2021SC@SDUSC
一、Web部分源代码分析
1、简述
用户接触OSSIM平台最多的是 Web UI,通过Web 以可视化方式轻松获取各种安全分析的图表,作为普通运维人员或者监控人员,绝大多数操作都是通过Web UI 来完成。
Web UI 界面以及各部分所对应的功能,已在前面的博文中进行了详细的阐述讲解,本篇博文便不再赘述
2、Web UI对应源代码目录结构
Web UI 以 php 为主要编程语言,各部分功能对应的源代码目录如下表所示:
| 一级菜单 | 二级菜单 | 调用界面 |
|---|---|---|
| DASHBOARDS | Overview | ./dashboard/index.php |
| Deployment status | ./deployment/index.php | |
| Risk Maps | ./risk maps/view.php | |
| OTX | ./reputation/index.php | |
| Analysis | Alarms Group View | ./alarm/alarm_console.php ./alarm/alarm_group_console.php |
| Security Events (SIEM) Real Time | ./forensics/base_ary_main.php ./control_ panel/event_panel.php | |
| Raw Logs | ./sem/index.php | |
| Tickets | ./incidents/index.php | |
| ENVIRONMENT | Assets Asset Discovery | ./assets/index.php ./netscan/index.php |
| Groups&Networks Network Groups | ./assets/list_view.php ./netgroup/netgroup.php | |
| Vulnerabilities | Overview : ./vulnmeter/index.php ScanJobs : ./vulnmeter/manage_jobs.php Settings : ./vulnmeter/webconfig.php Threat Database : ./vulnmeter/threats-db.php | |
| Profiles | ./ntop/index.php | |
| NetFlow | ./nfsen/nfsen.php | |
| Traffic capture | ./pcap/index.php | |
| Availability | ./nagios/index.php | |
| Detection | ./ossec/status.php Agents : ./ossec/agent.php Agentless : ./ossec/agentless.php Edit Rules : ./ossec/index.php Config : ./ossec/config.php Ossec control : ./ossec/ossec_control.php Wireles IDS : ./wireless/index.php | |
| REPORTS | Alarms Report 生成文件 : ./report/os_reports/Alarms/generaL.php Business&Compliance ISO PCI Report生成文件 : ./report/os_reports/BussinessAndComplianceISOPCI/general.php Tickets Status Report生成文件 : ./report/os_reports/Tickets/general.php SIEM Events 生成文件 : ./reports/os_reports/Siem/general.php Vulnerabilities Report 生成文件 : ./vulnmeter/lr_respdf.php | |
| CONFIGURATION | Administration | USERS ./session/users.php Activity : ./conf/userlog.php |
| MAIN ./conf/index.php | ||
| BACKUP ./backup/index.php | ||
| Deployment | Alienvault Center : ./av_center/index.php Sensors : ./server/sensor.php Servers : ./server/server.php Scheduler : ./av_inventory/index.php Locations : ./sensor/locations.php | |
| Threat Intelligence | Policy : ./policy/policy.php Edit pPolicy Groups : ./policy/policygroup.php | |
| Actions : ./action/action.php | ||
| Ports : ./porUport.php Port Groups : ./port/portgroup.php | ||
| Directives : ./directives/index.php | ||
| ComplianceMapping : ./compliance/iso27001.php PCIDSS2.0 : ./compliance/pci-dss.php Run Scripts : ./compliance/mod scripts.php | ||
| Cross Correlation : ./conf/pluginref.php | ||
