Snort signature reference URLs
++ - complete re-write of state handling code (support without using
++ PHP's register_globals)
++ - input validation checks for criteria variables
++ - addded $external_sig_link configuration variable to eliminate
++ hardcoded URLs in the signature references
++ - added ICAT signature reference support
++ - use JPGraph library for alert graphing
++ - added pie chart support
++ - added classification vs. number of alerts chart
++ - added sensor vs. number of alerts chart
++
+ - 03/03/2002: 0.9.6b21
+ - CSV-formatted email alert action
+ - fixed bug in SQL generated when classification criteria is not set
+diff -Naur acid/create_acid_tbls_mssql_extra.sql acidfp/create_acid_tbls_mssql_extra.sql
+--- acid/create_acid_tbls_mssql_extra.sql 1969-12-31 19:00:00.000000000 -0500
++++ acidfp/create_acid_tbls_mssql_extra.sql 2003-12-17 14:16:39.000000000 -0500
+@@ -0,0 +1,68 @@
++-- Copyright (C) 2002 Carnegie Mellon University
++--
++-- Author: Roman Danyliw
++--
++-- This program is free software; you can redistribute it and/or modify
++-- it under the terms of the GNU General Public License as published by
++-- the Free Software Foundation; either version 2 of the License, or
++-- (at your option) any later version.
++--
++-- This program is distributed in the hope that it will be useful,
++-- but WITHOUT ANY WARRANTY; without even the implied warranty of
++-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++-- GNU General Public License for more details.
++--
++-- You should have received a copy of the GNU General Public License
++-- along with this program; if not, write to the Free Software
++-- Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++--
++-- - Purpose:
++-- Add referential integrity to the database schema
++
++ALTER TABLE acid_event
++ ADD CONSTRAINT acid_event_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE acid_ag_alert
++ ADD CONSTRAINT acid_ag_alert_fkey_sid_cid
++ FOREIGN KEY (ag_sid,ag_cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE iphdr
++ ADD CONSTRAINT iphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE tcphdr
++ ADD CONSTRAINT tcphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE udphdr
++ ADD CONSTRAINT udphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE icmphdr
++ ADD CONSTRAINT icmphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE opt
++ ADD CONSTRAINT opt_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE data
++ ADD CONSTRAINT data_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
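Review bot: This file is identical, line for line, to create_acid_tbls_pgsql_extra.sql, the next file in the patch, including the header comment; keeping two copies means every future constraint change has to be made twice, so either one shared file or a comment in each stating that the other must be kept in sync (`-- Keep in sync with create_acid_tbls_pgsql_extra.sql`) would help. Both scripts add foreign keys only for the pre-existing tables (`acid_event`, `acid_ag_alert`, the header tables, `opt`, `data`); the new `fpevent` table introduced later in this patch for MySQL keys on `(sid,cid)` as well but gets no equivalent constraint here, which may be intentional if the fingerprint tables are not created on these back ends — worth stating in the `Purpose` comment either way.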
+diff -Naur acid/create_acid_tbls_pgsql_extra.sql acidfp/create_acid_tbls_pgsql_extra.sql
+--- acid/create_acid_tbls_pgsql_extra.sql 1969-12-31 19:00:00.000000000 -0500
++++ acidfp/create_acid_tbls_pgsql_extra.sql 2003-12-17 14:16:39.000000000 -0500
+@@ -0,0 +1,68 @@
++-- Copyright (C) 2002 Carnegie Mellon University
++--
++-- Author: Roman Danyliw
++--
++-- This program is free software; you can redistribute it and/or modify
++-- it under the terms of the GNU General Public License as published by
++-- the Free Software Foundation; either version 2 of the License, or
++-- (at your option) any later version.
++--
++-- This program is distributed in the hope that it will be useful,
++-- but WITHOUT ANY WARRANTY; without even the implied warranty of
++-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++-- GNU General Public License for more details.
++--
++-- You should have received a copy of the GNU General Public License
++-- along with this program; if not, write to the Free Software
++-- Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++--
++-- - Purpose:
++-- Add referential integrity to the database schema
++
++ALTER TABLE acid_event
++ ADD CONSTRAINT acid_event_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE acid_ag_alert
++ ADD CONSTRAINT acid_ag_alert_fkey_sid_cid
++ FOREIGN KEY (ag_sid,ag_cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE iphdr
++ ADD CONSTRAINT iphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE tcphdr
++ ADD CONSTRAINT tcphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE udphdr
++ ADD CONSTRAINT udphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE icmphdr
++ ADD CONSTRAINT icmphdr_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE opt
++ ADD CONSTRAINT opt_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
++
++ALTER TABLE data
++ ADD CONSTRAINT data_fkey_sid_cid
++ FOREIGN KEY (sid,cid) REFERENCES event (sid,cid)
++ ON DELETE CASCADE
++ ON UPDATE CASCADE;
+diff -Naur acid/README acidfp/README
+--- acid/README 2002-03-03 18:02:45.000000000 -0500
++++ acidfp/README 2003-12-17 14:16:39.000000000 -0500
+@@ -14,7 +14,7 @@
+ CVS : cvs.acidlab.sourceforge.net
+
+ -------------------------------------------------------------------------------
+-** Copyright (C) 2000, 2001 Carnegie Mellon University
++** Copyright (C) 2000, 2001, 2002 Carnegie Mellon University
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU General Public License as published by
+@@ -63,7 +63,6 @@
+ - tcpdump binary logs
+
+ o using logsnorter (www.snort.org/downloads/logsnorter-0.2.tar.gz)
+- - Cisco PIX
+ - ipchains
+ - iptables
+ - ipfw
+@@ -98,7 +97,7 @@
+ Version: 1.7+
+ Description: Network Intrusion Detection System
+ Reason: Detects security events
+- Homepage: http://www.snort.com/
++ Homepage: http://www.snort.org/
+
+ - Package: logsnorter
+ Version: 0.2+
+@@ -132,11 +131,11 @@
+ Reason: PHP provides no clean database API
+ Homepage: http://php.weblogs.com/adodb/
+
+- o Package: PHPlot
+- Version: 4.4.6+
++ o Package: JPGraph
++ Version: 1.8+
+ Description: PHP chart library
+- Reason: Set of PHP classes over GD to generate charts
+- Homepage: http://www.phplot.com
++ Reason: PHP4 graphing library
++ Homepage: http://www.aditus.nu/jpgraph/
+ Type: optional
+
+ o Package: GD
+@@ -146,6 +145,24 @@
+ Homepage: http://www.boutell.com/gd/
+ Type: optional
+
++ The following are GD dependencies:
++
++ o Package: libpng
++ Description: PNG library
++ Reason: PNG format support for GD
++ Homepage: http://www.libpng.org/pub/png/
++
++ o Package: libjpeg-6b
++ Description: JPEG library
++ Reason: JPEG format support for GD
++ Homepage: http://www.ijg.org/
++
++ o Package: zlib
++ Version: 1.8.*
++ Description: compression library
++ Reason: Compression support for GD
++ Homepage: http://www.gzip.org/zlib/
++
+ o Any web browser capable of supporting cookies
+
+
+@@ -303,7 +320,7 @@
+ under Windows, http://www.php.net/manual/en/install-windows.php.
+
+ o PHP will execute more efficiently if run as an Apache module
+- (--with-apache in the ./configure script). However, it is possible to
++ (--with-apxs in the ./configure script). However, it is possible to
+ run PHP as a CGI application and under different web servers. It should
+ be noted that these configurations are untested.
+
+@@ -353,25 +370,19 @@
+ $ tar xvfz adodb112.tgz
+ $ cd ..
+
+-7. Uncompress and install PHPlot 4.4.6+. Again, this installation should
+- involve only copying the files into a directory viewable by the web
++7. Uncompress and install JPGraph 1.8+. This installation should
++ involve copying the files into a directory viewable by the web
+ server and PHP.
+
+ [UNIX]
+- $ cp phplot-4.4.6.tar.gz /home/httpd/html
++ $ cp jpgraph1.8.tar.gz /home/httpd/html
+ $ cd /home/httpd/html
+- $ tar xvfz phplot-4.4.6.tar.gz
++ $ tar xvfz jpgraph.1.8.tar.gz
+ $ cd ..
+
+-8. [OPTIONAL] Confirm that GD support has been properly configured in
+- PHP by opening a browser and attempting to view the PHPlot diagnostics page
+- examples/test_setup.php (the full URL will depend on where PHPlot was
+- installed; e.g. http://mywebserver/phplot/examples/test_setup.php). If
+- PHP has been configured correctly, at least one chart graphic should be
+- seen on this page. Otherwise, PHP has not been configured correctly with
+- GD support.
++ See the JPGraph README file for additional documentation.
+
+-9. Uncompress and install ACID by copying and expanding it to a directory
++8. Uncompress and install ACID by copying and expanding it to a directory
+ viewable by the web server and PHP.
+
+ [UNIX]
+@@ -380,7 +391,7 @@
+ $ tar xvfz acid-0.9.6.tar.gz
+ $ cd acid
+
+-10. Verify that cookie support in the browser is enabled.
++9. Verify that cookie support in the browser is enabled.
+
+ [Netscape 4.*]
+
+@@ -409,7 +420,7 @@
+ IV. CONFIGURATION
+ _____________________________________
+
+-11. The file 'acid_conf.php' controls the configuration of ACID.
++10. The file 'acid_conf.php' controls the configuration of ACID.
+
+ Note: 'acid_conf.php' is PHP code which will be included in each
+ ACID page request. As such, it is imperative that the opening
+@@ -461,7 +472,8 @@
+
+ [OPTIONAL for chart support]
+
+- o $ChartLib_path : full path to the PHPlot install
++ o $ChartLib_path : full path to the JPGraph install; the directory
++ in which the file 'jpgraph.php' is located
+ (Note: do not include a trailing '\' character)
+
+ o $chart_file_format : graphic format to use for generated charts
+@@ -473,7 +485,7 @@
+
+ o $portscan_file : full path to a Snort portscan log file
+
+-12. Open the acid_main.php page in a browser. If the any database changes
++11. Open the acid_main.php page in a browser. If the any database changes
+ are required, ACID will prompt for action.
+
+ For new databases, several ACID specific tables will need to be created.
+@@ -494,7 +506,7 @@
+
+ After the tables are created, ACID will return status indicating success.
+
+-13. Read the security notes about deploying ACID.
++12. Read the security notes about deploying ACID.
+
+
+ V. SECURITY
diff -Naur snort-2.2.0/snort-2.1.2/contrib/create_mysql_fp snort-2.2.0fp/snort-2.1.2/contrib/create_mysql_fp
--- snort-2.2.0/snort-2.1.2/contrib/create_mysql_fp Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/snort-2.1.2/contrib/create_mysql_fp Sun Jan 23 17:36:20 2005
@@ -0,0 +1,716 @@
+# Copyright (C) 2000-2002 Carnegie Mellon University
+#
+# Maintainer: Roman Danyliw ,
+#
+# Original Author(s): Jed Pickel (2000-2001)
+# Roman Danyliw
+# Todd Schrubb
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+use snort;
+
+# Drop old tables if they exist
+
+DROP TABLE IF EXISTS schema;
+DROP TABLE IF EXISTS event;
+DROP TABLE IF EXISTS fpevent;
+DROP TABLE IF EXISTS services;
+DROP TABLE IF EXISTS signature;
+DROP TABLE IF EXISTS sig_reference;
+DROP TABLE IF EXISTS reference;
+DROP TABLE IF EXISTS reference_system;
+DROP TABLE IF EXISTS sig_class;
+DROP TABLE IF EXISTS sensor;
+DROP TABLE IF EXISTS iphdr;
+DROP TABLE IF EXISTS tcphdr;
+DROP TABLE IF EXISTS udphdr;
+DROP TABLE IF EXISTS icmphdr;
+DROP TABLE IF EXISTS opt;
+DROP TABLE IF EXISTS data;
+DROP TABLE IF EXISTS encoding;
+DROP TABLE IF EXISTS detail;
+
+# Create new tables;
+
+CREATE TABLE schema ( vseq INT UNSIGNED NOT NULL,
+ ctime DATETIME NOT NULL,
+ PRIMARY KEY (vseq));
+INSERT INTO schema (vseq, ctime) VALUES ('106', now());
+
+CREATE TABLE event ( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ signature INT UNSIGNED NOT NULL,
+ timestamp DATETIME NOT NULL,
+ PRIMARY KEY (sid,cid),
+ INDEX sig (signature),
+ INDEX time (timestamp));
+
+# Here's the new fingerprint event table we need to add
+
+
+CREATE TABLE fpevent (ip_src INT UNSIGNED NOT NULL,
+ port_src SMALLINT UNSIGNED NOT NULL,
+ protocol VARCHAR(10) NOT NULL,
+ signature INT UNSIGNED NOT NULL,
+ osfp_flag TINYINT UNSIGNED NOT NULL,
+ sig_priority INT UNSIGNED NOT NULL,
+ sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ firstseen DATETIME NOT NULL,
+ lastseen DATETIME NOT NULL,
+ hopcount INT NOT NULL,
+ PRIMARY KEY (sid,cid),
+ INDEX ip (ip_src, osfp_flag, port_src),
+ INDEX time (lastseen,firstseen));
+
+
+CREATE TABLE services (name VARCHAR(128) NOT NULL,
+ port INT NOT NULL,
+ protocol VARCHAR(10) NOT NULL,
+ PRIMARY KEY (port,protocol),
+ INDEX port (port,protocol));
+
+CREATE TABLE signature ( sig_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ sig_name VARCHAR(255) NOT NULL,
+ sig_class_id INT UNSIGNED NOT NULL,
+ sig_priority INT UNSIGNED,
+ sig_rev INT UNSIGNED,
+ sig_sid INT UNSIGNED,
+ PRIMARY KEY (sig_id),
+ INDEX sign_idx (sig_name(20)),
+ INDEX sig_class_id_idx (sig_class_id));
+
+CREATE TABLE sig_reference (sig_id INT UNSIGNED NOT NULL,
+ ref_seq INT UNSIGNED NOT NULL,
+ ref_id INT UNSIGNED NOT NULL,
+ PRIMARY KEY(sig_id, ref_seq));
+
+CREATE TABLE reference ( ref_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ ref_system_id INT UNSIGNED NOT NULL,
+ ref_tag TEXT NOT NULL,
+ PRIMARY KEY (ref_id));
+
+CREATE TABLE reference_system ( ref_system_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ ref_system_name VARCHAR(20),
+ PRIMARY KEY (ref_system_id));
+
+CREATE TABLE sig_class ( sig_class_id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ sig_class_name VARCHAR(60) NOT NULL,
+ PRIMARY KEY (sig_class_id),
+ INDEX (sig_class_id),
+ INDEX (sig_class_name));
+
+# store info about the sensor supplying data
+CREATE TABLE sensor ( sid INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ hostname TEXT,
+ interface TEXT,
+ filter TEXT,
+ detail TINYINT,
+ encoding TINYINT,
+ last_cid INT UNSIGNED NOT NULL,
+ PRIMARY KEY (sid));
+
+# All of the fields of an ip header
+CREATE TABLE iphdr ( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ ip_src INT UNSIGNED NOT NULL,
+ ip_dst INT UNSIGNED NOT NULL,
+ ip_ver TINYINT UNSIGNED,
+ ip_hlen TINYINT UNSIGNED,
+ ip_tos TINYINT UNSIGNED,
+ ip_len SMALLINT UNSIGNED,
+ ip_id SMALLINT UNSIGNED,
+ ip_flags TINYINT UNSIGNED,
+ ip_off SMALLINT UNSIGNED,
+ ip_ttl TINYINT UNSIGNED,
+ ip_proto TINYINT UNSIGNED NOT NULL,
+ ip_csum SMALLINT UNSIGNED,
+ PRIMARY KEY (sid,cid),
+ INDEX ip_src (ip_src),
+ INDEX ip_dst (ip_dst));
+
+# All of the fields of a tcp header
+CREATE TABLE tcphdr( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ tcp_sport SMALLINT UNSIGNED NOT NULL,
+ tcp_dport SMALLINT UNSIGNED NOT NULL,
+ tcp_seq INT UNSIGNED,
+ tcp_ack INT UNSIGNED,
+ tcp_off TINYINT UNSIGNED,
+ tcp_res TINYINT UNSIGNED,
+ tcp_flags TINYINT UNSIGNED NOT NULL,
+ tcp_win SMALLINT UNSIGNED,
+ tcp_csum SMALLINT UNSIGNED,
+ tcp_urp SMALLINT UNSIGNED,
+ PRIMARY KEY (sid,cid),
+ INDEX tcp_sport (tcp_sport),
+ INDEX tcp_dport (tcp_dport),
+ INDEX tcp_flags (tcp_flags));
+
+# All of the fields of a udp header
+CREATE TABLE udphdr( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ udp_sport SMALLINT UNSIGNED NOT NULL,
+ udp_dport SMALLINT UNSIGNED NOT NULL,
+ udp_len SMALLINT UNSIGNED,
+ udp_csum SMALLINT UNSIGNED,
+ PRIMARY KEY (sid,cid),
+ INDEX udp_sport (udp_sport),
+ INDEX udp_dport (udp_dport));
+
+
+# All of the fields of an icmp header
+CREATE TABLE icmphdr( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ icmp_type TINYINT UNSIGNED NOT NULL,
+ icmp_code TINYINT UNSIGNED NOT NULL,
+ icmp_csum SMALLINT UNSIGNED,
+ icmp_id SMALLINT UNSIGNED,
+ icmp_seq SMALLINT UNSIGNED,
+ PRIMARY KEY (sid,cid),
+ INDEX icmp_type (icmp_type));
+
+# Protocol options
+CREATE TABLE opt ( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ optid INT UNSIGNED NOT NULL,
+ opt_proto TINYINT UNSIGNED NOT NULL,
+ opt_code TINYINT UNSIGNED NOT NULL,
+ opt_len SMALLINT,
+ opt_data TEXT,
+ PRIMARY KEY (sid,cid,optid));
+
+# Packet payload
+CREATE TABLE data ( sid INT UNSIGNED NOT NULL,
+ cid INT UNSIGNED NOT NULL,
+ data_payload TEXT,
+ PRIMARY KEY (sid,cid));
+
+# encoding is a lookup table for storing encoding types
+CREATE TABLE encoding(encoding_type TINYINT UNSIGNED NOT NULL,
+ encoding_text TEXT NOT NULL,
+ PRIMARY KEY (encoding_type));
+INSERT INTO encoding (encoding_type, encoding_text) VALUES (0, 'hex');
+INSERT INTO encoding (encoding_type, encoding_text) VALUES (1, 'base64');
+INSERT INTO encoding (encoding_type, encoding_text) VALUES (2, 'ascii');
+
+# detail is a lookup table for storing different detail levels
+CREATE TABLE detail (detail_type TINYINT UNSIGNED NOT NULL,
+ detail_text TEXT NOT NULL,
+ PRIMARY KEY (detail_type));
+INSERT INTO detail (detail_type, detail_text) VALUES (0, 'fast');
+INSERT INTO detail (detail_type, detail_text) VALUES (1, 'full');
+
+# Set permissions
+
+grant update,insert,delete on fpevent to snort;
+grant update,insert,delete on iphdr to snort;
+grant update,insert,delete on tcphdr to snort;
+grant update,insert,delete on udphdr to snort;
+grant update,insert,delete on icmphdr to snort;
+grant update,insert,delete on opt to snort;
+grant update,insert,delete on data to snort;
+
+grant update,insert on signature to snort;
+grant update,insert on sig_reference to snort;
+grant update,insert on reference to snort;
+grant update,insert on reference_system to snort;
+grant update,insert on sig_class to snort;
+grant update,insert on sensor to snort;
+grant update,insert on encoding to snort;
+grant update,insert on detail to snort;
+grant update,insert on services to snort;
+
+# be sure to also use the snortdb-extra tables if you want
+# mappings for tcp flags, protocols, and ports
+replace services ( name, port, protocol ) values ( 'osfp', 0, 'tcp' );
+replace services ( name, port, protocol ) values ( 'osfp', 0, 'udp' );
+replace services ( name, port, protocol ) values ( 'tcpmux', 1, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tcpmux', 1, 'udp' );
+replace services ( name, port, protocol ) values ( 'rje', 5, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rje', 5, 'udp' );
+replace services ( name, port, protocol ) values ( 'echo', 7, 'tcp' );
+replace services ( name, port, protocol ) values ( 'echo', 7, 'udp' );
+replace services ( name, port, protocol ) values ( 'discard', 9, 'tcp' );
+replace services ( name, port, protocol ) values ( 'discard', 9, 'udp' );
+replace services ( name, port, protocol ) values ( 'systat', 11, 'tcp' );
+replace services ( name, port, protocol ) values ( 'systat', 11, 'udp' );
+replace services ( name, port, protocol ) values ( 'daytime', 13, 'tcp' );
+replace services ( name, port, protocol ) values ( 'daytime', 13, 'udp' );
+replace services ( name, port, protocol ) values ( 'qotd', 17, 'tcp' );
+replace services ( name, port, protocol ) values ( 'qotd', 17, 'udp' );
+replace services ( name, port, protocol ) values ( 'msp', 18, 'tcp' );
+replace services ( name, port, protocol ) values ( 'msp', 18, 'udp' );
+replace services ( name, port, protocol ) values ( 'chargen', 19, 'tcp' );
+replace services ( name, port, protocol ) values ( 'chargen', 19, 'udp' );
+replace services ( name, port, protocol ) values ( 'ftp-data', 20, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ftp-data', 20, 'udp' );
+replace services ( name, port, protocol ) values ( 'ftp', 21, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ftp', 21, 'udp' );
+replace services ( name, port, protocol ) values ( 'ssh', 22, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ssh', 22, 'udp' );
+replace services ( name, port, protocol ) values ( 'telnet', 23, 'tcp' );
+replace services ( name, port, protocol ) values ( 'telnet', 23, 'udp' );
+replace services ( name, port, protocol ) values ( 'smtp', 25, 'tcp' );
+replace services ( name, port, protocol ) values ( 'smtp', 25, 'udp' );
+replace services ( name, port, protocol ) values ( 'time', 37, 'tcp' );
+replace services ( name, port, protocol ) values ( 'time', 37, 'udp' );
+replace services ( name, port, protocol ) values ( 'rlp', 39, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rlp', 39, 'udp' );
+replace services ( name, port, protocol ) values ( 'nameserver', 42, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nameserver', 42, 'udp' );
+replace services ( name, port, protocol ) values ( 'nicname', 43, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nicname', 43, 'udp' );
+replace services ( name, port, protocol ) values ( 'tacacs', 49, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tacacs', 49, 'udp' );
+replace services ( name, port, protocol ) values ( 're-mail-ck', 50, 'tcp' );
+replace services ( name, port, protocol ) values ( 're-mail-ck', 50, 'udp' );
+replace services ( name, port, protocol ) values ( 'domain', 53, 'tcp' );
+replace services ( name, port, protocol ) values ( 'domain', 53, 'udp' );
+replace services ( name, port, protocol ) values ( 'whois++', 63, 'tcp' );
+replace services ( name, port, protocol ) values ( 'whois++', 63, 'udp' );
+replace services ( name, port, protocol ) values ( 'bootps', 67, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bootps', 67, 'udp' );
+replace services ( name, port, protocol ) values ( 'bootpc', 68, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bootpc', 68, 'udp' );
+replace services ( name, port, protocol ) values ( 'tftp', 69, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tftp', 69, 'udp' );
+replace services ( name, port, protocol ) values ( 'gopher', 70, 'tcp' );
+replace services ( name, port, protocol ) values ( 'gopher', 70, 'udp' );
+replace services ( name, port, protocol ) values ( 'netrjs-1', 71, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netrjs-1', 71, 'udp' );
+replace services ( name, port, protocol ) values ( 'netrjs-2', 72, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netrjs-2', 72, 'udp' );
+replace services ( name, port, protocol ) values ( 'netrjs-3', 73, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netrjs-3', 73, 'udp' );
+replace services ( name, port, protocol ) values ( 'netrjs-4', 74, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netrjs-4', 74, 'udp' );
+replace services ( name, port, protocol ) values ( 'finger', 79, 'tcp' );
+replace services ( name, port, protocol ) values ( 'finger', 79, 'udp' );
+replace services ( name, port, protocol ) values ( 'http', 80, 'tcp' );
+replace services ( name, port, protocol ) values ( 'http', 80, 'udp' );
+replace services ( name, port, protocol ) values ( 'kerberos', 88, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kerberos', 88, 'udp' );
+replace services ( name, port, protocol ) values ( 'supdup', 95, 'tcp' );
+replace services ( name, port, protocol ) values ( 'supdup', 95, 'udp' );
+replace services ( name, port, protocol ) values ( 'hostname', 101, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hostname', 101, 'udp' );
+replace services ( name, port, protocol ) values ( 'iso-tsap', 102, 'tcp' );
+replace services ( name, port, protocol ) values ( 'csnet-ns', 105, 'tcp' );
+replace services ( name, port, protocol ) values ( 'csnet-ns', 105, 'udp' );
+replace services ( name, port, protocol ) values ( 'rtelnet', 107, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rtelnet', 107, 'udp' );
+replace services ( name, port, protocol ) values ( 'pop2', 109, 'tcp' );
+replace services ( name, port, protocol ) values ( 'pop2', 109, 'udp' );
+replace services ( name, port, protocol ) values ( 'pop3', 110, 'tcp' );
+replace services ( name, port, protocol ) values ( 'pop3', 110, 'udp' );
+replace services ( name, port, protocol ) values ( 'sunrpc', 111, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sunrpc', 111, 'udp' );
+replace services ( name, port, protocol ) values ( 'auth', 113, 'tcp' );
+replace services ( name, port, protocol ) values ( 'auth', 113, 'udp' );
+replace services ( name, port, protocol ) values ( 'sftp', 115, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sftp', 115, 'udp' );
+replace services ( name, port, protocol ) values ( 'uucp-path', 117, 'tcp' );
+replace services ( name, port, protocol ) values ( 'uucp-path', 117, 'udp' );
+replace services ( name, port, protocol ) values ( 'nntp', 119, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nntp', 119, 'udp' );
+replace services ( name, port, protocol ) values ( 'ntp', 123, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ntp', 123, 'udp' );
+replace services ( name, port, protocol ) values ( 'netbios-ns', 137, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netbios-ns', 137, 'udp' );
+replace services ( name, port, protocol ) values ( 'netbios-dgm', 138, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netbios-dgm', 138, 'udp' );
+replace services ( name, port, protocol ) values ( 'netbios-ssn', 139, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netbios-ssn', 139, 'udp' );
+replace services ( name, port, protocol ) values ( 'imap', 143, 'tcp' );
+replace services ( name, port, protocol ) values ( 'imap', 143, 'udp' );
+replace services ( name, port, protocol ) values ( 'snmp', 161, 'tcp' );
+replace services ( name, port, protocol ) values ( 'snmp', 161, 'udp' );
+replace services ( name, port, protocol ) values ( 'snmptrap', 162, 'udp' );
+replace services ( name, port, protocol ) values ( 'cmip-man', 163, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cmip-man', 163, 'udp' );
+replace services ( name, port, protocol ) values ( 'cmip-agent', 164, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cmip-agent', 164, 'udp' );
+replace services ( name, port, protocol ) values ( 'mailq', 174, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mailq', 174, 'udp' );
+replace services ( name, port, protocol ) values ( 'xdmcp', 177, 'tcp' );
+replace services ( name, port, protocol ) values ( 'xdmcp', 177, 'udp' );
+replace services ( name, port, protocol ) values ( 'nextstep', 178, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nextstep', 178, 'udp' );
+replace services ( name, port, protocol ) values ( 'bgp', 179, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bgp', 179, 'udp' );
+replace services ( name, port, protocol ) values ( 'prospero', 191, 'tcp' );
+replace services ( name, port, protocol ) values ( 'prospero', 191, 'udp' );
+replace services ( name, port, protocol ) values ( 'irc', 194, 'tcp' );
+replace services ( name, port, protocol ) values ( 'irc', 194, 'udp' );
+replace services ( name, port, protocol ) values ( 'smux', 199, 'tcp' );
+replace services ( name, port, protocol ) values ( 'smux', 199, 'udp' );
+replace services ( name, port, protocol ) values ( 'at-rtmp', 201, 'tcp' );
+replace services ( name, port, protocol ) values ( 'at-rtmp', 201, 'udp' );
+replace services ( name, port, protocol ) values ( 'at-nbp', 202, 'tcp' );
+replace services ( name, port, protocol ) values ( 'at-nbp', 202, 'udp' );
+replace services ( name, port, protocol ) values ( 'at-echo', 204, 'tcp' );
+replace services ( name, port, protocol ) values ( 'at-echo', 204, 'udp' );
+replace services ( name, port, protocol ) values ( 'at-zis', 206, 'tcp' );
+replace services ( name, port, protocol ) values ( 'at-zis', 206, 'udp' );
+replace services ( name, port, protocol ) values ( 'qmtp', 209, 'tcp' );
+replace services ( name, port, protocol ) values ( 'qmtp', 209, 'udp' );
+replace services ( name, port, protocol ) values ( 'z39.50', 210, 'tcp' );
+replace services ( name, port, protocol ) values ( 'z39.50', 210, 'udp' );
+replace services ( name, port, protocol ) values ( 'ipx', 213, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ipx', 213, 'udp' );
+replace services ( name, port, protocol ) values ( 'imap3', 220, 'tcp' );
+replace services ( name, port, protocol ) values ( 'imap3', 220, 'udp' );
+replace services ( name, port, protocol ) values ( 'link', 245, 'tcp' );
+replace services ( name, port, protocol ) values ( 'link', 245, 'ucp' );
+replace services ( name, port, protocol ) values ( 'fatserv', 347, 'tcp' );
+replace services ( name, port, protocol ) values ( 'fatserv', 347, 'udp' );
+replace services ( name, port, protocol ) values ( 'rsvp_tunnel', 363, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rsvp_tunnel', 363, 'udp' );
+replace services ( name, port, protocol ) values ( 'rpc2portmap', 369, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rpc2portmap', 369, 'udp' );
+replace services ( name, port, protocol ) values ( 'codaauth2', 370, 'tcp' );
+replace services ( name, port, protocol ) values ( 'codaauth2', 370, 'udp' );
+replace services ( name, port, protocol ) values ( 'ulistproc', 372, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ulistproc', 372, 'udp' );
+replace services ( name, port, protocol ) values ( 'ldap', 389, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ldap', 389, 'udp' );
+replace services ( name, port, protocol ) values ( 'svrloc', 427, 'tcp' );
+replace services ( name, port, protocol ) values ( 'svrloc', 427, 'udp' );
+replace services ( name, port, protocol ) values ( 'mobileip-agent', 434, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mobileip-agent', 434, 'udp' );
+replace services ( name, port, protocol ) values ( 'mobilip-mn', 435, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mobilip-mn', 435, 'udp' );
+replace services ( name, port, protocol ) values ( 'https', 443, 'tcp' );
+replace services ( name, port, protocol ) values ( 'https', 443, 'udp' );
+replace services ( name, port, protocol ) values ( 'snpp', 444, 'tcp' );
+replace services ( name, port, protocol ) values ( 'snpp', 444, 'udp' );
+replace services ( name, port, protocol ) values ( 'microsoft-ds', 445, 'tcp' );
+replace services ( name, port, protocol ) values ( 'microsoft-ds', 445, 'udp' );
+replace services ( name, port, protocol ) values ( 'kpasswd', 464, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kpasswd', 464, 'udp' );
+replace services ( name, port, protocol ) values ( 'photuris', 468, 'tcp' );
+replace services ( name, port, protocol ) values ( 'photuris', 468, 'udp' );
+replace services ( name, port, protocol ) values ( 'saft', 487, 'tcp' );
+replace services ( name, port, protocol ) values ( 'saft', 487, 'udp' );
+replace services ( name, port, protocol ) values ( 'gss-http', 488, 'tcp' );
+replace services ( name, port, protocol ) values ( 'gss-http', 488, 'udp' );
+replace services ( name, port, protocol ) values ( 'pim-rp-disc', 496, 'tcp' );
+replace services ( name, port, protocol ) values ( 'pim-rp-disc', 496, 'udp' );
+replace services ( name, port, protocol ) values ( 'isakmp', 500, 'tcp' );
+replace services ( name, port, protocol ) values ( 'isakmp', 500, 'udp' );
+replace services ( name, port, protocol ) values ( 'gdomap', 538, 'tcp' );
+replace services ( name, port, protocol ) values ( 'gdomap', 538, 'udp' );
+replace services ( name, port, protocol ) values ( 'iiop', 535, 'tcp' );
+replace services ( name, port, protocol ) values ( 'iiop', 535, 'udp' );
+replace services ( name, port, protocol ) values ( 'dhcpv6-client', 546, 'tcp' );
+replace services ( name, port, protocol ) values ( 'dhcpv6-client', 546, 'udp' );
+replace services ( name, port, protocol ) values ( 'dhcpv6-server', 547, 'tcp' );
+replace services ( name, port, protocol ) values ( 'dhcpv6-server', 547, 'udp' );
+replace services ( name, port, protocol ) values ( 'rtsp', 554, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rtsp', 554, 'udp' );
+replace services ( name, port, protocol ) values ( 'nntps', 563, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nntps', 563, 'udp' );
+replace services ( name, port, protocol ) values ( 'whoami', 565, 'tcp' );
+replace services ( name, port, protocol ) values ( 'whoami', 565, 'udp' );
+replace services ( name, port, protocol ) values ( 'submission', 587, 'tcp' );
+replace services ( name, port, protocol ) values ( 'submission', 587, 'udp' );
+replace services ( name, port, protocol ) values ( 'npmp-local', 610, 'tcp' );
+replace services ( name, port, protocol ) values ( 'npmp-local', 610, 'udp' );
+replace services ( name, port, protocol ) values ( 'npmp-gui', 611, 'tcp' );
+replace services ( name, port, protocol ) values ( 'npmp-gui', 611, 'udp' );
+replace services ( name, port, protocol ) values ( 'hmmp-ind', 612, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hmmp-ind', 612, 'udp' );
+replace services ( name, port, protocol ) values ( 'ipp', 631, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ipp', 631, 'ucp' );
+replace services ( name, port, protocol ) values ( 'ldaps', 636, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ldaps', 636, 'udp' );
+replace services ( name, port, protocol ) values ( 'acap', 674, 'tcp' );
+replace services ( name, port, protocol ) values ( 'acap', 674, 'udp' );
+replace services ( name, port, protocol ) values ( 'ha-cluster', 694, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ha-cluster', 694, 'udp' );
+replace services ( name, port, protocol ) values ( 'kerberos-adm', 749, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kerberos-iv', 750, 'udp' );
+replace services ( name, port, protocol ) values ( 'kerberos-iv', 750, 'tcp' );
+replace services ( name, port, protocol ) values ( 'webster', 765, 'tcp' );
+replace services ( name, port, protocol ) values ( 'webster', 765, 'udp' );
+replace services ( name, port, protocol ) values ( 'phonebook', 767, 'tcp' );
+replace services ( name, port, protocol ) values ( 'phonebook', 767, 'udp' );
+replace services ( name, port, protocol ) values ( 'rsync', 873, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rsync', 873, 'udp' );
+replace services ( name, port, protocol ) values ( 'telnets', 992, 'tcp' );
+replace services ( name, port, protocol ) values ( 'telnets', 992, 'udp' );
+replace services ( name, port, protocol ) values ( 'imaps', 993, 'tcp' );
+replace services ( name, port, protocol ) values ( 'imaps', 993, 'udp' );
+replace services ( name, port, protocol ) values ( 'ircs', 994, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ircs', 994, 'udp' );
+replace services ( name, port, protocol ) values ( 'pop3s', 995, 'tcp' );
+replace services ( name, port, protocol ) values ( 'pop3s', 995, 'udp' );
+replace services ( name, port, protocol ) values ( 'exec', 512, 'tcp' );
+replace services ( name, port, protocol ) values ( 'biff', 512, 'udp' );
+replace services ( name, port, protocol ) values ( 'login', 513, 'tcp' );
+replace services ( name, port, protocol ) values ( 'who', 513, 'udp' );
+replace services ( name, port, protocol ) values ( 'shell', 514, 'tcp' );
+replace services ( name, port, protocol ) values ( 'syslog', 514, 'udp' );
+replace services ( name, port, protocol ) values ( 'printer', 515, 'tcp' );
+replace services ( name, port, protocol ) values ( 'printer', 515, 'udp' );
+replace services ( name, port, protocol ) values ( 'talk', 517, 'udp' );
+replace services ( name, port, protocol ) values ( 'ntalk', 518, 'udp' );
+replace services ( name, port, protocol ) values ( 'utime', 519, 'tcp' );
+replace services ( name, port, protocol ) values ( 'utime', 519, 'udp' );
+replace services ( name, port, protocol ) values ( 'efs', 520, 'tcp' );
+replace services ( name, port, protocol ) values ( 'router', 520, 'udp' );
+replace services ( name, port, protocol ) values ( 'ripng', 521, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ripng', 521, 'udp' );
+replace services ( name, port, protocol ) values ( 'timed', 525, 'tcp' );
+replace services ( name, port, protocol ) values ( 'timed', 525, 'udp' );
+replace services ( name, port, protocol ) values ( 'tempo', 526, 'tcp' );
+replace services ( name, port, protocol ) values ( 'courier', 530, 'tcp' );
+replace services ( name, port, protocol ) values ( 'conference', 531, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netnews', 532, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netwall', 533, 'udp' );
+replace services ( name, port, protocol ) values ( 'uucp', 540, 'tcp' );
+replace services ( name, port, protocol ) values ( 'klogin', 543, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kshell', 544, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afpovertcp', 548, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afpovertcp', 548, 'udp' );
+replace services ( name, port, protocol ) values ( 'remotefs', 556, 'tcp' );
+replace services ( name, port, protocol ) values ( 'socks', 1080, 'tcp' );
+replace services ( name, port, protocol ) values ( 'socks', 1080, 'udp' );
+replace services ( name, port, protocol ) values ( 'bvcontrol', 1236, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bvcontrol', 1236, 'udp' );
+replace services ( name, port, protocol ) values ( 'h323hostcallsc', 1300, 'tcp' );
+replace services ( name, port, protocol ) values ( 'h323hostcallsc', 1300, 'udp' );
+replace services ( name, port, protocol ) values ( 'lotus-notes', 1352, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ms-sql-s', 1433, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ms-sql-s', 1433, 'udp' );
+replace services ( name, port, protocol ) values ( 'ms-sql-m', 1434, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ms-sql-m', 1434, 'udp' );
+replace services ( name, port, protocol ) values ( 'ica', 1494, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ica', 1494, 'udp' );
+replace services ( name, port, protocol ) values ( 'wins', 1512, 'tcp' );
+replace services ( name, port, protocol ) values ( 'wins', 1512, 'udp' );
+replace services ( name, port, protocol ) values ( 'ingreslock', 1524, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ingreslock', 1524, 'udp' );
+replace services ( name, port, protocol ) values ( 'prospero-np', 1525, 'tcp' );
+replace services ( name, port, protocol ) values ( 'prospero-np', 1525, 'udp' );
+replace services ( name, port, protocol ) values ( 'datametrics', 1645, 'tcp' );
+replace services ( name, port, protocol ) values ( 'datametrics', 1645, 'udp' );
+replace services ( name, port, protocol ) values ( 'sa-msg-port', 1646, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sa-msg-port', 1646, 'udp' );
+replace services ( name, port, protocol ) values ( 'kermit', 1649, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kermit', 1649, 'udp' );
+replace services ( name, port, protocol ) values ( 'l2tp', 1701, 'tcp' );
+replace services ( name, port, protocol ) values ( 'l2tp', 1701, 'udp' );
+replace services ( name, port, protocol ) values ( 'h323gatedisc', 1718, 'tcp' );
+replace services ( name, port, protocol ) values ( 'h323gatedisc', 1718, 'udp' );
+replace services ( name, port, protocol ) values ( 'h323gatestat', 1719, 'tcp' );
+replace services ( name, port, protocol ) values ( 'h323gatestat', 1719, 'udp' );
+replace services ( name, port, protocol ) values ( 'h323hostcall', 1720, 'tcp' );
+replace services ( name, port, protocol ) values ( 'h323hostcall', 1720, 'udp' );
+replace services ( name, port, protocol ) values ( 'tftp-mcast', 1758, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tftp-mcast', 1758, 'udp' );
+replace services ( name, port, protocol ) values ( 'hello', 1789, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hello', 1789, 'udp' );
+replace services ( name, port, protocol ) values ( 'radius', 1812, 'tcp' );
+replace services ( name, port, protocol ) values ( 'radius', 1812, 'udp' );
+replace services ( name, port, protocol ) values ( 'radius-acct', 1813, 'tcp' );
+replace services ( name, port, protocol ) values ( 'radius-acct', 1813, 'udp' );
+replace services ( name, port, protocol ) values ( 'mtp', 1911, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mtp', 1911, 'udp' );
+replace services ( name, port, protocol ) values ( 'hsrp', 1985, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hsrp', 1985, 'udp' );
+replace services ( name, port, protocol ) values ( 'licensedaemon', 1986, 'tcp' );
+replace services ( name, port, protocol ) values ( 'licensedaemon', 1986, 'udp' );
+replace services ( name, port, protocol ) values ( 'gdp-port', 1997, 'tcp' );
+replace services ( name, port, protocol ) values ( 'gdp-port', 1997, 'udp' );
+replace services ( name, port, protocol ) values ( 'nfs', 2049, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nfs', 2049, 'udp' );
+replace services ( name, port, protocol ) values ( 'zephyr-srv', 2102, 'tcp' );
+replace services ( name, port, protocol ) values ( 'zephyr-srv', 2102, 'udp' );
+replace services ( name, port, protocol ) values ( 'zephyr-clt', 2103, 'tcp' );
+replace services ( name, port, protocol ) values ( 'zephyr-clt', 2103, 'udp' );
+replace services ( name, port, protocol ) values ( 'zephyr-hm', 2104, 'tcp' );
+replace services ( name, port, protocol ) values ( 'zephyr-hm', 2104, 'udp' );
+replace services ( name, port, protocol ) values ( 'cvspserver', 2401, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cvspserver', 2401, 'udp' );
+replace services ( name, port, protocol ) values ( 'venus', 2430, 'tcp' );
+replace services ( name, port, protocol ) values ( 'venus', 2430, 'udp' );
+replace services ( name, port, protocol ) values ( 'venus-se', 2431, 'tcp' );
+replace services ( name, port, protocol ) values ( 'venus-se', 2431, 'udp' );
+replace services ( name, port, protocol ) values ( 'codasrv', 2432, 'tcp' );
+replace services ( name, port, protocol ) values ( 'codasrv', 2432, 'udp' );
+replace services ( name, port, protocol ) values ( 'codasrv-se', 2433, 'tcp' );
+replace services ( name, port, protocol ) values ( 'codasrv-se', 2433, 'udp' );
+replace services ( name, port, protocol ) values ( 'hpstgmgr', 2600, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hpstgmgr', 2600, 'udp' );
+replace services ( name, port, protocol ) values ( 'discp-client', 2601, 'tcp' );
+replace services ( name, port, protocol ) values ( 'discp-client', 2601, 'udp' );
+replace services ( name, port, protocol ) values ( 'discp-server', 2602, 'tcp' );
+replace services ( name, port, protocol ) values ( 'discp-server', 2602, 'udp' );
+replace services ( name, port, protocol ) values ( 'servicemeter', 2603, 'tcp' );
+replace services ( name, port, protocol ) values ( 'servicemeter', 2603, 'udp' );
+replace services ( name, port, protocol ) values ( 'nsc-ccs', 2604, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nsc-ccs', 2604, 'udp' );
+replace services ( name, port, protocol ) values ( 'nsc-posa', 2605, 'tcp' );
+replace services ( name, port, protocol ) values ( 'nsc-posa', 2605, 'udp' );
+replace services ( name, port, protocol ) values ( 'netmon', 2606, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netmon', 2606, 'udp' );
+replace services ( name, port, protocol ) values ( 'corbaloc', 2809, 'tcp' );
+replace services ( name, port, protocol ) values ( 'icpv2', 3130, 'tcp' );
+replace services ( name, port, protocol ) values ( 'icpv2', 3130, 'udp' );
+replace services ( name, port, protocol ) values ( 'mysql', 3306, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mysql', 3306, 'udp' );
+replace services ( name, port, protocol ) values ( 'trnsprntproxy', 3346, 'tcp' );
+replace services ( name, port, protocol ) values ( 'trnsprntproxy', 3346, 'udp' );
+replace services ( name, port, protocol ) values ( 'rwhois', 4321, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rwhois', 4321, 'udp' );
+replace services ( name, port, protocol ) values ( 'krb524', 4444, 'tcp' );
+replace services ( name, port, protocol ) values ( 'krb524', 4444, 'udp' );
+replace services ( name, port, protocol ) values ( 'rfe', 5002, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rfe', 5002, 'udp' );
+replace services ( name, port, protocol ) values ( 'cfengine', 5308, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cfengine', 5308, 'udp' );
+replace services ( name, port, protocol ) values ( 'cvsup', 5999, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cvsup', 5999, 'udp' );
+replace services ( name, port, protocol ) values ( 'x11', 6000, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-fileserver', 7000, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-fileserver', 7000, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-callback', 7001, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-callback', 7001, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-prserver', 7002, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-prserver', 7002, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-vlserver', 7003, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-vlserver', 7003, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-kaserver', 7004, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-kaserver', 7004, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-volser', 7005, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-volser', 7005, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-errors', 7006, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-errors', 7006, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-bos', 7007, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-bos', 7007, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-update', 7008, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-update', 7008, 'udp' );
+replace services ( name, port, protocol ) values ( 'afs3-rmtsys', 7009, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afs3-rmtsys', 7009, 'udp' );
+replace services ( name, port, protocol ) values ( 'sd', 9876, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sd', 9876, 'udp' );
+replace services ( name, port, protocol ) values ( 'amanda', 10080, 'tcp' );
+replace services ( name, port, protocol ) values ( 'amanda', 10080, 'udp' );
+replace services ( name, port, protocol ) values ( 'pgpkeyserver', 11371, 'tcp' );
+replace services ( name, port, protocol ) values ( 'pgpkeyserver', 11371, 'udp' );
+replace services ( name, port, protocol ) values ( 'h323callsigalt', 11720, 'tcp' );
+replace services ( name, port, protocol ) values ( 'h323callsigalt', 11720, 'udp' );
+replace services ( name, port, protocol ) values ( 'bprd', 13720, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bprd', 13720, 'udp' );
+replace services ( name, port, protocol ) values ( 'bpdbm', 13721, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bpdbm', 13721, 'udp' );
+replace services ( name, port, protocol ) values ( 'bpjava-msvc', 13722, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bpjava-msvc', 13722, 'udp' );
+replace services ( name, port, protocol ) values ( 'vnetd', 13724, 'tcp' );
+replace services ( name, port, protocol ) values ( 'vnetd', 13724, 'udp' );
+replace services ( name, port, protocol ) values ( 'bpcd', 13782, 'tcp' );
+replace services ( name, port, protocol ) values ( 'bpcd', 13782, 'udp' );
+replace services ( name, port, protocol ) values ( 'vopied', 13783, 'tcp' );
+replace services ( name, port, protocol ) values ( 'vopied', 13783, 'udp' );
+replace services ( name, port, protocol ) values ( 'wnn6', 22273, 'tcp' );
+replace services ( name, port, protocol ) values ( 'wnn6', 22273, 'ucp' );
+replace services ( name, port, protocol ) values ( 'quake', 26000, 'tcp' );
+replace services ( name, port, protocol ) values ( 'quake', 26000, 'udp' );
+replace services ( name, port, protocol ) values ( 'wnn6-ds', 26208, 'tcp' );
+replace services ( name, port, protocol ) values ( 'wnn6-ds', 26208, 'udp' );
+replace services ( name, port, protocol ) values ( 'traceroute', 33434, 'tcp' );
+replace services ( name, port, protocol ) values ( 'traceroute', 33434, 'udp' );
+replace services ( name, port, protocol ) values ( 'rtmp', 1, 'ddp' );
+replace services ( name, port, protocol ) values ( 'nbp', 2, 'ddp' );
+replace services ( name, port, protocol ) values ( 'echo', 4, 'ddp' );
+replace services ( name, port, protocol ) values ( 'zip', 6, 'ddp' );
+replace services ( name, port, protocol ) values ( 'kerberos_master', 751, 'udp' );
+replace services ( name, port, protocol ) values ( 'kerberos_master', 751, 'tcp' );
+replace services ( name, port, protocol ) values ( 'passwd_server', 752, 'udp' );
+replace services ( name, port, protocol ) values ( 'krbupdate', 760, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kpop', 1109, 'tcp' );
+replace services ( name, port, protocol ) values ( 'knetd', 2053, 'tcp' );
+replace services ( name, port, protocol ) values ( 'krb5_prop', 754, 'tcp' );
+replace services ( name, port, protocol ) values ( 'eklogin', 2105, 'tcp' );
+replace services ( name, port, protocol ) values ( 'supfilesrv', 871, 'tcp' );
+replace services ( name, port, protocol ) values ( 'supfiledbg', 1127, 'tcp' );
+replace services ( name, port, protocol ) values ( 'netstat', 15, 'tcp' );
+replace services ( name, port, protocol ) values ( 'linuxconf', 98, 'tcp' );
+replace services ( name, port, protocol ) values ( 'poppassd', 106, 'tcp' );
+replace services ( name, port, protocol ) values ( 'poppassd', 106, 'udp' );
+replace services ( name, port, protocol ) values ( 'smtps', 465, 'tcp' );
+replace services ( name, port, protocol ) values ( 'gii', 616, 'tcp' );
+replace services ( name, port, protocol ) values ( 'omirr', 808, 'tcp' );
+replace services ( name, port, protocol ) values ( 'omirr', 808, 'udp' );
+replace services ( name, port, protocol ) values ( 'swat', 901, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rndc', 953, 'tcp' );
+replace services ( name, port, protocol ) values ( 'rndc', 953, 'udp' );
+replace services ( name, port, protocol ) values ( 'skkserv', 1178, 'tcp' );
+replace services ( name, port, protocol ) values ( 'xtel', 1313, 'tcp' );
+replace services ( name, port, protocol ) values ( 'support', 1529, 'tcp' );
+replace services ( name, port, protocol ) values ( 'cfinger', 2003, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ninstall', 2150, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ninstall', 2150, 'udp' );
+replace services ( name, port, protocol ) values ( 'afbackup', 2988, 'tcp' );
+replace services ( name, port, protocol ) values ( 'afbackup', 2988, 'udp' );
+replace services ( name, port, protocol ) values ( 'squid', 3128, 'tcp' );
+replace services ( name, port, protocol ) values ( 'prsvp', 3455, 'tcp' );
+replace services ( name, port, protocol ) values ( 'prsvp', 3455, 'udp' );
+replace services ( name, port, protocol ) values ( 'postgres', 5432, 'tcp' );
+replace services ( name, port, protocol ) values ( 'postgres', 5432, 'udp' );
+replace services ( name, port, protocol ) values ( 'fax', 4557, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hylafax', 4559, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sgi-dgl', 5232, 'tcp' );
+replace services ( name, port, protocol ) values ( 'sgi-dgl', 5232, 'udp' );
+replace services ( name, port, protocol ) values ( 'noclog', 5354, 'tcp' );
+replace services ( name, port, protocol ) values ( 'noclog', 5354, 'udp' );
+replace services ( name, port, protocol ) values ( 'hostmon', 5355, 'tcp' );
+replace services ( name, port, protocol ) values ( 'hostmon', 5355, 'udp' );
+replace services ( name, port, protocol ) values ( 'canna', 5680, 'tcp' );
+replace services ( name, port, protocol ) values ( 'x11-ssh-offset', 6010, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ircd', 6667, 'tcp' );
+replace services ( name, port, protocol ) values ( 'ircd', 6667, 'udp' );
+replace services ( name, port, protocol ) values ( 'xfs', 7100, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tircproxy', 7666, 'tcp' );
+replace services ( name, port, protocol ) values ( 'http-alt', 8008, 'tcp' );
+replace services ( name, port, protocol ) values ( 'http-alt', 8008, 'udp' );
+replace services ( name, port, protocol ) values ( 'webcache', 8080, 'tcp' );
+replace services ( name, port, protocol ) values ( 'webcache', 8080, 'udp' );
+replace services ( name, port, protocol ) values ( 'tproxy', 8081, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tproxy', 8081, 'udp' );
+replace services ( name, port, protocol ) values ( 'jetdirect', 9100, 'tcp' );
+replace services ( name, port, protocol ) values ( 'mandelspawn', 9359, 'udp' );
+replace services ( name, port, protocol ) values ( 'kamanda', 10081, 'tcp' );
+replace services ( name, port, protocol ) values ( 'kamanda', 10081, 'udp' );
+replace services ( name, port, protocol ) values ( 'amandaidx', 10082, 'tcp' );
+replace services ( name, port, protocol ) values ( 'amidxtape', 10083, 'tcp' );
+replace services ( name, port, protocol ) values ( 'isdnlog', 20011, 'tcp' );
+replace services ( name, port, protocol ) values ( 'isdnlog', 20011, 'udp' );
+replace services ( name, port, protocol ) values ( 'vboxd', 20012, 'tcp' );
+replace services ( name, port, protocol ) values ( 'vboxd', 20012, 'udp' );
+replace services ( name, port, protocol ) values ( 'wnn4_Kr', 22305, 'tcp' );
+replace services ( name, port, protocol ) values ( 'wnn4_Cn', 22289, 'tcp' );
+replace services ( name, port, protocol ) values ( 'wnn4_Tw', 22321, 'tcp' );
+replace services ( name, port, protocol ) values ( 'binkp', 24554, 'tcp' );
+replace services ( name, port, protocol ) values ( 'binkp', 24554, 'udp' );
+replace services ( name, port, protocol ) values ( 'asp', 27374, 'tcp' );
+replace services ( name, port, protocol ) values ( 'asp', 27374, 'udp' );
+replace services ( name, port, protocol ) values ( 'tfido', 60177, 'tcp' );
+replace services ( name, port, protocol ) values ( 'tfido', 60177, 'udp' );
+replace services ( name, port, protocol ) values ( 'fido', 60179, 'tcp' );
+replace services ( name, port, protocol ) values ( 'fido', 60179, 'udp' );
diff -Naur snort-2.2.0/snort-2.1.2/doc/README.fp snort-2.2.0fp/snort-2.1.2/doc/README.fp
--- snort-2.2.0/snort-2.1.2/doc/README.fp Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/snort-2.1.2/doc/README.fp Sun Jan 23 17:36:21 2005
@@ -0,0 +1,173 @@
+Snort!(fp): Real-Time Passive Network Fingerprinting with Snort!
+
+------------
+Introduction
+------------
+
+Snort!(fp) extends the capability of the Snort! intrusion detection
+open-source product to include OS and network daemon fingerprinting.
+
+Thus, with a properly configure Snort! environment (including the fp
+extension), you would be able to determine, given an IDS alert:
+(1) What operating system the (alert) source/destination system is running
+(2) What network services/daemons the (alert) source/destination
+system is running
+
+Example (1):
+An IDS alert indicates a DCOM vulnerability (known to only affect
+Windows System). Is the destination system running a Windows operating
+system? Snort!(fp) will tell you!
+
+Example (2):
+An IDS alert indicates a MS-SQL worm propogating on your network. Are the destination systems running MS-SQL? Snort!(fp) will tell you!
+
+Example (3):
+What new systems have appeared on my network? What OSes are they
+running? What services are they offering? Snort!(fp) will tell you!
+
+Example (4):
+Are any of my old systems offering new network services that they
+shouldn't be? Perhaps a backdoor of some kind? Snort!(fp) will tell you!
+
+------------
+Architecture
+------------
+
+Snort!(fp) is based on the following tools:
+
+IDS: Snort! (needs to be patched before building)
+DB: MySQL (no modifications except to tables)
+HTTPD: Apache (no modifications needed)
+Interface: ACID (needs to be patched to support fingerprinting)
+OS Fingerprinting: p0f (the 'p2s' utility converts to Snort!syntax)
+Service Fingerprinting: native Snort! rules
+
+Both Snort!and ACID have been extended to support fingerprinting functions. The ACID database schema has also been modified to support fingerprinting.
+
+Snort! Modifications:
+
+The following Snort!syntax has been modified/added to support OS fingerprinting. With the addition of this syntax, p0f rules can be identically replicated in Snort!
+
+window:[%,S,T]value; Added modulus, "S" and "T" p0f window functions.
+ttl:[<,>,=,<=,>=]value; Modified TTL to support <= and >= operators.
+length:[>,<,=]value; Added tests for actual packet length (as compared to dsize).
+tcpopts Added TCP options test. Multiple options separated by comma.
+tcpopts:nop; NOP.
+tcpopts:eol; EOL.
+tcpopts:ws[=,%]value; Window Scale
+tcpopts:mss[=,%]value; Maximum Segment Size
+tcpopts:sack; Selective ACK
+tcpopts:time[!,=]value; Timestamp
+tcpopts:number=value; Generic TCP option number equals value.
+quirks TCP Quirks checks (from p0f)
+quirks:opeol; TCP options past EOL.
+quirks:nzup; Non-zero urgent pointer.
+quirks:nzuf; Non-zero unused (reserved) TCP flags
+quirks:oddflags; Unususal TCP flags set.
+quirks:extra; Extra TCP payload data.
+quirks:broken; Broken TCP options.
+quirks:seqack; Sequence number equals acknowledgement number.
+quirks:rsttext; Text (payload data) found in RST packet.
+
+Additional modifications have been made in Snort! to support fingerprinting, especially within the database logging routines. These modifications had to be made to separate traditional alerts from fingerprint log information.
+
+Snort.conf and classification.config have also been modified. Most notably, an service-fingerprint and os-fingerprint classification type have been added. To increase efficiency, classification.config is now read earlier in snort.conf such that the database output plugin is aware of the fingerprinting data type. (This prevents a classification lookup for every packet logged.)
+
+Database Schema:
+
+The MySQL database schema (other DB's not yet supported) has been modified to support fingerprinting. Most notably, the addition of the "fpevent" table was created to separate standard alert events (originally and still in the "event" table) from fingerprint alerts. The fpevent table (and corresponding Snort!database routine functions) have been modified to store only the first and last fingerprint entries for a given IP and port number (OS fingerprints are identified by port 0). It is too impractical to store every fingerprint event. However, given the first and last timestamps, we can answer important questions such as "What new services have appeared on my network in the last 24 hours?"
+
+Additionally, generic fingerprint events are never replaced by existing specific fingerprint events. The standard Snort! "priority" field is used to identify more specific fingerprint descriptions. For example, a previously identified "specific" Apache Web Server should not be replaced by a "generic" TCP service fingerprint on port 80. Similar to Snort!alert syntax, a lower priority is considered a more specific fingerprint.
+
+ACID Modifications:
+
+Two major modifications have been added to ACID. First, the IP query (acid_stat_ipaddr) screen has been modified to include any fingerprints assocatied with the queried address. Second, a "Network Fingerprints" (acid_stat_fingerprints) query has been added to display a list of all fingerprints. Fingerprints can be sorted by address, port, signature, first seen (time), last seen (time), and service description.
+
+------------
+Installation
+------------
+
+These are general installation directions. The reader is assumed to
+have knowledge of integrating ACID, MYSQL, Apache and Snort!
+
+1. Download, build and install MYSQL database (www.mysql.com)
+
+2. Download, build and install Apache httpd (www.apache.org)
+
+3. Snort! IDS
+
+3.1 Download the Snort! 2.1.2 source code (www.Snort.org)
+3.2 Apply the 2.1.2fp patch
+
+ $ cd snort-2.1.2
+ $ patch -Np1 < snort-2.1.2fp.patch
+
+3.3 Build Snort! with MYSQL DB support enabled
+
+ $ configure --with-mysql[=/mysql/directory/path]
+ $ make
+
+ Warning(s) that can be safely ignored:
+
+ spo_database.c:2417: warning: second parameter of `va_start'
+ not last named argument
+
+ # make install
+
+4. Update MYSQL Schema
+
+ Replace (as in destroy all previous data) MySQL database to support
+ fingerprinting.
+ YES, THIS WILL DESTROY ANY OLD DATA, so backup appropriately.
+
+ $ mysql -u root -p < ./contrib/create_mysql_fp
+
+5. ACID
+
+5.1 Download, build and install ACID (http://www.andrew.cmu.edu/~rdanyliw/Snort/Snortacid.html, also available in ./contrib directory)
+
+5.2 Apply the acid-0.9.6b23fp.patch directly in your htdocs/acid directory (patch available in ./contrib directory)
+
+ # cd /usr/local/apache2/htdocs/acid
+ # patch -Np1 < acid-0.9.6b23fp.patch
+
+6. Configure snort.conf for MYSQL database support -- be sure to use
+the patched snort.conf and classification.conf files
+
+7. Copy osfp-syn.rules and servicefp.rules from the 2.1.2 patched
+directory to your Snort! rules directory.
+
+8. Start your HTTPD, MYSQL, and Snort! daemons
+
+9. Browse ACID -- See the "Network Fingerprints" links on main page.
+
+---
+p2s
+---
+
+p2s is a conversion utility to convert p0f files to Snort! rules.
+See ./contrib/p2s-2.1.tar.gz for more info, including source and README.p2s
+
+--------------
+TODO/NEED HELP
+--------------
+
+(1) Complete testing of the p0f Snort! signatures. See README.p2s in the
+gzipped archive for testing status.
+(2) Test on other platforms. Successfully tested on Red Hat Linux 8.0.
+(3) Write DB routines in spo_database.c to support other databases.
+Presently, only MYSQL supported.
+(4) Write more OS and service signatures!
+
+------------
+Bugs/Support
+------------
+
+If you'd like to report a bug or contribute in another way to the Snort!(fp) project,
+please contact me directly at sdreed@verizon.net.
+
+On-On!
+
+
+
+
diff -Naur snort-2.2.0/src/decode.c snort-2.2.0fp/src/decode.c
--- snort-2.2.0/src/decode.c Thu Jun 3 14:11:05 2004
+++ snort-2.2.0fp/src/decode.c Sun Jan 23 17:35:56 2005
@@ -1724,6 +1724,9 @@
/* lay the IP struct over the raw data */
p->iph = (IPHdr *) pkt;
+ /* SDR ADDED NEXT LINE */
+ p->ip_hop_count = IP_HOP_COUNT_UNDEFINED;
+
DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "Packet!\n"););
/* do a little validation */
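Review bot: The comment `/* SDR ADDED NEXT LINE */` in this hunk (and the same text in the second decode.c hunk) records who added the line rather than why the field is reset here, which is what a later maintainer of decode.c needs; suggest `/* fingerprinting: no hop count has been derived for this header yet */` in both places. Both hunks write the same single `p->ip_hop_count` field — this one for the outer header (`p->iph`), the second for the ICMP-embedded header (`p->orig_iph` in DecodeIPOnly) — so if anything derives the outer hop count before the embedded header is decoded, the second reset would discard it; worth confirming against the code that consumes the field, which is not in this patch. The enclosing decode functions start and end outside both hunks.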
@@ -1953,6 +1956,9 @@
/* lay the IP struct over the raw data */
p->orig_iph = (IPHdr *) pkt;
+
+ /* SDR ADDED NEXT LINE */
+ p->ip_hop_count = IP_HOP_COUNT_UNDEFINED;
DEBUG_WRAP(DebugMessage(DEBUG_DECODE, "DecodeIPOnly: ip header starts at: %p, "
"length is %lu\n", p->orig_iph, (unsigned long) len););
diff -Naur snort-2.2.0/src/decode.h snort-2.2.0fp/src/decode.h
--- snort-2.2.0/src/decode.h Thu Mar 11 15:25:52 2004
+++ snort-2.2.0fp/src/decode.h Sun Jan 23 17:36:14 2005
@@ -188,6 +188,8 @@
#define IP_MAXPACKET 65535 /* maximum packet size */
#endif /* IP_MAXPACKET */
+#define IP_HOP_COUNT_UNDEFINED -1 /* SDR: Added for fingerprinting */
+
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
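Review bot: `#define IP_HOP_COUNT_UNDEFINED -1` expands to an unparenthesized negative literal; the conventional form is `#define IP_HOP_COUNT_UNDEFINED (-1) /* sentinel: hop count not derived for this packet */` so that it behaves as a single operand wherever it is substituted. The comment `SDR: Added for fingerprinting` again names the author rather than the meaning of the value; the sentinel semantics belong in the comment, as proposed above, and the same applies to the `int ip_hop_count` field added in the second hunk of this file.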
@@ -1079,6 +1081,7 @@
IPHdr *iph, *orig_iph; /* and orig. headers for ICMP_*_UNREACH family */
u_int32_t ip_options_len;
u_int8_t *ip_options_data;
+ int ip_hop_count; /* SDR ADDED: IP hop count */
TCPHdr *tcph, *orig_tcph;
u_int32_t tcp_options_len;
diff -Naur snort-2.2.0/src/detection-plugins/Makefile.am snort-2.2.0fp/src/detection-plugins/Makefile.am
--- snort-2.2.0/src/detection-plugins/Makefile.am Wed Jun 16 12:49:24 2004
+++ snort-2.2.0fp/src/detection-plugins/Makefile.am Sun Jan 23 21:33:07 2005
@@ -16,6 +16,8 @@
sp_tcp_win_check.c sp_tcp_win_check.h sp_ttl_check.c sp_ttl_check.h \
sp_clientserver.c sp_clientserver.h sp_byte_check.c sp_byte_check.h \
sp_byte_jump.c sp_byte_jump.h sp_pcre.c sp_pcre.h sp_isdataat.c sp_isdataat.h \
-sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h
+sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h \
+sp_ip_length_check.c sp_ip_length_check.h sp_tcp_option_check.c \
+sp_tcp_option_check.h sp_tcp_quirks_check.s sp_tcp_quirks_check.h
INCLUDES = @INCLUDES@
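Review bot: `sp_tcp_quirks_check.s` is added to `libspd_a_SOURCES`, but the file this patch creates is `sp_tcp_quirks_check.c` (see the later `diff -Naur ... sp_tcp_quirks_check.c` header); the `.s` suffix tells automake the unit is assembler, and no such file exists in the patch, so the build breaks or silently compiles the wrong thing. That mistake is what forced the hand edits to the generated Makefile.in in the following three hunks (`CCASCOMPILE`, `CCASFLAGS`, the `.s` suffix and `.s.o`/`.s.obj` rules). Change the last added line to `sp_tcp_option_check.h sp_tcp_quirks_check.c sp_tcp_quirks_check.h`, drop the assembler additions, and regenerate Makefile.in with automake instead of patching it by hand.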
diff -Naur snort-2.2.0/src/detection-plugins/Makefile.in snort-2.2.0fp/src/detection-plugins/Makefile.in
--- snort-2.2.0/src/detection-plugins/Makefile.in Wed Aug 11 13:51:03 2004
+++ snort-2.2.0fp/src/detection-plugins/Makefile.in Sun Jan 23 21:37:25 2005
@@ -97,7 +97,9 @@
sp_tcp_win_check.c sp_tcp_win_check.h sp_ttl_check.c sp_ttl_check.h \
sp_clientserver.c sp_clientserver.h sp_byte_check.c sp_byte_check.h \
sp_byte_jump.c sp_byte_jump.h sp_pcre.c sp_pcre.h sp_isdataat.c sp_isdataat.h \
-sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h
+sp_flowbits.c sp_flowbits.h sp_asn1.c sp_asn1.h \
+sp_ip_length_check.c sp_ip_length_check.h sp_tcp_option_check.c \
+sp_tcp_option_check.h sp_tcp_quirks_check.s sp_tcp_quirks_check.h
subdir = src/detection-plugins
mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
@@ -120,7 +122,8 @@
sp_tcp_win_check.$(OBJEXT) sp_ttl_check.$(OBJEXT) \
sp_clientserver.$(OBJEXT) sp_byte_check.$(OBJEXT) \
sp_byte_jump.$(OBJEXT) sp_pcre.$(OBJEXT) sp_isdataat.$(OBJEXT) \
- sp_flowbits.$(OBJEXT) sp_asn1.$(OBJEXT)
+ sp_flowbits.$(OBJEXT) sp_asn1.$(OBJEXT) sp_ip_length_check.$(OBJEXT) \
+ sp_tcp_option_check.$(OBJEXT) sp_tcp_quirks_check.$(OBJEXT)
libspd_a_OBJECTS = $(am_libspd_a_OBJECTS)
DEFS = @DEFS@
@@ -135,6 +138,8 @@
CCLD = $(CC)
LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
CFLAGS = @CFLAGS@
+CCASCOMPILE = $(CCAS) $(AM_CCASFLAGS) $(CCASFLAGS)
+CCASFLAGS = @CCASFLAGS@
DIST_SOURCES = $(libspd_a_SOURCES)
DIST_COMMON = Makefile.am Makefile.in
SOURCES = $(libspd_a_SOURCES)
@@ -142,7 +147,7 @@
all: all-am
.SUFFIXES:
-.SUFFIXES: .c .o .obj
+.SUFFIXES: .c .o .obj .s
$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4)
cd $(top_srcdir) && \
$(AUTOMAKE) --foreign src/detection-plugins/Makefile
@@ -169,6 +174,12 @@
.c.obj:
$(COMPILE) -c `cygpath -w $<`
+
+.s.o:
+ $(CCASCOMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$<
+
+.s.obj:
+ $(CCASCOMPILE) -c `cygpath -w $<`
uninstall-info-am:
ETAGS = etags
diff -Naur snort-2.2.0/src/detection-plugins/sp_ip_length_check.c snort-2.2.0fp/src/detection-plugins/sp_ip_length_check.c
--- snort-2.2.0/src/detection-plugins/sp_ip_length_check.c Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/src/detection-plugins/sp_ip_length_check.c Sun Jan 23 17:36:13 2005
@@ -0,0 +1,299 @@
+/*
+** Copyright (C) 1998-2002 Martin Roesch
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License as published by
+** the Free Software Foundation; either version 2 of the License, or
+** (at your option) any later version.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/* $Id$ */
+/* SDR ADDED FILE */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include
+#include
+#include
+#include
+
+#ifdef HAVE_STRINGS_H
+#include
+#endif
+
+#include "rules.h"
+#include "decode.h"
+#include "plugbase.h"
+#include "parser.h"
+#include "debug.h"
+#include "plugin_enum.h"
+#include "util.h"
+
+typedef struct _IpLengthData
+{
+ u_int16_t ip_length;
+ u_int8_t not_flag;
+
+} IpLengthData;
+
+void IpLengthCheckInit(char *, OptTreeNode *, int);
+void ParseIpLength(char *, OptTreeNode *);
+int IpLengthCheckEq(Packet *, struct _OptTreeNode *, OptFpList *);
+int IpLengthCheckLT(Packet *, struct _OptTreeNode *, OptFpList *);
+int IpLengthCheckGT(Packet *, struct _OptTreeNode *, OptFpList *);
+
+
+/****************************************************************************
+ *
+ * Function: SetupIpLengthCheck()
+ *
+ * Purpose: Associate the length keyword with IpLengthCheckInit
+ *
+ * Arguments: None.
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void SetupIpLengthCheck()
+{
+ /* map the keyword to an initialization/processing function */
+ RegisterPlugin("length", IpLengthCheckInit);
+ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Plugin: IpLengthCheck Initialized\n"););
+}
+
+
+/****************************************************************************
+ *
+ * Function: IpLengthCheckInit(char *, OptTreeNode *)
+ *
+ * Purpose: Setup the length data struct and link the function into option
+ * function pointer list
+ *
+ * Arguments: data => rule arguments/data
+ * otn => pointer to the current rule option list node
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void IpLengthCheckInit(char *data, OptTreeNode *otn, int protocol)
+{
+ /* multiple declaration check */
+ if(otn->ds_list[PLUGIN_IP_LENGTH_CHECK])
+ {
+ FatalError("%s(%d): Multiple IP length options in rule\n", file_name,
+ file_line);
+ }
+
+ /* allocate the data structure and attach it to the
+ rule's data struct list */
+ otn->ds_list[PLUGIN_IP_LENGTH_CHECK] = (IpLengthData *)
+ SnortAlloc(sizeof(IpLengthData));
+
+ /* this is where the keyword arguments are processed and placed into the
+ rule option's data structure */
+ ParseIpLength(data, otn);
+
+}
+
+
+
+/****************************************************************************
+ *
+ * Function: ParseIpLength(char *, OptTreeNode *)
+ *
+ * Purpose: Convert the length option argument to data and plug it into the
+ * data structure
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void ParseIpLength(char *data, OptTreeNode *otn)
+{
+ IpLengthData *ds_ptr; /* data struct pointer */
+
+ /* set the ds pointer to make it easier to reference the option's
+ particular data struct */
+ ds_ptr = otn->ds_list[PLUGIN_IP_LENGTH_CHECK];
+
+ /* get rid of any whitespace */
+ while(isspace((int)*data))
+ {
+ data++;
+ }
+
+ /* process operator(s) */
+ if(data[0] == '!')
+ {
+ ds_ptr->not_flag = 1;
+ }
+
+ /* Locate the operator, and set appropriate handling function */
+
+ switch (*data) {
+ case '=':
+ AddOptFuncToList ( IpLengthCheckEq, otn );
+ data++;
+ break;
+ case '>':
+ AddOptFuncToList ( IpLengthCheckGT, otn );
+ data++;
+ break;
+ case '<':
+ AddOptFuncToList ( IpLengthCheckLT, otn );
+ data++;
+ break;
+ default:
+ /* default to the '=' operator, but don't advance pointer */
+ /* in case that 'data' is legal digit */
+ AddOptFuncToList ( IpLengthCheckEq, otn );
+ break;
+ }
+
+ /* get rid of any whitespace */
+ while(isspace((int)*data))
+ {
+ data++;
+ }
+
+
+ if(index(data, (int) 'x') == NULL && index(data, (int)'X') == NULL)
+ {
+ ds_ptr->ip_length = atoi(data);
+ }
+ else
+ {
+ if(index(data,(int)'x'))
+ {
+ ds_ptr->ip_length = (u_char) strtol((index(data, (int)'x')+1), NULL, 16);
+ }
+ else
+ {
+ ds_ptr->ip_length = (u_char) strtol((index(data, (int)'X')+1), NULL, 16);
+ }
+ }
+
+ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"ip length set to %d\n", ds_ptr->ip_length););
+}
+
+
+/****************************************************************************
+ *
+ * Function: IpLengthCheckEq(char *, OptTreeNode *)
+ *
+ * Purpose: Test the ip header's length field to see if its value is equal to the
+ * value in the rule.
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+int IpLengthCheckEq(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+{
+ if(!p->iph)
+ return 0; /* if error occured while ip header
+ * was processed, return 0 automagically.
+ */
+
+ if((((IpLengthData *)otn->ds_list[PLUGIN_IP_LENGTH_CHECK])->ip_length ==
+ htons(p->iph->ip_len)) ^ (((IpLengthData *)otn->ds_list[PLUGIN_IP_LENGTH_CHECK])->not_flag))
+ {
+ /* call the next function in the function list recursively */
+ return fp_list->next->OptTestFunc(p, otn, fp_list->next);
+ }
+ else
+ {
+ /* you can put debug comments here or not */
+ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match\n"););
+ }
+
+ /* if the test isn't successful, return 0 */
+ return 0;
+}
+
+/****************************************************************************
+ *
+ * Function: IpLengthCheckLT(char *, OptTreeNode *)
+ *
+ * Purpose: Test the ip header's length field to see if its value is less than the
+ * value in the rule.
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+int IpLengthCheckLT(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+{
+ if(!p->iph)
+ return 0; /* if error occured while ip header
+ * was processed, return 0 automagically.
+ */
+
+ if( ntohs(p->iph->ip_len) <
+ ((IpLengthData *)otn->ds_list[PLUGIN_IP_LENGTH_CHECK])->ip_length )
+ {
+ /* call the next function in the function list recursively */
+ return fp_list->next->OptTestFunc(p, otn, fp_list->next);
+ }
+ else
+ {
+ /* you can put debug comments here or not */
+ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match\n"););
+ }
+
+ /* if the test isn't successful, return 0 */
+ return 0;
+}
+
+/****************************************************************************
+ *
+ * Function: IpLengthCheckGT(char *, OptTreeNode *)
+ *
+ * Purpose: Test the ip header's length field to see if its value is greater than the
+ * value in the rule.
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+int IpLengthCheckGT(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+{
+ if(!p->iph)
+ return 0; /* if error occured while ip header
+ * was processed, return 0 automagically.
+ */
+
+ if( ntohs(p->iph->ip_len) >
+ ((IpLengthData *)otn->ds_list[PLUGIN_IP_LENGTH_CHECK])->ip_length )
+ {
+ /* call the next function in the function list recursively */
+ return fp_list->next->OptTestFunc(p, otn, fp_list->next);
+ }
+ else
+ {
+ /* you can put debug comments here or not */
+ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"No match\n"););
+ }
+
+ /* if the test isn't successful, return 0 */
+ return 0;
+}
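Review bot: ParseIpLength records `!` at `if(data[0] == '!')` but never advances `data`, so the following `switch (*data)` sees `'!'`, falls to the default Eq handler, and `atoi("!60")` yields 0 — `length:!60` ends up meaning "length != 0" instead of "length != 60"; the sibling change in sp_tcp_ack_check.c does `data++;` after setting the flag and this branch needs the same line. The hex branch casts the parsed value to `(u_char)`, truncating a 16-bit IP length to 8 bits (`length:0x100` stores 0); both `strtol` lines should cast to `(u_int16_t)`. `not_flag` is honored only by IpLengthCheckEq — IpLengthCheckLT and IpLengthCheckGT ignore it, and Eq converts with `htons` where the other two use `ntohs` — so either reject `!` together with `<`/`>` at parse time or apply it in all three comparisons. The header comments of the three check functions were copied from the parser and still say `(char *, OptTreeNode *)` and `Returns: void function`; they should read `(Packet *, OptTreeNode *, OptFpList *)` and `Returns: result of the next option test on match, 0 otherwise`.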
diff -Naur snort-2.2.0/src/detection-plugins/sp_ip_length_check.h snort-2.2.0fp/src/detection-plugins/sp_ip_length_check.h
--- snort-2.2.0/src/detection-plugins/sp_ip_length_check.h Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/src/detection-plugins/sp_ip_length_check.h Sun Jan 23 17:36:12 2005
@@ -0,0 +1,25 @@
+/*
+** Copyright (C) 1998-2002 Martin Roesch
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License as published by
+** the Free Software Foundation; either version 2 of the License, or
+** (at your option) any later version.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/* $Id$ */
+#ifndef __SP_IP_LENGTH_CHECK_H__
+#define __SP_IP_LENGTH_CHECK_H__
+
+void SetupIpLengthCheck();
+
+#endif /* __SP_IP_LENGTH_CHECK_H__ */
diff -Naur snort-2.2.0/src/detection-plugins/sp_tcp_ack_check.c snort-2.2.0fp/src/detection-plugins/sp_tcp_ack_check.c
--- snort-2.2.0/src/detection-plugins/sp_tcp_ack_check.c Mon Oct 20 09:03:32 2003
+++ snort-2.2.0fp/src/detection-plugins/sp_tcp_ack_check.c Sun Jan 23 17:36:12 2005
@@ -38,6 +38,8 @@
typedef struct _TcpAckCheckData
{
u_long tcp_ack;
+ u_int8_t not_flag; /* ADDED SDR */
+
} TcpAckCheckData;
void TcpAckCheckInit(char *, OptTreeNode *, int);
@@ -129,6 +131,20 @@
/* set the ds pointer to make it easier to reference the option's
particular data struct */
ds_ptr = otn->ds_list[PLUGIN_TCP_ACK_CHECK];
+ /* BEGIN ADD SDR */
+ ds_ptr->not_flag = 0;
+
+ while(isspace((int)*data))
+ {
+ data++;
+ }
+
+ if(data[0] == '!')
+ {
+ ds_ptr->not_flag = 1;
+ data++;
+ }
+ /* END ADD SDR */
ds_ptr->tcp_ack = strtoul(data, ep, 0);
ds_ptr->tcp_ack = htonl(ds_ptr->tcp_ack);
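Review bot: The `!` negation this hunk adds to the `ack` keyword is not documented anywhere in the patch: README.fp's syntax table lists the `window`, `ttl`, `length`, `tcpopts` and `quirks` extensions but not `ack`, so rule authors have no way to discover it. Add an entry next to the `ttl` line such as `ack:[!]value;  Added negation of the acknowledgement-number test.`. The enclosing parse function starts and ends outside the hunk.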
@@ -155,7 +171,9 @@
if(!p->tcph)
return 0; /* if error appeared when tcp header was processed,
* test fails automagically */
- if(((TcpAckCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->tcp_ack == p->tcph->th_ack)
+ /* SDR REPLACED FOLLOWING LINE */
+ if((((TcpAckCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->tcp_ack == p->tcph->th_ack) ^
+ (((TcpAckCheckData *)otn->ds_list[PLUGIN_TCP_ACK_CHECK])->not_flag))
{
/* call the next function in the function list recursively */
return fp_list->next->OptTestFunc(p, otn, fp_list->next);
diff -Naur snort-2.2.0/src/detection-plugins/sp_tcp_option_check.c snort-2.2.0fp/src/detection-plugins/sp_tcp_option_check.c
--- snort-2.2.0/src/detection-plugins/sp_tcp_option_check.c Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/src/detection-plugins/sp_tcp_option_check.c Sun Jan 23 17:36:12 2005
@@ -0,0 +1,312 @@
+/*
+** Copyright (C) 1998-2002 Martin Roesch
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License as published by
+** the Free Software Foundation; either version 2 of the License, or
+** (at your option) any later version.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/* $Id$ */
+/* SDR ADDED FILE */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include
+#include
+#include
+#include
+
+#include "rules.h"
+#include "decode.h"
+#include "plugbase.h"
+#include "parser.h"
+#include "debug.h"
+#include "util.h"
+#include "plugin_enum.h"
+#include "mstring.h"
+
+/* _Option data type doesn't really work for us here, so we will create our own */
+
+typedef struct _TcpOptionData
+{
+ u_int8_t code[TCP_OPTLENMAX];
+ u_char operator[TCP_OPTLENMAX];
+ u_int16_t value[TCP_OPTLENMAX];
+ u_int16_t tcp_option_count;
+} TcpOptionData;
+
+void TcpOptionInit(char *, OptTreeNode *, int);
+void ParseTcpOptionData(char *, OptTreeNode *);
+int CheckTcpOptions(Packet *, struct _OptTreeNode *, OptFpList *);
+
+/****************************************************************************
+ *
+ * Function: SetupTcpOptionCheck()
+ *
+ * Purpose: Associate the 'tcpopts' keyword with TcpOptionInit
+ *
+ * Arguments: None.
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void SetupTcpOptionCheck()
+{
+ /* map the keyword to an initialization/processing function */
+ RegisterPlugin("tcpopts", TcpOptionInit);
+ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: TcpOptionCheck Initialized\n"););
+}
+
+
+/****************************************************************************
+ *
+ * Function: TcpOptionInit(char *, OptTreeNode *)
+ *
+ * Purpose: Setup the TcpOptionData struct and link the function into option
+ * function pointer list
+ *
+ * Arguments: data => rule arguments/data
+ * otn => pointer to the current rule option list node
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void TcpOptionInit(char *data, OptTreeNode *otn, int protocol)
+{
+ /* multiple declaration check */
+ if(otn->ds_list[PLUGIN_TCP_OPTION_CHECK])
+ {
+ FatalError("%s(%d): Multiple tcpopts options in rule\n", file_name,
+ file_line);
+ }
+
+ /* allocate the data structure and attach it to the
+ rule's data struct list */
+ otn->ds_list[PLUGIN_TCP_OPTION_CHECK] = (TcpOptionData *)
+ SnortAlloc(sizeof(TcpOptionData));
+
+ /* this is where the keyword arguments are processed and placed into the
+ rule option's data structure */
+ ParseTcpOptionData(data, otn);
+
+ /* finally, attach the option's detection function to the rule's
+ detect function pointer list */
+ AddOptFuncToList(CheckTcpOptions, otn);
+}
+
+/****************************************************************************
+ *
+ * Function: ParseTcpOptionData(char *, OptTreeNode *)
+ *
+ * Purpose: Convert the tcpopts argument to data and plug it into the
+ * data structure
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void ParseTcpOptionData(char *data, OptTreeNode *otn)
+{
+ TcpOptionData *ds_ptr; /* data struct pointer */
+ char **toks; /* tokens found in option data */
+ int num_toks; /* number of tokens found in option data */
+ int i;
+ char *p;
+
+
+ /* set the ds pointer to make it easier to reference the option's
+ particular data struct */
+ ds_ptr = otn->ds_list[PLUGIN_TCP_OPTION_CHECK];
+
+ /* initialize variables in structure */
+ for ( i = 0; i < TCP_OPTLENMAX; i ++ ) {
+ ds_ptr->code[i] = ds_ptr->value[i] = 0;
+ ds_ptr->operator[i] = '\0';
+ }
+ ds_ptr->tcp_option_count = 0;
+
+ if(data == NULL)
+ {
+ FatalError("TCP Option keyword missing argument!\n", file_name, file_line);
+ }
+
+ /* Parse the data options into something useful */
+ toks = mSplit ( data, ",", TCP_OPTLENMAX, &num_toks, '\\' );
+
+ for ( i = 0; i < num_toks; i++ ) {
+ if ( strstr ( toks[i], "nop" ) ) {
+ ds_ptr->code[i] = TCPOPT_NOP;
+ ds_ptr->tcp_option_count++;
+ free ( toks[i] ); /* done parsing this token, free up memory */
+ continue;
+ }
+ if ( strstr ( toks[i], "eol" ) ) {
+ ds_ptr->code[i] = TCPOPT_EOL;
+ ds_ptr->tcp_option_count++;
+ free ( toks[i] );
+ continue;
+ }
+ if ( strstr ( toks[i], "sack" ) ) {
+ ds_ptr->code[i] = TCPOPT_SACKOK;
+ ds_ptr->tcp_option_count++;
+ free ( toks[i] );
+ continue;
+ }
+ if ( strstr ( toks[i], "eol" ) ) {
+ ds_ptr->code[i] = TCPOPT_EOL;
+ ds_ptr->tcp_option_count++;
+ free ( toks[i] );
+ continue;
+ }
+ if ( strstr ( toks[i], "ws" ) ) {
+ ds_ptr->code[i] = TCPOPT_WSCALE;
+ ds_ptr->tcp_option_count++;
+ if ( ( p = strchr ( toks[i], '%' ) ) ) {
+ ds_ptr->operator[i] = '%';
+ ds_ptr->value[i] = atoi ( p+1 );
+ }
+ if ( ( p = strchr ( toks[i], '=' ) ) ) {
+ ds_ptr->operator[i] = '=';
+ ds_ptr->value[i] = atoi ( p+1 );
+ }
+ free ( toks[i] );
+ continue;
+ }
+ if ( strstr ( toks[i], "mss" ) ) {
+ ds_ptr->code[i] = TCPOPT_MAXSEG;
+ ds_ptr->tcp_option_count++;
+ if ( ( p = strchr ( toks[i], '%' ) ) ) {
+ ds_ptr->operator[i] = '%';
+ ds_ptr->value[i] = atoi ( p+1 );
+ }
+ if ( ( p = strchr ( toks[i], '=' ) ) ) {
+ ds_ptr->operator[i] = '=';
+ ds_ptr->value[i] = atoi ( p+1 );
+ }
+ free ( toks[i] );
+ continue;
+ }
+ if ( strstr ( toks[i], "time" ) ) {
+ ds_ptr->code[i] = TCPOPT_TIMESTAMP;
+ ds_ptr->tcp_option_count++;
+ if ( ( p = strchr ( toks[i], '=' ) ) ) {
+ if ( *(p-1) == '!' )
+ ds_ptr->operator[i] = '!';
+ else
+ ds_ptr->operator[i] = '=';
+ ds_ptr->value[i] = atoi ( p+1 );
+ }
+ free ( toks[i] );
+ continue;
+ }
+ if ( strstr ( toks[i], "number" ) && ( p = strchr ( toks[i], '=' ) ) ) {
+ ds_ptr->code[i] = atoi ( p+1 );
+ ds_ptr->tcp_option_count++;
+ free ( toks[i] );
+ continue;
+ }
+
+ /* if we made it here, we can't parse the option! */
+ FatalError("%s(%d) => Unknown TCP option argument: %s!\n",
+ file_name, file_line, data);
+ }
+
+ return;
+
+}
+
+
+/****************************************************************************
+ *
+ * Function: CheckTcpOptions(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+ *
+ * Purpose: Test the ip header's length field to see if its value is equal to the
+ * value in the rule.
+ *
+ * Arguments: p => pointer to current packet being processed
+ * otn => pointer to the current rule's OTN
+ fp_list => pointer to linked list of functions to test
+ *
+ * Returns: (0) on failure (options and values do not match the rule's)
+ * (non-zero) on success
+ *
+ ****************************************************************************/
+int CheckTcpOptions(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+{
+ TcpOptionData *ds_ptr; /* data struct pointer */
+ u_int8_t i;
+ u_int16_t optionValue;
+ char *optionValueStr;
+
+ if(!p->iph)
+ return 0; /* if error occured while ip header
+ * was processed, return 0 automagically.
+ */
+
+ /* set the ds pointer to make it easier to reference the option's
+ particular data struct */
+ ds_ptr = otn->ds_list[PLUGIN_TCP_OPTION_CHECK];
+
+ /* First, check to see if the option count is the same or
+ * no options to check */
+ if ( ( ds_ptr->tcp_option_count != p->tcp_option_count )
+ || ! p->tcp_option_count )
+ return 0;
+
+ /* Now, compare option by option, including operators if present */
+ for ( i = 0; i < ds_ptr->tcp_option_count; i++ ) {
+
+ /* verify same code number */
+ if ( ds_ptr->code[i] != p->tcp_options[i].code )
+ return 0;
+
+ switch ( ds_ptr->code[i] ) {
+
+ case TCPOPT_WSCALE:
+ case TCPOPT_MAXSEG:
+ case TCPOPT_TIMESTAMP:
+ optionValueStr = TCPOptionValue ( &p->tcp_options[i] );
+ optionValue = atoi ( optionValueStr );
+ free ( optionValueStr );
+
+ switch ( ds_ptr->operator[i] ) {
+ case '=':
+ if ( optionValue != ds_ptr->value[i] ) return 0;
+ break;
+ case '%':
+ if ( (ulong) optionValue % (ulong) ds_ptr->value[i] ) return 0;
+ break;
+ case '!':
+ if ( optionValue == ds_ptr->value[i] ) return 0;
+ break;
+ default:
+ /* if there's no operator, then still okay */
+ break;
+ } /* end switch */
+
+ default:
+ /* all other operators have no argument */
+ break;
+
+ } /* end switch */
+
+ } /* end for */
+
+ /* we have a match, keep processing this rule! */
+ return fp_list->next->OptTestFunc(p, otn, fp_list->next);
+
+}
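Review bot: A `%` operator with a zero or missing value reaches `(ulong) optionValue % (ulong) ds_ptr->value[i]` in CheckTcpOptions, and because ParseTcpOptionData stores `atoi ( p+1 )` unchecked, a rule such as `tcpopts:ws%0;` (or `ws%`) makes the sensor divide by zero on the first packet whose option list reaches that comparison — a crash of the IDS process caused by a rule typo. Reject it at load time in both the `ws` and `mss` branches directly after `ds_ptr->value[i] = atoi ( p+1 );` with `if ( ds_ptr->value[i] == 0 ) FatalError("%s(%d) => tcpopts modulus must be non-zero: %s\n", file_name, file_line, toks[i]);`. CheckTcpOptions guards on `!p->iph` but then reads `p->tcp_option_count` and `p->tcp_options`; the guard should be `if(!p->tcph) return 0;` as in sp_tcp_ack_check.c. Smaller issues in the same hunk: the second `eol` block is an exact duplicate of the first, the `toks` array returned by mSplit is never freed after its elements are, the first FatalError passes `file_name, file_line` to a format string with no conversions, the inner operator `switch` falls through into the outer `default:` without a `break`, and CheckTcpOptions' header comment still says it tests "the ip header's length field". `optionValue` and `value[]` are 16-bit, so `time=`/`time!=` appear to compare truncated halves of the 32-bit timestamp option — hedged, since TCPOptionValue's output format is not visible here.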
diff -Naur snort-2.2.0/src/detection-plugins/sp_tcp_option_check.h snort-2.2.0fp/src/detection-plugins/sp_tcp_option_check.h
--- snort-2.2.0/src/detection-plugins/sp_tcp_option_check.h Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/src/detection-plugins/sp_tcp_option_check.h Sun Jan 23 17:36:13 2005
@@ -0,0 +1,25 @@
+/*
+** Copyright (C) 1998-2002 Martin Roesch
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License as published by
+** the Free Software Foundation; either version 2 of the License, or
+** (at your option) any later version.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/* $Id$ */
+#ifndef __SP_TCPOPTION_CHECK_H__
+#define __SP_TCPOPTION_CHECK_H__
+
+void SetupTcpOptionCheck();
+
+#endif /* __SP_IPOPTION_CHECK_H__ */
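Review bot: The closing guard comment on the last line names `__SP_IPOPTION_CHECK_H__`, which is not the macro this file defines, so it reads as a leftover from the sp_ipoption_check.h template the header was copied from; change it to `#endif /* __SP_TCPOPTION_CHECK_H__ */`. The prototype `void SetupTcpOptionCheck();` is an old-style empty-parenthesis declaration that lets any argument list through in C; `void SetupTcpOptionCheck(void);` gives the compiler something to check the definition against.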
diff -Naur snort-2.2.0/src/detection-plugins/sp_tcp_quirks_check.c snort-2.2.0fp/src/detection-plugins/sp_tcp_quirks_check.c
--- snort-2.2.0/src/detection-plugins/sp_tcp_quirks_check.c Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/src/detection-plugins/sp_tcp_quirks_check.c Sun Jan 23 17:36:12 2005
@@ -0,0 +1,294 @@
+/*
+** Copyright (C) 1998-2002 Martin Roesch
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License as published by
+** the Free Software Foundation; either version 2 of the License, or
+** (at your option) any later version.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/* $Id$ */
+/* SDR ADDED FILE */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include
+#include
+#include
+#include
+
+#include "rules.h"
+#include "decode.h"
+#include "plugbase.h"
+#include "parser.h"
+#include "debug.h"
+#include "util.h"
+#include "plugin_enum.h"
+#include "mstring.h"
+
+#define OPS_PAST_EOL 0x01 /* TCP Options Past EOL */
+#define NONZERO_URG 0x02 /* Non-Zero Urgent Pointer */
+#define EXTRA_DATA 0x04 /* Extra data found in TCP Packet */
+#define BROKEN_OPTION 0x08 /* Broken Option */
+#define SEQ_EQ_ACK 0x10 /* SEQ # = ACK # */
+#define TEXT_IN_RST 0x20 /* Text found in RST packet */
+#define NONZERO_RESV 0x40 /* Non-Zero reserved bits/flags */
+#define ODD_FLAGS 0x80 /* Unusual flags set (PUSH, URG) */
+
+#define MAX_QUIRKS_OPS 8 /* Maximum Quirk operands */
+
+typedef struct _TcpQuirksData
+{
+ u_int8_t flags;
+} TcpQuirksData;
+
+void TcpQuirksInit(char *, OptTreeNode *, int);
+void ParseTcpQuirksData(char *, OptTreeNode *);
+int CheckTcpQuirks(Packet *, struct _OptTreeNode *, OptFpList *);
+
+/****************************************************************************
+ *
+ * Function: SetupTemplate()
+ *
+ * Purpose: Generic detection engine plugin template. Registers the
+ * configuration function and links it to a rule keyword.
+ *
+ * Arguments: None.
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void SetupTcpQuirksCheck()
+{
+ /* map the keyword to an initialization/processing function */
+ RegisterPlugin("quirks", TcpQuirksInit);
+ DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,"Plugin: TcpQuirksCheck Initialized\n"););
+
+}
+
+/****************************************************************************
+ *
+ * Function: TemplateInit(char *, OptTreeNode *)
+ *
+ * Purpose: Generic rule configuration function. Handles parsing the rule
+ * information and attaching the associated detection function to
+ * the OTN.
+ *
+ * Arguments: data => rule arguments/data
+ * otn => pointer to the current rule option list node
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void TcpQuirksInit(char *data, OptTreeNode *otn, int protocol)
+{
+ /* multiple declaration check */
+ if(otn->ds_list[PLUGIN_TCP_QUIRKS_CHECK])
+ {
+ FatalError("%s(%d): Multiple quirks options in rule\n", file_name,
+ file_line);
+ }
+
+ /* allocate the data structure and attach it to the
+ rule's data struct list */
+ otn->ds_list[PLUGIN_TCP_QUIRKS_CHECK] = (TcpQuirksData *)
+ SnortAlloc(sizeof(TcpQuirksData));
+
+ /* this is where the keyword arguments are processed and placed into the
+ rule option's data structure */
+ ParseTcpQuirksData(data, otn);
+
+ /* finally, attach the option's detection function to the rule's
+ detect function pointer list */
+ AddOptFuncToList(CheckTcpQuirks, otn);
+}
+
+/****************************************************************************
+ *
+ * Function: TemplateRuleParseFunction(char *, OptTreeNode *)
+ *
+ * Purpose: This is the function that is used to process the option keyword's
+ * arguments and attach them to the rule's data structures.
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+void ParseTcpQuirksData(char *data, OptTreeNode *otn)
+{
+ TcpQuirksData *ds_ptr; /* data struct pointer */
+ char **toks; /* tokens found in Quirks data */
+ int num_toks; /* number of tokens found in Quirks data */
+ int i;
+
+ /* set the ds pointer to make it easier to reference the Quirks's
+ particular data struct */
+ ds_ptr = otn->ds_list[PLUGIN_TCP_QUIRKS_CHECK];
+
+ /* initialize variables in structure */
+ ds_ptr->flags = 0;
+
+ if(data == NULL)
+ {
+ FatalError("quirks keyword missing argument!\n", file_name, file_line);
+ }
+
+ /* Parse the data options into something useful */
+ toks = mSplit ( data, ",", MAX_QUIRKS_OPS, &num_toks, '\\' );
+
+ for ( i = 0; i < num_toks; i++ ) {
+ if ( strstr ( toks[i], "opeol" ) ) {
+ ds_ptr->flags |= OPS_PAST_EOL;
+ free ( toks[i] ); /* done parsing this token, free up memory */
+ continue;
+ }
+ if ( strstr ( toks[i], "nzup" ) ) {
+ ds_ptr->flags |= NONZERO_URG;
+ free ( toks[i] );
+ continue;
+ }
+ if ( strstr ( toks[i], "extra" ) ) {
+ ds_ptr->flags |= EXTRA_DATA;
+ free ( toks[i] );
+ continue;
+ }
+ if ( strstr ( toks[i], "broken" ) ) {
+ ds_ptr->flags |= BROKEN_OPTION;
+ free ( toks[i] );
+ continue;
+ }
+ if ( strstr ( toks[i], "seqack" ) ) {
+ ds_ptr->flags |= SEQ_EQ_ACK;
+ free ( toks[i] );
+ continue;
+ }
+ if ( strstr ( toks[i], "rsttext" ) ) {
+ ds_ptr->flags |= TEXT_IN_RST;
+ free ( toks[i] );
+ continue;
+ }
+ if ( strstr ( toks[i], "nzuf" ) ) {
+ ds_ptr->flags |= NONZERO_RESV;
+ free ( toks[i] );
+ continue;
+ }
+ if ( strstr ( toks[i], "oddflags" ) ) {
+ ds_ptr->flags |= ODD_FLAGS;
+ free ( toks[i] );
+ continue;
+ }
+
+ /* if we made it here, we can't parse the option! */
+ FatalError("%s(%d) => Unknown TCP quirks argument: %s!\n",
+ file_name, file_line, data);
+ }
+
+ return;
+
+}
+
+/****************************************************************************
+ *
+ * Function: TemplateDetectorFunction(char *, OptTreeNode *)
+ *
+ * Purpose: Use this function to perform the particular detection routine
+ * that this rule keyword is supposed to encompass.
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+int CheckTcpQuirks(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+{
+ TcpQuirksData *ds_ptr; /* data struct pointer */
+ u_int8_t i,j;
+
+ if(!p->iph || !p->tcph )
+ return 0; /* if error occured while ip header
+ * was processed, return 0 automagically.
+ */
+
+ /* set the ds pointer to make it easier to reference the option's
+ particular data struct */
+ ds_ptr = otn->ds_list[PLUGIN_TCP_QUIRKS_CHECK];
+
+ /* Loop through the quirks (in binary); test individually */
+ /* 64 = 2 raised to the MAX_QUIRKS_OP power */
+ for ( i = 1; i < 64; i *= 2 )
+
+ if ( i & ds_ptr->flags )
+
+ switch ( i ) {
+
+ case OPS_PAST_EOL:
+ for ( j = 0; j < p->tcp_option_count; j++ )
+ if ( p->tcp_options[j].code == TCPOPT_EOL ) break;
+ if ( j == p->tcp_option_count )
+ return 0;
+ break;
+
+ case NONZERO_URG:
+ if ( ! p->tcph->th_urp )
+ return 0;
+ break;
+
+ case EXTRA_DATA:
+ if ( p->caplen < ( p->iph->ip_len + p->ip_options_len + 20 ) )
+ return 0;
+ break;
+
+ case BROKEN_OPTION:
+ /* this is an odd case, since we have to check all possible OPTs */
+ for ( j = 0; j < p->tcp_option_count; j++ )
+ if ( p->tcp_options[j].code == TCPOPT_MAXSEG ||
+ p->tcp_options[j].code == TCPOPT_WSCALE ||
+ p->tcp_options[j].code == TCPOPT_TIMESTAMP )
+ if ( ! p->tcp_options[j].data )
+ break;
+ return 0;
+ break; /* dead code, but keeps the compiler happy */
+
+ case SEQ_EQ_ACK:
+ if ( p->tcph->th_seq != p->tcph->th_ack )
+ return 0;
+ break;
+
+ case TEXT_IN_RST:
+ if ( ! ( ( p->tcph->th_flags & R_RST ) && p->dsize ) )
+ return 0;
+ break;
+
+ case NONZERO_RESV:
+ if ( ! ( p->tcph->th_flags & (R_RES1|R_RES2) ) )
+ return 0;
+ break;
+
+ case ODD_FLAGS:
+ if ( ! ( p->tcph->th_flags & (R_PSH|R_URG) ) )
+ return 0;
+ break;
+
+ default:
+ break;
+
+ }
+
+ /* we have a match, keep processing this rule! */
+ return fp_list->next->OptTestFunc(p, otn, fp_list->next);
+
+}
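Review bot: The flag loop in CheckTcpQuirks, `for ( i = 1; i < 64; i *= 2 )`, stops at 0x20, so NONZERO_RESV (0x40) and ODD_FLAGS (0x80) are never tested and a rule using `nzuf` or `oddflags` matches every packet regardless of those quirks; the comment above it also misstates the bound (2^MAX_QUIRKS_OPS is 256, and with a `u_int8_t` counter `i *= 2` would wrap to 0 before reaching it), so iterate the bit index rather than the bit value. Separately, the BROKEN_OPTION case breaks out of its inner `for` when it finds a bad option and then lands on the unconditional `return 0;`, so a rule with `broken` can never match; it needs `if ( j == p->tcp_option_count ) return 0;` like the OPS_PAST_EOL case. As minor cleanups, ParseTcpQuirksData passes `file_name, file_line` to a FatalError format with no conversions, reports `data` instead of `toks[i]` for an unknown argument, and never frees the `toks` array returned by mSplit. The three function headers still carry the "Template" names and `(char *, OptTreeNode *)` signatures and should name the real functions and parameters.
```c
int CheckTcpQuirks(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
{
    TcpQuirksData *ds_ptr;      /* data struct pointer */
    u_int8_t flag, i, j;

    /* … unchanged: iph/tcph guard, ds_ptr setup … */

    /* walk the bit index so every one of the MAX_QUIRKS_OPS flags is covered */
    for ( i = 0; i < MAX_QUIRKS_OPS; i++ ) {
        flag = (u_int8_t)(1 << i);
        if ( ! ( flag & ds_ptr->flags ) )
            continue;

        switch ( flag ) {
            /* … unchanged: OPS_PAST_EOL, NONZERO_URG, EXTRA_DATA … */

            case BROKEN_OPTION:
                for ( j = 0; j < p->tcp_option_count; j++ )
                    if ( ( p->tcp_options[j].code == TCPOPT_MAXSEG ||
                           p->tcp_options[j].code == TCPOPT_WSCALE ||
                           p->tcp_options[j].code == TCPOPT_TIMESTAMP ) &&
                         ! p->tcp_options[j].data )
                        break;
                if ( j == p->tcp_option_count )   /* no broken option seen: rule fails */
                    return 0;
                break;

            /* … unchanged: SEQ_EQ_ACK, TEXT_IN_RST, NONZERO_RESV, ODD_FLAGS, default … */
        }
    }

    /* … unchanged: OptTestFunc chain … */
}
```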
diff -Naur snort-2.2.0/src/detection-plugins/sp_tcp_quirks_check.h snort-2.2.0fp/src/detection-plugins/sp_tcp_quirks_check.h
--- snort-2.2.0/src/detection-plugins/sp_tcp_quirks_check.h Wed Dec 31 17:00:00 1969
+++ snort-2.2.0fp/src/detection-plugins/sp_tcp_quirks_check.h Sun Jan 23 17:36:13 2005
@@ -0,0 +1,25 @@
+/*
+** Copyright (C) 1998-2002 Martin Roesch
+**
+** This program is free software; you can redistribute it and/or modify
+** it under the terms of the GNU General Public License as published by
+** the Free Software Foundation; either version 2 of the License, or
+** (at your option) any later version.
+**
+** This program is distributed in the hope that it will be useful,
+** but WITHOUT ANY WARRANTY; without even the implied warranty of
+** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+** GNU General Public License for more details.
+**
+** You should have received a copy of the GNU General Public License
+** along with this program; if not, write to the Free Software
+** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+*/
+
+/* $Id: sp_ipoption_check.h,v 1.6 2002/05/13 20:14:06 chrisgreen Exp $ */
+#ifndef __SP_TCPQUIRKS_CHECK_H__
+#define __SP_TCPQUIRKS_CHECK_H__
+
+void SetupTcpQuirksCheck();
+
+#endif /* __SP_IPOPTION_CHECK_H__ */
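Review bot: The `$Id: sp_ipoption_check.h,v 1.6 ...$` keyword and the closing `#endif /* __SP_IPOPTION_CHECK_H__ */` are both carried over from sp_ipoption_check.h and describe a different file; use a bare `$Id$` as sp_tcp_option_check.h does and `#endif /* __SP_TCPQUIRKS_CHECK_H__ */` to match the guard defined above. `void SetupTcpQuirksCheck(void);` is also preferable to the empty-parenthesis declaration, which disables argument checking in C.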
diff -Naur snort-2.2.0/src/detection-plugins/sp_tcp_win_check.c snort-2.2.0fp/src/detection-plugins/sp_tcp_win_check.c
--- snort-2.2.0/src/detection-plugins/sp_tcp_win_check.c Mon Oct 20 09:03:33 2003
+++ snort-2.2.0fp/src/detection-plugins/sp_tcp_win_check.c Sun Jan 23 17:36:13 2005
@@ -49,6 +49,12 @@
void TcpWinCheckInit(char *, OptTreeNode *, int);
void ParseTcpWin(char *, OptTreeNode *);
int TcpWinCheckEq(Packet *, struct _OptTreeNode *, OptFpList *);
+/* SDR BEGIN ADD */
+int TcpWinCheckMod(Packet *, struct _OptTreeNode *, OptFpList *);
+int TcpWinCheckModMSS(Packet *, struct _OptTreeNode *, OptFpList *);
+int TcpWinCheckModMTU(Packet *, struct _OptTreeNode *, OptFpList *);
+/* SDR END ADD */
+
@@ -110,7 +116,8 @@
/* finally, attach the option's detection function to the rule's
detect function pointer list */
- AddOptFuncToList(TcpWinCheckEq, otn);
+ /* SDR: Next line commented out. Functionality moved to ParseTcpWin */
+ /* AddOptFuncToList(TcpWinCheckEq, otn); */
}
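Review bot: The commented-out `AddOptFuncToList(TcpWinCheckEq, otn);` at the end of TcpWinCheckInit should be deleted rather than kept behind a comment; version control already records the old call, and a reader now has to work out whether the registration was dropped on purpose. A one-line comment in its place, `/* the check function is registered by ParseTcpWin() according to the operator */`, says why it moved without leaving dead code. TcpWinCheckInit begins outside this hunk.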
@@ -136,6 +143,7 @@
/* set the ds pointer to make it easier to reference the option's
particular data struct */
ds_ptr = otn->ds_list[PLUGIN_TCP_WIN_CHECK];
+ ds_ptr->tcp_win = 0; /* ADDED LINE SDR */
/* get rid of any whitespace */
while(isspace((int)*data))
@@ -146,8 +154,43 @@
if(data[0] == '!')
{
ds_ptr->not_flag = 1;
+ data++; /* SDR ADDED LINE */
}
+ /* SDR BEGIN ADD */
+ /* Locate the operator, and set appropriate handling function */
+ switch (*data)
+ {
+ case '=':
+ AddOptFuncToList ( TcpWinCheckEq, otn );
+ data++;
+ break;
+ case '%':
+ AddOptFuncToList ( TcpWinCheckMod, otn );
+ data++;
+ break;
+ case 'S':
+ AddOptFuncToList ( TcpWinCheckModMSS, otn );
+ data++;
+ break;
+ case 'T':
+ AddOptFuncToList ( TcpWinCheckModMTU, otn );
+ data++;
+ break;
+ default:
+ /* default to the '=' operator, but don't advance pointer */
+ /* in case that 'data' is legal digit */
+ AddOptFuncToList ( TcpWinCheckEq, otn );
+ break;
+ }
+
+ /* get rid of any whitespace */
+ while(isspace((int)*data))
+ {
+ data++;
+ }
+ /* SDR END ADD */
+
if(index(data, (int) 'x') == NULL && index(data, (int)'X') == NULL)
{
win_size = atoi(data);
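Review bot: The operator switch accepts `%`, `S` and `T`, but nothing in this hunk rejects a zero value, and TcpWinCheckMod later uses `tcp_win` as a modulus, so `window:%0` becomes a division by zero on the first TCP packet instead of a configuration error. After `win_size` is parsed, fail the rule load for the `%` operator with `FatalError("%s(%d) => window modulus must be non-zero\n", file_name, file_line);` (for `S`/`T` the value is an expected quotient, so 0 is merely never matchable). Note also that `'S'` and `'T'` are matched case-sensitively and before the whitespace skip, so `window:s4` silently falls into the default `=` path and `atoi` yields 0; the accepted syntax (`[!][=|%|S|T]value`) should be documented in ParseTcpWin's header comment. ParseTcpWin continues past the end of this hunk, so I cannot see whether win_size is validated further down.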
@@ -209,3 +252,139 @@
/* if the test isn't successful, return 0 */
return 0;
}
+
+/* SDR BEGIN ADD */
+/****************************************************************************
+ *
+ * Function: TcpWinCheckMod(char *, OptTreeNode *)
+ *
+ * Purpose: Test the TCP header's window to see if its value is modulus to the
+ * value in the rule (p0f '%' operator)
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+int TcpWinCheckMod(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+{
+ if(!p->tcph)
+ return 0; /* if error occured while ip header
+ * was processed, return 0 automagically.
+ */
+
+ if( ntohs(p->tcph->th_win) % ((TcpWinData *)otn->ds_list[PLUGIN_TCP_WIN_CHECK])->tcp_win )
+ return ( 0 );
+
+ /* Success! */
+ return fp_list->next->OptTestFunc(p, otn, fp_list->next);
+
+}
+
+/****************************************************************************
+ *
+ * Function: TcpWinCheckModMSS(char *, OptTreeNode *)
+ *
+ * Purpose: Test the TCP header's window to see if its value is modulus of the
+ * maximum segment size (MSS) value in the rule (p0f 'S' operator)
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+int TcpWinCheckModMSS(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+{
+ u_int16_t mssPacket, winPacket, winRule;
+ char *mssValueStr;
+ u_int8_t i;
+
+ if(!p->tcph )
+ return 0; /* if error occured while ip header
+ * was processed, return 0 automagically.
+ */
+
+ for ( i = 0; i < p->tcp_option_count; i++ )
+ if ( p->tcp_options[i].code == TCPOPT_MAXSEG ) break;
+
+ if ( i == p->tcp_option_count )
+ return ( 0 );
+
+ mssValueStr = TCPOptionValue ( &p->tcp_options[i] );
+ mssPacket = atoi ( mssValueStr );
+ free ( mssValueStr );
+ winPacket = ntohs (p->tcph->th_win);
+
+ winRule = ((TcpWinData *)otn->ds_list[PLUGIN_TCP_WIN_CHECK])->tcp_win;
+
+ if ( mssPacket && ! ( winPacket % mssPacket ) ) {
+ if ( winPacket / mssPacket != winRule )
+ return 0;
+ }
+ else if ( ! ( winPacket % 1460 ) ) {
+ if ( ( winPacket / 1460 ) != winRule )
+ return 0;
+ }
+ else
+ return 0;
+
+ /* match */
+ return fp_list->next->OptTestFunc(p, otn, fp_list->next);
+
+}
+
+/****************************************************************************
+ *
+ * Function: TcpWinCheckModMTU(char *, OptTreeNode *)
+ *
+ * Purpose: Test the TCP header's window to see if its value is modulus of the
+ * maximum transmission unit (MTU=MSS+40) value in the rule (p0f 'T' operator)
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: void function
+ *
+ ****************************************************************************/
+int TcpWinCheckModMTU(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+{
+ u_int16_t mssPacket, winPacket, winRule;
+ char *mssValueStr;
+ u_int8_t i;
+
+ if(!p->tcph )
+ return 0; /* if error occured while ip header
+ * was processed, return 0 automagically.
+ */
+
+ for ( i = 0; i < p->tcp_option_count; i++ )
+ if ( p->tcp_options[i].code == TCPOPT_MAXSEG ) break;
+
+ if ( i == p->tcp_option_count )
+ return ( 0 );
+
+ mssValueStr = TCPOptionValue ( &p->tcp_options[i] );
+ mssPacket = atoi ( mssValueStr );
+ free ( mssValueStr );
+ winPacket = ntohs ( p->tcph->th_win );
+
+ winRule = ((TcpWinData *)otn->ds_list[PLUGIN_TCP_WIN_CHECK])->tcp_win;
+
+ if ( mssPacket && ! ( winPacket % (mssPacket+40) ) ) {
+ if ( winPacket / (mssPacket+40) != winRule )
+ return 0;
+ }
+ else if ( ! ( winPacket % 1500 ) ) {
+ if ( ( winPacket / 1500 ) != winRule )
+ return 0;
+ }
+ else
+ return 0;
+
+ /* match */
+ return fp_list->next->OptTestFunc(p, otn, fp_list->next);
+
+}
+/* SDR END ADD */
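Review bot: None of the three new check functions consult `not_flag`, which ParseTcpWin sets for a leading `!` earlier in this file, so `window:!%64` or `window:!S4` behaves exactly like the un-negated rule; each function should compute the match as a boolean and return 0 when it equals `not_flag`, as the equality check presumably does. TcpWinCheckMod also divides by `tcp_win` with no zero guard, so a rule value of 0 faults the engine at packet time; `if ( !ds_ptr->tcp_win ) return 0;` (or a parse-time rejection) is needed. TcpWinCheckModMSS and TcpWinCheckModMTU are the same routine with a different divisor and fallback (MSS/1460 versus MSS+40/1500); a `static` helper taking the packet, rule value, divisor offset and fallback removes the duplication. The three header comments still carry the template's `(char *, OptTreeNode *)` signature and `Returns: void function`; they should list the real `(Packet *, OptTreeNode *, OptFpList *)` parameters and `Returns: 0 on failure, result of the next option test on success`.
```c
int TcpWinCheckMod(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
{
    TcpWinData *ds_ptr = (TcpWinData *)otn->ds_list[PLUGIN_TCP_WIN_CHECK];
    int matched;

    /* no TCP header, or a zero modulus (would fault below): no match */
    if ( !p->tcph || !ds_ptr->tcp_win )
        return 0;

    matched = ( ntohs(p->tcph->th_win) % ds_ptr->tcp_win ) == 0;

    /* honour a leading '!' in the rule the same way the '=' check does */
    if ( matched == ds_ptr->not_flag )
        return 0;

    return fp_list->next->OptTestFunc(p, otn, fp_list->next);
}
```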
diff -Naur snort-2.2.0/src/detection-plugins/sp_ttl_check.c snort-2.2.0fp/src/detection-plugins/sp_ttl_check.c
--- snort-2.2.0/src/detection-plugins/sp_ttl_check.c Mon Oct 20 09:03:33 2003
+++ snort-2.2.0fp/src/detection-plugins/sp_ttl_check.c Sun Jan 23 17:36:13 2005
@@ -47,6 +47,11 @@
int CheckTtlGT(Packet *, struct _OptTreeNode *, OptFpList *);
int CheckTtlLT(Packet *, struct _OptTreeNode *, OptFpList *);
int CheckTtlRG(Packet *, struct _OptTreeNode *, OptFpList *);
+/* SDR BEGIN ADD */
+int CheckTtlLTEQ(Packet *, struct _OptTreeNode *, OptFpList *);
+int CheckTtlGTEQ(Packet *, struct _OptTreeNode *, OptFpList *);
+int CalculateHopCount ( OptTreeNode *otn, Packet *p );
+/* SDR END ADD */
@@ -123,6 +128,7 @@
{
TtlCheckData *ds_ptr; /* data struct pointer */
char ttlrel;
+ int eqflag = 0; /* SDR ADDED LINE */
/* set the ds pointer to make it easier to reference the option's
particular data struct */
@@ -137,6 +143,14 @@
ds_ptr->h_ttl = -1; /* leading dash flag */
case '>':
case '<':
+ /* SDR BEGIN ADD */
+ if ( (data+1) && *(data+1) == '=' )
+ {
+ eqflag = 1;
+ data += 2;
+ break;
+ }
+ /* SDR END ADD */
case '=':
data++;
break;
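Review bot: The guard `(data+1) &&` in the new `<=`/`>=` test is pointer arithmetic on a non-null pointer and is therefore always true; it protects nothing, and `*(data+1)` is already safe to read here because `*data` is `<` or `>` rather than the terminator, so write it as `if ( data[1] == '=' )`. Because this `case` is also reached by fall-through from `case '-':`, a rule written `ttl:-=5` sets `eqflag` too and is then dispatched by whatever `ttlrel` resolves to later; if that form is not meant to be accepted, test `*data` before consuming the `=`. The enclosing switch and the rest of the parse function are outside this hunk.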
@@ -157,12 +171,20 @@
ttlrel = '-';
}
switch (ttlrel) {
+ /* SDR BEGIN MODIFY */
case '>':
- AddOptFuncToList(CheckTtlGT, otn);
+ if ( eqflag )
+ AddOptFuncToList(CheckTtlGTEQ, otn );
+ else
+ AddOptFuncToList(CheckTtlGT, otn);
break;
- case '<':
- AddOptFuncToList(CheckTtlLT, otn);
+ case '<':
+ if ( eqflag )
+ AddOptFuncToList(CheckTtlLTEQ, otn );
+ else
+ AddOptFuncToList(CheckTtlLT, otn);
break;
+ /* SDR END MODIFY */
case '=':
AddOptFuncToList(CheckTtlEq, otn);
break;
@@ -304,10 +326,6 @@
return 0;
}
-
-
-
-
/****************************************************************************
*
* Function: CheckTtlRG(char *, OptTreeNode *)
@@ -346,3 +364,121 @@
/* if the test isn't successful, return 0 */
return 0;
}
+
+/* SDR BEGIN ADD */
+/****************************************************************************
+ *
+ * Function: CheckTtlLTEQ(char *, OptTreeNode *)
+ *
+ * Purpose: Test the packet's payload size against the rule payload size
+ * value. This test determines if the packet payload size is
+ * less than or equal to the rule ttl (p0f)
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: 0 on failure, return value of next list function on success
+ *
+ ****************************************************************************/
+int CheckTtlLTEQ(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+{
+ if(p->iph &&
+ (p->iph->ip_ttl <= ((TtlCheckData *)otn->ds_list[PLUGIN_TTL_CHECK])->ttl))
+ {
+ /* call the next function in the function list recursively */
+ return fp_list->next->OptTestFunc(p, otn, fp_list->next);
+ }
+#ifdef DEBUG
+ else
+ {
+ /* you can put debug comments here or not */
+ DebugMessage(DEBUG_PLUGIN, "CheckTtlLTEQ: Not Less/equal than %d\n",
+ ((TtlCheckData *)otn->ds_list[PLUGIN_TTL_CHECK])->ttl);
+ }
+#endif
+
+ /* if the test isn't successful, return 0 */
+ return 0;
+}
+
+/****************************************************************************
+ *
+ * Function: CheckTtlGTEQ(char *, OptTreeNode *)
+ *
+ * Purpose: Test the packet's payload size against the rule payload size
+ * value. This test determines if the packet payload size is
+ * greater than or equal to the rule ttl (p0f)
+ *
+ * Arguments: data => argument data
+ * otn => pointer to the current rule's OTN
+ *
+ * Returns: 0 on failure, return value of next list function on success
+ *
+ ****************************************************************************/
+int CheckTtlGTEQ(Packet *p, struct _OptTreeNode *otn, OptFpList *fp_list)
+{
+ if(p->iph &&
+ (p->iph->ip_ttl >= ((TtlCheckData *)otn->ds_list[PLUGIN_TTL_CHECK])->ttl))
+ {
+ /* call the next function in the function list recursively */
+ return fp_list->next->OptTestFunc(p, otn, fp_list->next);
+ }
+#ifdef DEBUG
+ else
+ {
+ /* you can put debug comments here or not */
+ DebugMessage(DEBUG_PLUGIN, "CheckTtlGTEQ: Not greater/equal than %d\n",
+ ((TtlCheckData *)otn->ds_list[PLUGIN_TTL_CHECK])->ttl);
+ }
+#endif
+
+ /* if the test isn't successful, return 0 */
+ return 0;
+}
+
+/****************************************************************************
+ *
+ * Function: CalculateHopCount(OptTreeNode *, Packet *)
+ *
+ * Purpose: Calculate the distance (hop count) of the packet.
+ * Used to aid fingerprinting (p0f), has no use for IDS mode (?)
+ * NOTE: This function is called once after a rule match is made
+ * in fpdetect.c (it's prototyped as an extern)
+ *
+ * Result is stored in p->ip_hop_count.
+ *
+ * Returns: hop count, or IP_HOP_COUNT_UNDEFINED if hop count can not be
+ * calculated
+ *
+ ***************************************************************************/
+int CalculateHopCount ( OptTreeNode *otn, Packet *p ) {
+
+ /* Best case, the rule has a TTL value that we can use to calculate the hop count */
+ /* We make the assumption here that the matching rule is a fingerprint rule */
+ if ( otn->ds_list[PLUGIN_TTL_CHECK] && p->iph ) {
+
+ p->ip_hop_count = ((TtlCheckData *)otn->ds_list[PLUGIN_TTL_CHECK])->ttl -
+ p->iph->ip_ttl;
+
+ }
+ /* otherwise, use some standard default TTL values */
+ else if ( p->iph ) {
+
+ p->ip_hop_count =
+ ( p->iph->ip_ttl <= 32 ) ? 32 - p->iph->ip_ttl :
+ ( p->iph->ip_ttl <= 64 ) ? 64 - p->iph->ip_ttl :
+ ( p->iph->ip_ttl <= 128 ) ? 128 - p->iph->ip_ttl : 255 - p->iph->ip_ttl;
+ }
+ /* of course, if it's not an IP packet, we can't do anything */
+ else {
+
+ p->ip_hop_count = IP_HOP_COUNT_UNDEFINED;
+
+ }
+
+ return ( p->ip_hop_count );
+
+}
+/* SDR END ADD */
+
+
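Review bot: The header comments on CheckTtlLTEQ and CheckTtlGTEQ describe testing "the packet's payload size against the rule payload size" and list `(char *, OptTreeNode *)` / `data =>` arguments, which were copied from another plugin; they should read `Purpose: Test the packet's IP TTL against the rule TTL; matches when ip_ttl is <= (resp. >=) the rule value` with the real `(Packet *, OptTreeNode *, OptFpList *)` parameters. In CalculateHopCount the rule branch computes `rule ttl - p->iph->ip_ttl` for any rule that carries a ttl option, so a `ttl:>64` rule, or any packet whose TTL exceeds the rule value, yields a negative hop count that is stored in the packet and later written to the database; guard it with `if ( rule_ttl < p->iph->ip_ttl ) p->ip_hop_count = IP_HOP_COUNT_UNDEFINED;` or fall back to the default-TTL table in that case. The "(?)" about IDS mode and the assumption that the matched rule is a fingerprint rule should be stated as an explicit precondition, since fpdetect.c calls this for every matched rule. I cannot see from this chunk where `ip_hop_count` and `IP_HOP_COUNT_UNDEFINED` are added to the Packet structure, so I assume that lives in another hunk.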
diff -Naur snort-2.2.0/src/fpdetect.c snort-2.2.0fp/src/fpdetect.c
--- snort-2.2.0/src/fpdetect.c Thu Jun 3 14:11:05 2004
+++ snort-2.2.0fp/src/fpdetect.c Sun Jan 23 21:49:41 2005
@@ -142,7 +142,8 @@
//static INLINE int fpLogEvent(RuleTreeNode *rtn, OptTreeNode *otn, Packet *p);
extern u_int8_t *doe_ptr;
-
+/* SDR ADDED NEXT LINE */
+extern int CalculateHopCount ( OptTreeNode *otn, Packet *p );
static OTNX_MATCH_DATA omd;
/* initialize the global OTNX_MATCH_DATA variable */
@@ -730,6 +731,9 @@
if(otnx && otnx->otn)
{
+ /* SDR ADDED NEXT LINE */
+ CalculateHopCount ( otnx->otn, p );
+
/*
** QueueEvent
*/
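Review bot: CalculateHopCount is invoked here for every matched rule, yet the function's own comment says it assumes the matching rule is a fingerprint rule and its rule branch uses that rule's ttl value as the presumed initial TTL; an ordinary IDS rule carrying something like `ttl:>5` will therefore produce a meaningless, possibly negative, hop count on every alert. Either restrict the call to rules whose classification is one of the fingerprint classes (using the classification field the OTN already exposes to output plugins, which I cannot see from here), or have CalculateHopCount fall back to its default-TTL table whenever the rule's ttl test is not an equality. The surrounding function begins and ends outside this hunk.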
diff -Naur snort-2.2.0/src/output-plugins/spo_database.c snort-2.2.0fp/src/output-plugins/spo_database.c
--- snort-2.2.0/src/output-plugins/spo_database.c Tue Mar 23 08:34:46 2004
+++ snort-2.2.0fp/src/output-plugins/spo_database.c Sun Jan 23 17:36:15 2005
@@ -53,6 +53,8 @@
#include
#include
#include
+/* SDR ADDED NEXT LINE */
+#include
#include "event.h"
#include "decode.h"
@@ -236,6 +238,8 @@
void Connect(DatabaseData *);
void DatabasePrintUsage();
void FreeSharedDataList();
+/* SDR ADDED NEXT LINE */
+int SelectMultiple ( char *, DatabaseData *, char *, ... );
/******** Global Variables ********************************************/
@@ -245,6 +249,9 @@
static SharedDatabaseDataNode *sharedDataList = NULL;
static int instances = 0;
+/* SDR ADDED NEXT LINE */
+int OSFingerPrint, ServiceFingerPrint;
+
/******** Database Specific Extras ************************************/
/* The following is for supporting Microsoft SQL Server */
@@ -316,7 +323,28 @@
SharedDatabaseDataNode *current = NULL;
char * escapedSensorName = NULL;
char * escapedInterfaceName = NULL;
-
+ /* SDR BEGIN ADD */
+ ClassType *fpClass;
+ int fp_event_cid;
+
+ /* set our fingerprint class ids for quick comparison in future */
+ fpClass = ClassTypeLookupByType ( "os-fingerprint" );
+ if ( fpClass )
+ OSFingerPrint = fpClass->id;
+ else
+ ErrorMessage("database: Could not find 'os-fingerprint' classification. "
+ "Check classification.config.\nAlso, be sure that classification.config "
+ "is read before the database output plugin in snort.conf\n" );
+
+ fpClass = ClassTypeLookupByType ( "service-fingerprint" );
+ if ( fpClass )
+ ServiceFingerPrint = fpClass->id;
+ else
+ ErrorMessage("database: Could not find 'service-fingerprint' classification. "
+ "Check classification.config.\nAlso, be sure that classification.config "
+ "is read before the database output plugin in snort.conf\n" );
+ /* SDR END ADD */
+
/* parse the argument list from the rules file */
data = ParseDatabaseArgs(args);
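Review bot: When `ClassTypeLookupByType` fails, the `else` branches only log, and `OSFingerPrint`/`ServiceFingerPrint` keep the zero value they get as uninitialised file-scope globals; every later `event->classification == OSFingerPrint` comparison in Database() would then match any event whose class id is 0 (if that id is possible for unclassified rules), and those alerts would be diverted into the fpevent path and REPLACEd or dropped. Set a sentinel in the failure branches, `OSFingerPrint = -1;` and `ServiceFingerPrint = -1;`, and declare the two globals in the earlier hunk as `static int OSFingerPrint = -1, ServiceFingerPrint = -1;` so they are neither exported nor accidentally zero. DatabaseInit continues outside this hunk.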
@@ -538,6 +566,14 @@
data->shared->sid);
event_cid = Select(select_max_sensor_id, data);
+ /* SDR BEGIN ADD */
+ snprintf(select_max_sensor_id, MAX_QUERY_LENGTH,
+ "SELECT MAX(cid) FROM fpevent WHERE sid = '%u'", data->shared->sid);
+ fp_event_cid = Select(select_max_sensor_id,data);
+
+ event_cid = ( fp_event_cid > event_cid ) ? fp_event_cid : event_cid;
+ /* SDR END ADD */
+
if ( event_cid > sensor_cid )
{
UpdateLastCid(data, data->shared->sid, event_cid);
@@ -932,6 +968,11 @@
unsigned int ref_id, class_id=0;
ClassType *class_ptr;
ReferenceNode *refNode;
+ /* SDR BEGIN ADD */
+ unsigned int tmp_sid, tmp_cid, fp_sid, fp_cid, fp_sig_priority, osfp_flag, port_src;
+ int smresult;
+ char fp_time[SMALLBUFFER];
+ /* SDR END ADD */
query = NewQueryNode(NULL, 0);
root = query;
@@ -1325,7 +1366,74 @@
}
free(sig_name); sig_name = NULL;
-
+
+ /* SDR BEGIN ADD */
+
+ /* Code to handle Fingerprint types */
+ tmp_sid = data->shared->sid;
+ tmp_cid = data->shared->cid;
+
+ /* Check for a fingerprint event type */
+ /* A 'switch' won't work here becase OSFingerprint & ServiceFingerPrint aren't static int */
+ if ( event->classification == OSFingerPrint ||
+ event->classification == ServiceFingerPrint )
+ {
+ /* it's just too dangerous to rely on the source port as the osfp flag... */
+ osfp_flag = ( event->classification == OSFingerPrint ) ? 1 : 0;
+ port_src = ( event->classification == OSFingerPrint ) ? 0 :
+ (p->tcph) ? ntohs(p->tcph->th_sport) :
+ (p->udph) ? ntohs(p->udph->uh_sport) : 0 ;
+
+ select0 = (char *) malloc (MAX_QUERY_LENGTH+1);
+ snprintf(select0, MAX_QUERY_LENGTH,
+ "SELECT sid, cid, sig_priority, firstseen FROM fpevent "
+ "WHERE ip_src = '%lu' AND port_src = '%u' AND osfp_flag = '%u'",
+ (u_long)ntohl(p->iph->ip_src.s_addr), port_src, osfp_flag );
+ smresult = SelectMultiple ( select0, data, "%u,%u,%u,%s",
+ &fp_sid, &fp_cid, &fp_sig_priority, fp_time );
+ free ( select0 );
+
+ /* only replace the fpevent entry if we have better data */
+ if ( smresult == 4 )
+ {
+ if ( event->priority <= fp_sig_priority )
+ {
+ data->shared->sid = fp_sid;
+ data->shared->cid = fp_cid;
+ }
+ /* ignore logging this packet */
+ else
+ {
+ free (timestamp_string);
+ FreeQueryNode (root);
+#ifdef ENABLE_DB_TRANSACTIONS
+ CommitTransaction(data);
+#endif
+ /* A Unixodbc bugfix */
+#ifdef ENABLE_ODBC
+ if(data->shared->cid == 600)
+ {
+ data->shared->cid = 601;
+ }
+#endif
+ return;
+ }
+ } /* if smresult is not 4 then we have new entry */
+
+ snprintf(query->val, MAX_QUERY_LENGTH,
+ "REPLACE fpevent ( ip_src, port_src, protocol, signature, osfp_flag, sig_priority, "
+ "sid, cid, firstseen, lastseen, hopcount ) "
+ "VALUES ( '%lu', '%u', '%s', '%u', '%u', '%u', '%u', '%u', '%s', '%s', '%d' )",
+ (u_long)ntohl(p->iph->ip_src.s_addr), port_src,
+ (p->tcph) ? "TCP" : "UDP",
+ sig_id, osfp_flag, event->priority,
+ data->shared->sid, data->shared->cid,
+ ( smresult == 4 ) ? fp_time : timestamp_string,
+ timestamp_string, p->ip_hop_count );
+ }
+ else
+ {
+ /* SDR END ADD */
if ( (data->shared->dbtype_id == DB_ORACLE) &&
(data->DBschema_version >= 105) )
{
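Review bot: The fingerprint branch dereferences `p->iph->ip_src.s_addr` in both the SELECT and the REPLACE without first checking `p->iph`, so a fingerprint-classified rule firing on a non-IP packet faults here; add `p->iph &&` to the branch condition (or treat a missing IP header as "not a fingerprint event"). The `(p->tcph) ? "TCP" : "UDP"` label records ICMP and every other protocol as UDP; derive it from `p->iph->ip_proto` or add a third arm. The `firstseen` value read back from the database (`fp_time`) is spliced into the REPLACE unescaped; it is presumably a clean timestamp, but it should pass through `snort_escape_string` like the other strings in this function, and the `select0` buffer is used without checking the `malloc` return. Database() begins and ends outside this hunk.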
@@ -1351,6 +1459,9 @@
"VALUES ('%u', '%u', '%u', '%s')",
data->shared->sid, data->shared->cid, sig_id, timestamp_string);
}
+ /* BEGIN SDR */
+ }
+ /* END SDR */
free(timestamp_string); timestamp_string = NULL;
@@ -1371,7 +1482,7 @@
if(p->ext)
{
snprintf(query->val, MAX_QUERY_LENGTH,
- "INSERT INTO "
+ "REPLACE " /* SDR MODIFIED */
"icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) "
"VALUES ('%u','%u','%u','%u','%u','%u','%u')",
data->shared->sid,
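Review bot: `REPLACE` (here and in each of the following one-line hunks) is MySQL-specific syntax; the PostgreSQL, Oracle, MS SQL and ODBC back ends this plugin selects by `dbtype_id` will reject every header, option and payload insert once this patch is applied. Keep `INSERT INTO` as the default and only use `REPLACE` when the back end is MySQL and the event is a fingerprint update, e.g. choose `const char *verb = (fp_update && data->shared->dbtype_id == DB_MYSQL) ? "REPLACE" : "INSERT INTO";` once (with `fp_update` set in the fingerprint branch) and substitute it with `%s` in each query. Note also that on MySQL `REPLACE` deletes and re-inserts the row, so rows keyed only by (sid, cid) are swapped cleanly, but child rows with an extra key column such as `opt` (sid, cid, optid) from a previous, longer option list will survive alongside the new ones. Database() begins and ends outside this hunk.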
@@ -1385,7 +1496,7 @@
else
{
snprintf(query->val, MAX_QUERY_LENGTH,
- "INSERT INTO "
+ "REPLACE " /* SDR MODIFIED */
"icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum) "
"VALUES ('%u','%u','%u','%u','%u')",
data->shared->sid,
@@ -1398,7 +1509,7 @@
else
{
snprintf(query->val, MAX_QUERY_LENGTH,
- "INSERT INTO "
+ "REPLACE " /* SDR MODIFIED */
"icmphdr (sid, cid, icmp_type, icmp_code) "
"VALUES ('%u','%u','%u','%u')",
data->shared->sid,
@@ -1414,7 +1525,7 @@
if(data->detail)
{
snprintf(query->val, MAX_QUERY_LENGTH,
- "INSERT INTO "
+ "REPLACE " /* SDR MODIFIED */
"tcphdr (sid, cid, tcp_sport, tcp_dport, "
" tcp_seq, tcp_ack, tcp_off, tcp_res, "
" tcp_flags, tcp_win, tcp_csum, tcp_urp) "
@@ -1435,7 +1546,7 @@
else
{
snprintf(query->val, MAX_QUERY_LENGTH,
- "INSERT INTO "
+ "REPLACE " /* SDR MODIFIED */
"tcphdr (sid,cid,tcp_sport,tcp_dport,tcp_flags) "
"VALUES ('%u','%u','%u','%u','%u')",
data->shared->sid,
@@ -1461,7 +1572,7 @@
packet_data = base64(p->tcp_options[i].data, p->tcp_options[i].len);
}
snprintf(query->val, MAX_QUERY_LENGTH,
- "INSERT INTO "
+ "REPLACE " /* SDR MODIFIED */
"opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
"VALUES ('%u','%u','%u','%u','%u','%u','%s')",
data->shared->sid,
@@ -1482,7 +1593,7 @@
if(data->detail)
{
snprintf(query->val, MAX_QUERY_LENGTH,
- "INSERT INTO "
+ "REPLACE " /* SDR MODIFIED */
"udphdr (sid, cid, udp_sport, udp_dport, udp_len, udp_csum) "
"VALUES ('%u', '%u', '%u', '%u', '%u', '%u')",
data->shared->sid,
@@ -1495,7 +1606,7 @@
else
{
snprintf(query->val, MAX_QUERY_LENGTH,
- "INSERT INTO "
+ "REPLACE " /* SDR MODIFIED */
"udphdr (sid, cid, udp_sport, udp_dport) "
"VALUES ('%u', '%u', '%u', '%u')",
data->shared->sid,
@@ -1514,7 +1625,7 @@
if(data->detail)
{
snprintf(query->val, MAX_QUERY_LENGTH,
- "INSERT INTO "
+ "REPLACE " /* SDR MODIFIED */
"iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, "
" ip_tos, ip_len, ip_id, ip_flags, ip_off,"
" ip_ttl, ip_proto, ip_csum) "
@@ -1538,7 +1649,7 @@
{
snprintf(query->val, MAX_QUERY_LENGTH,
- "INSERT INTO "
+ "REPLACE " /* SDR MODIFIED */
"iphdr (sid, cid, ip_src, ip_dst, ip_proto) "
"VALUES ('%u','%u','%lu','%lu','%u')",
data->shared->sid,
@@ -1566,7 +1677,7 @@
}
snprintf(query->val, MAX_QUERY_LENGTH,
- "INSERT INTO "
+ "REPLACE " /* SDR MODIFIED */
"opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
"VALUES ('%u','%u','%u','%u','%u','%u','%s')",
data->shared->sid,
@@ -1607,7 +1718,7 @@
packet_data = snort_escape_string(packet_data_not_escaped, data);
snprintf(query->val, (p->dsize * 2) + MAX_QUERY_LENGTH - 3,
- "INSERT INTO "
+ "REPLACE " /* SDR MODIFIED */
"data (sid,cid,data_payload) "
"VALUES ('%u','%u','%s",
data->shared->sid,
@@ -1643,7 +1754,19 @@
root = NULL;
/* Increment the cid*/
- data->shared->cid++;
+ /* SDR BEGIN MODIFY */
+ if ( data->shared->cid != fp_cid )
+ {
+ data->shared->cid++;
+ data->shared->sid = tmp_sid;
+ }
+ else
+ {
+ data->shared->cid = tmp_cid;
+ data->shared->sid = tmp_sid;
+ }
+ /* SDR END MODIFY */
+
#ifdef ENABLE_DB_TRANSACTIONS
if ( ok_transaction )
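Review bot: `fp_cid` is only assigned when the fingerprint branch's SelectMultiple returns 4, so for every ordinary event the new `if ( data->shared->cid != fp_cid )` compares against an uninitialised stack variable; whenever the garbage happens to equal the current cid, the cid is not incremented and the next event REPLACEs this one's rows. Track the reuse explicitly: initialise `fp_cid = 0` and `smresult = 0` where they are declared, and make the test `if ( smresult != 4 || data->shared->cid != fp_cid )`. The `data->shared->sid = tmp_sid;` restore appears in both arms and can be hoisted above the `if`. Database() continues outside this hunk.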
@@ -2853,3 +2976,132 @@
return(0);
}
#endif
+
+/* SDR BEGIN ADD */
+
+/*******************************************************************************
+ *
+ * Function: SelectMultiple(char * query, DatabaseData * data, char *format, ... )
+ *
+ * Purpose: MySQL function for SQL selects that can return an arbitrary number of
+ * columns and data types. Similar to printf/scanf.
+ *
+ * Arguments: query - the sql statement to execute
+ * data - pointer to the current database data struct for this sql connection
+ * format - character array akin to printf/scanf with the number and types of
+ * columns to return
+ * %s - returns a character string. Corresponding argument must be
+ * pre-allocated to sufficient length. Otherwise bad things happen
+ * (just like printf/scanf!)
+ * %d,%u - returns a integer. Corresponding argument must be preallocated
+ * to sufficient size.
+ * Example:
+ * char String1[25];
+ * int Number1, Number2;
+ *
+ * SelectMultiple ( SqlString, CurrentDB, "%s,%d,%u", String1, &Number1, &Number2 );
+ *
+ * In this case, SelectMultiple will execute SqlString, based on CurrentDB, and
+ * attempt to parse three values and place them in String1, Number1 and Number2.
+ *
+ * Returns: Number of columns (values) successfully processed. (In the above example -- 3.)
+ *
+ ******************************************************************************/
+int SelectMultiple(char * query, DatabaseData * data, char *format, ... )
+{
+ va_list argv;
+ int argc = 0, result = 0;
+ char *p;
+
+#ifdef ENABLE_POSTGRESQL
+/* Not implemented */
+#endif
+
+#ifdef ENABLE_MYSQL
+ if(data->shared->dbtype_id == DB_MYSQL)
+ {
+ if(mysql_query(data->m_sock,query))
+ {
+ result = 0;
+ }
+ else
+ {
+ if(!(data->m_result = mysql_use_result(data->m_sock)))
+ {
+ result = 0;
+ }
+ else
+ {
+ if((data->m_row = mysql_fetch_row(data->m_result)))
+ {
+ /* calculate number of expected arguments */
+ p = format;
+ while ( p ) {
+ if ( *p == '%' ) argc++;
+ p++;
+ }
+ va_start ( argv, argc );
+
+ /* now convert them based on type */
+ while ( *format ) {
+ while ( *format && *format != '%' ) format++;
+ if ( *format && *(format+1) && data->m_row[result] != NULL ) {
+ format++;
+ switch ( *format ) {
+ case 'u':
+ case 'd':
+ *(va_arg(argv, int *)) = atoi(data->m_row[result]);
+ result++;
+ break;
+ case 's':
+ strcpy ( va_arg(argv, char *), data->m_row[result] );
+ result++;
+ break;
+ default:
+ /* unrecognized format character */
+ break;
+ } /* end of switch */
+ } /* end of if */
+ }
+ va_end ( argv );
+ }
+ }
+ mysql_free_result(data->m_result);
+ }
+ if(!result)
+ {
+ if(mysql_errno(data->m_sock))
+ {
+ ErrorMessage("database: mysql_error: %s\n", mysql_error(data->m_sock));
+ }
+ }
+ }
+#endif
+
+#ifdef ENABLE_ODBC
+/* Not implemented */
+#endif
+
+#ifdef ENABLE_ORACLE
+/* Not implemented */
+#endif
+
+#ifdef ENABLE_MSSQL
+/* Not implemented */
+#endif
+
+#ifdef DEBUG
+ if(result)
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): (%s) returned %u\n", query, result););
+ }
+ else
+ {
+ DEBUG_WRAP(DebugMessage(DEBUG_LOG,"database(debug): (%s) failed\n", query););
+ }
+#endif
+
+ return result;
+}
+
+/* SDR END ADD */
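Review bot: The argument-counting loop `while ( p ) { if ( *p == '%' ) argc++; p++; }` tests the pointer rather than the character, so it walks past the end of `format` until it faults, and the result is then passed to `va_start ( argv, argc )`, whose second argument must be the last named parameter (`format`), not a local — the count is unneeded and the call is undefined as written. The conversion loop also never advances `format` when it stops on a `%` that ends the string or whose column is NULL (`data->m_row[result] != NULL` fails), so it spins forever, and `data->m_row[result]` is indexed by the number of conversions in the caller's format with no check against `mysql_num_fields()`, reading past the row when the format asks for more columns than the query returned. `strcpy` into the `%s` argument is unbounded, as the header comment concedes; a caller-supplied size (for example a width in the format string) is needed before this is safe on any column that holds untrusted data such as `opt_data`. The rewrite below fixes the termination, `va_start` and bounds problems and drops the now-unused `argc`/`p`; the copy length remains to be addressed.
```c
int SelectMultiple(char * query, DatabaseData * data, char *format, ... )
{
    va_list argv;
    int result = 0;                     /* argc and p dropped: the counting loop is gone */
    unsigned int ncols;
    /* … unchanged: mysql_query / mysql_use_result / mysql_fetch_row … */
            ncols = mysql_num_fields(data->m_result);
            va_start ( argv, format );  /* must name the last fixed parameter */

            while ( *format ) {
                if ( *format != '%' ) { format++; continue; }
                format++;               /* always step past '%' so the loop cannot spin */
                if ( *format == '\0' ) break;
                if ( (unsigned int) result >= ncols || data->m_row[result] == NULL ) break;
                switch ( *format ) {
                case 'u':
                case 'd':
                    *(va_arg(argv, int *)) = atoi(data->m_row[result]);
                    result++;
                    break;
                case 's':
                    /* still unbounded: needs a caller-supplied size — see note */
                    strcpy ( va_arg(argv, char *), data->m_row[result] );
                    result++;
                    break;
                default:
                    break;              /* unrecognized conversion: nothing consumed */
                }
                format++;
            }
            va_end ( argv );
    /* … unchanged: mysql_free_result, error reporting, DEBUG output, return … */
```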
diff -Naur snort-2.2.0/src/plugbase.c snort-2.2.0fp/src/plugbase.c
--- snort-2.2.0/src/plugbase.c Wed Jun 16 12:49:24 2004
+++ snort-2.2.0fp/src/plugbase.c Sun Jan 23 21:57:53 2005
@@ -89,6 +89,11 @@
#include "detection-plugins/sp_pcre.h"
#include "detection-plugins/sp_flowbits.h"
#include "detection-plugins/sp_asn1.h"
+/* SDR BEGIN ADD */
+#include "detection-plugins/sp_tcp_option_check.h"
+#include "detection-plugins/sp_tcp_quirks_check.h"
+#include "detection-plugins/sp_ip_length_check.h"
+/* SDR END ADD */
#ifdef ENABLE_RESPONSE
#include "detection-plugins/sp_react.h"
#include "detection-plugins/sp_respond.h"
@@ -155,6 +160,11 @@
SetupPcre();
SetupFlowBits();
SetupAsn1();
+ /* SDR BEGIN ADD */
+ SetupTcpOptionCheck();
+ SetupTcpQuirksCheck();
+ SetupIpLengthCheck();
+ /* SDR END ADD */
#ifdef ENABLE_RESPONSE
SetupReact();
SetupRespond();
@@ -1500,3 +1510,117 @@
}
return ptr;
}
+
+/* SDR BEGIN ADD -- WAS STILL IN 2.0.4 */
+/****************************************************************************
+ *
+ * Function: TCPOptionValue(Options *o)
+ *
+ * Purpose: To return a string representing the value of an TCP option
+ *
+ * Arguments: An Options struct.
+ *
+ * Returns: char * -- You must free this char * when you are done with it.
+ *
+ ***************************************************************************/
+char *TCPOptionValue(Options *o)
+{
+ char * rval;
+ char * rvalptr;
+ u_char tmp[5];
+ int x;
+
+ rval = (char *)malloc(SMALLBUFFER);
+ rvalptr = rval;
+
+ switch(o->code)
+ {
+ case TCPOPT_MAXSEG:
+ bzero((char *)tmp, 5);
+ strncpy((char*)tmp, (char*)(o->data), 2);
+ snprintf(rval, SMALLBUFFER, "%u", EXTRACT_16BITS(tmp));
+ break;
+
+ case TCPOPT_EOL:
+ rval[0] = '\0';
+ break;
+
+ case TCPOPT_NOP:
+ rval[0] = '\0';
+ break;
+
+ case TCPOPT_WSCALE:
+ snprintf(rval, SMALLBUFFER, "%u", o->data[0]);
+ break;
+
+ case TCPOPT_SACK:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 2);
+ snprintf(rval, SMALLBUFFER, "%u@", EXTRACT_16BITS(tmp));
+ x = strlen(rval);
+ rvalptr += x;
+ bzero((char *)tmp, 5);
+ memcpy(tmp, (o->data)+2, 2);
+ snprintf(rvalptr, SMALLBUFFER - x, "%u", EXTRACT_16BITS(tmp));
+ break;
+
+ case TCPOPT_SACKOK:
+ rval[0] = '\0';
+ break;
+
+ case TCPOPT_ECHO:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 4);
+ snprintf(rval, SMALLBUFFER, "%u", EXTRACT_32BITS(tmp));
+ break;
+
+ case TCPOPT_ECHOREPLY:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 4);
+ snprintf(rval, SMALLBUFFER, "%u", EXTRACT_32BITS(tmp));
+ break;
+
+ case TCPOPT_TIMESTAMP:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 4);
+ snprintf(rval, SMALLBUFFER, "%u ", EXTRACT_32BITS(tmp));
+ rvalptr += strlen(rval);
+ bzero((char *)tmp, 5);
+ memcpy(tmp, (o->data)+4, 4);
+ snprintf(rvalptr, SMALLBUFFER, "%u", EXTRACT_32BITS(tmp));
+ break;
+
+ case TCPOPT_CC:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 4);
+ snprintf(rval, SMALLBUFFER, "%u", EXTRACT_32BITS(tmp));
+ break;
+
+ case TCPOPT_CCNEW:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 4);
+ snprintf(rval, SMALLBUFFER, "%u", EXTRACT_32BITS(tmp));
+ break;
+
+ case TCPOPT_CCECHO:
+ bzero((char *)tmp, 5);
+ memcpy(tmp, o->data, 4);
+ snprintf(rval, SMALLBUFFER, "%u", EXTRACT_32BITS(tmp));
+ break;
+
+ default:
+ rval[0] = '\0';
+ if(o->len > 2)
+ {
+ for(x = 0; x < (int) (o->len-2); x+=2)
+ {
+ snprintf(tmp, 5, "%02X%02X ", o->data[x], o->data[x+1]);
+ if(strlen(rval) < SMALLBUFFER - 5);
+ strncat(rval, tmp, SMALLBUFFER - strlen(rval));
+ }
+ }
+ break;
+ }
+ return rval;
+}
+/* SDR END ADD */
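Review bot: In the `default` case the line `if(strlen(rval) < SMALLBUFFER - 5);` ends in a stray semicolon, so the guard is empty and `strncat` always runs, and its limit `SMALLBUFFER - strlen(rval)` leaves no room for the terminator (strncat appends up to n bytes plus a NUL), so a long unknown option can write one byte past the `SMALLBUFFER` allocation; `tmp` is also only 5 bytes while `"%02X%02X "` needs 6, so the separating space is always truncated, `o->data[x+1]` reads one byte beyond the option when `o->len-2` is odd, and `tmp` is `u_char` where snprintf wants `char *`. Elsewhere in the function `malloc(SMALLBUFFER)` is never checked, the `TCPOPT_MAXSEG` case uses `strncpy` to copy two binary bytes and therefore stops at a 0x00 high byte (an MSS below 256 would be decoded wrongly — the `TCPOPT_SACK` case already uses `memcpy`), and the second `snprintf` in `TCPOPT_TIMESTAMP` passes `SMALLBUFFER` as the remaining size after `rvalptr` has been advanced, where the `TCPOPT_SACK` case correctly subtracts the prefix length. The fixed-size `memcpy` calls assume the option parser has already validated `o->len` against each option's expected length; I could not confirm that from this patch, so it is worth a comment on the function. The rewrite below covers those cases; the NULL return from malloc changes the contract, so callers would need to check it.
```c
char *TCPOptionValue(Options *o)
{
    char * rval;
    char * rvalptr;
    u_char tmp[5];
    char hex[6];                /* "%02X%02X " is five characters plus the terminator */
    int x;

    rval = (char *)malloc(SMALLBUFFER);
    if(rval == NULL)
        return NULL;            /* callers must check for NULL */
    rvalptr = rval;
    /* … unchanged: switch and the cases not shown … */
    case TCPOPT_MAXSEG:
        bzero((char *)tmp, 5);
        memcpy(tmp, o->data, 2);    /* strncpy stopped at a 0x00 high byte */
        snprintf(rval, SMALLBUFFER, "%u", EXTRACT_16BITS(tmp));
        break;
    /* … unchanged … */
    case TCPOPT_TIMESTAMP:
        /* … unchanged: first value and rvalptr advance … */
        snprintf(rvalptr, SMALLBUFFER - strlen(rval), "%u", EXTRACT_32BITS(tmp));
        break;
    /* … unchanged … */
    default:
        rval[0] = '\0';
        if(o->len > 2)
        {
            /* x + 1 < len keeps o->data[x+1] inside the option for odd lengths */
            for(x = 0; x + 1 < (int) (o->len-2); x+=2)
            {
                snprintf(hex, sizeof(hex), "%02X%02X ", o->data[x], o->data[x+1]);
                if(strlen(rval) < SMALLBUFFER - sizeof(hex))
                    strncat(rval, hex, SMALLBUFFER - strlen(rval) - 1);
            }
        }
        break;
```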
diff -Naur snort-2.2.0/src/plugin_enum.h snort-2.2.0fp/src/plugin_enum.h
--- snort-2.2.0/src/plugin_enum.h Mon Oct 20 09:03:22 2003
+++ snort-2.2.0fp/src/plugin_enum.h Sun Jan 23 17:35:55 2005
@@ -34,4 +34,9 @@
PLUGIN_TTL_CHECK,
PLUGIN_BYTE_TEST,
PLUGIN_PCRE,
+/* BEGIN ADD SDR */
+ PLUGIN_IP_LENGTH_CHECK,
+ PLUGIN_TCP_OPTION_CHECK,
+ PLUGIN_TCP_QUIRKS_CHECK,
+/* END ADD SDR */
};
diff -Naur snort-2.2.0/src/util.c snort-2.2.0fp/src/util.c
--- snort-2.2.0/src/util.c Wed Aug 4 08:28:25 2004
+++ snort-2.2.0fp/src/util.c Sun Jan 23 17:35:55 2005
@@ -262,7 +262,8 @@
****************************************************************************/
int DisplayBanner()
{
- fprintf(stderr, "\n-*> Snort! <*-\nVersion %s (Build %s)\n"
+ /* SDR ADDED (fp)... just so you know which version you are running */
+ fprintf(stderr, "\n-*> Snort!(fp) <*-\nVersion %s (Build %s)\n"
"By Martin Roesch (roesch@sourcefire.com, www.snort.org)\n"
#ifdef WIN32
"1.7-WIN32 Port By Michael Davis (mike@datanerds.net, www.datanerds.net/~mike)\n"