下面開始進行儀表盤子模塊中event的一個重要的文件security.php源碼的分析。php
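// Bootstrap the framework and pull in the helpers this widget relies on
// (sensor filters, the shared widget helpers, and this module's common code).
require_once 'av_init.php';
require_once 'sensor_filter.php';
require_once '../widget_common.php';
require_once 'common.php';

// Authorisation: the caller must hold both the executive dashboard and the
// events-forensics menu permissions. Both checks run before anything else.
Session::logcheck("dashboard-menu", "ControlPanelExecutive");
Session::logcheck("analysis-menu", "EventsForensics");

// Database connection used by every query below.
$db   = new ossim_db(TRUE);
$conn = $db->connect();

// Current session user.
$user = Session::get_session_user();

// Kind of security widget to draw, and the widget id. The id is empty while
// the wizard previews a widget, in which case the configuration arrives in
// the query string instead of the database.
$type = GET("type");
$id   = GET("id");

ossim_valid($type, OSS_TEXT, 'illegal:' . _("type"));
ossim_valid($id, OSS_DIGIT, OSS_NULLABLE, 'illegal:' . _("Widget ID"));

// Widget definition (height, widget type, asset selector) and chart
// parameters (chart type, legend, range, top, ...).
$winfo      = array();
$chart_info = array();

if (!isset($id) || empty($id))
{
    // Wizard preview: everything comes from the GET parameters.
    $winfo['height'] = GET("height");
    $winfo['wtype']  = GET("wtype");
    $winfo['asset']  = GET("asset");
    $chart_info      = json_decode(GET("value"), true);
}
else
{
    // Normal dashboard load: read the widget from the database
    // (see get_widget_data() in widget_common.php).
    $winfo      = get_widget_data($conn, $id);
    $chart_info = $winfo['params'];
}

// Validation
ossim_valid($winfo['wtype'], OSS_TEXT, 'illegal:' . _("Type"));
ossim_valid($winfo['height'], OSS_DIGIT, 'illegal:' . _("Widget ID"));
ossim_valid($winfo['asset'], OSS_HEX, OSS_SCORE, OSS_ALPHA, OSS_USER, 'illegal:' . _("Asset/User/Entity"));

if (is_array($chart_info) && !empty($chart_info))
{
    // Map of chart parameter name => comma separated OSS_* rule names,
    // e.g. "OSS_DIGIT, OSS_NULLABLE" (declared in widget_common.php).
    $validation = get_array_validation();

    foreach ($chart_info as $key => $val)
    {
        // Parameters with no declared rule are skipped, exactly as before.
        // Such values must not be interpolated into SQL further down.
        if (!isset($validation[$key]) || $validation[$key] == '')
        {
            continue;
        }

        // Resolve the rule names to their constant values and call
        // ossim_valid() directly. The original built an eval() string out
        // of the rule text and the (user supplied) parameter name; the
        // direct call keeps the same arguments without running generated
        // code. constant() raises on an unknown name, as the eval'd code
        // would have.
        $rules = array();
        foreach (explode(',', $validation[$key]) as $rule)
        {
            $rules[] = constant(trim($rule));
        }

        $args = array_merge(array((string) $val), $rules, array('illegal:' . _($key)));
        call_user_func_array('ossim_valid', $args);
    }
}

if (ossim_error())
{
    die(ossim_error());
}
// End of validation.

// Asset filters derived from the widget's asset/user/entity selector; they
// are appended to every query's WHERE clause via Security_report::make_where().
$assets_filters = get_asset_filters($conn, $winfo['asset']);

// Series values, axis labels and per-element drill-down links, filled in by
// the per-type branches that follow.
$data  = array();
$label = array();
$links = array();

// Release the session lock before the (possibly slow) SIEM queries so other
// requests of the same user are not serialised behind this one.
// NOTE(review): presumably nothing below writes the session - confirm.
session_write_close();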
// The widget data is computed according to the widget type ($type, validated
// above as OSS_TEXT). Each branch fills $data, $label, $links and $colors.
switch($type) {
    case "tcp":
        // Time/asset filter: from the start of the day that was two hours
        // ago until the end of today, restricted to the selected assets.
        $query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-7200), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
        // Maximum number of ports shown in the widget.
        // NOTE(review): $limit is interpolated into the SQL string below; this
        // is only safe because 'top' is expected to carry a digit-only rule in
        // get_array_validation() - confirm, or cast with (int).
        $limit = ($chart_info['top'] != '')? $chart_info['top'] : 30;
        // Top TCP destination ports by event count (ip_proto=6).
        $sql = "select layer4_dport as port, count(id) as num from alienvault_siem.acid_event where layer4_dport != 0 and ip_proto=6 $query_where group by port order by num desc limit $limit";
        // echo $sql;  (debugging aid, left disabled)
        $rs = $conn->CacheExecute($sql);
        if (!$rs) {
            // NOTE(review): the raw driver error is written into the response;
            // logging it server-side would avoid exposing SQL details.
            print $conn->ErrorMsg();
        } else {
            $array_aux = array();
            while (!$rs->EOF) {
                // port => count, plus a drill-down link into the forensics console.
                $array_aux[$rs->fields["port"]] = $rs->fields["num"];
                // NOTE(review): "¤t_view" reads like the page mis-rendered
                // "&current_view" (HTML entity) - confirm against the upstream file.
                $link = Menu::get_menu_url('/ossim/forensics/base_qry_main.php?tcp_port[0][0]=&tcp_port[0][1]=layer4_dport&tcp_port[0][2]==&tcp_port[0][3]='.$rs->fields["port"].'&tcp_port[0][4]=&tcp_port[0][5]=&tcp_flags[0]=&layer4=TCP&num_result_rows=-1¤t_view=-1&new=1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time&time_range=all', 'analysis', 'security_events');
                $links[$rs->fields["port"]] = $link;
                $rs->MoveNext();
            }
            // Sort the result by port number rather than by event count.
            ksort($array_aux);
            $data = array_values($array_aux);
            $label = array_keys($array_aux);
            // Chart presentation.
            $serie = 'Amount of Attacks';
            $colors = "#333333";
        }
        break;

    case "udp":
        // Same window as the TCP branch: start of the day two hours ago
        // until the end of today, restricted to the selected assets.
        $query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-7200), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
        // Maximum number of ports shown in the widget (see the note on
        // $limit in the TCP branch: it is interpolated into SQL).
        $limit = ($chart_info['top'] != '')? $chart_info['top'] : 30;
        // Top UDP destination ports by event count (ip_proto=17).
        $sql = "select layer4_dport as port, count(id) as num from alienvault_siem.acid_event where layer4_dport != 0 and ip_proto=17 $query_where group by port order by num desc limit $limit";
        // echo $sql;  (debugging aid, left disabled)
        $rs = $conn->CacheExecute($sql);
        if (!$rs) {
            // Raw driver error written into the response (see TCP branch).
            print $conn->ErrorMsg();
        } else {
            $array_aux = array();
            while (!$rs->EOF) {
                $array_aux[$rs->fields["port"]] = $rs->fields["num"];
                // "¤t_view" - same suspected page mis-rendering as in the TCP branch.
                $link = Menu::get_menu_url('/ossim/forensics/base_qry_main.php?udp_port[0][0]=&udp_port[0][1]=layer4_dport&udp_port[0][2]==&udp_port[0][3]='.$rs->fields["port"].'&udp_port[0][4]=&udp_port[0][5]=&udp_flags[0]=&layer4=UDP&num_result_rows=-1¤t_view=-1&new=1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time&time_range=all', 'analysis', 'security_events');
                $links[$rs->fields["port"]] = $link;
                $rs->MoveNext();
            }
            // Sort by port number, not by event count.
            ksort($array_aux);
            $data = array_values($array_aux);
            $label = array_keys($array_aux);
            // Chart presentation.
            $serie = 'Amount of Attacks';
            $colors = "#333333";
        }
        break;

    case "promiscuous":
        // Date range in seconds: 'range' days, defaulting to 5 days (432000 s).
        $range = ($chart_info['range'] > 0)? ($chart_info['range'] * 86400) : 432000;
        // Time/asset filter for that range.
        $query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-$range), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
        // Maximum number of source hosts shown (interpolated into SQL below;
        // see the note on $limit in the TCP branch).
        $limit = ($chart_info['top'] != '')? $chart_info['top'] : 10;
        // Base link into the SIEM console covering the same date range.
        // NOTE(review): $timetz is not defined on this page; presumably it is
        // set by one of the included files - confirm.
        $forensic_link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time_cnt=2&time[0][0]=+&time[0][1]=%3E%3D&time[0][8]=+&time[0][9]=AND&time[1][1]=%3C%3D&time[0][2]=".gmdate("m",$timetz-$range)."&time[0][3]=".gmdate("d",$timetz-$range)."&time[0][4]=".gmdate("Y",$timetz-$range)."&time[0][5]=00&time[0][6]=00&time[0][7]=00&time[1][2]=".gmdate("m",$timetz)."&time[1][3]=".gmdate("d",$timetz)."&time[1][4]=".gmdate("Y",$timetz)."&time[1][5]=23&time[1][6]=59&time[1][7]=59&submit=Query+DB&num_result_rows=-1&time_cnt=1&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');
        // Sources ranked by the number of distinct destinations they touched.
        $sqlgraph = "select count(distinct(ip_dst)) as num_events,ip_src as name from alienvault_siem.po_acid_event AS acid_event WHERE 1=1 $query_where group by ip_src having ip_src>0x00000000000000000000000000000000 order by num_events desc limit $limit";
        $rg = $conn->CacheExecute($sqlgraph);
        if (!$rg) {
            // Raw driver error written into the response (see TCP branch).
            print $conn->ErrorMsg();
        } else {
            while (!$rg->EOF) {
                $data[] = $rg->fields["num_events"];
                // ip_src is stored in binary form; inet_ntop() renders it.
                $label[] = inet_ntop($rg->fields["name"]);
                $links[] = $forensic_link . '&ip_addr[0][0]=+&ip_addr[0][1]=ip_src&ip_addr[0][2]=%3D&ip_addr[0][3]=' . inet_ntop($rg->fields["name"]) . '&ip_addr[0][8]=+&ip_addr[0][9]=+&ip_addr_cnt=1';
                $rg->MoveNext();
            }
        }
        $colors = get_widget_colors(count($data));
        break;

    case "unique":
        // Date range in seconds: 'range' days, defaulting to 5 days.
        $range = ($chart_info['range'] > 0)? ($chart_info['range'] * 86400) : 432000;
        // Time/asset filter for that range.
        $query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-$range), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
        // Maximum number of hosts shown in the widget.
        $limit = ($chart_info['top'] != '')? $chart_info['top'] : 10;
        // Base link into the SIEM console (same construction as "promiscuous";
        // $timetz is again assumed to come from an included file).
        $forensic_link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time_cnt=2&time[0][0]=+&time[0][1]=%3E%3D&time[0][8]=+&time[0][9]=AND&time[1][1]=%3C%3D&time[0][2]=".gmdate("m",$timetz-$range)."&time[0][3]=".gmdate("d",$timetz-$range)."&time[0][4]=".gmdate("Y",$timetz-$range)."&time[0][5]=00&time[0][6]=00&time[0][7]=00&time[1][2]=".gmdate("m",$timetz)."&time[1][3]=".gmdate("d",$timetz)."&time[1][4]=".gmdate("Y",$timetz)."&time[1][5]=23&time[1][6]=59&time[1][7]=59&submit=Query+DB&num_result_rows=-1&time_cnt=1&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');
        ... ...  // (the page omits the rest of the "unique" branch and the start of the next one)

        // Number of hours shown in the widget (the following lines belong to
        // a branch whose case label is missing from the page).
        $max = ($chart_info['range'] == '')? 16 : $chart_info['range'];
        // Retrieve hourly event counts starting ($max - 1) hours ago.
        $fdate = gmdate("Y-m-d H",$timetz-(3600*($max-1)));
        $values = SIEM_trends($max, $assets_filters, $fdate);
        // Format the series for the chart handler: one point per hour, oldest
        // first. $h is "<day> <hour>h"; the day prefix is stripped for the label.
        for ($i=$max-1; $i>=0; $i--) {
            $tref = $timetz-(3600*$i);
            $h = gmdate("j G",$tref)."h";
            $label[] = preg_replace("/\d+ /","",$h);
            $data[] = ($values[$h]!="") ? $values[$h] : 0;
        ... ...  // (the page omits the end of this loop and of the switch)
$db->close();

// Hand the computed $data / $label / $links / $colors to the shared handler,
// which renders the widget.
require 'handler.php';
Tips:該源碼能夠看出全部事件存儲在alienvault_siem.acid_event表中,有關OSSIM數據庫分析你們可參考OSSIM疑難解析一書。