| Data Source : ./conf/plugin.php Data Source Groups : ./policy/plugingroups.php | ||
| Taxonomy : ./conficategory.php | ||
| Knowledge Base : ./repository/index.php | ||
| SETTINGS | My Profile | ./session/user_form.php |
| Current Sessions | ./userlogopened_sessions.php | |
| User Activity | ./userlog/user_ action _log.php | |
| Support | Help | ./help/index.php |
| Downloads | ./downloads/index.php |
3、security.php源码分析
本部分将对仪表盘子模块中 event模块中的一个比较重要的代码文件security.php的源代码进行初步分析。
源码地址:alienvault-ossim\os-sim\www\dashboard\sections\widgets\data\security.php
//首先在文件头部进行相关文件的引用,初始化函数库
require_once 'av_init.php';
require_once 'sensor_filter.php';
require_once '../widget_common.php';
require_once 'common.php';
引入相关文件的主要功能:
av_init.php:AlienVault 初始化文件,通过引用其他文件,完成一些初始化操作,例如创建session、设置class path、DB 管理、获取全局配置、设置语言等等。
sensor_filter.php:主要实现相关过滤的功能。包含资产过滤、传感器过滤、分类过滤等。
widget_common.php:控件相关操作。主要与数据库中
dashboard_widget_config表进行交互,进行控件重新排列、获取次序、获取数据等操作。common.php:获取一些数据的趋势,以小时和周为单位获取 SIEM 趋势
//通过Session检查当前登录用户是否有访问该菜单的权限
Session::logcheck("dashboard-menu", "ControlPanelExecutive");
Session::logcheck("analysis-menu", "EventsForensics");
//接下来连接数据库
$db = new ossim_db(TRUE);
$conn = $db->connect();
//获取当前用户信息
$user = Session::get_session_user();
//get方式获取控件类型,设置安全控件的类型
$type = GET("type");
//get方式获取控件ID
$id = GET("id");
//对控件类型、ID进行有效性验证
ossim_valid($type, OSS_TEXT, 'illegal:' . _("type"));
ossim_valid($id, OSS_DIGIT, OSS_NULLABLE, 'illegal:' . _("Widget ID"));
if (ossim_error())
{
die(ossim_error());
}
//控件的数组信息,图表信息和标签云信息等
$winfo = array();
$chart_info = array();
接下来判断ID
//如果ID为空,代表着目前在向导的预可视化中。系统可以从get参数中获取所有信息。
if (!isset($id) || empty($id)){
//定义控件高度
$winfo['height'] = GET("height");
//定义类型:图表标签云等
$winfo['wtype'] = GET("wtype");
//定义资产
$winfo['asset'] = GET("asset");
//图表类型,图例参数等
$chart_info = json_decode(GET("value"),true);
}
//如果ID不为空,正常情况下,从仪表板加载控件,在这种情况下,系统从数据库获取相关信息。
else
{
$winfo = get_widget_data($conn, $id);
//图表类型,图例参数
$chart_info = $winfo['params'];
}
// 有效性检验
ossim_valid($winfo['wtype'], OSS_TEXT, 'illegal:' . _("Type"));
ossim_valid($winfo['height'], OSS_DIGIT, 'illegal:' . _("Widget ID"));
ossim_valid($winfo['asset'], OSS_HEX,OSS_SCORE,OSS_ALPHA,OSS_USER, 'illegal:' . _("Asset/User/Entity"));
if (is_array($chart_info) && !empty($chart_info))
{
$validation = get_array_validation();
foreach($chart_info as $key=>$val)
{
if ($validation[$key] == '')
{
continue;
}
eval("ossim_valid(\"\$val\", ".$validation[$key].", 'illegal:" . _($key)."');");
}
}
if (ossim_error())
{
die(ossim_error());
}
//存储图表信息的变量
//定义一个控件自身数组
$data = array();
//控件的标签,例如图表中的图例、标签云中的标题等...
