php生成象限图源码,OSSIM之security.php源码分析

下面开始进行仪表盘子模块中event的一个重要的文件security.php源码的分析。

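// Bootstrap: framework initialisation, sensor filters, the shared widget
// helpers and the dashboard-local helpers (get_widget_data(),
// get_array_validation(), get_asset_filters(), ...).
require_once 'av_init.php';
require_once 'sensor_filter.php';
require_once '../widget_common.php';
require_once 'common.php';

// Access control: the caller must be allowed to see both the executive
// dashboard and the forensic event views the widget links into.
Session::logcheck("dashboard-menu", "ControlPanelExecutive");
Session::logcheck("analysis-menu", "EventsForensics");

// Database connection shared by every branch of the script.
$db   = new ossim_db(TRUE);
$conn = $db->connect();

// Current user. Not read in this part of the script; left in place because
// later code in the file may rely on it.
$user = Session::get_session_user();

// Which security widget to render (selects the switch() branch further
// down) and the widget id, which is empty while the wizard previews a
// widget that has not been stored yet.
$type = GET("type");
$id   = GET("id");

ossim_valid($type, OSS_TEXT, 'illegal:' . _("type"));
ossim_valid($id, OSS_DIGIT, OSS_NULLABLE, 'illegal:' . _("Widget ID"));

// Widget description ($winfo) and chart parameters ($chart_info).
$winfo      = array();
$chart_info = array();

if (empty($id))
{
    // Wizard preview: nothing is stored yet, so every value comes straight
    // from the request and is untrusted until the validation block below
    // has run.
    $winfo['height'] = GET("height");
    $winfo['wtype']  = GET("wtype");   // chart, tag cloud, ...
    $winfo['asset']  = GET("asset");
    $chart_info      = json_decode(GET("value"), true);
}
else
{
    // Normal dashboard load: the widget is read from the database
    // (see get_widget_data() in widget_common.php).
    $winfo      = get_widget_data($conn, $id);
    $chart_info = $winfo['params'];
}

// Validation of the widget description. The same rules are applied to both
// sources, so a stored widget with bad data is rejected as well.
ossim_valid($winfo['wtype'],  OSS_TEXT,  'illegal:' . _("Type"));
ossim_valid($winfo['height'], OSS_DIGIT, 'illegal:' . _("Height"));
ossim_valid($winfo['asset'],  OSS_HEX, OSS_SCORE, OSS_ALPHA, OSS_USER, 'illegal:' . _("Asset/User/Entity"));

if (is_array($chart_info) && !empty($chart_info))
{
    // Rule table: parameter name => list of OSS_* rule constants, as a
    // string (see get_array_validation() in common.php).
    $validation = get_array_validation();

    foreach ($chart_info as $key => $val)
    {
        // Parameters without a rule are skipped, i.e. they reach the
        // queries below unvalidated. Every $chart_info key read later
        // ('top', 'range', ...) must therefore have an entry in the table.
        if (!isset($validation[$key]) || $validation[$key] == '')
        {
            continue;
        }

        // The rule list is a string, so it is spliced into generated code.
        // Only table entries and the translated name of a known key are
        // interpolated; the value itself is referenced as a variable inside
        // the generated call, not pasted into it. Resolving each rule name
        // with constant() and calling ossim_valid() through
        // call_user_func_array() would remove the eval() altogether.
        eval("ossim_valid(\"\$val\", ".$validation[$key].", 'illegal:" . _($key)."');");
    }
}

if (ossim_error())
{
    die(ossim_error());
}
// End of validation.

// Restrict every query below to the assets the widget is scoped to.
$assets_filters = get_asset_filters($conn, $winfo['asset']);

// Series values, labels and per-element drill-down links handed to the
// widget handler.
$data  = array();
$label = array();
$links = array();

// Nothing below writes to the session; release the session lock so other
// requests from the same user are not blocked while the queries run.
session_write_close();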

//控件的数据将根据控件的类型进行计算

switch($type)

{

case "tcp":

//资产过滤器

$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-7200), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);

//在小部件中显示的最大***次数。

$limit = ($chart_info['top'] != '')? $chart_info['top'] : 30;

//SQL查询,比如在查询中使用参数

$sql = "select layer4_dport as port, count(id) as num from alienvault_siem.acid_event where layer4_dport != 0 and ip_proto=6 $query_where group by port order by num desc limit $limit";

//回显 $sql;

$rs = $conn->CacheExecute($sql);

if (!$rs)

{

print $conn->ErrorMsg();

}

else

{

$array_aux = array();

while (!$rs->EOF)

{

$array_aux[$rs->fields["port"]] = $rs->fields["num"];

$link = Menu::get_menu_url('/ossim/forensics/base_qry_main.php?tcp_port[0][0]=&tcp_port[0][1]=layer4_dport&tcp_port[0][2]==&tcp_port[0][3]='.$rs->fields["port"].'&tcp_port[0][4]=&tcp_port[0][5]=&tcp_flags[0]=&layer4=TCP&num_result_rows=-1¤t_view=-1&new=1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time&time_range=all', 'analysis', 'security_events');

$links[$rs->fields["port"]] = $link;

$rs->MoveNext();

}

//按照端口的名称排序结果,而不是***的数量。

ksort($array_aux);

$data = array_values($array_aux);

$label = array_keys($array_aux);

//图标显示

$serie = 'Amount of Attacks';

$colors = "#333333";

}

break;

case "udp":

//资产过滤器。

$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-7200), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);

//在控件中显示的最大***次数。

$limit = ($chart_info['top'] != '')? $chart_info['top'] : 30;

//SQL查询

//执行:在查询中使用参数

$sql = "select layer4_dport as port, count(id) as num from alienvault_siem.acid_event where layer4_dport != 0 and ip_proto=17 $query_where group by port order by num desc limit $limit";

//回显$sql;

$rs = $conn->CacheExecute($sql);

if (!$rs)

{

print $conn->ErrorMsg();

}

else

{

$array_aux = array();

while (!$rs->EOF)

{

$array_aux[$rs->fields["port"]] = $rs->fields["num"];

$link = Menu::get_menu_url('/ossim/forensics/base_qry_main.php?udp_port[0][0]=&udp_port[0][1]=layer4_dport&udp_port[0][2]==&udp_port[0][3]='.$rs->fields["port"].'&udp_port[0][4]=&udp_port[0][5]=&udp_flags[0]=&layer4=UDP&num_result_rows=-1¤t_view=-1&new=1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time&time_range=all', 'analysis', 'security_events');

$links[$rs->fields["port"]] = $link;

$rs->MoveNext();

}

//这里表示按照端口的名称排序结果,而不是***的数量。

ksort($array_aux);

$data = array_values($array_aux);

$label = array_keys($array_aux);

//图表显示

$serie = 'Amount of Attacks';

$colors = "#333333";

}

break;

case "promiscuous":

//定义日期范围。

$range = ($chart_info['range'] > 0)? ($chart_info['range'] * 86400) : 432000;

//过滤资产

$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-$range), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);

//设置主机在控件中显示的限制。

$limit = ($chart_info['top'] != '')? $chart_info['top'] : 10;

//连接到SIEM控制台页面

$forensic_link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time_cnt=2&time[0][0]=+&time[0][1]=%3E%3D&time[0][8]=+&time[0][9]=AND&time[1][1]=%3C%3D&time[0][2]=".gmdate("m",$timetz-$range)."&time[0][3]=".gmdate("d",$timetz-$range)."&time[0][4]=".gmdate("Y",$timetz-$range)."&time[0][5]=00&time[0][6]=00&time[0][7]=00&time[1][2]=".gmdate("m",$timetz)."&time[1][3]=".gmdate("d",$timetz)."&time[1][4]=".gmdate("Y",$timetz)."&time[1][5]=23&time[1][6]=59&time[1][7]=59&submit=Query+DB&num_result_rows=-1&time_cnt=1&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');

//SQL查询,用户参数查询

$sqlgraph = "select count(distinct(ip_dst)) as num_events,ip_src as name from alienvault_siem.po_acid_event AS acid_event WHERE 1=1 $query_where group by ip_src having ip_src>0x00000000000000000000000000000000 order by num_events desc limit

$limit";

$rg = $conn->CacheExecute($sqlgraph);

if (!$rg)

{

print $conn->ErrorMsg();

}

else

{

while (!$rg->EOF)

{

$data[] = $rg->fields["num_events"];

$label[] = inet_ntop($rg->fields["name"]);

$links[] = $forensic_link . '&ip_addr[0][0]=+&ip_addr[0][1]=ip_src&ip_addr[0][2]=%3D&ip_addr[0][3]=' . inet_ntop($rg->fields["name"]) . '&ip_addr[0][8]=+&ip_addr[0][9]=+&ip_addr_cnt=1';

$rg->MoveNext();

}

}

$colors = get_widget_colors(count($data));

break;

case "unique":

//日期范围

$range = ($chart_info['range'] > 0)? ($chart_info['range'] * 86400) : 432000;

//过滤资产

$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-$range), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);

//主机在控件中显示的限制。

$limit = ($chart_info['top'] != '')? $chart_info['top'] : 10;

//链接到SIEM控制台页面

$forensic_link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time_cnt=2&time[0][0]=+&time[0][1]=%3E%3D&time[0][8]=+&time[0][9]=AND&time[1][1]=%3C%3D&time[0][2]=".gmdate("m",$timetz-$range)."&time[0][3]=".gmdate("d",$timetz-$range)."&time[0][4]=".gmdate("Y",$timetz-$range)."&time[0][5]=00&time[0][6]=00&time[0][7]=00&time[1][2]=".gmdate("m",$timetz)."&time[1][3]=".gmdate("d",$timetz)."&time[1][4]=".gmdate("Y",$timetz)."&time[1][5]=23&time[1][6]=59&time[1][7]=59&submit=Query+DB&num_result_rows=-1&time_cnt=1&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');

... ...

//在控件中显示的小时数。

$max = ($chart_info['range'] == '')? 16 : $chart_info['range'];

//检索小部件的数据

$fdate = gmdate("Y-m-d H",$timetz-(3600*($max-1)));

$values = SIEM_trends($max, $assets_filters, $fdate);

//将信息格式化为对处理程序有效的格式。

for ($i=$max-1; $i>=0; $i--)

{

$tref = $timetz-(3600*$i);

$h = gmdate("j G",$tref)."h";

$label[] = preg_replace("/\d+ /","",$h);

$data[] = ($values[$h]!="") ? $values[$h] : 0;

... ...

$db->close();

//现在调用处理程序来绘制正确的小部件

require 'handler.php';

Tips:该源码可以看出所有事件存储在alienvault_siem.acid_event表中,有关OSSIM数据库分析大家可参考OSSIM疑难解析一书。