$label = array();
//定义每个元素的链接数组
$links = array();
//switch case根据控件的类型对控件的数据进行计算
//type=“tcp”
switch($type)
{
case "tcp":
//资产过滤器
$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-7200), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
//在控件中显示的最大攻击次数。
$limit = ($chart_info['top'] != '')? $chart_info['top'] : 30;
//SQL查询
//在查询中使用参数
$sql = "select layer4_dport as port, count(id) as num from alienvault_siem.acid_event where layer4_dport != 0 and ip_proto=6 $query_where group by port order by num desc limit $limit";
//回显 $sql;
$rs = $conn->CacheExecute($sql);
if (!$rs)
{
print $conn->ErrorMsg();
}
else
{
$array_aux = array();
while (!$rs->EOF)
{
$array_aux[$rs->fields["port"]] = $rs->fields["num"];
$link = Menu::get_menu_url('/ossim/forensics/base_qry_main.php?tcp_port[0][0]=&tcp_port[0][1]=layer4_dport&tcp_port[0][2]==&tcp_port[0][3]='.$rs->fields["port"].'&tcp_port[0][4]=&tcp_port[0][5]=&tcp_flags[0]=&layer4=TCP&num_result_rows=-1¤t_view=-1&new=1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time&time_range=all', 'analysis', 'security_events');
$links[$rs->fields["port"]] = $link;
$rs->MoveNext();
}
//按照端口的名称排序对结果进行排序,而不是攻击的数量。
ksort($array_aux);
$data = array_values($array_aux);
$label = array_keys($array_aux);
//serie名称
$serie = 'Amount of Attacks';
//颜色设置
$colors = "#333333";
}
break;
//type=“promiscuous”
case "promiscuous":
//日期范围
$range = ($chart_info['range'] > 0)? ($chart_info['range'] * 86400) : 432000;
//资产过滤
$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-$range), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
//设置主机在控件中显示的限制。
$limit = ($chart_info['top'] != '')? $chart_info['top'] : 10;
//连接到SIEM控制台页面
$forensic_link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time_cnt=2&time[0][0]=+&time[0][1]=%3E%3D&time[0][8]=+&time[0][9]=AND&time[1][1]=%3C%3D&time[0][2]=".gmdate("m",$timetz-$range)."&time[0][3]=".gmdate("d",$timetz-$range)."&time[0][4]=".gmdate("Y",$timetz-$range)."&time[0][5]=00&time[0][6]=00&time[0][7]=00&time[1][2]=".gmdate("m",$timetz)."&time[1][3]=".gmdate("d",$timetz)."&time[1][4]=".gmdate("Y",$timetz)."&time[1][5]=23&time[1][6]=59&time[1][7]=59&submit=Query+DB&num_result_rows=-1&time_cnt=1&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');
//SQL查询
//在查询中使用参数,用户参数查询
$sqlgraph = "select count(distinct(ip_dst)) as num_events,ip_src as name from alienvault_siem.po_acid_event AS acid_event WHERE 1=1 $query_where group by ip_src having ip_src>0x00000000000000000000000000000000 order by num_events desc limit $limit";
$rg = $conn->CacheExecute($sqlgraph);
if (!$rg)
{
print $conn->ErrorMsg();
}
else
{
while (!$rg->EOF)
{
$data[] = $rg->fields["num_events"];
$label[] = inet_ntop($rg->fields["name"]);
$links[] = $forensic_link . '&ip_addr[0][0]=+&ip_addr[0][1]=ip_src&ip_addr[0][2]=%3D&ip_addr[0][3]=' . inet_ntop($rg->fields["name"]) . '&ip_addr[0][8]=+&ip_addr[0][9]=+&ip_addr_cnt=1';
$rg->MoveNext();
}
}
$colors = get_widget_colors(count($data));
break;
//type=“siemhours”
case 'siemhours':
//在控件中显示的小时数。
$max = ($chart_info['range'] == '')? 16 : $chart_info['range'];
//检索小部件的数据
$js = "analytics";
$fdate = gmdate("Y-m-d H",$timetz-(3600*($max-1)));
$values = SIEM_trends($max, $assets_filters, $fdate);
//将信息格式化为对处理程序有效的格式。
for ($i=$max-1; $i>=0; $i--)
{
$tref = $timetz-(3600*$i);
$h = gmdate("j G",$tref)."h";
$label[] = preg_replace("/\d+ /","",$h);
$data[] = ($values[$h]!="") ? $values[$h] : 0;
$link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time[0][0]=+&time[0][1]=>%3D&time[0][2]=".gmdate("m",$tref)."&time[0][3]=".gmdate("d",$tref)."&time[0][4]=".gmdate("Y",$tref)."&time[0][5]=".gmdate("H",$tref)."&time[0][6]=00&time[0][7]=00&time[0][8]=+&time[0][9]=AND&time[1][0]=+&time[1][1]=<%3D&time[1][2]=".gmdate("m",$tref)."&time[1][3]=".gmdate("d",$tref)."&time[1][4]=".gmdate("Y",$tref)."&time[1][5]=".gmdate("H",$tref)."&time[1][6]=59&time[1][7]=59&time[1][8]=+&time[1][9]=+&submit=Query+DB&num_result_rows=-1&time_cnt=2&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');
$key = preg_replace('/^0/', '', gmdate("H",$tref) . 'h');
$links[$key] = $link;
}
$siem_url = $links;
$colors = "'#444444'";
//部件为空时的消息。
$nodata_text = "No data available yet";
break;
//最后调用处理程序来绘制适当的小部件,即:任何类型的图表、tag_cloud 等…
require 'handler.php';
4、Overview源码分析
index.php 主要为 php 代码,带有少部分 HTML 代码,主要实现当前菜单的基本内容的获取、权限判断等功能。
//引用文件
require_once 'av_init.php';
//检查是否有权限获取当前菜单
Session::logcheck("dashboard-menu", "ControlPanelExecutive");
//获取当前用户信息
$login = Session::get_session_user();
$pro = Session::is_pro();
//获取默认选项卡
/*如果用户session里面存储了默认选项卡,直接赋值给default_tab*/
if (!empty($_SESSION['default_tab']))
{
$default_tab = $_SESSION['default_tab'];
}
/*如果没有设置默认选项卡,新建用户配置,存储默认配置*/
else
{
$config_aux = new User_config($conn);
$default_tab = $config_aux->get($login, 'panel_default', 'simple', "main");
$default_tab = ($default_tab > 0) ? $default_tab : 1;
//把选项卡保存在session中
$_SESSION['default_tab'] = $default_tab;
}
//获取当前 panel
$panel_id = $default_tab;
//判断是否为空
if (GET('panel_id') != "")
{
$panel_id = GET('panel_id');
}
elseif ($_SESSION['_db_panel_selected'] != "")
{
$panel_id = $_SESSION['_db_panel_selected'];
}
//获取选项卡列表
$tab_list = Dashboard_tab::get_tabs_by_user($login, $edit);
//判断选项卡列表是否为空
if (empty($tab_list))
{
//tab_list为空
$config_nt = array(
'content' => _('No tabs have been found').".",
'options' => array (
'type' => 'nf_warning',
'cancel_button' => ''
),
//前端css代码
'style' => ' margin:25px auto 0 auto;text-align:center;padding:3px 30px;'
);
$nt = new Notification('nt_panel', $config_nt);
$nt->show();
die();
}
tabs.php 为 HTML+php 代码,主要实现选项卡的增加、删除、排序等选项卡相关操作的前端代码
<div class='dashboard_tab_add'>
<a href='<?php echo $add_url ?>' title="<?php echo _('New Tab') ?>" class='coolbox_add'>+</a>
</div>
本篇文章部分内容参考或转载自下列文章及书籍。侵权即删。
参考书籍:
- 《开源安全运维平台OSSIM疑难解析(入门篇)》——李晨光著
- 《开源安全运维平台OSSIM疑难解析(提高篇)》——李晨光著
- 《开源安全运维平台:OSSIM最佳实践》——李晨光著
参考文章:
- https://blog.51cto.com/chenguang/2426473
- https://blog.csdn.net/lcgweb/article/details/101284949
- https://blog.51cto.com/chenguang/1665012
- https://www.cnblogs.com/lsdb/p/10000061.html
- https://blog.51cto.com/chenguang/1691090
- https://blog.51cto.com/chenguang/category10.html
- https://blog.51cto.com/topic/ossim.html
- https://blog.csdn.net/isinstance/article/details/53694361
- https://blog.51cto.com/chenguang/1332329
- https://www.cnblogs.com/airoot/p/8072727.html
- https://blog.51cto.com/chenguang/1738731
- https://blog.csdn.net/security_yj/article/details/120153992
上一篇(架构分析):OSSIM开源安全信息管理系统(三)
下一篇(代码分析):
154
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
