From 4eb4692310fb9240a98ab59c84fb2c7a856f05c7 Mon Sep 17 00:00:00 2001 From: doug Date: Fri, 9 Dec 2016 16:16:26 -0500 Subject: [PATCH 01/34] update README --- README.md | 164 ++---------------------------------------------------- 1 file changed, 4 insertions(+), 160 deletions(-) diff --git a/README.md b/README.md index ef9b0b5..ab61020 100644 --- a/README.md +++ b/README.md 
@@ -1,165 +1,9 @@ ## squert - A Simple Query and Report Tool - -####### - -NOTE: This project is no longer in active develpment. See [here](http://www.pintumbler.org/words/youcantgobackonlyforward) for more detail. -Thanks to everyone that has supported me through the years while I worked on this. - -####### - - - -Home: [http://www.squertproject.org](http://www.squertproject.org) - -Talk: [Version 1.3 @CANHEIT 2014](http://www.pintumbler.org/squert-canheit2014.pdf) - -Intro: [http://www.youtube.com/watch?v=ZOsVw96XM8E](http://www.youtube.com/watch?v=ZOsVw96XM8E) - -Changes v1.1.6: [http://www.youtube.com/watch?v=_eheJv0MJDY](http://www.youtube.com/watch?v=_eheJv0MJDY) - -Changes v1.1.9: [http://www.youtube.com/watch?v=QkgrigopfQA](http://www.youtube.com/watch?v=QkgrigopfQA) - -Changes v1.2.0: Cleanup. Removed fixed credentials in sguil helpers. - -Changes v1.3.0: - -* ElasticSearch queries (Bro) -* Autocat editor -* Significant interface changes - -See: [Changes v1.3.0](http://www.squertproject.org/summaryofchangesforsquertversion130) - -Changes v1.4.0: - -* URLs -* Moved to menu on click -* Bugfixes - -See: [Changes v1.4.0](http://www.squertproject.org/summaryofchangesforsquertversion140) - -Changes v1.5.0 - -* Control layout changes -* Object colouring from context menu -* Bugfixes - -See: [Changes v1.5.0](http://www.squertproject.org/summaryofchangesforsquertversion150) - - ## Description -SQueRT is a tool that is used to query event data - -## Requirements - -* Sguil 0.9.0 [http://sguil.net](http://sguil.net). If you use Security Onion [http://securityonion.blogspot.ca](http://securityonion.blogspot.ca) you can get everything setup rather quickly. 
- - -* PHP55 with CLI - * mysql -* TCL, TclX - * mysqltcl - * uri - * ftp - * ftp::geturl - * md5 -* MySQL client - -## Upgrade - -You will need to run these commands: - -`mysql> ALTER TABLE filters ADD type VARCHAR(16) FIRST;` - -`mysql> ALTER TABLE filters ADD INDEX type (type);` - -`mysql> UPDATE filters SET type = 'filter' WHERE type IS NULL;` - -## Install - -1) Extract the squert tarball to a web directory and rename it to "squert" - -2) Copy squert/.inc/config.php.sample to squert/.inc/config.php - -3) Edit squert/.inc/config.php to match your sguildb and sguild server settings - -4) IMPORTANT!! Edit your MySQL server settings to include the following directive: - -`group_concat_max_len = 100000` - -this should be placed in the "[mysqld]" section of my.cnf - -Also, - -The ip2c TCL scripts uses "LOAD DATA LOCAL INFILE" to dump the results into the database. -While most stock MySQL installs are compiled with this, they don't always allow it. - -Find the my.cnf that your client is using and add: - -`local-infile=1` - -to the client section. If you just have the client installed and you cant find this -file just create it in /etc and add: - -`[client]` -`local-infile=1` - -Lastly, - -You will need to add indexes to the sid and cid columns in Sguils history table: - -`mysql -N -B --user=root -p -e "CREATE INDEX sid ON history (sid);"` -`mysql -N -B --user=root -p -e "CREATE INDEX cid ON history (cid);"` - -Performance WILL suffer if you do not do this. 
- -5) Create additional tables: - -`cat squert/.scripts/squert.sql | mysql -uroot -p -U sguildb` - -6) Create a mysql user account for squert to access sguildb (what you set in step 3): - -`mysql -N -B --user=root -p -e "GRANT SELECT ON sguildb.* TO 'squert_user'@'localhost' IDENTIFIED BY 'apassword';"` - -7) Give this user privileges to the ip2c table: - -`mysql -N -B --user=root -p -e "GRANT ALL PRIVILEGES ON sguildb.ip2c TO 'squert_user'@'localhost';"` - -8) Give this user privileges to the mappings table: - -`mysql -N -B --user=root -p -e "GRANT ALL PRIVILEGES ON sguildb.mappings TO 'squert_user'@'localhost';"` - -9) Give this user privileges to the filters table: - -`mysql -N -B --user=root -p -e "GRANT INSERT,UPDATE,DELETE ON sguildb.filters TO 'squert_user'@'localhost';"` - -10) Give this user privileges to sguils user_info table: - -`mysql -N -B --user=root -p -e "GRANT UPDATE ON sguildb.user_info TO 'squert_user'@'localhost';"`; - -11) Now populate the ip2c table: - -`squert/.scripts/ip2c.tcl` - -12) Add an index to comment column in Sguils history table: - -`mysql -N -B --user=root -p -e "CREATE INDEX comment ON sguildb.history (comment(50));"` - -13) The readonly user needs DELETE access to sguils history table (to delete comments): - -`mysql -N -B --user=root -p -e "GRANT DELETE on sguildb.history to 'readonly'@'localhost';"` - -14) Create a scheduled task to keep the mappings tables up to date: - -`*/5 * * * * /usr/local/bin/php -e /usr/local/www/squert/.inc/ip2c.php 1 > /dev/null 2>&1` - -This entry updates the database every 5 minutes. Make sure you use the correct paths to php and ip2c.php. - -15) Create a scheduled task to keep the ip2c table up to date: - -`0 0 1 * * /.scripts/ip2c.tcl > /dev/null 2>&1` - -This entry updates the ip2c database on the first day of every month. +SQueRT is a tool that is used to query event data. -That's it. 
Point your browser to https://yourhost/squert +NOTE: Squert was originally developed by [Paul Halliday](http://www.pintumbler.org/words/youcantgobackonlyforward). +Thanks to Paul for all of his hard work over the years! +This is a fork of Paul's latest version that is maintained by the Security Onion team and includes modifications specific to Security Onion. From bd15e0d0b8dcb9c3e3c8b1cf18543f343f308f8f Mon Sep 17 00:00:00 2001 From: doug Date: Fri, 9 Dec 2016 16:57:18 -0500 Subject: [PATCH 02/34] update version and year --- .inc/vendor/elasticsearch/elasticsearch/run_travis_test.sh | 0 login.php | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) mode change 100755 => 100644 .inc/vendor/elasticsearch/elasticsearch/run_travis_test.sh diff --git a/.inc/vendor/elasticsearch/elasticsearch/run_travis_test.sh b/.inc/vendor/elasticsearch/elasticsearch/run_travis_test.sh old mode 100755 new mode 100644 diff --git a/login.php b/login.php index 2a39eda..68c1ef7 100644 --- a/login.php +++ b/login.php @@ -130,7 +130,7 @@ function cleanUp($string) {

-
Version 1.6.0©2015 Paul Halliday
+
Version 1.6.1©2016 Paul Halliday
From 78a950d5e1b405b6916ece68ec5d126c69ad33eb Mon Sep 17 00:00:00 2001 From: doug Date: Fri, 9 Dec 2016 17:14:24 -0500 Subject: [PATCH 03/34] pivot to capme for transcript --- .css/squert.css | 5 +++++ .js/squertMain.js | 38 +++++++++++++++++++++++++++++++------- 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/.css/squert.css b/.css/squert.css index 7f6f5b4..933d418 100644 --- a/.css/squert.css +++ b/.css/squert.css @@ -776,6 +776,11 @@ color:#4D5580; td.sub2_inactive { text-decoration:line-through; } +td.sub2_capme { +text-decoration:underline; +cursor:pointer; +color:#4D5580; +} td.sub_txt { width:900px; background: #f4f4f4; diff --git a/.js/squertMain.js b/.js/squertMain.js index cfa8f3d..52cc6f1 100644 --- a/.js/squertMain.js +++ b/.js/squertMain.js 
@@ -1309,11 +1309,23 @@ $(document).ready(function(){ } // Transcript link + // original Squert native pivot: + //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); + //txBit = "" + sid + "." + cid + ""; + //if (src_port != "-" && dst_port != "-") { + // txBit = "" + sid + "." + cid + ""; + //} + // new pivot to CapMe: txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); - - txBit = "" + sid + "." + cid + ""; + txBit = "" + sid + "." + cid + ""; if (src_port != "-" && dst_port != "-") { - txBit = "" + sid + "." + cid + ""; + var startDate = new Date(utctimestamp); + var start_tz_offset = (startDate.getTimezoneOffset()); + var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; + var endDate = new Date(utctimestamp); + var end_tz_offset = (endDate.getTimezoneOffset()); + var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; + txBit = " " + sid + "." + cid + ""; } row += "" + sid + "." + cid + ""; + //if (src_port != "-" && dst_port != "-") { + // txBit = "" + sid + "." + cid + ""; + //} + // new pivot to CapMe: txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); - - txBit = "" + sid + "." + cid + ""; + txBit = "" + sid + "." + cid + ""; if (src_port != "-" && dst_port != "-") { - txBit = "" + sid + "." + cid + ""; + var startDate = new Date(utctimestamp); + var start_tz_offset = (startDate.getTimezoneOffset()); + var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; + var endDate = new Date(utctimestamp); + var end_tz_offset = (endDate.getTimezoneOffset()); + var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; + txBit = " " + sid + "." + cid + ""; } - + row += ""; row += ""; 
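Review bot: The start/end window arithmetic mixes units: `startDate.getTime()/1000` is seconds, but `setTime()` takes milliseconds, so the Date object is left holding a meaningless instant and only the numeric return value (seconds minus the zone offset, then ∓ 3600) is used, and the same six lines appear twice in the hunk (the second copy seems to belong to a following hunk whose header was lost in this rendering). The zone correction is also fragile: how `new Date(utctimestamp)` interprets a string without an explicit offset depends on the string's format and the engine, so subtracting `getTimezoneOffset()*60` afterwards only works for the format `utctimestamp` actually carries — worth a comment stating that format. The markup around `txBit` is stripped here, so I cannot see whether `src_ip`, `dst_ip` and the ports are escaped before they are placed in the CapMe link; they come from event data, so they should be. Computing the epoch once in a small helper removes the duplication and the `setTime` misuse; the enclosing `$(document).ready` callback starts and ends outside the hunk.
```javascript
// Epoch seconds for an event timestamp, shifted by the browser's zone offset
// (same quantity the inline setTime() trick produced) plus a +/- window.
function pivotEpoch(ts, deltaSeconds) {
    var d = new Date(ts);
    return Math.floor(d.getTime() / 1000 - d.getTimezoneOffset() * 60) + deltaSeconds;
}
// … unchanged: txdata / txBit construction …
var stime = pivotEpoch(utctimestamp, -3600);
var etime = pivotEpoch(utctimestamp, 3600);
```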
From 8c5bb10da8ccaa050a1e5efd184a3d63764280d3 Mon Sep 17 00:00:00 2001
From: doug
Date: Fri, 9 Dec 2016 17:23:01 -0500
Subject: [PATCH 04/34] add securityonion scripts and sql
---
 .scripts/securityonion_create_elsa_link.sh | 17 +++
 .scripts/securityonion_update.sh | 53 +++++++++
 .scripts/securityonion_update.sql | 120 +++++++++++++++++++++
 3 files changed, 190 insertions(+)
 create mode 100644 .scripts/securityonion_create_elsa_link.sh
 create mode 100644 .scripts/securityonion_update.sh
 create mode 100644 .scripts/securityonion_update.sql
diff --git a/.scripts/securityonion_create_elsa_link.sh b/.scripts/securityonion_create_elsa_link.sh
new file mode 100644
index 0000000..eb31c8e
--- /dev/null
+++ b/.scripts/securityonion_create_elsa_link.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+MYSQL="mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e"
+
+if [ -d /var/lib/mysql/securityonion_db/ ]; then
+
+ # ELSA lookup
+ if grep "ELSA=YES" /etc/nsm/securityonion.conf >/dev/null 2>&1; then
+ if grep "pcap_url" /etc/elsa_web.conf >/dev/null 2>&1; then
+ #IP=`grep "pcap_url" /etc/elsa_web.conf | head -1 | cut -d\/ -f3`
+ URL="/elsa-query/?query_string=\"\${var}\"%20groupby:program"
+ HEXVAL=$(xxd -pu -c 256 <<< "$URL")
+ $MYSQL "REPLACE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('url','','1','454C5341','','ELSA','$HEXVAL');"
+ fi
+ fi
+
+fi
diff --git a/.scripts/securityonion_update.sh b/.scripts/securityonion_update.sh
new file mode 100644
index 0000000..6002055
--- /dev/null
+++ b/.scripts/securityonion_update.sh
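Review bot: `HEXVAL=$(xxd -pu -c 256 <<< "$URL")` hex-encodes a trailing newline as well as the URL, because a bash here-string appends one, so the `filter` value written by the REPLACE ends in `0a` (the URL filters added in patch 05 of this series show the same trailing `0a`). `HEXVAL=$(printf '%s' "$URL" | xxd -pu -c 256 | tr -d '\n')` stores only the URL bytes and also keeps the value on one line should a longer URL ever exceed the 256-byte wrap. Interpolating `$HEXVAL` into the SQL text is acceptable only because `xxd -p` can emit nothing but hex digits; a comment saying so, e.g. `# HEXVAL is pure hex from xxd, so it is safe to splice into the statement`, would keep a later edit from replacing it with an unencoded value.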
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+MYSQL="mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e"
+
+if [ -d /var/lib/mysql/securityonion_db/ ]; then
+
+ # Non-idempotent operations
+
+ # history table - comment index
+ $MYSQL "SHOW INDEX FROM history WHERE KEY_NAME = 'comment'" | grep comment >/dev/null 2>&1 ||
+ $MYSQL "CREATE INDEX comment ON history (comment(50));"
+
+ # history table - sid index
+ $MYSQL "SHOW INDEX FROM history WHERE KEY_NAME = 'sid'" | grep sid >/dev/null 2>&1 ||
+ $MYSQL "CREATE INDEX sid ON history (sid);"
+
+ # history table - cid index
+ $MYSQL "SHOW INDEX FROM history WHERE KEY_NAME = 'cid'" | grep cid >/dev/null 2>&1 ||
+ $MYSQL "CREATE INDEX cid ON history (cid);"
+
+ # user_info table - email
+ $MYSQL "DESCRIBE user_info" | grep email >/dev/null 2>&1 ||
+ $MYSQL "ALTER TABLE user_info ADD email VARCHAR(320) NOT NULL DEFAULT 'none';"
+
+ # user_info table - type
+ $MYSQL "DESCRIBE user_info" | grep type >/dev/null 2>&1 ||
+ $MYSQL "ALTER TABLE user_info ADD type ENUM('ADMIN','USER') NOT NULL DEFAULT 'USER';"
+
+ # user_info table - timeout
+ $MYSQL "DESCRIBE user_info" | grep timeout >/dev/null 2>&1 ||
+ $MYSQL "ALTER TABLE user_info ADD timeout SMALLINT UNSIGNED NOT NULL DEFAULT '5000';"
+
+ # user_info table - tzoffset
+ $MYSQL "DESCRIBE user_info" | grep tzoffset >/dev/null 2>&1 ||
+ $MYSQL "ALTER TABLE user_info ADD tzoffset varchar(6) NOT NULL DEFAULT '+00:00';"
+
+ # filters table - type
+ if $MYSQL "DESCRIBE filters" | grep type >/dev/null 2>&1 ; then
+ echo "filters table already has type field."
+ else
+ echo "Adding type field to filters table."
+ $MYSQL "ALTER TABLE filters ADD type VARCHAR(16) FIRST;"
+ $MYSQL "ALTER TABLE filters ADD INDEX type (type);"
+ $MYSQL "UPDATE filters SET type = 'filter' WHERE type IS NULL;;"
+ fi
+
+ # Idempotent operations
+ cat /var/www/so/squert/.scripts/securityonion_update.sql | mysql --defaults-file=/etc/mysql/debian.cnf -U securityonion_db > /var/log/nsm/squert_update.log
+
+ # ELSA lookup
+ bash /var/www/so/squert/.scripts/securityonion_create_elsa_link.sh
+
+fi
diff --git a/.scripts/securityonion_update.sql b/.scripts/securityonion_update.sql
new file mode 100644
index 0000000..0bacf2a
--- /dev/null
+++ b/.scripts/securityonion_update.sql
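Review bot: The redirect on the line that applies securityonion_update.sql captures stdout only, so any statement that fails (including a GRANT to a missing account) goes to stderr and never reaches `/var/log/nsm/squert_update.log`; use `> /var/log/nsm/squert_update.log 2>&1`. On that same line `-U` is the mysql client's `--safe-updates` switch, not database selection — the database is picked only because `securityonion_db` is then taken as the positional db_name argument — so `mysql --defaults-file=/etc/mysql/debian.cnf -D securityonion_db < /var/www/so/squert/.scripts/securityonion_update.sql` states the intent and drops the `cat`. `UPDATE filters SET type = 'filter' WHERE type IS NULL;;` has a stray second semicolon. The non-idempotent block also runs before the SQL file that creates `filters`, so on a fresh database the `DESCRIBE filters` check fails, the ALTER statements error (silently, given the missing `2>&1`), and the table is only created afterwards with `type` already present; running the SQL file first would make that branch a no-op there. The `DESCRIBE … | grep type`/`grep email` tests match the substring anywhere on the line (a default value included), so `grep -w` is the safer form.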
@@ -0,0 +1,120 @@ +CREATE TABLE IF NOT EXISTS ip2c +( + registry VARCHAR(7), + cc VARCHAR(2), + c_long VARCHAR(255), + type VARCHAR(4), + start_ip INT UNSIGNED NOT NULL DEFAULT 0, + end_ip INT UNSIGNED NOT NULL DEFAULT 0, + date DATETIME, + status VARCHAR(25), + INDEX registry (registry), + INDEX cc (cc), + INDEX c_long (c_long), + INDEX type (type), + INDEX start_ip (start_ip), + INDEX end_ip (end_ip) +); + +INSERT IGNORE INTO ip2c (registry,cc,c_long,type,start_ip,end_ip,date,status) +VALUES ('RFC1918','LO','RFC1918','ipv4','167772160','184549375','1996-02-01','allocated'); + +INSERT IGNORE INTO ip2c (registry,cc,c_long,type,start_ip,end_ip,date,status) +VALUES ('RFC1918','LO','RFC1918','ipv4','2886729728','2886795263','1996-02-01','allocated'); + +INSERT IGNORE INTO ip2c (registry,cc,c_long,type,start_ip,end_ip,date,status) +VALUES ('RFC1918','LO','RFC1918','ipv4','3232235520','3232301055','1996-02-01','allocated'); + +CREATE TABLE IF NOT EXISTS mappings +( + registry VARCHAR(7), + cc VARCHAR(2), + c_long VARCHAR(255), + type VARCHAR(4), + ip INT UNSIGNED NOT NULL DEFAULT 0, + date DATETIME, + status VARCHAR(25), + age TIMESTAMP, + PRIMARY KEY (ip), + INDEX registry (registry), + INDEX cc (cc), + INDEX c_long (c_long), + INDEX age (age) +); + +CREATE TABLE IF NOT EXISTS stats +( + timestamp DATETIME, + type TINYINT, + object INT UNSIGNED NOT NULL DEFAULT 0, + count INT UNSIGNED NOT NULL DEFAULT 0, + INDEX type (type), + INDEX object (object) +); + +CREATE TABLE IF NOT EXISTS stat_types +( + type TINYINT, + description VARCHAR(255) +); + +INSERT IGNORE INTO stat_types (type,description) VALUES ('1','Event Severity'); +INSERT IGNORE INTO stat_types (type,description) VALUES ('2','Sensor ID'); +INSERT IGNORE INTO stat_types (type,description) VALUES ('3','Source IP'); +INSERT IGNORE INTO stat_types (type,description) VALUES ('4','Destination IP'); +INSERT IGNORE INTO stat_types (type,description) VALUES ('5','Signature ID'); + +CREATE TABLE IF NOT EXISTS 
object_mappings +( + type VARCHAR(4), + object VARCHAR(255), + value VARCHAR(255), + INDEX type (type), + INDEX object (object), + PRIMARY KEY (type,object) +); + +CREATE TABLE IF NOT EXISTS filters +( + type VARCHAR(16), + name VARCHAR(255), + alias VARCHAR(12), + username VARCHAR(16), + filter BLOB, + notes VARCHAR(255) NOT NULL DEFAULT 'None.', + global TINYINT(1) NOT NULL DEFAULT 0, + age TIMESTAMP, + INDEX type (type), + PRIMARY KEY (username,alias) +); + +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('filter','','1','5368656C6C202D20436F756E74727920436F6465','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','cc','286D7372632E6363203D20272427204F52206D6473742E6363203D2027242729'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('filter','','1','5368656C6C202D2044657374696E6174696F6E204950','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','dip','286473745F6970203D20494E45545F41544F4E282724272929'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('filter','','1','5368656C6C202D2044657374696E6174696F6E20506F7274','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','dpt','286473745F706F7274203D2027242729'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('filter','','1','5368656C6C202D204950','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','ip','287372635F6970203D20494E45545F41544F4E2827242729204F52206473745F6970203D20494E45545F41544F4E282724272929'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('filter','','1','5368656C6C202D205369676E6174757265204944','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','sid','287369676E61747572655F6964203D2027242729'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES 
('filter','','1','5368656C6C202D205369676E6174757265','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','sig','287369676E6174757265204C494B45202725242527204F52207369676E6174757265204C494B4520272524252729'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('filter','','1','5368656C6C202D20536F75726365204950','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','sip','287372635F6970203D20494E45545F41544F4E282724272929'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('filter','','1','5368656C6C202D20536F7572636520506F7274','546869732069732061206275696c742d696e20726561642d6f6e6c792066696c7465722e','spt','287372635F706F7274203D2027242729'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('filter','','1','5368656C6C202D20536F7572636520436F756E74727920436F6465','546869732069732061206275696C742D696E20726561642D6F6E6C792066696C7465722E','scc','286D7372632E6363203D2027242729'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('filter','','1','5368656C6C202D2044657374696E6174696F6E20436F756E74727920436F6465','546869732069732061206275696C742D696E20726561642D6F6E6C792066696C7465722E','dcc','286D6473742E6363203D2027242729'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('filter','','1','5368656C6C202D204576656E7420537461747573','546869732069732061206275696C742D696E20726561642D6F6E6C792066696C7465722E','st','286576656e742e737461747573203d2027242729'); + +GRANT INSERT,UPDATE,DELETE ON filters TO 'readonly'@'localhost'; + +GRANT DELETE on history to 'readonly'@'localhost'; + +GRANT UPDATE on user_info TO 'readonly'@'localhost'; + +GRANT INSERT,UPDATE ON object_mappings TO 'readonly'@'localhost'; From f1ada8695d8bbad42d9db62ef610ba2d2247efdc Mon Sep 17 00:00:00 2001 
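Review bot: The four GRANT statements at the end give `'readonly'@'localhost'` INSERT/UPDATE/DELETE on filters, DELETE on history, UPDATE on user_info and INSERT/UPDATE on object_mappings, so the account name no longer describes its privileges; a comment above them such as `-- 'readonly' is the Squert web-app account; these writes are needed for filter management, comment deletion and user preferences` would stop the next reader from assuming it is read-only. The filters rows are hex-encoded SQL fragments with a `$` placeholder (the `cc` row decodes to `(msrc.cc = '$' OR mdst.cc = '$')`) and the grant above lets the web account rewrite them, so the code that substitutes `$` — outside this patch — must escape the value; recording that contract in a comment next to the inserts would help. GRANT to an account that does not exist fails on MySQL versions where NO_AUTO_CREATE_USER is in effect, so confirm the readonly user is created earlier in the install path or add an explicit `CREATE USER IF NOT EXISTS` where the server version allows it.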
From: doug Date: Mon, 12 Dec 2016 14:27:27 -0500 Subject: [PATCH 05/34] add URL lookups to securityonion_update.sql --- .scripts/securityonion_update.sql | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.scripts/securityonion_update.sql b/.scripts/securityonion_update.sql index 0bacf2a..b46e789 100644 --- a/.scripts/securityonion_update.sql +++ b/.scripts/securityonion_update.sql 
@@ -110,6 +110,25 @@ INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('filter','','1','5368656C6C202D2044657374696E6174696F6E20436F756E74727920436F6465','546869732069732061206275696C742D696E20726561642D6F6E6C792066696C7465722E','dcc','286D6473742E6363203D2027242729'); INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('filter','','1','5368656C6C202D204576656E7420537461747573','546869732069732061206275696C742D696E20726561642D6F6E6C792066696C7465722E','st','286576656e742e737461747573203d2027242729'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('url','','1','5669727573546f74616c','','VirusTotal','68747470733a2f2f7777772e7669727573746f74616c2e636f6d2f656e2f69702d616464726573732f247b7661727d2f696e666f726d6174696f6e2f0a'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('url','','1','446f6d61696e546f6f6c73','','DomainTools','687474703a2f2f77686f69732e646f6d61696e746f6f6c732e636f6d2f247b7661727d0a'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('url','','1','43656e7472616c4f7073','','CentralOps','687474703a2f2f63656e7472616c6f70732e6e65742f636f2f446f6d61696e446f73736965722e617370783f616464723d247b7661727d0a'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('url','','1','476f6f676c65','','Google','68747470733a2f2f7777772e676f6f676c652e636f6d2f7365617263683f713d247b7661727d0a'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('url','','1','42696e67','','Bing','68747470733a2f2f7777772e62696e672e636f6d2f7365617263683f713d6970253341247b7661727d0a'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('url','','1','416c657861','','Alexa','687474703a2f2f7777772e616c6578612e636f6d2f73697465696e666f2f247b7661727d0a'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES 
('url','','1','5361666542726f7773696e67','','SafeBrowsing','68747470733a2f2f7777772e676f6f676c652e636f6d2f7361666562726f7773696e672f646961676e6f737469633f736974653d247b7661727d0a'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('url','','1','5a657573547261636b6572','','ZeusTracker','68747470733a2f2f7a657573747261636b65722e61627573652e63682f6d6f6e69746f722e7068703f7365617263683d247b7661727d0a'); +INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) +VALUES ('url','','1','4d616c77617265446f6d61696e4c697374','','MDL','687474703a2f2f7777772e6d616c77617265646f6d61696e6c6973742e636f6d2f6d646c2e7068703f7365617263683d247b7661727d0a'); + GRANT INSERT,UPDATE,DELETE ON filters TO 'readonly'@'localhost'; From 24d9eeffe3882f4bfbe06984abe399619e14aa72 Mon Sep 17 00:00:00 2001 From: doug Date: Mon, 12 Dec 2016 15:19:12 -0500 Subject: [PATCH 06/34] fix OSSEC alerts --- .js/squertMain.js | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.js/squertMain.js b/.js/squertMain.js index 52cc6f1..913fc54 100644 --- a/.js/squertMain.js +++ b/.js/squertMain.js @@ -1822,9 +1822,7 @@ $(document).ready(function(){ var tmp = h2s(theData[2].data_payload).split("\n"); p_ascii = ''; for (var i in tmp) { - var parts = tmp[i].split(":\t"); - p_ascii += "
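Review bot: Every `filter` value added here ends in `0a`, i.e. each hex-encoded URL carries a trailing line feed (the VirusTotal row decodes to `https://www.virustotal.com/en/ip-address/${var}/information/` followed by a newline), which is exactly what `xxd <<<` in securityonion_create_elsa_link.sh produces; whether the consumer trims it before building the link is not visible here, so either drop the final `0a` from each literal or add a comment stating that the newline is stripped on use. Four of the pivots (DomainTools, CentralOps, Alexa, MDL) are plain `http://` URLs, so the looked-up indicator leaves the analyst's browser in clear text; a comment above the block noting which sites lack TLS would make that an informed choice.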
" + parts[0] + "
"; - p_ascii += "
" + parts[1] + "
"; + p_ascii += "
" + tmp[i] + "
"; } } From e38d428685dc84e5c0c0cd0658da576991c66e9d Mon Sep 17 00:00:00 2001 From: doug Date: Mon, 12 Dec 2016 17:47:45 -0500 Subject: [PATCH 07/34] fix several issues --- .gitignore | 2 + .inc/ip2c.php | 6 ++ .scripts/clicat.tcl | 2 +- .scripts/securityonion-squert.cnf | 5 ++ debian/changelog | 29 +++++++++ debian/compat | 1 + debian/control | 15 +++++ debian/copyright | 36 +++++++++++ debian/docs | 1 + debian/install | 8 +++ debian/patches/add-config.php | 70 +++++++++++++++++++++ debian/patches/add-securityonion-squert.cnf | 33 ++++++++++ debian/patches/disable-ip2c.php | 41 ++++++++++++ debian/patches/fix-ip2c.php | 52 +++++++++++++++ debian/patches/series | 5 ++ debian/patches/update-path-in-clicat.tcl | 33 ++++++++++ debian/postinst | 51 +++++++++++++++ debian/postrm | 48 ++++++++++++++ debian/rules | 8 +++ debian/source/format | 1 + 20 files changed, 446 insertions(+), 1 deletion(-) create mode 100644 .scripts/securityonion-squert.cnf create mode 100644 debian/changelog create mode 100644 debian/compat create mode 100644 debian/control create mode 100644 debian/copyright create mode 100644 debian/docs create mode 100644 debian/install create mode 100644 debian/patches/add-config.php create mode 100644 debian/patches/add-securityonion-squert.cnf create mode 100644 debian/patches/disable-ip2c.php create mode 100644 debian/patches/fix-ip2c.php create mode 100644 debian/patches/series create mode 100644 debian/patches/update-path-in-clicat.tcl create mode 100644 debian/postinst create mode 100644 debian/postrm create mode 100755 debian/rules create mode 100644 debian/source/format diff --git a/.gitignore b/.gitignore index b9f3c68..24dcae6 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,6 @@ +.bzr .htaccess +.pc .scripts/*.md5 .inc/config.php .scripts/cliscript.tcl diff --git a/.inc/ip2c.php b/.inc/ip2c.php index 7613e72..fde93ef 100755 --- a/.inc/ip2c.php +++ b/.inc/ip2c.php 
@@ -125,6 +125,11 @@ function lookup($list) { } +/* + +Commenting out the following function per +https://github.com/int13h/squert/issues/76 + function TheHTML($string) { echo "\r @@ -142,6 +147,7 @@ function TheHTML($string) { \r \r"; } +*/ if (isset($argc)) { diff --git a/.scripts/clicat.tcl b/.scripts/clicat.tcl index 3a15f34..3abc1b6 100755 --- a/.scripts/clicat.tcl +++ b/.scripts/clicat.tcl @@ -1,4 +1,4 @@ -#!/usr/local/bin/tclsh +#!/usr/bin/tclsh # clicat.tcl - Based on "quickscript.tcl" # Portions Copyright (C) 2013 Paul Halliday diff --git a/.scripts/securityonion-squert.cnf b/.scripts/securityonion-squert.cnf new file mode 100644 index 0000000..fe81ad9 --- /dev/null +++ b/.scripts/securityonion-squert.cnf @@ -0,0 +1,5 @@ +[mysqld] +group_concat_max_len = 100000 + +[mysqltcl] +local-infile=1 diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..231355b --- /dev/null +++ b/debian/changelog @@ -0,0 +1,29 @@ +securityonion-squert (20161212-1ubuntu1securityonion5) trusty; urgency=medium + + * fix ip2c.php + + -- Doug Burks Mon, 12 Dec 2016 17:31:29 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion4) trusty; urgency=medium + + * disable ip2c.php + + -- Doug Burks Mon, 12 Dec 2016 16:45:49 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion3) trusty; urgency=medium + + * update path in clicat.tcl + + -- Doug Burks Mon, 12 Dec 2016 16:35:50 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion2) trusty; urgency=medium + + * add config.php + + -- Doug Burks Mon, 12 Dec 2016 16:16:31 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion1) trusty; urgency=low + + * Initial release + + -- Doug Burks Mon, 12 Dec 2016 15:49:09 -0500 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +9 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..a59ed3f --- /dev/null +++ b/debian/control 
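Review bot: Wrapping `TheHTML()` in `/* … */` leaves its caller live — `TheHTML($string);` inside the `if (isset($argc))` block further down the file is visible as context at `@@ -171,5 +176,4 @@` in debian/patches/fix-ip2c.php later in this same patch — so reaching that branch now dies with an undefined-function fatal instead of printing the disabled HTML; comment the call out as well or guard it with `if (function_exists('TheHTML')) { TheHTML($string); }`. A `/* */` wrap also only works while the function body contains no `*/` sequence, which is hard to guarantee for a function that echoes HTML; deleting the function and keeping the issue link in a one-line comment (`// TheHTML() removed, see https://github.com/int13h/squert/issues/76`) is the safer shape. Whether the cron invocation actually reaches that branch is not visible in the hunk, and the `if (isset($argc))` block starts outside it.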
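Review bot: The `[mysqltcl]` group in securityonion-squert.cnf is only honoured if the mysqltcl library asks the MySQL C API to read an option group of that name; the README removed in patch 01 of this series put `local-infile=1` under `[client]`, so confirm mysqltcl reads `[mysqltcl]` before relying on it. If it does, the program-specific group is the better choice: `LOAD DATA LOCAL` lets the server request client-side files, so enabling it only for the one program that needs it is tighter than enabling it for every `[client]` consumer. A header comment, e.g. `# local-infile is required by .scripts/ip2c.tcl (LOAD DATA LOCAL INFILE); group_concat_max_len by the Squert queries`, would record why the file exists.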
@@ -0,0 +1,15 @@ +Source: securityonion-squert +Section: net +Priority: extra +Maintainer: Doug Burks +Build-Depends: debhelper (>= 8.0.0) +Standards-Version: 3.9.3 +Homepage: http://www.squertproject.org/ +#Vcs-Git: git://git.debian.org/collab-maint/securityonion-squert.git +#Vcs-Browser: http://git.debian.org/?p=collab-maint/securityonion-squert.git;a=summary + +Package: securityonion-squert +Architecture: all +Depends: ${misc:Depends}, apache2, patch, php5, libapache2-mod-php5, php5-mysql, php5-cli, php5-gd, mysqltcl, mysql-server, mysql-client, graphviz, libtext-csv-perl, tclcurl +Description: squert + Squert is a web interface for the Sguil database. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..da1f14d --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,36 @@ +Format: http://dep.debian.net/deps/dep5 +Upstream-Name: securityonion-squert +Source: + +Files: * +Copyright: + +License: + + + . + + +# If you want to use GPL v2 or later for the /debian/* files use +# the following clauses, or change it to suit. Delete these two lines +Files: debian/* +Copyright: 2014 Doug Burks +License: GPL-2+ + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see + . + On Debian systems, the complete text of the GNU General + Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". + +# Please also look if there are files or directories which have a +# different copyright/license attached and list them here. diff --git a/debian/docs b/debian/docs new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/debian/docs @@ -0,0 +1 @@ +README.md diff --git a/debian/install b/debian/install new file mode 100644 index 0000000..a9dbea1 --- /dev/null +++ b/debian/install @@ -0,0 +1,8 @@ +.css var/www/so/squert/ +.flags var/www/so/squert/ +.inc var/www/so/squert/ +index.php var/www/so/squert/ +.js var/www/so/squert/ +login.php var/www/so/squert/ +.scripts var/www/so/squert/ +.scripts/securityonion-squert.cnf etc/mysql/conf.d/ diff --git a/debian/patches/add-config.php b/debian/patches/add-config.php new file mode 100644 index 0000000..9b363b1 --- /dev/null +++ b/debian/patches/add-config.php 
@@ -0,0 +1,70 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion2) trusty; urgency=medium + . + * add config.php +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- /dev/null ++++ securityonion-squert-20161212/.inc/config.php +@@ -0,0 +1,42 @@ ++ 'system', ++// \Guzzle\Http\Client::CURL_OPTIONS => [ ++// CURLOPT_SSL_VERIFYPEER => true, ++// CURLOPT_CAINFO => '/etc/ssl/elasticsearch/es.pem', ++// CURLOPT_SSLCERTTYPE => 'PEM', ++// ] ++//); ++ ++//$clientparams['connectionParams']['auth'] = array( ++// 'username', // Username ++// 'password', // Password ++// 'Basic' // Auth: Basic, Digest, NTLM, Any ++//); ++ ++// Where are the rules? If you have multiple dirs, separate each with: || ++$rulePath = "/etc/nsm/rules"; ++?> diff --git a/debian/patches/add-securityonion-squert.cnf b/debian/patches/add-securityonion-squert.cnf new file mode 100644 index 0000000..569cc07 --- /dev/null +++ b/debian/patches/add-securityonion-squert.cnf 
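Review bot: The DEP-3 header is still the dpkg template — `Description:` is empty and the paragraph beneath it is the `TODO: Put a short summary on the line above…` boilerplate, followed by the `Origin:`/`Bug:`/`Forwarded:` placeholder fields and the explanatory text about the Patch Tagging Guidelines — and the same untouched template heads add-securityonion-squert.cnf, disable-ip2c.php and fix-ip2c.php below. Fill in one line such as `Description: Add the Security Onion .inc/config.php (rule path /etc/nsm/rules)` plus `Last-Update: 2016-12-12`, and delete the unused template fields and the guideline text rather than shipping them. The embedded config.php is largely stripped in this rendering; from what survives, the TLS-verification and HTTP-auth blocks are commented out, so the description should say how the packaged default connects to Elasticsearch so that an operator knows what to review.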
@@ -0,0 +1,33 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion1) trusty; urgency=low + . + * Initial release +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- /dev/null ++++ securityonion-squert-20161212/.scripts/securityonion-squert.cnf +@@ -0,0 +1,5 @@ ++[mysqld] ++group_concat_max_len = 100000 ++ ++[mysqltcl] ++local-infile=1 diff --git a/debian/patches/disable-ip2c.php b/debian/patches/disable-ip2c.php new file mode 100644 index 0000000..770e7c5 --- /dev/null +++ b/debian/patches/disable-ip2c.php 
@@ -0,0 +1,41 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion4) trusty; urgency=medium + . + * disable ip2c.php +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/ip2c.php ++++ securityonion-squert-20161212/.inc/ip2c.php +@@ -125,6 +125,7 @@ function IP2C($string,$isCLI) { + + } + ++/* + function TheHTML($string) { + + echo "\r +@@ -170,4 +171,5 @@ if (isset($argc)) { + TheHTML($string); + echo $html; + } ++*/ + ?> diff --git a/debian/patches/fix-ip2c.php b/debian/patches/fix-ip2c.php new file mode 100644 index 0000000..bce9dd8 --- /dev/null +++ b/debian/patches/fix-ip2c.php 
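Review bot: Commenting out `TheHTML()` and the `isset($argc)` block with `/* … */` leaves dead code in ip2c.php, and the following patch fix-ip2c.php exists only to move the closing `*/` that this one placed after the CLI block; the two should be refreshed into a single patch that deletes the function instead of fencing it, with the issue reference (`https://github.com/int13h/squert/issues/76`) in the DEP3 `Bug:` field rather than inside the code. If the function must stay, note that `/* */` cannot nest, so confirm nothing in `TheHTML()`'s echoed markup contains `*/` — its body is outside the hunk.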
@@ -0,0 +1,52 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion5) trusty; urgency=medium + . + * fix ip2c.php +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/ip2c.php ++++ securityonion-squert-20161212/.inc/ip2c.php +@@ -126,6 +126,10 @@ function IP2C($string,$isCLI) { + } + + /* ++ ++Commenting out the following function per ++https://github.com/int13h/squert/issues/76 ++ + function TheHTML($string) { + + echo "\r +@@ -143,6 +147,7 @@ function TheHTML($string) { + \r + \r"; + } ++*/ + + if (isset($argc)) { + +@@ -171,5 +176,4 @@ if (isset($argc)) { + TheHTML($string); + echo $html; + } +-*/ + ?> diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..94d491d --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,5 @@ +add-securityonion-squert.cnf +add-config.php +update-path-in-clicat.tcl +disable-ip2c.php +fix-ip2c.php diff --git a/debian/patches/update-path-in-clicat.tcl b/debian/patches/update-path-in-clicat.tcl new file mode 100644 index 0000000..ff59f41 --- /dev/null +++ b/debian/patches/update-path-in-clicat.tcl 
@@ -0,0 +1,33 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion3) trusty; urgency=medium + . + * update path in clicat.tcl +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.scripts/clicat.tcl ++++ securityonion-squert-20161212/.scripts/clicat.tcl +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/tclsh ++#!/usr/bin/tclsh + + # clicat.tcl - Based on "quickscript.tcl" + # Portions Copyright (C) 2013 Paul Halliday diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 0000000..e8e906e --- /dev/null +++ b/debian/postinst 
@@ -0,0 +1,51 @@ +#!/bin/sh + +set -e + +case "$1" in + configure) + + a2enmod ssl || echo "Error enabling Apache ssl module." + a2dismod autoindex || echo "Error disabling Apache autoindex module." + a2dissite 000-default || echo "Error disabling Apache HTTP listener." + a2ensite securityonion || echo "Error enabling Apache securityonion site." + + FILE="/etc/apache2/ports.conf" + if [ ! -f $FILE ]; then + echo "$FILE not found." + else + if grep "Listen 80" $FILE>/dev/null; then + sed -i 's|^Listen 80$||g' $FILE || echo "Error updating $FILE." + fi + fi + + apache2ctl restart || echo "Error restarting Apache." + + if ! grep "/var/www/so/squert/.scripts/Ip2c/results.txt" /etc/apparmor.d/local/usr.sbin.mysqld >/dev/null; then + echo "/var/www/so/squert/.scripts/Ip2c/results.txt r," >> /etc/apparmor.d/local/usr.sbin.mysqld + service apparmor reload || echo "Error reloading apparmor." + fi + + [ -f /etc/mysql/conf.d/securityonion-squert.conf ] && rm -f /etc/mysql/conf.d/securityonion-squert.conf + + echo "Please wait while updating database..." + bash /var/www/so/squert/.scripts/securityonion_update.sh || echo "Error running SQL update. See /var/log/nsm/squert_update.log." + + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + ;; + + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + + + +exit 0 diff --git a/debian/postrm b/debian/postrm new file mode 100644 index 0000000..c89e098 --- /dev/null +++ b/debian/postrm 
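Review bot: The `#DEBHELPER#` token is missing: the comment `# dh_installdeb will replace this with shell code automatically` is kept but the marker itself is not, so debhelper-generated snippets are never injected here (the postrm in this same commit does carry `#DEBHELPER#`). Add `#DEBHELPER#` on its own line before `exit 0`. The `|| echo "Error …"` on every `a2enmod`/`a2ensite`/`apache2ctl restart` call also defeats `set -e`: a failed Apache reconfiguration prints to stdout and the package is still marked configured; at minimum send those messages to stderr (`>&2`), and consider letting the restart failure propagate.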
@@ -0,0 +1,48 @@ +#!/bin/sh + +set -e + +case "$1" in + purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + +# cat << EOF >> /tmp/patch +#--- /etc/apache2/ports.conf 2012-07-18 16:50:49.292909610 -0400 +#+++ ports.conf 2012-07-26 16:12:21.936798311 -0400 +#@@ -5,9 +5,6 @@ +# # Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and +# # README.Debian.gz +# +#-NameVirtualHost *:80 +#-Listen 80 +#- +# +# # If you add NameVirtualHost *:443 here, you will also have to change +# # the VirtualHost statement in /etc/apache2/sites-available/default-ssl +#EOF +# FILE="/etc/apache2/ports.conf" +# if [ -f $FILE ]; then +# if grep "Listen 80" $FILE>/dev/null; then +# echo "$FILE already contains Listen 80" +# else +# patch -R $FILE < /tmp/patch +# fi +# else +# echo "$FILE not found." +# fi +# +# rm -f /tmp/patch + + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..79fd842 --- /dev/null +++ b/debian/rules @@ -0,0 +1,8 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +%: + dh $@ diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) From ced733e0ff91fc3e521edd71ac3fc9fbd53c62b5 Mon Sep 17 00:00:00 2001 From: doug Date: Wed, 14 Dec 2016 09:42:30 -0500 Subject: [PATCH 08/34] add hash to object_mappings table --- .scripts/securityonion_update.sh | 9 +++ .scripts/securityonion_update.sql | 3 +- debian/changelog | 6 ++ .../patches/add-hash-to-object_mappings-table | 57 +++++++++++++++++++ debian/patches/series | 1 + 5 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 debian/patches/add-hash-to-object_mappings-table 
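Review bot: Nothing in the `purge|remove|…` case reverts what postinst changed — its only content is the commented-out `ports.conf` reverse-patch heredoc, which is dead code and should be dropped rather than shipped commented out. On purge the `Listen 80` removal, the `a2dissite 000-default` and the line appended to `/etc/apparmor.d/local/usr.sbin.mysqld` all persist on the host; either restore them under `purge)` or add a comment stating why they are intentionally left in place.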
diff --git a/.scripts/securityonion_update.sh b/.scripts/securityonion_update.sh index 6002055..d802b51 100644 --- a/.scripts/securityonion_update.sh +++ b/.scripts/securityonion_update.sh @@ -44,6 +44,15 @@ if [ -d /var/lib/mysql/securityonion_db/ ]; then $MYSQL "UPDATE filters SET type = 'filter' WHERE type IS NULL;;" fi + # object_mappings table - hash + if $MYSQL "DESCRIBE object_mappings" | grep hash >/dev/null 2>&1 ; then + echo "object_mappings table already has hash field." + else + echo "Adding hash field to object_mappings table." + $MYSQL "ALTER TABLE object_mappings ADD hash CHAR(32);" + $MYSQL "ALTER TABLE object_mappings DROP PRIMARY KEY , ADD PRIMARY KEY (hash);" + fi + # Idempotent operations cat /var/www/so/squert/.scripts/securityonion_update.sql | mysql --defaults-file=/etc/mysql/debian.cnf -U securityonion_db > /var/log/nsm/squert_update.log diff --git a/.scripts/securityonion_update.sql b/.scripts/securityonion_update.sql index b46e789..e5bc7a7 100644 --- a/.scripts/securityonion_update.sql +++ b/.scripts/securityonion_update.sql @@ -69,9 +69,10 @@ CREATE TABLE IF NOT EXISTS object_mappings type VARCHAR(4), object VARCHAR(255), value VARCHAR(255), + hash CHAR(32), INDEX type (type), INDEX object (object), - PRIMARY KEY (type,object) + PRIMARY KEY (hash) ); CREATE TABLE IF NOT EXISTS filters diff --git a/debian/changelog b/debian/changelog index 231355b..ef3ba2a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion6) trusty; urgency=medium + + * add hash to object_mappings table + + -- Doug Burks Wed, 14 Dec 2016 09:41:28 -0500 + securityonion-squert (20161212-1ubuntu1securityonion5) trusty; urgency=medium * fix ip2c.php diff --git a/debian/patches/add-hash-to-object_mappings-table b/debian/patches/add-hash-to-object_mappings-table new file mode 100644 index 0000000..04fddc1 --- /dev/null +++ b/debian/patches/add-hash-to-object_mappings-table 
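Review bot: `grep hash` on the `DESCRIBE object_mappings` output is an unanchored substring match over the whole row, so any column whose name or type merely contains `hash` satisfies the guard; `grep -q '^hash[[:space:]]'` (the column name is the first field) matches only the column. The guard also keys on the column existing, not on the primary key having been swapped, so if `ALTER TABLE object_mappings DROP PRIMARY KEY , ADD PRIMARY KEY (hash);` fails after `ADD hash` succeeded — likely while existing rows still have `hash` NULL — the next run prints `already has hash field` and the old `(type,object)` key stays forever; check the key separately (`SHOW KEYS FROM object_mappings WHERE Key_name = 'PRIMARY'`). The same lines appear in debian/patches/add-hash-to-object_mappings-table.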
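Review bot: `hash CHAR(32)` is declared nullable yet becomes `PRIMARY KEY (hash)`; MySQL will silently make it NOT NULL, so write `hash CHAR(32) NOT NULL,` to say so. Dropping `PRIMARY KEY (type,object)` also drops the uniqueness of a (type, object) pair — two rows with the same type and object but different values now hash differently and both persist; if one value per object is still the intended contract, add `UNIQUE KEY (type, object)`.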
@@ -0,0 +1,57 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion6) trusty; urgency=medium + . + * add hash to object_mappings table +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.scripts/securityonion_update.sh ++++ securityonion-squert-20161212/.scripts/securityonion_update.sh +@@ -44,6 +44,15 @@ if [ -d /var/lib/mysql/securityonion_db/ + $MYSQL "UPDATE filters SET type = 'filter' WHERE type IS NULL;;" + fi + ++ # object_mappings table - hash ++ if $MYSQL "DESCRIBE object_mappings" | grep hash >/dev/null 2>&1 ; then ++ echo "object_mappings table already has hash field." ++ else ++ echo "Adding hash field to object_mappings table." 
++ $MYSQL "ALTER TABLE object_mappings ADD hash CHAR(32);" ++ $MYSQL "ALTER TABLE object_mappings DROP PRIMARY KEY , ADD PRIMARY KEY (hash);" ++ fi ++ + # Idempotent operations + cat /var/www/so/squert/.scripts/securityonion_update.sql | mysql --defaults-file=/etc/mysql/debian.cnf -U securityonion_db > /var/log/nsm/squert_update.log + +--- securityonion-squert-20161212.orig/.scripts/securityonion_update.sql ++++ securityonion-squert-20161212/.scripts/securityonion_update.sql +@@ -69,9 +69,10 @@ CREATE TABLE IF NOT EXISTS object_mappin + type VARCHAR(4), + object VARCHAR(255), + value VARCHAR(255), ++ hash CHAR(32), + INDEX type (type), + INDEX object (object), +- PRIMARY KEY (type,object) ++ PRIMARY KEY (hash) + ); + + CREATE TABLE IF NOT EXISTS filters diff --git a/debian/patches/series b/debian/patches/series index 94d491d..68a382d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ add-config.php update-path-in-clicat.tcl disable-ip2c.php fix-ip2c.php +add-hash-to-object_mappings-table From 0fc6905d645a4bf322aa5583d9b62027ea3a5c8e Mon Sep 17 00:00:00 2001 From: doug Date: Wed, 14 Dec 2016 10:53:48 -0500 Subject: [PATCH 09/34] populate empty hash fields --- .scripts/securityonion_update.sh | 1 + debian/changelog | 6 ++++ debian/patches/populate-empty-hash-fields | 35 +++++++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 43 insertions(+) create mode 100644 debian/patches/populate-empty-hash-fields diff --git a/.scripts/securityonion_update.sh b/.scripts/securityonion_update.sh index d802b51..21b5a5d 100644 --- a/.scripts/securityonion_update.sh +++ b/.scripts/securityonion_update.sh 
@@ -50,6 +50,7 @@ if [ -d /var/lib/mysql/securityonion_db/ ]; then else echo "Adding hash field to object_mappings table." $MYSQL "ALTER TABLE object_mappings ADD hash CHAR(32);" + $MYSQL "UPDATE object_mappings SET hash=md5(concat(type,object,value)) WHERE hash IS NULL;" $MYSQL "ALTER TABLE object_mappings DROP PRIMARY KEY , ADD PRIMARY KEY (hash);" fi diff --git a/debian/changelog b/debian/changelog index ef3ba2a..524ecc9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion7) trusty; urgency=medium + + * populate empty hash fields + + -- Doug Burks Wed, 14 Dec 2016 10:53:03 -0500 + securityonion-squert (20161212-1ubuntu1securityonion6) trusty; urgency=medium * add hash to object_mappings table diff --git a/debian/patches/populate-empty-hash-fields b/debian/patches/populate-empty-hash-fields new file mode 100644 index 0000000..0f7bbba --- /dev/null +++ b/debian/patches/populate-empty-hash-fields 
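Review bot: `md5(concat(type,object,value))` yields NULL whenever any of the three columns is NULL, so such rows keep `hash IS NULL` and the `ADD PRIMARY KEY (hash)` on the next line still fails on them; `concat_ws('|', type, object, value)` treats NULLs as empty and, with a separator, also removes the ambiguity of unseparated concatenation, where different (type, object, value) splits produce the same string and hence a duplicate key. Whatever formula the PHP side uses when it writes `hash` has to agree with this backfill, and that code is not in this series, so the chosen formula should be documented in a comment above the `UPDATE`. The same line is repeated in debian/patches/populate-empty-hash-fields.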
@@ -0,0 +1,35 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion7) trusty; urgency=medium + . + * populate empty hash fields +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.scripts/securityonion_update.sh ++++ securityonion-squert-20161212/.scripts/securityonion_update.sh +@@ -50,6 +50,7 @@ if [ -d /var/lib/mysql/securityonion_db/ + else + echo "Adding hash field to object_mappings table." + $MYSQL "ALTER TABLE object_mappings ADD hash CHAR(32);" ++ $MYSQL "UPDATE object_mappings SET hash=md5(concat(type,object,value)) WHERE hash IS NULL;" + $MYSQL "ALTER TABLE object_mappings DROP PRIMARY KEY , ADD PRIMARY KEY (hash);" + fi + diff --git a/debian/patches/series b/debian/patches/series index 68a382d..21d629d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -4,3 +4,4 @@ update-path-in-clicat.tcl disable-ip2c.php fix-ip2c.php add-hash-to-object_mappings-table +populate-empty-hash-fields From 8c9fbff2dcd2bfa88b1f57f5e39998ea19420ff6 Mon Sep 17 00:00:00 2001 
From: doug Date: Fri, 16 Dec 2016 09:10:57 -0500 Subject: [PATCH 10/34] Squert: OSSEC HIDS alerts display NIDS rules #958 --- .inc/callback.php | 98 ++++++------ debian/changelog | 6 + ...-OSSEC-HIDS-alerts-display-NIDS-rules-#958 | 148 ++++++++++++++++++ debian/patches/series | 1 + login.php | 2 +- 5 files changed, 204 insertions(+), 51 deletions(-) create mode 100644 debian/patches/Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 diff --git a/.inc/callback.php b/.inc/callback.php index 1fa24f9..aa04521 100644 --- a/.inc/callback.php +++ b/.inc/callback.php 
@@ -113,61 +113,59 @@ function urlMkr($line) { $wasMatched = 0; $dirs = explode("||",$rulePath); - if ( $gID > 100 ) { - $dc = 0; - $wasMatched = 2; + if ( $gID == 10001 ) { + $result = array("ruletxt" => "Generator ID $gID. OSSEC rules can be found in /var/ossec/rules/.", + "rulefile" => "n/a", + "ruleline" => "n/a", + ); + } elseif ( $gID != 1 && $gID != 3 ) { + $result = array("ruletxt" => "Generator ID $gID. This event belongs to a preprocessor or decoder.", + "rulefile" => "n/a", + "ruleline" => "n/a", + ); } else { - $dc = (count($dirs) - 1); - } - - for ($i = 0; $i <= $dc; $i++) - if ($ruleDir = opendir($dirs[$i])) { - while (false !== ($ruleFile = readdir($ruleDir))) { - if ($ruleFile != "." && $ruleFile != "..") { - $ruleLines = file("$dirs[$i]/$ruleFile"); - $lineNumber = 1; - - foreach($ruleLines as $line) { - - $searchCount = preg_match("/sid\:\s*$sigID\s*\;/",$line); - - if($searchCount > 0) { - $tempMsg = preg_match("/\bmsg\s*:\s*\"(.+?)\"\s*;/i",$line,$ruleMsg); - - $line = urlMkr(htmlspecialchars($line)); - - $result = array("ruletxt" => $line, - "rulefile" => $ruleFile, - "ruleline" => $lineNumber, - ); - $wasMatched = 1; - break; - } - $lineNumber++; - } - } - } - - closedir($ruleDir); - } - - if ($wasMatched == 0) { - $result = array("ruletxt" => "No match for signature ID $sigID", - "rulefile" => "n/a", - "ruleline" => "n/a", - ); - } - - if ($wasMatched == 2) { - $result = array("ruletxt" => "Generator ID > 100. This event belongs to a preprocessor or the decoder. Generator ID: $gID ", - "rulefile" => "n/a", - "ruleline" => "n/a", - ); + $dc = (count($dirs) - 1); + for ($i = 0; $i <= $dc; $i++) + if ($ruleDir = opendir($dirs[$i])) { + while (false !== ($ruleFile = readdir($ruleDir))) { + if ($ruleFile != "." 
&& $ruleFile != "..") { + $ruleLines = file("$dirs[$i]/$ruleFile"); + $lineNumber = 1; + + foreach($ruleLines as $line) { + + $searchCount = preg_match("/sid\:\s*$sigID\s*\;/",$line); + + if($searchCount > 0) { + $tempMsg = preg_match("/\bmsg\s*:\s*\"(.+?)\"\s*;/i",$line,$ruleMsg); + + $line = urlMkr(htmlspecialchars($line)); + + $result = array("ruletxt" => $line, + "rulefile" => $ruleFile, + "ruleline" => $lineNumber, + ); + $wasMatched = 1; + break; + } + $lineNumber++; + } + } + } + + closedir($ruleDir); + } + + if ($wasMatched == 0) { + $result = array("ruletxt" => "No match for signature ID $sigID", + "rulefile" => "n/a", + "ruleline" => "n/a", + ); + } } $theJSON = json_encode($result); echo $theJSON; - } function level0() { diff --git a/debian/changelog b/debian/changelog index 524ecc9..ebdff95 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion8) trusty; urgency=medium + + * Squert: OSSEC HIDS alerts display NIDS rules #958 + + -- Doug Burks Fri, 16 Dec 2016 09:09:13 -0500 + securityonion-squert (20161212-1ubuntu1securityonion7) trusty; urgency=medium * populate empty hash fields diff --git a/debian/patches/Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 b/debian/patches/Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 new file mode 100644 index 0000000..db29a56 --- /dev/null +++ b/debian/patches/Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 
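Review bot: `$sigID` is interpolated straight into the pattern `"/sid\:\s*$sigID\s*\;/"`; the enclosing function starts outside the hunk, so whether it is cast to an integer before this point is not visible — if it arrives from the request as a string, regex metacharacters in it change or break the match (`preg_match` returns false and the loop silently reports `No match`). Build the pattern once before the loop with `$sigPattern = '/sid\:\s*' . preg_quote((string) $sigID, '/') . '\s*\;/';` (or cast `$sigID` to `int`), which also hoists it out of the per-line loop. The generator comparisons `$gID == 10001` and `$gID != 1 && $gID != 3` are bare magic numbers — a comment or named constants (`10001` is the OSSEC generator per the message text; `1`/`3` presumably the rule generators) would explain the branch — and `$tempMsg`/`$ruleMsg` are computed but never used. The same lines are repeated in debian/patches/Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958.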
@@ -0,0 +1,148 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion8) trusty; urgency=medium + . + * Squert: OSSEC HIDS alerts display NIDS rules #958 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -113,61 +113,59 @@ function signatures() { + $wasMatched = 0; + $dirs = explode("||",$rulePath); + +- if ( $gID > 100 ) { +- $dc = 0; +- $wasMatched = 2; ++ if ( $gID == 10001 ) { ++ $result = array("ruletxt" => "Generator ID $gID. OSSEC rules can be found in /var/ossec/rules/.", ++ "rulefile" => "n/a", ++ "ruleline" => "n/a", ++ ); ++ } elseif ( $gID != 1 && $gID != 3 ) { ++ $result = array("ruletxt" => "Generator ID $gID. This event belongs to a preprocessor or decoder.", ++ "rulefile" => "n/a", ++ "ruleline" => "n/a", ++ ); + } else { +- $dc = (count($dirs) - 1); +- } +- +- for ($i = 0; $i <= $dc; $i++) +- if ($ruleDir = opendir($dirs[$i])) { +- while (false !== ($ruleFile = readdir($ruleDir))) { +- if ($ruleFile != "." 
&& $ruleFile != "..") { +- $ruleLines = file("$dirs[$i]/$ruleFile"); +- $lineNumber = 1; +- +- foreach($ruleLines as $line) { +- +- $searchCount = preg_match("/sid\:\s*$sigID\s*\;/",$line); +- +- if($searchCount > 0) { +- $tempMsg = preg_match("/\bmsg\s*:\s*\"(.+?)\"\s*;/i",$line,$ruleMsg); +- +- $line = urlMkr(htmlspecialchars($line)); +- +- $result = array("ruletxt" => $line, +- "rulefile" => $ruleFile, +- "ruleline" => $lineNumber, +- ); +- $wasMatched = 1; +- break; +- } +- $lineNumber++; +- } +- } +- } +- +- closedir($ruleDir); +- } +- +- if ($wasMatched == 0) { +- $result = array("ruletxt" => "No match for signature ID $sigID", +- "rulefile" => "n/a", +- "ruleline" => "n/a", +- ); +- } +- +- if ($wasMatched == 2) { +- $result = array("ruletxt" => "Generator ID > 100. This event belongs to a preprocessor or the decoder. Generator ID: $gID ", +- "rulefile" => "n/a", +- "ruleline" => "n/a", +- ); ++ $dc = (count($dirs) - 1); ++ for ($i = 0; $i <= $dc; $i++) ++ if ($ruleDir = opendir($dirs[$i])) { ++ while (false !== ($ruleFile = readdir($ruleDir))) { ++ if ($ruleFile != "." 
&& $ruleFile != "..") { ++ $ruleLines = file("$dirs[$i]/$ruleFile"); ++ $lineNumber = 1; ++ ++ foreach($ruleLines as $line) { ++ ++ $searchCount = preg_match("/sid\:\s*$sigID\s*\;/",$line); ++ ++ if($searchCount > 0) { ++ $tempMsg = preg_match("/\bmsg\s*:\s*\"(.+?)\"\s*;/i",$line,$ruleMsg); ++ ++ $line = urlMkr(htmlspecialchars($line)); ++ ++ $result = array("ruletxt" => $line, ++ "rulefile" => $ruleFile, ++ "ruleline" => $lineNumber, ++ ); ++ $wasMatched = 1; ++ break; ++ } ++ $lineNumber++; ++ } ++ } ++ } ++ ++ closedir($ruleDir); ++ } ++ ++ if ($wasMatched == 0) { ++ $result = array("ruletxt" => "No match for signature ID $sigID", ++ "rulefile" => "n/a", ++ "ruleline" => "n/a", ++ ); ++ } + } + + $theJSON = json_encode($result); + echo $theJSON; +- + } + + function level0() { +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -130,7 +130,7 @@ Password
+

+ + +-
Version 1.6.1©2016 Paul Halliday
++
Version 1.6.2©2016 Paul Halliday
+ + + diff --git a/debian/patches/series b/debian/patches/series index 21d629d..8c47bbc 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,4 @@ disable-ip2c.php fix-ip2c.php add-hash-to-object_mappings-table populate-empty-hash-fields +Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 diff --git a/login.php b/login.php index 68c1ef7..387e1c2 100644 --- a/login.php +++ b/login.php @@ -130,7 +130,7 @@ function cleanUp($string) {

-
Version 1.6.1©2016 Paul Halliday
+
Version 1.6.2©2016 Paul Halliday
From 2d1dbfb52bff70527c6cf015374c23b9302b3e9a Mon Sep 17 00:00:00 2001 From: doug Date: Fri, 16 Dec 2016 10:07:53 -0500 Subject: [PATCH 11/34] initialize srcd, dstd, and alld in callback.php --- .inc/callback.php | 1 + debian/changelog | 6 +++ ...alize-srcd,-dstd,-and-alld-in-callback.php | 46 +++++++++++++++++++ debian/patches/series | 1 + login.php | 2 +- 5 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 debian/patches/initialize-srcd,-dstd,-and-alld-in-callback.php diff --git a/.inc/callback.php b/.inc/callback.php index aa04521..b38f29a 100644 --- a/.inc/callback.php +++ b/.inc/callback.php @@ -821,6 +821,7 @@ function map() { } $aSum = $bSum = $cSum = $aItems = $bItems = $cItems = 0; + $srcd = $dstd = $alld = ""; function makeDetail($x1,$x2) { $detail = ""; diff --git a/debian/changelog b/debian/changelog index ebdff95..f83778c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion9) trusty; urgency=medium + + * initialize srcd, dstd, and alld in callback.php + + -- Doug Burks Fri, 16 Dec 2016 10:06:58 -0500 + securityonion-squert (20161212-1ubuntu1securityonion8) trusty; urgency=medium * Squert: OSSEC HIDS alerts display NIDS rules #958 diff --git a/debian/patches/initialize-srcd,-dstd,-and-alld-in-callback.php b/debian/patches/initialize-srcd,-dstd,-and-alld-in-callback.php new file mode 100644 index 0000000..30c56a1 --- /dev/null +++ b/debian/patches/initialize-srcd,-dstd,-and-alld-in-callback.php 
@@ -0,0 +1,46 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion9) trusty; urgency=medium + . + * initialize srcd, dstd, and alld in callback.php +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -821,6 +821,7 @@ function map() { + } + + $aSum = $bSum = $cSum = $aItems = $bItems = $cItems = 0; ++ $srcd = $dstd = $alld = ""; + + function makeDetail($x1,$x2) { + $detail = ""; +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -130,7 +130,7 @@ Password
+

+ + +-
Version 1.6.2©2016 Paul Halliday
++
Version 1.6.3©2016 Paul Halliday
+ + + diff --git a/debian/patches/series b/debian/patches/series index 8c47bbc..7a33b7e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ fix-ip2c.php add-hash-to-object_mappings-table populate-empty-hash-fields Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 +initialize-srcd,-dstd,-and-alld-in-callback.php diff --git a/login.php b/login.php index 387e1c2..b2572d3 100644 --- a/login.php +++ b/login.php @@ -130,7 +130,7 @@ function cleanUp($string) {

-
Version 1.6.2©2016 Paul Halliday
+
Version 1.6.3©2016 Paul Halliday
From 0bae62b6870a71e6766b71aca24a42f001337ba8 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Wed, 21 Dec 2016 14:18:19 -0500 Subject: [PATCH 12/34] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ab61020..f42af43 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,6 @@ SQueRT is a tool that is used to query event data. -NOTE: Squert was originally developed by [Paul Halliday](http://www.pintumbler.org/words/youcantgobackonlyforward). +NOTE: SQueRT was originally developed by [Paul Halliday](http://www.pintumbler.org/words/youcantgobackonlyforward). Thanks to Paul for all of his hard work over the years! This is a fork of Paul's latest version that is maintained by the Security Onion team and includes modifications specific to Security Onion. From bd90e43d4096a4c0b23f19abde285f5ab3bb7122 Mon Sep 17 00:00:00 2001 From: Pete Date: Tue, 17 Jan 2017 13:51:30 -0500 Subject: [PATCH 13/34] Avoid hard loop when file unavailable When the download is not available, this script gets stuck in a hard loop retrying, filling up both logfiles and bandwidth to a proxy. This patch neuters the retry attempt by just continuing on. --- .scripts/ip2c.tcl | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.scripts/ip2c.tcl b/.scripts/ip2c.tcl index 9a450cc..498961f 100755 --- a/.scripts/ip2c.tcl +++ b/.scripts/ip2c.tcl @@ -403,8 +403,7 @@ if {$fail == "no"} { set x [expr $x - 1] } } else { - puts "Checksum not found. Retrying..\n" - set x [expr $x - 1] + puts "Checksum not found. Skipping..\n" } } From e3f24905cbee24baf9e86cebb32d3eee43060446 Mon Sep 17 00:00:00 2001 
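Review bot: The else branch now neither decrements `$x` nor leaves the enclosing loop; if that loop is bounded by `$x` (the `if` branch still does `set x [expr $x - 1]`), a persistently missing checksum no longer counts down and the hard loop the commit describes may merely have moved — the loop header is outside the hunk, so confirm it advances on some other variable and state that in a comment next to `Skipping`. Separately, "Skipping" should mean the downloaded file is discarded, not consumed without its checksum being verified; if the code after this branch still uses the download, the integrity check is bypassed rather than skipped.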
From: doug Date: Sat, 21 Jan 2017 05:07:56 -0500 Subject: [PATCH 14/34] Squert: error when removing comment #1066 --- .inc/callback.php | 2 +- debian/changelog | 6 ++++ .../Squert:-error-when-removing-comment-#1066 | 36 +++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 debian/patches/Squert:-error-when-removing-comment-#1066 diff --git a/.inc/callback.php b/.inc/callback.php index b38f29a..f9b384f 100644 --- a/.inc/callback.php +++ b/.inc/callback.php @@ -724,7 +724,7 @@ function remove_comment() { $user = $_SESSION['sUser']; $comment = hextostr($_REQUEST['comment']); $comment = mysql_real_escape_string($comment); - $query = "DELETE FROM sguildb.history WHERE comment = '$comment'"; + $query = "DELETE FROM history WHERE comment = '$comment'"; mysql_query($query); $result = mysql_error(); $return = array("msg" => $result); diff --git a/debian/changelog b/debian/changelog index f83778c..7cafa16 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion10) trusty; urgency=medium + + * Squert: error when removing comment #1066 + + -- Doug Burks Sat, 21 Jan 2017 05:06:53 -0500 + securityonion-squert (20161212-1ubuntu1securityonion9) trusty; urgency=medium * initialize srcd, dstd, and alld in callback.php diff --git a/debian/patches/Squert:-error-when-removing-comment-#1066 b/debian/patches/Squert:-error-when-removing-comment-#1066 new file mode 100644 index 0000000..a0c203c --- /dev/null +++ b/debian/patches/Squert:-error-when-removing-comment-#1066 
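Review bot: `DELETE FROM history WHERE comment = '$comment'` removes every history row whose comment text matches, not the one the user selected, and `$user = $_SESSION['sUser']` two lines above is read but never used to scope the delete, so one user can remove other users' entries that share the same text; delete by the row's primary key and, if `history` carries a user column (not visible here), add `AND <user column> = '$user'` (placeholder name). The query is still assembled by string interpolation through the deprecated `mysql_*` API — `mysql_real_escape_string` covers this one value, but a prepared statement would be the durable fix. The same hunk is repeated in debian/patches/Squert:-error-when-removing-comment-#1066; remove_comment() begins outside the hunk.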
@@ -0,0 +1,36 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion10) trusty; urgency=medium + . + * Squert: error when removing comment #1066 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -724,7 +724,7 @@ function remove_comment() { + $user = $_SESSION['sUser']; + $comment = hextostr($_REQUEST['comment']); + $comment = mysql_real_escape_string($comment); +- $query = "DELETE FROM sguildb.history WHERE comment = '$comment'"; ++ $query = "DELETE FROM history WHERE comment = '$comment'"; + mysql_query($query); + $result = mysql_error(); + $return = array("msg" => $result); diff --git a/debian/patches/series b/debian/patches/series index 7a33b7e..28e41f1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -7,3 +7,4 @@ add-hash-to-object_mappings-table populate-empty-hash-fields Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 initialize-srcd,-dstd,-and-alld-in-callback.php +Squert:-error-when-removing-comment-#1066 From 170edb0c6ccc8aa85dd61aa256b19a9ee54c4959 Mon Sep 17 00:00:00 2001 
From: doug Date: Sat, 21 Jan 2017 05:10:16 -0500 Subject: [PATCH 15/34] update README.md --- debian/patches/series | 1 + debian/patches/update-README.md | 35 +++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 debian/patches/update-README.md diff --git a/debian/patches/series b/debian/patches/series index 28e41f1..d68838e 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -8,3 +8,4 @@ populate-empty-hash-fields Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 initialize-srcd,-dstd,-and-alld-in-callback.php Squert:-error-when-removing-comment-#1066 +update-README.md diff --git a/debian/patches/update-README.md b/debian/patches/update-README.md new file mode 100644 index 0000000..1e2af74 --- /dev/null +++ b/debian/patches/update-README.md 
@@ -0,0 +1,35 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion10) trusty; urgency=medium + . + * Squert: error when removing comment #1066 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/README.md ++++ securityonion-squert-20161212/README.md +@@ -4,6 +4,6 @@ + + SQueRT is a tool that is used to query event data. + +-NOTE: Squert was originally developed by [Paul Halliday](http://www.pintumbler.org/words/youcantgobackonlyforward). ++NOTE: SQueRT was originally developed by [Paul Halliday](http://www.pintumbler.org/words/youcantgobackonlyforward). + Thanks to Paul for all of his hard work over the years! + This is a fork of Paul's latest version that is maintained by the Security Onion team and includes modifications specific to Security Onion. From 5a604c1a2f7985a6cc0dc755656d6f1aa548da43 Mon Sep 17 00:00:00 2001 From: doug Date: Sat, 21 Jan 2017 05:19:35 -0500 Subject: [PATCH 16/34] bump version to 1.6.4 --- debian/changelog | 6 +++++ debian/patches/bump-version-to-1.6.4 | 36 ++++++++++++++++++++++++++++ debian/patches/series | 1 + login.php | 2 +- 4 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 debian/patches/bump-version-to-1.6.4 diff --git a/debian/changelog b/debian/changelog index 7cafa16..43e6d05 100644 --- a/debian/changelog 
+++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion11) trusty; urgency=medium + + * bump version to 1.6.4 + + -- Doug Burks Sat, 21 Jan 2017 05:18:59 -0500 + securityonion-squert (20161212-1ubuntu1securityonion10) trusty; urgency=medium * Squert: error when removing comment #1066 diff --git a/debian/patches/bump-version-to-1.6.4 b/debian/patches/bump-version-to-1.6.4 new file mode 100644 index 0000000..92485f5 --- /dev/null +++ b/debian/patches/bump-version-to-1.6.4 @@ -0,0 +1,36 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion11) trusty; urgency=medium + . + * bump version to 1.6.4 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -130,7 +130,7 @@ Password
+

+ + +-
Version 1.6.3©2016 Paul Halliday
++
Version 1.6.4©2016 Paul Halliday
+ + + diff --git a/debian/patches/series b/debian/patches/series index d68838e..5eec968 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,3 +9,4 @@ Squert:-OSSEC-HIDS-alerts-display-NIDS-rules-#958 initialize-srcd,-dstd,-and-alld-in-callback.php Squert:-error-when-removing-comment-#1066 update-README.md +bump-version-to-1.6.4 diff --git a/login.php b/login.php index b2572d3..81d483d 100644 --- a/login.php +++ b/login.php @@ -130,7 +130,7 @@ function cleanUp($string) {

-
Version 1.6.3©2016 Paul Halliday
+
Version 1.6.4©2016 Paul Halliday
From aa844d821bfc9c701a685f4453a0fb83b9ec95b9 Mon Sep 17 00:00:00 2001 From: doug Date: Sat, 21 Jan 2017 07:00:21 -0500 Subject: [PATCH 17/34] Squert: ip2c avoid hard loop when file unavailable #1067 --- debian/changelog | 6 +++ ...void-hard-loop-when-file-unavailable-#1067 | 37 +++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 44 insertions(+) create mode 100644 debian/patches/Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 diff --git a/debian/changelog b/debian/changelog index 43e6d05..f2efa21 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion12) trusty; urgency=medium + + * Squert: ip2c avoid hard loop when file unavailable #1067 + + -- Doug Burks Sat, 21 Jan 2017 06:59:49 -0500 + securityonion-squert (20161212-1ubuntu1securityonion11) trusty; urgency=medium * bump version to 1.6.4 diff --git a/debian/patches/Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 b/debian/patches/Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 new file mode 100644 index 0000000..e76f95b --- /dev/null +++ b/debian/patches/Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 
@@ -0,0 +1,37 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion12) trusty; urgency=medium + . + * Squert: ip2c avoid hard loop when file unavailable #1067 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.scripts/ip2c.tcl ++++ securityonion-squert-20161212/.scripts/ip2c.tcl +@@ -403,8 +403,7 @@ if {$fail == "no"} { + set x [expr $x - 1] + } + } else { +- puts "Checksum not found. Retrying..\n" +- set x [expr $x - 1] ++ puts "Checksum not found. Skipping..\n" + } + } + diff --git a/debian/patches/series b/debian/patches/series index 5eec968..3763de4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,4 @@ initialize-srcd,-dstd,-and-alld-in-callback.php Squert:-error-when-removing-comment-#1066 update-README.md bump-version-to-1.6.4 +Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 From b9641097085dd87ed00e959c89ffdd7aebda8581 Mon Sep 17 00:00:00 2001 
From: doug Date: Thu, 17 Aug 2017 07:27:09 -0400 Subject: [PATCH 18/34] Squert: comment search not working #1119 --- .inc/callback.php | 4 +- debian/changelog | 6 +++ .../Squert:-comment-search-not-working-#1119 | 50 +++++++++++++++++++ debian/patches/series | 1 + login.php | 2 +- 5 files changed, 60 insertions(+), 3 deletions(-) create mode 100644 debian/patches/Squert:-comment-search-not-working-#1119 diff --git a/.inc/callback.php b/.inc/callback.php index f9b384f..e8db0a4 100644 --- a/.inc/callback.php +++ b/.inc/callback.php @@ -174,9 +174,9 @@ function level0() { $filter = hextostr($_REQUEST['filter']); if ($filter != 'empty') { if (substr($filter, 0,4) == 'cmt ') { - $comment = mysql_real_escape_string(explode('cmt ', $filter)); + $comment = explode('cmt ', $filter); $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '$comment[1]'"; + WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "'"; } else { // this needs to be fixed $filter = str_replace('<','<', $filter); diff --git a/debian/changelog b/debian/changelog index f2efa21..80aa8bc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion13) trusty; urgency=medium + + * Squert: comment search not working #1119 + + -- Doug Burks Thu, 17 Aug 2017 07:26:33 -0400 + securityonion-squert (20161212-1ubuntu1securityonion12) trusty; urgency=medium * Squert: ip2c avoid hard loop when file unavailable #1067 diff --git a/debian/patches/Squert:-comment-search-not-working-#1119 b/debian/patches/Squert:-comment-search-not-working-#1119 new file mode 100644 index 0000000..f8365ca --- /dev/null +++ b/debian/patches/Squert:-comment-search-not-working-#1119 
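Review bot: `explode('cmt ', $filter)` with no limit splits on every occurrence, so `$comment[1]` holds only the text up to the next `cmt ` and a comment search whose text contains that token is silently truncated; `$comment = explode('cmt ', $filter, 2);` (or `substr($filter, 4)`) keeps the whole remainder. Moving `mysql_real_escape_string` onto `$comment[1]` rather than the array is what fixes the reported breakage, and the same unlimited `explode` is repeated in the `times()` hunk of PATCH 19. `level0()` continues outside the hunk.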
@@ -0,0 +1,50 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion13) trusty; urgency=medium + . + * Squert: comment search not working #1119 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -174,9 +174,9 @@ function level0() { + $filter = hextostr($_REQUEST['filter']); + if ($filter != 'empty') { + if (substr($filter, 0,4) == 'cmt ') { +- $comment = mysql_real_escape_string(explode('cmt ', $filter)); ++ $comment = explode('cmt ', $filter); + $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '$comment[1]'"; ++ WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "'"; + } else { + // this needs to be fixed + $filter = str_replace('<','<', $filter); +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -130,7 +130,7 @@ Password
+

+ + +-
Version 1.6.4©2016 Paul Halliday
++
Version 1.6.5©2016 Paul Halliday
+ + + diff --git a/debian/patches/series b/debian/patches/series index 3763de4..b57f78a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -11,3 +11,4 @@ Squert:-error-when-removing-comment-#1066 update-README.md bump-version-to-1.6.4 Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 +Squert:-comment-search-not-working-#1119 diff --git a/login.php b/login.php index 81d483d..6b15014 100644 --- a/login.php +++ b/login.php @@ -130,7 +130,7 @@ function cleanUp($string) {

-
Version 1.6.4©2016 Paul Halliday
+
Version 1.6.5©2016 Paul Halliday
From 8460aa74c76ca2f9d33471fa8d9fdd16d6897674 Mon Sep 17 00:00:00 2001 From: doug Date: Fri, 18 Aug 2017 08:57:56 -0400 Subject: [PATCH 19/34] fix error in times function --- .inc/callback.php | 12 +++- debian/changelog | 6 ++ debian/patches/fix-error-in-times-function | 75 ++++++++++++++++++++++ debian/patches/series | 1 + login.php | 2 +- 5 files changed, 93 insertions(+), 3 deletions(-) create mode 100644 debian/patches/fix-error-in-times-function diff --git a/.inc/callback.php b/.inc/callback.php index e8db0a4..30d4641 100644 --- a/.inc/callback.php +++ b/.inc/callback.php @@ -1483,26 +1483,34 @@ function times() { global $offset, $when, $sensors; $filter = hextostr($_REQUEST['filter']); if ($filter != 'empty') { + if (substr($filter, 0,4) == 'cmt ') { + $comment = explode('cmt ', $filter); + $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid + WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "' + AND $when $sensors"; + } else { + // this needs to be fixed $filter = str_replace('<','<', $filter); $filter = str_replace('>','>', $filter); $filter = "AND " . $filter; $qp2 = "WHERE $when $sensors $filter"; + } } else { $qp2 = "WHERE $when $sensors"; } $query = "SELECT - SUBSTRING(CONVERT_TZ(timestamp,'+00:00','$offset'),12,5) AS time, + SUBSTRING(CONVERT_TZ(event.timestamp,'+00:00','$offset'),12,5) AS time, COUNT(signature) AS count FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip $qp2 GROUP BY time - ORDER BY timestamp"; + ORDER BY event.timestamp"; $result = mysql_query($query); $rows = array(); $r = $m = 0; diff --git a/debian/changelog b/debian/changelog index 80aa8bc..d1e28b9 100644 --- a/debian/changelog +++ b/debian/changelog 
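Review bot: The new `cmt ` branch in `times()` joins `history` and then filters on `history.comment`; if `history` can hold more than one row per event (`sid`, `cid`) with the same comment — not visible from here — each such event is counted once per row and `COUNT(signature)` is inflated, which `COUNT(DISTINCT event.sid, event.cid)` would avoid. The else branch (context lines, still marked `this needs to be fixed`) appends the decoded `$filter` to the WHERE clause verbatim, so the escaping added on the comment path does not cover that path. The `times()` body continues after `$r = $m = 0;`.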
@@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion14) trusty; urgency=medium + + * fix error in times function + + -- Doug Burks Fri, 18 Aug 2017 08:57:12 -0400 + securityonion-squert (20161212-1ubuntu1securityonion13) trusty; urgency=medium * Squert: comment search not working #1119 diff --git a/debian/patches/fix-error-in-times-function b/debian/patches/fix-error-in-times-function new file mode 100644 index 0000000..fb032ba --- /dev/null +++ b/debian/patches/fix-error-in-times-function 
@@ -0,0 +1,75 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion14) trusty; urgency=medium + . + * fix error in times function +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -1483,26 +1483,34 @@ function times() { + global $offset, $when, $sensors; + $filter = hextostr($_REQUEST['filter']); + if ($filter != 'empty') { ++ if (substr($filter, 0,4) == 'cmt ') { ++ $comment = explode('cmt ', $filter); ++ $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid ++ WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "' ++ AND $when $sensors"; ++ } else { ++ // this needs to be fixed + $filter = str_replace('<','<', $filter); + $filter = str_replace('>','>', $filter); + $filter = "AND " . 
$filter; + $qp2 = "WHERE $when + $sensors + $filter"; ++ } + } else { + $qp2 = "WHERE $when + $sensors"; + } + + $query = "SELECT +- SUBSTRING(CONVERT_TZ(timestamp,'+00:00','$offset'),12,5) AS time, ++ SUBSTRING(CONVERT_TZ(event.timestamp,'+00:00','$offset'),12,5) AS time, + COUNT(signature) AS count + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip + LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip + $qp2 + GROUP BY time +- ORDER BY timestamp"; ++ ORDER BY event.timestamp"; + $result = mysql_query($query); + $rows = array(); + $r = $m = 0; +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -130,7 +130,7 @@ Password
+

+ + +-
Version 1.6.5©2016 Paul Halliday
++
Version 1.6.6©2016 Paul Halliday
+ + + diff --git a/debian/patches/series b/debian/patches/series index b57f78a..c67e7d2 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -12,3 +12,4 @@ update-README.md bump-version-to-1.6.4 Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 Squert:-comment-search-not-working-#1119 +fix-error-in-times-function diff --git a/login.php b/login.php index 6b15014..51879cd 100644 --- a/login.php +++ b/login.php @@ -130,7 +130,7 @@ function cleanUp($string) {

-
Version 1.6.5©2016 Paul Halliday
+
Version 1.6.6©2016 Paul Halliday
From 9c527e849c4576be2dc345ce379a08f0082c14ec Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 20 Dec 2017 19:14:10 +0000 Subject: [PATCH 20/34] validate filter 'name' field --- .js/squertBoxes.js | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/.js/squertBoxes.js b/.js/squertBoxes.js index 50d5b51..3eb3382 100644 --- a/.js/squertBoxes.js +++ b/.js/squertBoxes.js @@ -490,7 +490,7 @@ $(document).ready(function(){ } } if (emptyVal > 0) throw 0; - + // Sanitize alias var re = /^[?a-zA-Z][\w-]*$/; var OK = re.exec(filterTxt.alias); @@ -503,7 +503,21 @@ $(document).ready(function(){ // Make sure we dont match a builtin var builtins = ["cc","dip","dpt","ip","sid","sig","sip","spt","scc","dcc","st"]; if (builtins.indexOf(filterTxt.alias) != -1) throw 1; + + // Sanitize name + var re = /^[?a-zA-Z][\w-]*$/; + var OK = re.exec(filterTxt.name); + if (!OK) throw 2; + if (filterTxt.name == "New") throw 2; + // If creating a new filter make sure this name doesn't already exist + if ($("#tr_" + filterTxt.name)[0] && $('#tr_New')[0]) throw 2; + + // Make sure we dont match a builtin + var builtins = ["cc","dip","dpt","ip","sid","sig","sip","spt","scc","dcc","st"]; + if (builtins.indexOf(filterTxt.name) != -1) throw 2; + + // Continue.. oldCL = currentCL; var ftype = $(".hp_type_active").data("val"); @@ -553,6 +567,12 @@ $(document).ready(function(){ eMsg += "Aa-Zz, 0-9, - and _ . "; eMsg += "The word \"New\" is reserved and may not be used."; break; + case 2: + eMsg += "
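Review bot: The name check builds a jQuery selector straight from the validated value, `$("#tr_" + filterTxt.name)`, but the pattern still admits a leading `?`, which is not a valid unescaped character in a CSS id selector, so such a name would likely surface as a selector syntax error instead of `throw 2`; either drop `?` from the name pattern or escape the value before building the selector. `var re` and `var OK` are redeclared in the same function scope a few lines after the alias check, which works but reads as copy-paste; reusing the existing bindings, or block-scoped `let`, would be cleaner. The `$(document).ready` callback continues outside the hunk.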
Error!
" + eMsg += "Valid characters are: "; + eMsg += "Aa-Zz, 0-9, - and _ . "; + eMsg += "The word \"New\" is reserved and may not be used."; + break; default: eMsg += "
Format error!
"; eMsg += "Please ensure the format above is valid JSON. "; From d77b667ad267674807c688e40862cdae15fb9ede Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 20 Dec 2017 19:29:06 +0000 Subject: [PATCH 21/34] remove check for built-in(s) --- .js/squertBoxes.js | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.js/squertBoxes.js b/.js/squertBoxes.js index 3eb3382..10db95b 100644 --- a/.js/squertBoxes.js +++ b/.js/squertBoxes.js @@ -512,11 +512,6 @@ $(document).ready(function(){ // If creating a new filter make sure this name doesn't already exist if ($("#tr_" + filterTxt.name)[0] && $('#tr_New')[0]) throw 2; - - // Make sure we dont match a builtin - var builtins = ["cc","dip","dpt","ip","sid","sig","sip","spt","scc","dcc","st"]; - if (builtins.indexOf(filterTxt.name) != -1) throw 2; - // Continue.. oldCL = currentCL; From edab7056bce5d5855a8edcc51c13d8db6275bd1e Mon Sep 17 00:00:00 2001 From: doug Date: Wed, 20 Dec 2017 15:39:41 -0500 Subject: [PATCH 22/34] improve input validation and output filtering --- .inc/callback.php | 11 ++- debian/changelog | 6 ++ ...rove-input-validation-and-output-filtering | 98 +++++++++++++++++++ debian/patches/series | 1 + login.php | 2 +- 5 files changed, 116 insertions(+), 2 deletions(-) create mode 100644 debian/patches/improve-input-validation-and-output-filtering diff --git a/.inc/callback.php b/.inc/callback.php index 30d4641..c77c020 100644 --- a/.inc/callback.php +++ b/.inc/callback.php 
@@ -622,7 +622,16 @@ function filters() { $rows = array(); while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; + # we're now iterating through each row of the filter table + # for each field in that row, we need to sanitize before output + foreach ($row as &$value) { + # https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know + $value = htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'); + } + # must unset $value per http://php.net/manual/en/control-structures.foreach.php + unset($value); + # now add the sanitized row to the $rows array + $rows[] = $row; } $theJSON = json_encode($rows); diff --git a/debian/changelog b/debian/changelog index d1e28b9..c0c8db6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion15) trusty; urgency=medium + + * improve input validation and output filtering + + -- Doug Burks Wed, 20 Dec 2017 15:38:21 -0500 + securityonion-squert (20161212-1ubuntu1securityonion14) trusty; urgency=medium * fix error in times function diff --git a/debian/patches/improve-input-validation-and-output-filtering b/debian/patches/improve-input-validation-and-output-filtering new file mode 100644 index 0000000..77fe31a --- /dev/null +++ b/debian/patches/improve-input-validation-and-output-filtering 
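Review bot: `htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')` without `ENT_SUBSTITUTE` returns an empty string for any field that is not valid UTF-8, so a filter row with a single malformed byte is silently emptied before it reaches `json_encode`; use `$value = htmlentities($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');`. Entity-encoding at the data layer also assumes every consumer renders these fields as HTML text; the `#tr_<name>` ids that squertBoxes.js looks up and the `url` field it validates presumably come from these same rows, so a value containing `&` or quotes would arrive already encoded — confirm the client does not decode or compare them. `filters()` continues past `$theJSON = json_encode($rows);`.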
@@ -0,0 +1,98 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion15) trusty; urgency=medium + . + * improve input validation and output filtering +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -622,7 +622,16 @@ function filters() { + $rows = array(); + + while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; ++ # we're now iterating through each row of the filter table ++ # for each field in that row, we need to sanitize before output ++ foreach ($row as &$value) { ++ # https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know ++ $value = htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'); ++ } ++ # must unset $value per http://php.net/manual/en/control-structures.foreach.php ++ unset($value); ++ # now add the sanitized row to the $rows array ++ $rows[] = $row; + } + + $theJSON = json_encode($rows); +--- securityonion-squert-20161212.orig/.js/squertBoxes.js ++++ securityonion-squert-20161212/.js/squertBoxes.js +@@ -490,7 +490,7 @@ $(document).ready(function(){ + } + } + if (emptyVal > 0) throw 0; +- ++ + // Sanitize alias + var re = /^[?a-zA-Z][\w-]*$/; + var OK = re.exec(filterTxt.alias); +@@ -503,7 +503,16 @@ $(document).ready(function(){ + // 
Make sure we dont match a builtin + var builtins = ["cc","dip","dpt","ip","sid","sig","sip","spt","scc","dcc","st"]; + if (builtins.indexOf(filterTxt.alias) != -1) throw 1; +- ++ ++ // Sanitize name ++ var re = /^[?a-zA-Z][\w-]*$/; ++ var OK = re.exec(filterTxt.name); ++ if (!OK) throw 2; ++ if (filterTxt.name == "New") throw 2; ++ ++ // If creating a new filter make sure this name doesn't already exist ++ if ($("#tr_" + filterTxt.name)[0] && $('#tr_New')[0]) throw 2; ++ + // Continue.. + oldCL = currentCL; + var ftype = $(".hp_type_active").data("val"); +@@ -553,6 +562,12 @@ $(document).ready(function(){ + eMsg += "Aa-Zz, 0-9, - and _ . "; + eMsg += "The word \"New\" is reserved and may not be used."; + break; ++ case 2: ++ eMsg += "
Error!
" ++ eMsg += "Valid characters are: "; ++ eMsg += "Aa-Zz, 0-9, - and _ . "; ++ eMsg += "The word \"New\" is reserved and may not be used."; ++ break; + default: + eMsg += "
Format error!
"; + eMsg += "Please ensure the format above is valid JSON. "; +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -130,7 +130,7 @@ Password
+

+ + +-
Version 1.6.6©2016 Paul Halliday
++
Version 1.6.7©2016 Paul Halliday
+ + + diff --git a/debian/patches/series b/debian/patches/series index c67e7d2..401dd89 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -13,3 +13,4 @@ bump-version-to-1.6.4 Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 Squert:-comment-search-not-working-#1119 fix-error-in-times-function +improve-input-validation-and-output-filtering diff --git a/login.php b/login.php index 51879cd..93a44eb 100644 --- a/login.php +++ b/login.php @@ -130,7 +130,7 @@ function cleanUp($string) {

-
Version 1.6.6©2016 Paul Halliday
+
Version 1.6.7©2016 Paul Halliday
From 9bec1b23159b09d72c0f81198d14c93dfaa52202 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 21 Dec 2017 03:09:11 +0000 Subject: [PATCH 23/34] add check for notes and url --- .js/squertBoxes.js | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/.js/squertBoxes.js b/.js/squertBoxes.js index 10db95b..3606206 100644 --- a/.js/squertBoxes.js +++ b/.js/squertBoxes.js @@ -505,14 +505,24 @@ $(document).ready(function(){ if (builtins.indexOf(filterTxt.alias) != -1) throw 1; // Sanitize name - var re = /^[?a-zA-Z][\w-]*$/; + var re = /^[?a-zA-Z][\w-\s]*$/; var OK = re.exec(filterTxt.name); if (!OK) throw 2; if (filterTxt.name == "New") throw 2; // If creating a new filter make sure this name doesn't already exist if ($("#tr_" + filterTxt.name)[0] && $('#tr_New')[0]) throw 2; - + + // Sanitize notes + var re = /^[?a-zA-Z][\w-.\s]*$/; + var OK = re.exec(filterTxt.notes); + if (!OK) throw 2; + + // Sanitize url + var re = /^[?\/a-zA-Z0-9.\/:?${}(),_!&'@=\-\*#%]*$/; + var OK = re.exec(filterTxt.url); + if (!OK) throw 3; + // Continue.. oldCL = currentCL; var ftype = $(".hp_type_active").data("val"); @@ -568,13 +578,17 @@ $(document).ready(function(){ eMsg += "Aa-Zz, 0-9, - and _ . "; eMsg += "The word \"New\" is reserved and may not be used."; break; + case 3: + eMsg += "
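Review bot: `/^[?a-zA-Z][\w-\s]*$/` and `/^[?a-zA-Z][\w-.\s]*$/` place `-` between two class escapes; outside unicode mode JavaScript tolerates that as a literal hyphen, but it reads as a range and is a syntax error under the `u` flag, so write the classes as `[\w\s-]` and `[\w.\s-]`. Now that `name` may contain whitespace, `$("#tr_" + filterTxt.name)` turns a name with a space into a descendant selector (`#tr_foo bar`), so the duplicate-name check can no longer find an existing row with such a name. The notes check reuses error code 2, whose message talks about the reserved word "New" and says nothing about notes, and an empty notes field fails the pattern because it demands a leading letter; the url pattern constrains characters but not the scheme, so an explicit `^https?://` prefix check would be the stronger validation. The `$(document).ready` callback continues outside the hunk.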
Error!
" + eMsg += "URL format not valid!"; + break; default: eMsg += "
Format error!
"; eMsg += "Please ensure the format above is valid JSON. "; - eMsg += "I am looking for an opening curly brace \"{\" followed by \"object\": \"value\" "; + eMsg += "Ex. An opening curly brace \"{\" followed by \"object\": \"value\" "; eMsg += "pairs.
Each \"object\": \"value\" pair terminates with a comma \",\" except "; eMsg += "the last pair before the closing curly brace \"}\"."; - eMsg += " Strings must be enclosed within double quotes."; + eMsg += "Strings must be enclosed within double quotes."; break; } $('.filter_error').append(eMsg); From fdd20ee928875dc041fe7d758c844571efa65466 Mon Sep 17 00:00:00 2001 From: doug Date: Thu, 21 Dec 2017 06:21:53 -0500 Subject: [PATCH 24/34] merge and adjust comment --- .inc/callback.php | 2 +- debian/changelog | 6 ++ debian/patches/merge-and-adjust-comment | 86 +++++++++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 94 insertions(+), 1 deletion(-) create mode 100644 debian/patches/merge-and-adjust-comment diff --git a/.inc/callback.php b/.inc/callback.php index c77c020..5ad7dd0 100644 --- a/.inc/callback.php +++ b/.inc/callback.php @@ -621,8 +621,8 @@ function filters() { $rows = array(); + # iterate through each row of the filter table while ($row = mysql_fetch_assoc($result)) { - # we're now iterating through each row of the filter table # for each field in that row, we need to sanitize before output foreach ($row as &$value) { # https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know diff --git a/debian/changelog b/debian/changelog index c0c8db6..8d73921 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion16) trusty; urgency=medium + + * merge and adjust comment + + -- Doug Burks Thu, 21 Dec 2017 06:21:12 -0500 + securityonion-squert (20161212-1ubuntu1securityonion15) trusty; urgency=medium * improve input validation and output filtering diff --git a/debian/patches/merge-and-adjust-comment b/debian/patches/merge-and-adjust-comment new file mode 100644 index 0000000..beae656 --- /dev/null +++ b/debian/patches/merge-and-adjust-comment 
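Review bot: Dropping the leading space from `"Strings must be enclosed within double quotes."` joins it to the previous sentence, which ends with `\"}\".` and no trailing space, so the default message now reads `..."}".Strings must...`; keep it as `eMsg += " Strings must be enclosed within double quotes.";`. The first `eMsg +=` line of the new `case 3` (as in `case 2` added in PATCH 20) has no terminating semicolon and relies on automatic semicolon insertion, unlike the `default` branch; add the `;` for consistency. The switch and its enclosing handler continue outside the hunk.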
@@ -0,0 +1,86 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion16) trusty; urgency=medium + . + * merge and adjust comment +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -621,8 +621,8 @@ function filters() { + + $rows = array(); + ++ # iterate through each row of the filter table + while ($row = mysql_fetch_assoc($result)) { +- # we're now iterating through each row of the filter table + # for each field in that row, we need to sanitize before output + foreach ($row as &$value) { + # https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know +--- securityonion-squert-20161212.orig/.js/squertBoxes.js ++++ securityonion-squert-20161212/.js/squertBoxes.js +@@ -505,14 +505,24 @@ $(document).ready(function(){ + if (builtins.indexOf(filterTxt.alias) != -1) throw 1; + + // Sanitize name +- var re = /^[?a-zA-Z][\w-]*$/; ++ var re = /^[?a-zA-Z][\w-\s]*$/; + var OK = re.exec(filterTxt.name); + if (!OK) throw 2; + if (filterTxt.name == "New") throw 2; + + // If creating a new filter make sure this name doesn't already exist + if ($("#tr_" + filterTxt.name)[0] && $('#tr_New')[0]) throw 2; +- ++ ++ // Sanitize notes ++ var re = /^[?a-zA-Z][\w-.\s]*$/; ++ var OK = 
re.exec(filterTxt.notes); ++ if (!OK) throw 2; ++ ++ // Sanitize url ++ var re = /^[?\/a-zA-Z0-9.\/:?${}(),_!&'@=\-\*#%]*$/; ++ var OK = re.exec(filterTxt.url); ++ if (!OK) throw 3; ++ + // Continue.. + oldCL = currentCL; + var ftype = $(".hp_type_active").data("val"); +@@ -568,13 +578,17 @@ $(document).ready(function(){ + eMsg += "Aa-Zz, 0-9, - and _ . "; + eMsg += "The word \"New\" is reserved and may not be used."; + break; ++ case 3: ++ eMsg += "
Error!
" ++ eMsg += "URL format not valid!"; ++ break; + default: + eMsg += "
Format error!
"; + eMsg += "Please ensure the format above is valid JSON. "; +- eMsg += "I am looking for an opening curly brace \"{\" followed by \"object\": \"value\" "; ++ eMsg += "Ex. An opening curly brace \"{\" followed by \"object\": \"value\" "; + eMsg += "pairs.
Each \"object\": \"value\" pair terminates with a comma \",\" except "; + eMsg += "the last pair before the closing curly brace \"}\"."; +- eMsg += " Strings must be enclosed within double quotes."; ++ eMsg += "Strings must be enclosed within double quotes."; + break; + } + $('.filter_error').append(eMsg); diff --git a/debian/patches/series b/debian/patches/series index 401dd89..7434cb0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -14,3 +14,4 @@ Squert:-ip2c-avoid-hard-loop-when-file-unavailable-#1067 Squert:-comment-search-not-working-#1119 fix-error-in-times-function improve-input-validation-and-output-filtering +merge-and-adjust-comment From 4718fdf5eb6f5e0fce3f81153c57ca25a6132d91 Mon Sep 17 00:00:00 2001 From: doug Date: Mon, 1 Jan 2018 16:59:58 -0500 Subject: [PATCH 25/34] improve calls to clicat --- login.php => .auth/squert/login.php | 0 {.js => .auth/squert}/squertMain.js | 0 .auth/sso/login.php | 141 ++ .auth/sso/squertMain.js | 3276 +++++++++++++++++++++++++++ .inc/callback.php | 97 +- debian/postinst | 22 + 6 files changed, 3465 insertions(+), 71 deletions(-) rename login.php => .auth/squert/login.php (100%) rename {.js => .auth/squert}/squertMain.js (100%) create mode 100644 .auth/sso/login.php create mode 100644 .auth/sso/squertMain.js diff --git a/login.php b/.auth/squert/login.php similarity index 100% rename from login.php rename to .auth/squert/login.php diff --git a/.js/squertMain.js b/.auth/squert/squertMain.js similarity index 100% rename from .js/squertMain.js rename to .auth/squert/squertMain.js diff --git a/.auth/sso/login.php b/.auth/sso/login.php new file mode 100644 index 0000000..0f778e6 --- /dev/null +++ b/.auth/sso/login.php 
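Review bot: The new notes check `var re = /^[?a-zA-Z][\w-.\s]*$/;` requires a non-empty value that starts with a letter, so an empty or digit-leading notes field is rejected with error 2, whose message (the `Aa-Zz, 0-9, - and _` text just above `case 3`) only describes the name rules; if notes are optional the pattern should admit the empty string, e.g. `/^(?:[?a-zA-Z][\w\-.\s]*)?$/`. In both the name and notes classes `\w-\s` / `\w-.` use a class escape as a range endpoint, which only parses under the Annex B web-compat grammar and becomes a SyntaxError the moment a `u` flag is added; escape the hyphen (`[\w\-\s]`, `[\w\-.\s]`). The URL pattern admits `'`, `(`, `)`, `{`, `}`, `$` and `%`, so it constrains little, and all three checks run in the browser only; the server side must still validate the scheme and escape per output context wherever name, notes and url are rendered, and the callback.php part of this patch only covers the output-filtering half of that. The enclosing `$(document).ready` handler and the error `switch` both start outside the quoted hunks.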
@@ -0,0 +1,141 @@
+
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see .
+//
+//
+
+include_once '.inc/config.php';
+
+$username = $password = $err = '';
+$focus = 'username';
+session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
+
+function cleanUp($string) {
+ if (get_magic_quotes_gpc()) {
+ $string = stripslashes($string);
+ }
+ $string = mysql_real_escape_string($string);
+ return $string;
+}
+
+//if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+ //$username = $_REQUEST['username'];
+ //$password = $_REQUEST['password'];
+ $username = $_SERVER['PHP_AUTH_USER'];
+ $password = $_SERVER['PHP_AUTH_PW'];
+
+ $ua = $_SERVER['HTTP_USER_AGENT'];
+ $rqt = $_SERVER['REQUEST_TIME'];
+ $rqaddr = $_SERVER['REMOTE_ADDR'];
+ $max = mt_getrandmax();
+ $rqt .= mt_rand(0,$max);
+ $rqaddr .= mt_rand(0,$max);
+ $ua .= mt_rand(0,$max);
+ $cmpid = $rqt . $rqaddr . $ua;
+ $id = md5($cmpid);
+ $db = mysql_connect($dbHost,$dbUser,$dbPass);
+ $link = mysql_select_db($dbName, $db);
+ if ($link) {
+ $user = cleanUp($username);
+ $query = "SELECT * FROM user_info WHERE username = '$user'";
+ $result = mysql_query($query);
+ $numRows = mysql_num_rows($result);
+
+ if ($numRows > 0) {
+ while ($row = mysql_fetch_row($result)) {
+ $userName = $row[1];
+ $lastLogin = $row[2];
+ $userHash = $row[3];
+ $userEmail = $row[4];
+ $userType = $row[5];
+ $userTime = $row[6];
+ $tzoffset = $row[7];
+ }
+ // The first 2 chars are the salt
+ $theSalt = substr($userHash, 0,2);
+
+ // The remainder is the hash
+ $theHash = substr($userHash, 2);
+
+ // Now we hash the users input
+ $testHash = sha1($password . $theSalt);
+
+ // Does it match? If yes, start the session.
+ if ($testHash === $theHash) {
+ session_start();
+
+ // Protect against session fixation attack
+ if (!isset($_SESSION['initiated'])) {
+ session_regenerate_id();
+ $_SESSION['initiated'] = true;
+ }
+
+ $_SESSION['sLogin'] = 1;
+ $_SESSION['sUser'] = $userName;
+ $_SESSION['sPass'] = $password;
+ $_SESSION['sEmail'] = $userEmail;
+ $_SESSION['sType'] = $userType;
+ $_SESSION['sTime'] = $userTime;
+ $_SESSION['tzoffset'] = $tzoffset;
+ $_SESSION['sTab'] = 't_sum';
+ $_SESSION['id'] = $id;
+
+ header ("Location: index.php?id=$id");
+ } else {
+ $err = 'The user name or password is incorrect.';
+ $focus = 'username';
+ }
+ } else {
+ $err = 'The user name or password is incorrect.';
+ $focus = 'username';
+ }
+ } else {
+ $err = 'Connection Failed';
+ }
+//}
+?>
+
+
+
+Please login to continue
+
+
+
+
+
+
+ + + + + + +
+squert - Please login to continue
+Username
+
+Password
+
+

+
Version 1.6.4©2016 Paul Halliday
+
+
+ + + diff --git a/.auth/sso/squertMain.js b/.auth/sso/squertMain.js new file mode 100644 index 0000000..cf36819 --- /dev/null +++ b/.auth/sso/squertMain.js 
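Review bot: `$_SESSION['sPass'] = $password;` keeps the cleartext credential taken from `PHP_AUTH_PW` in the server-side session for the whole login lifetime, so any session-store read or serialization flaw discloses passwords; if the sguil helpers downstream really need it, pass it per call rather than persisting it, otherwise drop the line. The fixation guard calls `session_regenerate_id()` without the delete flag, leaving the pre-login session data alive; use `session_regenerate_id(true);`. The `$id` stored in the session and placed in the redirect URL is `md5()` over `mt_rand()` output and request metadata, which is predictable, so if it serves as a token it should come from a CSPRNG (`openssl_random_pseudo_bytes()` on a PHP 5 runtime like the one `get_magic_quotes_gpc()` implies, `random_bytes()` on PHP 7+), and the hash comparison is better done with `hash_equals()` where available. `header ("Location: index.php?id=$id");` is not followed by `exit;`, so the login form below is still rendered after the redirect header; the salted-SHA-1 scheme is tied to the existing user_info column layout, so moving to `password_hash()`/`password_verify()` is a separate migration but worth scheduling.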
@@ -0,0 +1,3276 @@ +/* Copyright (C) 2012 Paul Halliday */ + +$(document).ready(function(){ + + $(document).on('click', '[class*="bpr"]', function() { + // We disallow filtering if any events have already been selected + // or if we stray from the event tab + if ($('.d_row_active')[0]) return; + if ($(".chk_event:checked").length > 0) return; + if ($(".tab_active").attr('id') != 't_sum') return; + + var prClass = $(this).attr('class').split('b')[1]; + var prOld = $(this).data('pr'); + + function flipIt(pattern) { + $(pattern).closest('tr').hide(); + $(pattern).closest('tr').attr('class','hidden'); + if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); + } + if ($('.b' + prClass).attr('class') == 'bprA') { + $('.b' + prClass).attr('class', 'bpr' + prOld); + $('.hidden').attr('class','d_row'); + $('.d_row').show(); + if ($('#gr').text() == 'on') { + $('.chk_event').prop("disabled",false); + $('.chk_all').prop("checked",false); + $('.chk_event').css("background-color", "#fafafa"); + } + } else { + // See if we are already filtered + if ($('.bprA')[0]) { + $('.hidden').attr('class','d_row'); + $('.d_row').show(); + if ($('#gr').text() == 'on') { + $('.chk_event').prop("disabled",false); + $('.chk_all').prop("checked",false); + $('.chk_event').css("background-color", "#fafafa"); + } + var prPrev = $('.bprA').data('pr'); + $('.bprA').attr('class', 'bpr' + prPrev); + } + $('.b' + prClass).attr('class','bprA'); + switch (prClass) { + case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; + case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; + case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; + case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; + } + flipIt(ptrn); + } + }); + + // + // Load main content + // + + // Keep track of context + thisUser = $('#t_usr').data('c_usr'); + thisTZ = $('#user_tz').val(); + rtbit = 0; + eventList("0-aaa-00"); + $("#loader").show(); + lastclasscount = 0; + + $(document).on("click", "#dt_savetz", function(event) { + if 
($('.dt_error').data('err') == 0) { + var newOffset = $('#ts_offset').val(); + profileUpdate("tz", s2h(newOffset)); + $('#user_tz').val(newOffset); + } + }); + + // Depending on context a 'No result' may be confusing + // so we turn off active queue and show everything + $(document).on('click', '#retry', function() { + $('#rt').attr('class','tvalue_off'); + $('#rt').text('off'); + rtbit = 0; + $('.b_update').click(); + }); + + // Get event statuses + var eTotal = 0, qTotal = 0; + function statusPoll(caller) { + // See if we are filtering by sensor + var theSensors = s2h('empty'); + if ($('.chk_sen:checked').length > 0) { + var active_sensors = "AND event.sid IN("; + var iter = $('.chk_sen:checked').length; + $('.chk_sen:checked').each(function() { + active_sensors += "'" + $(this).val() + "',"; + }); + active_sensors = active_sensors.replace(/,+$/,''); + active_sensors += ")"; + theSensors = s2h(active_sensors); + } + + var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); + }); + + function cb(data){ + // Check to make sure we still have a valid session. If we don't + // let the user know and return them to the login page. + if (data[0] == "<") { + $("span.class_msg").text("Your session has expired!"); + $("span.class_msg").css("background-color", "#cc0000"); + $("span.class_msg").css("color", "#fff"); + $("span.class_msg").show(); + var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); + if (sessionDead) { + $("#logout").click(); + } + } + eval("ec=" + data); + + var esum = 0; + + for (var i=0; i 0) { + var p = parseFloat(ecount/esum*100).toFixed(1); + var w = parseInt(p*2); + } + if (eclass == 0) { + qTotal = ecount; + } + $("#c-" + eclass).text(ecount); + $("#c-" + eclass).append("(" + p + "%)"); + } + + var lastcount = $("#cat_sum").val(); + var newcount = esum; + $("#cat_sum").val(esum); + eTotal = esum; + $("#event_sum").val(eTotal); + + if (caller == 0) { // Fresh load + lastcount = newcount; + } + + // Last RT value + var lastQ = Number($("#qtotal").html()); + if (lastcount < newcount) { + $("#etotal").html(eTotal); + } + + if (lastQ < qTotal) { + if (caller != 0) { + if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); + } + $("#etotal").html(eTotal); + $("#qtotal").html(qTotal); + } + + $("#title").html("squert (" + qTotal + ") - " + thisUser); + + } + + } + + // + // Event monitor (how often we poll for new events) + // + + var emTimeout = 30000; + window.setInterval(function(){ + if ($('#search').val().length == 0) { + statusPoll(1); + } + }, emTimeout); + + $(document).on("click", '[class*="cl_"]', function(event) { + var nc = $(this).attr('class').split("_"); + var ct = $(this).parents('table').data('comment'); + $(".cat_msg_txt").val(ct); + $('#b_class-' + nc[1]).click(); + }); + + // Tabs + var tab_cached = $("#sel_tab").val(); + + switch (tab_cached) { + case "t_sum": + $('.content-right').show(); + break; + case "t_ovr": + $('.content-right').hide(); + $('.content-left').hide(); + if ($('#ovestat').text().length == 0) loadSummary(); + break; + case "t_view": + $('.content-right').hide(); + $('.content-left').hide(); + loadViews(); + default: + $('.content-right').hide(); + $('.content-left').hide(); + break; + } + + $('#' + tab_cached).attr('class','tab_active'); + $("#" + tab_cached + "_content").attr('class','content_active'); + + 
$(".tab,.tab_active").click(function(event) { + var active = $(".tab_active").attr('id'); + var content = $(".content_active").attr('id'); + if ($(".fl_val_on")[0]) { + $('.b_update').click(); + } + + if ( this.id != active ) { + $("#" + active).removeClass('tab_active'); + $("#" + active).addClass('tab'); + $(this).attr('class','tab_active'); + $("#" + content).attr('class','content'); + $("#" + this.id + "_content").attr('class','content_active'); + activeTab = $(".tab_active").attr('id'); + $('.pin').hide(); + + switch (activeTab) { + case "t_sum": + $('.content-right').show(); + if (Number($('.botog').data('val')) == 1) $('.content-left').show(); + $('.t_pbar').css('opacity',1); + $('.db_links').hide(); + $('.pin').show(); + break; + case "t_ovr": + $('.content-right').hide(); + $('.content-left').hide(); + if ($('#ovestat').text().length == 0) loadSummary(); + $('.t_pbar').css('opacity',.1); + $('.db_links').hide(); + break; + case "t_view": + $('.content-right').hide(); + $('.content-left').hide(); + $('.t_pbar').css('opacity',.1); + loadViews(); + break; + default: + $('.content-right').hide(); + $('.content-left').hide(); + $('.t_pbar').css('opacity',.1); + $('.db_links').hide(); + break; + } + + $('#sel_tab').val(activeTab); + var ctab = $('#sel_tab').val(); + var urArgs = "type=" + 5 + "&tab=" + ctab; + $.get(".inc/callback.php?" 
+ urArgs); + } + }); + + // Sub tab groups + $(".tsg").click(function(event) { + var nc = Number($(this).attr('class').split(/\s/).length); + var ct = $(this).data('tab'); + $('.tsg_active').attr('class','tsg'); + $(this).attr('class','tsg tsg_active'); + }); + + // Toggle and update views + function newView(req) { + // No racing please + var bail = $("#loader").css('display'); + if (bail != 'none') return; + // Remove any stale views + $("#tl0,#tl1,#tl3a,#tl3b").remove(); + var f = "0-aaa-00"; + var s = "2a-aaa-00"; + var cv = $("#gr").text(); + + switch (cv) { + case "on": + eventList(f); + $("#loader").show(); + break; + case "off": + eventList(s); + $("#loader").show(); + break; + } + } + + // Group and ungroup + $(document).on("click", "#gr", function(event) { + var bail = $("#loader").css('display'); + if (bail != 'none') return; + var cv = $('#gr').text(); + switch (cv) { + case 'on': + $('#gr').attr('class','tvalue_off'); + $('#gr').text('off'); + break; + case 'off': + $('#gr').attr('class','tvalue_on'); + $('#gr').text('on'); + $("#event_sort").val("DESC"); + break; + } + }); + + // RT check/uncheck + $(document).on("click", "#rt", function(event) { + var bail = $("#loader").css('display'); + if (bail != 'none') return; + var cv = $('#rt').text(); + switch (cv) { + case 'on': + $('#rt').attr('class','tvalue_off'); + $('#rt').text('off'); + rtbit = 0; + break; + case 'off': + $('#rt').attr('class','tvalue_on'); + $('#rt').text('on'); + rtbit = 1; + break; + } + }); + + // Toggle side/lower bars + $(document).on("click", ".botog", function(event) { + if ($('.tab_active').attr('id') != 't_sum') return; + var n = Number($('.botog').data("val")); + switch (n) { + case 1: + $('.botog').data("val","0"); + $('.content-right').css("width","100%"); + $('.botog').attr('src','.css/layout0.png'); + break; + case 0: + $('.botog').data("val","1"); + $('.content-right').css("width","82%"); + $('.botog').attr('src','.css/layout1.png'); + break; + } + 
$('.bottom').animate({height: 'toggle'}); + $('.content-left').animate({width: 'toggle'}); + }); + + // Section show and hide + $(".st").click(function() { + var thisSec = $(this).data("sec"); + var thisSecID = "#sec_" + thisSec; + var thisSecVis = $(thisSecID).css("display"); + var lastSection = "h"; + switch (thisSecVis) { + case "none": + $(this).attr("src", ".css/uarr.png"); + $(thisSecID).slideDown(); + break; + default: + $(this).attr("src", ".css/darr.png"); + $(thisSecID).slideUp(); + break; + } + }); + + // If search is in focus, update on enter + $('#search').keypress(function(e) { + if (!e) e=window.event; + key = e.keyCode ? e.keyCode : e.which; + if (key == 13) { + // Close comment box if it is open + if ($('#cat_box').css('display') != 'none') { + $('#ico01').click(); + } + $('.b_update').click(); + } + }); + + // Sort ASC/DESC + $(document).on("click", ".event_time", function(event) { + var csv = $(".event_time").text(); + switch (csv) { + case "show oldest first": + $("#event_sort").val("ASC"); + break; + case "show newest first": + $("#event_sort").val("DESC"); + break; + } + newView("u"); + }); + + // Update page + $(document).on("click", ".b_update", function(event) { + $(".icon_notifier").fadeToggle(); + $(".tag").remove(); + $(".tag_empty").show(); + // Remove any supplementary results + if ($("#extresult")[0]) $("#extresult").remove(); + // Where are we? 
+ var curTab = $('.tab_active').attr('id'); + switch (curTab) { + case 't_ovr': + loadSummary(); + break; + case 't_view': + mkView(); + break; + default: + $(".b_update_note").hide(); + newView("u"); + break; + } + }); + + // Clear search and refresh + $('#clear_search').click(function() { + if ($('#search').val() != '') { + $('#search').val(''); + $("#search").focus(); + if ($(".fl_val_on")[0]) { + $('.b_update').click(); + } + } + }); + + // Logout + $("#logout").click(function(event) { + //$.get("/logout.html", function(){location.reload()}); + location.replace("/logout.html"); + }); + + // Toggle filters + $(document).on('click', '.fl_val_on', function(event) { + var wF = $(this).data("ft"); + switch (wF) { + case "tl": + + break; + case "ob": + $('#clear_search').click(); + break; + case "sn": + $(".chk_sen").each(function() { + $(this).prop("checked",false); + }); + $('.b_update').click(); + break; + } + }); + + function clearTags() { + //$(".tag").remove(); + //$(".tag_empty").show(); + $(".tag").removeClass('tag_active'); + } + + // + // Rows + // + + function closeRow() { + $("#active_eview").remove(); + $("#" + this.id).attr('class','d_row'); + $(".d_row").css('opacity','1'); + ltCol = $(".d_row_active").find('td.lt').html(); + $(".d_row_active").find('td.lt').css('background', ltCol); + $(".d_row_active").attr('class','d_row'); + // Update class_count + $("#class_count").text(lastclasscount); + // Get rid of any crashed loaders + $("#loader").hide(); + // Reset checkbox + $(".chk_all").prop("checked",false); + // Clear Tags + clearTags(); + } + function closeSubRow() { + $("#eview_sub1").remove(); + $("#" + this.id).attr('class','d_row_sub'); + $(".d_row_sub").css('opacity','1'); + $(".d_row_sub_active").attr('class','d_row_sub'); + // Update class_count + $("#class_count").text(lastclasscount); + curclasscount = lastclasscount; + $("#loader").hide(); + // Reset and show checkbox + $(".chk_all").prop("checked",false); + $("#ca0").show(); + // Remove any 
open externals + if ($("#extresult")[0]) $("#extresult").remove(); + // Clear Tags + clearTags(); + } + function closeSubRow1() { + $("#eview_sub2").remove(); + $("#" + this.id).attr('class','d_row_sub1'); + if (!$("#eview_sub3")[0]) { + $(".d_row_sub1").css('opacity','1'); + $(".d_row_sub_active1").attr('class','d_row_sub1'); + } + $("#loader").hide(); + // Reset checkbox + $(".chk_all").prop("checked",false); + // Remove any open externals + if ($("#extresult")[0]) $("#extresult").remove(); + // Clear Tags + clearTags(); + } + function closeSubRow2() { + $("#eview_sub3").remove(); + $("#" + this.id).attr('class','d_row_sub1'); + if (!$("#eview_sub2")[0]) { + $(".d_row_sub1").css('opacity','1'); + $(".d_row_sub1_active").attr('class','d_row_sub1'); + } + $("#loader").hide(); + // Clear Tags + clearTags(); + } + + // + // Level 1 + // + + $(document).on("click", ".row_active", function(event) { + var curID = $(this).parent('tr').attr('id'); + // What type of row are we? + rowType = curID.substr(0,3); + + // Make sure no other instances are open + if (!$(".d_row_active")[0] && rowType == 'sid') { + $("#loader").show(); + // This leaves us with sid-gid + var rowValue = curID.replace("sid-",""); + var sigID = rowValue.split("-")[0]; + + $(".d_row_active").attr('class', 'd_row'); + $("#active_eview").attr('class','d_row'); + + // This is now the active row + $("#" + curID).attr('class','d_row_active'); + $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); + // History + var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); + hItemAdd(itemToAdd); + // Set the class count (counted again after load) + curclasscount = $('.d_row_active').data('event_count'); + var cols = $('th.sort').length; + var tbl = ''; + tbl += ""; + tbl += "
"; + tbl += "
"; + tbl += "
"; + tbl += "
"; + tbl += "
"; + tbl += "
"; + tbl += "
"; + tbl += "
"; + tbl += ""; + tbl += "CATEGORIZE"; + tbl += curclasscount + "EVENT(S)  "; + tbl += "    "; + tbl += "CREATE FILTER: "; + tbl += "src  "; + tbl += "dst  "; + tbl += "both"; + tbl += "
"; + $("#" + curID).after(tbl); + + // Lookup signature + sigLookup(rowValue); + + // Fetch results + eventList("1-" + rowValue); + + $("#eview").show(); + $(".d_row").fadeTo('0','0.2'); + } else { + closeRow(); + } + }); + + // + // Level 2 + // + + $(document).on("click", ".sub_active", function() { + if (!$(".d_row_sub_active")[0]) { + var callerID = $(this).parent('tr').attr('id'); + + // Reset checkbox + $(".chk_all").prop("checked",false); + + // RT or ALL? + switch (rtbit) { + case 1: adqp = s2h("AND event.status = 0"); break; + case 0: adqp = s2h("empty"); break; + } + // We are now the active row + $("#" + callerID).attr('class','d_row_sub_active'); + + // Populate search times + var bt = $("#" + callerID).find('[class*="timestamp"]').html(); + var est = mkStamp(bt,"-",3600000,thisTZ); + var eet = mkStamp(bt,"+",3600000,thisTZ); + + $('#el_start').val(est); + $('#el_end').val(eet); + + // Clear search terms + $("#srchterms").html(''); + $(".srch_txt").val(''); + + // History and search + $("#" + callerID).find('[class*="sub_filter"]').each(function() { + if ($(this).data('type') == 'cc') { + var itemToAdd = $(this).data('value'); + } else { + var itemToAdd = $(this).text(); + // Add search terms + $("#srchterms").append("" + itemToAdd + "  "); + } + hItemAdd(itemToAdd); + }); + + $("#loader").show(); + eventList("2-" + callerID + "-" + adqp); + } else { + closeSubRow(); + } + }); + + // + // Level 3 (a or b) request payload + // + + $(document).on("click", ".sub1_active", function() { + // Close transcript if it is open + if ($(".eview_sub3")[0]) closeSubRow2(); + if (!$(".d_row_sub_active1")[0]) { + var callerID = $(this).parent('tr').attr('id'); + $("#" + callerID).attr('class','d_row_sub_active1'); + + // Populate search times + var bt = $("#" + callerID).find('[class*="timestamp"]').html(); + var est = mkStamp(bt,"-",1800000,thisTZ); + var eet = mkStamp(bt,"+",1800000,thisTZ); + + $('#el_start').val(est); + $('#el_end').val(eet); + + // Clear search 
terms + $("#srchterms").html(''); + $(".srch_txt").val(''); + + // History + $("#" + callerID).find('[class*="sub_filter"]').each(function() { + if ($(this).data('type') == 'cc') { + var itemToAdd = $(this).data('value'); + } else { + var itemToAdd = $(this).text(); + } + if ($(this).data('type') == 'ip') { + // Add search terms + $("#srchterms").append("" + itemToAdd + "  "); + } + hItemAdd(itemToAdd); + }); + $("#loader").show(); + eventList("3-" + callerID); + } else { + closeSubRow1() + } + }); + + // + // Level 3 (a or b) request transcript + // + + $(document).on("click", ".sub2_active", function(event) { + // Close payload if it is open + if ($(".eview_sub2")[0]) closeSubRow1(); + var bail = $("#loader").css('display'); + if (bail != 'none') return; + if (!$(".eview_sub3")[0]) { + $("#loader").show(); + composite = $(this).data('tx').split("-"); + rowLoke = composite[0]; + $("#" + rowLoke).attr('class','d_row_sub1_active'); + nCols = $("#" + rowLoke).find('td').length; + cid = composite[1]; + txdata = composite[2]; + + // See if a transcript is available + var urArgs = "type=" + 7 + "&txdata=" + txdata; + $(function(){ + $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); + }); + + function cb5(data){ + eval("txRaw=" + data); + txCMD = txRaw.cmd; + txResult = txRaw.tx; + txDebug = txRaw.dbg; + if (txResult == "DEBUG:") txResult += " No data was returned."; + if (!txResult) { + txResult = "Transcript request failed!

"; + txResult += "The command was:
" + txCMD + "

"; + txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); + } + + var row = '',tbl = ''; + row += ""; + row += ""; + row += "
"; + row += txResult; + row += "
"; + + tbl += ""; + tbl += row; + tbl += ""; + $("#" + rowLoke).after(tbl); + + // Turn off fade effect for large results + var rC = $(".d_row_sub1").length; + if ( rC <= 399 ) { + $(".d_row_sub1").fadeTo('fast','0.2'); + } + + $("#loader").hide(); + } + } else { + closeSubRow2(); + } + }); + + // Toggle RT depending on entry point + $(document).on("click", ".b_ec_hot", function() { + rtbit = 1; + }); + $(document).on("click", ".b_ec_total", function() { + rtbit = 0; + }); + + // Filter constructor + function mkFilter() { + if ($('#search').val().length > 0) { + + var srchVal = $('#search').val(); + var fParts = ""; + + // If no term is supplied default to a string, IP or wildcard IP search + chkVal: + if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { + var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; + if (re.exec(srchVal)) { + srchVal = "ip " + srchVal; + break chkVal; + } + + var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; + if (re.exec(srchVal)) { + srchVal = "wip " + srchVal; + break chkVal; + } + + srchVal = "sig " + srchVal; + } + + fParts = srchVal.replace(/^!/,"").split(" "); + if (fParts[0] == 'cmt') { + var theFilter = s2h($('#search').val()); + rtbit = 0; + } else { + // Now see if the requested filter exists + if ($("#tr_" + fParts[0]).length > 0) { + tmpFilter = $("#tr_" + fParts[0]).data('filter'); + // Now see if we need to modify the query + if (fParts[1]) { + // This is the base filter + preFilter = h2s(tmpFilter); + // This is the user supplied text. 
+ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); + theQuestion = fParts.join(' ').replace(re, ""); + // We will accept multiple questions if they are comma delimited + questionParts = theQuestion.split(","); + if (questionParts.length > 1) { + var f = '('; + for (var i = 0; i < questionParts.length; i++) { + f += preFilter.replace(/\$/g, questionParts[i]); + if (i != (questionParts.length - 1)) { + f += " OR "; + } + } + f += ')'; + theFilter = s2h(f); + } else { + var newFilter = preFilter.replace(/\$/g, questionParts[0]); + theFilter = s2h(newFilter); + } + } else { + theFilter = tmpFilter; + } + } else { // The filter does not exist + theFilter = s2h('empty'); + } + } + } else { // No filter supplied + theFilter = s2h('empty'); + } + return theFilter; + } + + // + // This creates the views for each level + // + + function eventList (type) { + theWhen = getTimestamp(); + statusPoll(0); + var parts = type.split("-"); + var filterMsg = ''; + var rt = 0; + var theSensors = s2h('empty'); + var theFilter = mkFilter(); + + // See if we are just RT events + if ($('#rt').text() == 'on' || rtbit == 1) { + rt = 1; + rtbit = 1; + } + // How are we sorting? 
+ var sortval = $("#event_sort").val(), sorttxt; + switch (sortval) { + case "DESC": sorttxt = "show oldest first"; break; + case "ASC": sorttxt = "show newest first"; break; + } + + // See if we are filtering by sensor + if ($('.chk_sen:checked').length > 0) { + var active_sensors = "AND event.sid IN("; + var iter = $('.chk_sen:checked').length; + $('.chk_sen:checked').each(function() { + active_sensors += "'" + $(this).val() + "',"; + }); + active_sensors = active_sensors.replace(/,+$/,''); + active_sensors += ")"; + theSensors = s2h(active_sensors); + } + + // Check for any filters + if (h2s(theFilter) != 'empty') { + $('.fl_val').text('YES'); + } else { + $('.fl_val').text('NO'); + } + + switch (parts[0]) { + + // Level 0 view - Grouped by Signature + case "0": + $('.value').text('-'); + + // Times Chart + var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; + $(function(){ + $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); + }); + + function cb22(data){ + eval("chartData=" + data); + var r = chartData.r; + if (r > 0) { + mkLine(".times",chartData.rows,chartData.m); + } + } + + var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb1(data)}); + }); + function cb1(data){ + eval("d0=" + data); + var tbl = ''; + var head = ''; + var row = ''; + var cols = 11; + + if (rt == 0) cols = 12; + head += ""; + head += ""; + head += "QUEUE"; + if (rt == 0) head += "ALL"; + head += ""; + head += "SC"; + head += "DC"; + if (rt == 0) head += "CLASS"; + head += "ACTIVITY"; + head += "LAST EVENT"; + head += "SIGNATURE"; + head += "ID"; + head += "PROTO"; + head += "% TOTAL"; + head += ""; + + var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; + + if (d0.length > 0) { + // Sums for boxes + for (var i=0; i"; + row += "No result. 
If this is unexpected try this"; + } + + if (rt == 1) { + sumSC = "-"; + sumDC = "-"; + sumEC = eTotal; + } + + var sumRT = 0; + + // Tag Array + var tags = new Array(); + + for (var i=0; i 0 ) { + rtClass = "b_ec_hot"; + sumRT += parseInt(unClass); + } else { + rtClass = "b_ec_cold"; + } + + // Sum priorities + var prC = Number(d0[i].f1); + switch (d0[i].f13) { + case "1": spr1 += prC; break; + case "2": spr2 += prC; break; + case "3": spr3 += prC; break; + default: spr4 += prC; break; + } + + rid = "r" + i + "-" + parts[1]; + var cells = mkGrid(d0[i].f12); + if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); + row += ""; + row += "
" + unClass + "
"; + if (rt == 0) row += "
" + d0[i].f1 + "
"; + row += "
" + d0[i].f13 + "
"; + row += "" +d0[i].f6+ ""; + row += "" +d0[i].f7+ ""; + if (rt == 0) row += "" + catCells + ""; + + timeParts = d0[i].f5.split(" "); + timeStamp = timeParts[1]; + + if ( sumEC > 0) { + rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); + } else { + rowPer = "0.000"; + } + + row += "" + cells + ""; + row += "" + timeStamp + ""; + row += ""; + //row += "
" + d0[i].f2 + "
"; + row += d0[i].f2 + ""; + row += "" + d0[i].f3 + ""; + row += "" + d0[i].f8 + ""; + + + row += "" + rowPer + "%"; + row += ""; + } + + // Populate event summary + $('#qtotal').text(sumRT); + $('#etotal').text(sumEC); + $('#esignature').text(sumSI); + + // Populate tags + for (var i=0; i < tags.length; i++) { + addTag(tags[i]); + } + + tbl += ""; + tbl += head; + tbl += row; + tbl += "
"; + + $('#' + parts[1] + '-' + parts[2]).append(tbl); + + if (d0.length > 0) { + var prVals = [spr1,spr2,spr3,spr4]; + var pryBar = mkPribar(prVals); + } else { + var pryBar = mkPribar([0]); + } + $('#tl1').fadeIn('slow'); + $("#tl1").tablesorter(); + $("#loader").hide(); + } + break; + + // Level 1 view - Grouped by signature, source, destination + + case "1": + var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); + }); + + function cb2(data){ + eval("theData=" + data); + tbl = ''; + head = ''; + row = ''; + head += "QUEUE"; + if (rt == 0) head += "TOTAL"; + if (rt == 0) head += "CLASS"; + head += "ACTIVITY"; + head += "LAST EVENT"; + head += "SOURCE"; + head += "AGE"; + head += "COUNTRY"; + head += "DESTINATION"; + head += "AGE"; + head += "COUNTRY"; + head += ""; + var curclasscount = 0, tlCount = 0, rtCount = 0; + var timeValues = "", scid = ""; + + // Tag array + var tags = new Array(); + + for (var i=0; i 0 ) { + rtClass = "b_ec_hot"; + isActive = "sub_active"; + } else { + rtClass = "b_ec_cold"; + isActive = "sub"; + } + + // Aggregate time values + timeValues += theData[i].c_ts + ","; + var cells = mkGrid(theData[i].f12); + if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); + + // Event sums + tlCount += parseInt(count,10); + rtCount += parseInt(unclass,10); + + rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; + row += ""; + row += "
" + unclass + "
"; + if (rt == 0) row += "
" + count + "
"; + if (rt == 0) row += "" + catCells + ""; + row += "" + cells + ""; + row += "" + max_time + ""; + row += "
" + src_ip + ""; + row += "" + src_age_n + ""; + row += ""; + row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; + row += "
" + dst_ip + ""; + row += "" + dst_age_n + ""; + row += ""; + row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; + row += ""; + } + + // Populate tags + for (var i=0; i < tags.length; i++) { + addTag(tags[i]); + } + + // Add scid's to checkbox + $("#ca0").data("scid", scid.replace(/,$/, "")); + + // If queue is empty provide event sums in case the user + // intends to reclass anything + if (rtbit == 1) { + curclasscount = rtCount; + } else { + curclasscount = tlCount; + } + + // update class_count + $("#class_count").html(curclasscount); + lastclasscount = $("#class_count").html(); + + // While in grouped events (RT) we remove rows as + // they are classed and subtract the values from "Total Events" + // This keeps etotal up to date so the math doesn't get silly + var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); + var oldec = Number($("#etotal").text()); + if (oldrt < rtCount) { + newrtcount = parseInt((rtCount - oldrt) + oldec); + $("#etotal").text(newrtcount); + } + + // Update parent counts + $(".d_row_active").find(".b_ec_hot").text(rtCount); + if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); + + tbl += "
"; + tbl += head; + tbl += row; + tbl += "
"; + $("#eview").after(tbl); + $("#tl2").tablesorter({ + headers: { + 4: {sorter:'ipv4'}, + 6: {sorter:'ipv4'} + } + }); + $("#loader").hide(); + } + break; + + // Level 2 view - No grouping, individual events + + case "2": + var rowLoke = parts[1]; + var filter = $('#' + parts[1]).data('filter'); + var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); + }); + + function cb3(data){ + eval("d2=" + data); + tbl = ''; + head = ''; + row = ''; + head += ""; + head += ""; + head += "ST"; + head += "TIMESTAMP"; + head += "EVENT ID"; + head += "SOURCE"; + head += "PORT"; + head += "DESTINATION"; + head += "PORT"; + head += "SIGNATURE"; + head += ""; + + // Update class_count + $("#class_count").html(0); + var tlCount=0, rtCount=0; + + // Tag array + var tags= new Array(); + + for (var i=0; i"; + tclass = "c" + eclass; + cv = classifications.class[tclass][0].short; + + // Populate tags array + if (src_tag != "-") { + var src_tags = src_tag.split(","); + $.each(src_tags, function(n,tag) { + var t = tags.indexOf(tag); + if (t < 0) tags.push(tag); + }); + } + + if (dst_tag != "-") { + var dst_tags = dst_tag.split(","); + $.each(dst_tags, function(n,tag) { + var t = tags.indexOf(tag); + if (t < 0) tags.push(tag); + }); + } + + // Timestamp + var compts = d2[i].f2.split(",") || "--"; + var timestamp = compts[0]; + var utctimestamp = compts[1]; + + // Event sums + tlCount += parseInt(1,10); + if (cv == "RT") { + rtCount += parseInt(1,10); + } + + // Transcript link + // original Squert native pivot: + //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); + //txBit = "" + sid + "." + cid + "
"; + //if (src_port != "-" && dst_port != "-") { + // txBit = "" + sid + "." + cid + ""; + //} + // new pivot to CapMe: + txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); + txBit = "" + sid + "." + cid + ""; + if (src_port != "-" && dst_port != "-") { + var startDate = new Date(utctimestamp); + var start_tz_offset = (startDate.getTimezoneOffset()); + var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; + var endDate = new Date(utctimestamp); + var end_tz_offset = (endDate.getTimezoneOffset()); + var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; + txBit = " " + sid + "." + cid + ""; + } + + row += ""; + row += "
"; + row += cv + "
"; + row += "" + timestamp + ""; + row += txBit; + row += "" + src_ip + ""; + row += "" + src_port + ""; + row += "" + dst_ip + ""; + row += "" + dst_port + ""; + row += "" + signature + ""; + row += ""; + } + + // Update parent counts + $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); + if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { + $(".d_row_sub_active").find(".b_ec_total").text(tlCount); + } + + var cols = $('th.sort').length; + + // Populate tags + clearTags(); + for (var i=0; i < tags.length; i++) { + addTag(tags[i]); + } + + tbl += ""; + tbl += ""; + tbl += head; + tbl += row; + tbl += "
"; + $("#" + rowLoke).after(tbl); + $(".d_row_sub").fadeTo('0','0.2'); + $("#loader").hide(); + $("#tl3").tablesorter({ + headers: { + 0:{sorter:false}, + 4:{sorter:'ipv4'}, + 6:{sorter:'ipv4'} + }, + cancelSelection:false + }); + $("#ca0").hide(); + } + break; + + // Level 2a view - No grouping, individual events + + case "2a": + $('.value').text('-'); + var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); + }); + + function cb3a(data){ + eval("d2a=" + data); + var tbl = ''; + var head = ''; + var row = ''; + var disabled = ''; + if (d2a.length == 0) { + disabled = "disabled"; + row += ""; + row += "No result. If this is unexpected try this"; + } + + head += ""; + head += ""; + head += ""; + head += "ST"; + head += ""; + head += "TIMESTAMP"; + head += "ID"; + head += "SOURCE"; + head += "PORT"; + head += "AGE"; + head += "CC"; + head += "DESTINATION"; + head += "PORT"; + head += "AGE"; + head += "CC"; + head += "SIGNATURE"; + head += ""; + + // Aggregate time values + var timeValues = ""; + for (var ts=0; ts" + sid + "." + cid + ""; + //if (src_port != "-" && dst_port != "-") { + // txBit = "" + sid + "." + cid + ""; + //} + // new pivot to CapMe: + txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); + txBit = "" + sid + "." + cid + ""; + if (src_port != "-" && dst_port != "-") { + var startDate = new Date(utctimestamp); + var start_tz_offset = (startDate.getTimezoneOffset()); + var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; + var endDate = new Date(utctimestamp); + var end_tz_offset = (endDate.getTimezoneOffset()); + var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; + txBit = " " + sid + "." + cid + ""; + } + + row += ""; + row += ""; + row += "
"; + row += cv + "
"; + row += "
" + d2a[i].f16 + "
"; + row += "" + timestamp + ""; + row += txBit; + row += "
" + src_ip + ""; + row += "" + src_port + ""; + row += "" + src_age_n + ""; + row += "" + cs[1] + ""; + row += "
" + dst_ip + ""; + row += "" + dst_port + ""; + row += "" + dst_age_n + "" + row += "" + cd[1] + ""; + row += "" + signature + ""; + } + + var sumED = 0, sumEC = 0, cmsg = ""; + + if (d2a.length > 0) { + sumED = i; + sumEC = d2a.length; + } + + if (d2a.length >= maxI) { + sumRE = sumEC - maxI; + cmsg = " / " + sumRE + " not shown"; + } + + $("#qtotal").html(rsumRT); + + // Populate tags + clearTags(); + for (var i=0; i < tags.length; i++) { + addTag(tags[i]); + } + + // Draw + tbl += ""; + tbl += "
"; + tbl += "
"; + tbl += "
"; + tbl += "categorize " + 0 + ""; + tbl += " of " + sumED + " event(s)" + cmsg; + tbl += "
"; + tbl += "
" + sorttxt + "
"; + tbl += "
"; + tbl += "
"; + tbl += ""; + tbl += head; + tbl += row; + tbl += "
"; + $('#' + parts[1] + '-' + parts[2]).after(tbl); + + if (d2a.length > 0) { + var prVals = [spr1,spr2,spr3,spr4]; + var pryBar = mkPribar(prVals); + } else { + var pryBar = mkPribar([0]); + } + $("#tl3a,#tl3b").fadeIn('slow'); + $("#tl3b").tablesorter({ + headers: { + 0:{sorter:false}, + 1:{sorter:false}, + 5:{sorter:'ipv4'}, + 8:{sorter:'ipv4'} + }, + cancelSelection:false + }); + $("#loader").hide(); + } + break; + + // Level 3 view - Packet Data + + case "3": + var rowLoke = parts[1]; + var nCols = $('#' + parts[1]).data('cols'); + var filter = $('#' + parts[1]).data('filter'); + var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; + var sg = $('#' + parts[1]).data('sg'); + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); + }); + + function cb4(data){ + eval("theData=" + data); + + var tbl = '', head = '', row = ''; + + // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) + if (theData[0].ip_ver != 0) { + + var PDATA = 0; + head += ""; + head += ""; + head += ""; + head += ""; + head += ""; + head += ""; + head += ""; + head += ""; + head += ""; + head += ""; + head += ""; + head += ""; + head += ""; + head += ""; + + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; + + switch (theData[0].ip_proto) { + case "1": + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; + break; + + case "6": + // TCP flags + var tmpFlags = theData[1].tcp_flags || 'z'; + switch (tmpFlags) { + case 'z': var tcpFlags = '--------'; break; + default: + var binFlags = Number(theData[1].tcp_flags).toString(2); + var binPad = 8 - binFlags.length; + var tcpFlags = "00000000".substring(0,binPad) + binFlags; + break; + } + var tcp_seq = theData[1].tcp_seq || '-'; + var tcp_ack = theData[1].tcp_ack || '-'; + var tcp_off = theData[1].tcp_off || '-'; + var tcp_res = theData[1].tcp_res || '-'; + var tcp_win = theData[1].tcp_win || '-'; + var tcp_urp = theData[1].tcp_urp || '-'; + var tcp_csum = theData[1].tcp_csum || '-'; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; + break; + + case "17": + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; + break; + } + + var p_hex = '', p_ascii = '', p_ascii_l = ''; + + // Data + if (!theData[2]) { + p_hex = "No Data Sent."; + p_ascii = "No Data Sent."; + } else { + p_pl = theData[2].data_payload; + p_length = theData[2].data_payload.length; + var b0 = 0; + + for(var i=0; i < p_length; i+=2) { + b0++; + t_hex = p_pl.substr(i,2); + t_int = parseInt(t_hex,16); + + if ((t_int < 32) || (t_int > 126)) { + p_hex += t_hex + " "; + p_ascii += "."; + p_ascii_l += "."; + } else if (t_int == 60) { + p_hex += t_hex + " "; + p_ascii += "<"; + p_ascii_l += "<"; + } else if (t_int == 62) { + p_hex += t_hex + " "; + p_ascii += ">"; + p_ascii_l += ">"; + } else { + p_hex += t_hex + " "; + p_ascii += String.fromCharCode(parseInt(t_hex, 16)); + p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); + } + + if ((b0 == 16) && (i < p_length)) { + p_hex += "
"; + p_ascii += "
"; + b0 = 0; + } + } + } + + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += ""; + row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; + + } else { + + head += ""; + var p_ascii = "No Data Sent."; + // This needs to be more robust. + if (theData[2]) { + var tmp = h2s(theData[2].data_payload).split("\n"); + p_ascii = ''; + for (var i in tmp) { + p_ascii += "
" + tmp[i] + "
"; + } + + } + row += ""; + row += ""; + row += "
" + p_ascii + "
"; + } + + tbl += ""; + + // If we are not grouped we show the signature text + if ( sg != 0 ) { + tbl += "
"; + tbl += "
"; + tbl += "
"; + tbl += "
"; + tbl += "
"; + tbl += "
"; + sigLookup(sg); + } + + // Comments and tags are done here + var tags = new Array(); + var eventTag = 'None.'; + var eventComment = theData[0].comment || 'None.'; + var src_tag = theData[0].srctag || '-'; + var dst_tag = theData[0].dsttag || '-'; + + // Populate tags array + if (src_tag != "-") { + var src_tags = src_tag.split(","); + $.each(src_tags, function(n,tag) { + var t = tags.indexOf(tag + ",s"); + if (t < 0) tags.push(tag + ",s"); + }); + } + + if (dst_tag != "-") { + var dst_tags = dst_tag.split(","); + $.each(dst_tags, function(n,tag) { + var t = tags.indexOf(tag + ",d"); + if (t < 0) tags.push(tag + ",d"); + }); + } + + if (tags.length > 0) eventTag = ''; + + tbl += "
COMMENTS
"; + tbl += "
" + eventComment + "
"; + tbl += "
TAGS
"; + tbl += "
" + eventTag + "
"; + if (PDATA != 0) { + tbl += "
DETAILS
"; + } else { + tbl += "
PAYLOAD
"; + } + tbl += head; + tbl += row; + tbl += ""; + $("#" + rowLoke).after(tbl); + $("#loader").hide(); + + // Turn off fade effect for large results + var rC = $(".d_row_sub1").length; + if ( rC <= 499 ) { + $(".d_row_sub1").fadeTo('fast','0.2'); + } + + // Populate tags + clearTags(); + for (var i=0; i < tags.length; i++) { + addTag(tags[i]); + } + + } + break; + } + // If event queue is off we need to reset this after load if b_ec_hot was + // the entry point + if ($('#rt').text() == 'off') rtbit = 0; + } + + // + // Object click handlers + // + + $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { + // Check if we are coming from a legit object + var prefix = $(this).data('type'); + if (prefix == "none") return; + + // Check if we are coming from a sane selection + var selLen = window.getSelection().toString().length; + if (selLen > 4) { + if (selLen < 255) { // Might need to change these based on how people use this + prefix = "zz"; + var suffix = window.getSelection().toString(); + var re = /\s/g; + var NOK = re.exec(suffix); + if (NOK) return; + } else { + return; + } + } else { + var suffix = $(this).text(); + } + + var mX = e.pageX; + var mY = e.pageY; + + var colour = $(this).data('col') || "FFFFFF"; + var tfocus = "#search"; + switch (prefix) { + case 'ip': + hItemAdd(suffix); + var sord = $(this).data('sord'); + mkPickBox(prefix,suffix,sord,colour,mX,mY); + break; + case 'spt': + case 'dpt': + hItemAdd(suffix); + mkPickBox(prefix,suffix,0,colour,mX,mY); + break; + case 'cc': + case 'scc': + case 'dcc': + var cc = $(this).data('value'); + hItemAdd(cc); + mkPickBox(prefix,cc,suffix,colour,mX,mY); + break; + case 'cmt': + suffix = $(this).data('comment'); + $("#rt").text("off"); + $("#rt").attr('class','tvalue_off'); + $('#search').val(prefix + " " + suffix); + hItemAdd(suffix); + if ($('#cat_box').css('display') != 'none') { + $('#ico01').click(); + } + $('.b_update').click(); + break; + case 'cmt_c': + 
$('.cat_msg_txt').val(suffix); + hItemAdd(suffix); + tfocus = ".cat_msg_txt"; + break; + case 'fil': + var fil = $(this).data('value'); + $('#search').val(fil); + hItemAdd(fil); + if ($('#fltr_box').css('display') != 'none') { + $('#ico04').click(); + } + $('.b_update').click(); + break; + case 'sid': + var value = $(this).data('value'); + hItemAdd(suffix); + mkPickBox(prefix,value,suffix,colour,mX,mY); + break; + case 'st': + var suffix = $(this).attr('id').split('-')[1]; + $('#search').val(prefix + " " + suffix); + // RT must be off to return anything + $('#rt').attr('class','tvalue_off'); + $('#rt').text('off'); + rtbit = 0; + $('.b_update').click(); + break; + case 'el': + var suffix = $(this).data('value'); + mkPickBox(prefix,suffix,0,colour,mX,mY); + break; + case 'zz': + hItemAdd(suffix); + mkPickBox(prefix,suffix,0,colour,mX,mY); + break; + } + }); + + // + // Picker Box + // + + function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { + var doexternals = "yes"; + var objhex = s2h(suffix); + var tbl = '', row = ''; + // Local stuff first + switch (prefix[prefix.length - 1]) { + case "c": + row += ":: SRC or DST"; + row += ":: SRC"; + row += ":: DST"; + row += ":: SEARCH"; + break; + case "p": + row += ":: SRC or DST"; + row += ":: SRC"; + row += ":: DST"; + row += ":: ADD / REMOVE TAG"; + if ($('.sigtxt')[0]) { + row += ":: HISTORY"; + } + row += ":: SEARCH"; + row += ":: COLOUR  "; + row += ""; + row += "apply"; + row += "apply all"; + row += ""; + break; + case "t": + row += ":: SRC"; + row += ":: DST"; + row += ":: SEARCH"; + break; + case "d": + row += ":: SIGNATURE"; + if ($('.sigtxt')[0]) { + row += ":: HISTORY"; + } + row += ":: SEARCH"; + break; + case "l": + row += ":: COLOUR  "; + row += ""; + row += "update"; + doexternals = "no"; + break; + case "z": + row += ":: SEARCH"; + break; + } + + // If applicable populate externals + if (doexternals == "yes") { + $('.f_row').each(function() { + var ct = $(this).data('type'); + if (ct == 'url') { + var 
alias = $(this).data('alias'); + var name = $(this).data('name'); + var url = $(this).data('filter'); + row += ""; + row += "" + name + ""; + row += ""; + } + }); + } + + tbl += ""; + tbl += row; + tbl += "
"; + + var boxlabel = suffix; + + // Use more descriptive names where possible + var re = /(sid|cc|scc|dcc)/; + var OK = re.exec(prefix); + if (OK) { + var boxlabel = rsuffix; + } + + if (boxlabel.length > 24) { + boxlabel = boxlabel.substring(0,24); + boxlabel += ".."; + } + + $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); + + if ($('#tlpick')[0]) $('#tlpick').remove(); + $(".pickbox_tbl").append(tbl); + $('.pickbox').fadeIn('fast'); + + // Colour Picker + $("#menucol").spectrum({ + showInput: true, + className: "full-spectrum", + showInitial: true, + showPalette: true, + showSelectionPalette: true, + maxPaletteSize: 6, + preferredFormat: "hex", + localStorageKey: "spectrum.demo", + move: function (color) {}, + show: function () {}, + beforeShow: function () {}, + hide: function () {}, + change: function() {}, + palette: [ + ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], + ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], + ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], + ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], + ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] + ] + }); + } + + // Pickbox click events + $(document).on('click', '.p_row', function() { + if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); + var ctype = $(this).data('type'); + var alias = $(this).data('alias'); + var args = $('#tlpick').data('val'); + switch(ctype) { + case "l": + $('.pickbox').fadeOut('fast'); + $('#search').val(alias + " " + args); + $('.b_update').click(); + break; + case "r": + $('.pickbox').fadeOut('fast'); + var url = h2s($(this).data('url')).replace("${var}", args); + window.open(url); + break; + case "t": + $('.tagbox').fadeIn('fast'); + $('.taginput').focus(); + break; + case "s": + 
$('.pickbox').fadeOut('fast', function() {; + $('#ico05').click(); + }); + $('.srch_txt').val(args); + break; + case "h": + doHistory(args); + $('.pickbox').fadeOut('fast'); + break; + default: return; + } + }); + + // + // Tags + // + + // Truncate + function truncTag(tag,len) { + if (tag.length > len) tag = tag.substring(0,len) + ".."; + return tag; + } + + // Filter results or add as new + $(document).on('click', '.tag', function() { + var tag = $(this).data('val'); + if($('.taginput').is(":visible")) { + $('.taginput').val(tag); + $('.taginput').focus(); + } else { + $('#search').val('tag ' + tag); + $('.b_update').click(); + } + }); + + // Remove individual tags on "(X)" click via payload area + $(document).on('mouseenter', '.tag_d, .tag_s', function() { + var tag = $(this).data('val'); + if ($(".tag_x")[0]) return; + var dw = $(this).width() - 5 + "px"; + $(this).append("
X
"); + $(".tag_x").css("margin-left", dw); + $(".tag_x").fadeIn("slow"); + + }); + + $(document).on('mouseleave', '.tag_d, .tag_s', function() { + $('.tag_x').remove(); + }); + + $(document).on('click', '.tag_x', function() { + var tag = $(this).parent().data("val"); + var obj = $(this).parent().data("obj"); + $(this).parent().remove(); + var len = $("#tag_area").text().length; + if (len == 0) $("#tag_area").append("None."); + //doTag(s2h(obj),tag,'rm'); + }); + + // Fire tag add on enter + $('.taginput').keypress(function(e) { + if (!e) e=window.event; + key = e.keyCode ? e.keyCode : e.which; + if (key == 13) $('.tagok').click(); + }); + + // Close tag entry + $(document).on('click', '.tagcancel', function() { + $('.taginput').val(''); + $('.tagbox').fadeOut('fast'); + }); + + // Add a tag + $(document).on('click', '.tagok', function() { + var tag = $('.taginput').val(); + var obj = $('#pickbox_label').text(); + var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; + var OK = re.exec(tag); + if (OK) doTag(s2h(obj),tag,'add'); + }); + + // Remove a tag + $(document).on('click', '.tagrm', function() { + var tag = truncTag($('.taginput').val(),20); + var obj = $('#pickbox_label').text(); + doTag(s2h(obj),tag,'rm'); + $(".tag" + ":contains('" + tag + "')").remove(); + $('.tagcancel').click(); + }); + + // Display or Toggle tags + function addTag(tag) { + // If we entered from payload we have some additional info + if ($('#eview_sub2')[0]) { + var longTag = tag.split(",")[0]; + var theClass = tag.split(",")[1]; + var t_tag = truncTag(longTag,20); + } else { + var t_tag = truncTag(tag,20); + } + + // Hide empty + $('.tag_empty').hide(); + + // Check if tag exists + var tag_exists = 0; + $('.tag').each(function() { + if ($(this).text() == t_tag) { + $(this).addClass('tag_active'); + tag_exists = 1; + } + }); + + // Add tag to left pane + if (tag_exists == 0) { + var newTag = "
" + t_tag + "
"; + $('#tg_box').prepend(newTag); + } + + // If we have the payload open, add here as well + if ($('#eview_sub2')[0]) { + if($('#pickbox_label').is(":visible")) { + theClass = $('#pickbox_label').data('sord')[0]; + } + // Remove placeholder + if ($('#tag_none')[0]) $('#tag_none').remove(); + var newTag = "
" + t_tag + "
"; + $('#tag_area').prepend(newTag); + } + + } + + function doTag(obj,tag,op) { + var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; + $(function(){ + $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); + }); + + function cb22(data){ + eval("theData=" + data); + if (theData.msg != '') { + alert(theData.msg); + } else { + if (op != 'rm') addTag(tag); + $('.tagcancel').click(); + } + } + } + + // Colours + $(document).on('click', '.csave', function() { + var obtype = $(this).data('obtype'); + var object = $(this).data('object'); + var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); + var op = "add"; + var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; + var OK = re.exec(colour); + if (!OK) return; + // Single or multiple? + if (obtype == "src" || obtype == "dst") { + var vr = new Array(); + $("." + obtype).each(function() { + var v = $(this).text(); + var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; + var OK = re.exec(v); + if (OK) { + var t = vr.indexOf(v); + if (t < 0) vr.push(v); + } + }); + object = vr.toString(); + } + + var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; + $(function(){ + $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); + }); + + function cb22(data){ + eval("theData=" + data); + if (theData.msg != '') { + alert(theData.msg); + } else { // We should be good.. + var curObject = $('#pickbox_label').text(); + if (obtype == "el") { + var html = "
" + colour; + $('#el_' + curObject).html(html); + $('#el_' + curObject).data('col', colour); + } else { + $(".sub_filter:contains(" + curObject + ")").each(function() { + $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); + }); + } + $('.pickbox').fadeOut('fast'); + } + } + }); + + $(document).on('click', '.pickbox_close', function() { + $('.tagcancel').click(); + $('.pickbox').fadeOut('fast'); + }); + + // + // Object History + // + + function hItemAdd(item) { + var itemTitle = item; + // Truncate + if (item.length > 33) { + itemTitle = item.substring(0,33) + ".."; + } + // Remove empty message + $('.history_empty').hide(); + + // If the item doesn't exist, add it. Otherwise, we start counting. + if ($(".h_item:contains('" + itemTitle + "')").length > 0) { + var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); + var nc = Number(oc) + 1; + var bg = '#c9c9c9'; + var fn = 'normal'; + if (nc <= 3) { + bg = '#000'; + } else if (nc > 3) { + bg = '#cc0000'; + fn = 'bold'; + } + + $(".h_item:contains('" + itemTitle + "')").css('color', bg); + $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); + $(".h_item:contains('" + itemTitle + "')").data('n',nc); + $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); + } else { + var toAdd = " " + itemTitle + ""; + $('#h_box').prepend(toAdd); + } + } + + if (!$('.h_item')[0]) { + $('.history_empty').show(); + } + + // Alt mappings for icons + + $.alt('1', function() { + $("#ico01").click(); + }); + $.alt('2', function() { + $("#ico02").click(); + }); + $.alt('3', function() { + $("#ico03").click(); + }); + $.alt('4', function() { + $("#ico05").click(); + }); + $.alt('5', function() { + $("#ico04").click(); + }); + + // + // Event classification + // + + // Use function keys to trigger status buttons + $(document).keydown(function(event){ + + function stopOthers() { + event.originalEvent.keyCode = 0; + event.preventDefault(); + 
event.stopPropagation(); + } + + switch (event.keyCode) { + case 112: stopOthers(); $('#b_class-11').click(); break; + case 113: stopOthers(); $('#b_class-12').click(); break; + case 114: stopOthers(); $('#b_class-13').click(); break; + case 115: stopOthers(); $('#b_class-14').click(); break; + case 116: stopOthers(); $('#b_class-15').click(); break; + case 117: stopOthers(); $('#b_class-16').click(); break; + case 118: stopOthers(); $('#b_class-17').click(); break; + case 119: stopOthers(); $('#b_class-1').click(); break; + case 120: stopOthers(); $('#b_class-2').click(); break; + } + }); + + // Comment window status buttons + $(document).on("click", "#cw_buttons", function(event) { + var newclass = $(event.target).data('n'); + if (newclass == 0) { + $('#b_class-' + newclass).click(); + } else { + $('#b_class-' + newclass).click(); + } + }); + + // Highlight colour for selected events + var hlcol = "#FFFFE0"; + var hlhov = "#FDFDD6"; + + // Individual selects + var clickOne = 0, clck1 = 0, clck2 = 0; + $(document).on("click", ".chk_event", function(event) { + $("#tl3b").trigger('update'); + var clickTwo = this.id.split("_"); + if (Number(clickOne[1]) > Number(clickTwo[1])) { + clck1 = clickTwo[1]; + clck2 = clickOne[1]; + } else { + clck1 = clickOne[1]; + clck2 = clickTwo[1]; + } + + if (event.shiftKey) { + if (clck1 != clck2) { + $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); + $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); + $("#s" + clck1).nextUntil("#s" + clck2).hover( + function(){$(this).css("background-color", hlhov)}, + function(){$(this).css("background-color", hlcol)}); + clickOne = 0, clck1 = 0, clck2 = 0; + } + } + + // Update class_count + $("#class_count").html($(".chk_event:checked").length); + if ($("#ca1:checked").length > 0) { + $("#ca1").prop("checked",false); + } + clickOne = this.id.split("_"); + + if ($(this).prop("checked") == true) { + $("#s" + clickTwo[1]).css("background-color", 
hlcol); + $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, + function(){$(this).css("background-color", hlcol)}); + } else { + $("#s" + clickTwo[1]).css("background-color", "transparent"); + $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, + function(){$(this).css("background-color", "transparent")}); + } + }); + + // Select all (2) + $(document).on("click", "#ca1", function(event) { + var chkLen = $("#ca1:checked").length; + switch(chkLen) { + case 0: + $(".chk_event").prop("checked",false); + $("#ca0").prop("checked",false); + $(".d_row_sub1").css("background-color", "transparent"); + $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, + function(){$(this).css("background-color", "transparent")}); + break; + default: + $(".chk_event").each(function() { + if ($(this).prop("disabled") == false) { + $(this).prop("checked",true); + } + }); + $(".d_row_sub1").css("background-color", hlcol); + $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, + function(){$(this).css("background-color", hlcol)}); + $("#ca0").prop("checked",true); + break; + } + + if ($(".eview_sub1")[0]) { + // Update class_count + $("#class_count").html($(".chk_event:checked").length); + } + + }); + + // Select all (2a) - clean this up, the above is almost identical + $(document).on("click", "#ca2", function(event) { + var chkLen = $("#ca2:checked").length; + switch(chkLen) { + case 0: + $(".chk_event").prop("checked",false); + $("#ca2").prop("checked",false); + $(".d_row_sub1").css("background-color", "transparent"); + $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, + function(){$(this).css("background-color", "transparent")}); + break; + default: + $(".chk_event").each(function() { + if ($(this).prop("disabled") == false) { + $(this).prop("checked",true); + } + }); + $(".d_row_sub1").css("background-color", hlcol); + 
$(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, + function(){$(this).css("background-color", hlcol)}); + $("#ca2").prop("checked",true); + break; + } + // Update class_count + $("#class_count").html($(".chk_event:checked").length); + }); + + // Class button click + $(document).on("click", "[id*=\"b_class-\"]", function() { + // We only fire if something is selected + var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); + var intclass = $(this).attr('id').split("-"); + if (chkLen > 0 && intclass[1] != 0) { + eClass(this,intclass[1]); + } + }); + + function eClass(caller,intclass) { + // The sid.cid values + var scid= "", scidlist = "", ecls = 0; + if ($(".eview_sub1")[0] || $("#ca2")[0]) { + $(".chk_event:checked").each(function() { + if ($(this).data('eclass') == 0) { + ecls++; + } + scid += $(this).val() + ","; + }); + scidlist = scid.replace(/,$/, ""); + } else { + ecls = $(".d_row_active").find(".b_ec_hot").text(); + scidlist = $("#ca0").data("scid"); + } + + // Was there a message? + var msg = "none"; + if ($(".cat_msg_txt").val().length != 0) { + msg = $(".cat_msg_txt").val(); + } + + if ($('#cat_box').css('display') != 'none') { + $('#ico01').click(); + } + + // We are now ready to class + var catdata = intclass + "|||" + msg + "|||" + scidlist; + var urArgs = "type=" + 9; + $(function(){ + $.post(".inc/callback.php?" + urArgs, { catdata: catdata } ,function(data){cb9(data)}); + }); + + function cb9(data){ + eval("catRaw=" + data); + catDbg = catRaw.dbg; + if (catDbg == "0") { + + var curtotalrtcount = Number(ecls); + // Working on grouped events + if ($("#gr").text() == "on") { + curclasscount = Number($("#class_count").text()); + var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); + // Do we have queued events? + if (curtotalparentcount > 0) { + + // Are we working on queued events? 
+ if (curtotalrtcount > 0) { + curclasscount = curtotalrtcount; + } else { + curclasscount = 0; + } + // Adjust the parent count + newparentcount = parseInt(curtotalparentcount - curclasscount,10); + $(".d_row_active").find(".b_ec_hot").text(newparentcount); + + if (newparentcount == 0) { + $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); + $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); + } + + // If we are working within the child, adjust accordingly + if ($(".eview_sub1")[0]) { + // How many are in the child + curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); + + // Adjust the child count + newchildcount = parseInt(curtotalchildcount - curclasscount,10); + $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); + if (newchildcount == 0) { + $("#ca1").prop("disabled",true); + $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); + $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); + } + // Otherwise we were called from the parent + } else { + $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); + $(".d_row_sub").find(".b_ec_hot").text(0); + $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); + $("#ca0").prop("disabled",true); + } + lastclasscount = newparentcount; + } + + // Lastly, update class_count + if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { + $("#class_count").html(0); + } else { + $("#class_count").html($(".d_row_active").find(".b_ec_total").text()); + } + + // Working on ungrouped events + } else { + $("#class_count").html(lastclasscount); + } + + // What the new classification is + selClass = $(caller).data("cn"); + newClass = "a_" + selClass; + + // Change visible class and disable if RT + // If we are RT ungrouped, we just remove + if ($('#rt').text() == 'on' && $("#ca2")[0]) { + $(".chk_event:checked").each(function() { + var pid = $(this).attr("id").split("_"); + var nid = parseInt(Number(pid[1]) + 1); + // Remove any 
open payload or TX panes + if ($("[id^=eview_]")[0]) { + $("[id^=eview_]").remove(); + $(".d_row_sub1").css('opacity','1'); + } + // Remove the row + $("#s" + pid[1]).fadeOut('fast', function() { + $("#s" + pid[1]).remove(); + }); + }); + + // Update table (for sorter) + $("#tl3b").trigger('update'); + } else { + // If we are RT and all events are classed we just remove + if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { + $("#active_eview").remove(); + $(".d_row_active").fadeOut('slow', function (event) { + $(".d_row_active").remove(); + var newsigtotal = "-"; + var sigtotal = $("#esignature").text(); + if (sigtotal > 0) { + newsigtotal = parseInt(sigtotal - 1); + } + $("#esignature").text(newsigtotal); + }); + $(".d_row").css('opacity','1'); + } else { + $(".chk_event:checked").each(function() { + var n = this.id.split("_"); + $("#class_box_" + n[1]).attr('class', newClass); + $("#class_box_" + n[1]).text(selClass); + if (curtotalparentcount > 0) { + $(this).prop("disabled",true); + } + }); + } + $(".d_row_sub1").css("background-color", "#fafafa"); + $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, + function(){$(this).css("background-color", "#fafafa")}); + } + + // Uncheck everything + $(".chk_event").prop("checked", false); + $(".chk_all").prop("checked", false); + // Remove these scids from the L1 scidlist + if ($("#ca0")[0] && rtbit == 1) { + var cur_scidlist = scidlist.split(','); + var active_scidlist = $("#ca0").data("scid"); + for (var i = 0; i < cur_scidlist.length; i++) { + active_scidlist = active_scidlist.replace(cur_scidlist[i],''); + } + active_scidlist = active_scidlist.replace(/,{2,}/g,','); + active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); + $("#ca0").data("scid", active_scidlist); + } + catMsg(scidlist.split(',').length, curtotalrtcount); + } else { + catMsg(0); + } + } + } + + function catMsg(count, rtcount) { + switch (count) { + default: + var ess = ''; + if ( count > 1 
) ess = 's'; + + var numrows = Number($('.d_row').length + $('.d_row_sub1').length); + var newboxtotal = 0, newcatcount = 0; + newboxtotal = parseInt($("#qtotal").text() - rtcount); + $("#qtotal").text(newboxtotal); + + // If we are just rt update Total boxes as we go + if ($("#ca2")[0]) { // We are ungrouped + newcatcount = parseInt($("#cat_count").text() - count); + if (newcatcount == 0) { + newView("u"); + } else { + $("#cat_count").text(newcatcount); + } + } + + if (numrows == 0) { + newView("u"); + } + + var msg = count + " event" + ess + " categorized"; + clearTags(); + break; + } + + $("span.class_msg").text(msg); + $("span.class_msg").fadeIn('slow', function() { + setTimeout(function(){ + $(".class_msg").fadeOut('slow'); + }, 3000); + }); + } + + // Load summary tab + function loadSummary() { + var limit = 10; + if ($('#wm0')[0]) { + doMap("redraw"); + } else { + doMap("draw"); + } + mkSummary("signature",limit); + mkSummary("srcip",limit); + mkSummary("dstip",limit); + mkSummary("srcpt",limit); + mkSummary("dstpt",limit); + mkSummary("srccc",limit); + mkSummary("dstcc",limit); + } + + // Toggle summary section + $(document).on("click", ".hidepane", function(e) { + $('#topsignature').toggle(); + }); + + // Summary tab + function mkSummary(box,limit) { + var theWhen = getTimestamp(); + var theSensors = s2h('empty'); + var theFilter = mkFilter(); + // See if we are filtering by sensor + if ($('.chk_sen:checked').length > 0) { + var active_sensors = "AND event.sid IN("; + var iter = $('.chk_sen:checked').length; + $('.chk_sen:checked').each(function() { + active_sensors += "'" + $(this).val() + "',"; + }); + active_sensors = active_sensors.replace(/,+$/,''); + active_sensors += ")"; + theSensors = s2h(active_sensors); + } + + var ldr = "
"; + $('#ov_' + box + '_sl').prepend(ldr); + $('#top' + box).fadeTo('fast', 0.2); + switch (box) { + case "srcip": + var cbArgs = "srcip"; + var qargs = "ip-src"; + var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); + }); + break; + case "dstip": + var cbArgs = "dstip"; + var qargs = "ip-dst"; + var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); + }); + break; + case "srcpt": + var cbArgs = "srcpt"; + var qargs = "pt-src"; + var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); + }); + break; + case "dstpt": + var cbArgs = "dstpt"; + var qargs = "pt-dst"; + var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); + }); + break; + case "signature": + var qargs = "sig-sig"; + var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); + }); + break; + case "srccc": + var cbArgs = "srccc"; + var qargs = "cc-src"; + var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; + $(function(){ + $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); + }); + break; + case "dstcc": + var cbArgs = "dstcc"; + var qargs = "cc-dst"; + var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); + }); + break; + } + + // IP and Country + function cb15(data,cbArgs){ + var ch = "SRC"; + var wip = "d"; + if (cbArgs[0] == "s") ch = "DST", wip = "s"; + eval("raw=" + data); + var tbl = '', head = '', row = ''; + head += ""; + head += "COUNT"; + head += "%TOTAL"; + head += "#SIG"; + head += "#" + ch + ""; + if (cbArgs[3] == "c") { + head += "COUNTRY"; + head += "#IP"; + } else { + head += "IP"; + head += "COUNTRY"; + } + head += ""; + + var eventsum = raw[raw.length - 1].n || 0; + var records = raw[raw.length - 1].r || 0; + if (records == 0) { + row = "No result."; + $("#ov_" + cbArgs + "_sl").text(""); + } + for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); + row += ""; + row += "" + cnt + ""; + row += "" + per + "%"; + row += "" + sigs + ""; + row += "" + ip2 + ""; + + if (cbArgs[3] == "c") { + row += ""; + row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; + row += "" + ip + ""; + } else { + row += "
" + ip + ""; + row += ""; + row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; + } + row += ""; + row += "
"; + } + tbl += ""; + tbl += head; + tbl += row; + tbl += "
"; + if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); + $("#ov_" + cbArgs + "_sl").after(tbl); + $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); + mkSlider("ov_" + cbArgs + "_sl", i, records); + } + + // Ports + function cb17(data,cbArgs){ + eval("raw=" + data); + var tbl = '', head = '', row = ''; + head += ""; + head += "COUNT"; + head += "%TOTAL"; + head += "#SIG"; + head += "#SRC" + head += "#DST"; + head += "PORT"; + head += ""; + + var eventsum = raw[raw.length - 1].n || 0; + var records = raw[raw.length - 1].r || 0; + if (records == 0) { + row = "No result."; + $("#ov_" + cbArgs + "_sl").text(""); + } + for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); + row += ""; + row += "" + cnt + ""; + row += "" + per + "%"; + row += "" + sigs + ""; + row += "" + src + ""; + row += "" + dst + ""; + row += "" + port + ""; + row += ""; + row += "
"; + } + tbl += ""; + tbl += head; + tbl += row; + tbl += "
"; + if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); + $("#ov_" + cbArgs + "_sl").after(tbl); + $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); + mkSlider("ov_" + cbArgs + "_sl", i, records); + } + // Signature + function cb16(data){ + eval("raw=" + data); + var tbl = '', head = '', row = ''; + head += ""; + head += "COUNT"; + head += "%TOTAL"; + head += "#SRC"; + head += "#DST"; + head += "SIGNATURE"; + head += "ID"; + head += ""; + + var eventsum = raw[raw.length - 1].n || 0; + var records = raw[raw.length - 1].r || 0; + if (records == 0) { + row = "No result."; + $("#ov_signature_sl").text(""); + $("#ovestat").html("(No events)"); + } else { + $("#ovestat").html("(" + eventsum + " events)"); + } + for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); + row += ""; + row += "" + cnt + ""; + row += "" + per + "%"; + row += "" + src + ""; + row += "" + dst + ""; + row += "" + sig + ""; + row += "" + sid + ""; + row += ""; + row += "
"; + } + + tbl += ""; + tbl += head; + tbl += row; + tbl += "
"; + if ($('#topsignature')[0]) $('#topsignature').remove(); + $("#ov_signature_sl").after(tbl); + $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); + mkSlider("ov_signature_sl", i, records); + } + } + + $(".ovsl").mouseup(function() { + var section = $(this).attr('id'); + var base = section.split("_")[1]; + var limit = Number($("#" + section + "_lbl").text()); + if (limit > 0) mkSummary(base, limit); + }); + + // + // Views tab + // + + function loadViews() { + $('.db_links').show(); + if (!$("#db_view_cont")[0]) mkView(); + } + + // Link handlers + $(document).on('click', '.db_link', function() { + $('.db_link').each(function() { + if ($(this).data('state') == '1') { + $(this).removeClass('db_link_active'); + $(this).data('state', '0'); + } + }); + $(this).data('state', '1'); + mkView(); + }); + + $(document).on('click', '.db_type', function() { + $('.db_type').each(function() { + if ($(this).data('state') == '1') { + $(this).removeClass('db_type_active'); + $(this).data('state', '0'); + } + }); + $(this).data('state', '1'); + mkView(); + }); + + $(document).on('click','.db_save', function() { + + }); + + // Create the view + function mkView() { + $('#db_view_cont,#hp_info').remove(); + if (!$("#db_view_ldr")[0]) { + var view = 'ip'; + $('.db_link').each(function() { + if ($(this).data('state') == '1') { + $(this).addClass('db_link_active'); + view = $(this).data('val'); + } + }); + + var type = 'sk'; + $('.db_type').each(function() { + if ($(this).data('state') == '1') { + $(this).addClass('db_type_active'); + type = $(this).data('type'); + } + }); + + var theWhen = getTimestamp(); + var theSensors = s2h('empty'); + var theFilter = mkFilter(); + // See if we are filtering by sensor + if ($('.chk_sen:checked').length > 0) { + var active_sensors = "AND event.sid IN("; + var iter = $('.chk_sen:checked').length; + $('.chk_sen:checked').each(function() { + active_sensors += "'" + $(this).val() + "',"; + }); + active_sensors = 
active_sensors.replace(/,+$/,''); + active_sensors += ")"; + theSensors = s2h(active_sensors); + } + + var ldr = "
"; + $('.db_view').after(ldr); + var qargs = view + "-" + type; + var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); + }); + + function cb17(data,type) { + eval("viewData=" + data); + var records = viewData.records; + if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); + if (records > 0) { + $('.db_view').after("
"); + switch (type) { + case 'sk': + var w = $(window).width(); + var h = viewData.links.length * 12; + if (h < 100) h = 100; + mkSankey("db_view_cont",viewData,w,h); + break; + } + } else { + $('.db_view').after("
The query returned no results.
"); + } + $('#db_view_ldr').remove(); + } + } + } + + // Make a map + function doMap() { + theWhen = getTimestamp(); + var theFilter = mkFilter(); + var working = "Working
"; + + $('#wm0').html(working); + + var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); + }); + + function cb10(data){ + eval("mapRaw=" + data); + try { + var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); + var srcc = mapRaw.srcc; + var srce = mapRaw.srce; + var dstc = mapRaw.dstc; + var dste = mapRaw.dste; + var allc = mapRaw.allc; + var alle = mapRaw.alle; + } + catch(e) { + var mapDetail = "{\"\"}"; + } + + // What is our current event total? + var esum = $('#event_sum').val(); + var w = $(window).width() - 72; + var h = w / 2.7 ; + $("#ov_map").html("
"); + $('#wm0').vectorMap({ + map: 'world_mill_en', + color: '#f4f3f0', + backgroundColor: '#CFE1FC', + zoomOnScroll: false, + onRegionClick: function(event, code){ + hItemAdd(code); + $('#search').val("cc" + " " + code); + $('#search').focus(); + }, + series: { + regions: [{ + values: mapDetail, + scale: ['#ffffff', '#000000'], + normalizeFunction: 'polynomial' + }] + }, + onRegionLabelShow: function(e, el, code){ + if (mapDetail[code]) { + var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); + el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); + } else { + el.html(el.html()); + } + } + }); + + var stats = "("; + stats += allc + " distinct countries)"; + $("#ovmapstat").html(stats); + } + } + + // Redraw map + $(document).on("click", "#map_src, #map_dst", function() { + doMap($(this).attr('id').split("_")[1]); + }); + + // + // History + // + + function doHistory(object) { + $('#loader').show(); + var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; + $(function(){ + $.get(".inc/callback.php?" + urArgs, function(data){cb21(data)}); + }); + + function cb21(data){ + eval("chartData=" + data); + var r1 = chartData.r1; + var r2 = chartData.r2; + var sum = 0; + if (r1 > 0) { + mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); + $('#obhist_sig').remove(); + if (r2 > 0) { + + for (var i=0; i < r2; i++) { + sum += Number(chartData.rows2[i].value); + } + + var tbl = '', head = '', row = ''; + head += ""; + head += "COUNT"; + head += "%TOTAL"; + head += "SIGNATURE"; + head += ""; + row += ""; + + for (var i=0; i < r2; i++) { + + var cnt = chartData.rows2[i].value || "-"; + var sig = chartData.rows2[i].label || "-"; + var sid = chartData.rows2[i].sid || "-"; + var per = 0; + if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); + var tsg = truncTag(sig,60); + + row += ""; + row += "" + cnt + ""; + row += "" + per + "%"; + row += "" + tsg + ""; + row += "" + row += "
"; + } + + row += ""; + tbl += ""; + tbl += head; + tbl += row; + tbl += "
"; + if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); + $(".ev_py").append(tbl); + } + } else { + return; + } + if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); + $("#loader").hide(); + } + } +// The End. +}); diff --git a/.inc/callback.php b/.inc/callback.php index 5ad7dd0..b09ed5e 100644 --- a/.inc/callback.php +++ b/.inc/callback.php @@ -537,74 +537,8 @@ function tab() { } function transcript() { - - global $offset; - $txdata = hextostr($_REQUEST['txdata']); - $usr = $_SESSION['sUser']; - $pwd = $_SESSION['sPass']; - list($sid, $timestamp, $sip, $spt, $dip, $dpt) = explode("|", $txdata); - $sqlsid = mysql_real_escape_string($sid); - // Lookup sensorname - $query = "SELECT hostname FROM sensor - WHERE sid = '$sqlsid'"; - - $qResult = mysql_query($query); - - $sensorName = mysql_result($qResult, 0); - $cmdsid = escapeshellarg($sid); - $cmdsip = escapeshellarg($sip); - $cmddip = escapeshellarg($dip); - $cmdspt = escapeshellarg($spt); - $cmddpt = escapeshellarg($dpt); - - $cmd = "../.scripts/cliscript.tcl \"$usr\" \"$sensorName\" \"$timestamp\" $cmdsid $cmdsip $cmddip $cmdspt $cmddpt"; - $descspec = array( - 0 => array("pipe", "r"), - 1 => array("pipe", "w"), - 2 => array("pipe", "w") - ); - - $proc = proc_open($cmd, $descspec, $pipes); - $debug = "Process execution failed"; - $_raw = $fmtd = ""; - if (is_resource($proc)) { - fwrite($pipes[0], $pwd); - fclose($pipes[0]); - $_raw = stream_get_contents($pipes[1]); - fclose($pipes[1]); - $debug = fgets($pipes[2]); - fclose($pipes[2]); - } - - $raw = explode("\n", $_raw); - foreach ($raw as $line) { - - $line = htmlspecialchars($line); - $type = substr($line, 0,3); - - switch ($type) { - case "DEB": $debug .= preg_replace('/^DEBUG:.*$/', "$0", $line) . "
"; $line = ''; break; - case "HDR": $line = preg_replace('/(^HDR:)(.*$)/', "$2", $line); break; - case "DST": $line = preg_replace('/^DST:.*$/', "$0", $line); break; - case "SRC": $line = preg_replace('/^SRC:.*$/', "$0", $line); break; - default: $line = ""; break; - } - - if (strlen($line) > 0) { - $fmtd .= $line . "
"; - } - } - - if (strlen($fmtd) > 0) { - $fmtd .= "
" . $debug; - } - - $result = array("tx" => "$fmtd", - "dbg" => "$_raw", - "cmd" => "$cmd"); - - $theJSON = json_encode($result); - echo $theJSON; + # We no longer use Squert's native transcript functionality. + # Squert now pivots to CapMe for transcripts. } function filters() { @@ -684,7 +618,12 @@ function cat() { list($cat, $msg, $lst) = explode("|||", $catdata); $msg = htmlentities($msg); - $cmd = "../.scripts/clicat.tcl 0 \"$usr\" \"$cat\" \"$msg\" \"$lst\""; + $cmdusr = escapeshellarg($usr); + $cmdcat = escapeshellarg($cat); + $cmdmsg = escapeshellarg($msg); + $cmdlst = escapeshellarg($lst); + + $cmd = "../.scripts/clicat.tcl 0 $cmdusr $cmdcat $cmdmsg $cmdlst"; $descspec = array( 0 => array("pipe", "r"), 1 => array("pipe", "w") @@ -1243,7 +1182,19 @@ function autocat() { $expires = gmdate("Y-m-d H:i:s", strtotime("+ $expires")); } - $cmd = "../.scripts/clicat.tcl 1 \"$usr\" \"$expires\" \"$v[sensor]\" \"$v[src_ip]\" \"$v[src_port]\" \"$v[dst_ip]\" \"$v[dst_port]\" \"$v[proto]\" \"$v[signature]\" \"$v[status]\" \"$v[comment]\""; + $cmdusr = escapeshellarg($usr); + $cmdexpires = escapeshellarg($expires); + $cmdsensor = escapeshellarg($v['sensor']); + $cmdsrcip = escapeshellarg($v['src_ip']); + $cmdsrcport = escapeshellarg($v['src_port']); + $cmddstip = escapeshellarg($v['dst_ip']); + $cmddstport = escapeshellarg($v['dst_port']); + $cmdproto = escapeshellarg($v['proto']); + $cmdsignature = escapeshellarg($v['signature']); + $cmdstatus = escapeshellarg($v['status']); + $cmdcomment = escapeshellarg($v['comment']); + + $cmd = "../.scripts/clicat.tcl 1 $cmdusr $cmdexpires $cmdsensor $cmdsrcip $cmdsrcport $cmddstip $cmddstport $cmdproto $cmdsignature $cmdstatus $cmdcomment"; $descspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w")); $proc = proc_open($cmd, $descspec, $pipes); $debug = "Process execution failed"; 
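Review bot: transcript() stays a callable entry point (presumably still listed in the `$types` dispatch table further down) but now produces no output at all, so a client that still requests a transcript gets an empty body where it previously got a JSON object with `tx`/`dbg`/`cmd` keys. If the entry stays, emit something the client can recognise, e.g. `echo json_encode(array("tx" => "", "dbg" => "transcript disabled; use CapMe"));`, or drop the dispatch entry together with the body. The two new comments use `#` while the rest of this file comments with `//`.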
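Review bot: escapeshellarg() makes `$cat` and `$lst` safe to pass through the shell, but nothing checks that they have the shape clicat.tcl expects — from the client side `$cat` is a class number and `$lst` a comma-separated list of sid.cid values — so malformed input still reaches the Tcl helper verbatim (only `$msg` goes through htmlentities). A shape check before the command is built rejects bad input early while keeping the `dbg` key the client's cb9 reads: `if (!ctype_digit((string)$cat) || !preg_match('/^[0-9.,]+$/', $lst)) { echo json_encode(array("dbg" => "invalid catdata")); return; }`. cat() starts and ends outside the hunk.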
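Review bot: The per-argument escapeshellarg() calls close the quoting gap, but the IP, port, proto and status fields are still not validated for shape before being handed to clicat.tcl, and PHP documents escapeshellarg() as locale-dependent — under a non-UTF-8 locale it can drop non-ASCII bytes, which matters for `$cmdcomment` and `$cmdsignature`. Consider `filter_var($v['src_ip'], FILTER_VALIDATE_IP)` / `ctype_digit()` checks (allowing whatever wildcard values the helper accepts) before building the command, and pinning the locale with `setlocale(LC_CTYPE, 'C.UTF-8')` if comments may contain non-ASCII text. The later hunk in autocat() (`$cmdtype`/`$cmdusr`/`$cmdid`) has the same validation gap for `$id`. The enclosing function starts and ends outside this hunk.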
@@ -1267,7 +1218,11 @@ function autocat() { $type = 3; } - $cmd = "../.scripts/clicat.tcl $type \"$usr\" $id"; + $cmdtype = escapeshellarg($type); + $cmdusr = escapeshellarg($usr); + $cmdid = escapeshellarg($id); + + $cmd = "../.scripts/clicat.tcl $cmdtype $cmdusr $cmdid"; $descspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w")); $proc = proc_open($cmd, $descspec, $pipes); $debug = "Process execution failed"; diff --git a/debian/postinst b/debian/postinst index e8e906e..7758897 100644 --- a/debian/postinst +++ b/debian/postinst @@ -19,6 +19,28 @@ case "$1" in fi fi + # Originally, Squert had its own authentication. + # We've moved to SSO for the Elastic integration. + # Two files need to be updated for Squert or SSO auth: + LOGIN="/var/www/so/squert/login.php" + JS="/var/www/so/squert/.js/squertMain.js" + # Default to Squert auth. + # If SSO is configured, copy SSO files. + # Otherwise, copy Squert auth files. + FROM="/var/www/so/squert/.auth/squert" + if ! [ -f ${LOGIN} ]; then + echo "${LOGIN} does not exist. Configuring for Squert authentication." + else + if grep -q PHP_AUTH_USER ${LOGIN} ; then + echo "${LOGIN} is configured for SSO authentication. Updating SSO auth files." + FROM="/var/www/so/squert/.auth/sso" + else + echo "${LOGIN} is configured for Squert authentication. Updating Squert auth files." + fi + fi + cp ${FROM}/login.php ${LOGIN} || echo "Error copying ${FROM}/login.php to ${LOGIN}." + cp ${FROM}/squertMain.js ${JS} || echo "Error copying ${FROM}/squertMain.js to ${JS}." + apache2ctl restart || echo "Error restarting Apache." if ! grep "/var/www/so/squert/.scripts/Ip2c/results.txt" /etc/apparmor.d/local/usr.sbin.mysqld >/dev/null; then From 57e89c404bd181f255249e05c35d4578793c17f4 Mon Sep 17 00:00:00 2001 
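Review bot: A failed cp only prints a message and the script carries on, so a partial copy can leave `login.php` from one auth flavour and `squertMain.js` from the other (or one of them stale) while the package still configures successfully. Since the pair must change together, either both copies succeed or the maintainer script should fail: `cp ${FROM}/login.php ${LOGIN} && cp ${FROM}/squertMain.js ${JS} || { echo "Error updating auth files from ${FROM}."; exit 1; }`. The SSO detection via `grep -q PHP_AUTH_USER` is a heuristic on file content; a comment naming the file it is expected to match (the SSO login.php shipped under `.auth/sso`) would help the next maintainer. Whether the copied files end up with the mode Apache needs depends on the umask in effect, which is not visible here.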
From: doug Date: Tue, 23 Jan 2018 12:38:32 -0500 Subject: [PATCH 26/34] version 1.7.0 --- .inc/callback.php | 1166 +- .scripts/securityonion_create_elsa_link.sh | 14 + .scripts/securityonion_update.sql | 2 + .../native/squert/.js}/squertMain.js | 0 {.auth => auth/native}/squert/login.php | 42 +- .../sso => auth/sso/squert/.js}/squertMain.js | 0 {.auth/sso => auth/sso/squert}/login.php | 39 +- debian/changelog | 60 + debian/install | 2 +- debian/patches/allow-pivot-to-elsa-or-elastic | 53 + ...egin-transition-to-pdo-prepared-statements | 269 + ....php-and-grant-permission-to-autocat-table | 1680 ++ debian/patches/improve-calls-to-clicat | 10413 ++++++++++++ debian/patches/improve-postinst | 13709 ++++++++++++++++ .../migrate-login.php-to-prepared-statements | 150 + debian/patches/move-auth-to-optsquert | 13709 ++++++++++++++++ debian/patches/series | 8 + debian/patches/set-version-to-1.7.0 | 47 + debian/postinst | 31 +- 19 files changed, 40882 insertions(+), 512 deletions(-) rename {.auth/squert => auth/native/squert/.js}/squertMain.js (100%) rename {.auth => auth/native}/squert/login.php (78%) rename {.auth/sso => auth/sso/squert/.js}/squertMain.js (100%) rename {.auth/sso => auth/sso/squert}/login.php (80%) create mode 100644 debian/patches/allow-pivot-to-elsa-or-elastic create mode 100644 debian/patches/begin-transition-to-pdo-prepared-statements create mode 100644 debian/patches/improve-callback.php-and-grant-permission-to-autocat-table create mode 100644 debian/patches/improve-calls-to-clicat create mode 100644 debian/patches/improve-postinst create mode 100644 debian/patches/migrate-login.php-to-prepared-statements create mode 100644 debian/patches/move-auth-to-optsquert create mode 100644 debian/patches/set-version-to-1.7.0 diff --git a/.inc/callback.php b/.inc/callback.php index b09ed5e..e93e945 100644 --- a/.inc/callback.php +++ b/.inc/callback.php 
@@ -9,10 +9,18 @@ $base = dirname(__FILE__); include_once "$base/config.php"; include_once "$base/functions.php"; - -$link = mysql_connect($dbHost,$dbUser,$dbPass); -$db = mysql_select_db($dbName,$link); - +// PDO prepared statements +try { + // first connect to database with the PDO object. + $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [ + PDO::ATTR_EMULATE_PREPARES => false, + PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false, + PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION + ]); +} catch(PDOException $e){ + // if connection fails, log PDO error. + error_log("Error connecting to mysql: ". $e->getMessage()); +} $type = $_REQUEST['type']; $types = array( @@ -46,7 +54,7 @@ if (isset($_REQUEST['ts'])) { // Need EC - $tsParts = explode("|", mysql_real_escape_string(hextostr($_REQUEST['ts']))); + $tsParts = explode("|", hextostr($_REQUEST['ts'])); $sdate = $tsParts[0]; $edate = $tsParts[1]; $stime = $tsParts[2]; 
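Review bot: When the PDO constructor throws, the catch logs the message and execution continues with `$dbpdo` unset, so every later `$dbpdo->prepare()` in this file dies with a fatal "call to a member function on null" instead of a controlled failure; terminate after logging, e.g. `http_response_code(500); exit;`. With `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` the later prepare/execute calls can also throw, and if `display_errors` is on for this vhost an uncaught PDOException's message can expose the DSN or query text to the browser — worth confirming it is off (can't tell from here). The `"$dbUser"` / `"$dbPass"` quoting is unnecessary; pass the variables directly.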
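Review bot: Dropping mysql_real_escape_string() from the `ts` parse is required once the mysql extension is gone, but `$sdate`, `$edate`, `$stime` and `$etime` are still interpolated into `$start`, `$end` and `$when` in the lines just after this hunk, and `$when` is still imported via `global` in level0() below; if any remaining query interpolates `$when` into SQL, that input is now unescaped. Either remove `$when` entirely or validate the parts before use, e.g. `if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $sdate) || !preg_match('/^\d{2}:\d{2}:\d{2}$/', $stime)) { exit; }` (same for the end pair; adjust to the format the client actually sends).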
@@ -55,21 +63,125 @@ $start = "CONVERT_TZ('$sdate $stime','$offset','+00:00')"; $end = "CONVERT_TZ('$edate $etime','$offset','+00:00')"; $when = "event.timestamp BETWEEN $start AND $end"; + // combine start date and start time for prepared statements + $sdatetime = "$sdate $stime"; + // combine end date and end time for prepared statements + $edatetime = "$edate $etime"; } +// user can specify sensors +$sensors = ''; +$sensorsclean = ''; +$in = ''; +$sensor_params = array(); if (isset($_REQUEST['sensors'])) { $sensors = hextostr($_REQUEST['sensors']); if ($sensors == 'empty') { $sensors = ''; + } else { + // $sensors looks like this: + // AND event.sid IN('3','1') + // let's clean that up so we can use prepared statements + $sensorsclean = ltrim($sensors, 'AND event.sid IN('); + $sensorsclean = rtrim($sensorsclean, ')'); + $sensorsclean = str_replace("'","", $sensorsclean); + // now we need to dynamically build IN for prepared statement based on: + // https://phpdelusions.net/pdo#like + $ids = explode(",", $sensorsclean); + foreach ($ids as $i => $item) + { + $key = ":id".$i; + $in .= "$key,"; + $sensor_params[$key] = $item; // collecting values into key-value array + } + $in = rtrim($in,","); // :id0,:id1,:id2 + $sensors = "AND event.sid IN($in)"; } } -if (isset($_REQUEST['rt'])) { - $rt = $_REQUEST['rt']; - if ($rt == 1) { - $rt = "AND event.status = 0"; +// rt is the queue-only toggle on the left side of the EVENTS tab +$rt = ""; +if (isset($_REQUEST['rt']) && $_REQUEST['rt'] == 1) { + $rt = "AND event.status = 0"; +} + +// $sv is for sorting. For example: DESC +// this cannot be done via prepared statement, so we use a whitelist approach +$sv = ""; +if (isset($_REQUEST['sv'])) { + $sv = $_REQUEST['sv'] == 'DESC' ? 'DESC' : 'ASC'; +} + +// many functions below rely on filters so let's build that out now +if (isset($_REQUEST['filter'])) { + $filter = hextostr($_REQUEST['filter']); + // $filter comes from the filter box in the upper right corner of the EVENTS tab. 
Default: empty + if ($filter != 'empty') { + if (substr($filter, 0,4) == 'cmt ') { + // user entered cmt into the filter box + // pull their filter out and place it into the prepared statement array + $comment = explode('cmt ', $filter); + $filtercmt = $comment[1]; + $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid + WHERE history.comment = :filtercmt"; + // build parameters for prepared statement + $qp2_params = [":filtercmt" => "$filtercmt"]; + } else { + // if the user didn't enter cmt, then they may be using one of the built-in filters + // for example, if the user wants to search for alerts with src or dst ip in US: + // cc us + // we'll then receive the following: + // (msrc.cc = 'us' OR mdst.cc = 'us') + // the general strategy is to try to match this with one of the built-in filters to ensure validity + // then build a prepared statement + // this needs to be fixed + $filter = str_replace('<','<', $filter); + $filter = str_replace('>','>', $filter); + // build parameters for prepared statement + $qp2_params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset"]; + // find whatever is enclosed in single ticks and replace with $ + $exploded=explode("'",$filter); + $filtervar=$exploded[1]; + $compfilter = str_replace($filtervar, '$', $filter); + // retrieve all valid filters from database + $statement="SELECT UNHEX(filter) from filters where type='filter';"; + $query = $dbpdo->prepare("$statement"); + $query->execute(); + $rows = $query->fetchAll(PDO::FETCH_BOTH); + // search for user filter in list of valid filters + $newfilter = ""; + $filter = ""; + // "signature LIKE" is a special case + if ( "$compfilter" == "(signature LIKE '$' OR signature LIKE '$')" ) { + $filter = "AND (signature LIKE :filtervar1 OR signature LIKE :filtervar2)"; + $qp2_params[":filtervar1"] = "%$filtervar%"; + $qp2_params[":filtervar2"] = "%$filtervar%"; + } else { + foreach ($rows as $row) { + 
if ( "$compfilter" == "$row[0]" ) { + $newfilter = $row[0]; + $i=0; + while (strpos($newfilter, "'\$'") !== false) { + $newfilter = preg_replace('/\'\$\'/', ":filtervar$i", "$newfilter", 1); + $qp2_params[":filtervar$i"] = $filtervar; + $i++; + } + $filter = "AND " . $newfilter; + } + } + } + $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') + $sensors + $filter + $rt"; + } } else { - $rt = ""; + // filter box was empty so we'll just build a prepared statement using sensors and rt values + $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') + $sensors + $rt"; + // build parameters for prepared statement + $qp2_params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset"]; } } 
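Review bot: When the comparison against the stored filters finds no match, `$filter` stays `""` and `$qp2` is built with no filter clause, so a typo or an unsupported filter silently returns the unfiltered event set instead of an error; that branch should reject the request, e.g. `echo json_encode(array("dbg" => "unknown filter")); exit;`, rather than fail open. `ltrim($sensors, 'AND event.sid IN(')` treats its second argument as a character set, not a prefix — a `substr()` or `str_replace()` would state the intent and not depend on sensor ids never starting with one of those characters. `$exploded[1]` is undefined when the filter contains no single quote, and `str_replace($filtervar, '$', $filter)` replaces every occurrence of the value, including inside column names (a one-character value such as `s` turns `msrc` into `m$rc`), so the template match then fails and the filter is dropped as above.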
@@ -78,23 +190,26 @@ } function ec() { - - global $when, $sensors; - - $query = "SELECT COUNT(status) AS count, status - FROM event - LEFT JOIN sensor AS s ON event.sid = s.sid - WHERE $when - $sensors - GROUP BY status"; - - $result = mysql_query($query); - - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } + // This function returns event count grouped by status. + // This is used to populate the numbers in the Classification section on the left side of the EVENTS tab. + // This function has been updated to use PDO prepared statements. + global $sdatetime, $edatetime, $offset, $sensors, $sensor_params, $dbpdo; + + // build statement + $statement = "SELECT COUNT(status) AS count, status FROM event LEFT JOIN sensor AS s ON event.sid = s.sid + WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') + $sensors + GROUP BY status;"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset"]; + // execute the prepared statement and pass it the local params array and the sensor_params array + $query->execute(array_merge($params,$sensor_params)); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); echo $theJSON; } 
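Review bot: The boolean returned by `$query->execute(array_merge($params,$sensor_params))` is discarded, so unless `$dbpdo` (constructed outside this hunk) is configured with `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION`, a failed execute leaves `fetchAll` returning an empty array and the client receives `[]`, indistinguishable from zero events. The same unchecked pattern is repeated in level0, level1, level2, level2a, payload, comments, sensors, map and summary. A minimal guard is `if (!$query->execute(array_merge($params, $sensor_params))) { error_log(implode(' ', $query->errorInfo())); }`, which at least makes the failure visible in the server log.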
@@ -169,42 +284,22 @@ function urlMkr($line) { } function level0() { - global $offset, $when, $sensors, $rt; - $sv = mysql_real_escape_string($_REQUEST['sv']); - $filter = hextostr($_REQUEST['filter']); - if ($filter != 'empty') { - if (substr($filter, 0,4) == 'cmt ') { - $comment = explode('cmt ', $filter); - $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "'"; - } else { - // this needs to be fixed - $filter = str_replace('<','<', $filter); - $filter = str_replace('>','>', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - $filter - $rt"; - } - } else { - $qp2 = "WHERE $when - $sensors - $rt"; - } - - $query = "SELECT COUNT(event.signature) AS f1, + // This function returns the aggegrated event data in the main section of the EVENTS tab. + // This function has been updated to use PDO prepared statements. + global $offset, $when, $sensors, $rt, $sdatetime, $edatetime, $sensor_params, $dbpdo, $qp2, $qp2_params, $sv; + // build statement + $statement="SELECT COUNT(event.signature) AS f1, event.signature AS f2, event.signature_id AS f3, event.signature_gen AS f4, - MAX(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS f5, + MAX(CONVERT_TZ(event.timestamp,'+00:00',:maxoffset)) AS f5, COUNT(DISTINCT(event.src_ip)) AS f6, COUNT(DISTINCT(event.dst_ip)) AS f7, event.ip_proto AS f8, GROUP_CONCAT(DISTINCT(event.status)) AS f9, GROUP_CONCAT(DISTINCT(event.sid)) AS f10, GROUP_CONCAT(event.status) AS f11, - GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', '$offset'),12,2)) AS f12, + GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', :groupoffset),12,2)) AS f12, event.priority AS f13, GROUP_CONCAT(DISTINCT(src_tag.value)) AS f14, GROUP_CONCAT(DISTINCT(dst_tag.value)) AS f15 
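Review bot: `$sv` is now imported from a global instead of being escaped from `$_REQUEST['sv']`, and it is still interpolated into the statement text (`ORDER BY f5 $sv` in the next hunk), where a bound parameter cannot be used; if it is not whitelisted where the global is set (outside this diff), it is the one part of the query the PDO conversion leaves unparameterised. level1, level2 and level2a interpolate the same global into their `ORDER BY`. Reduce it to the two values the clause accepts before use, e.g. `$sv = (strtoupper($sv) === 'ASC') ? 'ASC' : 'DESC';`, and document that contract on the `global` line.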
@@ -216,51 +311,37 @@ function level0() { $qp2 GROUP BY f3 ORDER BY f5 $sv"; - - $result = mysql_query($query); - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } + // add params for local part of statement + $local_params[':maxoffset'] = "$offset"; + $local_params[':groupoffset'] = "$offset"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($local_params, $sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); echo $theJSON; } function level1() { - - global $offset, $when, $sensors, $rt; - $sid = mysql_real_escape_string($_REQUEST['object']); - $sv = mysql_real_escape_string($_REQUEST['sv']); - $filter = hextostr($_REQUEST['filter']); - - if ($filter != 'empty') { - if (substr($filter, 0,4) == 'cmt ') { - $comment = explode('cmt ', $filter); - $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "' - AND event.signature_id = '$sid'"; - } else { - // this needs to be fixed - $filter = str_replace('<','<', $filter); - $filter = str_replace('>','>', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - AND event.signature_id = '$sid' - $filter - $rt"; - } - } else { - $qp2 = "WHERE $when - $sensors - AND event.signature_id = '$sid' - $rt"; - } - - // LEVEL 1 - $query = "SELECT COUNT(event.signature) AS count, - MAX(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS maxTime, + // This function is called when the user clicks a number in the Queue column to drill into a group of aggregated events. + // This function has been updated to use PDO prepared statements. 
+ global $offset, $when, $sensors, $rt, $sdatetime, $edatetime, $sensor_params, $dbpdo, $qp2, $qp2_params, $sv; + // sid is signature_id (snort/suricata ID, OSSEC rule ID, etc.) + $sid = $_REQUEST['object']; + // add sid to $qp2 and $qp2_params + $qp2 = "$qp2 + AND event.signature_id = :sid"; + $qp2_params[':sid'] = "$sid"; + // build statement + $statement = "SELECT COUNT(event.signature) AS count, + MAX(CONVERT_TZ(event.timestamp,'+00:00', :maxoffset)) AS maxTime, INET_NTOA(event.src_ip) AS src_ip, msrc.c_long AS src_cc, INET_NTOA(event.dst_ip) AS dst_ip, @@ -272,8 +353,8 @@ function level1() { GROUP_CONCAT(event.sid) AS c_sid, GROUP_CONCAT(event.cid) AS c_cid, GROUP_CONCAT(event.status) AS c_status, - GROUP_CONCAT(SUBSTR(CONVERT_TZ(event.timestamp,'+00:00','$offset'),12,5)) AS c_ts, - GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', '$offset'),12,2)) AS f12, + GROUP_CONCAT(SUBSTR(CONVERT_TZ(event.timestamp,'+00:00', :groupoffset1),12,5)) AS c_ts, + GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', :groupoffset2),12,2)) AS f12, event.priority AS f13, msrc.age AS src_age, mdst.age AS dst_age, 
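Review bot: `array_merge($local_params, $sensor_params, $qp2_params)` binds `$sensor_params` unconditionally, but in the `cmt ` branch of the partial hunk at the top of this diff `$qp2` is only `LEFT JOIN history ... WHERE history.comment = :filtercmt` and contains no sensor placeholders, so whenever `$sensor_params` is non-empty PDO should reject the execute with a parameter-count mismatch (HY093) and a comment search with sensors selected returns nothing. The same merge is repeated in level1, level2, level2a, map and summary. Either append `$sensors` to the cmt branch of `$qp2` or merge `$sensor_params` only when `$qp2` references it. Separately, `$local_params` is never initialised before `$local_params[':maxoffset'] = "$offset";` in level0 and level1; an explicit `$local_params = [];` makes the intent clear.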
@@ -289,58 +370,46 @@ function level1() { $qp2 GROUP BY event.src_ip, event.dst_ip ORDER BY maxTime $sv"; - - $result = mysql_query($query); - - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } + // add params for local part of statement + $local_params[':maxoffset'] = "$offset"; + $local_params[':groupoffset1'] = "$offset"; + $local_params[':groupoffset2'] = "$offset"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($local_params, $sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); echo $theJSON; } function level2() { - - global $offset, $when, $sensors, $rt; - $comp = mysql_real_escape_string($_REQUEST['object']); - $filter = hextostr($_REQUEST['filter']); - $sv = mysql_real_escape_string($_REQUEST['sv']); - $adqp = mysql_real_escape_string(hextostr($_REQUEST['adqp'])); + // This function is called when the user clicks a number in the Queue column in the second level of aggregation. + // This function has been updated to use PDO prepared statements. + global $offset, $when, $sensors, $rt, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; + $comp = $_REQUEST['object']; list($ln,$sid,$src_ip,$dst_ip) = explode("-", $comp); $src_ip = sprintf("%u", ip2long($src_ip)); $dst_ip = sprintf("%u", ip2long($dst_ip)); - if ($filter != 'empty') { - if (substr($filter, 0,4) == 'cmt ') { - $comment = explode('cmt ', $filter); - $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . 
"' - AND (event.signature_id = '$sid' - AND event.src_ip = '$src_ip' - AND event.dst_ip = '$dst_ip')"; - } else { - $qp2 = "WHERE $when - $sensors - AND (event.signature_id = '$sid' - AND event.src_ip = '$src_ip' - AND event.dst_ip = '$dst_ip')"; - } - } else { - if ($adqp === "empty") { - $adqp = ""; - } - $qp2 = "WHERE $when - $sensors - $adqp - AND (event.signature_id = '$sid' - AND event.src_ip = '$src_ip' - AND event.dst_ip = '$dst_ip')"; - } - - $query = "SELECT event.status AS f1, - CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00','$offset'),event.timestamp) AS f2, + // add sid, src_ip, and dst_ip to $qp2 and $qp2_params + $qp2 = "$qp2 + AND (event.signature_id = :sid + AND event.src_ip = :src_ip + AND event.dst_ip = :dst_ip)"; + $qp2_params[':sid'] = "$sid"; + $qp2_params[':src_ip'] = "$src_ip"; + $qp2_params[':dst_ip'] = "$dst_ip"; + + // build statement using $qp2 + $statement = "SELECT event.status AS f1, + CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00',:concatoffset),event.timestamp) AS f2, INET_NTOA(event.src_ip) AS f3, event.src_port AS f4, INET_NTOA(event.dst_ip) AS f5, 
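Review bot: `list($ln,$sid,$src_ip,$dst_ip) = explode("-", $comp);` still splits the raw `$_REQUEST['object']` with no check that four parts came back, and `ip2long()` returns `false` for anything that is not a dotted quad, which `sprintf("%u", ...)` silently turns into `"0"`; the removed `mysql_real_escape_string` was not validating this either, but with bound parameters a shape check is now the only input validation left. A guard before the `list()`, e.g. `$parts = explode("-", $comp); if (count($parts) !== 4 || ip2long($parts[2]) === false || ip2long($parts[3]) === false) { echo json_encode(array("msg" => "bad object")); return; }`, keeps malformed input out of the statement; payload() splits `$_REQUEST['object']` the same way and would benefit from the same check. The `adqp` request parameter that the old code folded into `$qp2` is no longer read anywhere in level2; if the client still sends it, it is now silently ignored, which is worth a one-line comment if intentional.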
@@ -357,50 +426,34 @@ function level2() { LEFT JOIN object_mappings AS src_tag ON event.src_ip = src_tag.object AND src_tag.type = 'tag' LEFT JOIN object_mappings AS dst_tag ON event.dst_ip = dst_tag.object AND dst_tag.type = 'tag' $qp2 - $rt GROUP BY event.sid,event.cid ORDER BY event.timestamp $sv"; - $result = mysql_query($query); - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } + // add params for local part of statement + $local_params[':concatoffset'] = "$offset"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($local_params, $sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); echo $theJSON; } function level2a() { - - global $offset, $when, $sensors, $rt; - $sv = mysql_real_escape_string($_REQUEST['sv']); - $filter = hextostr($_REQUEST['filter']); - - if ($filter != 'empty') { - if (substr($filter, 0,4) == 'cmt ') { - $comment = explode('cmt ', $filter); - $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "'"; - } else { - // this needs to be fixed... - $filter = str_replace('<','<', $filter); - $filter = str_replace('>','>', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - $filter - $rt"; - } - } else { - $qp2 = "WHERE $when - $sensors - $rt"; - } - - $query = "SELECT event.status AS f1, - CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00','$offset'),event.timestamp) AS f2, + // This function is called when grouping is turned off. + // This function has been updated to use PDO prepared statements. 
+ global $offset, $when, $sensors, $rt, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; + // build statement + $statement = "SELECT event.status AS f1, + CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00',:concatoffset),event.timestamp) AS f2, INET_NTOA(event.src_ip) AS f3, event.src_port AS f4, msrc.c_long AS f5, 
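Review bot: The prepare / `array_merge($local_params, $sensor_params, $qp2_params)` / execute / `fetchAll` / `json_encode` / `echo` sequence in level2 is the third copy of the same block (level0 and level1 before it, level2a after it), differing only in the `$local_params` keys. A small helper taking the statement and the merged parameter array would remove the duplication and give one place to check `execute()`'s result instead of none. The sketch below shows the helper and the single call that replaces the block in level2; the other three functions would call it the same way.
```php
// shared by level0/level1/level2/level2a: prepare, execute, fetch as assoc rows
function fetch_rows($dbpdo, $statement, $params) {
    $query = $dbpdo->prepare($statement);
    if (!$query->execute($params)) {
        error_log(implode(' ', $query->errorInfo()));
        return array();
    }
    return $query->fetchAll(PDO::FETCH_ASSOC);
}
// … unchanged: level2 statement text …
$rows = fetch_rows($dbpdo, $statement, array_merge($local_params, $sensor_params, $qp2_params));
$theJSON = json_encode($rows);
echo $theJSON;
```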
@@ -428,30 +481,39 @@ function level2a() { $qp2 GROUP BY event.sid, event.cid ORDER BY event.timestamp $sv"; - - $result = mysql_query($query); - $rows = array(); - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } + // add params for local part of statement + $local_params[':concatoffset'] = "$offset"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($local_params, $sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); echo $theJSON; } function payload() { + // This function retrieves the payload of the event. + // This function has been updated to use PDO prepared statements. - global $offset; - $comp = mysql_real_escape_string($_REQUEST['object']); + global $offset, $dbpdo; + $comp = $_REQUEST['object']; list($sid,$cid) = explode("-", $comp); - $query = "SELECT INET_NTOA(event.src_ip), + $statement = "SELECT INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.ip_ver, event.ip_hlen, event.ip_tos, event.ip_len, event.ip_id, event.ip_flags, event.ip_off, event.ip_ttl, event.ip_csum, event.src_port, event.dst_port, event.ip_proto, event.signature, event.signature_id, - CONVERT_TZ(event.timestamp,'+00:00','$offset'), event.sid, event.cid, + CONVERT_TZ(event.timestamp,'+00:00', :offset), event.sid, event.cid, GROUP_CONCAT(history.comment SEPARATOR ' || ') AS comment, GROUP_CONCAT(src_tag.value) AS srctag, GROUP_CONCAT(dst_tag.value) AS dsttag 
@@ -459,21 +521,28 @@ function payload() { LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid LEFT JOIN object_mappings AS src_tag ON event.src_ip = src_tag.object AND src_tag.type = 'tag' LEFT JOIN object_mappings AS dst_tag ON event.dst_ip = dst_tag.object AND dst_tag.type = 'tag' - WHERE event.sid='$sid' AND event.cid='$cid'"; - - $result = mysql_query($query); - + WHERE event.sid=:sid AND event.cid=:cid"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":offset" => "$offset", ":sid" => "$sid", ":cid" => "$cid"]; + // execute the prepared statement with params + $query->execute(array_merge($params)); + // fetch the data + $row = $query->fetchall(PDO::FETCH_ASSOC); $rows = array(); - - $row = mysql_fetch_assoc($result); - $rows[] = $row; - $ipp = $row["ip_proto"]; + if (array_key_exists(0, $row)) { + $rows[] = $row[0]; + } + $ipp = $row[0]["ip_proto"]; // Protocol switch ($ipp) { case 1: - $query = "SELECT event.icmp_type AS icmp_type, + $statement = "SELECT event.icmp_type AS icmp_type, event.icmp_code AS icmp_code, icmphdr.icmp_csum AS icmp_csum, icmphdr.icmp_id AS icmp_id, 
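Review bot: `$ipp = $row[0]["ip_proto"];` sits outside the `array_key_exists(0, $row)` guard that precedes it, so when no event matches the sid/cid pair the lookup raises a notice and `$ipp` becomes null, which then falls through to the `default` branch of the protocol switch instead of producing a clear empty result. Initialise `$ipp = null;` and move the assignment inside the guard so both paths are explicit. Minor style: `fetchall` is spelled `fetchAll` everywhere else in this change, and `array_merge($params)` with a single argument is a no-op — `$query->execute($params)` says the same thing.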
@@ -481,54 +550,78 @@ function payload() { FROM event, icmphdr WHERE event.sid=icmphdr.sid AND event.cid=icmphdr.cid - AND event.sid='$sid' - AND event.cid='$cid'"; - - $result = mysql_query($query); - - $row = mysql_fetch_assoc($result); - $rows[] = $row; + AND event.sid=:sid + AND event.cid=:cid"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":sid" => "$sid", ":cid" => "$cid"]; + // execute the prepared statement with params + $query->execute(array_merge($params)); + // fetch the data + $row = $query->fetchall(PDO::FETCH_ASSOC); + if (array_key_exists(0, $row)) { + $rows[] = $row[0]; + } break; case 6: - $query = "SELECT tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_urp, tcp_csum + $statement = "SELECT tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_urp, tcp_csum FROM tcphdr - WHERE sid='$sid' AND cid='$cid'"; - - $result = mysql_query($query); - - $row = mysql_fetch_assoc($result); - $rows[] = $row; + WHERE sid=:sid AND cid=:cid"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":sid" => "$sid", ":cid" => "$cid"]; + // execute the prepared statement with params + $query->execute(array_merge($params)); + // fetch the data + $row = $query->fetchall(PDO::FETCH_ASSOC); + if (array_key_exists(0, $row)) { + $rows[] = $row[0]; + } break; case 17: - $query = "SELECT udp_len, udp_csum + $statement = "SELECT udp_len, udp_csum FROM udphdr - WHERE sid='$sid' AND cid='$cid'"; - - $result = mysql_query($query); - - $row = mysql_fetch_assoc($result); - $rows[] = $row; + WHERE sid=:sid AND cid=:cid"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":sid" => "$sid", ":cid" => "$cid"]; + // execute the prepared statement with params + $query->execute(array_merge($params)); + // fetch the 
data + $row = $query->fetchall(PDO::FETCH_ASSOC); + if (array_key_exists(0, $row)) { + $rows[] = $row[0]; + } break; default: $result = array(0 => 0); $rows[] = $row; break; } - // Data - $query = "SELECT data_payload + $statement = "SELECT data_payload FROM data - WHERE sid='$sid' AND cid='$cid'"; - - $result = mysql_query($query); - - $row = mysql_fetch_assoc($result); - $rows[] = $row; + WHERE sid=:sid AND cid=:cid"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":sid" => "$sid", ":cid" => "$cid"]; + // execute the prepared statement with params + $query->execute(array_merge($params)); + // fetch the data and encode to json + $row = $query->fetchall(PDO::FETCH_ASSOC); + if (array_key_exists(0, $row)) { + $rows[] = $row[0]; + } $theJSON = json_encode($rows); echo $theJSON; - } function tab() { 
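Review bot: In the `default` branch `$rows[] = $row;` now appends the entire `fetchAll` result of the first query (a list of rows) rather than one associative row, because `$row` was reassigned to that list above the switch; for any protocol other than 1, 6 or 17 the JSON therefore changes shape (a nested array where the old code emitted a flat row), and `$result = array(0 => 0);` is dead since `$result` is never read afterwards. `default: break;` (or `$rows[] = $row[0];` if the duplicated first row is relied on by the client) restores the previous output. The three protocol branches and the data query are identical apart from the SQL text and would collapse into one prepare/execute/fetch helper.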
@@ -542,21 +635,28 @@ function transcript() { } function filters() { + // This function queries and updates the filters table. + // This function has been updated to use PDO prepared statements. + global $dbpdo; $user = $_SESSION['sUser']; - $mode = mysql_real_escape_string($_REQUEST['mode']); + $mode = $_REQUEST['mode']; switch ($mode) { case "query" : - $query = "SELECT type, UNHEX(name) AS name, alias, filter, UNHEX(notes) as notes, age, global, username + $statement = "SELECT type, UNHEX(name) AS name, alias, filter, UNHEX(notes) as notes, age, global, username FROM filters ORDER BY global,name ASC"; - $result = mysql_query($query); - $rows = array(); + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // execute the prepared statement with params + $query->execute(); # iterate through each row of the filter table - while ($row = mysql_fetch_assoc($result)) { + while ($row = $query->fetch(PDO::FETCH_ASSOC)) { # for each field in that row, we need to sanitize before output foreach ($row as &$value) { # https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know 
@@ -582,23 +682,50 @@ function filters() { $filter = str_ireplace($remove, "", $filter); $filter = strtohex($filter); - $query = "INSERT INTO filters (type,name,alias,username,filter,notes) - VALUES ('$type','$name','$alias','$user','$filter','$notes') + $statement = "INSERT INTO filters (type,name,alias,username,filter,notes) + VALUES (:type1,:name1,:alias1,:user1,:filter1,:notes1) ON DUPLICATE KEY UPDATE - type='$type',name='$name',alias='$alias',filter='$filter',notes='$notes'"; + type=:type2,name=:name2,alias=:alias2,filter=:filter2,notes=:notes2"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":type1" => "$type", ":name1" => "$name", ":alias1" => "$alias", ":user1" => "$user", ":filter1" => "$filter", ":notes1" => "$notes", ":type2" => "$type", ":name2" => "$name", ":alias2" => "$alias", ":filter2" => "$filter", ":notes2" => "$notes"]; + // execute the prepared statement with params + $query->execute(array_merge($params)); + // check for errors + $error = $query->errorInfo(); + $result = ""; + // if there was no error, then $error[2] should be null + if ( ! 
is_null($error[2]) ) { + $result = $error[2]; + } - mysql_query($query); - $result = mysql_error(); $return = array("msg" => $result); $theJSON = json_encode($return); break; case "remove" : - $alias = mysql_real_escape_string($_REQUEST['data']); - $query = "DELETE FROM filters WHERE username = '$user' AND (alias = '$alias' AND global = 0)"; - mysql_query($query); - $result = mysql_error(); + $alias = $_REQUEST['data']; + $statement = "DELETE FROM filters WHERE username = :user AND (alias = :alias AND global = 0)"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":user" => "$user", ":alias" => "$alias"]; + // execute the prepared statement with the params + $query->execute(array_merge($params)); + // check for errors + $error = $query->errorInfo(); + $result = ""; + // if there was no error, then $error[2] should be null + if ( ! is_null($error[2]) ) { + $result = $error[2]; + } + $return = array("msg" => $result); $theJSON = json_encode($return); @@ -644,7 +771,10 @@ function cat() { } function comments() { - $query = "SELECT COUNT(comment) AS f1, + // This function retrieves comments from the history table. + // This function has been updated to use PDO prepared statements. + global $dbpdo; + $statement = "SELECT COUNT(comment) AS f1, comment AS f2, u.username AS f3, MIN(timestamp) AS f4, 
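Review bot: The duplicated placeholder set (`:type1`/`:type2` and so on) exists only because a named parameter cannot be bound twice in one statement; MySQL's `ON DUPLICATE KEY UPDATE type=VALUES(type), name=VALUES(name), alias=VALUES(alias), filter=VALUES(filter), notes=VALUES(notes)` expresses the same upsert with a single set of six parameters and halves the `$params` array. The `errorInfo()` inspection after both execute calls works with PDO's default silent error mode, but the direct signal is the return value: `if (!$query->execute($params)) { $result = $query->errorInfo()[2]; }` is shorter and does not rely on element 2 being null on success. Both `$params` arrays are again wrapped in a no-op `array_merge`.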
@@ -657,53 +787,52 @@ function comments() { AND (comment NOT IN('NULL','Auto Update','') AND comment NOT LIKE ('autoid %')) GROUP BY comment ORDER BY f5 DESC"; - - $result = mysql_query($query); - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // execute the prepared statement + $query->execute(); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); echo $theJSON; } function remove_comment() { + // This function removes a comment from the history table. + // This function has been updated to use PDO prepared statements. + global $dbpdo; $user = $_SESSION['sUser']; $comment = hextostr($_REQUEST['comment']); - $comment = mysql_real_escape_string($comment); - $query = "DELETE FROM history WHERE comment = '$comment'"; - mysql_query($query); - $result = mysql_error(); + $comment = $comment; + $statement = "DELETE FROM history WHERE comment = :comment"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":comment" => "$comment"]; + // execute the prepared statement with the params + $query->execute(array_merge($params)); + // check for errors + $error = $query->errorInfo(); + $result = ""; + // if there was no error, then $error[2] should be null + if ( ! 
is_null($error[2]) ) { + $result = $error[2]; + } $return = array("msg" => $result); - $theJSON = json_encode($return); echo $theJSON; } function map() { - global $when, $sensors; - $filter = hextostr($_REQUEST['filter']); - - if ($filter != 'empty') { - if (substr($filter, 0,4) == 'cmt ') { - $comment = explode('cmt ', $filter); - $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '$comment[1]'"; - } else { - $filter = str_replace('<','<', $filter); - $filter = str_replace('>','>', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - $filter"; - } - } else { - $qp2 = "WHERE $when - $sensors"; - } + // This function is called when the user clicks the SUMMARY tab. + // This function has been updated to use PDO prepared statements. - $srcq = "SELECT COUNT(src_ip) AS c, msrc.cc + global $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; + $srcstatement = "SELECT COUNT(src_ip) AS c, msrc.cc FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip @@ -715,7 +844,7 @@ function map() { GROUP BY msrc.cc ORDER BY c DESC"; - $dstq = "SELECT COUNT(dst_ip) AS c, mdst.cc + $dststatement = "SELECT COUNT(dst_ip) AS c, mdst.cc FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip 
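Review bot: `$comment = $comment;` in remove_comment is a leftover from deleting the `mysql_real_escape_string` call and should be removed. The new `DELETE FROM history WHERE comment = :comment` deletes every history row carrying that comment text with no username or ownership condition, whereas the `remove` case in filters() constrains on `username = :user`; if that asymmetry is intentional a comment saying so would help, since `$user` is read and then unused. In map() the new `global` line imports `$sv`, `$when` and `$sensors` although the hunk uses none of them directly (`$when`/`$sensors` are subsumed by `$qp2`); the same unused `$sv` import appears in summary and view.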
@@ -726,16 +855,23 @@ function map() { AND mdst.cc IS NOT NULL GROUP BY mdst.cc ORDER BY c DESC"; - - $srcr = mysql_query($srcq); - $dstr = mysql_query($dstq); + // prepare statements + $srcquery = $dbpdo->prepare("$srcstatement"); + // merge params + $merged_params = array_merge($sensor_params, $qp2_params); + // debug + //error_log("srcstatement: $srcstatement"); + //error_log("dststatement: $dststatement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $srcquery->execute($merged_params); // A => src, B=> dst, C=> cumulative $a1 = $a2 = $b1 = $b2 = array(); $aHit = $bHit = $cHit = 'no'; // Source countries and count - while ($row = mysql_fetch_row($srcr)) { + while ($row = $srcquery->fetch(PDO::FETCH_NUM)) { $a1[] = $row[0]; $a2[] = $row[1]; $c1[] = $row[0]; @@ -744,10 +880,12 @@ function map() { $cHit = 'yes'; } + $dstquery = $dbpdo->prepare("$dststatement"); + $dstquery->execute($merged_params); // Destination countries and count // As we loop through we check to see if we hit a country // that we already processed so that we can derive a sum - while ($row = mysql_fetch_row($dstr)) { + while ($row = $dstquery->fetch(PDO::FETCH_NUM)) { $b1[] = $row[0]; $b2[] = $row[1]; if ($aHit == 'yes') { @@ -821,7 +959,11 @@ function makeDetail($x1,$x2) { } function sensors() { - $query = "SELECT net_name AS f1, + // This function gets the list of sensors. + // This function has been updated to use PDO prepared statements. + global $dbpdo; + //$query = "SELECT net_name AS f1, + $statement = "SELECT net_name AS f1, hostname AS f2, agent_type AS f3, sensor.sid AS f4 
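Review bot: `$dstquery` is prepared and executed only after the source loop has drained `$srcquery`, with the identical `$merged_params`; that ordering is presumably required because the connection uses unbuffered queries (summary's comment says rowCount is unavailable for that reason), but nothing says so, and the `// prepare statements` comment announces two preparations where one follows. A one-line comment such as `// must run after $srcquery is fully fetched: unbuffered connection allows one active statement` at the `$dstquery->execute` would stop the next reader from "tidying" it back together. In sensors() the commented-out `//$query = "SELECT net_name AS f1,` line is dead and should go, and the `//error_log("merged_params: " . print_r($merged_params,1));` debug lines repeated across the file would, if uncommented, write user-supplied filter values to the server log — a single debug flag checked in one place is easier to keep off in production than a dozen commented lines.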
@@ -829,26 +971,44 @@ function sensors() { WHERE agent_type != 'pcap' AND active = 'Y' ORDER BY net_name ASC"; - - $result = mysql_query($query); - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // execute the prepared statement + $query->execute(); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); echo $theJSON; } function user_profile() { + // This function updates the timezone offset in the user profile. + // This function has been updated to use PDO prepared statements. + global $dbpdo; $user = $_SESSION['sUser']; $tz = hextostr($_REQUEST['tz']); $validtz = "/^(-12:00|-11:00|-10:00|-09:30|-09:00|-08:00|-07:00|-06:00|-05:00|-04:30|-04:00|-03:30|-03:00|-02:00|-01:00|\+00:00|\+01:00|\+02:00|\+03:00|\+03:30|\+04:00|\+04:30|\+05:00|\+05:30|\+05:45|\+06:00|\+06:30|\+07:00|\+08:00|\+08:45|\+09:00|\+09:30|\+10:00|\+10:30|\+11:00|\+11:30|\+12:00|\+12:45|\+13:00|\+14:00)$/"; if (preg_match($validtz, $tz)) { - $query = "UPDATE user_info SET tzoffset = '$tz' WHERE username = '$user'"; - mysql_query($query); - $result = mysql_error(); + // prepare statement + $statement = "UPDATE user_info SET tzoffset = :tz WHERE username = :user"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":tz" => "$tz", ":user" => "$user"]; + // execute the prepared statement with the params + $query->execute($params); + // check for errors + $error = $query->errorInfo(); + $result = ""; + // if there was no error, then $error[2] should be null + if ( ! is_null($error[2]) ) { + $result = $error[2]; + } // Update session offset $_SESSION['tzoffset'] = $tz; } else { 
@@ -860,56 +1020,54 @@ function user_profile() { } function summary() { - global $when, $sensors; + // This function is called when the user clicks the SUMMARY tab. + // This function has been updated to use PDO prepared statements. + + global $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; $limit = $_REQUEST['limit']; $qargs = $_REQUEST['qargs']; $filter = hextostr($_REQUEST['filter']); list($type,$subtype) = explode("-", $qargs); $oppip = "src"; - if ($subtype == "src") { $oppip = "dst"; } - - if ($filter != 'empty') { - if (substr($filter, 0,4) == 'cmt ') { - $comment = explode('cmt ', $filter); - $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '$comment[1]'"; - } else { - $filter = str_replace('<','<', $filter); - $filter = str_replace('>','>', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - $filter"; - } - } else { - $qp2 = "WHERE $when - $sensors"; - } + // subtype is controlled by user, don't trust it + $cleansubtype = ""; + switch ($subtype) { + case "src": + $cleansubtype = "src"; + $oppip = "dst"; + break; + case "dst": + $cleansubtype = "dst"; + break; + case "sig": + $cleansubtype = "sig"; + break; + } switch ($type) { case "ip": - $query = "SELECT COUNT(event.{$subtype}_ip) AS f1, + $statement = "SELECT COUNT(event.{$cleansubtype}_ip) AS f1, COUNT(DISTINCT(event.signature)) AS f2, COUNT(DISTINCT(event.{$oppip}_ip)) AS f3, - m{$subtype}.cc AS f4, - m{$subtype}.c_long AS f5, - INET_NTOA(event.{$subtype}_ip) AS f6, - o{$subtype}.value AS f7 + m{$cleansubtype}.cc AS f4, + m{$cleansubtype}.c_long AS f5, + INET_NTOA(event.{$cleansubtype}_ip) AS f6, + o{$cleansubtype}.value AS f7 FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip - LEFT JOIN object_mappings AS o{$subtype} ON event.{$subtype}_ip = o{$subtype}.object - AND o{$subtype}.type = 'ip_c' + LEFT JOIN object_mappings AS o{$cleansubtype} 
ON event.{$cleansubtype}_ip = o{$cleansubtype}.object + AND o{$cleansubtype}.type = 'ip_c' $qp2 GROUP BY f6 ORDER BY f1 DESC"; break; case "pt": - $query = "SELECT COUNT(event.{$subtype}_port) AS f1, + $statement = "SELECT COUNT(event.{$cleansubtype}_port) AS f1, COUNT(DISTINCT(event.signature)) AS f2, COUNT(DISTINCT(event.src_ip)) AS f3, COUNT(DISTINCT(event.dst_ip)) AS f4, - event.{$subtype}_port AS f5 + event.{$cleansubtype}_port AS f5 FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip @@ -918,7 +1076,7 @@ function summary() { ORDER BY f1 DESC"; break; case "sig": - $query = "SELECT COUNT(event.signature) AS f1, + $statement = "SELECT COUNT(event.signature) AS f1, COUNT(DISTINCT(event.src_ip)) AS f2, COUNT(DISTINCT(event.dst_ip)) AS f3, event.signature_id AS f4, 
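Review bot: When `$subtype` is not `src`, `dst` or `sig`, `$cleansubtype` remains `""` and the `ip`, `pt` and `cc` cases build identifiers such as `event._ip` and `m.cc`, which fail at prepare/execute and, with execute unchecked later in the function, come back as an empty result; likewise an unknown `$type` leaves `$statement` undefined and the code reaches `$dbpdo->prepare(null)`. Adding a `default:` to the `$subtype` switch and one to the `$type` switch that emit an error JSON (`echo json_encode(array("msg" => "invalid qargs")); return;`) turns a confusing empty answer into an explicit one; the `sig` type is the only case that tolerates an empty `$cleansubtype`. `$limit = $_REQUEST['limit'];` is later compared as a raw request string in `$i <= $limit`; `(int)$_REQUEST['limit']` makes the intent explicit. summary() continues in the next hunk, which runs past the end of this view.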
@@ -931,64 +1089,62 @@ function summary() { ORDER BY f1 DESC"; break; case "cc": - $query = "SELECT COUNT(event.{$subtype}_ip) AS f1, + $statement = "SELECT COUNT(event.{$cleansubtype}_ip) AS f1, COUNT(DISTINCT(event.signature)) AS f2, COUNT(DISTINCT(event.{$oppip}_ip)) AS f3, - m{$subtype}.cc AS f4, - m{$subtype}.c_long AS f5, - COUNT(DISTINCT(event.{$subtype}_ip)) AS f6 + m{$cleansubtype}.cc AS f4, + m{$cleansubtype}.c_long AS f5, + COUNT(DISTINCT(event.{$cleansubtype}_ip)) AS f6 FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip $qp2 - AND event.{$subtype}_ip NOT BETWEEN 167772160 AND 184549375 - AND event.{$subtype}_ip NOT BETWEEN 2886729728 AND 2886795263 - AND event.{$subtype}_ip NOT BETWEEN 3232235520 AND 3232301055 - AND m{$subtype}.cc IS NOT NULL GROUP BY m{$subtype}.cc ORDER BY f1 DESC"; + AND event.{$cleansubtype}_ip NOT BETWEEN 167772160 AND 184549375 + AND event.{$cleansubtype}_ip NOT BETWEEN 2886729728 AND 2886795263 + AND event.{$cleansubtype}_ip NOT BETWEEN 3232235520 AND 3232301055 + AND m{$cleansubtype}.cc IS NOT NULL GROUP BY m{$cleansubtype}.cc ORDER BY f1 DESC"; break; } - $result = mysql_query($query); + + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . 
print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + $rows = array(); $i = 0; $n = 0; - $r = mysql_num_rows($result); - while ($row = mysql_fetch_assoc($result)) { + // unbuffered query can't do rowCount, replacing with $i below + //$r = $query->rowCount(); + + # iterate through each row of the filter table + while ($row = $query->fetch(PDO::FETCH_ASSOC)) { $n += $row["f1"]; $i++; if ($i <= $limit) $rows[] = $row; } - $rows[] = array("n" => $n, "r" => $r); + $rows[] = array("n" => $n, "r" => $i); $theJSON = json_encode($rows); echo $theJSON; } function view() { - global $when, $sensors; + // This function is called when the user clicks the VIEWS tab. + // This function has been updated to use PDO prepared statements. + + global $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; $qargs = $_REQUEST['qargs']; $filter = hextostr($_REQUEST['filter']); list($type,$subtype) = explode("-", $qargs); - if ($filter != 'empty') { - if (substr($filter, 0,4) == 'cmt ') { - $comment = explode('cmt ', $filter); - $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '$comment[1]'"; - } else { - $filter = str_replace('<','<', $filter); - $filter = str_replace('>','>', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - $filter"; - } - } else { - $qp2 = "WHERE $when - $sensors"; - } - switch ($type) { case "ip": - $query = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, + $statement = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, CONCAT_WS('|', INET_NTOA(event.dst_ip), mdst.cc, mdst.c_long) AS target, COUNT(event.src_ip) AS value FROM event 
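Review bot: The commented-out `error_log` debug lines at the `// debug` marker in summary() (and again at the same spot in view() below) should be dropped rather than shipped, and `prepare("$statement")` wraps an existing string in a new string for no effect — `prepare($statement)` reads cleaner. The `"r" => $i` change is sound because the loop fetches every row, but the `# iterate through each row` comment uses `#` where the rest of the function uses `//`. In view(), `$subtype` from `list($type,$subtype) = explode("-", $qargs)` is no longer read anywhere visible once the filter block is gone; if that holds for the rest of the function, `list($type) = explode("-", $qargs);` says so. view() continues past this hunk.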
@@ -999,7 +1155,7 @@ function view() { GROUP BY source,target"; break; case "ips": - $query = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, + $statement = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, event.signature AS sig, CONCAT_WS('|', INET_NTOA(event.dst_ip), mdst.cc, mdst.c_long) AS target, COUNT(event.src_ip) AS value @@ -1011,7 +1167,7 @@ function view() { GROUP BY source,target"; break; case "sc": - $query = "SELECT CONCAT_WS('|' ,msrc.c_long, msrc.cc) AS source, + $statement = "SELECT CONCAT_WS('|' ,msrc.c_long, msrc.cc) AS source, CONCAT_WS('|',INET_NTOA(event.dst_ip), mdst.cc) AS target, COUNT(event.src_ip) AS value FROM event @@ -1025,7 +1181,7 @@ function view() { GROUP BY source,target"; break; case "dc": - $query = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc) AS source, + $statement = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc) AS source, CONCAT_WS('|', mdst.c_long, mdst.cc) AS target, COUNT(event.dst_ip) AS value FROM event 
@@ -1039,18 +1195,23 @@ function view() { GROUP BY source,target"; break; } - $result = mysql_query($query); - $rc = mysql_num_rows($result); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + + // unbuffered query can't do rowCount, replacing with $records below + //$rc = $query->rowCount(); $records = 0; $rows = $srcs = $tgts = $vals = $skip = $names = $_names = array(); - - if ($rc == 0) { - $theJSON = json_encode(array("nodes" => $names, "links" => $rows, "records" => $records)); - echo $theJSON; - exit(); - } - - while ($row = mysql_fetch_assoc($result)) { +/* +*/ + while ($row = $query->fetch(PDO::FETCH_ASSOC)) { if ($type == "ips") { $srcs[] = $row["source"]; $tgts[] = $row["sig"]; @@ -1066,6 +1227,12 @@ function view() { $sads[] = 0; $records++; } + + if ($records == 0) { + $theJSON = json_encode(array("nodes" => $names, "links" => $rows, "records" => $records)); + echo $theJSON; + exit(); + } // Value counts $src_c = array_count_values($srcs); $tgt_c = array_count_values($tgts); 
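Review bot: The empty `/*` `*/` pair left where the old `$rc == 0` early exit stood is dead markup and should be removed; the early return itself is now correctly placed after the fetch loop, where `$records` has been counted. The comment `// unbuffered query can't do rowCount` does not match this connection — nothing visible in callback.php turns off `MYSQL_ATTR_USE_BUFFERED_QUERY`, so the statement is buffered — and counting while fetching is the portable choice anyway; `// rowCount() is unreliable for SELECT across drivers; count rows while fetching` states the real reason. view() continues past this hunk.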
@@ -1075,33 +1242,33 @@ function view() { foreach ($srcs as $index => $src) { // Find the target if (in_array($index, $skip)) { continue; } - $tgt = $tgts[$index]; - // Find the keys for all instances of the target as a source - $tgt_keys = array_keys($srcs,$tgt); - // Now see if any have the source as a target - foreach ($tgt_keys as $pos) { - if ($tgts[$pos] == $src) { - $sads_val = $vals[$pos]; - unset($srcs[$pos]); - unset($tgts[$pos]); - unset($vals[$pos]); - unset($sads[$pos]); - // Add offset to be skipped - $skip[] = $pos; - // By setting this we flag that this source is also a target - $sads[$index] = $sads_val; + $tgt = $tgts[$index]; + // Find the keys for all instances of the target as a source + $tgt_keys = array_keys($srcs,$tgt); + // Now see if any have the source as a target + foreach ($tgt_keys as $pos) { + if ($tgts[$pos] == $src) { + $sads_val = $vals[$pos]; + unset($srcs[$pos]); + unset($tgts[$pos]); + unset($vals[$pos]); + unset($sads[$pos]); + // Add offset to be skipped + $skip[] = $pos; + // By setting this we flag that this source is also a target + $sads[$index] = $sads_val; + } } - } - // If there is no filter, remove 1:1s with a count of 1 - if ($filter == 'empty') { - if ($vals[$index] == 1 && $sads[$index] == 0 && $src_c[$src] == 1) { - unset($srcs[$index]); - unset($tgts[$index]); - unset($vals[$index]); - unset($sads[$index]); - } - } + // If there is no filter, remove 1:1s with a count of 1 + if ($filter == 'empty') { + if ( isset($vals[$index]) && $vals[$index] == 1 && isset($sads[$index]) && $sads[$index] == 0 && isset($src_c[$src]) && $src_c[$src] == 1) { + unset($srcs[$index]); + unset($tgts[$index]); + unset($vals[$index]); + unset($sads[$index]); + } + } } // We have probably truncated these so realign the indexes 
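Review bot: The new `isset()` guards on `$vals[$index]`, `$sads[$index]` and `$src_c[$src]` appear to cover the case where the inner `foreach` has already `unset()` the current `$index` (a self-loop, where `$tgt_keys` from `array_keys($srcs,$tgt)` contains `$index` itself); if that is the situation being guarded, a comment saying so — `// the inner loop may have removed $index itself (self-loop); skip it` — would help the next reader. `$skip[] = $pos;` feeds `in_array($index, $skip)` at the top of the outer loop, which is a linear scan per iteration; `$skip[$pos] = true;` with `isset($skip[$index])` keeps the same behaviour at constant cost, assuming nothing else reads `$skip`. `$tgts[$pos] == $src` compares strings produced by `CONCAT_WS`, where `===` avoids PHP's numeric-string coercion. The enclosing loop continues past this hunk.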
@@ -1146,29 +1313,34 @@ function view() { } function autocat() { + // This function queries and updates sguild's list of autocats. + // This function has been updated to use PDO prepared statements. + global $dbpdo; $usr = $_SESSION['sUser']; $pwd = $_SESSION['sPass']; $offset = $_SESSION['tzoffset']; - $mode = mysql_real_escape_string($_REQUEST['mode']); + $mode = $_REQUEST['mode']; switch ($mode) { case "query" : - $query = "SELECT autoid, CONVERT_TZ(erase,'+00:00','$offset') AS erase, sensorname, + // build statement + $statement = "SELECT autoid, CONVERT_TZ(erase,'+00:00', :offset1) AS erase, sensorname, src_ip, src_port, dst_ip, dst_port, ip_proto, - signature, status, active, CONVERT_TZ(timestamp,'+00:00','$offset') AS ts, + signature, status, active, CONVERT_TZ(timestamp,'+00:00', :offset2) AS ts, u.username AS user, comment FROM autocat LEFT JOIN user_info AS u ON autocat.uid = u.uid ORDER BY ts DESC"; - - $result = mysql_query($query); - - $rows = array(); - - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } - + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":offset1" => "$offset", ":offset2" => "$offset"]; + // execute the prepared statement with the params + $query->execute($params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); break; 
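Review bot: The duplicated placeholders `:offset1`/`:offset2` (and the same pattern in objhistory() and addremoveobject() further down) exist because the connection turns off `ATTR_EMULATE_PREPARES`, and the native MySQL driver does not allow one named parameter to be bound twice in a statement; nothing in the code records that, so a later cleanup would likely merge them and break. A one-line comment where `$params` is built, `// emulation is off, so each named placeholder may appear only once in the statement`, would capture the constraint. Quoting already-string values as `"$offset"` adds nothing; `":offset1" => $offset` is equivalent. `$usr` and `$pwd` are read from the session at the top of autocat() but nothing in this hunk uses them; if the rest of the function does not either, they are dead. autocat() continues past this hunk.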
@@ -1235,10 +1407,22 @@ function autocat() { } if ($rm == 1) { - $query = "DELETE FROM autocat WHERE autoid = $id"; + $statement = "DELETE FROM autocat WHERE autoid = :id"; + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":id" => "$id"]; + // execute the prepared statement with the params + $query->execute($params); + $result = $query->errorInfo(); + $err = ""; + // if there was no error, then $result[2] should be null + if ( ! is_null($result[2]) ) { + $err = $result[2]; + } - mysql_query($query); - $err = mysql_error(); } $result = array("dbg" => htmlspecialchars($debug), @@ -1328,11 +1512,13 @@ function esquery() { } function addremoveobject() { - $user = $_SESSION['sUser']; - $obtype = mysql_real_escape_string($_REQUEST['obtype']); - $object = mysql_real_escape_string(hextostr($_REQUEST['object'])); - $value = mysql_real_escape_string($_REQUEST['value']); - $op = mysql_real_escape_string($_REQUEST['op']); + // This function adds objects to and removes objects from the object_mappings table. + // This function has been updated to use PDO prepared statements. + global $dbpdo; + $obtype = $_REQUEST['obtype']; + $object = hextostr($_REQUEST['object']); + $value = $_REQUEST['value']; + $op = $_REQUEST['op']; // For everything but tags we want to replace the existing value $hash = md5($obtype . $object); 
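Review bot: The `errorInfo()` check after `$query->execute($params)` cannot observe a failed DELETE: with `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` on the connection (as the callback.php hunk later in this series configures it), `execute()` throws and the exception leaves autocat() uncaught, so `$err` stays empty and the client gets a server error instead of the JSON it expects. Replace the `errorInfo()` block with `try { $query->execute($params); } catch (PDOException $e) { error_log($e->getMessage()); $err = 'delete failed'; }` — logging the driver text and returning a generic string, since `$err` ends up in the response. The same dead `errorInfo()` pattern is in addremoveobject() in the `@@ -1346,48 +1532,70 @@` hunk. In the addremoveobject() hunk, binding `$obtype`, `$value` and `$op` instead of escaping them is correct; `$obtype` still also flows into `md5($obtype . $object)` for `$hash`, which is fine as a row key but worth a comment. The `$id` used in the DELETE comes from above this hunk and is not visible here.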
@@ -1346,48 +1532,70 @@ function addremoveobject() { break; } + // Are we adding or removing? switch ($op) { case "add": - $query = "INSERT INTO object_mappings (type,object,value,hash) - VALUES ('$obtype','$object','$value','$hash') + // If adding object, insert into table. + $statement = "INSERT INTO object_mappings (type,object,value,hash) + VALUES (:obtype1,:object1,:value1,:hash1) ON DUPLICATE KEY UPDATE - type='$obtype',object='$object',value='$value',hash='$hash'"; + type=:obtype2,object=:object2,value=:value2,hash=:hash2"; + // build parameters for prepared statement + $params = [":obtype1" => "$obtype", ":object1" => "$object", ":value1" => "$value", ":hash1" => "$hash", ":obtype2" => "$obtype", ":object2" => "$object", ":value2" => "$value", ":hash2" => "$hash"]; break; case "rm": - $query = "DELETE FROM object_mappings WHERE hash = '$hash'"; + // If removing object, delete from table. + $statement = "DELETE FROM object_mappings WHERE hash = :hash"; + // build parameters for prepared statement + $params = [":hash" => "$hash"]; break; } - - mysql_query($query); - $result = mysql_error(); - $return = array("msg" => $result); - + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // execute the prepared statement with the params + $query->execute($params); + // check for errors + $result = $query->errorInfo(); + $error = ""; + // if there was no error, then $result[2] should be null + if ( ! is_null($result[2]) ) { + $error = $result[2]; + } + $return = array("msg" => $error); $theJSON = json_encode($return); echo $theJSON; } function getcolour() { - $user = $_SESSION['sUser']; - - $query = "SELECT object, value AS colour + // This function gets the color mappings from the object_mappings table. + // This function has been updated to use PDO prepared statements. 
+ global $dbpdo; + // build statement + $statement = "SELECT object, value AS colour FROM object_mappings WHERE type = 'el_c'"; - - $result = mysql_query($query); - $rows = array(); - while ($row = mysql_fetch_assoc($result)) { - $rows[] = $row; - } + // debug + //error_log("$statement"); + // prepare statement + $query = $dbpdo->prepare("$statement"); + // execute the prepared statement + $query->execute(); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); $theJSON = json_encode($rows); echo $theJSON; } function objhistory () { - global $offset, $start, $sdate; + // This function returns the history for an object over the last 7 days. + // This function has been updated to use PDO prepared statements. + global $offset, $start, $sdate, $sdatetime, $offset, $dbpdo; $object = hextostr($_REQUEST['object']); $object = str_replace("aa", "", $object); - // Plant, animal or mineral? + // Is object an IP address? $re = '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/'; $obtype = 0; if (preg_match($re, $object)) { 
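Review bot: `switch ($op)` has no `default`, so an `op` value other than `add`/`rm` leaves `$statement` and `$params` undefined and the code goes on to `prepare("")` and `execute(null)`, which fails as an uncaught exception rather than as the JSON `msg` the client expects; add `default: echo json_encode(array("msg" => "unknown op")); return;` ahead of the prepare. The eight-entry `$params` array for the `add` case is one very long line; one `":name" => $value,` pair per line would make the 1/2 suffix pairing visible. In objhistory()'s `global` line `$offset` is listed twice — harmless, but a leftover. getcolour() and the start of objhistory() continue past this hunk.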
@@ -1395,45 +1603,66 @@ function objhistory () { } switch ($obtype) { - case 0: $subject = "signature_id = '$object'"; break; - case 1: $subject = "(src_ip = INET_ATON('$object') OR dst_ip = INET_ATON('$object'))"; break; - } - - $query = "SELECT - DATE(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS day, - HOUR(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS hour, + case 0: + $subject = "signature_id = :object"; + $statement = "SELECT + DATE(CONVERT_TZ(event.timestamp,'+00:00', :offset1)) AS day, + HOUR(CONVERT_TZ(event.timestamp,'+00:00', :offset2)) AS hour, + COUNT(event.timestamp) AS value + FROM event + WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime1,:offset3,'+00:00') - INTERVAL 6 DAY AND CONVERT_TZ(:sdatetime2,:offset4,'+00:00') + INTERVAL 1 DAY + AND signature_id = :object + GROUP BY day,hour + ORDER BY day ASC"; + $params = [":offset1" => "$offset", ":offset2" => "$offset", ":sdatetime1" => "$sdatetime", ":offset3" => "$offset", ":sdatetime2" => "$sdatetime", ":offset4" => "$offset", ":object" => "$object"]; + break; + + case 1: + $subject = "(src_ip = INET_ATON('$object') OR dst_ip = INET_ATON('$object'))"; + $statement = "SELECT + DATE(CONVERT_TZ(event.timestamp,'+00:00', :offset1)) AS day, + HOUR(CONVERT_TZ(event.timestamp,'+00:00', :offset2)) AS hour, COUNT(event.timestamp) AS value FROM event - WHERE event.timestamp BETWEEN $start - INTERVAL 6 DAY AND $start + INTERVAL 1 DAY - AND $subject + WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime1,:offset3,'+00:00') - INTERVAL 6 DAY AND CONVERT_TZ(:sdatetime2,:offset4,'+00:00') + INTERVAL 1 DAY + AND (src_ip = INET_ATON(:object1) OR dst_ip = INET_ATON(:object2)) GROUP BY day,hour ORDER BY day ASC"; + $params = [":offset1" => "$offset", ":offset2" => "$offset", ":sdatetime1" => "$sdatetime", ":offset3" => "$offset", ":sdatetime2" => "$sdatetime", ":offset4" => "$offset", ":object1" => "$object", ":object2" => "$object"]; + break; + } + $query = $dbpdo->prepare("$statement"); + // original used 
unbuffered query, but that doesn't seem to work with PDO? + //$result = mysql_unbuffered_query($query); + //$query->setAttribute( PDO::MYSQL_ATTR_USE_BUFFERED_QUERY, False ); + $query->execute(array_merge($params)); $rows1 = $rows2 = array(); $r1 = $r2 = 0; - - $result = mysql_unbuffered_query($query); - - while ($row = mysql_fetch_assoc($result)) { + while ($row = $query->fetch(PDO::FETCH_ASSOC)) { $rows1[] = $row; $r1++; } - $result = ""; if ($r1 != 0 && $obtype == 1) { - $query = "SELECT + $statement = "SELECT COUNT(signature_id) AS value, signature AS label, signature_id AS sid FROM event - WHERE event.timestamp BETWEEN $start - INTERVAL 6 DAY AND $start + INTERVAL 1 DAY - AND $subject + WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime1,:offset1,'+00:00') - INTERVAL 6 DAY AND CONVERT_TZ(:sdatetime2,:offset2,'+00:00') + INTERVAL 1 DAY + AND (src_ip = INET_ATON(:object1) OR dst_ip = INET_ATON(:object2)) GROUP BY signature_id ORDER BY value DESC"; - $result = mysql_unbuffered_query($query); - while ($row = mysql_fetch_assoc($result)) { + $params = [":sdatetime1" => "$sdatetime", ":offset1" => "$offset", ":sdatetime2" => "$sdatetime", ":offset2" => "$offset", ":object1" => "$object", ":object2" => "$object"]; + // original used unbuffered query, but that doesn't seem to work with PDO? + //$result = mysql_unbuffered_query($query); + //$query->setAttribute( PDO::MYSQL_ATTR_USE_BUFFERED_QUERY, False ); + $query = $dbpdo->prepare("$statement"); + $query->execute(array_merge($params)); + while ($row = $query->fetch(PDO::FETCH_ASSOC)) { $rows2[] = $row; $r2++; } 
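Review bot: Both `case` arms still assign `$subject`, and the `case 1` arm interpolates the request-derived `$object` straight into an SQL fragment (`INET_ATON('$object')`) even though the new statements bind `:object1`/`:object2` and never read `$subject`; the string is dead now, but it is exactly the kind of line a later edit splices back into a query, so delete both `$subject = ...` lines. `array_merge($params)` with a single argument is a no-op in both execute calls; `$query->execute($params)` is equivalent. The comment `// original used unbuffered query, but that doesn't seem to work with PDO?` should be resolved rather than shipped with a question mark — each SELECT here is fetched to completion before the next prepare, so buffering is not needed for correctness — and the commented `setAttribute` line can go with it. objhistory() continues past this hunk.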
@@ -1444,30 +1673,12 @@ function objhistory () { } function times() { - global $offset, $when, $sensors; - $filter = hextostr($_REQUEST['filter']); - if ($filter != 'empty') { - if (substr($filter, 0,4) == 'cmt ') { - $comment = explode('cmt ', $filter); - $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid - WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "' - AND $when $sensors"; - } else { - // this needs to be fixed - $filter = str_replace('<','<', $filter); - $filter = str_replace('>','>', $filter); - $filter = "AND " . $filter; - $qp2 = "WHERE $when - $sensors - $filter"; - } - } else { - $qp2 = "WHERE $when - $sensors"; - } + // This function returns data to the times visualization on the EVENTS tab. + // This function has been updated to use PDO prepared statements. - $query = "SELECT - SUBSTRING(CONVERT_TZ(event.timestamp,'+00:00','$offset'),12,5) AS time, + global $offset, $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; + $statement = "SELECT + SUBSTRING(CONVERT_TZ(event.timestamp,'+00:00',:substringoffset),12,5) AS time, COUNT(signature) AS count FROM event LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip @@ -1475,11 +1686,22 @@ function times() { $qp2 GROUP BY time ORDER BY event.timestamp"; - $result = mysql_query($query); + // add params for local part of statement + $local_params[':substringoffset'] = "$offset"; + // prepare statement + $query = $dbpdo->prepare("$statement"); + // merge params + $merged_params = array_merge($local_params, $sensor_params, $qp2_params); + // debug + //error_log("statement: $statement"); + //error_log("merged_params: " . print_r($merged_params,1)); + // execute the prepared statement with the params + $query->execute($merged_params); + $rows = array(); $r = $m = 0; - while ($row = mysql_fetch_assoc($result)) { + while ($row = $query->fetch(PDO::FETCH_ASSOC)) { $rows[] = $row; $cnts[] = $row['count']; $r++; 
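Review bot: `$local_params[':substringoffset'] = "$offset";` writes into an array that was never initialised; `$local_params = array(':substringoffset' => $offset);` is clearer and does not rely on PHP's implicit array creation. The hunk also drops the `cmt ` comment-filter branch and the `$when`/`$sensors` composition in favour of the global `$qp2`/`$qp2_params`, presumably built in callback.php's preamble now; a comment on the `global` line, `// $qp2 / $qp2_params are built from the request filter in callback.php`, would tell a reader where the WHERE clause comes from. `$sv` is imported via `global` here and in summary()/view() but nothing visible uses it. times() continues past this hunk.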
diff --git a/.scripts/securityonion_create_elsa_link.sh b/.scripts/securityonion_create_elsa_link.sh index eb31c8e..abf1f21 100644 --- a/.scripts/securityonion_create_elsa_link.sh +++ b/.scripts/securityonion_create_elsa_link.sh @@ -4,6 +4,8 @@ MYSQL="mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e" if [ -d /var/lib/mysql/securityonion_db/ ]; then + # Configure Squert to pivot to ELSA or Elastic for lookups. + # ELSA lookup if grep "ELSA=YES" /etc/nsm/securityonion.conf >/dev/null 2>&1; then if grep "pcap_url" /etc/elsa_web.conf >/dev/null 2>&1; then @@ -14,4 +16,16 @@ if [ -d /var/lib/mysql/securityonion_db/ ]; then fi fi + # Elastic lookup + if grep 'KIBANA_ENABLED="yes"' /etc/nsm/securityonion.conf >/dev/null 2>&1; then + # Remove ELSA link from Squert + mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'delete from filters where alias="ELSA";' + # Add Elastic link to Squert + ALIAS="Kibana" + HEXALIAS=$(xxd -pu -c 256 <<< "$ALIAS") + URL="/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\"\${var}\"')),sort:!('@timestamp',desc))" + HEXURL=$(xxd -pu -c 356 <<< "$URL") + $MYSQL "REPLACE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('url','','1','$HEXALIAS','','$ALIAS','$HEXURL');" + fi + fi diff --git a/.scripts/securityonion_update.sql b/.scripts/securityonion_update.sql index e5bc7a7..4efc304 100644 --- a/.scripts/securityonion_update.sql +++ b/.scripts/securityonion_update.sql @@ -133,6 +133,8 @@ VALUES ('url','','1','4d616c77617265446f6d61696e4c697374','','MDL','687474703a2f GRANT INSERT,UPDATE,DELETE ON filters TO 'readonly'@'localhost'; +GRANT DELETE on autocat to 'readonly'@'localhost'; + GRANT DELETE on history to 'readonly'@'localhost'; GRANT UPDATE on user_info TO 'readonly'@'localhost'; 
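Review bot: `HEXURL=$(xxd -pu -c 356 <<< "$URL")` hex-encodes the here-string's trailing newline as well, so the stored filter ends in `0a`, and `-c 356` only keeps the hex on one line while the URL stays under 356 bytes; `HEXURL=$(printf '%s' "$URL" | xxd -pu | tr -d '\n')` avoids both, assuming the ELSA branch above (outside the hunk) does not rely on the newline being there. The `delete from filters where alias="ELSA";` line calls `mysql` directly with the same options that `$MYSQL` already wraps; `$MYSQL 'delete from filters where alias="ELSA";'` keeps one definition of the connection. The inserted URL carries a literal `${var}` that Squert substitutes later; a comment naming where that substitution happens and how the value is encoded would let a reviewer confirm the Kibana query string cannot be broken by the substituted value.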
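Review bot: The account named `readonly` now also holds DELETE on `autocat`, on top of the INSERT/UPDATE/DELETE on `filters` and DELETE on `history` already granted around it; the name no longer describes the privilege set, and every delete the web tier can issue runs under this one account. A comment above the new GRANT saying why it is needed, `-- autocat() in callback.php removes rules via DELETE FROM autocat WHERE autoid = :id`, would make the widening deliberate rather than incidental. Longer term, a separate account for the write paths would keep `readonly` honest and limit what a compromised web session can change.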
diff --git a/.auth/squert/squertMain.js b/auth/native/squert/.js/squertMain.js similarity index 100% rename from .auth/squert/squertMain.js rename to auth/native/squert/.js/squertMain.js diff --git a/.auth/squert/login.php b/auth/native/squert/login.php similarity index 78% rename from .auth/squert/login.php rename to auth/native/squert/login.php index 93a44eb..7de8547 100644 --- a/.auth/squert/login.php +++ b/auth/native/squert/login.php @@ -36,6 +36,10 @@ function cleanUp($string) { if ($_SERVER['REQUEST_METHOD'] == 'POST'){ $username = $_REQUEST['username']; $password = $_REQUEST['password']; + // sso + //$username = $_SERVER['PHP_AUTH_USER']; + //$password = $_SERVER['PHP_AUTH_PW']; + $ua = $_SERVER['HTTP_USER_AGENT']; $rqt = $_SERVER['REQUEST_TIME']; $rqaddr = $_SERVER['REMOTE_ADDR']; 
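Review bot: The two commented-out `$_SERVER['PHP_AUTH_USER']`/`PHP_AUTH_PW` lines added under `// sso` are dead code in the native login; the SSO variant is `auth/sso/squert/login.php` in this same patch, so the native file should not carry a second copy to keep in sync. Drop the three lines, or replace them with `// SSO variant: see auth/sso/squert/login.php`. The POST handler continues past this hunk.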
@@ -45,16 +49,29 @@ function cleanUp($string) { $ua .= mt_rand(0,$max); $cmpid = $rqt . $rqaddr . $ua; $id = md5($cmpid); - $db = mysql_connect($dbHost,$dbUser,$dbPass); - $link = mysql_select_db($dbName, $db); - if ($link) { - $user = cleanUp($username); - $query = "SELECT * FROM user_info WHERE username = '$user'"; - $result = mysql_query($query); - $numRows = mysql_num_rows($result); + // PDO prepared statements + try { + // first connect to database with the PDO object. + $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [ + PDO::ATTR_EMULATE_PREPARES => false, + PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false, + PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION + ]); + } catch(PDOException $e){ + // if connection fails, log PDO error. + error_log("Error connecting to mysql: ". $e->getMessage()); + } - if ($numRows > 0) { - while ($row = mysql_fetch_row($result)) { + if (isset($dbpdo)) { + // prepare statement + $statement = "SELECT * FROM user_info WHERE username = :user"; + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":user" => "$username"]; + // execute the prepared statement and pass it params + $query->execute($params); + // fetch the data + while ($row = $query->fetch(PDO::FETCH_NUM)) { $userName = $row[1]; $lastLogin = $row[2]; $userHash = $row[3]; @@ -62,7 +79,10 @@ function cleanUp($string) { $userType = $row[5]; $userTime = $row[6]; $tzoffset = $row[7]; - } + } + + // if $username was found in database, then check password + if ( isset($userName) && $username == $userName) { // The first 2 chars are the salt $theSalt = substr($userHash, 0,2); @@ -130,7 +150,7 @@ function cleanUp($string) {
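Review bot: `if ( isset($userName) && $username == $userName)` should use `===`: with a typical MySQL collation the `WHERE username = :user` lookup matches case-insensitively, so this PHP comparison is the step that enforces an exact match, and `==` on strings applies numeric-string coercion (`"1e3" == "1000"` is true). The connection string here uses `charset=latin1` while the callback.php connection in this series uses `charset=utf8`; if `user_info.username` holds non-ASCII data the two paths see different bytes, so pick one and comment the choice (`// must match the user_info table charset`). On connect failure the `catch` only logs and execution continues past the `isset($dbpdo)` block; what the page then does is outside this hunk, but a comment there recording that a DB failure must fail closed (no session is created) would document the intent. The same hunk is applied to `auth/sso/squert/login.php` (`@@ -48,16 +49,29 @@`) and these points apply there too.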

-
Version 1.6.7©2016 Paul Halliday
+
Version 1.7.0©2016 Paul Halliday
diff --git a/.auth/sso/squertMain.js b/auth/sso/squert/.js/squertMain.js similarity index 100% rename from .auth/sso/squertMain.js rename to auth/sso/squert/.js/squertMain.js diff --git a/.auth/sso/login.php b/auth/sso/squert/login.php similarity index 80% rename from .auth/sso/login.php rename to auth/sso/squert/login.php index 0f778e6..83d6042 100644 --- a/.auth/sso/login.php +++ b/auth/sso/squert/login.php @@ -36,6 +36,7 @@ function cleanUp($string) { //if ($_SERVER['REQUEST_METHOD'] == 'POST'){ //$username = $_REQUEST['username']; //$password = $_REQUEST['password']; + // sso $username = $_SERVER['PHP_AUTH_USER']; $password = $_SERVER['PHP_AUTH_PW']; 
@@ -48,16 +49,29 @@ function cleanUp($string) { $ua .= mt_rand(0,$max); $cmpid = $rqt . $rqaddr . $ua; $id = md5($cmpid); - $db = mysql_connect($dbHost,$dbUser,$dbPass); - $link = mysql_select_db($dbName, $db); - if ($link) { - $user = cleanUp($username); - $query = "SELECT * FROM user_info WHERE username = '$user'"; - $result = mysql_query($query); - $numRows = mysql_num_rows($result); + // PDO prepared statements + try { + // first connect to database with the PDO object. + $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [ + PDO::ATTR_EMULATE_PREPARES => false, + PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false, + PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION + ]); + } catch(PDOException $e){ + // if connection fails, log PDO error. + error_log("Error connecting to mysql: ". $e->getMessage()); + } - if ($numRows > 0) { - while ($row = mysql_fetch_row($result)) { + if (isset($dbpdo)) { + // prepare statement + $statement = "SELECT * FROM user_info WHERE username = :user"; + $query = $dbpdo->prepare("$statement"); + // build parameters for prepared statement + $params = [":user" => "$username"]; + // execute the prepared statement and pass it params + $query->execute($params); + // fetch the data + while ($row = $query->fetch(PDO::FETCH_NUM)) { $userName = $row[1]; $lastLogin = $row[2]; $userHash = $row[3]; @@ -65,7 +79,10 @@ function cleanUp($string) { $userType = $row[5]; $userTime = $row[6]; $tzoffset = $row[7]; - } + } + + // if $username was found in database, then check password + if ( isset($userName) && $username == $userName) { // The first 2 chars are the salt $theSalt = substr($userHash, 0,2); @@ -133,7 +150,7 @@ function cleanUp($string) {

-
Version 1.6.4©2016 Paul Halliday
+
Version 1.7.0©2016 Paul Halliday
diff --git a/debian/changelog b/debian/changelog index 8d73921..4d854bf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,63 @@ +securityonion-squert (20161212-1ubuntu1securityonion26) trusty; urgency=medium + + * migrate login.php to prepared statements + + -- Doug Burks Sun, 21 Jan 2018 13:33:27 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion25) trusty; urgency=medium + + * allow pivot to ELSA or Elastic + + -- Doug Burks Fri, 19 Jan 2018 16:55:16 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion24) trusty; urgency=medium + + * improve callback.php and grant permission to autocat table + + -- Doug Burks Fri, 19 Jan 2018 16:11:02 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion23) trusty; urgency=medium + + * begin transition to pdo prepared statements + + -- Doug Burks Fri, 05 Jan 2018 18:03:20 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion22) trusty; urgency=medium + + * set version to 1.7.0 + + -- Doug Burks Wed, 03 Jan 2018 07:46:38 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion21) trusty; urgency=medium + + * move auth files to /opt/squert + + -- Doug Burks Wed, 03 Jan 2018 06:46:00 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion20) trusty; urgency=medium + + * fix postinst + + -- Doug Burks Tue, 02 Jan 2018 17:45:10 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion19) trusty; urgency=medium + + * improve postinst + + -- Doug Burks Tue, 02 Jan 2018 14:44:58 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion18) trusty; urgency=medium + + * fix install + + -- Doug Burks Mon, 01 Jan 2018 19:26:53 -0500 + +securityonion-squert (20161212-1ubuntu1securityonion17) trusty; urgency=medium + + * improve calls to clicat + + -- Doug Burks Mon, 01 Jan 2018 17:00:23 -0500 + securityonion-squert (20161212-1ubuntu1securityonion16) trusty; urgency=medium * merge and adjust comment diff --git a/debian/install b/debian/install index a9dbea1..7a17818 100644 
--- a/debian/install +++ b/debian/install @@ -1,8 +1,8 @@ +auth opt/squert/ .css var/www/so/squert/ .flags var/www/so/squert/ .inc var/www/so/squert/ index.php var/www/so/squert/ .js var/www/so/squert/ -login.php var/www/so/squert/ .scripts var/www/so/squert/ .scripts/securityonion-squert.cnf etc/mysql/conf.d/ diff --git a/debian/patches/allow-pivot-to-elsa-or-elastic b/debian/patches/allow-pivot-to-elsa-or-elastic new file mode 100644 index 0000000..41c1c21 --- /dev/null +++ b/debian/patches/allow-pivot-to-elsa-or-elastic 
@@ -0,0 +1,53 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion25) trusty; urgency=medium + . + * allow pivot to ELSA or Elastic +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.scripts/securityonion_create_elsa_link.sh ++++ securityonion-squert-20161212/.scripts/securityonion_create_elsa_link.sh +@@ -4,6 +4,8 @@ MYSQL="mysql --defaults-file=/etc/mysql/ + + if [ -d /var/lib/mysql/securityonion_db/ ]; then + ++ # Configure Squert to pivot to ELSA or Elastic for lookups. 
++ + # ELSA lookup + if grep "ELSA=YES" /etc/nsm/securityonion.conf >/dev/null 2>&1; then + if grep "pcap_url" /etc/elsa_web.conf >/dev/null 2>&1; then +@@ -14,4 +16,16 @@ if [ -d /var/lib/mysql/securityonion_db/ + fi + fi + ++ # Elastic lookup ++ if grep 'KIBANA_ENABLED="yes"' /etc/nsm/securityonion.conf >/dev/null 2>&1; then ++ # Remove ELSA link from Squert ++ mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e 'delete from filters where alias="ELSA";' ++ # Add Elastic link to Squert ++ ALIAS="Kibana" ++ HEXALIAS=$(xxd -pu -c 256 <<< "$ALIAS") ++ URL="/app/kibana#/dashboard/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\"\${var}\"')),sort:!('@timestamp',desc))" ++ HEXURL=$(xxd -pu -c 356 <<< "$URL") ++ $MYSQL "REPLACE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('url','','1','$HEXALIAS','','$ALIAS','$HEXURL');" ++ fi ++ + fi diff --git a/debian/patches/begin-transition-to-pdo-prepared-statements b/debian/patches/begin-transition-to-pdo-prepared-statements new file mode 100644 index 0000000..324792d --- /dev/null +++ b/debian/patches/begin-transition-to-pdo-prepared-statements 
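Review bot: The `Description:` header of `debian/patches/allow-pivot-to-elsa-or-elastic` still carries the dpkg-source template text (`TODO: Put a short summary on the line above...`) and empty `Origin:`/`Bug:`/`Forwarded:`/`Last-Update:` placeholders; fill the first line from the changelog entry, `Description: allow pivot to ELSA or Elastic (Kibana link in the filters table)`, and delete the unused template fields. The `begin-transition-to-pdo-prepared-statements` patch that follows starts with the same template and needs the same edit. The patch body otherwise duplicates the `.scripts/securityonion_create_elsa_link.sh` hunk earlier in this commit, so any fix to that script has to be made in both places.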
@@ -0,0 +1,269 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion23) trusty; urgency=medium + . + * begin transition to pdo prepared statements +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -9,10 +9,20 @@ if (!(isset($_SESSION['sLogin']) && $_SE + $base = dirname(__FILE__); + include_once "$base/config.php"; + include_once "$base/functions.php"; +- ++// original database connection info + $link = mysql_connect($dbHost,$dbUser,$dbPass); + $db = mysql_select_db($dbName,$link); +- ++// PDO prepared statements ++try { ++ // first connect to database with the PDO object. ++ $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=utf8", "$dbUser", "$dbPass", [ ++ PDO::ATTR_EMULATE_PREPARES => false, ++ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION ++ ]); ++} catch(PDOException $e){ ++ // if connection fails, log PDO error. ++ error_log("Error connecting to mysql: ". 
$e->getMessage()); ++} + $type = $_REQUEST['type']; + + $types = array( +@@ -43,10 +53,12 @@ $types = array( + ); + + $type = $types[$type]; ++//error_log("type is $type"); + + if (isset($_REQUEST['ts'])) { + // Need EC + $tsParts = explode("|", mysql_real_escape_string(hextostr($_REQUEST['ts']))); ++ //$tsParts = explode("|", hextostr($_REQUEST['ts'])); + $sdate = $tsParts[0]; + $edate = $tsParts[1]; + $stime = $tsParts[2]; +@@ -55,15 +67,43 @@ if (isset($_REQUEST['ts'])) { + $start = "CONVERT_TZ('$sdate $stime','$offset','+00:00')"; + $end = "CONVERT_TZ('$edate $etime','$offset','+00:00')"; + $when = "event.timestamp BETWEEN $start AND $end"; ++ // combine start date and start time for prepared statements ++ $sdatetime = "$sdate $stime"; ++ // combine end date and end time for prepared statements ++ $edatetime = "$edate $etime"; + } + ++// user can specify sensors + if (isset($_REQUEST['sensors'])) { + $sensors = hextostr($_REQUEST['sensors']); + if ($sensors == 'empty') { + $sensors = ''; ++ $sensorsclean = ''; ++ $in = ''; ++ $sensor_params = array(); ++ } else { ++ // $sensors looks like this: ++ // AND event.sid IN('3','1') ++ // let's clean that up so we can use prepared statements ++ $sensorsclean = ltrim($sensors, 'AND event.sid IN('); ++ $sensorsclean = rtrim($sensorsclean, ')'); ++ $sensorsclean = str_replace("'","", $sensorsclean); ++ // now we need to dynamically build IN for prepared statement based on: ++ // https://phpdelusions.net/pdo#like ++ $ids = explode(",", $sensorsclean); ++ $in = ""; ++ foreach ($ids as $i => $item) ++ { ++ $key = ":id".$i; ++ $in .= "$key,"; ++ $sensor_params[$key] = $item; // collecting values into key-value array ++ } ++ $in = rtrim($in,","); // :id0,:id1,:id2 ++ $sensors = "AND event.sid IN($in)"; + } + } + ++// rt is the queue-only toggle on the left + if (isset($_REQUEST['rt'])) { + $rt = $_REQUEST['rt']; + if ($rt == 1) { +@@ -78,23 +118,26 @@ if (!$type) { + } + + function ec() { +- +- global $when, $sensors; +- +- 
$query = "SELECT COUNT(status) AS count, status +- FROM event +- LEFT JOIN sensor AS s ON event.sid = s.sid +- WHERE $when +- $sensors +- GROUP BY status"; +- +- $result = mysql_query($query); +- +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // This function returns event count grouped by status. ++ // This is used to populate the numbers in the Classification section on the left side of the Events tab. ++ // This function has been updated to use PDO prepared statements. ++ global $sdatetime, $edatetime, $offset, $sensors, $sensor_params, $dbpdo; ++ ++ // build statement ++ $statement = "SELECT COUNT(status) AS count, status FROM event LEFT JOIN sensor AS s ON event.sid = s.sid ++ WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') ++ $sensors ++ GROUP BY status;"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset"]; ++ // execute the prepared statement and pass it the local params array and the sensor_params array ++ $query->execute(array_merge($params,$sensor_params)); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } +@@ -169,42 +212,86 @@ function signatures() { + } + + function level0() { +- global $offset, $when, $sensors, $rt; +- $sv = mysql_real_escape_string($_REQUEST['sv']); ++ // This function has been updated to use PDO prepared statements. ++ global $offset, $when, $sensors, $rt, $sdatetime, $edatetime, $sensorsclean, $sensor_params, $dbpdo; ++ // $sv is for sorting. For example: DESC ++ // this cannot be done via prepared statement, so we use a whitelist approach ++ $sv = mysql_real_escape_string($_REQUEST['sv']) == 'DESC' ? 
'DESC' : 'ASC'; + $filter = hextostr($_REQUEST['filter']); ++ // $filter comes from the filter box in the upper right corner of the Events tab. Default: empty + if ($filter != 'empty') { + if (substr($filter, 0,4) == 'cmt ') { ++ // user entered cmt into the filter box ++ // pull their filter out and place it into the prepared statement array + $comment = explode('cmt ', $filter); ++ $filtercmt = mysql_real_escape_string($comment[1]); + $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "'"; ++ WHERE history.comment = :filtercmt"; ++ // build parameters for prepared statement ++ $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset", ":maxoffset" => "$offset", ":groupoffset" => "$offset", ":filtercmt" => "$filtercmt"]; + } else { ++ // if the user didn't enter cmt, then they may be using one of the built-in filters ++ // for example, if the user wants to search for alerts with src or dst ip in US: ++ // cc us ++ // we'll then receive the following: ++ // (msrc.cc = 'us' OR mdst.cc = 'us') ++ // the general strategy is to try to match this with one of the built-in filters to ensure validity ++ // then build a prepared statement + // this needs to be fixed + $filter = str_replace('<','<', $filter); + $filter = str_replace('>','>', $filter); +- $filter = "AND " . 
$filter; +- $qp2 = "WHERE $when ++ // build parameters for prepared statement ++ $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset", ":maxoffset" => "$offset", ":groupoffset" => "$offset"]; ++ // find whatever is enclosed in single ticks and replace with $ ++ $exploded=explode("'",$filter); ++ $filtervar=$exploded[1]; ++ $compfilter = str_replace($filtervar, '$', $filter); ++ // retrieve all valid filters from database ++ $statement="SELECT UNHEX(filter) from filters where type='filter';"; ++ $query = $dbpdo->prepare("$statement"); ++ $query->execute(); ++ $rows = $query->fetchAll(PDO::FETCH_BOTH); ++ // search for user filter in list of valid filters ++ $newfilter = ""; ++ foreach ($rows as $row) { ++ if ( "$compfilter" == "$row[0]" ) { ++ $newfilter = $row[0]; ++ $i=0; ++ while (strpos($newfilter, "'\$'") !== false) { ++ $newfilter = preg_replace('/\'\$\'/', ":filtervar$i", "$newfilter", 1); ++ $params[":filtervar$i"] = $filtervar; ++ $i++; ++ } ++ $filter = "AND " . 
$newfilter; ++ } ++ } ++ $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') + $sensors + $filter + $rt"; + } + } else { +- $qp2 = "WHERE $when ++ // filter box was empty so we'll just build a prepared statement using sensors and rt values ++ $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') + $sensors + $rt"; ++ // build parameters for prepared statement ++ $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset", ":maxoffset" => "$offset", ":groupoffset" => "$offset"]; + } + +- $query = "SELECT COUNT(event.signature) AS f1, ++ // build statement ++ $statement="SELECT COUNT(event.signature) AS f1, + event.signature AS f2, + event.signature_id AS f3, + event.signature_gen AS f4, +- MAX(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS f5, ++ MAX(CONVERT_TZ(event.timestamp,'+00:00',:maxoffset)) AS f5, + COUNT(DISTINCT(event.src_ip)) AS f6, + COUNT(DISTINCT(event.dst_ip)) AS f7, + event.ip_proto AS f8, + GROUP_CONCAT(DISTINCT(event.status)) AS f9, + GROUP_CONCAT(DISTINCT(event.sid)) AS f10, + GROUP_CONCAT(event.status) AS f11, +- GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', '$offset'),12,2)) AS f12, ++ GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', :groupoffset),12,2)) AS f12, + event.priority AS f13, + GROUP_CONCAT(DISTINCT(src_tag.value)) AS f14, + GROUP_CONCAT(DISTINCT(dst_tag.value)) AS f15 +@@ -216,13 +303,14 @@ function level0() { + $qp2 + GROUP BY f3 + ORDER BY f5 $sv"; +- +- $result = mysql_query($query); +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // execute the prepared statement and pass it the local params array and the sensor_params array ++ 
$query->execute(array_merge($params,$sensor_params)); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } diff --git a/debian/patches/improve-callback.php-and-grant-permission-to-autocat-table b/debian/patches/improve-callback.php-and-grant-permission-to-autocat-table new file mode 100644 index 0000000..152c02f --- /dev/null +++ b/debian/patches/improve-callback.php-and-grant-permission-to-autocat-table 
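Review bot: When the PDO connection fails, the `catch (PDOException $e)` block at the top of callback.php only calls `error_log(...)` and falls through, so `$dbpdo` is never assigned and the first `$dbpdo->prepare("$statement")` in `ec()` or `level0()` dies with an uncaught Error instead of a controlled response; after logging, end the request, e.g. `http_response_code(500); exit;`, so every function below can rely on `$dbpdo` being set. In the sensors block, `ltrim($sensors, 'AND event.sid IN(')` strips any leading character from that set rather than the literal prefix; it happens to stop at the opening quote of the first id, but `substr($sensors, strlen('AND event.sid IN('))` states the intent and will not break if the id format changes. In `level0()`, `$compfilter = str_replace($filtervar, '$', $filter)` replaces every occurrence of the user value, including where it appears inside column names of the template, so a legitimate value that is a substring of the filter text never matches a stored filter; replacing only the quoted occurrence (`str_replace("'$filtervar'", "'\$'", $filter)`) keeps the comparison exact. The ELSA/Kibana, sensors and filter code spans are complete within this hunk; `signatures()` and the rest of callback.php are outside it.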
@@ -0,0 +1,1680 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion24) trusty; urgency=medium + . + * improve callback.php and grant permission to autocat table +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -9,14 +9,12 @@ if (!(isset($_SESSION['sLogin']) && $_SE + $base = dirname(__FILE__); + include_once "$base/config.php"; + include_once "$base/functions.php"; +-// original database connection info +-$link = mysql_connect($dbHost,$dbUser,$dbPass); +-$db = mysql_select_db($dbName,$link); + // PDO prepared statements + try { + // first connect to database with the PDO object. 
+- $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=utf8", "$dbUser", "$dbPass", [ ++ $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [ + PDO::ATTR_EMULATE_PREPARES => false, ++ PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false, + PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION + ]); + } catch(PDOException $e){ +@@ -53,12 +51,10 @@ $types = array( + ); + + $type = $types[$type]; +-//error_log("type is $type"); + + if (isset($_REQUEST['ts'])) { + // Need EC +- $tsParts = explode("|", mysql_real_escape_string(hextostr($_REQUEST['ts']))); +- //$tsParts = explode("|", hextostr($_REQUEST['ts'])); ++ $tsParts = explode("|", hextostr($_REQUEST['ts'])); + $sdate = $tsParts[0]; + $edate = $tsParts[1]; + $stime = $tsParts[2]; +@@ -74,13 +70,14 @@ if (isset($_REQUEST['ts'])) { + } + + // user can specify sensors ++$sensors = ''; ++$sensorsclean = ''; ++$in = ''; ++$sensor_params = array(); + if (isset($_REQUEST['sensors'])) { + $sensors = hextostr($_REQUEST['sensors']); + if ($sensors == 'empty') { + $sensors = ''; +- $sensorsclean = ''; +- $in = ''; +- $sensor_params = array(); + } else { + // $sensors looks like this: + // AND event.sid IN('3','1') +@@ -91,7 +88,6 @@ if (isset($_REQUEST['sensors'])) { + // now we need to dynamically build IN for prepared statement based on: + // https://phpdelusions.net/pdo#like + $ids = explode(",", $sensorsclean); +- $in = ""; + foreach ($ids as $i => $item) + { + $key = ":id".$i; +@@ -103,13 +99,89 @@ if (isset($_REQUEST['sensors'])) { + } + } + +-// rt is the queue-only toggle on the left +-if (isset($_REQUEST['rt'])) { +- $rt = $_REQUEST['rt']; +- if ($rt == 1) { +- $rt = "AND event.status = 0"; ++// rt is the queue-only toggle on the left side of the EVENTS tab ++$rt = ""; ++if (isset($_REQUEST['rt']) && $_REQUEST['rt'] == 1) { ++ $rt = "AND event.status = 0"; ++} ++ ++// $sv is for sorting. 
For example: DESC ++// this cannot be done via prepared statement, so we use a whitelist approach ++$sv = ""; ++if (isset($_REQUEST['sv'])) { ++ $sv = $_REQUEST['sv'] == 'DESC' ? 'DESC' : 'ASC'; ++} ++ ++// many functions below rely on filters so let's build that out now ++if (isset($_REQUEST['filter'])) { ++ $filter = hextostr($_REQUEST['filter']); ++ // $filter comes from the filter box in the upper right corner of the EVENTS tab. Default: empty ++ if ($filter != 'empty') { ++ if (substr($filter, 0,4) == 'cmt ') { ++ // user entered cmt into the filter box ++ // pull their filter out and place it into the prepared statement array ++ $comment = explode('cmt ', $filter); ++ $filtercmt = $comment[1]; ++ $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid ++ WHERE history.comment = :filtercmt"; ++ // build parameters for prepared statement ++ $qp2_params = [":filtercmt" => "$filtercmt"]; ++ } else { ++ // if the user didn't enter cmt, then they may be using one of the built-in filters ++ // for example, if the user wants to search for alerts with src or dst ip in US: ++ // cc us ++ // we'll then receive the following: ++ // (msrc.cc = 'us' OR mdst.cc = 'us') ++ // the general strategy is to try to match this with one of the built-in filters to ensure validity ++ // then build a prepared statement ++ // this needs to be fixed ++ $filter = str_replace('<','<', $filter); ++ $filter = str_replace('>','>', $filter); ++ // build parameters for prepared statement ++ $qp2_params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset"]; ++ // find whatever is enclosed in single ticks and replace with $ ++ $exploded=explode("'",$filter); ++ $filtervar=$exploded[1]; ++ $compfilter = str_replace($filtervar, '$', $filter); ++ // retrieve all valid filters from database ++ $statement="SELECT UNHEX(filter) from filters where type='filter';"; ++ $query = $dbpdo->prepare("$statement"); ++ 
$query->execute(); ++ $rows = $query->fetchAll(PDO::FETCH_BOTH); ++ // search for user filter in list of valid filters ++ $newfilter = ""; ++ $filter = ""; ++ // "signature LIKE" is a special case ++ if ( "$compfilter" == "(signature LIKE '$' OR signature LIKE '$')" ) { ++ $filter = "AND (signature LIKE :filtervar1 OR signature LIKE :filtervar2)"; ++ $qp2_params[":filtervar1"] = "%$filtervar%"; ++ $qp2_params[":filtervar2"] = "%$filtervar%"; ++ } else { ++ foreach ($rows as $row) { ++ if ( "$compfilter" == "$row[0]" ) { ++ $newfilter = $row[0]; ++ $i=0; ++ while (strpos($newfilter, "'\$'") !== false) { ++ $newfilter = preg_replace('/\'\$\'/', ":filtervar$i", "$newfilter", 1); ++ $qp2_params[":filtervar$i"] = $filtervar; ++ $i++; ++ } ++ $filter = "AND " . $newfilter; ++ } ++ } ++ } ++ $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') ++ $sensors ++ $filter ++ $rt"; ++ } + } else { +- $rt = ""; ++ // filter box was empty so we'll just build a prepared statement using sensors and rt values ++ $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') ++ $sensors ++ $rt"; ++ // build parameters for prepared statement ++ $qp2_params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset"]; + } + } + +@@ -119,7 +191,7 @@ if (!$type) { + + function ec() { + // This function returns event count grouped by status. +- // This is used to populate the numbers in the Classification section on the left side of the Events tab. ++ // This is used to populate the numbers in the Classification section on the left side of the EVENTS tab. + // This function has been updated to use PDO prepared statements. 
+ global $sdatetime, $edatetime, $offset, $sensors, $sensor_params, $dbpdo; + +@@ -212,73 +284,9 @@ function signatures() { + } + + function level0() { ++ // This function returns the aggegrated event data in the main section of the EVENTS tab. + // This function has been updated to use PDO prepared statements. +- global $offset, $when, $sensors, $rt, $sdatetime, $edatetime, $sensorsclean, $sensor_params, $dbpdo; +- // $sv is for sorting. For example: DESC +- // this cannot be done via prepared statement, so we use a whitelist approach +- $sv = mysql_real_escape_string($_REQUEST['sv']) == 'DESC' ? 'DESC' : 'ASC'; +- $filter = hextostr($_REQUEST['filter']); +- // $filter comes from the filter box in the upper right corner of the Events tab. Default: empty +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- // user entered cmt into the filter box +- // pull their filter out and place it into the prepared statement array +- $comment = explode('cmt ', $filter); +- $filtercmt = mysql_real_escape_string($comment[1]); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = :filtercmt"; +- // build parameters for prepared statement +- $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset", ":maxoffset" => "$offset", ":groupoffset" => "$offset", ":filtercmt" => "$filtercmt"]; +- } else { +- // if the user didn't enter cmt, then they may be using one of the built-in filters +- // for example, if the user wants to search for alerts with src or dst ip in US: +- // cc us +- // we'll then receive the following: +- // (msrc.cc = 'us' OR mdst.cc = 'us') +- // the general strategy is to try to match this with one of the built-in filters to ensure validity +- // then build a prepared statement +- // this needs to be fixed +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- // build parameters for prepared 
statement +- $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset", ":maxoffset" => "$offset", ":groupoffset" => "$offset"]; +- // find whatever is enclosed in single ticks and replace with $ +- $exploded=explode("'",$filter); +- $filtervar=$exploded[1]; +- $compfilter = str_replace($filtervar, '$', $filter); +- // retrieve all valid filters from database +- $statement="SELECT UNHEX(filter) from filters where type='filter';"; +- $query = $dbpdo->prepare("$statement"); +- $query->execute(); +- $rows = $query->fetchAll(PDO::FETCH_BOTH); +- // search for user filter in list of valid filters +- $newfilter = ""; +- foreach ($rows as $row) { +- if ( "$compfilter" == "$row[0]" ) { +- $newfilter = $row[0]; +- $i=0; +- while (strpos($newfilter, "'\$'") !== false) { +- $newfilter = preg_replace('/\'\$\'/', ":filtervar$i", "$newfilter", 1); +- $params[":filtervar$i"] = $filtervar; +- $i++; +- } +- $filter = "AND " . $newfilter; +- } +- } +- $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') +- $sensors +- $filter +- $rt"; +- } +- } else { +- // filter box was empty so we'll just build a prepared statement using sensors and rt values +- $qp2 = "WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime,:soffset,'+00:00') AND CONVERT_TZ(:edatetime,:eoffset,'+00:00') +- $sensors +- $rt"; +- // build parameters for prepared statement +- $params = [":sdatetime" => "$sdatetime", ":edatetime" => "$edatetime", ":soffset" => "$offset", ":eoffset" => "$offset", ":maxoffset" => "$offset", ":groupoffset" => "$offset"]; +- } +- ++ global $offset, $when, $sensors, $rt, $sdatetime, $edatetime, $sensor_params, $dbpdo, $qp2, $qp2_params, $sv; + // build statement + $statement="SELECT COUNT(event.signature) AS f1, + event.signature AS f2, +@@ -303,12 +311,18 @@ function level0() { + $qp2 + GROUP BY f3 + ORDER BY f5 $sv"; +- // debug +- //error_log("$statement"); 
++ // add params for local part of statement ++ $local_params[':maxoffset'] = "$offset"; ++ $local_params[':groupoffset'] = "$offset"; + // prepare statement + $query = $dbpdo->prepare("$statement"); +- // execute the prepared statement and pass it the local params array and the sensor_params array +- $query->execute(array_merge($params,$sensor_params)); ++ // merge params ++ $merged_params = array_merge($local_params, $sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); +@@ -316,39 +330,18 @@ function level0() { + } + + function level1() { +- +- global $offset, $when, $sensors, $rt; +- $sid = mysql_real_escape_string($_REQUEST['object']); +- $sv = mysql_real_escape_string($_REQUEST['sv']); +- $filter = hextostr($_REQUEST['filter']); +- +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "' +- AND event.signature_id = '$sid'"; +- } else { +- // this needs to be fixed +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- $filter = "AND " . $filter; +- $qp2 = "WHERE $when +- $sensors +- AND event.signature_id = '$sid' +- $filter +- $rt"; +- } +- } else { +- $qp2 = "WHERE $when +- $sensors +- AND event.signature_id = '$sid' +- $rt"; +- } +- +- // LEVEL 1 +- $query = "SELECT COUNT(event.signature) AS count, +- MAX(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS maxTime, ++ // This function is called when the user clicks a number in the Queue column to drill into a group of aggregated events. 
++ // This function has been updated to use PDO prepared statements. ++ global $offset, $when, $sensors, $rt, $sdatetime, $edatetime, $sensor_params, $dbpdo, $qp2, $qp2_params, $sv; ++ // sid is signature_id (snort/suricata ID, OSSEC rule ID, etc.) ++ $sid = $_REQUEST['object']; ++ // add sid to $qp2 and $qp2_params ++ $qp2 = "$qp2 ++ AND event.signature_id = :sid"; ++ $qp2_params[':sid'] = "$sid"; ++ // build statement ++ $statement = "SELECT COUNT(event.signature) AS count, ++ MAX(CONVERT_TZ(event.timestamp,'+00:00', :maxoffset)) AS maxTime, + INET_NTOA(event.src_ip) AS src_ip, + msrc.c_long AS src_cc, + INET_NTOA(event.dst_ip) AS dst_ip, +@@ -360,8 +353,8 @@ function level1() { + GROUP_CONCAT(event.sid) AS c_sid, + GROUP_CONCAT(event.cid) AS c_cid, + GROUP_CONCAT(event.status) AS c_status, +- GROUP_CONCAT(SUBSTR(CONVERT_TZ(event.timestamp,'+00:00','$offset'),12,5)) AS c_ts, +- GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', '$offset'),12,2)) AS f12, ++ GROUP_CONCAT(SUBSTR(CONVERT_TZ(event.timestamp,'+00:00', :groupoffset1),12,5)) AS c_ts, ++ GROUP_CONCAT(SUBSTRING(CONVERT_TZ(event.timestamp, '+00:00', :groupoffset2),12,2)) AS f12, + event.priority AS f13, + msrc.age AS src_age, + mdst.age AS dst_age, +@@ -377,58 +370,46 @@ function level1() { + $qp2 + GROUP BY event.src_ip, event.dst_ip + ORDER BY maxTime $sv"; +- +- $result = mysql_query($query); +- +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // add params for local part of statement ++ $local_params[':maxoffset'] = "$offset"; ++ $local_params[':groupoffset1'] = "$offset"; ++ $local_params[':groupoffset2'] = "$offset"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // merge params ++ $merged_params = array_merge($local_params, $sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . 
print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } + + function level2() { +- +- global $offset, $when, $sensors, $rt; +- $comp = mysql_real_escape_string($_REQUEST['object']); +- $filter = hextostr($_REQUEST['filter']); +- $sv = mysql_real_escape_string($_REQUEST['sv']); +- $adqp = mysql_real_escape_string(hextostr($_REQUEST['adqp'])); ++ // This function is called when the user clicks a number in the Queue column in the second level of aggregation. ++ // This function has been updated to use PDO prepared statements. ++ global $offset, $when, $sensors, $rt, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; ++ $comp = $_REQUEST['object']; + list($ln,$sid,$src_ip,$dst_ip) = explode("-", $comp); + $src_ip = sprintf("%u", ip2long($src_ip)); + $dst_ip = sprintf("%u", ip2long($dst_ip)); + +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . 
"' +- AND (event.signature_id = '$sid' +- AND event.src_ip = '$src_ip' +- AND event.dst_ip = '$dst_ip')"; +- } else { +- $qp2 = "WHERE $when +- $sensors +- AND (event.signature_id = '$sid' +- AND event.src_ip = '$src_ip' +- AND event.dst_ip = '$dst_ip')"; +- } +- } else { +- if ($adqp === "empty") { +- $adqp = ""; +- } +- $qp2 = "WHERE $when +- $sensors +- $adqp +- AND (event.signature_id = '$sid' +- AND event.src_ip = '$src_ip' +- AND event.dst_ip = '$dst_ip')"; +- } +- +- $query = "SELECT event.status AS f1, +- CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00','$offset'),event.timestamp) AS f2, ++ // add sid, src_ip, and dst_ip to $qp2 and $qp2_params ++ $qp2 = "$qp2 ++ AND (event.signature_id = :sid ++ AND event.src_ip = :src_ip ++ AND event.dst_ip = :dst_ip)"; ++ $qp2_params[':sid'] = "$sid"; ++ $qp2_params[':src_ip'] = "$src_ip"; ++ $qp2_params[':dst_ip'] = "$dst_ip"; ++ ++ // build statement using $qp2 ++ $statement = "SELECT event.status AS f1, ++ CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00',:concatoffset),event.timestamp) AS f2, + INET_NTOA(event.src_ip) AS f3, + event.src_port AS f4, + INET_NTOA(event.dst_ip) AS f5, +@@ -445,50 +426,34 @@ function level2() { + LEFT JOIN object_mappings AS src_tag ON event.src_ip = src_tag.object AND src_tag.type = 'tag' + LEFT JOIN object_mappings AS dst_tag ON event.dst_ip = dst_tag.object AND dst_tag.type = 'tag' + $qp2 +- $rt + GROUP BY event.sid,event.cid + ORDER BY event.timestamp $sv"; + +- $result = mysql_query($query); +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // add params for local part of statement ++ $local_params[':concatoffset'] = "$offset"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // merge params ++ $merged_params = array_merge($local_params, $sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . 
print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + + } + + function level2a() { +- +- global $offset, $when, $sensors, $rt; +- $sv = mysql_real_escape_string($_REQUEST['sv']); +- $filter = hextostr($_REQUEST['filter']); +- +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "'"; +- } else { +- // this needs to be fixed... +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- $filter = "AND " . $filter; +- $qp2 = "WHERE $when +- $sensors +- $filter +- $rt"; +- } +- } else { +- $qp2 = "WHERE $when +- $sensors +- $rt"; +- } +- +- $query = "SELECT event.status AS f1, +- CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00','$offset'),event.timestamp) AS f2, ++ // This function is called when grouping is turned off. ++ // This function has been updated to use PDO prepared statements. 
++ global $offset, $when, $sensors, $rt, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; ++ // build statement ++ $statement = "SELECT event.status AS f1, ++ CONCAT_WS(',',CONVERT_TZ(event.timestamp,'+00:00',:concatoffset),event.timestamp) AS f2, + INET_NTOA(event.src_ip) AS f3, + event.src_port AS f4, + msrc.c_long AS f5, +@@ -516,30 +481,39 @@ function level2a() { + $qp2 + GROUP BY event.sid, event.cid + ORDER BY event.timestamp $sv"; +- +- $result = mysql_query($query); +- $rows = array(); +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // add params for local part of statement ++ $local_params[':concatoffset'] = "$offset"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // merge params ++ $merged_params = array_merge($local_params, $sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } + + function payload() { ++ // This function retrieves the payload of the event. ++ // This function has been updated to use PDO prepared statements. 
+ +- global $offset; +- $comp = mysql_real_escape_string($_REQUEST['object']); ++ global $offset, $dbpdo; ++ $comp = $_REQUEST['object']; + list($sid,$cid) = explode("-", $comp); + +- $query = "SELECT INET_NTOA(event.src_ip), ++ $statement = "SELECT INET_NTOA(event.src_ip), + INET_NTOA(event.dst_ip), + event.ip_ver, event.ip_hlen, event.ip_tos, + event.ip_len, event.ip_id, event.ip_flags, + event.ip_off, event.ip_ttl, event.ip_csum, + event.src_port, event.dst_port, event.ip_proto, + event.signature, event.signature_id, +- CONVERT_TZ(event.timestamp,'+00:00','$offset'), event.sid, event.cid, ++ CONVERT_TZ(event.timestamp,'+00:00', :offset), event.sid, event.cid, + GROUP_CONCAT(history.comment SEPARATOR ' || ') AS comment, + GROUP_CONCAT(src_tag.value) AS srctag, + GROUP_CONCAT(dst_tag.value) AS dsttag +@@ -547,21 +521,28 @@ function payload() { + LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid + LEFT JOIN object_mappings AS src_tag ON event.src_ip = src_tag.object AND src_tag.type = 'tag' + LEFT JOIN object_mappings AS dst_tag ON event.dst_ip = dst_tag.object AND dst_tag.type = 'tag' +- WHERE event.sid='$sid' AND event.cid='$cid'"; +- +- $result = mysql_query($query); +- ++ WHERE event.sid=:sid AND event.cid=:cid"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":offset" => "$offset", ":sid" => "$sid", ":cid" => "$cid"]; ++ // execute the prepared statement with params ++ $query->execute(array_merge($params)); ++ // fetch the data ++ $row = $query->fetchall(PDO::FETCH_ASSOC); + $rows = array(); +- +- $row = mysql_fetch_assoc($result); +- $rows[] = $row; +- $ipp = $row["ip_proto"]; ++ if (array_key_exists(0, $row)) { ++ $rows[] = $row[0]; ++ } ++ $ipp = $row[0]["ip_proto"]; + + // Protocol + switch ($ipp) { + + case 1: +- $query = "SELECT event.icmp_type AS icmp_type, ++ $statement = "SELECT event.icmp_type AS icmp_type, 
+ event.icmp_code AS icmp_code, + icmphdr.icmp_csum AS icmp_csum, + icmphdr.icmp_id AS icmp_id, +@@ -569,54 +550,78 @@ function payload() { + FROM event, icmphdr + WHERE event.sid=icmphdr.sid + AND event.cid=icmphdr.cid +- AND event.sid='$sid' +- AND event.cid='$cid'"; +- +- $result = mysql_query($query); +- +- $row = mysql_fetch_assoc($result); +- $rows[] = $row; ++ AND event.sid=:sid ++ AND event.cid=:cid"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":sid" => "$sid", ":cid" => "$cid"]; ++ // execute the prepared statement with params ++ $query->execute(array_merge($params)); ++ // fetch the data ++ $row = $query->fetchall(PDO::FETCH_ASSOC); ++ if (array_key_exists(0, $row)) { ++ $rows[] = $row[0]; ++ } + break; + + case 6: +- $query = "SELECT tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_urp, tcp_csum ++ $statement = "SELECT tcp_seq, tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_urp, tcp_csum + FROM tcphdr +- WHERE sid='$sid' AND cid='$cid'"; +- +- $result = mysql_query($query); +- +- $row = mysql_fetch_assoc($result); +- $rows[] = $row; ++ WHERE sid=:sid AND cid=:cid"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":sid" => "$sid", ":cid" => "$cid"]; ++ // execute the prepared statement with params ++ $query->execute(array_merge($params)); ++ // fetch the data ++ $row = $query->fetchall(PDO::FETCH_ASSOC); ++ if (array_key_exists(0, $row)) { ++ $rows[] = $row[0]; ++ } + break; + + case 17: +- $query = "SELECT udp_len, udp_csum ++ $statement = "SELECT udp_len, udp_csum + FROM udphdr +- WHERE sid='$sid' AND cid='$cid'"; +- +- $result = mysql_query($query); +- +- $row = mysql_fetch_assoc($result); +- $rows[] = $row; ++ WHERE sid=:sid AND cid=:cid"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for 
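Review bot: `$ipp = $row[0]["ip_proto"];` reads the first row unconditionally right after the `array_key_exists(0, $row)` guard, so a sid/cid pair that matches no event row raises an undefined-offset notice and reaches the protocol switch with `$ipp` null. Initialise `$ipp = null;` before the guard and move the `$ipp = $row[0]["ip_proto"];` assignment inside the `if` block. The same hunk derives `$sid` and `$cid` from `explode("-", $_REQUEST['object'])` without checking that two parts came back; with a single part `$cid` is undefined and is bound as an empty string. `$query->execute(array_merge($params))` with one argument is a no-op wrapper and can simply be `$query->execute($params)`. payload()'s body continues outside this hunk.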
prepared statement ++ $params = [":sid" => "$sid", ":cid" => "$cid"]; ++ // execute the prepared statement with params ++ $query->execute(array_merge($params)); ++ // fetch the data ++ $row = $query->fetchall(PDO::FETCH_ASSOC); ++ if (array_key_exists(0, $row)) { ++ $rows[] = $row[0]; ++ } + break; + default: + $result = array(0 => 0); + $rows[] = $row; + break; + } +- + // Data +- $query = "SELECT data_payload ++ $statement = "SELECT data_payload + FROM data +- WHERE sid='$sid' AND cid='$cid'"; +- +- $result = mysql_query($query); +- +- $row = mysql_fetch_assoc($result); +- $rows[] = $row; ++ WHERE sid=:sid AND cid=:cid"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":sid" => "$sid", ":cid" => "$cid"]; ++ // execute the prepared statement with params ++ $query->execute(array_merge($params)); ++ // fetch the data and encode to json ++ $row = $query->fetchall(PDO::FETCH_ASSOC); ++ if (array_key_exists(0, $row)) { ++ $rows[] = $row[0]; ++ } + $theJSON = json_encode($rows); + echo $theJSON; +- + } + + function tab() { +@@ -630,21 +635,28 @@ function transcript() { + } + + function filters() { ++ // This function queries and updates the filters table. ++ // This function has been updated to use PDO prepared statements. 
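Review bot: In the `default:` branch, `$rows[] = $row;` now appends the whole `fetchall()` result of the event query (a list of rows) rather than a single row, because this commit changed `$row` from one associative row to the full result set; for any protocol other than ICMP/TCP/UDP the shape of the JSON array the client receives therefore changes. The prepare / `$params` / `execute(array_merge($params))` / `fetchall` / `array_key_exists(0, $row)` sequence is then repeated verbatim for the ICMP, TCP, UDP and data queries, which is why the unchecked `execute()` return in each copy is easy to miss. A small file-level helper returning the first row or null would collapse each case to a statement plus one call and give a single place to react to a failed query; a sketch follows, with the ICMP case as the example call site. The `default:` branch can use the same guard: `$rows[] = array_key_exists(0, $row) ? $row[0] : array();`.
```php
// Prepare and run $statement with $params; return the first row as an
// associative array, or null when the query failed or matched nothing.
function fetch_first_row($dbpdo, $statement, $params) {
    $query = $dbpdo->prepare($statement);
    if ($query === false || !$query->execute($params)) {
        error_log("query failed: " . $statement);   // placeholders only, no bound data
        return null;
    }
    $first = $query->fetch(PDO::FETCH_ASSOC);
    return $first === false ? null : $first;
}

// … unchanged: $statement for the ICMP header in case 1 …
        $first = fetch_first_row($dbpdo, $statement, [":sid" => $sid, ":cid" => $cid]);
        if ($first !== null) { $rows[] = $first; }
        break;
// … unchanged: case 6, case 17 and the data_payload query follow the same shape …
```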
++ global $dbpdo; + $user = $_SESSION['sUser']; +- $mode = mysql_real_escape_string($_REQUEST['mode']); ++ $mode = $_REQUEST['mode']; + + switch ($mode) { + case "query" : +- $query = "SELECT type, UNHEX(name) AS name, alias, filter, UNHEX(notes) as notes, age, global, username ++ $statement = "SELECT type, UNHEX(name) AS name, alias, filter, UNHEX(notes) as notes, age, global, username + FROM filters + ORDER BY global,name ASC"; + +- $result = mysql_query($query); +- + $rows = array(); + ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // execute the prepared statement with params ++ $query->execute(); + # iterate through each row of the filter table +- while ($row = mysql_fetch_assoc($result)) { ++ while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + # for each field in that row, we need to sanitize before output + foreach ($row as &$value) { + # https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know +@@ -670,23 +682,50 @@ function filters() { + $filter = str_ireplace($remove, "", $filter); + $filter = strtohex($filter); + +- $query = "INSERT INTO filters (type,name,alias,username,filter,notes) +- VALUES ('$type','$name','$alias','$user','$filter','$notes') ++ $statement = "INSERT INTO filters (type,name,alias,username,filter,notes) ++ VALUES (:type1,:name1,:alias1,:user1,:filter1,:notes1) + ON DUPLICATE KEY UPDATE +- type='$type',name='$name',alias='$alias',filter='$filter',notes='$notes'"; ++ type=:type2,name=:name2,alias=:alias2,filter=:filter2,notes=:notes2"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":type1" => "$type", ":name1" => "$name", ":alias1" => "$alias", ":user1" => "$user", ":filter1" => "$filter", ":notes1" => "$notes", ":type2" => "$type", ":name2" => "$name", ":alias2" => "$alias", ":filter2" => "$filter", ":notes2" => 
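Review bot: `$query = $dbpdo->prepare("$statement"); $query->execute();` in the `query` branch of filters() checks neither return value, and nothing in the patch shows how `$dbpdo` is constructed. Unless the connection was opened with `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION`, a failing `prepare()` returns false and the next line is a fatal call on a boolean, while a failing `execute()` just leaves the `while` loop with nothing to fetch, so the caller gets an empty filter list that is indistinguishable from a real one. Set the exception error mode once where `$dbpdo` is created (if it is not already), or guard each call site with `if ($query === false || !$query->execute()) { … }` before the fetch loop. The same unchecked prepare/execute pattern appears in every other PDO hunk of this patch (payload, comments, map, sensors, summary, view, autocat, getcolour, objhistory). The interpolation in `prepare("$statement")` is redundant; `prepare($statement)` is equivalent.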
"$notes"]; ++ // execute the prepared statement with params ++ $query->execute(array_merge($params)); ++ // check for errors ++ $error = $query->errorInfo(); ++ $result = ""; ++ // if there was no error, then $error[2] should be null ++ if ( ! is_null($error[2]) ) { ++ $result = $error[2]; ++ } + +- mysql_query($query); +- $result = mysql_error(); + $return = array("msg" => $result); + $theJSON = json_encode($return); + + break; + + case "remove" : +- $alias = mysql_real_escape_string($_REQUEST['data']); +- $query = "DELETE FROM filters WHERE username = '$user' AND (alias = '$alias' AND global = 0)"; +- mysql_query($query); +- $result = mysql_error(); ++ $alias = $_REQUEST['data']; ++ $statement = "DELETE FROM filters WHERE username = :user AND (alias = :alias AND global = 0)"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":user" => "$user", ":alias" => "$alias"]; ++ // execute the prepared statement with the params ++ $query->execute(array_merge($params)); ++ // check for errors ++ $error = $query->errorInfo(); ++ $result = ""; ++ // if there was no error, then $error[2] should be null ++ if ( ! is_null($error[2]) ) { ++ $result = $error[2]; ++ } ++ + $return = array("msg" => $result); + $theJSON = json_encode($return); + +@@ -732,7 +771,10 @@ function cat() { + } + + function comments() { +- $query = "SELECT COUNT(comment) AS f1, ++ // This function retrieves comments from the history table. ++ // This function has been updated to use PDO prepared statements. 
++ global $dbpdo; ++ $statement = "SELECT COUNT(comment) AS f1, + comment AS f2, + u.username AS f3, + MIN(timestamp) AS f4, +@@ -745,53 +787,52 @@ function comments() { + AND (comment NOT IN('NULL','Auto Update','') AND comment NOT LIKE ('autoid %')) + GROUP BY comment + ORDER BY f5 DESC"; +- +- $result = mysql_query($query); +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // execute the prepared statement ++ $query->execute(); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } + + function remove_comment() { ++ // This function removes a comment from the history table. ++ // This function has been updated to use PDO prepared statements. ++ global $dbpdo; + $user = $_SESSION['sUser']; + $comment = hextostr($_REQUEST['comment']); +- $comment = mysql_real_escape_string($comment); +- $query = "DELETE FROM history WHERE comment = '$comment'"; +- mysql_query($query); +- $result = mysql_error(); ++ $comment = $comment; ++ $statement = "DELETE FROM history WHERE comment = :comment"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":comment" => "$comment"]; ++ // execute the prepared statement with the params ++ $query->execute(array_merge($params)); ++ // check for errors ++ $error = $query->errorInfo(); ++ $result = ""; ++ // if there was no error, then $error[2] should be null ++ if ( ! 
is_null($error[2]) ) { ++ $result = $error[2]; ++ } + $return = array("msg" => $result); +- + $theJSON = json_encode($return); + echo $theJSON; + } + + function map() { +- global $when, $sensors; +- $filter = hextostr($_REQUEST['filter']); +- +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '$comment[1]'"; +- } else { +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- $filter = "AND " . $filter; +- $qp2 = "WHERE $when +- $sensors +- $filter"; +- } +- } else { +- $qp2 = "WHERE $when +- $sensors"; +- } ++ // This function is called when the user clicks the SUMMARY tab. ++ // This function has been updated to use PDO prepared statements. + +- $srcq = "SELECT COUNT(src_ip) AS c, msrc.cc ++ global $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; ++ $srcstatement = "SELECT COUNT(src_ip) AS c, msrc.cc + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip + LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip +@@ -803,7 +844,7 @@ function map() { + GROUP BY msrc.cc + ORDER BY c DESC"; + +- $dstq = "SELECT COUNT(dst_ip) AS c, mdst.cc ++ $dststatement = "SELECT COUNT(dst_ip) AS c, mdst.cc + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip + LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip +@@ -814,16 +855,23 @@ function map() { + AND mdst.cc IS NOT NULL + GROUP BY mdst.cc + ORDER BY c DESC"; +- +- $srcr = mysql_query($srcq); +- $dstr = mysql_query($dstq); ++ // prepare statements ++ $srcquery = $dbpdo->prepare("$srcstatement"); ++ // merge params ++ $merged_params = array_merge($sensor_params, $qp2_params); ++ // debug ++ //error_log("srcstatement: $srcstatement"); ++ //error_log("dststatement: $dststatement"); ++ //error_log("merged_params: " . 
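Review bot: In remove_comment() the line `$comment = $comment;` is a leftover from dropping `mysql_real_escape_string()` and does nothing; remove it. `$user = $_SESSION['sUser'];` is likewise assigned but never used, and `DELETE FROM history WHERE comment = :comment` is scoped neither to that user nor to a sid/cid, so whoever is logged in removes every history row carrying the same comment text. That behaviour predates this commit, but if per-user removal is intended the session user belongs in the WHERE clause, and if comments are deliberately shared a comment stating that would help the next reader. The comments() part of this hunk is a straight `fetchAll` conversion and looks fine.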
print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $srcquery->execute($merged_params); + + // A => src, B=> dst, C=> cumulative + $a1 = $a2 = $b1 = $b2 = array(); + $aHit = $bHit = $cHit = 'no'; + + // Source countries and count +- while ($row = mysql_fetch_row($srcr)) { ++ while ($row = $srcquery->fetch(PDO::FETCH_NUM)) { + $a1[] = $row[0]; + $a2[] = $row[1]; + $c1[] = $row[0]; +@@ -832,10 +880,12 @@ function map() { + $cHit = 'yes'; + } + ++ $dstquery = $dbpdo->prepare("$dststatement"); ++ $dstquery->execute($merged_params); + // Destination countries and count + // As we loop through we check to see if we hit a country + // that we already processed so that we can derive a sum +- while ($row = mysql_fetch_row($dstr)) { ++ while ($row = $dstquery->fetch(PDO::FETCH_NUM)) { + $b1[] = $row[0]; + $b2[] = $row[1]; + if ($aHit == 'yes') { +@@ -909,7 +959,11 @@ function map() { + } + + function sensors() { +- $query = "SELECT net_name AS f1, ++ // This function gets the list of sensors. ++ // This function has been updated to use PDO prepared statements. ++ global $dbpdo; ++ //$query = "SELECT net_name AS f1, ++ $statement = "SELECT net_name AS f1, + hostname AS f2, + agent_type AS f3, + sensor.sid AS f4 +@@ -917,26 +971,44 @@ function sensors() { + WHERE agent_type != 'pcap' + AND active = 'Y' + ORDER BY net_name ASC"; +- +- $result = mysql_query($query); +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // execute the prepared statement ++ $query->execute(); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } + + function user_profile() { ++ // This function updates the timezone offset in the user profile. ++ // This function has been updated to use PDO prepared statements. 
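Review bot: The sensors() hunk keeps the old query header as a comment, `//$query = "SELECT net_name AS f1,`, directly above its replacement, and like every other hunk in this patch adds a commented-out `// debug` / `//error_log("$statement");` pair. Commented-out code drifts from the live statement and adds nothing; delete the `//$query` line and replace the per-function `//error_log` pairs with one guarded call, e.g. `if (defined('SQUERT_DEBUG_SQL')) { error_log($statement); }` (constant name illustrative), so SQL debugging can be switched on without editing each function; logging the statement rather than the parameters also keeps request data out of the log. The empty `/*` `*/` block left in the view() hunk and the `//$r = $query->rowCount();` / `//$rc = $query->rowCount();` remnants in summary() and view() fall under the same cleanup.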
++ global $dbpdo; + $user = $_SESSION['sUser']; + $tz = hextostr($_REQUEST['tz']); + $validtz = "/^(-12:00|-11:00|-10:00|-09:30|-09:00|-08:00|-07:00|-06:00|-05:00|-04:30|-04:00|-03:30|-03:00|-02:00|-01:00|\+00:00|\+01:00|\+02:00|\+03:00|\+03:30|\+04:00|\+04:30|\+05:00|\+05:30|\+05:45|\+06:00|\+06:30|\+07:00|\+08:00|\+08:45|\+09:00|\+09:30|\+10:00|\+10:30|\+11:00|\+11:30|\+12:00|\+12:45|\+13:00|\+14:00)$/"; + + if (preg_match($validtz, $tz)) { +- $query = "UPDATE user_info SET tzoffset = '$tz' WHERE username = '$user'"; +- mysql_query($query); +- $result = mysql_error(); ++ // prepare statement ++ $statement = "UPDATE user_info SET tzoffset = :tz WHERE username = :user"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":tz" => "$tz", ":user" => "$user"]; ++ // execute the prepared statement with the params ++ $query->execute($params); ++ // check for errors ++ $error = $query->errorInfo(); ++ $result = ""; ++ // if there was no error, then $error[2] should be null ++ if ( ! is_null($error[2]) ) { ++ $result = $error[2]; ++ } + // Update session offset + $_SESSION['tzoffset'] = $tz; + } else { +@@ -948,56 +1020,54 @@ function user_profile() { + } + + function summary() { +- global $when, $sensors; ++ // This function is called when the user clicks the SUMMARY tab. ++ // This function has been updated to use PDO prepared statements. 
++ ++ global $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; + $limit = $_REQUEST['limit']; + $qargs = $_REQUEST['qargs']; + $filter = hextostr($_REQUEST['filter']); + list($type,$subtype) = explode("-", $qargs); + $oppip = "src"; +- if ($subtype == "src") { $oppip = "dst"; } +- +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '$comment[1]'"; +- } else { +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- $filter = "AND " . $filter; +- $qp2 = "WHERE $when +- $sensors +- $filter"; +- } +- } else { +- $qp2 = "WHERE $when +- $sensors"; +- } ++ // subtype is controlled by user, don't trust it ++ $cleansubtype = ""; ++ switch ($subtype) { ++ case "src": ++ $cleansubtype = "src"; ++ $oppip = "dst"; ++ break; ++ case "dst": ++ $cleansubtype = "dst"; ++ break; ++ case "sig": ++ $cleansubtype = "sig"; ++ break; ++ } + + switch ($type) { + case "ip": +- $query = "SELECT COUNT(event.{$subtype}_ip) AS f1, ++ $statement = "SELECT COUNT(event.{$cleansubtype}_ip) AS f1, + COUNT(DISTINCT(event.signature)) AS f2, + COUNT(DISTINCT(event.{$oppip}_ip)) AS f3, +- m{$subtype}.cc AS f4, +- m{$subtype}.c_long AS f5, +- INET_NTOA(event.{$subtype}_ip) AS f6, +- o{$subtype}.value AS f7 ++ m{$cleansubtype}.cc AS f4, ++ m{$cleansubtype}.c_long AS f5, ++ INET_NTOA(event.{$cleansubtype}_ip) AS f6, ++ o{$cleansubtype}.value AS f7 + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip + LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip +- LEFT JOIN object_mappings AS o{$subtype} ON event.{$subtype}_ip = o{$subtype}.object +- AND o{$subtype}.type = 'ip_c' ++ LEFT JOIN object_mappings AS o{$cleansubtype} ON event.{$cleansubtype}_ip = o{$cleansubtype}.object ++ AND o{$cleansubtype}.type = 'ip_c' + $qp2 + GROUP BY f6 + ORDER BY f1 DESC"; + break; + case "pt": +- 
$query = "SELECT COUNT(event.{$subtype}_port) AS f1, ++ $statement = "SELECT COUNT(event.{$cleansubtype}_port) AS f1, + COUNT(DISTINCT(event.signature)) AS f2, + COUNT(DISTINCT(event.src_ip)) AS f3, + COUNT(DISTINCT(event.dst_ip)) AS f4, +- event.{$subtype}_port AS f5 ++ event.{$cleansubtype}_port AS f5 + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip + LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip +@@ -1006,7 +1076,7 @@ function summary() { + ORDER BY f1 DESC"; + break; + case "sig": +- $query = "SELECT COUNT(event.signature) AS f1, ++ $statement = "SELECT COUNT(event.signature) AS f1, + COUNT(DISTINCT(event.src_ip)) AS f2, + COUNT(DISTINCT(event.dst_ip)) AS f3, + event.signature_id AS f4, +@@ -1019,64 +1089,62 @@ function summary() { + ORDER BY f1 DESC"; + break; + case "cc": +- $query = "SELECT COUNT(event.{$subtype}_ip) AS f1, ++ $statement = "SELECT COUNT(event.{$cleansubtype}_ip) AS f1, + COUNT(DISTINCT(event.signature)) AS f2, + COUNT(DISTINCT(event.{$oppip}_ip)) AS f3, +- m{$subtype}.cc AS f4, +- m{$subtype}.c_long AS f5, +- COUNT(DISTINCT(event.{$subtype}_ip)) AS f6 ++ m{$cleansubtype}.cc AS f4, ++ m{$cleansubtype}.c_long AS f5, ++ COUNT(DISTINCT(event.{$cleansubtype}_ip)) AS f6 + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip + LEFT JOIN mappings AS mdst ON event.dst_ip = mdst.ip + $qp2 +- AND event.{$subtype}_ip NOT BETWEEN 167772160 AND 184549375 +- AND event.{$subtype}_ip NOT BETWEEN 2886729728 AND 2886795263 +- AND event.{$subtype}_ip NOT BETWEEN 3232235520 AND 3232301055 +- AND m{$subtype}.cc IS NOT NULL GROUP BY m{$subtype}.cc ORDER BY f1 DESC"; ++ AND event.{$cleansubtype}_ip NOT BETWEEN 167772160 AND 184549375 ++ AND event.{$cleansubtype}_ip NOT BETWEEN 2886729728 AND 2886795263 ++ AND event.{$cleansubtype}_ip NOT BETWEEN 3232235520 AND 3232301055 ++ AND m{$cleansubtype}.cc IS NOT NULL GROUP BY m{$cleansubtype}.cc ORDER BY f1 DESC"; + break; + } +- $result = mysql_query($query); ++ ++ // prepare 
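Review bot: The allow-list `switch ($subtype)` in summary() is the right way to control the identifier interpolated as `{$cleansubtype}`, but when `$subtype` matches none of `src`/`dst`/`sig` the variable stays `""` and the query is still built, producing fragments like `event._ip` and `m.cc` that fail at `execute()` instead of being rejected at the request boundary. An unknown `$type` has the same effect: no case sets `$statement`, and the switch (which closes in the following hunk) falls through to a prepare on an empty string. Add a terminating branch to both switches, e.g. `default: echo json_encode(array("msg" => "invalid qargs")); return;`, so malformed `qargs` never reach SQL assembly. The `$op` switch in the addremoveobject hunk has the same gap: only `add` and `rm` set `$statement` and `$params`.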
statement ++ $query = $dbpdo->prepare("$statement"); ++ // merge params ++ $merged_params = array_merge($sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); ++ + $rows = array(); + $i = 0; + $n = 0; +- $r = mysql_num_rows($result); +- while ($row = mysql_fetch_assoc($result)) { ++ // unbuffered query can't do rowCount, replacing with $i below ++ //$r = $query->rowCount(); ++ ++ # iterate through each row of the filter table ++ while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + $n += $row["f1"]; + $i++; + if ($i <= $limit) $rows[] = $row; + } +- $rows[] = array("n" => $n, "r" => $r); ++ $rows[] = array("n" => $n, "r" => $i); + $theJSON = json_encode($rows); + echo $theJSON; + } + + function view() { +- global $when, $sensors; ++ // This function is called when the user clicks the VIEWS tab. ++ // This function has been updated to use PDO prepared statements. ++ ++ global $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; + $qargs = $_REQUEST['qargs']; + $filter = hextostr($_REQUEST['filter']); + list($type,$subtype) = explode("-", $qargs); + +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '$comment[1]'"; +- } else { +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- $filter = "AND " . 
$filter; +- $qp2 = "WHERE $when +- $sensors +- $filter"; +- } +- } else { +- $qp2 = "WHERE $when +- $sensors"; +- } +- + switch ($type) { + case "ip": +- $query = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, ++ $statement = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, + CONCAT_WS('|', INET_NTOA(event.dst_ip), mdst.cc, mdst.c_long) AS target, + COUNT(event.src_ip) AS value + FROM event +@@ -1087,7 +1155,7 @@ function view() { + GROUP BY source,target"; + break; + case "ips": +- $query = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, ++ $statement = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc, msrc.c_long) AS source, + event.signature AS sig, + CONCAT_WS('|', INET_NTOA(event.dst_ip), mdst.cc, mdst.c_long) AS target, + COUNT(event.src_ip) AS value +@@ -1099,7 +1167,7 @@ function view() { + GROUP BY source,target"; + break; + case "sc": +- $query = "SELECT CONCAT_WS('|' ,msrc.c_long, msrc.cc) AS source, ++ $statement = "SELECT CONCAT_WS('|' ,msrc.c_long, msrc.cc) AS source, + CONCAT_WS('|',INET_NTOA(event.dst_ip), mdst.cc) AS target, + COUNT(event.src_ip) AS value + FROM event +@@ -1113,7 +1181,7 @@ function view() { + GROUP BY source,target"; + break; + case "dc": +- $query = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc) AS source, ++ $statement = "SELECT CONCAT_WS('|', INET_NTOA(event.src_ip), msrc.cc) AS source, + CONCAT_WS('|', mdst.c_long, mdst.cc) AS target, + COUNT(event.dst_ip) AS value + FROM event +@@ -1127,18 +1195,23 @@ function view() { + GROUP BY source,target"; + break; + } +- $result = mysql_query($query); +- $rc = mysql_num_rows($result); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // merge params ++ $merged_params = array_merge($sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . 
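Review bot: The comment `# iterate through each row of the filter table` above the `while ($row = $query->fetch(PDO::FETCH_ASSOC))` loop in summary() was copied from filters(); this loop walks the aggregated event rows, totals `f1` into `$n` and keeps the first `$limit` of them. Replace it with `# walk the aggregated rows: total f1 into $n, keep the first $limit rows, count all of them in $i`. The `"r" => $i` replacement for `mysql_num_rows()` is equivalent only because the loop always consumes every row; a short comment on the `$rows[] = array("n" => $n, "r" => $i);` line saying so would protect that assumption if an early `break` on `$limit` is ever introduced. `$limit` comes straight from `$_REQUEST` and is compared as-is in `$i <= $limit`; `(int)$_REQUEST['limit']` would make that comparison deterministic for non-numeric input.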
print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); ++ ++ // unbuffered query can't do rowCount, replacing with $records below ++ //$rc = $query->rowCount(); + $records = 0; + $rows = $srcs = $tgts = $vals = $skip = $names = $_names = array(); +- +- if ($rc == 0) { +- $theJSON = json_encode(array("nodes" => $names, "links" => $rows, "records" => $records)); +- echo $theJSON; +- exit(); +- } +- +- while ($row = mysql_fetch_assoc($result)) { ++/* ++*/ ++ while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + if ($type == "ips") { + $srcs[] = $row["source"]; + $tgts[] = $row["sig"]; +@@ -1154,6 +1227,12 @@ function view() { + $sads[] = 0; + $records++; + } ++ ++ if ($records == 0) { ++ $theJSON = json_encode(array("nodes" => $names, "links" => $rows, "records" => $records)); ++ echo $theJSON; ++ exit(); ++ } + // Value counts + $src_c = array_count_values($srcs); + $tgt_c = array_count_values($tgts); +@@ -1163,33 +1242,33 @@ function view() { + foreach ($srcs as $index => $src) { + // Find the target + if (in_array($index, $skip)) { continue; } +- $tgt = $tgts[$index]; +- // Find the keys for all instances of the target as a source +- $tgt_keys = array_keys($srcs,$tgt); +- // Now see if any have the source as a target +- foreach ($tgt_keys as $pos) { +- if ($tgts[$pos] == $src) { +- $sads_val = $vals[$pos]; +- unset($srcs[$pos]); +- unset($tgts[$pos]); +- unset($vals[$pos]); +- unset($sads[$pos]); +- // Add offset to be skipped +- $skip[] = $pos; +- // By setting this we flag that this source is also a target +- $sads[$index] = $sads_val; ++ $tgt = $tgts[$index]; ++ // Find the keys for all instances of the target as a source ++ $tgt_keys = array_keys($srcs,$tgt); ++ // Now see if any have the source as a target ++ foreach ($tgt_keys as $pos) { ++ if ($tgts[$pos] == $src) { ++ $sads_val = $vals[$pos]; ++ unset($srcs[$pos]); ++ unset($tgts[$pos]); ++ unset($vals[$pos]); ++ unset($sads[$pos]); ++ // Add offset 
to be skipped ++ $skip[] = $pos; ++ // By setting this we flag that this source is also a target ++ $sads[$index] = $sads_val; ++ } + } +- } + +- // If there is no filter, remove 1:1s with a count of 1 +- if ($filter == 'empty') { +- if ($vals[$index] == 1 && $sads[$index] == 0 && $src_c[$src] == 1) { +- unset($srcs[$index]); +- unset($tgts[$index]); +- unset($vals[$index]); +- unset($sads[$index]); +- } +- } ++ // If there is no filter, remove 1:1s with a count of 1 ++ if ($filter == 'empty') { ++ if ( isset($vals[$index]) && $vals[$index] == 1 && isset($sads[$index]) && $sads[$index] == 0 && isset($src_c[$src]) && $src_c[$src] == 1) { ++ unset($srcs[$index]); ++ unset($tgts[$index]); ++ unset($vals[$index]); ++ unset($sads[$index]); ++ } ++ } + } + + // We have probably truncated these so realign the indexes +@@ -1234,29 +1313,34 @@ function view() { + } + + function autocat() { ++ // This function queries and updates sguild's list of autocats. ++ // This function has been updated to use PDO prepared statements. 
++ global $dbpdo; + $usr = $_SESSION['sUser']; + $pwd = $_SESSION['sPass']; + $offset = $_SESSION['tzoffset']; +- $mode = mysql_real_escape_string($_REQUEST['mode']); ++ $mode = $_REQUEST['mode']; + + switch ($mode) { + case "query" : +- $query = "SELECT autoid, CONVERT_TZ(erase,'+00:00','$offset') AS erase, sensorname, ++ // build statement ++ $statement = "SELECT autoid, CONVERT_TZ(erase,'+00:00', :offset1) AS erase, sensorname, + src_ip, src_port, dst_ip, dst_port, ip_proto, +- signature, status, active, CONVERT_TZ(timestamp,'+00:00','$offset') AS ts, ++ signature, status, active, CONVERT_TZ(timestamp,'+00:00', :offset2) AS ts, + u.username AS user, comment + FROM autocat + LEFT JOIN user_info AS u ON autocat.uid = u.uid + ORDER BY ts DESC"; +- +- $result = mysql_query($query); +- +- $rows = array(); +- +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } +- ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":offset1" => "$offset", ":offset2" => "$offset"]; ++ // execute the prepared statement with the params ++ $query->execute($params); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + break; + +@@ -1323,10 +1407,22 @@ function autocat() { + } + + if ($rm == 1) { +- $query = "DELETE FROM autocat WHERE autoid = $id"; ++ $statement = "DELETE FROM autocat WHERE autoid = :id"; ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // build parameters for prepared statement ++ $params = [":id" => "$id"]; ++ // execute the prepared statement with the params ++ $query->execute($params); ++ $result = $query->errorInfo(); ++ $err = ""; ++ // if there was no error, then $result[2] should be null ++ if ( ! 
is_null($result[2]) ) { ++ $err = $result[2]; ++ } + +- mysql_query($query); +- $err = mysql_error(); + } + + $result = array("dbg" => htmlspecialchars($debug), +@@ -1416,11 +1512,13 @@ echo $theJSON; + } + + function addremoveobject() { +- $user = $_SESSION['sUser']; +- $obtype = mysql_real_escape_string($_REQUEST['obtype']); +- $object = mysql_real_escape_string(hextostr($_REQUEST['object'])); +- $value = mysql_real_escape_string($_REQUEST['value']); +- $op = mysql_real_escape_string($_REQUEST['op']); ++ // This function adds objects to and removes objects from the object_mappings table. ++ // This function has been updated to use PDO prepared statements. ++ global $dbpdo; ++ $obtype = $_REQUEST['obtype']; ++ $object = hextostr($_REQUEST['object']); ++ $value = $_REQUEST['value']; ++ $op = $_REQUEST['op']; + + // For everything but tags we want to replace the existing value + $hash = md5($obtype . $object); +@@ -1434,48 +1532,70 @@ function addremoveobject() { + break; + } + ++ // Are we adding or removing? + switch ($op) { + case "add": +- $query = "INSERT INTO object_mappings (type,object,value,hash) +- VALUES ('$obtype','$object','$value','$hash') ++ // If adding object, insert into table. ++ $statement = "INSERT INTO object_mappings (type,object,value,hash) ++ VALUES (:obtype1,:object1,:value1,:hash1) + ON DUPLICATE KEY UPDATE +- type='$obtype',object='$object',value='$value',hash='$hash'"; ++ type=:obtype2,object=:object2,value=:value2,hash=:hash2"; ++ // build parameters for prepared statement ++ $params = [":obtype1" => "$obtype", ":object1" => "$object", ":value1" => "$value", ":hash1" => "$hash", ":obtype2" => "$obtype", ":object2" => "$object", ":value2" => "$value", ":hash2" => "$hash"]; + break; + case "rm": +- $query = "DELETE FROM object_mappings WHERE hash = '$hash'"; ++ // If removing object, delete from table. 
++ $statement = "DELETE FROM object_mappings WHERE hash = :hash"; ++ // build parameters for prepared statement ++ $params = [":hash" => "$hash"]; + break; + } +- +- mysql_query($query); +- $result = mysql_error(); +- $return = array("msg" => $result); +- ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // execute the prepared statement with the params ++ $query->execute($params); ++ // check for errors ++ $result = $query->errorInfo(); ++ $error = ""; ++ // if there was no error, then $result[2] should be null ++ if ( ! is_null($result[2]) ) { ++ $error = $result[2]; ++ } ++ $return = array("msg" => $error); + $theJSON = json_encode($return); + echo $theJSON; + } + + function getcolour() { +- $user = $_SESSION['sUser']; +- +- $query = "SELECT object, value AS colour ++ // This function gets the color mappings from the object_mappings table. ++ // This function has been updated to use PDO prepared statements. ++ global $dbpdo; ++ // build statement ++ $statement = "SELECT object, value AS colour + FROM object_mappings + WHERE type = 'el_c'"; +- +- $result = mysql_query($query); +- $rows = array(); +- while ($row = mysql_fetch_assoc($result)) { +- $rows[] = $row; +- } ++ // debug ++ //error_log("$statement"); ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // execute the prepared statement ++ $query->execute(); ++ // fetch the data and encode to json ++ $rows = $query->fetchAll(PDO::FETCH_ASSOC); + $theJSON = json_encode($rows); + echo $theJSON; + } + + function objhistory () { +- global $offset, $start, $sdate; ++ // This function returns the history for an object over the last 7 days. ++ // This function has been updated to use PDO prepared statements. ++ global $offset, $start, $sdate, $sdatetime, $offset, $dbpdo; + $object = hextostr($_REQUEST['object']); + $object = str_replace("aa", "", $object); + +- // Plant, animal or mineral? ++ // Is object an IP address? 
+ $re = '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/'; + $obtype = 0; + if (preg_match($re, $object)) { +@@ -1483,45 +1603,66 @@ function objhistory () { + } + + switch ($obtype) { +- case 0: $subject = "signature_id = '$object'"; break; +- case 1: $subject = "(src_ip = INET_ATON('$object') OR dst_ip = INET_ATON('$object'))"; break; +- } ++ case 0: ++ $subject = "signature_id = :object"; ++ $statement = "SELECT ++ DATE(CONVERT_TZ(event.timestamp,'+00:00', :offset1)) AS day, ++ HOUR(CONVERT_TZ(event.timestamp,'+00:00', :offset2)) AS hour, ++ COUNT(event.timestamp) AS value ++ FROM event ++ WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime1,:offset3,'+00:00') - INTERVAL 6 DAY AND CONVERT_TZ(:sdatetime2,:offset4,'+00:00') + INTERVAL 1 DAY ++ AND signature_id = :object ++ GROUP BY day,hour ++ ORDER BY day ASC"; ++ $params = [":offset1" => "$offset", ":offset2" => "$offset", ":sdatetime1" => "$sdatetime", ":offset3" => "$offset", ":sdatetime2" => "$sdatetime", ":offset4" => "$offset", ":object" => "$object"]; ++ break; + +- $query = "SELECT +- DATE(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS day, +- HOUR(CONVERT_TZ(event.timestamp,'+00:00','$offset')) AS hour, ++ case 1: ++ $subject = "(src_ip = INET_ATON('$object') OR dst_ip = INET_ATON('$object'))"; ++ $statement = "SELECT ++ DATE(CONVERT_TZ(event.timestamp,'+00:00', :offset1)) AS day, ++ HOUR(CONVERT_TZ(event.timestamp,'+00:00', :offset2)) AS hour, + COUNT(event.timestamp) AS value + FROM event +- WHERE event.timestamp BETWEEN $start - INTERVAL 6 DAY AND $start + INTERVAL 1 DAY +- AND $subject ++ WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime1,:offset3,'+00:00') - INTERVAL 6 DAY AND CONVERT_TZ(:sdatetime2,:offset4,'+00:00') + INTERVAL 1 DAY ++ AND (src_ip = INET_ATON(:object1) OR dst_ip = INET_ATON(:object2)) + GROUP BY day,hour + ORDER BY day ASC"; ++ $params = [":offset1" => "$offset", ":offset2" => "$offset", ":sdatetime1" => "$sdatetime", ":offset3" => "$offset", ":sdatetime2" => "$sdatetime", ":offset4" 
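Review bot: The new `global $offset, $start, $sdate, $sdatetime, $offset, $dbpdo;` line in objhistory() lists `$offset` twice, and `$start` and `$sdate` are no longer referenced by the rewritten queries in the next hunk, which bind `$sdatetime` instead. Trim it to `global $offset, $sdatetime, $dbpdo;` unless the tail of the function, which lies outside these hunks, still reads `$start` or `$sdate`. The rewritten `// Is object an IP address?` comment is an improvement over the old one, but it describes only the `$obtype` detection; the `$object = str_replace("aa", "", $object);` line above it is unexplained and deserves a one-line note on why that substring is stripped. getcolour() is a straight conversion and looks fine.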
=> "$offset", ":object1" => "$object", ":object2" => "$object"]; ++ break; ++ } ++ $query = $dbpdo->prepare("$statement"); ++ // original used unbuffered query, but that doesn't seem to work with PDO? ++ //$result = mysql_unbuffered_query($query); ++ //$query->setAttribute( PDO::MYSQL_ATTR_USE_BUFFERED_QUERY, False ); ++ $query->execute(array_merge($params)); + + $rows1 = $rows2 = array(); + $r1 = $r2 = 0; +- +- $result = mysql_unbuffered_query($query); +- +- while ($row = mysql_fetch_assoc($result)) { ++ while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + $rows1[] = $row; + $r1++; + } +- + $result = ""; + + if ($r1 != 0 && $obtype == 1) { +- $query = "SELECT ++ $statement = "SELECT + COUNT(signature_id) AS value, + signature AS label, + signature_id AS sid + FROM event +- WHERE event.timestamp BETWEEN $start - INTERVAL 6 DAY AND $start + INTERVAL 1 DAY +- AND $subject ++ WHERE event.timestamp BETWEEN CONVERT_TZ(:sdatetime1,:offset1,'+00:00') - INTERVAL 6 DAY AND CONVERT_TZ(:sdatetime2,:offset2,'+00:00') + INTERVAL 1 DAY ++ AND (src_ip = INET_ATON(:object1) OR dst_ip = INET_ATON(:object2)) + GROUP BY signature_id + ORDER BY value DESC"; + +- $result = mysql_unbuffered_query($query); +- while ($row = mysql_fetch_assoc($result)) { ++ $params = [":sdatetime1" => "$sdatetime", ":offset1" => "$offset", ":sdatetime2" => "$sdatetime", ":offset2" => "$offset", ":object1" => "$object", ":object2" => "$object"]; ++ // original used unbuffered query, but that doesn't seem to work with PDO? 
++ //$result = mysql_unbuffered_query($query); ++ //$query->setAttribute( PDO::MYSQL_ATTR_USE_BUFFERED_QUERY, False ); ++ $query = $dbpdo->prepare("$statement"); ++ $query->execute(array_merge($params)); ++ while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + $rows2[] = $row; + $r2++; + } +@@ -1532,30 +1673,12 @@ function objhistory () { + } + + function times() { +- global $offset, $when, $sensors; +- $filter = hextostr($_REQUEST['filter']); +- if ($filter != 'empty') { +- if (substr($filter, 0,4) == 'cmt ') { +- $comment = explode('cmt ', $filter); +- $qp2 = "LEFT JOIN history ON event.sid = history.sid AND event.cid = history.cid +- WHERE history.comment = '" . mysql_real_escape_string($comment[1]) . "' +- AND $when $sensors"; +- } else { +- // this needs to be fixed +- $filter = str_replace('<','<', $filter); +- $filter = str_replace('>','>', $filter); +- $filter = "AND " . $filter; +- $qp2 = "WHERE $when +- $sensors +- $filter"; +- } +- } else { +- $qp2 = "WHERE $when +- $sensors"; +- } ++ // This function returns data to the times visualization on the EVENTS tab. ++ // This function has been updated to use PDO prepared statements. 
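Review bot: Both `$subject` assignments in the new switch are dead — the statements bind `:object`, `:object1` and `:object2` directly — and the case 1 one still builds an SQL fragment by interpolating `$object` into `INET_ATON('$object')`, so the string-built form survives the conversion even though nothing reads it; drop both `$subject = ...` lines so the only SQL in objhistory is the bound statement. `$query->execute(array_merge($params))` is a no-op merge and its return value is ignored in both places; unless `$dbpdo` is configured with `PDO::ERRMODE_EXCEPTION` (not visible here) a failed execute returns false and the fetch loop silently yields an empty result, so `if (!$query->execute($params)) { /* report */ }` or the exception mode would make that visible. The leftover `$result = "";` belongs to the mysql_* version and can go too. objhistory starts before this hunk and continues after it.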
+ +- $query = "SELECT +- SUBSTRING(CONVERT_TZ(event.timestamp,'+00:00','$offset'),12,5) AS time, ++ global $offset, $when, $sensors, $qp2, $qp2_params, $sensor_params, $sv, $dbpdo; ++ $statement = "SELECT ++ SUBSTRING(CONVERT_TZ(event.timestamp,'+00:00',:substringoffset),12,5) AS time, + COUNT(signature) AS count + FROM event + LEFT JOIN mappings AS msrc ON event.src_ip = msrc.ip +@@ -1563,11 +1686,22 @@ function times() { + $qp2 + GROUP BY time + ORDER BY event.timestamp"; +- $result = mysql_query($query); ++ // add params for local part of statement ++ $local_params[':substringoffset'] = "$offset"; ++ // prepare statement ++ $query = $dbpdo->prepare("$statement"); ++ // merge params ++ $merged_params = array_merge($local_params, $sensor_params, $qp2_params); ++ // debug ++ //error_log("statement: $statement"); ++ //error_log("merged_params: " . print_r($merged_params,1)); ++ // execute the prepared statement with the params ++ $query->execute($merged_params); ++ + $rows = array(); + $r = $m = 0; + +- while ($row = mysql_fetch_assoc($result)) { ++ while ($row = $query->fetch(PDO::FETCH_ASSOC)) { + $rows[] = $row; + $cnts[] = $row['count']; + $r++; +--- securityonion-squert-20161212.orig/.scripts/securityonion_update.sql ++++ securityonion-squert-20161212/.scripts/securityonion_update.sql +@@ -133,6 +133,8 @@ VALUES ('url','','1','4d616c77617265446f + + GRANT INSERT,UPDATE,DELETE ON filters TO 'readonly'@'localhost'; + ++GRANT DELETE on autocat to 'readonly'@'localhost'; ++ + GRANT DELETE on history to 'readonly'@'localhost'; + + GRANT UPDATE on user_info TO 'readonly'@'localhost'; diff --git a/debian/patches/improve-calls-to-clicat b/debian/patches/improve-calls-to-clicat new file mode 100644 index 0000000..2befb49 --- /dev/null +++ b/debian/patches/improve-calls-to-clicat 
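Review bot: times() now takes its WHERE clause from the globals `$qp2` and `$qp2_params`, whose construction is outside this hunk, and the only comment on them is a changelog line; replace `// This function has been updated to use PDO prepared statements.` with the contract callers must keep, e.g. `// $qp2 is the WHERE fragment built by the caller: it must contain only :placeholders, every value arriving via $qp2_params (the old inline filter/comment branches that spliced request text into SQL were removed).` `$when` and `$sensors` remain in the global list although the visible part of the statement no longer interpolates them; if they are still used after this hunk that is fine, otherwise drop them. The statement continues past the end of the hunk.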
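Review bot: `array_merge($local_params, $sensor_params, $qp2_params)` assumes all three are arrays; if either global is unset on a path with no sensor or filter selection (their builders are outside this hunk), PHP 8 throws a TypeError and PHP 7 warns and returns null, so the statement then executes with no bindings. Initialise the local explicitly and guard the merge: `$local_params = [':substringoffset' => "$offset"];` and `$merged_params = array_merge($local_params, $sensor_params ?? [], $qp2_params ?? []);`. The result of `$query->execute($merged_params)` is also unchecked, so a mismatch between the placeholders in `$qp2` and the keys in `$qp2_params` surfaces as an empty chart rather than an error unless the connection uses `PDO::ERRMODE_EXCEPTION` (not visible here). The commented-out `error_log` debug lines can go.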
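Review bot: This GRANT gives the account named 'readonly' DELETE on a fourth table, after INSERT/UPDATE/DELETE on filters, DELETE on history and UPDATE on user_info, and nothing records which UI action needs it; a comment beside the grant stating which feature issues the DELETE and whether INSERT/UPDATE on autocat are deliberately withheld, e.g. `-- autocat editor: rule removal from the web UI`, keeps the privilege set auditable the next time someone asks why a 'readonly' login can delete classification rules. Whether INSERT or UPDATE on autocat is granted elsewhere in the file is not visible in this hunk.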
@@ -0,0 +1,10413 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion17) trusty; urgency=medium + . + * improve calls to clicat +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- /dev/null ++++ securityonion-squert-20161212/.auth/squert/login.php +@@ -0,0 +1,138 @@ ++ ++// ++// This program is free software: you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation, either version 3 of the License, or ++// (at your option) any later version. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License ++// along with this program. If not, see . 
++// ++// ++ ++include_once '.inc/config.php'; ++ ++$username = $password = $err = ''; ++$focus = 'username'; ++session_set_cookie_params(0, NULL, NULL, NULL, TRUE); ++ ++function cleanUp($string) { ++ if (get_magic_quotes_gpc()) { ++ $string = stripslashes($string); ++ } ++ $string = mysql_real_escape_string($string); ++ return $string; ++} ++ ++if ($_SERVER['REQUEST_METHOD'] == 'POST'){ ++ $username = $_REQUEST['username']; ++ $password = $_REQUEST['password']; ++ $ua = $_SERVER['HTTP_USER_AGENT']; ++ $rqt = $_SERVER['REQUEST_TIME']; ++ $rqaddr = $_SERVER['REMOTE_ADDR']; ++ $max = mt_getrandmax(); ++ $rqt .= mt_rand(0,$max); ++ $rqaddr .= mt_rand(0,$max); ++ $ua .= mt_rand(0,$max); ++ $cmpid = $rqt . $rqaddr . $ua; ++ $id = md5($cmpid); ++ $db = mysql_connect($dbHost,$dbUser,$dbPass); ++ $link = mysql_select_db($dbName, $db); ++ if ($link) { ++ $user = cleanUp($username); ++ $query = "SELECT * FROM user_info WHERE username = '$user'"; ++ $result = mysql_query($query); ++ $numRows = mysql_num_rows($result); ++ ++ if ($numRows > 0) { ++ while ($row = mysql_fetch_row($result)) { ++ $userName = $row[1]; ++ $lastLogin = $row[2]; ++ $userHash = $row[3]; ++ $userEmail = $row[4]; ++ $userType = $row[5]; ++ $userTime = $row[6]; ++ $tzoffset = $row[7]; ++ } ++ // The first 2 chars are the salt ++ $theSalt = substr($userHash, 0,2); ++ ++ // The remainder is the hash ++ $theHash = substr($userHash, 2); ++ ++ // Now we hash the users input ++ $testHash = sha1($password . $theSalt); ++ ++ // Does it match? If yes, start the session. 
++ if ($testHash === $theHash) { ++ session_start(); ++ ++ // Protect against session fixation attack ++ if (!isset($_SESSION['initiated'])) { ++ session_regenerate_id(); ++ $_SESSION['initiated'] = true; ++ } ++ ++ $_SESSION['sLogin'] = 1; ++ $_SESSION['sUser'] = $userName; ++ $_SESSION['sPass'] = $password; ++ $_SESSION['sEmail'] = $userEmail; ++ $_SESSION['sType'] = $userType; ++ $_SESSION['sTime'] = $userTime; ++ $_SESSION['tzoffset'] = $tzoffset; ++ $_SESSION['sTab'] = 't_sum'; ++ $_SESSION['id'] = $id; ++ ++ header ("Location: index.php?id=$id"); ++ } else { ++ $err = 'The user name or password is incorrect.'; ++ $focus = 'username'; ++ } ++ } else { ++ $err = 'The user name or password is incorrect.'; ++ $focus = 'username'; ++ } ++ } else { ++ $err = 'Connection Failed'; ++ } ++} ++?> ++ ++ ++ ++Please login to continue ++ ++ ++ ++ ++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.6.7©2016 Paul Halliday
++
++
++ ++ ++ +--- /dev/null ++++ securityonion-squert-20161212/.auth/squert/squertMain.js +@@ -0,0 +1,3275 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ rtbit = 
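Review bot: `header ("Location: index.php?id=$id");` is not followed by `exit;`, so after a successful login the script continues and renders the login form below it; add `exit;` on the next line. `session_regenerate_id();` should be `session_regenerate_id(true);` so the pre-login session record is deleted rather than left alive alongside the new id. `$_SESSION['sPass'] = $password;` keeps the cleartext password in the server-side session for the whole login; unless a later page reads `sPass` (nothing in this hunk does) it should be dropped, and the `$id` built from `md5()` over `mt_rand()` is not a secure token if anything beyond the URL relies on it — `bin2hex(random_bytes(16))` would be, where the target PHP version has it. The outer hunk adding this patch file continues past the end of the view.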
0; ++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = $(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + 
tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ } ++ ++ $('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" 
+ urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); ++ $('.content-right').css("width","100%"); ++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ 
$('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ $.get("index.php?id=0", function(){location.reload()}); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and show checkbox ++ 
$(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
";
++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove();
++ $(".ev_py").append(tbl);
++ }
++ } else {
++ return;
++ }
++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow');
++ $("#loader").hide();
++ }
++ }
++// The End.
++});
+--- /dev/null
++++ securityonion-squert-20161212/.auth/sso/login.php
+@@ -0,0 +1,141 @@
++
++//
++// This program is free software: you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation, either version 3 of the License, or
++// (at your option) any later version.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License
++// along with this program. If not, see .
++//
++//
++
++include_once '.inc/config.php';
++
++$username = $password = $err = '';
++$focus = 'username';
++session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
++
++function cleanUp($string) {
++ if (get_magic_quotes_gpc()) {
++ $string = stripslashes($string);
++ }
++ $string = mysql_real_escape_string($string);
++ return $string;
++}
++
++//if ($_SERVER['REQUEST_METHOD'] == 'POST'){
++ //$username = $_REQUEST['username'];
++ //$password = $_REQUEST['password'];
++ $username = $_SERVER['PHP_AUTH_USER'];
++ $password = $_SERVER['PHP_AUTH_PW'];
++
++ $ua = $_SERVER['HTTP_USER_AGENT'];
++ $rqt = $_SERVER['REQUEST_TIME'];
++ $rqaddr = $_SERVER['REMOTE_ADDR'];
++ $max = mt_getrandmax();
++ $rqt .= mt_rand(0,$max);
++ $rqaddr .= mt_rand(0,$max);
++ $ua .= mt_rand(0,$max);
++ $cmpid = $rqt . $rqaddr . 
$ua;
++ $id = md5($cmpid);
++ $db = mysql_connect($dbHost,$dbUser,$dbPass);
++ $link = mysql_select_db($dbName, $db);
++ if ($link) {
++ $user = cleanUp($username);
++ $query = "SELECT * FROM user_info WHERE username = '$user'";
++ $result = mysql_query($query);
++ $numRows = mysql_num_rows($result);
++
++ if ($numRows > 0) {
++ while ($row = mysql_fetch_row($result)) {
++ $userName = $row[1];
++ $lastLogin = $row[2];
++ $userHash = $row[3];
++ $userEmail = $row[4];
++ $userType = $row[5];
++ $userTime = $row[6];
++ $tzoffset = $row[7];
++ }
++ // The first 2 chars are the salt
++ $theSalt = substr($userHash, 0,2);
++
++ // The remainder is the hash
++ $theHash = substr($userHash, 2);
++
++ // Now we hash the users input
++ $testHash = sha1($password . $theSalt);
++
++ // Does it match? If yes, start the session.
++ if ($testHash === $theHash) {
++ session_start();
++
++ // Protect against session fixation attack
++ if (!isset($_SESSION['initiated'])) {
++ session_regenerate_id();
++ $_SESSION['initiated'] = true;
++ }
++
++ $_SESSION['sLogin'] = 1;
++ $_SESSION['sUser'] = $userName;
++ $_SESSION['sPass'] = $password;
++ $_SESSION['sEmail'] = $userEmail;
++ $_SESSION['sType'] = $userType;
++ $_SESSION['sTime'] = $userTime;
++ $_SESSION['tzoffset'] = $tzoffset;
++ $_SESSION['sTab'] = 't_sum';
++ $_SESSION['id'] = $id;
++
++ header ("Location: index.php?id=$id");
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'Connection Failed';
++ }
++//}
++?>
++
++
++
++Please login to continue
++
++
++
++
++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.6.4©2016 Paul Halliday
++
++
++ ++ ++ +--- /dev/null ++++ securityonion-squert-20161212/.auth/sso/squertMain.js +@@ -0,0 +1,3276 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ rtbit = 0; 
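Review bot: The credential check in the new login.php compares the salted SHA-1 with `===` and then keeps the cleartext password in the session (`$_SESSION['sPass'] = $password;`), so anything that can read the session store (including PHP session files left on disk) gets reusable credentials; drop that assignment, compare with `if (hash_equals($theHash, $testHash)) {` to close the timing side channel, and move to `password_hash()`/`password_verify()` when the stored `user_info` hash format can change. The redirect `header ("Location: index.php?id=$id");` is not followed by `exit;`, so the login page body still renders after a successful login. `$id` is built from `mt_rand()` values and `md5()`, which are predictable and not suitable for an identifier that is passed in the URL and stored in the session; `bin2hex(random_bytes(16))` gives an unpredictable value. The `mysql_*` functions and `get_magic_quotes_gpc()` used in `cleanUp()` and the lookup are removed in PHP 7/8, so this file will not run there; a PDO prepared statement for the `user_info` query replaces both the string-built SQL and the escaping helper.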
++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = $(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + 
tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ } ++ ++ $('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" 
+ urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); ++ $('.content-right').css("width","100%"); ++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ 
$('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ //$.get("/logout.html", function(){location.reload()}); ++ location.replace("/logout.html"); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and 
show checkbox ++ $(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
";
++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove();
++ $(".ev_py").append(tbl);
++ }
++ } else {
++ return;
++ }
++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow');
++ $("#loader").hide();
++ }
++ }
++// The End.
++});
+--- securityonion-squert-20161212.orig/.inc/callback.php
++++ securityonion-squert-20161212/.inc/callback.php
+@@ -537,74 +537,8 @@ function tab() {
+ }
+ 
+ function transcript() {
+-
+- global $offset;
+- $txdata = hextostr($_REQUEST['txdata']);
+- $usr = $_SESSION['sUser'];
+- $pwd = $_SESSION['sPass'];
+- list($sid, $timestamp, $sip, $spt, $dip, $dpt) = explode("|", $txdata);
+- $sqlsid = mysql_real_escape_string($sid);
+- // Lookup sensorname
+- $query = "SELECT hostname FROM sensor
+- WHERE sid = '$sqlsid'";
+-
+- $qResult = mysql_query($query);
+-
+- $sensorName = mysql_result($qResult, 0);
+- $cmdsid = escapeshellarg($sid);
+- $cmdsip = escapeshellarg($sip);
+- $cmddip = escapeshellarg($dip);
+- $cmdspt = escapeshellarg($spt);
+- $cmddpt = escapeshellarg($dpt);
+-
+- $cmd = "../.scripts/cliscript.tcl \"$usr\" \"$sensorName\" \"$timestamp\" $cmdsid $cmdsip $cmddip $cmdspt $cmddpt";
+- $descspec = array(
+- 0 => array("pipe", "r"),
+- 1 => array("pipe", "w"),
+- 2 => array("pipe", "w")
+- );
+-
+- $proc = proc_open($cmd, $descspec, $pipes);
+- $debug = "Process execution failed";
+- $_raw = $fmtd = "";
+- if (is_resource($proc)) {
+- fwrite($pipes[0], $pwd);
+- fclose($pipes[0]);
+- $_raw = stream_get_contents($pipes[1]);
+- fclose($pipes[1]);
+- $debug = fgets($pipes[2]);
+- fclose($pipes[2]);
+- }
+-
+- $raw = explode("\n", $_raw);
+- foreach ($raw as $line) {
+-
+- $line = htmlspecialchars($line);
+- $type = substr($line, 0,3);
+-
+- switch ($type) {
+- case "DEB": $debug .= preg_replace('/^DEBUG:.*$/', "$0", $line) . "
"; $line = ''; break;
+- case "HDR": $line = preg_replace('/(^HDR:)(.*$)/', "$2", $line); break;
+- case "DST": $line = preg_replace('/^DST:.*$/', "$0", $line); break;
+- case "SRC": $line = preg_replace('/^SRC:.*$/', "$0", $line); break;
+- default: $line = ""; break;
+- }
+-
+- if (strlen($line) > 0) {
+- $fmtd .= $line . "
";
+- }
+- }
+-
+- if (strlen($fmtd) > 0) {
+- $fmtd .= "
" . $debug;
+- }
+-
+- $result = array("tx" => "$fmtd",
+- "dbg" => "$_raw",
+- "cmd" => "$cmd");
+-
+- $theJSON = json_encode($result);
+- echo $theJSON;
++ # We no longer use Squert's native transcript functionality.
++ # Squert now pivots to CapMe for transcripts.
+ }
+ 
+ function filters() {
+@@ -684,7 +618,12 @@ function cat() {
+ list($cat, $msg, $lst) = explode("|||", $catdata);
+ $msg = htmlentities($msg);
+ 
+- $cmd = "../.scripts/clicat.tcl 0 \"$usr\" \"$cat\" \"$msg\" \"$lst\"";
++ $cmdusr = escapeshellarg($usr);
++ $cmdcat = escapeshellarg($cat);
++ $cmdmsg = escapeshellarg($msg);
++ $cmdlst = escapeshellarg($lst);
++
++ $cmd = "../.scripts/clicat.tcl 0 $cmdusr $cmdcat $cmdmsg $cmdlst";
+ $descspec = array(
+ 0 => array("pipe", "r"),
+ 1 => array("pipe", "w")
+@@ -1243,7 +1182,19 @@ function autocat() {
+ $expires = gmdate("Y-m-d H:i:s", strtotime("+ $expires"));
+ }
+ 
+- $cmd = "../.scripts/clicat.tcl 1 \"$usr\" \"$expires\" \"$v[sensor]\" \"$v[src_ip]\" \"$v[src_port]\" \"$v[dst_ip]\" \"$v[dst_port]\" \"$v[proto]\" \"$v[signature]\" \"$v[status]\" \"$v[comment]\"";
++ $cmdusr = escapeshellarg($usr);
++ $cmdexpires = escapeshellarg($expires);
++ $cmdsensor = escapeshellarg($v['sensor']);
++ $cmdsrcip = escapeshellarg($v['src_ip']);
++ $cmdsrcport = escapeshellarg($v['src_port']);
++ $cmddstip = escapeshellarg($v['dst_ip']);
++ $cmddstport = escapeshellarg($v['dst_port']);
++ $cmdproto = escapeshellarg($v['proto']);
++ $cmdsignature = escapeshellarg($v['signature']);
++ $cmdstatus = escapeshellarg($v['status']);
++ $cmdcomment = escapeshellarg($v['comment']);
++
++ $cmd = "../.scripts/clicat.tcl 1 $cmdusr $cmdexpires $cmdsensor $cmdsrcip $cmdsrcport $cmddstip $cmddstport $cmdproto $cmdsignature $cmdstatus $cmdcomment";
+ $descspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"));
+ $proc = proc_open($cmd, $descspec, $pipes);
+ $debug = "Process execution failed";
+@@ -1267,7 +1218,11 @@ function autocat() {
+ $type = 3;
+ }
+ 
+- $cmd = 
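Review bot: Reducing `transcript()` to two comment lines leaves a function that writes nothing at all, so a request that still reaches it gets an empty body where the old code answered with a JSON object carrying `tx`, `dbg` and `cmd` (the request dispatcher is outside this hunk, so I cannot confirm whether the old `type=7` path still routes here, but the removed squertMain.js did `eval()` that reply). If the entry point is kept, emit a well-formed reply so a caller's parse does not fail, e.g. `echo json_encode(array("tx" => "", "dbg" => "Transcript lookup is disabled; pivot to CapMe.", "cmd" => ""));`; if it is not kept, drop the dispatch entry in the same patch. The two new comments use `#` while the surrounding file uses `//` (see the removed `// Lookup sensorname`); keep one style. This hunk sits inside a patch file that the outer diff is adding, and that outer hunk starts and ends outside this view.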
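Review bot: The move to `escapeshellarg()` in `cat()` closes the quoting hole, and the same pattern is repeated in both `autocat()` hunks that follow, but it carries a caveat the patch does not document: on POSIX PHP `escapeshellarg()` silently drops bytes that are not valid in the current `LC_CTYPE` locale, so under the default `C` locale any non-ASCII byte in `$msg`, `$lst` or `$v['comment']` is stripped before the Tcl helper sees it. A comment above the first call would save the next reader a surprise, e.g. `// escapeshellarg() drops bytes invalid in the current LC_CTYPE locale; a UTF-8 locale must be set earlier if non-ASCII text is to survive`, and the locale setup belongs where callback.php is initialised, outside these hunks. `$msg` is also passed through `htmlentities()` on the context line above, so the helper receives entity-encoded text; that is pre-existing and unchanged here. `cat()` and `autocat()` both begin before their hunks.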
"../.scripts/clicat.tcl $type \"$usr\" $id"; ++ $cmdtype = escapeshellarg($type); ++ $cmdusr = escapeshellarg($usr); ++ $cmdid = escapeshellarg($id); ++ ++ $cmd = "../.scripts/clicat.tcl $cmdtype $cmdusr $cmdid"; + $descspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w")); + $proc = proc_open($cmd, $descspec, $pipes); + $debug = "Process execution failed"; +--- securityonion-squert-20161212.orig/.js/squertMain.js ++++ /dev/null +@@ -1,3275 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- } else { +- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = 
".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); +- rtbit = 0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. 
+- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = $(this).attr('class').split("_"); +- var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- 
break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- } +- +- $('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" 
+ urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); +- $('.content-right').css("width","100%"); +- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- 
$('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- $.get("index.php?id=0", function(){location.reload()}); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and show checkbox +- 
$(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
";
+- if ($('#obhist_sig')[0]) $('#obhist_sig').remove();
+- $(".ev_py").append(tbl);
+- }
+- } else {
+- return;
+- }
+- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow');
+- $("#loader").hide();
+- }
+- }
+-// The End.
+-});
+--- securityonion-squert-20161212.orig/login.php
++++ /dev/null
+@@ -1,138 +0,0 @@
+-
+-//
+-// This program is free software: you can redistribute it and/or modify
+-// it under the terms of the GNU General Public License as published by
+-// the Free Software Foundation, either version 3 of the License, or
+-// (at your option) any later version.
+-//
+-// This program is distributed in the hope that it will be useful,
+-// but WITHOUT ANY WARRANTY; without even the implied warranty of
+-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-// GNU General Public License for more details.
+-//
+-// You should have received a copy of the GNU General Public License
+-// along with this program. If not, see .
+-//
+-//
+-
+-include_once '.inc/config.php';
+-
+-$username = $password = $err = '';
+-$focus = 'username';
+-session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
+-
+-function cleanUp($string) {
+- if (get_magic_quotes_gpc()) {
+- $string = stripslashes($string);
+- }
+- $string = mysql_real_escape_string($string);
+- return $string;
+-}
+-
+-if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+- $username = $_REQUEST['username'];
+- $password = $_REQUEST['password'];
+- $ua = $_SERVER['HTTP_USER_AGENT'];
+- $rqt = $_SERVER['REQUEST_TIME'];
+- $rqaddr = $_SERVER['REMOTE_ADDR'];
+- $max = mt_getrandmax();
+- $rqt .= mt_rand(0,$max);
+- $rqaddr .= mt_rand(0,$max);
+- $ua .= mt_rand(0,$max);
+- $cmpid = $rqt . $rqaddr . 
$ua;
+- $id = md5($cmpid);
+- $db = mysql_connect($dbHost,$dbUser,$dbPass);
+- $link = mysql_select_db($dbName, $db);
+- if ($link) {
+- $user = cleanUp($username);
+- $query = "SELECT * FROM user_info WHERE username = '$user'";
+- $result = mysql_query($query);
+- $numRows = mysql_num_rows($result);
+-
+- if ($numRows > 0) {
+- while ($row = mysql_fetch_row($result)) {
+- $userName = $row[1];
+- $lastLogin = $row[2];
+- $userHash = $row[3];
+- $userEmail = $row[4];
+- $userType = $row[5];
+- $userTime = $row[6];
+- $tzoffset = $row[7];
+- }
+- // The first 2 chars are the salt
+- $theSalt = substr($userHash, 0,2);
+-
+- // The remainder is the hash
+- $theHash = substr($userHash, 2);
+-
+- // Now we hash the users input
+- $testHash = sha1($password . $theSalt);
+-
+- // Does it match? If yes, start the session.
+- if ($testHash === $theHash) {
+- session_start();
+-
+- // Protect against session fixation attack
+- if (!isset($_SESSION['initiated'])) {
+- session_regenerate_id();
+- $_SESSION['initiated'] = true;
+- }
+-
+- $_SESSION['sLogin'] = 1;
+- $_SESSION['sUser'] = $userName;
+- $_SESSION['sPass'] = $password;
+- $_SESSION['sEmail'] = $userEmail;
+- $_SESSION['sType'] = $userType;
+- $_SESSION['sTime'] = $userTime;
+- $_SESSION['tzoffset'] = $tzoffset;
+- $_SESSION['sTab'] = 't_sum';
+- $_SESSION['id'] = $id;
+-
+- header ("Location: index.php?id=$id");
+- } else {
+- $err = 'The user name or password is incorrect.';
+- $focus = 'username';
+- }
+- } else {
+- $err = 'The user name or password is incorrect.';
+- $focus = 'username';
+- }
+- } else {
+- $err = 'Connection Failed';
+- }
+-}
+-?>
+-
+-
+-
+-Please login to continue
+-
+-
+-
+-
+-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.6.7©2016 Paul Halliday
+-
+-
+-
+-
+-
diff --git a/debian/patches/improve-postinst b/debian/patches/improve-postinst
new file mode 100644
index 0000000..901e911
--- /dev/null
+++ b/debian/patches/improve-postinst
@@ -0,0 +1,13709 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion19) trusty; urgency=medium + . + * improve postinst +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- /dev/null ++++ securityonion-squert-20161212/.auth/native/squert/.js/squertMain.js +@@ -0,0 +1,3275 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } 
else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ rtbit = 0; ++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + 
"&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = 
$(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ 
$('.db_links').hide(); ++ break; ++ } ++ ++ $('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" + urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); 
++ $('.content-right').css("width","100%"); ++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ $('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ $.get("index.php?id=0", function(){location.reload()}); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and show checkbox ++ 
$(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); ++ $(".ev_py").append(tbl); ++ } ++ } else { ++ return; ++ } ++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); ++ $("#loader").hide(); ++ } ++ } ++// The End. ++}); +--- /dev/null ++++ securityonion-squert-20161212/.auth/native/squert/login.php +@@ -0,0 +1,138 @@ ++ ++// ++// This program is free software: you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation, either version 3 of the License, or ++// (at your option) any later version. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License ++// along with this program. If not, see . ++// ++// ++ ++include_once '.inc/config.php'; ++ ++$username = $password = $err = ''; ++$focus = 'username'; ++session_set_cookie_params(0, NULL, NULL, NULL, TRUE); ++ ++function cleanUp($string) { ++ if (get_magic_quotes_gpc()) { ++ $string = stripslashes($string); ++ } ++ $string = mysql_real_escape_string($string); ++ return $string; ++} ++ ++if ($_SERVER['REQUEST_METHOD'] == 'POST'){ ++ $username = $_REQUEST['username']; ++ $password = $_REQUEST['password']; ++ $ua = $_SERVER['HTTP_USER_AGENT']; ++ $rqt = $_SERVER['REQUEST_TIME']; ++ $rqaddr = $_SERVER['REMOTE_ADDR']; ++ $max = mt_getrandmax(); ++ $rqt .= mt_rand(0,$max); ++ $rqaddr .= mt_rand(0,$max); ++ $ua .= mt_rand(0,$max); ++ $cmpid = $rqt . $rqaddr . 
$ua;
++ $id = md5($cmpid);
++ $db = mysql_connect($dbHost,$dbUser,$dbPass);
++ $link = mysql_select_db($dbName, $db);
++ if ($link) {
++ $user = cleanUp($username);
++ $query = "SELECT * FROM user_info WHERE username = '$user'";
++ $result = mysql_query($query);
++ $numRows = mysql_num_rows($result);
++
++ if ($numRows > 0) {
++ while ($row = mysql_fetch_row($result)) {
++ $userName = $row[1];
++ $lastLogin = $row[2];
++ $userHash = $row[3];
++ $userEmail = $row[4];
++ $userType = $row[5];
++ $userTime = $row[6];
++ $tzoffset = $row[7];
++ }
++ // The first 2 chars are the salt
++ $theSalt = substr($userHash, 0,2);
++
++ // The remainder is the hash
++ $theHash = substr($userHash, 2);
++
++ // Now we hash the users input
++ $testHash = sha1($password . $theSalt);
++
++ // Does it match? If yes, start the session.
++ if ($testHash === $theHash) {
++ session_start();
++
++ // Protect against session fixation attack
++ if (!isset($_SESSION['initiated'])) {
++ session_regenerate_id();
++ $_SESSION['initiated'] = true;
++ }
++
++ $_SESSION['sLogin'] = 1;
++ $_SESSION['sUser'] = $userName;
++ $_SESSION['sPass'] = $password;
++ $_SESSION['sEmail'] = $userEmail;
++ $_SESSION['sType'] = $userType;
++ $_SESSION['sTime'] = $userTime;
++ $_SESSION['tzoffset'] = $tzoffset;
++ $_SESSION['sTab'] = 't_sum';
++ $_SESSION['id'] = $id;
++
++ header ("Location: index.php?id=$id");
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'Connection Failed';
++ }
++}
++?>
++
++
++
++Please login to continue
++
++
++
++
++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.6.7©2016 Paul Halliday
++
++
++
++
++
+--- securityonion-squert-20161212.orig/.auth/squert/login.php
++++ /dev/null
+@@ -1,138 +0,0 @@
+-
+-//
+-// This program is free software: you can redistribute it and/or modify
+-// it under the terms of the GNU General Public License as published by
+-// the Free Software Foundation, either version 3 of the License, or
+-// (at your option) any later version.
+-//
+-// This program is distributed in the hope that it will be useful,
+-// but WITHOUT ANY WARRANTY; without even the implied warranty of
+-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-// GNU General Public License for more details.
+-//
+-// You should have received a copy of the GNU General Public License
+-// along with this program. If not, see .
+-//
+-//
+-
+-include_once '.inc/config.php';
+-
+-$username = $password = $err = '';
+-$focus = 'username';
+-session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
+-
+-function cleanUp($string) {
+- if (get_magic_quotes_gpc()) {
+- $string = stripslashes($string);
+- }
+- $string = mysql_real_escape_string($string);
+- return $string;
+-}
+-
+-if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+- $username = $_REQUEST['username'];
+- $password = $_REQUEST['password'];
+- $ua = $_SERVER['HTTP_USER_AGENT'];
+- $rqt = $_SERVER['REQUEST_TIME'];
+- $rqaddr = $_SERVER['REMOTE_ADDR'];
+- $max = mt_getrandmax();
+- $rqt .= mt_rand(0,$max);
+- $rqaddr .= mt_rand(0,$max);
+- $ua .= mt_rand(0,$max);
+- $cmpid = $rqt . $rqaddr .
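Review bot: `$_SESSION['sPass'] = $password;` keeps the user's plaintext password in server-side session storage for the whole session, which nothing in this file needs once `$testHash === $theHash` has passed and which turns any exposure of the session store into a credential leak; drop the line, and if a later page really must re-prove authentication, store a token rather than the secret. Two lines further up, `session_regenerate_id();` is skipped whenever `initiated` is already set, so the protection the comment promises only applies to a brand-new session; regenerate unconditionally after a successful check with `session_regenerate_id(true);` and follow `header ("Location: index.php?id=$id");` with `exit;` so the login form below is not rendered into the redirect response. The password check itself (`sha1($password . $theSalt)` with a two-character salt), the `mysql_*` calls (removed in PHP 7) and `get_magic_quotes_gpc()` (removed in PHP 8) are legacy; migrating to `password_hash()`/`password_verify()` and PDO prepared statements needs a schema change, so at minimum `cleanUp()` deserves a comment stating the PHP version this file is pinned to. Also `$_REQUEST['username']`/`$_REQUEST['password']` accept the credentials from the query string as well as the form body, although the branch is guarded by `REQUEST_METHOD == 'POST'`; `$_POST` is the intended source here.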
$ua;
+- $id = md5($cmpid);
+- $db = mysql_connect($dbHost,$dbUser,$dbPass);
+- $link = mysql_select_db($dbName, $db);
+- if ($link) {
+- $user = cleanUp($username);
+- $query = "SELECT * FROM user_info WHERE username = '$user'";
+- $result = mysql_query($query);
+- $numRows = mysql_num_rows($result);
+-
+- if ($numRows > 0) {
+- while ($row = mysql_fetch_row($result)) {
+- $userName = $row[1];
+- $lastLogin = $row[2];
+- $userHash = $row[3];
+- $userEmail = $row[4];
+- $userType = $row[5];
+- $userTime = $row[6];
+- $tzoffset = $row[7];
+- }
+- // The first 2 chars are the salt
+- $theSalt = substr($userHash, 0,2);
+-
+- // The remainder is the hash
+- $theHash = substr($userHash, 2);
+-
+- // Now we hash the users input
+- $testHash = sha1($password . $theSalt);
+-
+- // Does it match? If yes, start the session.
+- if ($testHash === $theHash) {
+- session_start();
+-
+- // Protect against session fixation attack
+- if (!isset($_SESSION['initiated'])) {
+- session_regenerate_id();
+- $_SESSION['initiated'] = true;
+- }
+-
+- $_SESSION['sLogin'] = 1;
+- $_SESSION['sUser'] = $userName;
+- $_SESSION['sPass'] = $password;
+- $_SESSION['sEmail'] = $userEmail;
+- $_SESSION['sType'] = $userType;
+- $_SESSION['sTime'] = $userTime;
+- $_SESSION['tzoffset'] = $tzoffset;
+- $_SESSION['sTab'] = 't_sum';
+- $_SESSION['id'] = $id;
+-
+- header ("Location: index.php?id=$id");
+- } else {
+- $err = 'The user name or password is incorrect.';
+- $focus = 'username';
+- }
+- } else {
+- $err = 'The user name or password is incorrect.';
+- $focus = 'username';
+- }
+- } else {
+- $err = 'Connection Failed';
+- }
+-}
+-?>
+-
+-
+-
+-Please login to continue
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.6.7©2016 Paul Halliday
+-
+-
+- +- +- +--- securityonion-squert-20161212.orig/.auth/squert/squertMain.js ++++ /dev/null +@@ -1,3275 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- } else { +- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); +- 
rtbit = 0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. +- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = $(this).attr('class').split("_"); +- var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + 
tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- } +- +- $('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" 
+ urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); +- $('.content-right').css("width","100%"); +- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- 
$('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- $.get("index.php?id=0", function(){location.reload()}); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and show checkbox +- 
$(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); +- $(".ev_py").append(tbl); +- } +- } else { +- return; +- } +- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); +- $("#loader").hide(); +- } +- } +-// The End. +-}); +--- securityonion-squert-20161212.orig/.auth/sso/login.php ++++ /dev/null +@@ -1,141 +0,0 @@ +- +-// +-// This program is free software: you can redistribute it and/or modify +-// it under the terms of the GNU General Public License as published by +-// the Free Software Foundation, either version 3 of the License, or +-// (at your option) any later version. +-// +-// This program is distributed in the hope that it will be useful, +-// but WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-// GNU General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License +-// along with this program. If not, see . +-// +-// +- +-include_once '.inc/config.php'; +- +-$username = $password = $err = ''; +-$focus = 'username'; +-session_set_cookie_params(0, NULL, NULL, NULL, TRUE); +- +-function cleanUp($string) { +- if (get_magic_quotes_gpc()) { +- $string = stripslashes($string); +- } +- $string = mysql_real_escape_string($string); +- return $string; +-} +- +-//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ +- //$username = $_REQUEST['username']; +- //$password = $_REQUEST['password']; +- $username = $_SERVER['PHP_AUTH_USER']; +- $password = $_SERVER['PHP_AUTH_PW']; +- +- $ua = $_SERVER['HTTP_USER_AGENT']; +- $rqt = $_SERVER['REQUEST_TIME']; +- $rqaddr = $_SERVER['REMOTE_ADDR']; +- $max = mt_getrandmax(); +- $rqt .= mt_rand(0,$max); +- $rqaddr .= mt_rand(0,$max); +- $ua .= mt_rand(0,$max); +- $cmpid = $rqt . $rqaddr . 
$ua; +- $id = md5($cmpid); +- $db = mysql_connect($dbHost,$dbUser,$dbPass); +- $link = mysql_select_db($dbName, $db); +- if ($link) { +- $user = cleanUp($username); +- $query = "SELECT * FROM user_info WHERE username = '$user'"; +- $result = mysql_query($query); +- $numRows = mysql_num_rows($result); +- +- if ($numRows > 0) { +- while ($row = mysql_fetch_row($result)) { +- $userName = $row[1]; +- $lastLogin = $row[2]; +- $userHash = $row[3]; +- $userEmail = $row[4]; +- $userType = $row[5]; +- $userTime = $row[6]; +- $tzoffset = $row[7]; +- } +- // The first 2 chars are the salt +- $theSalt = substr($userHash, 0,2); +- +- // The remainder is the hash +- $theHash = substr($userHash, 2); +- +- // Now we hash the users input +- $testHash = sha1($password . $theSalt); +- +- // Does it match? If yes, start the session. +- if ($testHash === $theHash) { +- session_start(); +- +- // Protect against session fixation attack +- if (!isset($_SESSION['initiated'])) { +- session_regenerate_id(); +- $_SESSION['initiated'] = true; +- } +- +- $_SESSION['sLogin'] = 1; +- $_SESSION['sUser'] = $userName; +- $_SESSION['sPass'] = $password; +- $_SESSION['sEmail'] = $userEmail; +- $_SESSION['sType'] = $userType; +- $_SESSION['sTime'] = $userTime; +- $_SESSION['tzoffset'] = $tzoffset; +- $_SESSION['sTab'] = 't_sum'; +- $_SESSION['id'] = $id; +- +- header ("Location: index.php?id=$id"); +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'Connection Failed'; +- } +-//} +-?> +- +- +- +-Please login to continue +- +- +- +- +-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.6.4©2016 Paul Halliday
+-
+-
+- +- +- +--- /dev/null ++++ securityonion-squert-20161212/.auth/sso/squert/.js/squertMain.js +@@ -0,0 +1,3276 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ 
rtbit = 0; ++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = $(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + 
tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ } ++ ++ $('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" 
+ urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); ++ $('.content-right').css("width","100%"); ++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ 
$('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ //$.get("/logout.html", function(){location.reload()}); ++ location.replace("/logout.html"); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and 
show checkbox ++ $(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click();
++ }
++ $('.b_update').click();
++ break;
++ case 'cmt_c':
++ $('.cat_msg_txt').val(suffix);
++ hItemAdd(suffix);
++ tfocus = ".cat_msg_txt";
++ break;
++ case 'fil':
++ var fil = $(this).data('value');
++ $('#search').val(fil);
++ hItemAdd(fil);
++ if ($('#fltr_box').css('display') != 'none') {
++ $('#ico04').click();
++ }
++ $('.b_update').click();
++ break;
++ case 'sid':
++ var value = $(this).data('value');
++ hItemAdd(suffix);
++ mkPickBox(prefix,value,suffix,colour,mX,mY);
++ break;
++ case 'st':
++ var suffix = $(this).attr('id').split('-')[1];
++ $('#search').val(prefix + " " + suffix);
++ // RT must be off to return anything
++ $('#rt').attr('class','tvalue_off');
++ $('#rt').text('off');
++ rtbit = 0;
++ $('.b_update').click();
++ break;
++ case 'el':
++ var suffix = $(this).data('value');
++ mkPickBox(prefix,suffix,0,colour,mX,mY);
++ break;
++ case 'zz':
++ hItemAdd(suffix);
++ mkPickBox(prefix,suffix,0,colour,mX,mY);
++ break;
++ }
++ });
++
++ //
++ // Picker Box
++ //
++
++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) {
++ var doexternals = "yes";
++ var objhex = s2h(suffix);
++ var tbl = '', row = '';
++ // Local stuff first
++ switch (prefix[prefix.length - 1]) {
++ case "c":
++ row += ":: SRC or DST";
++ row += ":: SRC";
++ row += ":: DST";
++ row += ":: SEARCH";
++ break;
++ case "p":
++ row += ":: SRC or DST";
++ row += ":: SRC";
++ row += ":: DST";
++ row += ":: ADD / REMOVE TAG";
++ if ($('.sigtxt')[0]) {
++ row += ":: HISTORY";
++ }
++ row += ":: SEARCH";
++ row += ":: COLOUR  ";
++ row += "";
++ row += "apply";
++ row += "apply all";
++ row += "";
++ break;
++ case "t":
++ row += ":: SRC";
++ row += ":: DST";
++ row += ":: SEARCH";
++ break;
++ case "d":
++ row += ":: SIGNATURE";
++ if ($('.sigtxt')[0]) {
++ row += ":: HISTORY";
++ }
++ row += ":: SEARCH";
++ break;
++ case "l":
++ row += ":: COLOUR  ";
++ row += "";
++ row += "update";
++ doexternals = "no";
++ break;
++ case "z":
++ row += ":: SEARCH";
++ break;
++ }
++
++ // If applicable populate externals
++ if (doexternals == "yes") {
++ $('.f_row').each(function() {
++ var ct = $(this).data('type');
++ if (ct == 'url') {
++ var alias = $(this).data('alias');
++ var name = $(this).data('name');
++ var url = $(this).data('filter');
++ row += "";
++ row += "" + name + "";
++ row += "";
++ }
++ });
++ }
++
++ tbl += "";
++ tbl += row;
++ tbl += "";
++
++ var boxlabel = suffix;
++
++ // Use more descriptive names where possible
++ var re = /(sid|cc|scc|dcc)/;
++ var OK = re.exec(prefix);
++ if (OK) {
++ var boxlabel = rsuffix;
++ }
++
++ if (boxlabel.length > 24) {
++ boxlabel = boxlabel.substring(0,24);
++ boxlabel += "..";
++ }
++
++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix);
++
++ if ($('#tlpick')[0]) $('#tlpick').remove();
++ $(".pickbox_tbl").append(tbl);
++ $('.pickbox').fadeIn('fast');
++
++ // Colour Picker
++ $("#menucol").spectrum({
++ showInput: true,
++ className: "full-spectrum",
++ showInitial: true,
++ showPalette: true,
++ showSelectionPalette: true,
++ maxPaletteSize: 6,
++ preferredFormat: "hex",
++ localStorageKey: "spectrum.demo",
++ move: function (color) {},
++ show: function () {},
++ beforeShow: function () {},
++ hide: function () {},
++ change: function() {},
++ palette: [
++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'],
++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'],
++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'],
++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'],
++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)']
++ ]
++ });
++ }
++
++ // Pickbox click events
++ $(document).on('click', '.p_row', function() {
++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click();
++ var ctype = $(this).data('type');
++ var alias = $(this).data('alias');
++ var args = $('#tlpick').data('val');
++ switch(ctype) {
++ case "l":
++ $('.pickbox').fadeOut('fast');
++ $('#search').val(alias + " " + args);
++ $('.b_update').click();
++ break;
++ case "r":
++ $('.pickbox').fadeOut('fast');
++ var url = h2s($(this).data('url')).replace("${var}", args);
++ window.open(url);
++ break;
++ case "t":
++ $('.tagbox').fadeIn('fast');
++ $('.taginput').focus();
++ break;
++ case "s":
++ $('.pickbox').fadeOut('fast', function() {;
++ $('#ico05').click();
++ });
++ $('.srch_txt').val(args);
++ break;
++ case "h":
++ doHistory(args);
++ $('.pickbox').fadeOut('fast');
++ break;
++ default: return;
++ }
++ });
++
++ //
++ // Tags
++ //
++
++ // Truncate
++ function truncTag(tag,len) {
++ if (tag.length > len) tag = tag.substring(0,len) + "..";
++ return tag;
++ }
++
++ // Filter results or add as new
++ $(document).on('click', '.tag', function() {
++ var tag = $(this).data('val');
++ if($('.taginput').is(":visible")) {
++ $('.taginput').val(tag);
++ $('.taginput').focus();
++ } else {
++ $('#search').val('tag ' + tag);
++ $('.b_update').click();
++ }
++ });
++
++ // Remove individual tags on "(X)" click via payload area
++ $(document).on('mouseenter', '.tag_d, .tag_s', function() {
++ var tag = $(this).data('val');
++ if ($(".tag_x")[0]) return;
++ var dw = $(this).width() - 5 + "px";
++ $(this).append(" X");
++ $(".tag_x").css("margin-left", dw);
++ $(".tag_x").fadeIn("slow");
++
++ });
++
++ $(document).on('mouseleave', '.tag_d, .tag_s', function() {
++ $('.tag_x').remove();
++ });
++
++ $(document).on('click', '.tag_x', function() {
++ var tag = $(this).parent().data("val");
++ var obj = $(this).parent().data("obj");
++ $(this).parent().remove();
++ var len = $("#tag_area").text().length;
++ if (len == 0) $("#tag_area").append("None.");
++ //doTag(s2h(obj),tag,'rm');
++ });
++
++ // Fire tag add on enter
++ $('.taginput').keypress(function(e) {
++ if (!e) e=window.event;
++ key = e.keyCode ? e.keyCode : e.which;
++ if (key == 13) $('.tagok').click();
++ });
++
++ // Close tag entry
++ $(document).on('click', '.tagcancel', function() {
++ $('.taginput').val('');
++ $('.tagbox').fadeOut('fast');
++ });
++
++ // Add a tag
++ $(document).on('click', '.tagok', function() {
++ var tag = $('.taginput').val();
++ var obj = $('#pickbox_label').text();
++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/;
++ var OK = re.exec(tag);
++ if (OK) doTag(s2h(obj),tag,'add');
++ });
++
++ // Remove a tag
++ $(document).on('click', '.tagrm', function() {
++ var tag = truncTag($('.taginput').val(),20);
++ var obj = $('#pickbox_label').text();
++ doTag(s2h(obj),tag,'rm');
++ $(".tag" + ":contains('" + tag + "')").remove();
++ $('.tagcancel').click();
++ });
++
++ // Display or Toggle tags
++ function addTag(tag) {
++ // If we entered from payload we have some additional info
++ if ($('#eview_sub2')[0]) {
++ var longTag = tag.split(",")[0];
++ var theClass = tag.split(",")[1];
++ var t_tag = truncTag(longTag,20);
++ } else {
++ var t_tag = truncTag(tag,20);
++ }
++
++ // Hide empty
++ $('.tag_empty').hide();
++
++ // Check if tag exists
++ var tag_exists = 0;
++ $('.tag').each(function() {
++ if ($(this).text() == t_tag) {
++ $(this).addClass('tag_active');
++ tag_exists = 1;
++ }
++ });
++
++ // Add tag to left pane
++ if (tag_exists == 0) {
++ var newTag = " " + t_tag + "";
++ $('#tg_box').prepend(newTag);
++ }
++
++ // If we have the payload open, add here as well
++ if ($('#eview_sub2')[0]) {
++ if($('#pickbox_label').is(":visible")) {
++ theClass = $('#pickbox_label').data('sord')[0];
++ }
++ // Remove placeholder
++ if ($('#tag_none')[0]) $('#tag_none').remove();
++ var newTag = "" + t_tag + "";
++ $('#tag_area').prepend(newTag);
++ }
++
++ }
++
++ function doTag(obj,tag,op) {
++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op;
++ $(function(){
++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)});
++ });
++
++ function cb22(data){
++ eval("theData=" + data);
++ if (theData.msg != '') {
++ alert(theData.msg);
++ } else {
++ if (op != 'rm') addTag(tag);
++ $('.tagcancel').click();
++ }
++ }
++ }
++
++ // Colours
++ $(document).on('click', '.csave', function() {
++ var obtype = $(this).data('obtype');
++ var object = $(this).data('object');
++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase();
++ var op = "add";
++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/;
++ var OK = re.exec(colour);
++ if (!OK) return;
++ // Single or multiple?
++ if (obtype == "src" || obtype == "dst") {
++ var vr = new Array();
++ $("." + obtype).each(function() {
++ var v = $(this).text();
++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/;
++ var OK = re.exec(v);
++ if (OK) {
++ var t = vr.indexOf(v);
++ if (t < 0) vr.push(v);
++ }
++ });
++ object = vr.toString();
++ }
++
++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op;
++ $(function(){
++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)});
++ });
++
++ function cb22(data){
++ eval("theData=" + data);
++ if (theData.msg != '') {
++ alert(theData.msg);
++ } else { // We should be good..
++ var curObject = $('#pickbox_label').text();
++ if (obtype == "el") {
++ var html = "" + colour;
++ $('#el_' + curObject).html(html);
++ $('#el_' + curObject).data('col', colour);
++ } else {
++ $(".sub_filter:contains(" + curObject + ")").each(function() {
++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour);
++ });
++ }
++ $('.pickbox').fadeOut('fast');
++ }
++ }
++ });
++
++ $(document).on('click', '.pickbox_close', function() {
++ $('.tagcancel').click();
++ $('.pickbox').fadeOut('fast');
++ });
++
++ //
++ // Object History
++ //
++
++ function hItemAdd(item) {
++ var itemTitle = item;
++ // Truncate
++ if (item.length > 33) {
++ itemTitle = item.substring(0,33) + "..";
++ }
++ // Remove empty message
++ $('.history_empty').hide();
++
++ // If the item doesn't exist, add it. Otherwise, we start counting.
++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) {
++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n');
++ var nc = Number(oc) + 1;
++ var bg = '#c9c9c9';
++ var fn = 'normal';
++ if (nc <= 3) {
++ bg = '#000';
++ } else if (nc > 3) {
++ bg = '#cc0000';
++ fn = 'bold';
++ }
++
++ $(".h_item:contains('" + itemTitle + "')").css('color', bg);
++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn);
++ $(".h_item:contains('" + itemTitle + "')").data('n',nc);
++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")");
++ } else {
++ var toAdd = " " + itemTitle + "";
++ $('#h_box').prepend(toAdd);
++ }
++ }
++
++ if (!$('.h_item')[0]) {
++ $('.history_empty').show();
++ }
++
++ // Alt mappings for icons
++
++ $.alt('1', function() {
++ $("#ico01").click();
++ });
++ $.alt('2', function() {
++ $("#ico02").click();
++ });
++ $.alt('3', function() {
++ $("#ico03").click();
++ });
++ $.alt('4', function() {
++ $("#ico05").click();
++ });
++ $.alt('5', function() {
++ $("#ico04").click();
++ });
++
++ //
++ // Event classification
++ //
++
++ // Use function keys to trigger status buttons
++ $(document).keydown(function(event){
++
++ function stopOthers() {
++ event.originalEvent.keyCode = 0;
++ event.preventDefault();
++ event.stopPropagation();
++ }
++
++ switch (event.keyCode) {
++ case 112: stopOthers(); $('#b_class-11').click(); break;
++ case 113: stopOthers(); $('#b_class-12').click(); break;
++ case 114: stopOthers(); $('#b_class-13').click(); break;
++ case 115: stopOthers(); $('#b_class-14').click(); break;
++ case 116: stopOthers(); $('#b_class-15').click(); break;
++ case 117: stopOthers(); $('#b_class-16').click(); break;
++ case 118: stopOthers(); $('#b_class-17').click(); break;
++ case 119: stopOthers(); $('#b_class-1').click(); break;
++ case 120: stopOthers(); $('#b_class-2').click(); break;
++ }
++ });
++
++ // Comment window status buttons
++ $(document).on("click", "#cw_buttons", function(event) {
++ var newclass = $(event.target).data('n');
++ if (newclass == 0) {
++ $('#b_class-' + newclass).click();
++ } else {
++ $('#b_class-' + newclass).click();
++ }
++ });
++
++ // Highlight colour for selected events
++ var hlcol = "#FFFFE0";
++ var hlhov = "#FDFDD6";
++
++ // Individual selects
++ var clickOne = 0, clck1 = 0, clck2 = 0;
++ $(document).on("click", ".chk_event", function(event) {
++ $("#tl3b").trigger('update');
++ var clickTwo = this.id.split("_");
++ if (Number(clickOne[1]) > Number(clickTwo[1])) {
++ clck1 = clickTwo[1];
++ clck2 = clickOne[1];
++ } else {
++ clck1 = clickOne[1];
++ clck2 = clickTwo[1];
++ }
++
++ if (event.shiftKey) {
++ if (clck1 != clck2) {
++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true);
++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol);
++ $("#s" + clck1).nextUntil("#s" + clck2).hover(
++ function(){$(this).css("background-color", hlhov)},
++ function(){$(this).css("background-color", hlcol)});
++ clickOne = 0, clck1 = 0, clck2 = 0;
++ }
++ }
++
++ // Update class_count
++ $("#class_count").html($(".chk_event:checked").length);
++ if ($("#ca1:checked").length > 0) {
++ $("#ca1").prop("checked",false);
++ }
++ clickOne = this.id.split("_");
++
++ if ($(this).prop("checked") == true) {
++ $("#s" + clickTwo[1]).css("background-color", hlcol);
++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)},
++ function(){$(this).css("background-color", hlcol)});
++ } else {
++ $("#s" + clickTwo[1]).css("background-color", "transparent");
++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")},
++ function(){$(this).css("background-color", "transparent")});
++ }
++ });
++
++ // Select all (2)
++ $(document).on("click", "#ca1", function(event) {
++ var chkLen = $("#ca1:checked").length;
++ switch(chkLen) {
++ case 0:
++ $(".chk_event").prop("checked",false);
++ $("#ca0").prop("checked",false);
++ $(".d_row_sub1").css("background-color", "transparent");
++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")},
++ function(){$(this).css("background-color", "transparent")});
++ break;
++ default:
++ $(".chk_event").each(function() {
++ if ($(this).prop("disabled") == false) {
++ $(this).prop("checked",true);
++ }
++ });
++ $(".d_row_sub1").css("background-color", hlcol);
++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)},
++ function(){$(this).css("background-color", hlcol)});
++ $("#ca0").prop("checked",true);
++ break;
++ }
++
++ if ($(".eview_sub1")[0]) {
++ // Update class_count
++ $("#class_count").html($(".chk_event:checked").length);
++ }
++
++ });
++
++ // Select all (2a) - clean this up, the above is almost identical
++ $(document).on("click", "#ca2", function(event) {
++ var chkLen = $("#ca2:checked").length;
++ switch(chkLen) {
++ case 0:
++ $(".chk_event").prop("checked",false);
++ $("#ca2").prop("checked",false);
++ $(".d_row_sub1").css("background-color", "transparent");
++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")},
++ function(){$(this).css("background-color", "transparent")});
++ break;
++ default:
++ $(".chk_event").each(function() {
++ if ($(this).prop("disabled") == false) {
++ $(this).prop("checked",true);
++ }
++ });
++ $(".d_row_sub1").css("background-color", hlcol);
++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)},
++ function(){$(this).css("background-color", hlcol)});
++ $("#ca2").prop("checked",true);
++ break;
++ }
++ // Update class_count
++ $("#class_count").html($(".chk_event:checked").length);
++ });
++
++ // Class button click
++ $(document).on("click", "[id*=\"b_class-\"]", function() {
++ // We only fire if something is selected
++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length);
++ var intclass = $(this).attr('id').split("-");
++ if (chkLen > 0 && intclass[1] != 0) {
++ eClass(this,intclass[1]);
++ }
++ });
++
++ function eClass(caller,intclass) {
++ // The sid.cid values
++ var scid= "", scidlist = "", ecls = 0;
++ if ($(".eview_sub1")[0] || $("#ca2")[0]) {
++ $(".chk_event:checked").each(function() {
++ if ($(this).data('eclass') == 0) {
++ ecls++;
++ }
++ scid += $(this).val() + ",";
++ });
++ scidlist = scid.replace(/,$/, "");
++ } else {
++ ecls = $(".d_row_active").find(".b_ec_hot").text();
++ scidlist = $("#ca0").data("scid");
++ }
++
++ // Was there a message?
++ var msg = "none";
++ if ($(".cat_msg_txt").val().length != 0) {
++ msg = $(".cat_msg_txt").val();
++ }
++
++ if ($('#cat_box').css('display') != 'none') {
++ $('#ico01').click();
++ }
++
++ // We are now ready to class
++ var catdata = intclass + "|||" + msg + "|||" + scidlist;
++ var urArgs = "type=" + 9;
++ $(function(){
++ $.post(".inc/callback.php?" + urArgs, { catdata: catdata } ,function(data){cb9(data)});
++ });
++
++ function cb9(data){
++ eval("catRaw=" + data);
++ catDbg = catRaw.dbg;
++ if (catDbg == "0") {
++
++ var curtotalrtcount = Number(ecls);
++ // Working on grouped events
++ if ($("#gr").text() == "on") {
++ curclasscount = Number($("#class_count").text());
++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text();
++ // Do we have queued events?
++ if (curtotalparentcount > 0) {
++
++ // Are we working on queued events?
++ if (curtotalrtcount > 0) {
++ curclasscount = curtotalrtcount;
++ } else {
++ curclasscount = 0;
++ }
++ // Adjust the parent count
++ newparentcount = parseInt(curtotalparentcount - curclasscount,10);
++ $(".d_row_active").find(".b_ec_hot").text(newparentcount);
++
++ if (newparentcount == 0) {
++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row');
++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold');
++ }
++
++ // If we are working within the child, adjust accordingly
++ if ($(".eview_sub1")[0]) {
++ // How many are in the child
++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text();
++
++ // Adjust the child count
++ newchildcount = parseInt(curtotalchildcount - curclasscount,10);
++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount);
++ if (newchildcount == 0) {
++ $("#ca1").prop("disabled",true);
++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub');
++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold');
++ }
++ // Otherwise we were called from the parent
++ } else {
++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub');
++ $(".d_row_sub").find(".b_ec_hot").text(0);
++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold');
++ $("#ca0").prop("disabled",true);
++ }
++ lastclasscount = newparentcount;
++ }
++
++ // Lastly, update class_count
++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) {
++ $("#class_count").html(0);
++ } else {
++ $("#class_count").html($(".d_row_active").find(".b_ec_total").text());
++ }
++
++ // Working on ungrouped events
++ } else {
++ $("#class_count").html(lastclasscount);
++ }
++
++ // What the new classification is
++ selClass = $(caller).data("cn");
++ newClass = "a_" + selClass;
++
++ // Change visible class and disable if RT
++ // If we are RT ungrouped, we just remove
++ if ($('#rt').text() == 'on' && $("#ca2")[0]) {
++ $(".chk_event:checked").each(function() {
++ var pid = $(this).attr("id").split("_");
++ var nid = parseInt(Number(pid[1]) + 1);
++ // Remove any open payload or TX panes
++ if ($("[id^=eview_]")[0]) {
++ $("[id^=eview_]").remove();
++ $(".d_row_sub1").css('opacity','1');
++ }
++ // Remove the row
++ $("#s" + pid[1]).fadeOut('fast', function() {
++ $("#s" + pid[1]).remove();
++ });
++ });
++
++ // Update table (for sorter)
++ $("#tl3b").trigger('update');
++ } else {
++ // If we are RT and all events are classed we just remove
++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) {
++ $("#active_eview").remove();
++ $(".d_row_active").fadeOut('slow', function (event) {
++ $(".d_row_active").remove();
++ var newsigtotal = "-";
++ var sigtotal = $("#esignature").text();
++ if (sigtotal > 0) {
++ newsigtotal = parseInt(sigtotal - 1);
++ }
++ $("#esignature").text(newsigtotal);
++ });
++ $(".d_row").css('opacity','1');
++ } else {
++ $(".chk_event:checked").each(function() {
++ var n = this.id.split("_");
++ $("#class_box_" + n[1]).attr('class', newClass);
++ $("#class_box_" + n[1]).text(selClass);
++ if (curtotalparentcount > 0) {
++ $(this).prop("disabled",true);
++ }
++ });
++ }
++ $(".d_row_sub1").css("background-color", "#fafafa");
++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")},
++ function(){$(this).css("background-color", "#fafafa")});
++ }
++
++ // Uncheck everything
++ $(".chk_event").prop("checked", false);
++ $(".chk_all").prop("checked", false);
++ // Remove these scids from the L1 scidlist
++ if ($("#ca0")[0] && rtbit == 1) {
++ var cur_scidlist = scidlist.split(',');
++ var active_scidlist = $("#ca0").data("scid");
++ for (var i = 0; i < cur_scidlist.length; i++) {
++ active_scidlist = active_scidlist.replace(cur_scidlist[i],'');
++ }
++ active_scidlist = active_scidlist.replace(/,{2,}/g,',');
++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,'');
++ $("#ca0").data("scid", active_scidlist);
++ }
++ catMsg(scidlist.split(',').length, curtotalrtcount);
++ } else {
++ catMsg(0);
++ }
++ }
++ }
++
++ function catMsg(count, rtcount) {
++ switch (count) {
++ default:
++ var ess = '';
++ if ( count > 1 ) ess = 's';
++
++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length);
++ var newboxtotal = 0, newcatcount = 0;
++ newboxtotal = parseInt($("#qtotal").text() - rtcount);
++ $("#qtotal").text(newboxtotal);
++
++ // If we are just rt update Total boxes as we go
++ if ($("#ca2")[0]) { // We are ungrouped
++ newcatcount = parseInt($("#cat_count").text() - count);
++ if (newcatcount == 0) {
++ newView("u");
++ } else {
++ $("#cat_count").text(newcatcount);
++ }
++ }
++
++ if (numrows == 0) {
++ newView("u");
++ }
++
++ var msg = count + " event" + ess + " categorized";
++ clearTags();
++ break;
++ }
++
++ $("span.class_msg").text(msg);
++ $("span.class_msg").fadeIn('slow', function() {
++ setTimeout(function(){
++ $(".class_msg").fadeOut('slow');
++ }, 3000);
++ });
++ }
++
++ // Load summary tab
++ function loadSummary() {
++ var limit = 10;
++ if ($('#wm0')[0]) {
++ doMap("redraw");
++ } else {
++ doMap("draw");
++ }
++ mkSummary("signature",limit);
++ mkSummary("srcip",limit);
++ mkSummary("dstip",limit);
++ mkSummary("srcpt",limit);
++ mkSummary("dstpt",limit);
++ mkSummary("srccc",limit);
++ mkSummary("dstcc",limit);
++ }
++
++ // Toggle summary section
++ $(document).on("click", ".hidepane", function(e) {
++ $('#topsignature').toggle();
++ });
++
++ // Summary tab
++ function mkSummary(box,limit) {
++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); ++ $(".ev_py").append(tbl); ++ } ++ } else { ++ return; ++ } ++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); ++ $("#loader").hide(); ++ } ++ } ++// The End. ++}); +--- /dev/null ++++ securityonion-squert-20161212/.auth/sso/squert/login.php +@@ -0,0 +1,141 @@ ++ ++// ++// This program is free software: you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation, either version 3 of the License, or ++// (at your option) any later version. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License ++// along with this program. If not, see . ++// ++// ++ ++include_once '.inc/config.php'; ++ ++$username = $password = $err = ''; ++$focus = 'username'; ++session_set_cookie_params(0, NULL, NULL, NULL, TRUE); ++ ++function cleanUp($string) { ++ if (get_magic_quotes_gpc()) { ++ $string = stripslashes($string); ++ } ++ $string = mysql_real_escape_string($string); ++ return $string; ++} ++ ++//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ ++ //$username = $_REQUEST['username']; ++ //$password = $_REQUEST['password']; ++ $username = $_SERVER['PHP_AUTH_USER']; ++ $password = $_SERVER['PHP_AUTH_PW']; ++ ++ $ua = $_SERVER['HTTP_USER_AGENT']; ++ $rqt = $_SERVER['REQUEST_TIME']; ++ $rqaddr = $_SERVER['REMOTE_ADDR']; ++ $max = mt_getrandmax(); ++ $rqt .= mt_rand(0,$max); ++ $rqaddr .= mt_rand(0,$max); ++ $ua .= mt_rand(0,$max); ++ $cmpid = $rqt . $rqaddr . 
$ua;
++ $id = md5($cmpid);
++ $db = mysql_connect($dbHost,$dbUser,$dbPass);
++ $link = mysql_select_db($dbName, $db);
++ if ($link) {
++ $user = cleanUp($username);
++ $query = "SELECT * FROM user_info WHERE username = '$user'";
++ $result = mysql_query($query);
++ $numRows = mysql_num_rows($result);
++
++ if ($numRows > 0) {
++ while ($row = mysql_fetch_row($result)) {
++ $userName = $row[1];
++ $lastLogin = $row[2];
++ $userHash = $row[3];
++ $userEmail = $row[4];
++ $userType = $row[5];
++ $userTime = $row[6];
++ $tzoffset = $row[7];
++ }
++ // The first 2 chars are the salt
++ $theSalt = substr($userHash, 0,2);
++
++ // The remainder is the hash
++ $theHash = substr($userHash, 2);
++
++ // Now we hash the users input
++ $testHash = sha1($password . $theSalt);
++
++ // Does it match? If yes, start the session.
++ if ($testHash === $theHash) {
++ session_start();
++
++ // Protect against session fixation attack
++ if (!isset($_SESSION['initiated'])) {
++ session_regenerate_id();
++ $_SESSION['initiated'] = true;
++ }
++
++ $_SESSION['sLogin'] = 1;
++ $_SESSION['sUser'] = $userName;
++ $_SESSION['sPass'] = $password;
++ $_SESSION['sEmail'] = $userEmail;
++ $_SESSION['sType'] = $userType;
++ $_SESSION['sTime'] = $userTime;
++ $_SESSION['tzoffset'] = $tzoffset;
++ $_SESSION['sTab'] = 't_sum';
++ $_SESSION['id'] = $id;
++
++ header ("Location: index.php?id=$id");
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'Connection Failed';
++ }
++//}
++?>
++
++
++
++Please login to continue
++
++
++
++
++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.6.4©2016 Paul Halliday
++
++
++ ++ ++ +--- securityonion-squert-20161212.orig/.auth/sso/squertMain.js ++++ /dev/null +@@ -1,3276 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- } else { +- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); +- rtbit = 
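Review bot: `$_SESSION['sPass'] = $password;` in the new login.php keeps the user's cleartext password in server-side session storage for the whole session; nothing in this hunk reads it back, so the line should go, and if a later page needs to re-authenticate it should work from a derived value rather than the password itself. The success path `header ("Location: index.php?id=$id");` is not followed by `exit;`, so the login form further down is still rendered after the redirect header is sent; add `exit;` directly after it. The lookup `"SELECT * FROM user_info WHERE username = '$user'"` depends on `mysql_real_escape_string()` in `cleanUp()` and on the `mysql_*` extension (deprecated and removed in PHP 7); a mysqli/PDO prepared statement with `username` bound as a parameter removes both the escaping dependency and the `get_magic_quotes_gpc()` branch. The credential check itself is worth an inline note, `// TODO: migrate stored hashes from 2-char-salt sha1() to password_hash()/password_verify() and compare with hash_equals()`, and `$id`, built from `md5()` over `mt_rand()` values, should come from `random_bytes()` if it is relied on as a secret, which its use in the redirect URL and `$_SESSION['id']` suggests but the hunk does not confirm. `session_set_cookie_params(0, NULL, NULL, NULL, TRUE)` sets HttpOnly but leaves the secure flag unset; when the app is served over TLS the fourth argument should be `TRUE` as well.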
0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. +- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = $(this).attr('class').split("_"); +- var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + 
tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- } +- +- $('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" 
+ urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); +- $('.content-right').css("width","100%"); +- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- 
$('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- //$.get("/logout.html", function(){location.reload()}); +- location.replace("/logout.html"); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and 
show checkbox +- $(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); +- $(".ev_py").append(tbl); +- } +- } else { +- return; +- } +- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); +- $("#loader").hide(); +- } +- } +-// The End. +-}); diff --git a/debian/patches/migrate-login.php-to-prepared-statements b/debian/patches/migrate-login.php-to-prepared-statements new file mode 100644 index 0000000..37db050 --- /dev/null +++ b/debian/patches/migrate-login.php-to-prepared-statements 
@@ -0,0 +1,150 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-squert (20161212-1ubuntu1securityonion26) trusty; urgency=medium
+ .
+ * migrate login.php to prepared statements
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-squert-20161212.orig/auth/native/squert/login.php
++++ securityonion-squert-20161212/auth/native/squert/login.php
+@@ -36,6 +36,10 @@ function cleanUp($string) {
+ if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+ $username = $_REQUEST['username'];
+ $password = $_REQUEST['password'];
++ // sso
++ //$username = $_SERVER['PHP_AUTH_USER'];
++ //$password = $_SERVER['PHP_AUTH_PW'];
++
+ $ua = $_SERVER['HTTP_USER_AGENT'];
+ $rqt = $_SERVER['REQUEST_TIME'];
+ $rqaddr = $_SERVER['REMOTE_ADDR'];
+@@ -45,16 +49,29 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST'
+ $ua .= mt_rand(0,$max);
+ $cmpid = $rqt . $rqaddr . $ua;
+ $id = md5($cmpid);
+- $db = mysql_connect($dbHost,$dbUser,$dbPass);
+- $link = mysql_select_db($dbName, $db);
+- if ($link) {
+- $user = cleanUp($username);
+- $query = "SELECT * FROM user_info WHERE username = '$user'";
+- $result = mysql_query($query);
+- $numRows = mysql_num_rows($result);
++ // PDO prepared statements
++ try {
++ // first connect to database with the PDO object.
++ $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [
++ PDO::ATTR_EMULATE_PREPARES => false,
++ PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false,
++ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
++ ]);
++ } catch(PDOException $e){
++ // if connection fails, log PDO error.
++ error_log("Error connecting to mysql: ". $e->getMessage());
++ }
+
+- if ($numRows > 0) {
+- while ($row = mysql_fetch_row($result)) {
++ if (isset($dbpdo)) {
++ // prepare statement
++ $statement = "SELECT * FROM user_info WHERE username = :user";
++ $query = $dbpdo->prepare("$statement");
++ // build parameters for prepared statement
++ $params = [":user" => "$username"];
++ // execute the prepared statement and pass it params
++ $query->execute($params);
++ // fetch the data
++ while ($row = $query->fetch(PDO::FETCH_NUM)) {
+ $userName = $row[1];
+ $lastLogin = $row[2];
+ $userHash = $row[3];
+@@ -62,7 +79,10 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST'
+ $userType = $row[5];
+ $userTime = $row[6];
+ $tzoffset = $row[7];
+- }
++ }
++
++ // if $username was found in database, then check password
++ if ( isset($userName) && $username == $userName) {
+ // The first 2 chars are the salt
+ $theSalt = substr($userHash, 0,2);
+
+--- securityonion-squert-20161212.orig/auth/sso/squert/login.php
++++ securityonion-squert-20161212/auth/sso/squert/login.php
+@@ -36,6 +36,7 @@ function cleanUp($string) {
+ //if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+ //$username = $_REQUEST['username'];
+ //$password = $_REQUEST['password'];
++ // sso
+ $username = $_SERVER['PHP_AUTH_USER'];
+ $password = $_SERVER['PHP_AUTH_PW'];
+
+@@ -48,16 +49,29 @@ function cleanUp($string) {
+ $ua .= mt_rand(0,$max);
+ $cmpid = $rqt . $rqaddr . $ua;
+ $id = md5($cmpid);
+- $db = mysql_connect($dbHost,$dbUser,$dbPass);
+- $link = mysql_select_db($dbName, $db);
+- if ($link) {
+- $user = cleanUp($username);
+- $query = "SELECT * FROM user_info WHERE username = '$user'";
+- $result = mysql_query($query);
+- $numRows = mysql_num_rows($result);
++ // PDO prepared statements
++ try {
++ // first connect to database with the PDO object.
++ $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [
++ PDO::ATTR_EMULATE_PREPARES => false,
++ PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false,
++ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
++ ]);
++ } catch(PDOException $e){
++ // if connection fails, log PDO error.
++ error_log("Error connecting to mysql: ". $e->getMessage());
++ }
+
+- if ($numRows > 0) {
+- while ($row = mysql_fetch_row($result)) {
++ if (isset($dbpdo)) {
++ // prepare statement
++ $statement = "SELECT * FROM user_info WHERE username = :user";
++ $query = $dbpdo->prepare("$statement");
++ // build parameters for prepared statement
++ $params = [":user" => "$username"];
++ // execute the prepared statement and pass it params
++ $query->execute($params);
++ // fetch the data
++ while ($row = $query->fetch(PDO::FETCH_NUM)) {
+ $userName = $row[1];
+ $lastLogin = $row[2];
+ $userHash = $row[3];
+@@ -65,7 +79,10 @@ function cleanUp($string) {
+ $userType = $row[5];
+ $userTime = $row[6];
+ $tzoffset = $row[7];
+- }
++ }
++
++ // if $username was found in database, then check password
++ if ( isset($userName) && $username == $userName) {
+ // The first 2 chars are the salt
+ $theSalt = substr($userHash, 0,2);
+
diff --git a/debian/patches/move-auth-to-optsquert b/debian/patches/move-auth-to-optsquert
new file mode 100644
index 0000000..4d0f247
--- /dev/null
+++ b/debian/patches/move-auth-to-optsquert
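Review bot: The new guard `if ( isset($userName) && $username == $userName) {` compares a request-controlled string with loose `==`, under which numeric-looking strings compare numerically (`'1e2' == '100'`), so it should read `if (isset($userName) && $username === $userName) {` to keep the byte-exact recheck that the presumably collation-insensitive `username = :user` lookup needs. `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` is set, but the `prepare()`, `execute()` and `fetch()` calls sit outside the `try`, so a query failure surfaces as an uncaught PDOException (a fatal error instead of the logged path the connect failure gets); either extend the `try` around the statement work or add a second `catch (PDOException $e)` that calls `error_log()` as the connect branch does. The three commented-out `// sso` lines added to auth/native/squert/login.php are dead code and could be dropped. Both points apply equally to the duplicated block for auth/sso/squert/login.php later in the same patch file, and the enclosing `if ($_SERVER['REQUEST_METHOD'] == 'POST')` body continues outside the hunk.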
@@ -0,0 +1,13709 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion21) trusty; urgency=medium + . + * move auth files to /opt/squert +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.auth/native/squert/.js/squertMain.js ++++ /dev/null +@@ -1,3275 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", 
"#fafafa"); +- } +- } else { +- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); +- rtbit = 0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + 
"&ts=" + theWhen + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. +- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = 
$(this).attr('class').split("_"); +- var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- 
$('.db_links').hide(); +- break; +- } +- +- $('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" + urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); 
+- $('.content-right').css("width","100%"); +- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- $('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- $.get("index.php?id=0", function(){location.reload()}); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and show checkbox +- 
$(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); +- $(".ev_py").append(tbl); +- } +- } else { +- return; +- } +- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); +- $("#loader").hide(); +- } +- } +-// The End. +-}); +--- securityonion-squert-20161212.orig/.auth/native/squert/login.php ++++ /dev/null +@@ -1,138 +0,0 @@ +- +-// +-// This program is free software: you can redistribute it and/or modify +-// it under the terms of the GNU General Public License as published by +-// the Free Software Foundation, either version 3 of the License, or +-// (at your option) any later version. +-// +-// This program is distributed in the hope that it will be useful, +-// but WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-// GNU General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License +-// along with this program. If not, see . +-// +-// +- +-include_once '.inc/config.php'; +- +-$username = $password = $err = ''; +-$focus = 'username'; +-session_set_cookie_params(0, NULL, NULL, NULL, TRUE); +- +-function cleanUp($string) { +- if (get_magic_quotes_gpc()) { +- $string = stripslashes($string); +- } +- $string = mysql_real_escape_string($string); +- return $string; +-} +- +-if ($_SERVER['REQUEST_METHOD'] == 'POST'){ +- $username = $_REQUEST['username']; +- $password = $_REQUEST['password']; +- $ua = $_SERVER['HTTP_USER_AGENT']; +- $rqt = $_SERVER['REQUEST_TIME']; +- $rqaddr = $_SERVER['REMOTE_ADDR']; +- $max = mt_getrandmax(); +- $rqt .= mt_rand(0,$max); +- $rqaddr .= mt_rand(0,$max); +- $ua .= mt_rand(0,$max); +- $cmpid = $rqt . $rqaddr . 
$ua; +- $id = md5($cmpid); +- $db = mysql_connect($dbHost,$dbUser,$dbPass); +- $link = mysql_select_db($dbName, $db); +- if ($link) { +- $user = cleanUp($username); +- $query = "SELECT * FROM user_info WHERE username = '$user'"; +- $result = mysql_query($query); +- $numRows = mysql_num_rows($result); +- +- if ($numRows > 0) { +- while ($row = mysql_fetch_row($result)) { +- $userName = $row[1]; +- $lastLogin = $row[2]; +- $userHash = $row[3]; +- $userEmail = $row[4]; +- $userType = $row[5]; +- $userTime = $row[6]; +- $tzoffset = $row[7]; +- } +- // The first 2 chars are the salt +- $theSalt = substr($userHash, 0,2); +- +- // The remainder is the hash +- $theHash = substr($userHash, 2); +- +- // Now we hash the users input +- $testHash = sha1($password . $theSalt); +- +- // Does it match? If yes, start the session. +- if ($testHash === $theHash) { +- session_start(); +- +- // Protect against session fixation attack +- if (!isset($_SESSION['initiated'])) { +- session_regenerate_id(); +- $_SESSION['initiated'] = true; +- } +- +- $_SESSION['sLogin'] = 1; +- $_SESSION['sUser'] = $userName; +- $_SESSION['sPass'] = $password; +- $_SESSION['sEmail'] = $userEmail; +- $_SESSION['sType'] = $userType; +- $_SESSION['sTime'] = $userTime; +- $_SESSION['tzoffset'] = $tzoffset; +- $_SESSION['sTab'] = 't_sum'; +- $_SESSION['id'] = $id; +- +- header ("Location: index.php?id=$id"); +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'Connection Failed'; +- } +-} +-?> +- +- +- +-Please login to continue +- +- +- +- +-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.6.7©2016 Paul Halliday
+-
+-
+- +- +- +--- securityonion-squert-20161212.orig/.auth/sso/squert/.js/squertMain.js ++++ /dev/null +@@ -1,3276 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- } else { +- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); 
+- rtbit = 0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. +- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = $(this).attr('class').split("_"); +- var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + 
tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- } +- +- $('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" 
+ urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); +- $('.content-right').css("width","100%"); +- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- 
$('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- //$.get("/logout.html", function(){location.reload()}); +- location.replace("/logout.html"); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and 
show checkbox +- $(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); +- $(".ev_py").append(tbl); +- } +- } else { +- return; +- } +- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); +- $("#loader").hide(); +- } +- } +-// The End. +-}); +--- securityonion-squert-20161212.orig/.auth/sso/squert/login.php ++++ /dev/null +@@ -1,141 +0,0 @@ +- +-// +-// This program is free software: you can redistribute it and/or modify +-// it under the terms of the GNU General Public License as published by +-// the Free Software Foundation, either version 3 of the License, or +-// (at your option) any later version. +-// +-// This program is distributed in the hope that it will be useful, +-// but WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-// GNU General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License +-// along with this program. If not, see . +-// +-// +- +-include_once '.inc/config.php'; +- +-$username = $password = $err = ''; +-$focus = 'username'; +-session_set_cookie_params(0, NULL, NULL, NULL, TRUE); +- +-function cleanUp($string) { +- if (get_magic_quotes_gpc()) { +- $string = stripslashes($string); +- } +- $string = mysql_real_escape_string($string); +- return $string; +-} +- +-//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ +- //$username = $_REQUEST['username']; +- //$password = $_REQUEST['password']; +- $username = $_SERVER['PHP_AUTH_USER']; +- $password = $_SERVER['PHP_AUTH_PW']; +- +- $ua = $_SERVER['HTTP_USER_AGENT']; +- $rqt = $_SERVER['REQUEST_TIME']; +- $rqaddr = $_SERVER['REMOTE_ADDR']; +- $max = mt_getrandmax(); +- $rqt .= mt_rand(0,$max); +- $rqaddr .= mt_rand(0,$max); +- $ua .= mt_rand(0,$max); +- $cmpid = $rqt . $rqaddr . 
$ua; +- $id = md5($cmpid); +- $db = mysql_connect($dbHost,$dbUser,$dbPass); +- $link = mysql_select_db($dbName, $db); +- if ($link) { +- $user = cleanUp($username); +- $query = "SELECT * FROM user_info WHERE username = '$user'"; +- $result = mysql_query($query); +- $numRows = mysql_num_rows($result); +- +- if ($numRows > 0) { +- while ($row = mysql_fetch_row($result)) { +- $userName = $row[1]; +- $lastLogin = $row[2]; +- $userHash = $row[3]; +- $userEmail = $row[4]; +- $userType = $row[5]; +- $userTime = $row[6]; +- $tzoffset = $row[7]; +- } +- // The first 2 chars are the salt +- $theSalt = substr($userHash, 0,2); +- +- // The remainder is the hash +- $theHash = substr($userHash, 2); +- +- // Now we hash the users input +- $testHash = sha1($password . $theSalt); +- +- // Does it match? If yes, start the session. +- if ($testHash === $theHash) { +- session_start(); +- +- // Protect against session fixation attack +- if (!isset($_SESSION['initiated'])) { +- session_regenerate_id(); +- $_SESSION['initiated'] = true; +- } +- +- $_SESSION['sLogin'] = 1; +- $_SESSION['sUser'] = $userName; +- $_SESSION['sPass'] = $password; +- $_SESSION['sEmail'] = $userEmail; +- $_SESSION['sType'] = $userType; +- $_SESSION['sTime'] = $userTime; +- $_SESSION['tzoffset'] = $tzoffset; +- $_SESSION['sTab'] = 't_sum'; +- $_SESSION['id'] = $id; +- +- header ("Location: index.php?id=$id"); +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'Connection Failed'; +- } +-//} +-?> +- +- +- +-Please login to continue +- +- +- +- +-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.6.4©2016 Paul Halliday
+-
+-
+- +- +- +--- /dev/null ++++ securityonion-squert-20161212/auth/native/squert/.js/squertMain.js +@@ -0,0 +1,3275 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ 
rtbit = 0; ++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = $(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + 
tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ } ++ ++ $('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" 
+ urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); ++ $('.content-right').css("width","100%"); ++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ 
$('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ $.get("index.php?id=0", function(){location.reload()}); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and show checkbox ++ 
$(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
";
++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove();
++ $(".ev_py").append(tbl);
++ }
++ } else {
++ return;
++ }
++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow');
++ $("#loader").hide();
++ }
++ }
++// The End.
++});
+--- /dev/null
++++ securityonion-squert-20161212/auth/native/squert/login.php
+@@ -0,0 +1,138 @@
++
++//
++// This program is free software: you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation, either version 3 of the License, or
++// (at your option) any later version.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License
++// along with this program. If not, see .
++//
++//
++
++include_once '.inc/config.php';
++
++$username = $password = $err = '';
++$focus = 'username';
++session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
++
++function cleanUp($string) {
++ if (get_magic_quotes_gpc()) {
++ $string = stripslashes($string);
++ }
++ $string = mysql_real_escape_string($string);
++ return $string;
++}
++
++if ($_SERVER['REQUEST_METHOD'] == 'POST'){
++ $username = $_REQUEST['username'];
++ $password = $_REQUEST['password'];
++ $ua = $_SERVER['HTTP_USER_AGENT'];
++ $rqt = $_SERVER['REQUEST_TIME'];
++ $rqaddr = $_SERVER['REMOTE_ADDR'];
++ $max = mt_getrandmax();
++ $rqt .= mt_rand(0,$max);
++ $rqaddr .= mt_rand(0,$max);
++ $ua .= mt_rand(0,$max);
++ $cmpid = $rqt . $rqaddr . $ua;
++ $id = md5($cmpid);
++ $db = mysql_connect($dbHost,$dbUser,$dbPass);
++ $link = mysql_select_db($dbName, $db);
++ if ($link) {
++ $user = cleanUp($username);
++ $query = "SELECT * FROM user_info WHERE username = '$user'";
++ $result = mysql_query($query);
++ $numRows = mysql_num_rows($result);
++
++ if ($numRows > 0) {
++ while ($row = mysql_fetch_row($result)) {
++ $userName = $row[1];
++ $lastLogin = $row[2];
++ $userHash = $row[3];
++ $userEmail = $row[4];
++ $userType = $row[5];
++ $userTime = $row[6];
++ $tzoffset = $row[7];
++ }
++ // The first 2 chars are the salt
++ $theSalt = substr($userHash, 0,2);
++
++ // The remainder is the hash
++ $theHash = substr($userHash, 2);
++
++ // Now we hash the users input
++ $testHash = sha1($password . $theSalt);
++
++ // Does it match? If yes, start the session.
++ if ($testHash === $theHash) {
++ session_start();
++
++ // Protect against session fixation attack
++ if (!isset($_SESSION['initiated'])) {
++ session_regenerate_id();
++ $_SESSION['initiated'] = true;
++ }
++
++ $_SESSION['sLogin'] = 1;
++ $_SESSION['sUser'] = $userName;
++ $_SESSION['sPass'] = $password;
++ $_SESSION['sEmail'] = $userEmail;
++ $_SESSION['sType'] = $userType;
++ $_SESSION['sTime'] = $userTime;
++ $_SESSION['tzoffset'] = $tzoffset;
++ $_SESSION['sTab'] = 't_sum';
++ $_SESSION['id'] = $id;
++
++ header ("Location: index.php?id=$id");
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'Connection Failed';
++ }
++}
++?>
++
++
++
++Please login to continue
++
++
++
++
++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.6.7©2016 Paul Halliday
++
++
++ ++ ++ +--- /dev/null ++++ securityonion-squert-20161212/auth/sso/squert/.js/squertMain.js +@@ -0,0 +1,3276 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ 
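Review bot: The success path in the new login.php sends `header ("Location: index.php?id=$id");` but never stops the script, so execution falls through to the login form below and renders it on top of the redirect response; add `exit;` immediately after the header() call. The cleartext password is also copied into the session (`$_SESSION['sPass'] = $password;`), which puts the secret into server-side session storage for the lifetime of the session — drop that assignment unless a later page can be shown to read it, and keep only the identity fields. The credential check `if ($testHash === $theHash)` compares the salted sha1 with an ordinary string comparison; `hash_equals($theHash, $testHash)` is the constant-time form, and the 2-character salt plus sha1 scheme would be better served by `password_hash()`/`password_verify()`, which also changes the stored format and so needs a migration note. Separately, `mysql_*` and `get_magic_quotes_gpc()` were removed in PHP 7 and PHP 8 respectively, so this file only runs under PHP 5; a comment at the top of the file stating that constraint would save the next maintainer a fatal error.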
rtbit = 0; ++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = $(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + 
tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ } ++ ++ $('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" 
+ urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); ++ $('.content-right').css("width","100%"); ++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ 
$('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ //$.get("/logout.html", function(){location.reload()}); ++ location.replace("/logout.html"); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and 
show checkbox ++ $(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); ++ $(".ev_py").append(tbl); ++ } ++ } else { ++ return; ++ } ++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); ++ $("#loader").hide(); ++ } ++ } ++// The End. ++}); +--- /dev/null ++++ securityonion-squert-20161212/auth/sso/squert/login.php +@@ -0,0 +1,141 @@ ++ ++// ++// This program is free software: you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation, either version 3 of the License, or ++// (at your option) any later version. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License ++// along with this program. If not, see . ++// ++// ++ ++include_once '.inc/config.php'; ++ ++$username = $password = $err = ''; ++$focus = 'username'; ++session_set_cookie_params(0, NULL, NULL, NULL, TRUE); ++ ++function cleanUp($string) { ++ if (get_magic_quotes_gpc()) { ++ $string = stripslashes($string); ++ } ++ $string = mysql_real_escape_string($string); ++ return $string; ++} ++ ++//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ ++ //$username = $_REQUEST['username']; ++ //$password = $_REQUEST['password']; ++ $username = $_SERVER['PHP_AUTH_USER']; ++ $password = $_SERVER['PHP_AUTH_PW']; ++ ++ $ua = $_SERVER['HTTP_USER_AGENT']; ++ $rqt = $_SERVER['REQUEST_TIME']; ++ $rqaddr = $_SERVER['REMOTE_ADDR']; ++ $max = mt_getrandmax(); ++ $rqt .= mt_rand(0,$max); ++ $rqaddr .= mt_rand(0,$max); ++ $ua .= mt_rand(0,$max); ++ $cmpid = $rqt . $rqaddr . 
$ua; ++ $id = md5($cmpid); ++ $db = mysql_connect($dbHost,$dbUser,$dbPass); ++ $link = mysql_select_db($dbName, $db); ++ if ($link) { ++ $user = cleanUp($username); ++ $query = "SELECT * FROM user_info WHERE username = '$user'"; ++ $result = mysql_query($query); ++ $numRows = mysql_num_rows($result); ++ ++ if ($numRows > 0) { ++ while ($row = mysql_fetch_row($result)) { ++ $userName = $row[1]; ++ $lastLogin = $row[2]; ++ $userHash = $row[3]; ++ $userEmail = $row[4]; ++ $userType = $row[5]; ++ $userTime = $row[6]; ++ $tzoffset = $row[7]; ++ } ++ // The first 2 chars are the salt ++ $theSalt = substr($userHash, 0,2); ++ ++ // The remainder is the hash ++ $theHash = substr($userHash, 2); ++ ++ // Now we hash the users input ++ $testHash = sha1($password . $theSalt); ++ ++ // Does it match? If yes, start the session. ++ if ($testHash === $theHash) { ++ session_start(); ++ ++ // Protect against session fixation attack ++ if (!isset($_SESSION['initiated'])) { ++ session_regenerate_id(); ++ $_SESSION['initiated'] = true; ++ } ++ ++ $_SESSION['sLogin'] = 1; ++ $_SESSION['sUser'] = $userName; ++ $_SESSION['sPass'] = $password; ++ $_SESSION['sEmail'] = $userEmail; ++ $_SESSION['sType'] = $userType; ++ $_SESSION['sTime'] = $userTime; ++ $_SESSION['tzoffset'] = $tzoffset; ++ $_SESSION['sTab'] = 't_sum'; ++ $_SESSION['id'] = $id; ++ ++ header ("Location: index.php?id=$id"); ++ } else { ++ $err = 'The user name or password is incorrect.'; ++ $focus = 'username'; ++ } ++ } else { ++ $err = 'The user name or password is incorrect.'; ++ $focus = 'username'; ++ } ++ } else { ++ $err = 'Connection Failed'; ++ } ++//} ++?> ++ ++ ++ ++Please login to continue ++ ++ ++ ++ ++
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.6.4©2016 Paul Halliday
++
++
++ ++ ++ diff --git a/debian/patches/series b/debian/patches/series index 7434cb0..2cac8e4 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -15,3 +15,11 @@ Squert:-comment-search-not-working-#1119 fix-error-in-times-function improve-input-validation-and-output-filtering merge-and-adjust-comment +improve-calls-to-clicat +improve-postinst +move-auth-to-optsquert +set-version-to-1.7.0 +begin-transition-to-pdo-prepared-statements +improve-callback.php-and-grant-permission-to-autocat-table +allow-pivot-to-elsa-or-elastic +migrate-login.php-to-prepared-statements diff --git a/debian/patches/set-version-to-1.7.0 b/debian/patches/set-version-to-1.7.0 new file mode 100644 index 0000000..7a859f4 --- /dev/null +++ b/debian/patches/set-version-to-1.7.0 @@ -0,0 +1,47 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion22) trusty; urgency=medium + . + * set version to 1.7.0 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/auth/native/squert/login.php ++++ securityonion-squert-20161212/auth/native/squert/login.php +@@ -130,7 +130,7 @@ Password
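Review bot: `$_SESSION['sPass'] = $password;` in the success branch of the nested login.php keeps the cleartext password in the server-side session for its whole lifetime, and nothing else in this file needs it once `$testHash === $theHash` has passed, so the line should be dropped; `header ("Location: index.php?id=$id");` also needs an `exit;` after it, since otherwise the login form below is still rendered into the redirect response. `session_regenerate_id();` could pass `true` so the pre-authentication session data is deleted rather than left behind. The `mysql_*` calls and the string-built `SELECT * FROM user_info WHERE username = '$user'` are not raised here because `migrate-login.php-to-prepared-statements` later in the series appears to address them. This is a patch nested inside a debian/patches file, so the comments apply to the packaged copy of auth/sso/squert/login.php.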
+

+ + +-
Version 1.6.7©2016 Paul Halliday
++
Version 1.7.0©2016 Paul Halliday
+ + + +--- securityonion-squert-20161212.orig/auth/sso/squert/login.php ++++ securityonion-squert-20161212/auth/sso/squert/login.php +@@ -133,7 +133,7 @@ Password
+

+ + +-
Version 1.6.4©2016 Paul Halliday
++
Version 1.7.0©2016 Paul Halliday
+ + + diff --git a/debian/postinst b/debian/postinst index 7758897..c3d28d0 100644 --- a/debian/postinst +++ b/debian/postinst @@ -19,27 +19,24 @@ case "$1" in fi fi - # Originally, Squert had its own authentication. - # We've moved to SSO for the Elastic integration. - # Two files need to be updated for Squert or SSO auth: - LOGIN="/var/www/so/squert/login.php" - JS="/var/www/so/squert/.js/squertMain.js" - # Default to Squert auth. - # If SSO is configured, copy SSO files. - # Otherwise, copy Squert auth files. - FROM="/var/www/so/squert/.auth/squert" - if ! [ -f ${LOGIN} ]; then - echo "${LOGIN} does not exist. Configuring for Squert authentication." + # Squert has its own native authentication, but we're moving to SSO for the Elastic integration. + # If Apache is configured for SSO, then configure Squert for SSO. + # Otherwise, configure Squert for native authentication. + AUTH="native" + SO="/var/www/so/" + SQUERT="${SO}/squert" + CONF="/etc/apache2/sites-enabled/securityonion.conf" + if ! [ -f ${CONF} ]; then + echo "${CONF} does not exist. Configuring for Squert authentication." else - if grep -q PHP_AUTH_USER ${LOGIN} ; then - echo "${LOGIN} is configured for SSO authentication. Updating SSO auth files." - FROM="/var/www/so/squert/.auth/sso" + if grep -q "" ${CONF} ; then + echo "${CONF} is configured for SSO authentication. Updating SSO auth files." + AUTH="sso" else - echo "${LOGIN} is configured for Squert authentication. Updating Squert auth files." + echo "${CONF} is configured for Squert authentication. Updating Squert auth files." fi fi - cp ${FROM}/login.php ${LOGIN} || echo "Error copying ${FROM}/login.php to ${LOGIN}." - cp ${FROM}/squertMain.js ${JS} || echo "Error copying ${FROM}/squertMain.js to ${JS}." + cp -av /opt/squert/auth/${AUTH}/squert ${SO} || echo "Error copying from /opt/squert/auth/${AUTH}/squert to ${SO}." apache2ctl restart || echo "Error restarting Apache." From f0bd9bb9294e0eda09644530ddc3ae409fbda656 Mon Sep 17 00:00:00 2001 
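Review bot: `if grep -q "" ${CONF} ; then` is the line that decides between native and SSO auth, and as rendered here its pattern is empty, which matches any non-empty file and would set `AUTH="sso"` on every host that has the conf; if the real pattern is an angle-bracketed Apache directive that the extraction dropped, a fixed-string match (`grep -qF`) is still preferable so the directive is not interpreted as a regex. `SQUERT="${SO}/squert"` is assigned but never used in the hunk, and because `SO` already ends in a slash the paths it builds contain `//`; `SO="/var/www/so"` with the variables quoted (`"${CONF}"`, `"${SO}"`) would be cleaner. The `case "$1" in` that encloses this block starts outside the hunk.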
From: doug Date: Thu, 8 Feb 2018 19:49:33 -0500 Subject: [PATCH 27/34] add row for Bro agent --- .inc/callback.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.inc/callback.php b/.inc/callback.php index e93e945..80c151d 100644 --- a/.inc/callback.php +++ b/.inc/callback.php @@ -619,6 +619,8 @@ function payload() { $row = $query->fetchall(PDO::FETCH_ASSOC); if (array_key_exists(0, $row)) { $rows[] = $row[0]; + // Add the row again for Bro agent + $rows[] = $row[0]; } $theJSON = json_encode($rows); echo $theJSON; From 406f1e9cded21d73c4556876436c1ca1b998ac7c Mon Sep 17 00:00:00 2001 From: doug Date: Fri, 9 Feb 2018 06:13:08 -0500 Subject: [PATCH 28/34] version 1.7.1 --- auth/native/squert/login.php | 2 +- auth/sso/squert/login.php | 2 +- debian/changelog | 6 +++++ debian/patches/add-row-for-Bro-agent | 36 ++++++++++++++++++++++++++++ debian/patches/series | 1 + 5 files changed, 45 insertions(+), 2 deletions(-) create mode 100644 debian/patches/add-row-for-Bro-agent diff --git a/auth/native/squert/login.php b/auth/native/squert/login.php index 7de8547..89aedee 100644 --- a/auth/native/squert/login.php +++ b/auth/native/squert/login.php @@ -150,7 +150,7 @@ function cleanUp($string) {
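Review bot: The added comment `// Add the row again for Bro agent` says what the line does but not why `payload()` must return the same row twice, so a later reader cannot tell whether the duplicate is a front-end contract or a temporary workaround. Suggest a comment that names the consumer and the reason, along the lines of `// <consumer> expects one payload entry per agent type; the Bro agent reuses the same row — remove once <consumer> is adjusted` with the placeholders filled in. If the consumer actually distinguishes entries by some field, a copy with that field changed would be clearer than an identical second element. `payload()` starts outside the hunk.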

-
Version 1.7.0©2016 Paul Halliday
+
Version 1.7.1©2016 Paul Halliday
diff --git a/auth/sso/squert/login.php b/auth/sso/squert/login.php index 83d6042..5e3d620 100644 --- a/auth/sso/squert/login.php +++ b/auth/sso/squert/login.php @@ -150,7 +150,7 @@ function cleanUp($string) {

-
Version 1.7.0©2016 Paul Halliday
+
Version 1.7.1©2016 Paul Halliday
diff --git a/debian/changelog b/debian/changelog index 4d854bf..0ae0561 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion27) trusty; urgency=medium + + * add row for Bro agent + + -- Doug Burks Thu, 08 Feb 2018 19:57:56 -0500 + securityonion-squert (20161212-1ubuntu1securityonion26) trusty; urgency=medium * migrate login.php to prepared statements diff --git a/debian/patches/add-row-for-Bro-agent b/debian/patches/add-row-for-Bro-agent new file mode 100644 index 0000000..113a747 --- /dev/null +++ b/debian/patches/add-row-for-Bro-agent @@ -0,0 +1,36 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion27) trusty; urgency=medium + . + * add row for Bro agent +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -619,6 +619,8 @@ function payload() { + $row = $query->fetchall(PDO::FETCH_ASSOC); + if (array_key_exists(0, $row)) { + $rows[] = $row[0]; ++ // Add the row again for Bro agent ++ $rows[] = $row[0]; + } + $theJSON = json_encode($rows); + echo $theJSON; diff --git a/debian/patches/series b/debian/patches/series index 2cac8e4..c4d3939 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -23,3 +23,4 @@ begin-transition-to-pdo-prepared-statements improve-callback.php-and-grant-permission-to-autocat-table allow-pivot-to-elsa-or-elastic migrate-login.php-to-prepared-statements +add-row-for-Bro-agent From 763c983ea06d13207a219328564c70d795541c5b Mon Sep 17 00:00:00 2001 
From: doug Date: Fri, 25 May 2018 08:16:26 -0400 Subject: [PATCH 29/34] 1.8.0 - update for 16.04 --- .inc/callback.php | 4 + .inc/functions.php | 4 +- .inc/ip2c.php | 117 +- {auth/sso/squert/.js => .js}/squertMain.js | 0 .scripts/securityonion-squert.cnf | 1 + auth/native/squert/.js/squertMain.js | 3275 -------- auth/native/squert/login.php | 158 - debian/changelog | 72 + debian/control | 2 +- debian/install | 2 +- debian/patches/disable-mysql-strict-mode | 35 + debian/patches/fix-auth | 6915 +++++++++++++++++ debian/patches/fix-for-loop | 36 + .../frontend-expects-all-values-to-be-strings | 36 + ...te-over-all-arrays-when-converting-strings | 38 + .../patches/move-files-from-elastic-package | 3465 +++++++++ ...ove-unnecessary-code-from-ip2c.php\033:wq" | 161 + debian/patches/series | 10 + debian/patches/update-mysql-calls-and-config | 52 + .../update-mysql-function-calls-in-ip2c.php | 113 + debian/patches/version-1.7.1 | 47 + debian/postinst | 21 +- auth/sso/squert/login.php => login.php | 2 +- 23 files changed, 11023 insertions(+), 3543 deletions(-) rename {auth/sso/squert/.js => .js}/squertMain.js (100%) delete mode 100644 auth/native/squert/.js/squertMain.js delete mode 100644 auth/native/squert/login.php create mode 100644 debian/patches/disable-mysql-strict-mode create mode 100644 debian/patches/fix-auth create mode 100644 debian/patches/fix-for-loop create mode 100644 debian/patches/frontend-expects-all-values-to-be-strings create mode 100644 debian/patches/iterate-over-all-arrays-when-converting-strings create mode 100644 debian/patches/move-files-from-elastic-package create mode 100644 "debian/patches/remove-unnecessary-code-from-ip2c.php\033:wq" create mode 100644 debian/patches/update-mysql-calls-and-config create mode 100644 debian/patches/update-mysql-function-calls-in-ip2c.php create mode 100644 debian/patches/version-1.7.1 rename auth/sso/squert/login.php => login.php (98%) 
diff --git a/.inc/callback.php b/.inc/callback.php index 80c151d..0053c85 100644 --- a/.inc/callback.php +++ b/.inc/callback.php @@ -442,6 +442,10 @@ function level2() { $query->execute($merged_params); // fetch the data and encode to json $rows = $query->fetchAll(PDO::FETCH_ASSOC); + // the frontend expects all values to be strings + for ($i=0;$i=start_ip AND $ip <= end_ip LIMIT 1"); - $result = mysql_fetch_array($ipLookup); + $result = mysqli_fetch_array($ipLookup); if ($result) { $registry = $result[0]; @@ -63,7 +60,7 @@ function lookup($list) { $date = $result[4]; $status = $result[5]; - mysql_query("REPLACE INTO mappings (registry,cc,c_long,type,ip,date,status) + mysqli_query($db,"REPLACE INTO mappings (registry,cc,c_long,type,ip,date,status) VALUES (\"$registry\",\"$cc\",\"$c_long\",\"$type\",\"$ip\",\"$date\",\"$status\")"); echo "-- Mapped $dot ($ip) to $cc ($c_long)\n"; } 
@@ -71,52 +68,39 @@ function lookup($list) { } } - // DB Connect - $db = mysql_connect($dbHost,$dbUser,$dbPass) or die(mysql_error()); - mysql_select_db($dbName,$db) or die(mysql_error()); - // Start timing $st = microtime(true); - $sipList = mysql_query("SELECT DISTINCT(e.src_ip) FROM event AS e LEFT JOIN mappings AS m ON e.src_ip=m.ip + + // DB Connect + global $db; + $sipList = mysqli_query($db,"SELECT DISTINCT(e.src_ip) FROM event AS e LEFT JOIN mappings AS m ON e.src_ip=m.ip WHERE (m.ip IS NULL OR m.cc = '01')"); - $dipList = mysql_query("SELECT DISTINCT(e.dst_ip) FROM event AS e LEFT JOIN mappings AS m ON e.dst_ip=m.ip + $dipList = mysqli_query($db,"SELECT DISTINCT(e.dst_ip) FROM event AS e LEFT JOIN mappings AS m ON e.dst_ip=m.ip WHERE (m.ip IS NULL OR m.cc = '01')"); $sipCount = $dipCount = 0; if ($sipList) { - $sipCount = mysql_num_rows($sipList); + $sipCount = mysqli_num_rows($sipList); if ($sipCount > 0) { lookup($sipList); } } if ($dipList) { - $dipCount = mysql_num_rows($dipList); + $dipCount = mysqli_num_rows($dipList); if ($dipCount > 0) { lookup($dipList); } } - $allRecs = mysql_query("SELECT COUNT(*) FROM mappings"); - $allCount = mysql_fetch_row($allRecs); + $allRecs = mysqli_query($db,"SELECT COUNT(*) FROM mappings"); + $allCount = mysqli_fetch_row($allRecs); // Stop Timing $et = microtime(true); $time = $et - $st; $rt = sprintf("%01.3f",$time); - if ($isCLI == 'NO') { - - $html = "\r - \r - \r - \r - \r - \r
 -> Query Time: $rt seconds
 -> Source Count: $sipCount
 -> Destination Count: $dipCount
 -> Total Mapped: $allCount[0]
"; - - return $html; - } - - if ($isCLI == 'YES' && $string == 0) { + if ($string == 0) { echo "\n-> Query Time: $rt seconds \r-> Source Count: $sipCount \r-> Destination Count: $dipCount @@ -125,30 +109,6 @@ function lookup($list) { } -/* - -Commenting out the following function per -https://github.com/int13h/squert/issues/76 - -function TheHTML($string) { - - echo "\r - \r - \r - \r - \r - \r - \r
- \r
- \r - \r

- \r - \r
- \r - \r"; -} -*/ - if (isset($argc)) { if ($argc == 1 || $argc > 2 || $argv[1] > 1 || !is_numeric($argv[1])) { @@ -159,21 +119,8 @@ function TheHTML($string) { \r1 - Update. This is intended to be called via Cron\n\n"; exit; } else { - IP2C($argv[1],'YES'); - } - -} else { - - $html = ''; - - if(!isset($_REQUEST['qText'])) { $string = $_REQUEST['qp']; } else { $string = $_REQUEST['qText']; } - - if (@$_REQUEST['csync']) { - $string = $_REQUEST['qText']; - $html = IP2C($string,'NO'); + IP2C($argv[1]); } - TheHTML($string); - echo $html; } ?> diff --git a/auth/sso/squert/.js/squertMain.js b/.js/squertMain.js similarity index 100% rename from auth/sso/squert/.js/squertMain.js rename to .js/squertMain.js diff --git a/.scripts/securityonion-squert.cnf b/.scripts/securityonion-squert.cnf index fe81ad9..1db2bd4 100644 --- a/.scripts/securityonion-squert.cnf +++ b/.scripts/securityonion-squert.cnf @@ -1,5 +1,6 @@ [mysqld] group_concat_max_len = 100000 +sql_mode=NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION [mysqltcl] local-infile=1 diff --git a/auth/native/squert/.js/squertMain.js b/auth/native/squert/.js/squertMain.js deleted file mode 100644 index 913fc54..0000000 --- a/auth/native/squert/.js/squertMain.js +++ /dev/null 
@@ -1,3275 +0,0 @@ -/* Copyright (C) 2012 Paul Halliday */ - -$(document).ready(function(){ - - $(document).on('click', '[class*="bpr"]', function() { - // We disallow filtering if any events have already been selected - // or if we stray from the event tab - if ($('.d_row_active')[0]) return; - if ($(".chk_event:checked").length > 0) return; - if ($(".tab_active").attr('id') != 't_sum') return; - - var prClass = $(this).attr('class').split('b')[1]; - var prOld = $(this).data('pr'); - - function flipIt(pattern) { - $(pattern).closest('tr').hide(); - $(pattern).closest('tr').attr('class','hidden'); - if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); - } - if ($('.b' + prClass).attr('class') == 'bprA') { - $('.b' + prClass).attr('class', 'bpr' + prOld); - $('.hidden').attr('class','d_row'); - $('.d_row').show(); - if ($('#gr').text() == 'on') { - $('.chk_event').prop("disabled",false); - $('.chk_all').prop("checked",false); - $('.chk_event').css("background-color", "#fafafa"); - } - } else { - // See if we are already filtered - if ($('.bprA')[0]) { - $('.hidden').attr('class','d_row'); - $('.d_row').show(); - if ($('#gr').text() == 'on') { - $('.chk_event').prop("disabled",false); - $('.chk_all').prop("checked",false); - $('.chk_event').css("background-color", "#fafafa"); - } - var prPrev = $('.bprA').data('pr'); - $('.bprA').attr('class', 'bpr' + prPrev); - } - $('.b' + prClass).attr('class','bprA'); - switch (prClass) { - case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; - case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; - case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; - case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; - } - flipIt(ptrn); - } - }); - - // - // Load main content - // - - // Keep track of context - thisUser = $('#t_usr').data('c_usr'); - thisTZ = $('#user_tz').val(); - rtbit = 0; - eventList("0-aaa-00"); - $("#loader").show(); - lastclasscount = 0; - - $(document).on("click", "#dt_savetz", function(event) { - if 
($('.dt_error').data('err') == 0) { - var newOffset = $('#ts_offset').val(); - profileUpdate("tz", s2h(newOffset)); - $('#user_tz').val(newOffset); - } - }); - - // Depending on context a 'No result' may be confusing - // so we turn off active queue and show everything - $(document).on('click', '#retry', function() { - $('#rt').attr('class','tvalue_off'); - $('#rt').text('off'); - rtbit = 0; - $('.b_update').click(); - }); - - // Get event statuses - var eTotal = 0, qTotal = 0; - function statusPoll(caller) { - // See if we are filtering by sensor - var theSensors = s2h('empty'); - if ($('.chk_sen:checked').length > 0) { - var active_sensors = "AND event.sid IN("; - var iter = $('.chk_sen:checked').length; - $('.chk_sen:checked').each(function() { - active_sensors += "'" + $(this).val() + "',"; - }); - active_sensors = active_sensors.replace(/,+$/,''); - active_sensors += ")"; - theSensors = s2h(active_sensors); - } - - var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); - }); - - function cb(data){ - // Check to make sure we still have a valid session. If we don't - // let the user know and return them to the login page. - if (data[0] == "<") { - $("span.class_msg").text("Your session has expired!"); - $("span.class_msg").css("background-color", "#cc0000"); - $("span.class_msg").css("color", "#fff"); - $("span.class_msg").show(); - var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); - if (sessionDead) { - $("#logout").click(); - } - } - eval("ec=" + data); - - var esum = 0; - - for (var i=0; i 0) { - var p = parseFloat(ecount/esum*100).toFixed(1); - var w = parseInt(p*2); - } - if (eclass == 0) { - qTotal = ecount; - } - $("#c-" + eclass).text(ecount); - $("#c-" + eclass).append("(" + p + "%)"); - } - - var lastcount = $("#cat_sum").val(); - var newcount = esum; - $("#cat_sum").val(esum); - eTotal = esum; - $("#event_sum").val(eTotal); - - if (caller == 0) { // Fresh load - lastcount = newcount; - } - - // Last RT value - var lastQ = Number($("#qtotal").html()); - if (lastcount < newcount) { - $("#etotal").html(eTotal); - } - - if (lastQ < qTotal) { - if (caller != 0) { - if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); - } - $("#etotal").html(eTotal); - $("#qtotal").html(qTotal); - } - - $("#title").html("squert (" + qTotal + ") - " + thisUser); - - } - - } - - // - // Event monitor (how often we poll for new events) - // - - var emTimeout = 30000; - window.setInterval(function(){ - if ($('#search').val().length == 0) { - statusPoll(1); - } - }, emTimeout); - - $(document).on("click", '[class*="cl_"]', function(event) { - var nc = $(this).attr('class').split("_"); - var ct = $(this).parents('table').data('comment'); - $(".cat_msg_txt").val(ct); - $('#b_class-' + nc[1]).click(); - }); - - // Tabs - var tab_cached = $("#sel_tab").val(); - - switch (tab_cached) { - case "t_sum": - $('.content-right').show(); - break; - case "t_ovr": - $('.content-right').hide(); - $('.content-left').hide(); - if ($('#ovestat').text().length == 0) loadSummary(); - break; - case "t_view": - $('.content-right').hide(); - $('.content-left').hide(); - loadViews(); - default: - $('.content-right').hide(); - $('.content-left').hide(); - break; - } - - $('#' + tab_cached).attr('class','tab_active'); - $("#" + tab_cached + "_content").attr('class','content_active'); - - 
$(".tab,.tab_active").click(function(event) { - var active = $(".tab_active").attr('id'); - var content = $(".content_active").attr('id'); - if ($(".fl_val_on")[0]) { - $('.b_update').click(); - } - - if ( this.id != active ) { - $("#" + active).removeClass('tab_active'); - $("#" + active).addClass('tab'); - $(this).attr('class','tab_active'); - $("#" + content).attr('class','content'); - $("#" + this.id + "_content").attr('class','content_active'); - activeTab = $(".tab_active").attr('id'); - $('.pin').hide(); - - switch (activeTab) { - case "t_sum": - $('.content-right').show(); - if (Number($('.botog').data('val')) == 1) $('.content-left').show(); - $('.t_pbar').css('opacity',1); - $('.db_links').hide(); - $('.pin').show(); - break; - case "t_ovr": - $('.content-right').hide(); - $('.content-left').hide(); - if ($('#ovestat').text().length == 0) loadSummary(); - $('.t_pbar').css('opacity',.1); - $('.db_links').hide(); - break; - case "t_view": - $('.content-right').hide(); - $('.content-left').hide(); - $('.t_pbar').css('opacity',.1); - loadViews(); - break; - default: - $('.content-right').hide(); - $('.content-left').hide(); - $('.t_pbar').css('opacity',.1); - $('.db_links').hide(); - break; - } - - $('#sel_tab').val(activeTab); - var ctab = $('#sel_tab').val(); - var urArgs = "type=" + 5 + "&tab=" + ctab; - $.get(".inc/callback.php?" 
+ urArgs); - } - }); - - // Sub tab groups - $(".tsg").click(function(event) { - var nc = Number($(this).attr('class').split(/\s/).length); - var ct = $(this).data('tab'); - $('.tsg_active').attr('class','tsg'); - $(this).attr('class','tsg tsg_active'); - }); - - // Toggle and update views - function newView(req) { - // No racing please - var bail = $("#loader").css('display'); - if (bail != 'none') return; - // Remove any stale views - $("#tl0,#tl1,#tl3a,#tl3b").remove(); - var f = "0-aaa-00"; - var s = "2a-aaa-00"; - var cv = $("#gr").text(); - - switch (cv) { - case "on": - eventList(f); - $("#loader").show(); - break; - case "off": - eventList(s); - $("#loader").show(); - break; - } - } - - // Group and ungroup - $(document).on("click", "#gr", function(event) { - var bail = $("#loader").css('display'); - if (bail != 'none') return; - var cv = $('#gr').text(); - switch (cv) { - case 'on': - $('#gr').attr('class','tvalue_off'); - $('#gr').text('off'); - break; - case 'off': - $('#gr').attr('class','tvalue_on'); - $('#gr').text('on'); - $("#event_sort").val("DESC"); - break; - } - }); - - // RT check/uncheck - $(document).on("click", "#rt", function(event) { - var bail = $("#loader").css('display'); - if (bail != 'none') return; - var cv = $('#rt').text(); - switch (cv) { - case 'on': - $('#rt').attr('class','tvalue_off'); - $('#rt').text('off'); - rtbit = 0; - break; - case 'off': - $('#rt').attr('class','tvalue_on'); - $('#rt').text('on'); - rtbit = 1; - break; - } - }); - - // Toggle side/lower bars - $(document).on("click", ".botog", function(event) { - if ($('.tab_active').attr('id') != 't_sum') return; - var n = Number($('.botog').data("val")); - switch (n) { - case 1: - $('.botog').data("val","0"); - $('.content-right').css("width","100%"); - $('.botog').attr('src','.css/layout0.png'); - break; - case 0: - $('.botog').data("val","1"); - $('.content-right').css("width","82%"); - $('.botog').attr('src','.css/layout1.png'); - break; - } - 
$('.bottom').animate({height: 'toggle'}); - $('.content-left').animate({width: 'toggle'}); - }); - - // Section show and hide - $(".st").click(function() { - var thisSec = $(this).data("sec"); - var thisSecID = "#sec_" + thisSec; - var thisSecVis = $(thisSecID).css("display"); - var lastSection = "h"; - switch (thisSecVis) { - case "none": - $(this).attr("src", ".css/uarr.png"); - $(thisSecID).slideDown(); - break; - default: - $(this).attr("src", ".css/darr.png"); - $(thisSecID).slideUp(); - break; - } - }); - - // If search is in focus, update on enter - $('#search').keypress(function(e) { - if (!e) e=window.event; - key = e.keyCode ? e.keyCode : e.which; - if (key == 13) { - // Close comment box if it is open - if ($('#cat_box').css('display') != 'none') { - $('#ico01').click(); - } - $('.b_update').click(); - } - }); - - // Sort ASC/DESC - $(document).on("click", ".event_time", function(event) { - var csv = $(".event_time").text(); - switch (csv) { - case "show oldest first": - $("#event_sort").val("ASC"); - break; - case "show newest first": - $("#event_sort").val("DESC"); - break; - } - newView("u"); - }); - - // Update page - $(document).on("click", ".b_update", function(event) { - $(".icon_notifier").fadeToggle(); - $(".tag").remove(); - $(".tag_empty").show(); - // Remove any supplementary results - if ($("#extresult")[0]) $("#extresult").remove(); - // Where are we? 
- var curTab = $('.tab_active').attr('id'); - switch (curTab) { - case 't_ovr': - loadSummary(); - break; - case 't_view': - mkView(); - break; - default: - $(".b_update_note").hide(); - newView("u"); - break; - } - }); - - // Clear search and refresh - $('#clear_search').click(function() { - if ($('#search').val() != '') { - $('#search').val(''); - $("#search").focus(); - if ($(".fl_val_on")[0]) { - $('.b_update').click(); - } - } - }); - - // Logout - $("#logout").click(function(event) { - $.get("index.php?id=0", function(){location.reload()}); - }); - - // Toggle filters - $(document).on('click', '.fl_val_on', function(event) { - var wF = $(this).data("ft"); - switch (wF) { - case "tl": - - break; - case "ob": - $('#clear_search').click(); - break; - case "sn": - $(".chk_sen").each(function() { - $(this).prop("checked",false); - }); - $('.b_update').click(); - break; - } - }); - - function clearTags() { - //$(".tag").remove(); - //$(".tag_empty").show(); - $(".tag").removeClass('tag_active'); - } - - // - // Rows - // - - function closeRow() { - $("#active_eview").remove(); - $("#" + this.id).attr('class','d_row'); - $(".d_row").css('opacity','1'); - ltCol = $(".d_row_active").find('td.lt').html(); - $(".d_row_active").find('td.lt').css('background', ltCol); - $(".d_row_active").attr('class','d_row'); - // Update class_count - $("#class_count").text(lastclasscount); - // Get rid of any crashed loaders - $("#loader").hide(); - // Reset checkbox - $(".chk_all").prop("checked",false); - // Clear Tags - clearTags(); - } - function closeSubRow() { - $("#eview_sub1").remove(); - $("#" + this.id).attr('class','d_row_sub'); - $(".d_row_sub").css('opacity','1'); - $(".d_row_sub_active").attr('class','d_row_sub'); - // Update class_count - $("#class_count").text(lastclasscount); - curclasscount = lastclasscount; - $("#loader").hide(); - // Reset and show checkbox - $(".chk_all").prop("checked",false); - $("#ca0").show(); - // Remove any open externals - if 
($("#extresult")[0]) $("#extresult").remove(); - // Clear Tags - clearTags(); - } - function closeSubRow1() { - $("#eview_sub2").remove(); - $("#" + this.id).attr('class','d_row_sub1'); - if (!$("#eview_sub3")[0]) { - $(".d_row_sub1").css('opacity','1'); - $(".d_row_sub_active1").attr('class','d_row_sub1'); - } - $("#loader").hide(); - // Reset checkbox - $(".chk_all").prop("checked",false); - // Remove any open externals - if ($("#extresult")[0]) $("#extresult").remove(); - // Clear Tags - clearTags(); - } - function closeSubRow2() { - $("#eview_sub3").remove(); - $("#" + this.id).attr('class','d_row_sub1'); - if (!$("#eview_sub2")[0]) { - $(".d_row_sub1").css('opacity','1'); - $(".d_row_sub1_active").attr('class','d_row_sub1'); - } - $("#loader").hide(); - // Clear Tags - clearTags(); - } - - // - // Level 1 - // - - $(document).on("click", ".row_active", function(event) { - var curID = $(this).parent('tr').attr('id'); - // What type of row are we? - rowType = curID.substr(0,3); - - // Make sure no other instances are open - if (!$(".d_row_active")[0] && rowType == 'sid') { - $("#loader").show(); - // This leaves us with sid-gid - var rowValue = curID.replace("sid-",""); - var sigID = rowValue.split("-")[0]; - - $(".d_row_active").attr('class', 'd_row'); - $("#active_eview").attr('class','d_row'); - - // This is now the active row - $("#" + curID).attr('class','d_row_active'); - $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); - // History - var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); - hItemAdd(itemToAdd); - // Set the class count (counted again after load) - curclasscount = $('.d_row_active').data('event_count'); - var cols = $('th.sort').length; - var tbl = ''; - tbl += ""; - tbl += "
"; - tbl += "
"; - tbl += "
"; - tbl += "
"; - tbl += "
"; - tbl += "
"; - tbl += "
"; - tbl += "
"; - tbl += ""; - tbl += "CATEGORIZE"; - tbl += curclasscount + "EVENT(S)  "; - tbl += "    "; - tbl += "CREATE FILTER: "; - tbl += "src  "; - tbl += "dst  "; - tbl += "both"; - tbl += "
"; - $("#" + curID).after(tbl); - - // Lookup signature - sigLookup(rowValue); - - // Fetch results - eventList("1-" + rowValue); - - $("#eview").show(); - $(".d_row").fadeTo('0','0.2'); - } else { - closeRow(); - } - }); - - // - // Level 2 - // - - $(document).on("click", ".sub_active", function() { - if (!$(".d_row_sub_active")[0]) { - var callerID = $(this).parent('tr').attr('id'); - - // Reset checkbox - $(".chk_all").prop("checked",false); - - // RT or ALL? - switch (rtbit) { - case 1: adqp = s2h("AND event.status = 0"); break; - case 0: adqp = s2h("empty"); break; - } - // We are now the active row - $("#" + callerID).attr('class','d_row_sub_active'); - - // Populate search times - var bt = $("#" + callerID).find('[class*="timestamp"]').html(); - var est = mkStamp(bt,"-",3600000,thisTZ); - var eet = mkStamp(bt,"+",3600000,thisTZ); - - $('#el_start').val(est); - $('#el_end').val(eet); - - // Clear search terms - $("#srchterms").html(''); - $(".srch_txt").val(''); - - // History and search - $("#" + callerID).find('[class*="sub_filter"]').each(function() { - if ($(this).data('type') == 'cc') { - var itemToAdd = $(this).data('value'); - } else { - var itemToAdd = $(this).text(); - // Add search terms - $("#srchterms").append("" + itemToAdd + "  "); - } - hItemAdd(itemToAdd); - }); - - $("#loader").show(); - eventList("2-" + callerID + "-" + adqp); - } else { - closeSubRow(); - } - }); - - // - // Level 3 (a or b) request payload - // - - $(document).on("click", ".sub1_active", function() { - // Close transcript if it is open - if ($(".eview_sub3")[0]) closeSubRow2(); - if (!$(".d_row_sub_active1")[0]) { - var callerID = $(this).parent('tr').attr('id'); - $("#" + callerID).attr('class','d_row_sub_active1'); - - // Populate search times - var bt = $("#" + callerID).find('[class*="timestamp"]').html(); - var est = mkStamp(bt,"-",1800000,thisTZ); - var eet = mkStamp(bt,"+",1800000,thisTZ); - - $('#el_start').val(est); - $('#el_end').val(eet); - - // Clear search 
terms - $("#srchterms").html(''); - $(".srch_txt").val(''); - - // History - $("#" + callerID).find('[class*="sub_filter"]').each(function() { - if ($(this).data('type') == 'cc') { - var itemToAdd = $(this).data('value'); - } else { - var itemToAdd = $(this).text(); - } - if ($(this).data('type') == 'ip') { - // Add search terms - $("#srchterms").append("" + itemToAdd + "  "); - } - hItemAdd(itemToAdd); - }); - $("#loader").show(); - eventList("3-" + callerID); - } else { - closeSubRow1() - } - }); - - // - // Level 3 (a or b) request transcript - // - - $(document).on("click", ".sub2_active", function(event) { - // Close payload if it is open - if ($(".eview_sub2")[0]) closeSubRow1(); - var bail = $("#loader").css('display'); - if (bail != 'none') return; - if (!$(".eview_sub3")[0]) { - $("#loader").show(); - composite = $(this).data('tx').split("-"); - rowLoke = composite[0]; - $("#" + rowLoke).attr('class','d_row_sub1_active'); - nCols = $("#" + rowLoke).find('td').length; - cid = composite[1]; - txdata = composite[2]; - - // See if a transcript is available - var urArgs = "type=" + 7 + "&txdata=" + txdata; - $(function(){ - $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); - }); - - function cb5(data){ - eval("txRaw=" + data); - txCMD = txRaw.cmd; - txResult = txRaw.tx; - txDebug = txRaw.dbg; - if (txResult == "DEBUG:") txResult += " No data was returned."; - if (!txResult) { - txResult = "Transcript request failed!

"; - txResult += "The command was:
" + txCMD + "

"; - txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); - } - - var row = '',tbl = ''; - row += ""; - row += ""; - row += "
"; - row += txResult; - row += "
"; - - tbl += ""; - tbl += row; - tbl += ""; - $("#" + rowLoke).after(tbl); - - // Turn off fade effect for large results - var rC = $(".d_row_sub1").length; - if ( rC <= 399 ) { - $(".d_row_sub1").fadeTo('fast','0.2'); - } - - $("#loader").hide(); - } - } else { - closeSubRow2(); - } - }); - - // Toggle RT depending on entry point - $(document).on("click", ".b_ec_hot", function() { - rtbit = 1; - }); - $(document).on("click", ".b_ec_total", function() { - rtbit = 0; - }); - - // Filter constructor - function mkFilter() { - if ($('#search').val().length > 0) { - - var srchVal = $('#search').val(); - var fParts = ""; - - // If no term is supplied default to a string, IP or wildcard IP search - chkVal: - if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { - var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; - if (re.exec(srchVal)) { - srchVal = "ip " + srchVal; - break chkVal; - } - - var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; - if (re.exec(srchVal)) { - srchVal = "wip " + srchVal; - break chkVal; - } - - srchVal = "sig " + srchVal; - } - - fParts = srchVal.replace(/^!/,"").split(" "); - if (fParts[0] == 'cmt') { - var theFilter = s2h($('#search').val()); - rtbit = 0; - } else { - // Now see if the requested filter exists - if ($("#tr_" + fParts[0]).length > 0) { - tmpFilter = $("#tr_" + fParts[0]).data('filter'); - // Now see if we need to modify the query - if (fParts[1]) { - // This is the base filter - preFilter = h2s(tmpFilter); - // This is the user supplied text. 
- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); - theQuestion = fParts.join(' ').replace(re, ""); - // We will accept multiple questions if they are comma delimited - questionParts = theQuestion.split(","); - if (questionParts.length > 1) { - var f = '('; - for (var i = 0; i < questionParts.length; i++) { - f += preFilter.replace(/\$/g, questionParts[i]); - if (i != (questionParts.length - 1)) { - f += " OR "; - } - } - f += ')'; - theFilter = s2h(f); - } else { - var newFilter = preFilter.replace(/\$/g, questionParts[0]); - theFilter = s2h(newFilter); - } - } else { - theFilter = tmpFilter; - } - } else { // The filter does not exist - theFilter = s2h('empty'); - } - } - } else { // No filter supplied - theFilter = s2h('empty'); - } - return theFilter; - } - - // - // This creates the views for each level - // - - function eventList (type) { - theWhen = getTimestamp(); - statusPoll(0); - var parts = type.split("-"); - var filterMsg = ''; - var rt = 0; - var theSensors = s2h('empty'); - var theFilter = mkFilter(); - - // See if we are just RT events - if ($('#rt').text() == 'on' || rtbit == 1) { - rt = 1; - rtbit = 1; - } - // How are we sorting? 
- var sortval = $("#event_sort").val(), sorttxt; - switch (sortval) { - case "DESC": sorttxt = "show oldest first"; break; - case "ASC": sorttxt = "show newest first"; break; - } - - // See if we are filtering by sensor - if ($('.chk_sen:checked').length > 0) { - var active_sensors = "AND event.sid IN("; - var iter = $('.chk_sen:checked').length; - $('.chk_sen:checked').each(function() { - active_sensors += "'" + $(this).val() + "',"; - }); - active_sensors = active_sensors.replace(/,+$/,''); - active_sensors += ")"; - theSensors = s2h(active_sensors); - } - - // Check for any filters - if (h2s(theFilter) != 'empty') { - $('.fl_val').text('YES'); - } else { - $('.fl_val').text('NO'); - } - - switch (parts[0]) { - - // Level 0 view - Grouped by Signature - case "0": - $('.value').text('-'); - - // Times Chart - var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; - $(function(){ - $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); - }); - - function cb22(data){ - eval("chartData=" + data); - var r = chartData.r; - if (r > 0) { - mkLine(".times",chartData.rows,chartData.m); - } - } - - var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb1(data)}); - }); - function cb1(data){ - eval("d0=" + data); - var tbl = ''; - var head = ''; - var row = ''; - var cols = 11; - - if (rt == 0) cols = 12; - head += ""; - head += ""; - head += "QUEUE"; - if (rt == 0) head += "ALL"; - head += ""; - head += "SC"; - head += "DC"; - if (rt == 0) head += "CLASS"; - head += "ACTIVITY"; - head += "LAST EVENT"; - head += "SIGNATURE"; - head += "ID"; - head += "PROTO"; - head += "% TOTAL"; - head += ""; - - var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; - - if (d0.length > 0) { - // Sums for boxes - for (var i=0; i"; - row += "No result. 
If this is unexpected try this"; - } - - if (rt == 1) { - sumSC = "-"; - sumDC = "-"; - sumEC = eTotal; - } - - var sumRT = 0; - - // Tag Array - var tags = new Array(); - - for (var i=0; i 0 ) { - rtClass = "b_ec_hot"; - sumRT += parseInt(unClass); - } else { - rtClass = "b_ec_cold"; - } - - // Sum priorities - var prC = Number(d0[i].f1); - switch (d0[i].f13) { - case "1": spr1 += prC; break; - case "2": spr2 += prC; break; - case "3": spr3 += prC; break; - default: spr4 += prC; break; - } - - rid = "r" + i + "-" + parts[1]; - var cells = mkGrid(d0[i].f12); - if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); - row += ""; - row += "
" + unClass + "
"; - if (rt == 0) row += "
" + d0[i].f1 + "
"; - row += "
" + d0[i].f13 + "
"; - row += "" +d0[i].f6+ ""; - row += "" +d0[i].f7+ ""; - if (rt == 0) row += "" + catCells + ""; - - timeParts = d0[i].f5.split(" "); - timeStamp = timeParts[1]; - - if ( sumEC > 0) { - rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); - } else { - rowPer = "0.000"; - } - - row += "" + cells + ""; - row += "" + timeStamp + ""; - row += ""; - //row += "
" + d0[i].f2 + "
"; - row += d0[i].f2 + ""; - row += "" + d0[i].f3 + ""; - row += "" + d0[i].f8 + ""; - - - row += "" + rowPer + "%"; - row += ""; - } - - // Populate event summary - $('#qtotal').text(sumRT); - $('#etotal').text(sumEC); - $('#esignature').text(sumSI); - - // Populate tags - for (var i=0; i < tags.length; i++) { - addTag(tags[i]); - } - - tbl += ""; - tbl += head; - tbl += row; - tbl += "
"; - - $('#' + parts[1] + '-' + parts[2]).append(tbl); - - if (d0.length > 0) { - var prVals = [spr1,spr2,spr3,spr4]; - var pryBar = mkPribar(prVals); - } else { - var pryBar = mkPribar([0]); - } - $('#tl1').fadeIn('slow'); - $("#tl1").tablesorter(); - $("#loader").hide(); - } - break; - - // Level 1 view - Grouped by signature, source, destination - - case "1": - var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); - }); - - function cb2(data){ - eval("theData=" + data); - tbl = ''; - head = ''; - row = ''; - head += "QUEUE"; - if (rt == 0) head += "TOTAL"; - if (rt == 0) head += "CLASS"; - head += "ACTIVITY"; - head += "LAST EVENT"; - head += "SOURCE"; - head += "AGE"; - head += "COUNTRY"; - head += "DESTINATION"; - head += "AGE"; - head += "COUNTRY"; - head += ""; - var curclasscount = 0, tlCount = 0, rtCount = 0; - var timeValues = "", scid = ""; - - // Tag array - var tags = new Array(); - - for (var i=0; i 0 ) { - rtClass = "b_ec_hot"; - isActive = "sub_active"; - } else { - rtClass = "b_ec_cold"; - isActive = "sub"; - } - - // Aggregate time values - timeValues += theData[i].c_ts + ","; - var cells = mkGrid(theData[i].f12); - if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); - - // Event sums - tlCount += parseInt(count,10); - rtCount += parseInt(unclass,10); - - rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; - row += ""; - row += "
" + unclass + "
"; - if (rt == 0) row += "
" + count + "
"; - if (rt == 0) row += "" + catCells + ""; - row += "" + cells + ""; - row += "" + max_time + ""; - row += "
" + src_ip + ""; - row += "" + src_age_n + ""; - row += ""; - row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; - row += "
" + dst_ip + ""; - row += "" + dst_age_n + ""; - row += ""; - row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; - row += ""; - } - - // Populate tags - for (var i=0; i < tags.length; i++) { - addTag(tags[i]); - } - - // Add scid's to checkbox - $("#ca0").data("scid", scid.replace(/,$/, "")); - - // If queue is empty provide event sums in case the user - // intends to reclass anything - if (rtbit == 1) { - curclasscount = rtCount; - } else { - curclasscount = tlCount; - } - - // update class_count - $("#class_count").html(curclasscount); - lastclasscount = $("#class_count").html(); - - // While in grouped events (RT) we remove rows as - // they are classed and subtract the values from "Total Events" - // This keeps etotal up to date so the math doesn't get silly - var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); - var oldec = Number($("#etotal").text()); - if (oldrt < rtCount) { - newrtcount = parseInt((rtCount - oldrt) + oldec); - $("#etotal").text(newrtcount); - } - - // Update parent counts - $(".d_row_active").find(".b_ec_hot").text(rtCount); - if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); - - tbl += "
"; - tbl += head; - tbl += row; - tbl += "
"; - $("#eview").after(tbl); - $("#tl2").tablesorter({ - headers: { - 4: {sorter:'ipv4'}, - 6: {sorter:'ipv4'} - } - }); - $("#loader").hide(); - } - break; - - // Level 2 view - No grouping, individual events - - case "2": - var rowLoke = parts[1]; - var filter = $('#' + parts[1]).data('filter'); - var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); - }); - - function cb3(data){ - eval("d2=" + data); - tbl = ''; - head = ''; - row = ''; - head += ""; - head += ""; - head += "ST"; - head += "TIMESTAMP"; - head += "EVENT ID"; - head += "SOURCE"; - head += "PORT"; - head += "DESTINATION"; - head += "PORT"; - head += "SIGNATURE"; - head += ""; - - // Update class_count - $("#class_count").html(0); - var tlCount=0, rtCount=0; - - // Tag array - var tags= new Array(); - - for (var i=0; i"; - tclass = "c" + eclass; - cv = classifications.class[tclass][0].short; - - // Populate tags array - if (src_tag != "-") { - var src_tags = src_tag.split(","); - $.each(src_tags, function(n,tag) { - var t = tags.indexOf(tag); - if (t < 0) tags.push(tag); - }); - } - - if (dst_tag != "-") { - var dst_tags = dst_tag.split(","); - $.each(dst_tags, function(n,tag) { - var t = tags.indexOf(tag); - if (t < 0) tags.push(tag); - }); - } - - // Timestamp - var compts = d2[i].f2.split(",") || "--"; - var timestamp = compts[0]; - var utctimestamp = compts[1]; - - // Event sums - tlCount += parseInt(1,10); - if (cv == "RT") { - rtCount += parseInt(1,10); - } - - // Transcript link - // original Squert native pivot: - //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); - //txBit = "" + sid + "." + cid + "
"; - //if (src_port != "-" && dst_port != "-") { - // txBit = "" + sid + "." + cid + ""; - //} - // new pivot to CapMe: - txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); - txBit = "" + sid + "." + cid + ""; - if (src_port != "-" && dst_port != "-") { - var startDate = new Date(utctimestamp); - var start_tz_offset = (startDate.getTimezoneOffset()); - var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; - var endDate = new Date(utctimestamp); - var end_tz_offset = (endDate.getTimezoneOffset()); - var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; - txBit = " " + sid + "." + cid + ""; - } - - row += ""; - row += "
"; - row += cv + "
"; - row += "" + timestamp + ""; - row += txBit; - row += "" + src_ip + ""; - row += "" + src_port + ""; - row += "" + dst_ip + ""; - row += "" + dst_port + ""; - row += "" + signature + ""; - row += ""; - } - - // Update parent counts - $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); - if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { - $(".d_row_sub_active").find(".b_ec_total").text(tlCount); - } - - var cols = $('th.sort').length; - - // Populate tags - clearTags(); - for (var i=0; i < tags.length; i++) { - addTag(tags[i]); - } - - tbl += ""; - tbl += ""; - tbl += head; - tbl += row; - tbl += "
"; - $("#" + rowLoke).after(tbl); - $(".d_row_sub").fadeTo('0','0.2'); - $("#loader").hide(); - $("#tl3").tablesorter({ - headers: { - 0:{sorter:false}, - 4:{sorter:'ipv4'}, - 6:{sorter:'ipv4'} - }, - cancelSelection:false - }); - $("#ca0").hide(); - } - break; - - // Level 2a view - No grouping, individual events - - case "2a": - $('.value').text('-'); - var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); - }); - - function cb3a(data){ - eval("d2a=" + data); - var tbl = ''; - var head = ''; - var row = ''; - var disabled = ''; - if (d2a.length == 0) { - disabled = "disabled"; - row += ""; - row += "No result. If this is unexpected try this"; - } - - head += ""; - head += ""; - head += ""; - head += "ST"; - head += ""; - head += "TIMESTAMP"; - head += "ID"; - head += "SOURCE"; - head += "PORT"; - head += "AGE"; - head += "CC"; - head += "DESTINATION"; - head += "PORT"; - head += "AGE"; - head += "CC"; - head += "SIGNATURE"; - head += ""; - - // Aggregate time values - var timeValues = ""; - for (var ts=0; ts" + sid + "." + cid + ""; - //if (src_port != "-" && dst_port != "-") { - // txBit = "" + sid + "." + cid + ""; - //} - // new pivot to CapMe: - txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); - txBit = "" + sid + "." + cid + ""; - if (src_port != "-" && dst_port != "-") { - var startDate = new Date(utctimestamp); - var start_tz_offset = (startDate.getTimezoneOffset()); - var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; - var endDate = new Date(utctimestamp); - var end_tz_offset = (endDate.getTimezoneOffset()); - var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; - txBit = " " + sid + "." + cid + ""; - } - - row += ""; - row += ""; - row += "
"; - row += cv + "
"; - row += "
" + d2a[i].f16 + "
"; - row += "" + timestamp + ""; - row += txBit; - row += "
" + src_ip + ""; - row += "" + src_port + ""; - row += "" + src_age_n + ""; - row += "" + cs[1] + ""; - row += "
" + dst_ip + ""; - row += "" + dst_port + ""; - row += "" + dst_age_n + "" - row += "" + cd[1] + ""; - row += "" + signature + ""; - } - - var sumED = 0, sumEC = 0, cmsg = ""; - - if (d2a.length > 0) { - sumED = i; - sumEC = d2a.length; - } - - if (d2a.length >= maxI) { - sumRE = sumEC - maxI; - cmsg = " / " + sumRE + " not shown"; - } - - $("#qtotal").html(rsumRT); - - // Populate tags - clearTags(); - for (var i=0; i < tags.length; i++) { - addTag(tags[i]); - } - - // Draw - tbl += ""; - tbl += "
"; - tbl += "
"; - tbl += "
"; - tbl += "categorize " + 0 + ""; - tbl += " of " + sumED + " event(s)" + cmsg; - tbl += "
"; - tbl += "
" + sorttxt + "
"; - tbl += "
"; - tbl += "
"; - tbl += ""; - tbl += head; - tbl += row; - tbl += "
"; - $('#' + parts[1] + '-' + parts[2]).after(tbl); - - if (d2a.length > 0) { - var prVals = [spr1,spr2,spr3,spr4]; - var pryBar = mkPribar(prVals); - } else { - var pryBar = mkPribar([0]); - } - $("#tl3a,#tl3b").fadeIn('slow'); - $("#tl3b").tablesorter({ - headers: { - 0:{sorter:false}, - 1:{sorter:false}, - 5:{sorter:'ipv4'}, - 8:{sorter:'ipv4'} - }, - cancelSelection:false - }); - $("#loader").hide(); - } - break; - - // Level 3 view - Packet Data - - case "3": - var rowLoke = parts[1]; - var nCols = $('#' + parts[1]).data('cols'); - var filter = $('#' + parts[1]).data('filter'); - var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; - var sg = $('#' + parts[1]).data('sg'); - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); - }); - - function cb4(data){ - eval("theData=" + data); - - var tbl = '', head = '', row = ''; - - // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) - if (theData[0].ip_ver != 0) { - - var PDATA = 0; - head += ""; - head += ""; - head += ""; - head += ""; - head += ""; - head += ""; - head += ""; - head += ""; - head += ""; - head += ""; - head += ""; - head += ""; - head += ""; - head += ""; - - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; - - switch (theData[0].ip_proto) { - case "1": - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; - break; - - case "6": - // TCP flags - var tmpFlags = theData[1].tcp_flags || 'z'; - switch (tmpFlags) { - case 'z': var tcpFlags = '--------'; break; - default: - var binFlags = Number(theData[1].tcp_flags).toString(2); - var binPad = 8 - binFlags.length; - var tcpFlags = "00000000".substring(0,binPad) + binFlags; - break; - } - var tcp_seq = theData[1].tcp_seq || '-'; - var tcp_ack = theData[1].tcp_ack || '-'; - var tcp_off = theData[1].tcp_off || '-'; - var tcp_res = theData[1].tcp_res || '-'; - var tcp_win = theData[1].tcp_win || '-'; - var tcp_urp = theData[1].tcp_urp || '-'; - var tcp_csum = theData[1].tcp_csum || '-'; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; - break; - - case "17": - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; - break; - } - - var p_hex = '', p_ascii = '', p_ascii_l = ''; - - // Data - if (!theData[2]) { - p_hex = "No Data Sent."; - p_ascii = "No Data Sent."; - } else { - p_pl = theData[2].data_payload; - p_length = theData[2].data_payload.length; - var b0 = 0; - - for(var i=0; i < p_length; i+=2) { - b0++; - t_hex = p_pl.substr(i,2); - t_int = parseInt(t_hex,16); - - if ((t_int < 32) || (t_int > 126)) { - p_hex += t_hex + " "; - p_ascii += "."; - p_ascii_l += "."; - } else if (t_int == 60) { - p_hex += t_hex + " "; - p_ascii += "<"; - p_ascii_l += "<"; - } else if (t_int == 62) { - p_hex += t_hex + " "; - p_ascii += ">"; - p_ascii_l += ">"; - } else { - p_hex += t_hex + " "; - p_ascii += String.fromCharCode(parseInt(t_hex, 16)); - p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); - } - - if ((b0 == 16) && (i < p_length)) { - p_hex += "
"; - p_ascii += "
"; - b0 = 0; - } - } - } - - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += ""; - row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; - - } else { - - head += ""; - var p_ascii = "No Data Sent."; - // This needs to be more robust. - if (theData[2]) { - var tmp = h2s(theData[2].data_payload).split("\n"); - p_ascii = ''; - for (var i in tmp) { - p_ascii += "
" + tmp[i] + "
"; - } - - } - row += ""; - row += ""; - row += "
" + p_ascii + "
"; - } - - tbl += ""; - - // If we are not grouped we show the signature text - if ( sg != 0 ) { - tbl += "
"; - tbl += "
"; - tbl += "
"; - tbl += "
"; - tbl += "
"; - tbl += "
"; - sigLookup(sg); - } - - // Comments and tags are done here - var tags = new Array(); - var eventTag = 'None.'; - var eventComment = theData[0].comment || 'None.'; - var src_tag = theData[0].srctag || '-'; - var dst_tag = theData[0].dsttag || '-'; - - // Populate tags array - if (src_tag != "-") { - var src_tags = src_tag.split(","); - $.each(src_tags, function(n,tag) { - var t = tags.indexOf(tag + ",s"); - if (t < 0) tags.push(tag + ",s"); - }); - } - - if (dst_tag != "-") { - var dst_tags = dst_tag.split(","); - $.each(dst_tags, function(n,tag) { - var t = tags.indexOf(tag + ",d"); - if (t < 0) tags.push(tag + ",d"); - }); - } - - if (tags.length > 0) eventTag = ''; - - tbl += "
COMMENTS
"; - tbl += "
" + eventComment + "
"; - tbl += "
TAGS
"; - tbl += "
" + eventTag + "
"; - if (PDATA != 0) { - tbl += "
DETAILS
"; - } else { - tbl += "
PAYLOAD
"; - } - tbl += head; - tbl += row; - tbl += ""; - $("#" + rowLoke).after(tbl); - $("#loader").hide(); - - // Turn off fade effect for large results - var rC = $(".d_row_sub1").length; - if ( rC <= 499 ) { - $(".d_row_sub1").fadeTo('fast','0.2'); - } - - // Populate tags - clearTags(); - for (var i=0; i < tags.length; i++) { - addTag(tags[i]); - } - - } - break; - } - // If event queue is off we need to reset this after load if b_ec_hot was - // the entry point - if ($('#rt').text() == 'off') rtbit = 0; - } - - // - // Object click handlers - // - - $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { - // Check if we are coming from a legit object - var prefix = $(this).data('type'); - if (prefix == "none") return; - - // Check if we are coming from a sane selection - var selLen = window.getSelection().toString().length; - if (selLen > 4) { - if (selLen < 255) { // Might need to change these based on how people use this - prefix = "zz"; - var suffix = window.getSelection().toString(); - var re = /\s/g; - var NOK = re.exec(suffix); - if (NOK) return; - } else { - return; - } - } else { - var suffix = $(this).text(); - } - - var mX = e.pageX; - var mY = e.pageY; - - var colour = $(this).data('col') || "FFFFFF"; - var tfocus = "#search"; - switch (prefix) { - case 'ip': - hItemAdd(suffix); - var sord = $(this).data('sord'); - mkPickBox(prefix,suffix,sord,colour,mX,mY); - break; - case 'spt': - case 'dpt': - hItemAdd(suffix); - mkPickBox(prefix,suffix,0,colour,mX,mY); - break; - case 'cc': - case 'scc': - case 'dcc': - var cc = $(this).data('value'); - hItemAdd(cc); - mkPickBox(prefix,cc,suffix,colour,mX,mY); - break; - case 'cmt': - suffix = $(this).data('comment'); - $("#rt").text("off"); - $("#rt").attr('class','tvalue_off'); - $('#search').val(prefix + " " + suffix); - hItemAdd(suffix); - if ($('#cat_box').css('display') != 'none') { - $('#ico01').click(); - } - $('.b_update').click(); - break; - case 'cmt_c': - 
$('.cat_msg_txt').val(suffix);
- hItemAdd(suffix);
- tfocus = ".cat_msg_txt";
- break;
- case 'fil':
- var fil = $(this).data('value');
- $('#search').val(fil);
- hItemAdd(fil);
- if ($('#fltr_box').css('display') != 'none') {
- $('#ico04').click();
- }
- $('.b_update').click();
- break;
- case 'sid':
- var value = $(this).data('value');
- hItemAdd(suffix);
- mkPickBox(prefix,value,suffix,colour,mX,mY);
- break;
- case 'st':
- var suffix = $(this).attr('id').split('-')[1];
- $('#search').val(prefix + " " + suffix);
- // RT must be off to return anything
- $('#rt').attr('class','tvalue_off');
- $('#rt').text('off');
- rtbit = 0;
- $('.b_update').click();
- break;
- case 'el':
- var suffix = $(this).data('value');
- mkPickBox(prefix,suffix,0,colour,mX,mY);
- break;
- case 'zz':
- hItemAdd(suffix);
- mkPickBox(prefix,suffix,0,colour,mX,mY);
- break;
- }
- });
-
- //
- // Picker Box
- //
-
- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) {
- var doexternals = "yes";
- var objhex = s2h(suffix);
- var tbl = '', row = '';
- // Local stuff first
- switch (prefix[prefix.length - 1]) {
- case "c":
- row += ":: SRC or DST";
- row += ":: SRC";
- row += ":: DST";
- row += ":: SEARCH";
- break;
- case "p":
- row += ":: SRC or DST";
- row += ":: SRC";
- row += ":: DST";
- row += ":: ADD / REMOVE TAG";
- if ($('.sigtxt')[0]) {
- row += ":: HISTORY";
- }
- row += ":: SEARCH";
- row += ":: COLOUR  ";
- row += "";
- row += "apply";
- row += "apply all";
- row += "";
- break;
- case "t":
- row += ":: SRC";
- row += ":: DST";
- row += ":: SEARCH";
- break;
- case "d":
- row += ":: SIGNATURE";
- if ($('.sigtxt')[0]) {
- row += ":: HISTORY";
- }
- row += ":: SEARCH";
- break;
- case "l":
- row += ":: COLOUR  ";
- row += "";
- row += "update";
- doexternals = "no";
- break;
- case "z":
- row += ":: SEARCH";
- break;
- }
-
- // If applicable populate externals
- if (doexternals == "yes") {
- $('.f_row').each(function() {
- var ct = $(this).data('type');
- if (ct == 'url') {
- var
alias = $(this).data('alias'); - var name = $(this).data('name'); - var url = $(this).data('filter'); - row += ""; - row += "" + name + ""; - row += ""; - } - }); - } - - tbl += ""; - tbl += row; - tbl += "
";
-
- var boxlabel = suffix;
-
- // Use more descriptive names where possible
- var re = /(sid|cc|scc|dcc)/;
- var OK = re.exec(prefix);
- if (OK) {
- var boxlabel = rsuffix;
- }
-
- if (boxlabel.length > 24) {
- boxlabel = boxlabel.substring(0,24);
- boxlabel += "..";
- }
-
- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix);
-
- if ($('#tlpick')[0]) $('#tlpick').remove();
- $(".pickbox_tbl").append(tbl);
- $('.pickbox').fadeIn('fast');
-
- // Colour Picker
- $("#menucol").spectrum({
- showInput: true,
- className: "full-spectrum",
- showInitial: true,
- showPalette: true,
- showSelectionPalette: true,
- maxPaletteSize: 6,
- preferredFormat: "hex",
- localStorageKey: "spectrum.demo",
- move: function (color) {},
- show: function () {},
- beforeShow: function () {},
- hide: function () {},
- change: function() {},
- palette: [
- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'],
- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'],
- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'],
- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'],
- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)']
- ]
- });
- }
-
- // Pickbox click events
- $(document).on('click', '.p_row', function() {
- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click();
- var ctype = $(this).data('type');
- var alias = $(this).data('alias');
- var args = $('#tlpick').data('val');
- switch(ctype) {
- case "l":
- $('.pickbox').fadeOut('fast');
- $('#search').val(alias + " " + args);
- $('.b_update').click();
- break;
- case "r":
- $('.pickbox').fadeOut('fast');
- var url = h2s($(this).data('url')).replace("${var}", args);
- window.open(url);
- break;
- case "t":
- $('.tagbox').fadeIn('fast');
- $('.taginput').focus();
- break;
- case "s":
-
$('.pickbox').fadeOut('fast', function() {;
- $('#ico05').click();
- });
- $('.srch_txt').val(args);
- break;
- case "h":
- doHistory(args);
- $('.pickbox').fadeOut('fast');
- break;
- default: return;
- }
- });
-
- //
- // Tags
- //
-
- // Truncate
- function truncTag(tag,len) {
- if (tag.length > len) tag = tag.substring(0,len) + "..";
- return tag;
- }
-
- // Filter results or add as new
- $(document).on('click', '.tag', function() {
- var tag = $(this).data('val');
- if($('.taginput').is(":visible")) {
- $('.taginput').val(tag);
- $('.taginput').focus();
- } else {
- $('#search').val('tag ' + tag);
- $('.b_update').click();
- }
- });
-
- // Remove individual tags on "(X)" click via payload area
- $(document).on('mouseenter', '.tag_d, .tag_s', function() {
- var tag = $(this).data('val');
- if ($(".tag_x")[0]) return;
- var dw = $(this).width() - 5 + "px";
- $(this).append("
X
"); - $(".tag_x").css("margin-left", dw); - $(".tag_x").fadeIn("slow"); - - }); - - $(document).on('mouseleave', '.tag_d, .tag_s', function() { - $('.tag_x').remove(); - }); - - $(document).on('click', '.tag_x', function() { - var tag = $(this).parent().data("val"); - var obj = $(this).parent().data("obj"); - $(this).parent().remove(); - var len = $("#tag_area").text().length; - if (len == 0) $("#tag_area").append("None."); - //doTag(s2h(obj),tag,'rm'); - }); - - // Fire tag add on enter - $('.taginput').keypress(function(e) { - if (!e) e=window.event; - key = e.keyCode ? e.keyCode : e.which; - if (key == 13) $('.tagok').click(); - }); - - // Close tag entry - $(document).on('click', '.tagcancel', function() { - $('.taginput').val(''); - $('.tagbox').fadeOut('fast'); - }); - - // Add a tag - $(document).on('click', '.tagok', function() { - var tag = $('.taginput').val(); - var obj = $('#pickbox_label').text(); - var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; - var OK = re.exec(tag); - if (OK) doTag(s2h(obj),tag,'add'); - }); - - // Remove a tag - $(document).on('click', '.tagrm', function() { - var tag = truncTag($('.taginput').val(),20); - var obj = $('#pickbox_label').text(); - doTag(s2h(obj),tag,'rm'); - $(".tag" + ":contains('" + tag + "')").remove(); - $('.tagcancel').click(); - }); - - // Display or Toggle tags - function addTag(tag) { - // If we entered from payload we have some additional info - if ($('#eview_sub2')[0]) { - var longTag = tag.split(",")[0]; - var theClass = tag.split(",")[1]; - var t_tag = truncTag(longTag,20); - } else { - var t_tag = truncTag(tag,20); - } - - // Hide empty - $('.tag_empty').hide(); - - // Check if tag exists - var tag_exists = 0; - $('.tag').each(function() { - if ($(this).text() == t_tag) { - $(this).addClass('tag_active'); - tag_exists = 1; - } - }); - - // Add tag to left pane - if (tag_exists == 0) { - var newTag = "
" + t_tag + "
"; - $('#tg_box').prepend(newTag); - } - - // If we have the payload open, add here as well - if ($('#eview_sub2')[0]) { - if($('#pickbox_label').is(":visible")) { - theClass = $('#pickbox_label').data('sord')[0]; - } - // Remove placeholder - if ($('#tag_none')[0]) $('#tag_none').remove(); - var newTag = "
" + t_tag + "
";
- $('#tag_area').prepend(newTag);
- }
-
- }
-
- function doTag(obj,tag,op) {
- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op;
- $(function(){
- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)});
- });
-
- function cb22(data){
- eval("theData=" + data);
- if (theData.msg != '') {
- alert(theData.msg);
- } else {
- if (op != 'rm') addTag(tag);
- $('.tagcancel').click();
- }
- }
- }
-
- // Colours
- $(document).on('click', '.csave', function() {
- var obtype = $(this).data('obtype');
- var object = $(this).data('object');
- var colour = $('#menucol').val().replace(/#/,"").toUpperCase();
- var op = "add";
- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/;
- var OK = re.exec(colour);
- if (!OK) return;
- // Single or multiple?
- if (obtype == "src" || obtype == "dst") {
- var vr = new Array();
- $("." + obtype).each(function() {
- var v = $(this).text();
- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/;
- var OK = re.exec(v);
- if (OK) {
- var t = vr.indexOf(v);
- if (t < 0) vr.push(v);
- }
- });
- object = vr.toString();
- }
-
- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op;
- $(function(){
- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)});
- });
-
- function cb22(data){
- eval("theData=" + data);
- if (theData.msg != '') {
- alert(theData.msg);
- } else { // We should be good..
- var curObject = $('#pickbox_label').text();
- if (obtype == "el") {
- var html = "
" + colour;
- $('#el_' + curObject).html(html);
- $('#el_' + curObject).data('col', colour);
- } else {
- $(".sub_filter:contains(" + curObject + ")").each(function() {
- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour);
- });
- }
- $('.pickbox').fadeOut('fast');
- }
- }
- });
-
- $(document).on('click', '.pickbox_close', function() {
- $('.tagcancel').click();
- $('.pickbox').fadeOut('fast');
- });
-
- //
- // Object History
- //
-
- function hItemAdd(item) {
- var itemTitle = item;
- // Truncate
- if (item.length > 33) {
- itemTitle = item.substring(0,33) + "..";
- }
- // Remove empty message
- $('.history_empty').hide();
-
- // If the item doesn't exist, add it. Otherwise, we start counting.
- if ($(".h_item:contains('" + itemTitle + "')").length > 0) {
- var oc = $(".h_item:contains('" + itemTitle + "')").data('n');
- var nc = Number(oc) + 1;
- var bg = '#c9c9c9';
- var fn = 'normal';
- if (nc <= 3) {
- bg = '#000';
- } else if (nc > 3) {
- bg = '#cc0000';
- fn = 'bold';
- }
-
- $(".h_item:contains('" + itemTitle + "')").css('color', bg);
- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn);
- $(".h_item:contains('" + itemTitle + "')").data('n',nc);
- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")");
- } else {
- var toAdd = " " + itemTitle + "";
- $('#h_box').prepend(toAdd);
- }
- }
-
- if (!$('.h_item')[0]) {
- $('.history_empty').show();
- }
-
- // Alt mappings for icons
-
- $.alt('1', function() {
- $("#ico01").click();
- });
- $.alt('2', function() {
- $("#ico02").click();
- });
- $.alt('3', function() {
- $("#ico03").click();
- });
- $.alt('4', function() {
- $("#ico05").click();
- });
- $.alt('5', function() {
- $("#ico04").click();
- });
-
- //
- // Event classification
- //
-
- // Use function keys to trigger status buttons
- $(document).keydown(function(event){
-
- function stopOthers() {
- event.originalEvent.keyCode = 0;
- event.preventDefault();
-
event.stopPropagation(); - } - - switch (event.keyCode) { - case 112: stopOthers(); $('#b_class-11').click(); break; - case 113: stopOthers(); $('#b_class-12').click(); break; - case 114: stopOthers(); $('#b_class-13').click(); break; - case 115: stopOthers(); $('#b_class-14').click(); break; - case 116: stopOthers(); $('#b_class-15').click(); break; - case 117: stopOthers(); $('#b_class-16').click(); break; - case 118: stopOthers(); $('#b_class-17').click(); break; - case 119: stopOthers(); $('#b_class-1').click(); break; - case 120: stopOthers(); $('#b_class-2').click(); break; - } - }); - - // Comment window status buttons - $(document).on("click", "#cw_buttons", function(event) { - var newclass = $(event.target).data('n'); - if (newclass == 0) { - $('#b_class-' + newclass).click(); - } else { - $('#b_class-' + newclass).click(); - } - }); - - // Highlight colour for selected events - var hlcol = "#FFFFE0"; - var hlhov = "#FDFDD6"; - - // Individual selects - var clickOne = 0, clck1 = 0, clck2 = 0; - $(document).on("click", ".chk_event", function(event) { - $("#tl3b").trigger('update'); - var clickTwo = this.id.split("_"); - if (Number(clickOne[1]) > Number(clickTwo[1])) { - clck1 = clickTwo[1]; - clck2 = clickOne[1]; - } else { - clck1 = clickOne[1]; - clck2 = clickTwo[1]; - } - - if (event.shiftKey) { - if (clck1 != clck2) { - $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); - $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); - $("#s" + clck1).nextUntil("#s" + clck2).hover( - function(){$(this).css("background-color", hlhov)}, - function(){$(this).css("background-color", hlcol)}); - clickOne = 0, clck1 = 0, clck2 = 0; - } - } - - // Update class_count - $("#class_count").html($(".chk_event:checked").length); - if ($("#ca1:checked").length > 0) { - $("#ca1").prop("checked",false); - } - clickOne = this.id.split("_"); - - if ($(this).prop("checked") == true) { - $("#s" + clickTwo[1]).css("background-color", 
hlcol); - $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, - function(){$(this).css("background-color", hlcol)}); - } else { - $("#s" + clickTwo[1]).css("background-color", "transparent"); - $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, - function(){$(this).css("background-color", "transparent")}); - } - }); - - // Select all (2) - $(document).on("click", "#ca1", function(event) { - var chkLen = $("#ca1:checked").length; - switch(chkLen) { - case 0: - $(".chk_event").prop("checked",false); - $("#ca0").prop("checked",false); - $(".d_row_sub1").css("background-color", "transparent"); - $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, - function(){$(this).css("background-color", "transparent")}); - break; - default: - $(".chk_event").each(function() { - if ($(this).prop("disabled") == false) { - $(this).prop("checked",true); - } - }); - $(".d_row_sub1").css("background-color", hlcol); - $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, - function(){$(this).css("background-color", hlcol)}); - $("#ca0").prop("checked",true); - break; - } - - if ($(".eview_sub1")[0]) { - // Update class_count - $("#class_count").html($(".chk_event:checked").length); - } - - }); - - // Select all (2a) - clean this up, the above is almost identical - $(document).on("click", "#ca2", function(event) { - var chkLen = $("#ca2:checked").length; - switch(chkLen) { - case 0: - $(".chk_event").prop("checked",false); - $("#ca2").prop("checked",false); - $(".d_row_sub1").css("background-color", "transparent"); - $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, - function(){$(this).css("background-color", "transparent")}); - break; - default: - $(".chk_event").each(function() { - if ($(this).prop("disabled") == false) { - $(this).prop("checked",true); - } - }); - $(".d_row_sub1").css("background-color", hlcol); - 
$(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, - function(){$(this).css("background-color", hlcol)}); - $("#ca2").prop("checked",true); - break; - } - // Update class_count - $("#class_count").html($(".chk_event:checked").length); - }); - - // Class button click - $(document).on("click", "[id*=\"b_class-\"]", function() { - // We only fire if something is selected - var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); - var intclass = $(this).attr('id').split("-"); - if (chkLen > 0 && intclass[1] != 0) { - eClass(this,intclass[1]); - } - }); - - function eClass(caller,intclass) { - // The sid.cid values - var scid= "", scidlist = "", ecls = 0; - if ($(".eview_sub1")[0] || $("#ca2")[0]) { - $(".chk_event:checked").each(function() { - if ($(this).data('eclass') == 0) { - ecls++; - } - scid += $(this).val() + ","; - }); - scidlist = scid.replace(/,$/, ""); - } else { - ecls = $(".d_row_active").find(".b_ec_hot").text(); - scidlist = $("#ca0").data("scid"); - } - - // Was there a message? - var msg = "none"; - if ($(".cat_msg_txt").val().length != 0) { - msg = $(".cat_msg_txt").val(); - } - - if ($('#cat_box').css('display') != 'none') { - $('#ico01').click(); - } - - // We are now ready to class - var catdata = intclass + "|||" + msg + "|||" + scidlist; - var urArgs = "type=" + 9; - $(function(){ - $.post(".inc/callback.php?" + urArgs, { catdata: catdata } ,function(data){cb9(data)}); - }); - - function cb9(data){ - eval("catRaw=" + data); - catDbg = catRaw.dbg; - if (catDbg == "0") { - - var curtotalrtcount = Number(ecls); - // Working on grouped events - if ($("#gr").text() == "on") { - curclasscount = Number($("#class_count").text()); - var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); - // Do we have queued events? - if (curtotalparentcount > 0) { - - // Are we working on queued events? 
- if (curtotalrtcount > 0) { - curclasscount = curtotalrtcount; - } else { - curclasscount = 0; - } - // Adjust the parent count - newparentcount = parseInt(curtotalparentcount - curclasscount,10); - $(".d_row_active").find(".b_ec_hot").text(newparentcount); - - if (newparentcount == 0) { - $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); - $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); - } - - // If we are working within the child, adjust accordingly - if ($(".eview_sub1")[0]) { - // How many are in the child - curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); - - // Adjust the child count - newchildcount = parseInt(curtotalchildcount - curclasscount,10); - $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); - if (newchildcount == 0) { - $("#ca1").prop("disabled",true); - $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); - $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); - } - // Otherwise we were called from the parent - } else { - $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); - $(".d_row_sub").find(".b_ec_hot").text(0); - $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); - $("#ca0").prop("disabled",true); - } - lastclasscount = newparentcount; - } - - // Lastly, update class_count - if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { - $("#class_count").html(0); - } else { - $("#class_count").html($(".d_row_active").find(".b_ec_total").text()); - } - - // Working on ungrouped events - } else { - $("#class_count").html(lastclasscount); - } - - // What the new classification is - selClass = $(caller).data("cn"); - newClass = "a_" + selClass; - - // Change visible class and disable if RT - // If we are RT ungrouped, we just remove - if ($('#rt').text() == 'on' && $("#ca2")[0]) { - $(".chk_event:checked").each(function() { - var pid = $(this).attr("id").split("_"); - var nid = parseInt(Number(pid[1]) + 1); - // Remove any 
open payload or TX panes - if ($("[id^=eview_]")[0]) { - $("[id^=eview_]").remove(); - $(".d_row_sub1").css('opacity','1'); - } - // Remove the row - $("#s" + pid[1]).fadeOut('fast', function() { - $("#s" + pid[1]).remove(); - }); - }); - - // Update table (for sorter) - $("#tl3b").trigger('update'); - } else { - // If we are RT and all events are classed we just remove - if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { - $("#active_eview").remove(); - $(".d_row_active").fadeOut('slow', function (event) { - $(".d_row_active").remove(); - var newsigtotal = "-"; - var sigtotal = $("#esignature").text(); - if (sigtotal > 0) { - newsigtotal = parseInt(sigtotal - 1); - } - $("#esignature").text(newsigtotal); - }); - $(".d_row").css('opacity','1'); - } else { - $(".chk_event:checked").each(function() { - var n = this.id.split("_"); - $("#class_box_" + n[1]).attr('class', newClass); - $("#class_box_" + n[1]).text(selClass); - if (curtotalparentcount > 0) { - $(this).prop("disabled",true); - } - }); - } - $(".d_row_sub1").css("background-color", "#fafafa"); - $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, - function(){$(this).css("background-color", "#fafafa")}); - } - - // Uncheck everything - $(".chk_event").prop("checked", false); - $(".chk_all").prop("checked", false); - // Remove these scids from the L1 scidlist - if ($("#ca0")[0] && rtbit == 1) { - var cur_scidlist = scidlist.split(','); - var active_scidlist = $("#ca0").data("scid"); - for (var i = 0; i < cur_scidlist.length; i++) { - active_scidlist = active_scidlist.replace(cur_scidlist[i],''); - } - active_scidlist = active_scidlist.replace(/,{2,}/g,','); - active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); - $("#ca0").data("scid", active_scidlist); - } - catMsg(scidlist.split(',').length, curtotalrtcount); - } else { - catMsg(0); - } - } - } - - function catMsg(count, rtcount) { - switch (count) { - default: - var ess = ''; - if ( count > 1 
) ess = 's'; - - var numrows = Number($('.d_row').length + $('.d_row_sub1').length); - var newboxtotal = 0, newcatcount = 0; - newboxtotal = parseInt($("#qtotal").text() - rtcount); - $("#qtotal").text(newboxtotal); - - // If we are just rt update Total boxes as we go - if ($("#ca2")[0]) { // We are ungrouped - newcatcount = parseInt($("#cat_count").text() - count); - if (newcatcount == 0) { - newView("u"); - } else { - $("#cat_count").text(newcatcount); - } - } - - if (numrows == 0) { - newView("u"); - } - - var msg = count + " event" + ess + " categorized"; - clearTags(); - break; - } - - $("span.class_msg").text(msg); - $("span.class_msg").fadeIn('slow', function() { - setTimeout(function(){ - $(".class_msg").fadeOut('slow'); - }, 3000); - }); - } - - // Load summary tab - function loadSummary() { - var limit = 10; - if ($('#wm0')[0]) { - doMap("redraw"); - } else { - doMap("draw"); - } - mkSummary("signature",limit); - mkSummary("srcip",limit); - mkSummary("dstip",limit); - mkSummary("srcpt",limit); - mkSummary("dstpt",limit); - mkSummary("srccc",limit); - mkSummary("dstcc",limit); - } - - // Toggle summary section - $(document).on("click", ".hidepane", function(e) { - $('#topsignature').toggle(); - }); - - // Summary tab - function mkSummary(box,limit) { - var theWhen = getTimestamp(); - var theSensors = s2h('empty'); - var theFilter = mkFilter(); - // See if we are filtering by sensor - if ($('.chk_sen:checked').length > 0) { - var active_sensors = "AND event.sid IN("; - var iter = $('.chk_sen:checked').length; - $('.chk_sen:checked').each(function() { - active_sensors += "'" + $(this).val() + "',"; - }); - active_sensors = active_sensors.replace(/,+$/,''); - active_sensors += ")"; - theSensors = s2h(active_sensors); - } - - var ldr = "
"; - $('#ov_' + box + '_sl').prepend(ldr); - $('#top' + box).fadeTo('fast', 0.2); - switch (box) { - case "srcip": - var cbArgs = "srcip"; - var qargs = "ip-src"; - var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); - }); - break; - case "dstip": - var cbArgs = "dstip"; - var qargs = "ip-dst"; - var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); - }); - break; - case "srcpt": - var cbArgs = "srcpt"; - var qargs = "pt-src"; - var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); - }); - break; - case "dstpt": - var cbArgs = "dstpt"; - var qargs = "pt-dst"; - var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); - }); - break; - case "signature": - var qargs = "sig-sig"; - var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); - }); - break; - case "srccc": - var cbArgs = "srccc"; - var qargs = "cc-src"; - var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; - $(function(){ - $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); - }); - break; - case "dstcc": - var cbArgs = "dstcc"; - var qargs = "cc-dst"; - var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); - }); - break; - } - - // IP and Country - function cb15(data,cbArgs){ - var ch = "SRC"; - var wip = "d"; - if (cbArgs[0] == "s") ch = "DST", wip = "s"; - eval("raw=" + data); - var tbl = '', head = '', row = ''; - head += ""; - head += "COUNT"; - head += "%TOTAL"; - head += "#SIG"; - head += "#" + ch + ""; - if (cbArgs[3] == "c") { - head += "COUNTRY"; - head += "#IP"; - } else { - head += "IP"; - head += "COUNTRY"; - } - head += ""; - - var eventsum = raw[raw.length - 1].n || 0; - var records = raw[raw.length - 1].r || 0; - if (records == 0) { - row = "No result."; - $("#ov_" + cbArgs + "_sl").text(""); - } - for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); - row += ""; - row += "" + cnt + ""; - row += "" + per + "%"; - row += "" + sigs + ""; - row += "" + ip2 + ""; - - if (cbArgs[3] == "c") { - row += ""; - row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; - row += "" + ip + ""; - } else { - row += "
" + ip + ""; - row += ""; - row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; - } - row += ""; - row += "
"; - } - tbl += ""; - tbl += head; - tbl += row; - tbl += "
"; - if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); - $("#ov_" + cbArgs + "_sl").after(tbl); - $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); - mkSlider("ov_" + cbArgs + "_sl", i, records); - } - - // Ports - function cb17(data,cbArgs){ - eval("raw=" + data); - var tbl = '', head = '', row = ''; - head += ""; - head += "COUNT"; - head += "%TOTAL"; - head += "#SIG"; - head += "#SRC" - head += "#DST"; - head += "PORT"; - head += ""; - - var eventsum = raw[raw.length - 1].n || 0; - var records = raw[raw.length - 1].r || 0; - if (records == 0) { - row = "No result."; - $("#ov_" + cbArgs + "_sl").text(""); - } - for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); - row += ""; - row += "" + cnt + ""; - row += "" + per + "%"; - row += "" + sigs + ""; - row += "" + src + ""; - row += "" + dst + ""; - row += "" + port + ""; - row += ""; - row += "
"; - } - tbl += ""; - tbl += head; - tbl += row; - tbl += "
"; - if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); - $("#ov_" + cbArgs + "_sl").after(tbl); - $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); - mkSlider("ov_" + cbArgs + "_sl", i, records); - } - // Signature - function cb16(data){ - eval("raw=" + data); - var tbl = '', head = '', row = ''; - head += ""; - head += "COUNT"; - head += "%TOTAL"; - head += "#SRC"; - head += "#DST"; - head += "SIGNATURE"; - head += "ID"; - head += ""; - - var eventsum = raw[raw.length - 1].n || 0; - var records = raw[raw.length - 1].r || 0; - if (records == 0) { - row = "No result."; - $("#ov_signature_sl").text(""); - $("#ovestat").html("(No events)"); - } else { - $("#ovestat").html("(" + eventsum + " events)"); - } - for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); - row += ""; - row += "" + cnt + ""; - row += "" + per + "%"; - row += "" + src + ""; - row += "" + dst + ""; - row += "" + sig + ""; - row += "" + sid + ""; - row += ""; - row += "
"; - } - - tbl += ""; - tbl += head; - tbl += row; - tbl += "
"; - if ($('#topsignature')[0]) $('#topsignature').remove(); - $("#ov_signature_sl").after(tbl); - $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); - mkSlider("ov_signature_sl", i, records); - } - } - - $(".ovsl").mouseup(function() { - var section = $(this).attr('id'); - var base = section.split("_")[1]; - var limit = Number($("#" + section + "_lbl").text()); - if (limit > 0) mkSummary(base, limit); - }); - - // - // Views tab - // - - function loadViews() { - $('.db_links').show(); - if (!$("#db_view_cont")[0]) mkView(); - } - - // Link handlers - $(document).on('click', '.db_link', function() { - $('.db_link').each(function() { - if ($(this).data('state') == '1') { - $(this).removeClass('db_link_active'); - $(this).data('state', '0'); - } - }); - $(this).data('state', '1'); - mkView(); - }); - - $(document).on('click', '.db_type', function() { - $('.db_type').each(function() { - if ($(this).data('state') == '1') { - $(this).removeClass('db_type_active'); - $(this).data('state', '0'); - } - }); - $(this).data('state', '1'); - mkView(); - }); - - $(document).on('click','.db_save', function() { - - }); - - // Create the view - function mkView() { - $('#db_view_cont,#hp_info').remove(); - if (!$("#db_view_ldr")[0]) { - var view = 'ip'; - $('.db_link').each(function() { - if ($(this).data('state') == '1') { - $(this).addClass('db_link_active'); - view = $(this).data('val'); - } - }); - - var type = 'sk'; - $('.db_type').each(function() { - if ($(this).data('state') == '1') { - $(this).addClass('db_type_active'); - type = $(this).data('type'); - } - }); - - var theWhen = getTimestamp(); - var theSensors = s2h('empty'); - var theFilter = mkFilter(); - // See if we are filtering by sensor - if ($('.chk_sen:checked').length > 0) { - var active_sensors = "AND event.sid IN("; - var iter = $('.chk_sen:checked').length; - $('.chk_sen:checked').each(function() { - active_sensors += "'" + $(this).val() + "',"; - }); - active_sensors = 
active_sensors.replace(/,+$/,''); - active_sensors += ")"; - theSensors = s2h(active_sensors); - } - - var ldr = "
"; - $('.db_view').after(ldr); - var qargs = view + "-" + type; - var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); - }); - - function cb17(data,type) { - eval("viewData=" + data); - var records = viewData.records; - if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); - if (records > 0) { - $('.db_view').after("
"); - switch (type) { - case 'sk': - var w = $(window).width(); - var h = viewData.links.length * 12; - if (h < 100) h = 100; - mkSankey("db_view_cont",viewData,w,h); - break; - } - } else { - $('.db_view').after("
The query returned no results.
"); - } - $('#db_view_ldr').remove(); - } - } - } - - // Make a map - function doMap() { - theWhen = getTimestamp(); - var theFilter = mkFilter(); - var working = "Working
"; - - $('#wm0').html(working); - - var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); - }); - - function cb10(data){ - eval("mapRaw=" + data); - try { - var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); - var srcc = mapRaw.srcc; - var srce = mapRaw.srce; - var dstc = mapRaw.dstc; - var dste = mapRaw.dste; - var allc = mapRaw.allc; - var alle = mapRaw.alle; - } - catch(e) { - var mapDetail = "{\"\"}"; - } - - // What is our current event total? - var esum = $('#event_sum').val(); - var w = $(window).width() - 72; - var h = w / 2.7 ; - $("#ov_map").html("
"); - $('#wm0').vectorMap({ - map: 'world_mill_en', - color: '#f4f3f0', - backgroundColor: '#CFE1FC', - zoomOnScroll: false, - onRegionClick: function(event, code){ - hItemAdd(code); - $('#search').val("cc" + " " + code); - $('#search').focus(); - }, - series: { - regions: [{ - values: mapDetail, - scale: ['#ffffff', '#000000'], - normalizeFunction: 'polynomial' - }] - }, - onRegionLabelShow: function(e, el, code){ - if (mapDetail[code]) { - var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); - el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); - } else { - el.html(el.html()); - } - } - }); - - var stats = "("; - stats += allc + " distinct countries)"; - $("#ovmapstat").html(stats); - } - } - - // Redraw map - $(document).on("click", "#map_src, #map_dst", function() { - doMap($(this).attr('id').split("_")[1]); - }); - - // - // History - // - - function doHistory(object) { - $('#loader').show(); - var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; - $(function(){ - $.get(".inc/callback.php?" + urArgs, function(data){cb21(data)}); - }); - - function cb21(data){ - eval("chartData=" + data); - var r1 = chartData.r1; - var r2 = chartData.r2; - var sum = 0; - if (r1 > 0) { - mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); - $('#obhist_sig').remove(); - if (r2 > 0) { - - for (var i=0; i < r2; i++) { - sum += Number(chartData.rows2[i].value); - } - - var tbl = '', head = '', row = ''; - head += ""; - head += "COUNT"; - head += "%TOTAL"; - head += "SIGNATURE"; - head += ""; - row += ""; - - for (var i=0; i < r2; i++) { - - var cnt = chartData.rows2[i].value || "-"; - var sig = chartData.rows2[i].label || "-"; - var sid = chartData.rows2[i].sid || "-"; - var per = 0; - if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); - var tsg = truncTag(sig,60); - - row += ""; - row += "" + cnt + ""; - row += "" + per + "%"; - row += "" + tsg + ""; - row += "" - row += "
"; - } - - row += ""; - tbl += ""; - tbl += head; - tbl += row; - tbl += "
"; - if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); - $(".ev_py").append(tbl); - } - } else { - return; - } - if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); - $("#loader").hide(); - } - } -// The End. -}); diff --git a/auth/native/squert/login.php b/auth/native/squert/login.php deleted file mode 100644 index 89aedee..0000000 --- a/auth/native/squert/login.php +++ /dev/null 
@@ -1,158 +0,0 @@
-
-//
-// This program is free software: you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with this program. If not, see .
-//
-//
-
-include_once '.inc/config.php';
-
-$username = $password = $err = '';
-$focus = 'username';
-session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
-
-function cleanUp($string) {
- if (get_magic_quotes_gpc()) {
- $string = stripslashes($string);
- }
- $string = mysql_real_escape_string($string);
- return $string;
-}
-
-if ($_SERVER['REQUEST_METHOD'] == 'POST'){
- $username = $_REQUEST['username'];
- $password = $_REQUEST['password'];
- // sso
- //$username = $_SERVER['PHP_AUTH_USER'];
- //$password = $_SERVER['PHP_AUTH_PW'];
-
- $ua = $_SERVER['HTTP_USER_AGENT'];
- $rqt = $_SERVER['REQUEST_TIME'];
- $rqaddr = $_SERVER['REMOTE_ADDR'];
- $max = mt_getrandmax();
- $rqt .= mt_rand(0,$max);
- $rqaddr .= mt_rand(0,$max);
- $ua .= mt_rand(0,$max);
- $cmpid = $rqt . $rqaddr . $ua;
- $id = md5($cmpid);
- // PDO prepared statements
- try {
- // first connect to database with the PDO object.
- $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [
- PDO::ATTR_EMULATE_PREPARES => false,
- PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false,
- PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
- ]);
- } catch(PDOException $e){
- // if connection fails, log PDO error.
- error_log("Error connecting to mysql: ". 
$e->getMessage());
- }
-
- if (isset($dbpdo)) {
- // prepare statement
- $statement = "SELECT * FROM user_info WHERE username = :user";
- $query = $dbpdo->prepare("$statement");
- // build parameters for prepared statement
- $params = [":user" => "$username"];
- // execute the prepared statement and pass it params
- $query->execute($params);
- // fetch the data
- while ($row = $query->fetch(PDO::FETCH_NUM)) {
- $userName = $row[1];
- $lastLogin = $row[2];
- $userHash = $row[3];
- $userEmail = $row[4];
- $userType = $row[5];
- $userTime = $row[6];
- $tzoffset = $row[7];
- }
-
- // if $username was found in database, then check password
- if ( isset($userName) && $username == $userName) {
- // The first 2 chars are the salt
- $theSalt = substr($userHash, 0,2);
-
- // The remainder is the hash
- $theHash = substr($userHash, 2);
-
- // Now we hash the users input
- $testHash = sha1($password . $theSalt);
-
- // Does it match? If yes, start the session.
- if ($testHash === $theHash) {
- session_start();
-
- // Protect against session fixation attack
- if (!isset($_SESSION['initiated'])) {
- session_regenerate_id();
- $_SESSION['initiated'] = true;
- }
-
- $_SESSION['sLogin'] = 1;
- $_SESSION['sUser'] = $userName;
- $_SESSION['sPass'] = $password;
- $_SESSION['sEmail'] = $userEmail;
- $_SESSION['sType'] = $userType;
- $_SESSION['sTime'] = $userTime;
- $_SESSION['tzoffset'] = $tzoffset;
- $_SESSION['sTab'] = 't_sum';
- $_SESSION['id'] = $id;
-
- header ("Location: index.php?id=$id");
- } else {
- $err = 'The user name or password is incorrect.';
- $focus = 'username';
- }
- } else {
- $err = 'The user name or password is incorrect.';
- $focus = 'username';
- }
- } else {
- $err = 'Connection Failed';
- }
-}
-?>
-
-
-
-Please login to continue
-
-
-
-
-
-
- - - - - - -
-squert - Please login to continue
-Username
-
-Password
-
-

-
Version 1.7.1©2016 Paul Halliday
-
- - - - diff --git a/debian/changelog b/debian/changelog index 0ae0561..bbb827a 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,75 @@
+securityonion-squert (20161212-1ubuntu1securityonion39) xenial; urgency=medium
+
+ * remove unnecessary code from ip2c.php
+
+ -- Doug Burks Sat, 05 May 2018 06:28:57 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion38) xenial; urgency=medium
+
+ * update mysql function calls in ip2c.php
+
+ -- Doug Burks Fri, 04 May 2018 17:04:11 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion37) xenial; urgency=medium
+
+ * fix for loop
+
+ -- Doug Burks Thu, 03 May 2018 11:01:09 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion36) xenial; urgency=medium
+
+ * iterate over all arrays when converting strings
+
+ -- Doug Burks Thu, 03 May 2018 10:05:19 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion35) xenial; urgency=medium
+
+ * frontend expects all values to be strings
+
+ -- Doug Burks Thu, 03 May 2018 09:34:58 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion34) xenial; urgency=medium
+
+ * disable mysql strict mode
+
+ -- Doug Burks Wed, 02 May 2018 16:46:37 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion33) xenial; urgency=medium
+
+ * fix auth
+
+ -- Doug Burks Wed, 02 May 2018 14:56:49 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion32) xenial; urgency=medium
+
+ * move files from elastic package
+
+ -- Doug Burks Wed, 02 May 2018 13:42:37 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion31) xenial; urgency=medium
+
+ * force disable autoindex
+
+ -- Doug Burks Wed, 02 May 2018 09:14:41 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion30) xenial; urgency=medium
+
+ * update mysql calls and config
+
+ -- Doug Burks Tue, 01 May 2018 18:04:07 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion29) xenial; urgency=medium
+
+ * change php5 to php
+
+ -- Doug Burks Fri, 27 Apr 2018 15:39:16 -0400
+
+securityonion-squert (20161212-1ubuntu1securityonion28) trusty; urgency=medium
+
+ * version 1.7.1
+
+ -- Doug Burks Fri, 09 Feb 2018 06:14:16 
-0500 + securityonion-squert (20161212-1ubuntu1securityonion27) trusty; urgency=medium * add row for Bro agent diff --git a/debian/control b/debian/control index a59ed3f..be27171 100644 --- a/debian/control +++ b/debian/control @@ -10,6 +10,6 @@ Homepage: http://www.squertproject.org/ Package: securityonion-squert Architecture: all -Depends: ${misc:Depends}, apache2, patch, php5, libapache2-mod-php5, php5-mysql, php5-cli, php5-gd, mysqltcl, mysql-server, mysql-client, graphviz, libtext-csv-perl, tclcurl +Depends: ${misc:Depends}, apache2, patch, php, libapache2-mod-php, php-mysql, php-cli, php-gd, mysqltcl, mysql-server, mysql-client, graphviz, libtext-csv-perl, tclcurl Description: squert Squert is a web interface for the Sguil database. diff --git a/debian/install b/debian/install index 7a17818..19c9401 100644 --- a/debian/install +++ b/debian/install @@ -1,8 +1,8 @@ -auth opt/squert/ .css var/www/so/squert/ .flags var/www/so/squert/ .inc var/www/so/squert/ index.php var/www/so/squert/ +login.php var/www/so/squert/ .js var/www/so/squert/ .scripts var/www/so/squert/ .scripts/securityonion-squert.cnf etc/mysql/conf.d/ diff --git a/debian/patches/disable-mysql-strict-mode b/debian/patches/disable-mysql-strict-mode new file mode 100644 index 0000000..7bd4458 --- /dev/null +++ b/debian/patches/disable-mysql-strict-mode 
@@ -0,0 +1,35 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-squert (20161212-1ubuntu1securityonion34) xenial; urgency=medium
+ .
+ * disable mysql strict mode
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-squert-20161212.orig/.scripts/securityonion-squert.cnf
++++ securityonion-squert-20161212/.scripts/securityonion-squert.cnf
+@@ -1,6 +1,6 @@
+ [mysqld]
+ group_concat_max_len = 100000
+-sql_mode=STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
++sql_mode=NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
+
+ [mysqltcl]
+ local-infile=1
diff --git a/debian/patches/fix-auth b/debian/patches/fix-auth
new file mode 100644
index 0000000..5bd6dde
--- /dev/null
+++ b/debian/patches/fix-auth
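Review bot: The DEP-3 header of this new patch is still the unfilled template — `Description:` carries no summary, the `TODO: Put a short summary on the line above …` paragraph is intact, and the `Origin:`/`Bug:`/`Forwarded:`/`Reviewed-By:`/`Last-Update:` stubs below the `---` separator are empty — so the only record of why STRICT_TRANS_TABLES is dropped from sql_mode is the one-line changelog entry. The change deserves that record: without STRICT_TRANS_TABLES, MySQL stops rejecting out-of-range, truncated or malformed values on INSERT/UPDATE and silently adjusts them instead, and since debian/install places this .cnf in etc/mysql/conf.d/ the relaxed mode applies to every database on that server, not only squert's. I would replace the template text with `Description: Drop STRICT_TRANS_TABLES from the packaged sql_mode`, a continuation line naming the statement that failed under strict mode (presumably the motivation — worth confirming), and fill in `Forwarded: not-needed` and `Last-Update: 2018-05-02` (the date of the changelog entry quoted in the header), deleting the boilerplate under the `---` separator.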
@@ -0,0 +1,6915 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion33) xenial; urgency=medium + . + * fix auth +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/auth/native/squert/.js/squertMain.js ++++ /dev/null +@@ -1,3275 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- } else { 
+- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); +- rtbit = 0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" 
+ theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. +- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = $(this).attr('class').split("_"); +- 
var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- } +- +- 
$('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" + urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); +- $('.content-right').css("width","100%"); 
+- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- $('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- $.get("index.php?id=0", function(){location.reload()}); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and show checkbox +- 
$(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); +- $(".ev_py").append(tbl); +- } +- } else { +- return; +- } +- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); +- $("#loader").hide(); +- } +- } +-// The End. +-}); +--- securityonion-squert-20161212.orig/auth/native/squert/login.php ++++ /dev/null +@@ -1,158 +0,0 @@ +- +-// +-// This program is free software: you can redistribute it and/or modify +-// it under the terms of the GNU General Public License as published by +-// the Free Software Foundation, either version 3 of the License, or +-// (at your option) any later version. +-// +-// This program is distributed in the hope that it will be useful, +-// but WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-// GNU General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License +-// along with this program. If not, see . +-// +-// +- +-include_once '.inc/config.php'; +- +-$username = $password = $err = ''; +-$focus = 'username'; +-session_set_cookie_params(0, NULL, NULL, NULL, TRUE); +- +-function cleanUp($string) { +- if (get_magic_quotes_gpc()) { +- $string = stripslashes($string); +- } +- $string = mysql_real_escape_string($string); +- return $string; +-} +- +-if ($_SERVER['REQUEST_METHOD'] == 'POST'){ +- $username = $_REQUEST['username']; +- $password = $_REQUEST['password']; +- // sso +- //$username = $_SERVER['PHP_AUTH_USER']; +- //$password = $_SERVER['PHP_AUTH_PW']; +- +- $ua = $_SERVER['HTTP_USER_AGENT']; +- $rqt = $_SERVER['REQUEST_TIME']; +- $rqaddr = $_SERVER['REMOTE_ADDR']; +- $max = mt_getrandmax(); +- $rqt .= mt_rand(0,$max); +- $rqaddr .= mt_rand(0,$max); +- $ua .= mt_rand(0,$max); +- $cmpid = $rqt . $rqaddr . $ua; +- $id = md5($cmpid); +- // PDO prepared statements +- try { +- // first connect to database with the PDO object. 
+- $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [ +- PDO::ATTR_EMULATE_PREPARES => false, +- PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false, +- PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION +- ]); +- } catch(PDOException $e){ +- // if connection fails, log PDO error. +- error_log("Error connecting to mysql: ". $e->getMessage()); +- } +- +- if (isset($dbpdo)) { +- // prepare statement +- $statement = "SELECT * FROM user_info WHERE username = :user"; +- $query = $dbpdo->prepare("$statement"); +- // build parameters for prepared statement +- $params = [":user" => "$username"]; +- // execute the prepared statement and pass it params +- $query->execute($params); +- // fetch the data +- while ($row = $query->fetch(PDO::FETCH_NUM)) { +- $userName = $row[1]; +- $lastLogin = $row[2]; +- $userHash = $row[3]; +- $userEmail = $row[4]; +- $userType = $row[5]; +- $userTime = $row[6]; +- $tzoffset = $row[7]; +- } +- +- // if $username was found in database, then check password +- if ( isset($userName) && $username == $userName) { +- // The first 2 chars are the salt +- $theSalt = substr($userHash, 0,2); +- +- // The remainder is the hash +- $theHash = substr($userHash, 2); +- +- // Now we hash the users input +- $testHash = sha1($password . $theSalt); +- +- // Does it match? If yes, start the session. 
+- if ($testHash === $theHash) { +- session_start(); +- +- // Protect against session fixation attack +- if (!isset($_SESSION['initiated'])) { +- session_regenerate_id(); +- $_SESSION['initiated'] = true; +- } +- +- $_SESSION['sLogin'] = 1; +- $_SESSION['sUser'] = $userName; +- $_SESSION['sPass'] = $password; +- $_SESSION['sEmail'] = $userEmail; +- $_SESSION['sType'] = $userType; +- $_SESSION['sTime'] = $userTime; +- $_SESSION['tzoffset'] = $tzoffset; +- $_SESSION['sTab'] = 't_sum'; +- $_SESSION['id'] = $id; +- +- header ("Location: index.php?id=$id"); +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'The user name or password is incorrect.'; +- $focus = 'username'; +- } +- } else { +- $err = 'Connection Failed'; +- } +-} +-?> +- +- +- +-Please login to continue +- +- +- +- +-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.7.1©2016 Paul Halliday
+-
+-
+- +- +- +--- securityonion-squert-20161212.orig/auth/sso/squert/.js/squertMain.js ++++ /dev/null +@@ -1,3276 +0,0 @@ +-/* Copyright (C) 2012 Paul Halliday */ +- +-$(document).ready(function(){ +- +- $(document).on('click', '[class*="bpr"]', function() { +- // We disallow filtering if any events have already been selected +- // or if we stray from the event tab +- if ($('.d_row_active')[0]) return; +- if ($(".chk_event:checked").length > 0) return; +- if ($(".tab_active").attr('id') != 't_sum') return; +- +- var prClass = $(this).attr('class').split('b')[1]; +- var prOld = $(this).data('pr'); +- +- function flipIt(pattern) { +- $(pattern).closest('tr').hide(); +- $(pattern).closest('tr').attr('class','hidden'); +- if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); +- } +- if ($('.b' + prClass).attr('class') == 'bprA') { +- $('.b' + prClass).attr('class', 'bpr' + prOld); +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- } else { +- // See if we are already filtered +- if ($('.bprA')[0]) { +- $('.hidden').attr('class','d_row'); +- $('.d_row').show(); +- if ($('#gr').text() == 'on') { +- $('.chk_event').prop("disabled",false); +- $('.chk_all').prop("checked",false); +- $('.chk_event').css("background-color", "#fafafa"); +- } +- var prPrev = $('.bprA').data('pr'); +- $('.bprA').attr('class', 'bpr' + prPrev); +- } +- $('.b' + prClass).attr('class','bprA'); +- switch (prClass) { +- case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; +- case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; +- case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; +- case "pr4": ptrn = ".pr1,.pr2,.pr3"; break; +- } +- flipIt(ptrn); +- } +- }); +- +- // +- // Load main content +- // +- +- // Keep track of context +- thisUser = $('#t_usr').data('c_usr'); +- thisTZ = $('#user_tz').val(); 
+- rtbit = 0; +- eventList("0-aaa-00"); +- $("#loader").show(); +- lastclasscount = 0; +- +- $(document).on("click", "#dt_savetz", function(event) { +- if ($('.dt_error').data('err') == 0) { +- var newOffset = $('#ts_offset').val(); +- profileUpdate("tz", s2h(newOffset)); +- $('#user_tz').val(newOffset); +- } +- }); +- +- // Depending on context a 'No result' may be confusing +- // so we turn off active queue and show everything +- $(document).on('click', '#retry', function() { +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- }); +- +- // Get event statuses +- var eTotal = 0, qTotal = 0; +- function statusPoll(caller) { +- // See if we are filtering by sensor +- var theSensors = s2h('empty'); +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); +- }); +- +- function cb(data){ +- // Check to make sure we still have a valid session. If we don't +- // let the user know and return them to the login page. +- if (data[0] == "<") { +- $("span.class_msg").text("Your session has expired!"); +- $("span.class_msg").css("background-color", "#cc0000"); +- $("span.class_msg").css("color", "#fff"); +- $("span.class_msg").show(); +- var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. If you aren't finished with what you were looking at click 'Cancel'. 
Note: you won't be able to perform any actions."); +- if (sessionDead) { +- $("#logout").click(); +- } +- } +- eval("ec=" + data); +- +- var esum = 0; +- +- for (var i=0; i 0) { +- var p = parseFloat(ecount/esum*100).toFixed(1); +- var w = parseInt(p*2); +- } +- if (eclass == 0) { +- qTotal = ecount; +- } +- $("#c-" + eclass).text(ecount); +- $("#c-" + eclass).append("(" + p + "%)"); +- } +- +- var lastcount = $("#cat_sum").val(); +- var newcount = esum; +- $("#cat_sum").val(esum); +- eTotal = esum; +- $("#event_sum").val(eTotal); +- +- if (caller == 0) { // Fresh load +- lastcount = newcount; +- } +- +- // Last RT value +- var lastQ = Number($("#qtotal").html()); +- if (lastcount < newcount) { +- $("#etotal").html(eTotal); +- } +- +- if (lastQ < qTotal) { +- if (caller != 0) { +- if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); +- } +- $("#etotal").html(eTotal); +- $("#qtotal").html(qTotal); +- } +- +- $("#title").html("squert (" + qTotal + ") - " + thisUser); +- +- } +- +- } +- +- // +- // Event monitor (how often we poll for new events) +- // +- +- var emTimeout = 30000; +- window.setInterval(function(){ +- if ($('#search').val().length == 0) { +- statusPoll(1); +- } +- }, emTimeout); +- +- $(document).on("click", '[class*="cl_"]', function(event) { +- var nc = $(this).attr('class').split("_"); +- var ct = $(this).parents('table').data('comment'); +- $(".cat_msg_txt").val(ct); +- $('#b_class-' + nc[1]).click(); +- }); +- +- // Tabs +- var tab_cached = $("#sel_tab").val(); +- +- switch (tab_cached) { +- case "t_sum": +- $('.content-right').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- loadViews(); +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- break; +- } +- +- $('#' + 
tab_cached).attr('class','tab_active'); +- $("#" + tab_cached + "_content").attr('class','content_active'); +- +- $(".tab,.tab_active").click(function(event) { +- var active = $(".tab_active").attr('id'); +- var content = $(".content_active").attr('id'); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- +- if ( this.id != active ) { +- $("#" + active).removeClass('tab_active'); +- $("#" + active).addClass('tab'); +- $(this).attr('class','tab_active'); +- $("#" + content).attr('class','content'); +- $("#" + this.id + "_content").attr('class','content_active'); +- activeTab = $(".tab_active").attr('id'); +- $('.pin').hide(); +- +- switch (activeTab) { +- case "t_sum": +- $('.content-right').show(); +- if (Number($('.botog').data('val')) == 1) $('.content-left').show(); +- $('.t_pbar').css('opacity',1); +- $('.db_links').hide(); +- $('.pin').show(); +- break; +- case "t_ovr": +- $('.content-right').hide(); +- $('.content-left').hide(); +- if ($('#ovestat').text().length == 0) loadSummary(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- case "t_view": +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- loadViews(); +- break; +- default: +- $('.content-right').hide(); +- $('.content-left').hide(); +- $('.t_pbar').css('opacity',.1); +- $('.db_links').hide(); +- break; +- } +- +- $('#sel_tab').val(activeTab); +- var ctab = $('#sel_tab').val(); +- var urArgs = "type=" + 5 + "&tab=" + ctab; +- $.get(".inc/callback.php?" 
+ urArgs); +- } +- }); +- +- // Sub tab groups +- $(".tsg").click(function(event) { +- var nc = Number($(this).attr('class').split(/\s/).length); +- var ct = $(this).data('tab'); +- $('.tsg_active').attr('class','tsg'); +- $(this).attr('class','tsg tsg_active'); +- }); +- +- // Toggle and update views +- function newView(req) { +- // No racing please +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- // Remove any stale views +- $("#tl0,#tl1,#tl3a,#tl3b").remove(); +- var f = "0-aaa-00"; +- var s = "2a-aaa-00"; +- var cv = $("#gr").text(); +- +- switch (cv) { +- case "on": +- eventList(f); +- $("#loader").show(); +- break; +- case "off": +- eventList(s); +- $("#loader").show(); +- break; +- } +- } +- +- // Group and ungroup +- $(document).on("click", "#gr", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#gr').text(); +- switch (cv) { +- case 'on': +- $('#gr').attr('class','tvalue_off'); +- $('#gr').text('off'); +- break; +- case 'off': +- $('#gr').attr('class','tvalue_on'); +- $('#gr').text('on'); +- $("#event_sort").val("DESC"); +- break; +- } +- }); +- +- // RT check/uncheck +- $(document).on("click", "#rt", function(event) { +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- var cv = $('#rt').text(); +- switch (cv) { +- case 'on': +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- break; +- case 'off': +- $('#rt').attr('class','tvalue_on'); +- $('#rt').text('on'); +- rtbit = 1; +- break; +- } +- }); +- +- // Toggle side/lower bars +- $(document).on("click", ".botog", function(event) { +- if ($('.tab_active').attr('id') != 't_sum') return; +- var n = Number($('.botog').data("val")); +- switch (n) { +- case 1: +- $('.botog').data("val","0"); +- $('.content-right').css("width","100%"); +- $('.botog').attr('src','.css/layout0.png'); +- break; +- case 0: +- $('.botog').data("val","1"); +- 
$('.content-right').css("width","82%"); +- $('.botog').attr('src','.css/layout1.png'); +- break; +- } +- $('.bottom').animate({height: 'toggle'}); +- $('.content-left').animate({width: 'toggle'}); +- }); +- +- // Section show and hide +- $(".st").click(function() { +- var thisSec = $(this).data("sec"); +- var thisSecID = "#sec_" + thisSec; +- var thisSecVis = $(thisSecID).css("display"); +- var lastSection = "h"; +- switch (thisSecVis) { +- case "none": +- $(this).attr("src", ".css/uarr.png"); +- $(thisSecID).slideDown(); +- break; +- default: +- $(this).attr("src", ".css/darr.png"); +- $(thisSecID).slideUp(); +- break; +- } +- }); +- +- // If search is in focus, update on enter +- $('#search').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) { +- // Close comment box if it is open +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- $('.b_update').click(); +- } +- }); +- +- // Sort ASC/DESC +- $(document).on("click", ".event_time", function(event) { +- var csv = $(".event_time").text(); +- switch (csv) { +- case "show oldest first": +- $("#event_sort").val("ASC"); +- break; +- case "show newest first": +- $("#event_sort").val("DESC"); +- break; +- } +- newView("u"); +- }); +- +- // Update page +- $(document).on("click", ".b_update", function(event) { +- $(".icon_notifier").fadeToggle(); +- $(".tag").remove(); +- $(".tag_empty").show(); +- // Remove any supplementary results +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Where are we? 
+- var curTab = $('.tab_active').attr('id'); +- switch (curTab) { +- case 't_ovr': +- loadSummary(); +- break; +- case 't_view': +- mkView(); +- break; +- default: +- $(".b_update_note").hide(); +- newView("u"); +- break; +- } +- }); +- +- // Clear search and refresh +- $('#clear_search').click(function() { +- if ($('#search').val() != '') { +- $('#search').val(''); +- $("#search").focus(); +- if ($(".fl_val_on")[0]) { +- $('.b_update').click(); +- } +- } +- }); +- +- // Logout +- $("#logout").click(function(event) { +- //$.get("/logout.html", function(){location.reload()}); +- location.replace("/logout.html"); +- }); +- +- // Toggle filters +- $(document).on('click', '.fl_val_on', function(event) { +- var wF = $(this).data("ft"); +- switch (wF) { +- case "tl": +- +- break; +- case "ob": +- $('#clear_search').click(); +- break; +- case "sn": +- $(".chk_sen").each(function() { +- $(this).prop("checked",false); +- }); +- $('.b_update').click(); +- break; +- } +- }); +- +- function clearTags() { +- //$(".tag").remove(); +- //$(".tag_empty").show(); +- $(".tag").removeClass('tag_active'); +- } +- +- // +- // Rows +- // +- +- function closeRow() { +- $("#active_eview").remove(); +- $("#" + this.id).attr('class','d_row'); +- $(".d_row").css('opacity','1'); +- ltCol = $(".d_row_active").find('td.lt').html(); +- $(".d_row_active").find('td.lt').css('background', ltCol); +- $(".d_row_active").attr('class','d_row'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- // Get rid of any crashed loaders +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow() { +- $("#eview_sub1").remove(); +- $("#" + this.id).attr('class','d_row_sub'); +- $(".d_row_sub").css('opacity','1'); +- $(".d_row_sub_active").attr('class','d_row_sub'); +- // Update class_count +- $("#class_count").text(lastclasscount); +- curclasscount = lastclasscount; +- $("#loader").hide(); +- // Reset and 
show checkbox +- $(".chk_all").prop("checked",false); +- $("#ca0").show(); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow1() { +- $("#eview_sub2").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub3")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub_active1").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- // Remove any open externals +- if ($("#extresult")[0]) $("#extresult").remove(); +- // Clear Tags +- clearTags(); +- } +- function closeSubRow2() { +- $("#eview_sub3").remove(); +- $("#" + this.id).attr('class','d_row_sub1'); +- if (!$("#eview_sub2")[0]) { +- $(".d_row_sub1").css('opacity','1'); +- $(".d_row_sub1_active").attr('class','d_row_sub1'); +- } +- $("#loader").hide(); +- // Clear Tags +- clearTags(); +- } +- +- // +- // Level 1 +- // +- +- $(document).on("click", ".row_active", function(event) { +- var curID = $(this).parent('tr').attr('id'); +- // What type of row are we? +- rowType = curID.substr(0,3); +- +- // Make sure no other instances are open +- if (!$(".d_row_active")[0] && rowType == 'sid') { +- $("#loader").show(); +- // This leaves us with sid-gid +- var rowValue = curID.replace("sid-",""); +- var sigID = rowValue.split("-")[0]; +- +- $(".d_row_active").attr('class', 'd_row'); +- $("#active_eview").attr('class','d_row'); +- +- // This is now the active row +- $("#" + curID).attr('class','d_row_active'); +- $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); +- // History +- var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); +- hItemAdd(itemToAdd); +- // Set the class count (counted again after load) +- curclasscount = $('.d_row_active').data('event_count'); +- var cols = $('th.sort').length; +- var tbl = ''; +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += "CATEGORIZE"; +- tbl += curclasscount + "EVENT(S)  "; +- tbl += "    "; +- tbl += "CREATE FILTER: "; +- tbl += "src  "; +- tbl += "dst  "; +- tbl += "both"; +- tbl += "
"; +- $("#" + curID).after(tbl); +- +- // Lookup signature +- sigLookup(rowValue); +- +- // Fetch results +- eventList("1-" + rowValue); +- +- $("#eview").show(); +- $(".d_row").fadeTo('0','0.2'); +- } else { +- closeRow(); +- } +- }); +- +- // +- // Level 2 +- // +- +- $(document).on("click", ".sub_active", function() { +- if (!$(".d_row_sub_active")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- +- // Reset checkbox +- $(".chk_all").prop("checked",false); +- +- // RT or ALL? +- switch (rtbit) { +- case 1: adqp = s2h("AND event.status = 0"); break; +- case 0: adqp = s2h("empty"); break; +- } +- // We are now the active row +- $("#" + callerID).attr('class','d_row_sub_active'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",3600000,thisTZ); +- var eet = mkStamp(bt,"+",3600000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History and search +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- +- $("#loader").show(); +- eventList("2-" + callerID + "-" + adqp); +- } else { +- closeSubRow(); +- } +- }); +- +- // +- // Level 3 (a or b) request payload +- // +- +- $(document).on("click", ".sub1_active", function() { +- // Close transcript if it is open +- if ($(".eview_sub3")[0]) closeSubRow2(); +- if (!$(".d_row_sub_active1")[0]) { +- var callerID = $(this).parent('tr').attr('id'); +- $("#" + callerID).attr('class','d_row_sub_active1'); +- +- // Populate search times +- var bt = $("#" + callerID).find('[class*="timestamp"]').html(); +- var est = mkStamp(bt,"-",1800000,thisTZ); +- var eet = 
mkStamp(bt,"+",1800000,thisTZ); +- +- $('#el_start').val(est); +- $('#el_end').val(eet); +- +- // Clear search terms +- $("#srchterms").html(''); +- $(".srch_txt").val(''); +- +- // History +- $("#" + callerID).find('[class*="sub_filter"]').each(function() { +- if ($(this).data('type') == 'cc') { +- var itemToAdd = $(this).data('value'); +- } else { +- var itemToAdd = $(this).text(); +- } +- if ($(this).data('type') == 'ip') { +- // Add search terms +- $("#srchterms").append("" + itemToAdd + "  "); +- } +- hItemAdd(itemToAdd); +- }); +- $("#loader").show(); +- eventList("3-" + callerID); +- } else { +- closeSubRow1() +- } +- }); +- +- // +- // Level 3 (a or b) request transcript +- // +- +- $(document).on("click", ".sub2_active", function(event) { +- // Close payload if it is open +- if ($(".eview_sub2")[0]) closeSubRow1(); +- var bail = $("#loader").css('display'); +- if (bail != 'none') return; +- if (!$(".eview_sub3")[0]) { +- $("#loader").show(); +- composite = $(this).data('tx').split("-"); +- rowLoke = composite[0]; +- $("#" + rowLoke).attr('class','d_row_sub1_active'); +- nCols = $("#" + rowLoke).find('td').length; +- cid = composite[1]; +- txdata = composite[2]; +- +- // See if a transcript is available +- var urArgs = "type=" + 7 + "&txdata=" + txdata; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); +- }); +- +- function cb5(data){ +- eval("txRaw=" + data); +- txCMD = txRaw.cmd; +- txResult = txRaw.tx; +- txDebug = txRaw.dbg; +- if (txResult == "DEBUG:") txResult += " No data was returned."; +- if (!txResult) { +- txResult = "Transcript request failed!

"; +- txResult += "The command was:
" + txCMD + "

"; +- txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); +- } +- +- var row = '',tbl = ''; +- row += ""; +- row += ""; +- row += "
"; +- row += txResult; +- row += "
"; +- +- tbl += ""; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 399 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- $("#loader").hide(); +- } +- } else { +- closeSubRow2(); +- } +- }); +- +- // Toggle RT depending on entry point +- $(document).on("click", ".b_ec_hot", function() { +- rtbit = 1; +- }); +- $(document).on("click", ".b_ec_total", function() { +- rtbit = 0; +- }); +- +- // Filter constructor +- function mkFilter() { +- if ($('#search').val().length > 0) { +- +- var srchVal = $('#search').val(); +- var fParts = ""; +- +- // If no term is supplied default to a string, IP or wildcard IP search +- chkVal: +- if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { +- var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- if (re.exec(srchVal)) { +- srchVal = "ip " + srchVal; +- break chkVal; +- } +- +- var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; +- if (re.exec(srchVal)) { +- srchVal = "wip " + srchVal; +- break chkVal; +- } +- +- srchVal = "sig " + srchVal; +- } +- +- fParts = srchVal.replace(/^!/,"").split(" "); +- if (fParts[0] == 'cmt') { +- var theFilter = s2h($('#search').val()); +- rtbit = 0; +- } else { +- // Now see if the requested filter exists +- if ($("#tr_" + fParts[0]).length > 0) { +- tmpFilter = $("#tr_" + fParts[0]).data('filter'); +- // Now see if we need to modify the query +- if (fParts[1]) { +- // This is the base filter +- preFilter = h2s(tmpFilter); +- // This is the user supplied text. 
+- var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); +- theQuestion = fParts.join(' ').replace(re, ""); +- // We will accept multiple questions if they are comma delimited +- questionParts = theQuestion.split(","); +- if (questionParts.length > 1) { +- var f = '('; +- for (var i = 0; i < questionParts.length; i++) { +- f += preFilter.replace(/\$/g, questionParts[i]); +- if (i != (questionParts.length - 1)) { +- f += " OR "; +- } +- } +- f += ')'; +- theFilter = s2h(f); +- } else { +- var newFilter = preFilter.replace(/\$/g, questionParts[0]); +- theFilter = s2h(newFilter); +- } +- } else { +- theFilter = tmpFilter; +- } +- } else { // The filter does not exist +- theFilter = s2h('empty'); +- } +- } +- } else { // No filter supplied +- theFilter = s2h('empty'); +- } +- return theFilter; +- } +- +- // +- // This creates the views for each level +- // +- +- function eventList (type) { +- theWhen = getTimestamp(); +- statusPoll(0); +- var parts = type.split("-"); +- var filterMsg = ''; +- var rt = 0; +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- +- // See if we are just RT events +- if ($('#rt').text() == 'on' || rtbit == 1) { +- rt = 1; +- rtbit = 1; +- } +- // How are we sorting? 
+- var sortval = $("#event_sort").val(), sorttxt; +- switch (sortval) { +- case "DESC": sorttxt = "show oldest first"; break; +- case "ASC": sorttxt = "show newest first"; break; +- } +- +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- // Check for any filters +- if (h2s(theFilter) != 'empty') { +- $('.fl_val').text('YES'); +- } else { +- $('.fl_val').text('NO'); +- } +- +- switch (parts[0]) { +- +- // Level 0 view - Grouped by Signature +- case "0": +- $('.value').text('-'); +- +- // Times Chart +- var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; +- $(function(){ +- $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("chartData=" + data); +- var r = chartData.r; +- if (r > 0) { +- mkLine(".times",chartData.rows,chartData.m); +- } +- } +- +- var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); +- }); +- function cb1(data){ +- eval("d0=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var cols = 11; +- +- if (rt == 0) cols = 12; +- head += ""; +- head += ""; +- head += "QUEUE"; +- if (rt == 0) head += "ALL"; +- head += ""; +- head += "SC"; +- head += "DC"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SIGNATURE"; +- head += "ID"; +- head += "PROTO"; +- head += "% TOTAL"; +- head += ""; +- +- var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; +- +- if (d0.length > 0) { +- // Sums for boxes +- for (var i=0; i"; +- row += "No result. If this is unexpected try this"; +- } +- +- if (rt == 1) { +- sumSC = "-"; +- sumDC = "-"; +- sumEC = eTotal; +- } +- +- var sumRT = 0; +- +- // Tag Array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- sumRT += parseInt(unClass); +- } else { +- rtClass = "b_ec_cold"; +- } +- +- // Sum priorities +- var prC = Number(d0[i].f1); +- switch (d0[i].f13) { +- case "1": spr1 += prC; break; +- case "2": spr2 += prC; break; +- case "3": spr3 += prC; break; +- default: spr4 += prC; break; +- } +- +- rid = "r" + i + "-" + parts[1]; +- var cells = mkGrid(d0[i].f12); +- if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); +- row += ""; +- row += "
" + unClass + "
"; +- if (rt == 0) row += "
" + d0[i].f1 + "
"; +- row += "
" + d0[i].f13 + "
"; +- row += "" +d0[i].f6+ ""; +- row += "" +d0[i].f7+ ""; +- if (rt == 0) row += "" + catCells + ""; +- +- timeParts = d0[i].f5.split(" "); +- timeStamp = timeParts[1]; +- +- if ( sumEC > 0) { +- rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); +- } else { +- rowPer = "0.000"; +- } +- +- row += "" + cells + ""; +- row += "" + timeStamp + ""; +- row += ""; +- //row += "
" + d0[i].f2 + "
"; +- row += d0[i].f2 + ""; +- row += "" + d0[i].f3 + ""; +- row += "" + d0[i].f8 + ""; +- +- +- row += "" + rowPer + "%"; +- row += ""; +- } +- +- // Populate event summary +- $('#qtotal').text(sumRT); +- $('#etotal').text(sumEC); +- $('#esignature').text(sumSI); +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- +- $('#' + parts[1] + '-' + parts[2]).append(tbl); +- +- if (d0.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $('#tl1').fadeIn('slow'); +- $("#tl1").tablesorter(); +- $("#loader").hide(); +- } +- break; +- +- // Level 1 view - Grouped by signature, source, destination +- +- case "1": +- var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); +- }); +- +- function cb2(data){ +- eval("theData=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += "QUEUE"; +- if (rt == 0) head += "TOTAL"; +- if (rt == 0) head += "CLASS"; +- head += "ACTIVITY"; +- head += "LAST EVENT"; +- head += "SOURCE"; +- head += "AGE"; +- head += "COUNTRY"; +- head += "DESTINATION"; +- head += "AGE"; +- head += "COUNTRY"; +- head += ""; +- var curclasscount = 0, tlCount = 0, rtCount = 0; +- var timeValues = "", scid = ""; +- +- // Tag array +- var tags = new Array(); +- +- for (var i=0; i 0 ) { +- rtClass = "b_ec_hot"; +- isActive = "sub_active"; +- } else { +- rtClass = "b_ec_cold"; +- isActive = "sub"; +- } +- +- // Aggregate time values +- timeValues += theData[i].c_ts + ","; +- var cells = mkGrid(theData[i].f12); +- if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); +- +- // Event sums +- tlCount += parseInt(count,10); +- rtCount += parseInt(unclass,10); +- +- rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; +- row += ""; +- row += "
" + unclass + "
"; +- if (rt == 0) row += "
" + count + "
"; +- if (rt == 0) row += "" + catCells + ""; +- row += "" + cells + ""; +- row += "" + max_time + ""; +- row += "
" + src_ip + ""; +- row += "" + src_age_n + ""; +- row += ""; +- row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_age_n + ""; +- row += ""; +- row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; +- row += ""; +- } +- +- // Populate tags +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Add scid's to checkbox +- $("#ca0").data("scid", scid.replace(/,$/, "")); +- +- // If queue is empty provide event sums in case the user +- // intends to reclass anything +- if (rtbit == 1) { +- curclasscount = rtCount; +- } else { +- curclasscount = tlCount; +- } +- +- // update class_count +- $("#class_count").html(curclasscount); +- lastclasscount = $("#class_count").html(); +- +- // While in grouped events (RT) we remove rows as +- // they are classed and subtract the values from "Total Events" +- // This keeps etotal up to date so the math doesn't get silly +- var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); +- var oldec = Number($("#etotal").text()); +- if (oldrt < rtCount) { +- newrtcount = parseInt((rtCount - oldrt) + oldec); +- $("#etotal").text(newrtcount); +- } +- +- // Update parent counts +- $(".d_row_active").find(".b_ec_hot").text(rtCount); +- if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); +- +- tbl += "
"; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#eview").after(tbl); +- $("#tl2").tablesorter({ +- headers: { +- 4: {sorter:'ipv4'}, +- 6: {sorter:'ipv4'} +- } +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 2 view - No grouping, individual events +- +- case "2": +- var rowLoke = parts[1]; +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); +- }); +- +- function cb3(data){ +- eval("d2=" + data); +- tbl = ''; +- head = ''; +- row = ''; +- head += ""; +- head += ""; +- head += "ST"; +- head += "TIMESTAMP"; +- head += "EVENT ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "SIGNATURE"; +- head += ""; +- +- // Update class_count +- $("#class_count").html(0); +- var tlCount=0, rtCount=0; +- +- // Tag array +- var tags= new Array(); +- +- for (var i=0; i"; +- tclass = "c" + eclass; +- cv = classifications.class[tclass][0].short; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag); +- if (t < 0) tags.push(tag); +- }); +- } +- +- // Timestamp +- var compts = d2[i].f2.split(",") || "--"; +- var timestamp = compts[0]; +- var utctimestamp = compts[1]; +- +- // Event sums +- tlCount += parseInt(1,10); +- if (cv == "RT") { +- rtCount += parseInt(1,10); +- } +- +- // Transcript link +- // original Squert native pivot: +- //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- //txBit = "" + sid + "." + cid + "
"; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." + cid + ""; +- } +- +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + signature + ""; +- row += ""; +- } +- +- // Update parent counts +- $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); +- if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { +- $(".d_row_sub_active").find(".b_ec_total").text(tlCount); +- } +- +- var cols = $('th.sort').length; +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- tbl += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $("#" + rowLoke).after(tbl); +- $(".d_row_sub").fadeTo('0','0.2'); +- $("#loader").hide(); +- $("#tl3").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 4:{sorter:'ipv4'}, +- 6:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#ca0").hide(); +- } +- break; +- +- // Level 2a view - No grouping, individual events +- +- case "2a": +- $('.value').text('-'); +- var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); +- }); +- +- function cb3a(data){ +- eval("d2a=" + data); +- var tbl = ''; +- var head = ''; +- var row = ''; +- var disabled = ''; +- if (d2a.length == 0) { +- disabled = "disabled"; +- row += ""; +- row += "No result. If this is unexpected try this"; +- } +- +- head += ""; +- head += ""; +- head += ""; +- head += "ST"; +- head += ""; +- head += "TIMESTAMP"; +- head += "ID"; +- head += "SOURCE"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "DESTINATION"; +- head += "PORT"; +- head += "AGE"; +- head += "CC"; +- head += "SIGNATURE"; +- head += ""; +- +- // Aggregate time values +- var timeValues = ""; +- for (var ts=0; ts" + sid + "." + cid + ""; +- //if (src_port != "-" && dst_port != "-") { +- // txBit = "" + sid + "." + cid + ""; +- //} +- // new pivot to CapMe: +- txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); +- txBit = "" + sid + "." + cid + ""; +- if (src_port != "-" && dst_port != "-") { +- var startDate = new Date(utctimestamp); +- var start_tz_offset = (startDate.getTimezoneOffset()); +- var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; +- var endDate = new Date(utctimestamp); +- var end_tz_offset = (endDate.getTimezoneOffset()); +- var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; +- txBit = " " + sid + "." 
+ cid + ""; +- } +- +- row += ""; +- row += ""; +- row += "
"; +- row += cv + "
"; +- row += "
" + d2a[i].f16 + "
"; +- row += "" + timestamp + ""; +- row += txBit; +- row += "
" + src_ip + ""; +- row += "" + src_port + ""; +- row += "" + src_age_n + ""; +- row += "" + cs[1] + ""; +- row += "
" + dst_ip + ""; +- row += "" + dst_port + ""; +- row += "" + dst_age_n + "" +- row += "" + cd[1] + ""; +- row += "" + signature + ""; +- } +- +- var sumED = 0, sumEC = 0, cmsg = ""; +- +- if (d2a.length > 0) { +- sumED = i; +- sumEC = d2a.length; +- } +- +- if (d2a.length >= maxI) { +- sumRE = sumEC - maxI; +- cmsg = " / " + sumRE + " not shown"; +- } +- +- $("#qtotal").html(rsumRT); +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- // Draw +- tbl += ""; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "categorize " + 0 + ""; +- tbl += " of " + sumED + " event(s)" + cmsg; +- tbl += "
"; +- tbl += "
" + sorttxt + "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- $('#' + parts[1] + '-' + parts[2]).after(tbl); +- +- if (d2a.length > 0) { +- var prVals = [spr1,spr2,spr3,spr4]; +- var pryBar = mkPribar(prVals); +- } else { +- var pryBar = mkPribar([0]); +- } +- $("#tl3a,#tl3b").fadeIn('slow'); +- $("#tl3b").tablesorter({ +- headers: { +- 0:{sorter:false}, +- 1:{sorter:false}, +- 5:{sorter:'ipv4'}, +- 8:{sorter:'ipv4'} +- }, +- cancelSelection:false +- }); +- $("#loader").hide(); +- } +- break; +- +- // Level 3 view - Packet Data +- +- case "3": +- var rowLoke = parts[1]; +- var nCols = $('#' + parts[1]).data('cols'); +- var filter = $('#' + parts[1]).data('filter'); +- var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; +- var sg = $('#' + parts[1]).data('sg'); +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); +- }); +- +- function cb4(data){ +- eval("theData=" + data); +- +- var tbl = '', head = '', row = ''; +- +- // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) +- if (theData[0].ip_ver != 0) { +- +- var PDATA = 0; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- head += ""; +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; +- +- switch (theData[0].ip_proto) { +- case "1": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; +- break; +- +- case "6": +- // TCP flags +- var tmpFlags = theData[1].tcp_flags || 'z'; +- switch (tmpFlags) { +- case 'z': var tcpFlags = '--------'; break; +- default: +- var binFlags = Number(theData[1].tcp_flags).toString(2); +- var binPad = 8 - binFlags.length; +- var tcpFlags = "00000000".substring(0,binPad) + binFlags; +- break; +- } +- var tcp_seq = theData[1].tcp_seq || '-'; +- var tcp_ack = theData[1].tcp_ack || '-'; +- var tcp_off = theData[1].tcp_off || '-'; +- var tcp_res = theData[1].tcp_res || '-'; +- var tcp_win = theData[1].tcp_win || '-'; +- var tcp_urp = theData[1].tcp_urp || '-'; +- var tcp_csum = theData[1].tcp_csum || '-'; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; +- break; +- +- case "17": +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; +- break; +- } +- +- var p_hex = '', p_ascii = '', p_ascii_l = ''; +- +- // Data +- if (!theData[2]) { +- p_hex = "No Data Sent."; +- p_ascii = "No Data Sent."; +- } else { +- p_pl = theData[2].data_payload; +- p_length = theData[2].data_payload.length; +- var b0 = 0; +- +- for(var i=0; i < p_length; i+=2) { +- b0++; +- t_hex = p_pl.substr(i,2); +- t_int = parseInt(t_hex,16); +- +- if ((t_int < 32) || (t_int > 126)) { +- p_hex += t_hex + " "; +- p_ascii += "."; +- p_ascii_l += "."; +- } else if (t_int == 60) { +- p_hex += t_hex + " "; +- p_ascii += "<"; +- p_ascii_l += "<"; +- } else if (t_int == 62) { +- p_hex += t_hex + " "; +- p_ascii += ">"; +- p_ascii_l += ">"; +- } else { +- p_hex += t_hex + " "; +- p_ascii += String.fromCharCode(parseInt(t_hex, 16)); +- p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); +- } +- +- if ((b0 == 16) && (i < p_length)) { +- p_hex += "
"; +- p_ascii += "
"; +- b0 = 0; +- } +- } +- } +- +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += ""; +- row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; +- +- } else { +- +- head += ""; +- var p_ascii = "No Data Sent."; +- // This needs to be more robust. +- if (theData[2]) { +- var tmp = h2s(theData[2].data_payload).split("\n"); +- p_ascii = ''; +- for (var i in tmp) { +- p_ascii += "
" + tmp[i] + "
"; +- } +- +- } +- row += ""; +- row += ""; +- row += "
" + p_ascii + "
"; +- } +- +- tbl += ""; +- +- // If we are not grouped we show the signature text +- if ( sg != 0 ) { +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- tbl += "
"; +- sigLookup(sg); +- } +- +- // Comments and tags are done here +- var tags = new Array(); +- var eventTag = 'None.'; +- var eventComment = theData[0].comment || 'None.'; +- var src_tag = theData[0].srctag || '-'; +- var dst_tag = theData[0].dsttag || '-'; +- +- // Populate tags array +- if (src_tag != "-") { +- var src_tags = src_tag.split(","); +- $.each(src_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",s"); +- if (t < 0) tags.push(tag + ",s"); +- }); +- } +- +- if (dst_tag != "-") { +- var dst_tags = dst_tag.split(","); +- $.each(dst_tags, function(n,tag) { +- var t = tags.indexOf(tag + ",d"); +- if (t < 0) tags.push(tag + ",d"); +- }); +- } +- +- if (tags.length > 0) eventTag = ''; +- +- tbl += "
COMMENTS
"; +- tbl += "
" + eventComment + "
"; +- tbl += "
TAGS
"; +- tbl += "
" + eventTag + "
"; +- if (PDATA != 0) { +- tbl += "
DETAILS
"; +- } else { +- tbl += "
PAYLOAD
"; +- } +- tbl += head; +- tbl += row; +- tbl += ""; +- $("#" + rowLoke).after(tbl); +- $("#loader").hide(); +- +- // Turn off fade effect for large results +- var rC = $(".d_row_sub1").length; +- if ( rC <= 499 ) { +- $(".d_row_sub1").fadeTo('fast','0.2'); +- } +- +- // Populate tags +- clearTags(); +- for (var i=0; i < tags.length; i++) { +- addTag(tags[i]); +- } +- +- } +- break; +- } +- // If event queue is off we need to reset this after load if b_ec_hot was +- // the entry point +- if ($('#rt').text() == 'off') rtbit = 0; +- } +- +- // +- // Object click handlers +- // +- +- $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { +- // Check if we are coming from a legit object +- var prefix = $(this).data('type'); +- if (prefix == "none") return; +- +- // Check if we are coming from a sane selection +- var selLen = window.getSelection().toString().length; +- if (selLen > 4) { +- if (selLen < 255) { // Might need to change these based on how people use this +- prefix = "zz"; +- var suffix = window.getSelection().toString(); +- var re = /\s/g; +- var NOK = re.exec(suffix); +- if (NOK) return; +- } else { +- return; +- } +- } else { +- var suffix = $(this).text(); +- } +- +- var mX = e.pageX; +- var mY = e.pageY; +- +- var colour = $(this).data('col') || "FFFFFF"; +- var tfocus = "#search"; +- switch (prefix) { +- case 'ip': +- hItemAdd(suffix); +- var sord = $(this).data('sord'); +- mkPickBox(prefix,suffix,sord,colour,mX,mY); +- break; +- case 'spt': +- case 'dpt': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'cc': +- case 'scc': +- case 'dcc': +- var cc = $(this).data('value'); +- hItemAdd(cc); +- mkPickBox(prefix,cc,suffix,colour,mX,mY); +- break; +- case 'cmt': +- suffix = $(this).data('comment'); +- $("#rt").text("off"); +- $("#rt").attr('class','tvalue_off'); +- $('#search').val(prefix + " " + suffix); +- hItemAdd(suffix); +- if ($('#cat_box').css('display') != 'none') { 
+- $('#ico01').click(); +- } +- $('.b_update').click(); +- break; +- case 'cmt_c': +- $('.cat_msg_txt').val(suffix); +- hItemAdd(suffix); +- tfocus = ".cat_msg_txt"; +- break; +- case 'fil': +- var fil = $(this).data('value'); +- $('#search').val(fil); +- hItemAdd(fil); +- if ($('#fltr_box').css('display') != 'none') { +- $('#ico04').click(); +- } +- $('.b_update').click(); +- break; +- case 'sid': +- var value = $(this).data('value'); +- hItemAdd(suffix); +- mkPickBox(prefix,value,suffix,colour,mX,mY); +- break; +- case 'st': +- var suffix = $(this).attr('id').split('-')[1]; +- $('#search').val(prefix + " " + suffix); +- // RT must be off to return anything +- $('#rt').attr('class','tvalue_off'); +- $('#rt').text('off'); +- rtbit = 0; +- $('.b_update').click(); +- break; +- case 'el': +- var suffix = $(this).data('value'); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- case 'zz': +- hItemAdd(suffix); +- mkPickBox(prefix,suffix,0,colour,mX,mY); +- break; +- } +- }); +- +- // +- // Picker Box +- // +- +- function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { +- var doexternals = "yes"; +- var objhex = s2h(suffix); +- var tbl = '', row = ''; +- // Local stuff first +- switch (prefix[prefix.length - 1]) { +- case "c": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "p": +- row += ":: SRC or DST"; +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: ADD / REMOVE TAG"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- row += ":: COLOUR  "; +- row += ""; +- row += "apply"; +- row += "apply all"; +- row += ""; +- break; +- case "t": +- row += ":: SRC"; +- row += ":: DST"; +- row += ":: SEARCH"; +- break; +- case "d": +- row += ":: SIGNATURE"; +- if ($('.sigtxt')[0]) { +- row += ":: HISTORY"; +- } +- row += ":: SEARCH"; +- break; +- case "l": +- row += ":: COLOUR  "; +- row += ""; +- row += "update"; +- doexternals = "no"; +- break; +- case "z": +- row += ":: SEARCH"; +- 
break; +- } +- +- // If applicable populate externals +- if (doexternals == "yes") { +- $('.f_row').each(function() { +- var ct = $(this).data('type'); +- if (ct == 'url') { +- var alias = $(this).data('alias'); +- var name = $(this).data('name'); +- var url = $(this).data('filter'); +- row += ""; +- row += "" + name + ""; +- row += ""; +- } +- }); +- } +- +- tbl += ""; +- tbl += row; +- tbl += "
"; +- +- var boxlabel = suffix; +- +- // Use more descriptive names where possible +- var re = /(sid|cc|scc|dcc)/; +- var OK = re.exec(prefix); +- if (OK) { +- var boxlabel = rsuffix; +- } +- +- if (boxlabel.length > 24) { +- boxlabel = boxlabel.substring(0,24); +- boxlabel += ".."; +- } +- +- $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); +- +- if ($('#tlpick')[0]) $('#tlpick').remove(); +- $(".pickbox_tbl").append(tbl); +- $('.pickbox').fadeIn('fast'); +- +- // Colour Picker +- $("#menucol").spectrum({ +- showInput: true, +- className: "full-spectrum", +- showInitial: true, +- showPalette: true, +- showSelectionPalette: true, +- maxPaletteSize: 6, +- preferredFormat: "hex", +- localStorageKey: "spectrum.demo", +- move: function (color) {}, +- show: function () {}, +- beforeShow: function () {}, +- hide: function () {}, +- change: function() {}, +- palette: [ +- ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], +- ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], +- ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], +- ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], +- ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] +- ] +- }); +- } +- +- // Pickbox click events +- $(document).on('click', '.p_row', function() { +- if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); +- var ctype = $(this).data('type'); +- var alias = $(this).data('alias'); +- var args = $('#tlpick').data('val'); +- switch(ctype) { +- case "l": +- $('.pickbox').fadeOut('fast'); +- $('#search').val(alias + " " + args); +- $('.b_update').click(); +- break; +- case "r": +- $('.pickbox').fadeOut('fast'); +- var url = h2s($(this).data('url')).replace("${var}", args); +- window.open(url); +- break; +- case "t": +- 
$('.tagbox').fadeIn('fast'); +- $('.taginput').focus(); +- break; +- case "s": +- $('.pickbox').fadeOut('fast', function() {; +- $('#ico05').click(); +- }); +- $('.srch_txt').val(args); +- break; +- case "h": +- doHistory(args); +- $('.pickbox').fadeOut('fast'); +- break; +- default: return; +- } +- }); +- +- // +- // Tags +- // +- +- // Truncate +- function truncTag(tag,len) { +- if (tag.length > len) tag = tag.substring(0,len) + ".."; +- return tag; +- } +- +- // Filter results or add as new +- $(document).on('click', '.tag', function() { +- var tag = $(this).data('val'); +- if($('.taginput').is(":visible")) { +- $('.taginput').val(tag); +- $('.taginput').focus(); +- } else { +- $('#search').val('tag ' + tag); +- $('.b_update').click(); +- } +- }); +- +- // Remove individual tags on "(X)" click via payload area +- $(document).on('mouseenter', '.tag_d, .tag_s', function() { +- var tag = $(this).data('val'); +- if ($(".tag_x")[0]) return; +- var dw = $(this).width() - 5 + "px"; +- $(this).append("
X
"); +- $(".tag_x").css("margin-left", dw); +- $(".tag_x").fadeIn("slow"); +- +- }); +- +- $(document).on('mouseleave', '.tag_d, .tag_s', function() { +- $('.tag_x').remove(); +- }); +- +- $(document).on('click', '.tag_x', function() { +- var tag = $(this).parent().data("val"); +- var obj = $(this).parent().data("obj"); +- $(this).parent().remove(); +- var len = $("#tag_area").text().length; +- if (len == 0) $("#tag_area").append("None."); +- //doTag(s2h(obj),tag,'rm'); +- }); +- +- // Fire tag add on enter +- $('.taginput').keypress(function(e) { +- if (!e) e=window.event; +- key = e.keyCode ? e.keyCode : e.which; +- if (key == 13) $('.tagok').click(); +- }); +- +- // Close tag entry +- $(document).on('click', '.tagcancel', function() { +- $('.taginput').val(''); +- $('.tagbox').fadeOut('fast'); +- }); +- +- // Add a tag +- $(document).on('click', '.tagok', function() { +- var tag = $('.taginput').val(); +- var obj = $('#pickbox_label').text(); +- var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; +- var OK = re.exec(tag); +- if (OK) doTag(s2h(obj),tag,'add'); +- }); +- +- // Remove a tag +- $(document).on('click', '.tagrm', function() { +- var tag = truncTag($('.taginput').val(),20); +- var obj = $('#pickbox_label').text(); +- doTag(s2h(obj),tag,'rm'); +- $(".tag" + ":contains('" + tag + "')").remove(); +- $('.tagcancel').click(); +- }); +- +- // Display or Toggle tags +- function addTag(tag) { +- // If we entered from payload we have some additional info +- if ($('#eview_sub2')[0]) { +- var longTag = tag.split(",")[0]; +- var theClass = tag.split(",")[1]; +- var t_tag = truncTag(longTag,20); +- } else { +- var t_tag = truncTag(tag,20); +- } +- +- // Hide empty +- $('.tag_empty').hide(); +- +- // Check if tag exists +- var tag_exists = 0; +- $('.tag').each(function() { +- if ($(this).text() == t_tag) { +- $(this).addClass('tag_active'); +- tag_exists = 1; +- } +- }); +- +- // Add tag to left pane +- if (tag_exists == 0) { +- var newTag = "
" + t_tag + "
"; +- $('#tg_box').prepend(newTag); +- } +- +- // If we have the payload open, add here as well +- if ($('#eview_sub2')[0]) { +- if($('#pickbox_label').is(":visible")) { +- theClass = $('#pickbox_label').data('sord')[0]; +- } +- // Remove placeholder +- if ($('#tag_none')[0]) $('#tag_none').remove(); +- var newTag = "
" + t_tag + "
"; +- $('#tag_area').prepend(newTag); +- } +- +- } +- +- function doTag(obj,tag,op) { +- var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { +- if (op != 'rm') addTag(tag); +- $('.tagcancel').click(); +- } +- } +- } +- +- // Colours +- $(document).on('click', '.csave', function() { +- var obtype = $(this).data('obtype'); +- var object = $(this).data('object'); +- var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); +- var op = "add"; +- var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; +- var OK = re.exec(colour); +- if (!OK) return; +- // Single or multiple? +- if (obtype == "src" || obtype == "dst") { +- var vr = new Array(); +- $("." + obtype).each(function() { +- var v = $(this).text(); +- var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; +- var OK = re.exec(v); +- if (OK) { +- var t = vr.indexOf(v); +- if (t < 0) vr.push(v); +- } +- }); +- object = vr.toString(); +- } +- +- var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; +- $(function(){ +- $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); +- }); +- +- function cb22(data){ +- eval("theData=" + data); +- if (theData.msg != '') { +- alert(theData.msg); +- } else { // We should be good.. +- var curObject = $('#pickbox_label').text(); +- if (obtype == "el") { +- var html = "
" + colour; +- $('#el_' + curObject).html(html); +- $('#el_' + curObject).data('col', colour); +- } else { +- $(".sub_filter:contains(" + curObject + ")").each(function() { +- $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); +- }); +- } +- $('.pickbox').fadeOut('fast'); +- } +- } +- }); +- +- $(document).on('click', '.pickbox_close', function() { +- $('.tagcancel').click(); +- $('.pickbox').fadeOut('fast'); +- }); +- +- // +- // Object History +- // +- +- function hItemAdd(item) { +- var itemTitle = item; +- // Truncate +- if (item.length > 33) { +- itemTitle = item.substring(0,33) + ".."; +- } +- // Remove empty message +- $('.history_empty').hide(); +- +- // If the item doesn't exist, add it. Otherwise, we start counting. +- if ($(".h_item:contains('" + itemTitle + "')").length > 0) { +- var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); +- var nc = Number(oc) + 1; +- var bg = '#c9c9c9'; +- var fn = 'normal'; +- if (nc <= 3) { +- bg = '#000'; +- } else if (nc > 3) { +- bg = '#cc0000'; +- fn = 'bold'; +- } +- +- $(".h_item:contains('" + itemTitle + "')").css('color', bg); +- $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); +- $(".h_item:contains('" + itemTitle + "')").data('n',nc); +- $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); +- } else { +- var toAdd = " " + itemTitle + ""; +- $('#h_box').prepend(toAdd); +- } +- } +- +- if (!$('.h_item')[0]) { +- $('.history_empty').show(); +- } +- +- // Alt mappings for icons +- +- $.alt('1', function() { +- $("#ico01").click(); +- }); +- $.alt('2', function() { +- $("#ico02").click(); +- }); +- $.alt('3', function() { +- $("#ico03").click(); +- }); +- $.alt('4', function() { +- $("#ico05").click(); +- }); +- $.alt('5', function() { +- $("#ico04").click(); +- }); +- +- // +- // Event classification +- // +- +- // Use function keys to trigger status buttons +- $(document).keydown(function(event){ +- +- function stopOthers() 
{ +- event.originalEvent.keyCode = 0; +- event.preventDefault(); +- event.stopPropagation(); +- } +- +- switch (event.keyCode) { +- case 112: stopOthers(); $('#b_class-11').click(); break; +- case 113: stopOthers(); $('#b_class-12').click(); break; +- case 114: stopOthers(); $('#b_class-13').click(); break; +- case 115: stopOthers(); $('#b_class-14').click(); break; +- case 116: stopOthers(); $('#b_class-15').click(); break; +- case 117: stopOthers(); $('#b_class-16').click(); break; +- case 118: stopOthers(); $('#b_class-17').click(); break; +- case 119: stopOthers(); $('#b_class-1').click(); break; +- case 120: stopOthers(); $('#b_class-2').click(); break; +- } +- }); +- +- // Comment window status buttons +- $(document).on("click", "#cw_buttons", function(event) { +- var newclass = $(event.target).data('n'); +- if (newclass == 0) { +- $('#b_class-' + newclass).click(); +- } else { +- $('#b_class-' + newclass).click(); +- } +- }); +- +- // Highlight colour for selected events +- var hlcol = "#FFFFE0"; +- var hlhov = "#FDFDD6"; +- +- // Individual selects +- var clickOne = 0, clck1 = 0, clck2 = 0; +- $(document).on("click", ".chk_event", function(event) { +- $("#tl3b").trigger('update'); +- var clickTwo = this.id.split("_"); +- if (Number(clickOne[1]) > Number(clickTwo[1])) { +- clck1 = clickTwo[1]; +- clck2 = clickOne[1]; +- } else { +- clck1 = clickOne[1]; +- clck2 = clickTwo[1]; +- } +- +- if (event.shiftKey) { +- if (clck1 != clck2) { +- $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); +- $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); +- $("#s" + clck1).nextUntil("#s" + clck2).hover( +- function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- clickOne = 0, clck1 = 0, clck2 = 0; +- } +- } +- +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- if ($("#ca1:checked").length > 0) { +- $("#ca1").prop("checked",false); +- 
} +- clickOne = this.id.split("_"); +- +- if ($(this).prop("checked") == true) { +- $("#s" + clickTwo[1]).css("background-color", hlcol); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- } else { +- $("#s" + clickTwo[1]).css("background-color", "transparent"); +- $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- } +- }); +- +- // Select all (2) +- $(document).on("click", "#ca1", function(event) { +- var chkLen = $("#ca1:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca0").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- $(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca0").prop("checked",true); +- break; +- } +- +- if ($(".eview_sub1")[0]) { +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- } +- +- }); +- +- // Select all (2a) - clean this up, the above is almost identical +- $(document).on("click", "#ca2", function(event) { +- var chkLen = $("#ca2:checked").length; +- switch(chkLen) { +- case 0: +- $(".chk_event").prop("checked",false); +- $("#ca2").prop("checked",false); +- $(".d_row_sub1").css("background-color", "transparent"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "transparent")}); +- break; +- default: +- 
$(".chk_event").each(function() { +- if ($(this).prop("disabled") == false) { +- $(this).prop("checked",true); +- } +- }); +- $(".d_row_sub1").css("background-color", hlcol); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, +- function(){$(this).css("background-color", hlcol)}); +- $("#ca2").prop("checked",true); +- break; +- } +- // Update class_count +- $("#class_count").html($(".chk_event:checked").length); +- }); +- +- // Class button click +- $(document).on("click", "[id*=\"b_class-\"]", function() { +- // We only fire if something is selected +- var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); +- var intclass = $(this).attr('id').split("-"); +- if (chkLen > 0 && intclass[1] != 0) { +- eClass(this,intclass[1]); +- } +- }); +- +- function eClass(caller,intclass) { +- // The sid.cid values +- var scid= "", scidlist = "", ecls = 0; +- if ($(".eview_sub1")[0] || $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- if ($(this).data('eclass') == 0) { +- ecls++; +- } +- scid += $(this).val() + ","; +- }); +- scidlist = scid.replace(/,$/, ""); +- } else { +- ecls = $(".d_row_active").find(".b_ec_hot").text(); +- scidlist = $("#ca0").data("scid"); +- } +- +- // Was there a message? +- var msg = "none"; +- if ($(".cat_msg_txt").val().length != 0) { +- msg = $(".cat_msg_txt").val(); +- } +- +- if ($('#cat_box').css('display') != 'none') { +- $('#ico01').click(); +- } +- +- // We are now ready to class +- var catdata = intclass + "|||" + msg + "|||" + scidlist; +- var urArgs = "type=" + 9; +- $(function(){ +- $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); +- }); +- +- function cb9(data){ +- eval("catRaw=" + data); +- catDbg = catRaw.dbg; +- if (catDbg == "0") { +- +- var curtotalrtcount = Number(ecls); +- // Working on grouped events +- if ($("#gr").text() == "on") { +- curclasscount = Number($("#class_count").text()); +- var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); +- // Do we have queued events? +- if (curtotalparentcount > 0) { +- +- // Are we working on queued events? +- if (curtotalrtcount > 0) { +- curclasscount = curtotalrtcount; +- } else { +- curclasscount = 0; +- } +- // Adjust the parent count +- newparentcount = parseInt(curtotalparentcount - curclasscount,10); +- $(".d_row_active").find(".b_ec_hot").text(newparentcount); +- +- if (newparentcount == 0) { +- $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); +- $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- +- // If we are working within the child, adjust accordingly +- if ($(".eview_sub1")[0]) { +- // How many are in the child +- curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); +- +- // Adjust the child count +- newchildcount = parseInt(curtotalchildcount - curclasscount,10); +- $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); +- if (newchildcount == 0) { +- $("#ca1").prop("disabled",true); +- $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); +- } +- // Otherwise we were called from the parent +- } else { +- $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); +- $(".d_row_sub").find(".b_ec_hot").text(0); +- $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); +- $("#ca0").prop("disabled",true); +- } +- lastclasscount = newparentcount; +- } +- +- // Lastly, update class_count +- if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { +- $("#class_count").html(0); +- } else { +- 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); +- } +- +- // Working on ungrouped events +- } else { +- $("#class_count").html(lastclasscount); +- } +- +- // What the new classification is +- selClass = $(caller).data("cn"); +- newClass = "a_" + selClass; +- +- // Change visible class and disable if RT +- // If we are RT ungrouped, we just remove +- if ($('#rt').text() == 'on' && $("#ca2")[0]) { +- $(".chk_event:checked").each(function() { +- var pid = $(this).attr("id").split("_"); +- var nid = parseInt(Number(pid[1]) + 1); +- // Remove any open payload or TX panes +- if ($("[id^=eview_]")[0]) { +- $("[id^=eview_]").remove(); +- $(".d_row_sub1").css('opacity','1'); +- } +- // Remove the row +- $("#s" + pid[1]).fadeOut('fast', function() { +- $("#s" + pid[1]).remove(); +- }); +- }); +- +- // Update table (for sorter) +- $("#tl3b").trigger('update'); +- } else { +- // If we are RT and all events are classed we just remove +- if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { +- $("#active_eview").remove(); +- $(".d_row_active").fadeOut('slow', function (event) { +- $(".d_row_active").remove(); +- var newsigtotal = "-"; +- var sigtotal = $("#esignature").text(); +- if (sigtotal > 0) { +- newsigtotal = parseInt(sigtotal - 1); +- } +- $("#esignature").text(newsigtotal); +- }); +- $(".d_row").css('opacity','1'); +- } else { +- $(".chk_event:checked").each(function() { +- var n = this.id.split("_"); +- $("#class_box_" + n[1]).attr('class', newClass); +- $("#class_box_" + n[1]).text(selClass); +- if (curtotalparentcount > 0) { +- $(this).prop("disabled",true); +- } +- }); +- } +- $(".d_row_sub1").css("background-color", "#fafafa"); +- $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, +- function(){$(this).css("background-color", "#fafafa")}); +- } +- +- // Uncheck everything +- $(".chk_event").prop("checked", false); +- $(".chk_all").prop("checked", false); +- // Remove these scids from 
the L1 scidlist +- if ($("#ca0")[0] && rtbit == 1) { +- var cur_scidlist = scidlist.split(','); +- var active_scidlist = $("#ca0").data("scid"); +- for (var i = 0; i < cur_scidlist.length; i++) { +- active_scidlist = active_scidlist.replace(cur_scidlist[i],''); +- } +- active_scidlist = active_scidlist.replace(/,{2,}/g,','); +- active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); +- $("#ca0").data("scid", active_scidlist); +- } +- catMsg(scidlist.split(',').length, curtotalrtcount); +- } else { +- catMsg(0); +- } +- } +- } +- +- function catMsg(count, rtcount) { +- switch (count) { +- default: +- var ess = ''; +- if ( count > 1 ) ess = 's'; +- +- var numrows = Number($('.d_row').length + $('.d_row_sub1').length); +- var newboxtotal = 0, newcatcount = 0; +- newboxtotal = parseInt($("#qtotal").text() - rtcount); +- $("#qtotal").text(newboxtotal); +- +- // If we are just rt update Total boxes as we go +- if ($("#ca2")[0]) { // We are ungrouped +- newcatcount = parseInt($("#cat_count").text() - count); +- if (newcatcount == 0) { +- newView("u"); +- } else { +- $("#cat_count").text(newcatcount); +- } +- } +- +- if (numrows == 0) { +- newView("u"); +- } +- +- var msg = count + " event" + ess + " categorized"; +- clearTags(); +- break; +- } +- +- $("span.class_msg").text(msg); +- $("span.class_msg").fadeIn('slow', function() { +- setTimeout(function(){ +- $(".class_msg").fadeOut('slow'); +- }, 3000); +- }); +- } +- +- // Load summary tab +- function loadSummary() { +- var limit = 10; +- if ($('#wm0')[0]) { +- doMap("redraw"); +- } else { +- doMap("draw"); +- } +- mkSummary("signature",limit); +- mkSummary("srcip",limit); +- mkSummary("dstip",limit); +- mkSummary("srcpt",limit); +- mkSummary("dstpt",limit); +- mkSummary("srccc",limit); +- mkSummary("dstcc",limit); +- } +- +- // Toggle summary section +- $(document).on("click", ".hidepane", function(e) { +- $('#topsignature').toggle(); +- }); +- +- // Summary tab +- function mkSummary(box,limit) { +- var theWhen = 
getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('#ov_' + box + '_sl').prepend(ldr); +- $('#top' + box).fadeTo('fast', 0.2); +- switch (box) { +- case "srcip": +- var cbArgs = "srcip"; +- var qargs = "ip-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstip": +- var cbArgs = "dstip"; +- var qargs = "ip-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "srcpt": +- var cbArgs = "srcpt"; +- var qargs = "pt-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "dstpt": +- var cbArgs = "dstpt"; +- var qargs = "pt-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); +- }); +- break; +- case "signature": +- var qargs = "sig-sig"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); +- }); +- break; +- case "srccc": +- var cbArgs = "srccc"; +- var qargs = "cc-src"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- case "dstcc": +- var cbArgs = "dstcc"; +- var qargs = "cc-dst"; +- var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); +- }); +- break; +- } +- +- // IP and Country +- function cb15(data,cbArgs){ +- var ch = "SRC"; +- var wip = "d"; +- if (cbArgs[0] == "s") ch = "DST", wip = "s"; +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#" + ch + ""; +- if (cbArgs[3] == "c") { +- head += "COUNTRY"; +- head += "#IP"; +- } else { +- head += "IP"; +- head += "COUNTRY"; +- } +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + ip2 + ""; +- +- if (cbArgs[3] == "c") { +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- row += "" + ip + ""; +- } else { +- row += "
" + ip + ""; +- row += ""; +- row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; +- } +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- +- // Ports +- function cb17(data,cbArgs){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SIG"; +- head += "#SRC" +- head += "#DST"; +- head += "PORT"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_" + cbArgs + "_sl").text(""); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + sigs + ""; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + port + ""; +- row += ""; +- row += "
"; +- } +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); +- $("#ov_" + cbArgs + "_sl").after(tbl); +- $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_" + cbArgs + "_sl", i, records); +- } +- // Signature +- function cb16(data){ +- eval("raw=" + data); +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "#SRC"; +- head += "#DST"; +- head += "SIGNATURE"; +- head += "ID"; +- head += ""; +- +- var eventsum = raw[raw.length - 1].n || 0; +- var records = raw[raw.length - 1].r || 0; +- if (records == 0) { +- row = "No result."; +- $("#ov_signature_sl").text(""); +- $("#ovestat").html("(No events)"); +- } else { +- $("#ovestat").html("(" + eventsum + " events)"); +- } +- for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + src + ""; +- row += "" + dst + ""; +- row += "" + sig + ""; +- row += "" + sid + ""; +- row += ""; +- row += "
"; +- } +- +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
"; +- if ($('#topsignature')[0]) $('#topsignature').remove(); +- $("#ov_signature_sl").after(tbl); +- $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); +- mkSlider("ov_signature_sl", i, records); +- } +- } +- +- $(".ovsl").mouseup(function() { +- var section = $(this).attr('id'); +- var base = section.split("_")[1]; +- var limit = Number($("#" + section + "_lbl").text()); +- if (limit > 0) mkSummary(base, limit); +- }); +- +- // +- // Views tab +- // +- +- function loadViews() { +- $('.db_links').show(); +- if (!$("#db_view_cont")[0]) mkView(); +- } +- +- // Link handlers +- $(document).on('click', '.db_link', function() { +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_link_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click', '.db_type', function() { +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).removeClass('db_type_active'); +- $(this).data('state', '0'); +- } +- }); +- $(this).data('state', '1'); +- mkView(); +- }); +- +- $(document).on('click','.db_save', function() { +- +- }); +- +- // Create the view +- function mkView() { +- $('#db_view_cont,#hp_info').remove(); +- if (!$("#db_view_ldr")[0]) { +- var view = 'ip'; +- $('.db_link').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_link_active'); +- view = $(this).data('val'); +- } +- }); +- +- var type = 'sk'; +- $('.db_type').each(function() { +- if ($(this).data('state') == '1') { +- $(this).addClass('db_type_active'); +- type = $(this).data('type'); +- } +- }); +- +- var theWhen = getTimestamp(); +- var theSensors = s2h('empty'); +- var theFilter = mkFilter(); +- // See if we are filtering by sensor +- if ($('.chk_sen:checked').length > 0) { +- var active_sensors = "AND event.sid IN("; +- var iter = $('.chk_sen:checked').length; +- $('.chk_sen:checked').each(function() { +- 
active_sensors += "'" + $(this).val() + "',"; +- }); +- active_sensors = active_sensors.replace(/,+$/,''); +- active_sensors += ")"; +- theSensors = s2h(active_sensors); +- } +- +- var ldr = "
"; +- $('.db_view').after(ldr); +- var qargs = view + "-" + type; +- var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); +- }); +- +- function cb17(data,type) { +- eval("viewData=" + data); +- var records = viewData.records; +- if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); +- if (records > 0) { +- $('.db_view').after("
"); +- switch (type) { +- case 'sk': +- var w = $(window).width(); +- var h = viewData.links.length * 12; +- if (h < 100) h = 100; +- mkSankey("db_view_cont",viewData,w,h); +- break; +- } +- } else { +- $('.db_view').after("
The query returned no results.
"); +- } +- $('#db_view_ldr').remove(); +- } +- } +- } +- +- // Make a map +- function doMap() { +- theWhen = getTimestamp(); +- var theFilter = mkFilter(); +- var working = "Working
"; +- +- $('#wm0').html(working); +- +- var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); +- }); +- +- function cb10(data){ +- eval("mapRaw=" + data); +- try { +- var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); +- var srcc = mapRaw.srcc; +- var srce = mapRaw.srce; +- var dstc = mapRaw.dstc; +- var dste = mapRaw.dste; +- var allc = mapRaw.allc; +- var alle = mapRaw.alle; +- } +- catch(e) { +- var mapDetail = "{\"\"}"; +- } +- +- // What is our current event total? +- var esum = $('#event_sum').val(); +- var w = $(window).width() - 72; +- var h = w / 2.7 ; +- $("#ov_map").html("
"); +- $('#wm0').vectorMap({ +- map: 'world_mill_en', +- color: '#f4f3f0', +- backgroundColor: '#CFE1FC', +- zoomOnScroll: false, +- onRegionClick: function(event, code){ +- hItemAdd(code); +- $('#search').val("cc" + " " + code); +- $('#search').focus(); +- }, +- series: { +- regions: [{ +- values: mapDetail, +- scale: ['#ffffff', '#000000'], +- normalizeFunction: 'polynomial' +- }] +- }, +- onRegionLabelShow: function(e, el, code){ +- if (mapDetail[code]) { +- var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); +- el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); +- } else { +- el.html(el.html()); +- } +- } +- }); +- +- var stats = "("; +- stats += allc + " distinct countries)"; +- $("#ovmapstat").html(stats); +- } +- } +- +- // Redraw map +- $(document).on("click", "#map_src, #map_dst", function() { +- doMap($(this).attr('id').split("_")[1]); +- }); +- +- // +- // History +- // +- +- function doHistory(object) { +- $('#loader').show(); +- var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; +- $(function(){ +- $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); +- }); +- +- function cb21(data){ +- eval("chartData=" + data); +- var r1 = chartData.r1; +- var r2 = chartData.r2; +- var sum = 0; +- if (r1 > 0) { +- mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); +- $('#obhist_sig').remove(); +- if (r2 > 0) { +- +- for (var i=0; i < r2; i++) { +- sum += Number(chartData.rows2[i].value); +- } +- +- var tbl = '', head = '', row = ''; +- head += ""; +- head += "COUNT"; +- head += "%TOTAL"; +- head += "SIGNATURE"; +- head += ""; +- row += ""; +- +- for (var i=0; i < r2; i++) { +- +- var cnt = chartData.rows2[i].value || "-"; +- var sig = chartData.rows2[i].label || "-"; +- var sid = chartData.rows2[i].sid || "-"; +- var per = 0; +- if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); +- var tsg = truncTag(sig,60); +- +- row += ""; +- row += "" + cnt + ""; +- row += "" + per + "%"; +- row += "" + tsg + ""; +- row += "" +- row += "
"; +- } +- +- row += ""; +- tbl += ""; +- tbl += head; +- tbl += row; +- tbl += "
";
+- if ($('#obhist_sig')[0]) $('#obhist_sig').remove();
+- $(".ev_py").append(tbl);
+- }
+- } else {
+- return;
+- }
+- if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow');
+- $("#loader").hide();
+- }
+- }
+-// The End.
+-});
+--- securityonion-squert-20161212.orig/auth/sso/squert/login.php
++++ /dev/null
+@@ -1,158 +0,0 @@
+-
+-//
+-// This program is free software: you can redistribute it and/or modify
+-// it under the terms of the GNU General Public License as published by
+-// the Free Software Foundation, either version 3 of the License, or
+-// (at your option) any later version.
+-//
+-// This program is distributed in the hope that it will be useful,
+-// but WITHOUT ANY WARRANTY; without even the implied warranty of
+-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-// GNU General Public License for more details.
+-//
+-// You should have received a copy of the GNU General Public License
+-// along with this program. If not, see .
+-//
+-//
+-
+-include_once '.inc/config.php';
+-
+-$username = $password = $err = '';
+-$focus = 'username';
+-session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
+-
+-function cleanUp($string) {
+- if (get_magic_quotes_gpc()) {
+- $string = stripslashes($string);
+- }
+- $string = mysql_real_escape_string($string);
+- return $string;
+-}
+-
+-//if ($_SERVER['REQUEST_METHOD'] == 'POST'){
+- //$username = $_REQUEST['username'];
+- //$password = $_REQUEST['password'];
+- // sso
+- $username = $_SERVER['PHP_AUTH_USER'];
+- $password = $_SERVER['PHP_AUTH_PW'];
+-
+- $ua = $_SERVER['HTTP_USER_AGENT'];
+- $rqt = $_SERVER['REQUEST_TIME'];
+- $rqaddr = $_SERVER['REMOTE_ADDR'];
+- $max = mt_getrandmax();
+- $rqt .= mt_rand(0,$max);
+- $rqaddr .= mt_rand(0,$max);
+- $ua .= mt_rand(0,$max);
+- $cmpid = $rqt . $rqaddr . $ua;
+- $id = md5($cmpid);
+- // PDO prepared statements
+- try {
+- // first connect to database with the PDO object.
+- $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [
+- PDO::ATTR_EMULATE_PREPARES => false,
+- PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false,
+- PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
+- ]);
+- } catch(PDOException $e){
+- // if connection fails, log PDO error.
+- error_log("Error connecting to mysql: ". $e->getMessage());
+- }
+-
+- if (isset($dbpdo)) {
+- // prepare statement
+- $statement = "SELECT * FROM user_info WHERE username = :user";
+- $query = $dbpdo->prepare("$statement");
+- // build parameters for prepared statement
+- $params = [":user" => "$username"];
+- // execute the prepared statement and pass it params
+- $query->execute($params);
+- // fetch the data
+- while ($row = $query->fetch(PDO::FETCH_NUM)) {
+- $userName = $row[1];
+- $lastLogin = $row[2];
+- $userHash = $row[3];
+- $userEmail = $row[4];
+- $userType = $row[5];
+- $userTime = $row[6];
+- $tzoffset = $row[7];
+- }
+-
+- // if $username was found in database, then check password
+- if ( isset($userName) && $username == $userName) {
+- // The first 2 chars are the salt
+- $theSalt = substr($userHash, 0,2);
+-
+- // The remainder is the hash
+- $theHash = substr($userHash, 2);
+-
+- // Now we hash the users input
+- $testHash = sha1($password . $theSalt);
+-
+- // Does it match? If yes, start the session.
+- if ($testHash === $theHash) {
+- session_start();
+-
+- // Protect against session fixation attack
+- if (!isset($_SESSION['initiated'])) {
+- session_regenerate_id();
+- $_SESSION['initiated'] = true;
+- }
+-
+- $_SESSION['sLogin'] = 1;
+- $_SESSION['sUser'] = $userName;
+- $_SESSION['sPass'] = $password;
+- $_SESSION['sEmail'] = $userEmail;
+- $_SESSION['sType'] = $userType;
+- $_SESSION['sTime'] = $userTime;
+- $_SESSION['tzoffset'] = $tzoffset;
+- $_SESSION['sTab'] = 't_sum';
+- $_SESSION['id'] = $id;
+-
+- header ("Location: index.php?id=$id");
+- } else {
+- $err = 'The user name or password is incorrect.';
+- $focus = 'username';
+- }
+- } else {
+- $err = 'The user name or password is incorrect.';
+- $focus = 'username';
+- }
+- } else {
+- $err = 'Connection Failed';
+- }
+-//}
+-?>
+-
+-
+-
+-Please login to continue
+-
+-
+-
+-
+-
+-
+- +- +- +- +- +- +-
+-squert - Please login to continue
+-Username
+-
+-Password
+-
+-

+-
Version 1.7.1©2016 Paul Halliday
+-
+-
+- +- +- +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -150,7 +150,7 @@ Password
+

+ + +-
Version 1.7.0©2016 Paul Halliday
++
Version 1.7.1©2016 Paul Halliday
+ + + diff --git a/debian/patches/fix-for-loop b/debian/patches/fix-for-loop new file mode 100644 index 0000000..d49a09b --- /dev/null +++ b/debian/patches/fix-for-loop 
@@ -0,0 +1,36 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-squert (20161212-1ubuntu1securityonion37) xenial; urgency=medium
+ .
+ * fix for loop
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-squert-20161212.orig/.inc/callback.php
++++ securityonion-squert-20161212/.inc/callback.php
+@@ -444,7 +444,7 @@ function level2() {
+ $rows = $query->fetchAll(PDO::FETCH_ASSOC);
+ // the frontend expects all values to be strings
+ for ($i=0;$i
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-squert (20161212-1ubuntu1securityonion35) xenial; urgency=medium
+ .
+ * frontend expects all values to be strings
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format.
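Review bot: The index loop `for ($i=0;$i…` that this patch puts in place of the single-row conversion in level2() is harder to read than a nested `array_map` over the whole result set, and only the loop header survives in this rendering, so the body and the actual "fix for loop" change are not visible here. Presumably the bound is `count($rows)` and the body reassigns `$rows[$i]`; the same can be written without an index or a per-iteration length check as `$rows = array_map(function (array $row) { return array_map('strval', $row); }, $rows);`, which also behaves sensibly on an empty result set. The same index loop appears in the `iterate-over-all-arrays-when-converting-strings` patch further down. Separately, the new patch files still carry the unedited DEP3 template (`Description:` followed by `TODO: Put a short summary on the line above …`); the one-line summary should replace that block, in this file and the other new debian/patches files in this commit. level2()'s body starts and ends outside the hunk.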
Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-squert-20161212.orig/.inc/callback.php
++++ securityonion-squert-20161212/.inc/callback.php
+@@ -442,6 +442,8 @@ function level2() {
+ $query->execute($merged_params);
+ // fetch the data and encode to json
+ $rows = $query->fetchAll(PDO::FETCH_ASSOC);
++ // the frontend expects all values to be strings
++ $rows[0] = array_map('strval', $rows[0]);
+ $theJSON = json_encode($rows);
+ echo $theJSON;
+
diff --git a/debian/patches/iterate-over-all-arrays-when-converting-strings b/debian/patches/iterate-over-all-arrays-when-converting-strings
new file mode 100644
index 0000000..0411e40
--- /dev/null
+++ b/debian/patches/iterate-over-all-arrays-when-converting-strings
@@ -0,0 +1,38 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion36) xenial; urgency=medium + . + * iterate over all arrays when converting strings +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -443,7 +443,9 @@ function level2() { + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); + // the frontend expects all values to be strings +- $rows[0] = array_map('strval', $rows[0]); ++ for ($i=0;$i + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion32) xenial; urgency=medium + . + * move files from elastic package +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. 
Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- /dev/null ++++ securityonion-squert-20161212/.js/squertMain.js +@@ -0,0 +1,3276 @@ ++/* Copyright (C) 2012 Paul Halliday */ ++ ++$(document).ready(function(){ ++ ++ $(document).on('click', '[class*="bpr"]', function() { ++ // We disallow filtering if any events have already been selected ++ // or if we stray from the event tab ++ if ($('.d_row_active')[0]) return; ++ if ($(".chk_event:checked").length > 0) return; ++ if ($(".tab_active").attr('id') != 't_sum') return; ++ ++ var prClass = $(this).attr('class').split('b')[1]; ++ var prOld = $(this).data('pr'); ++ ++ function flipIt(pattern) { ++ $(pattern).closest('tr').hide(); ++ $(pattern).closest('tr').attr('class','hidden'); ++ if ($('#gr').text() == 'on') $(pattern).closest('tr').find('.chk_event').prop("disabled",true); ++ } ++ if ($('.b' + prClass).attr('class') == 'bprA') { ++ $('.b' + prClass).attr('class', 'bpr' + prOld); ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ } else { ++ // See if we are already filtered ++ if ($('.bprA')[0]) { ++ $('.hidden').attr('class','d_row'); ++ $('.d_row').show(); ++ if ($('#gr').text() == 'on') { ++ $('.chk_event').prop("disabled",false); ++ $('.chk_all').prop("checked",false); ++ $('.chk_event').css("background-color", "#fafafa"); ++ } ++ var prPrev = $('.bprA').data('pr'); ++ $('.bprA').attr('class', 'bpr' + prPrev); ++ } ++ $('.b' + prClass).attr('class','bprA'); ++ switch (prClass) { ++ case "pr1": ptrn = ".pr2,.pr3,.pr4"; break; ++ case "pr2": ptrn = ".pr1,.pr3,.pr4"; break; ++ case "pr3": ptrn = ".pr1,.pr2,.pr4"; break; ++ case "pr4": ptrn = ".pr1,.pr2,.pr3"; 
break; ++ } ++ flipIt(ptrn); ++ } ++ }); ++ ++ // ++ // Load main content ++ // ++ ++ // Keep track of context ++ thisUser = $('#t_usr').data('c_usr'); ++ thisTZ = $('#user_tz').val(); ++ rtbit = 0; ++ eventList("0-aaa-00"); ++ $("#loader").show(); ++ lastclasscount = 0; ++ ++ $(document).on("click", "#dt_savetz", function(event) { ++ if ($('.dt_error').data('err') == 0) { ++ var newOffset = $('#ts_offset').val(); ++ profileUpdate("tz", s2h(newOffset)); ++ $('#user_tz').val(newOffset); ++ } ++ }); ++ ++ // Depending on context a 'No result' may be confusing ++ // so we turn off active queue and show everything ++ $(document).on('click', '#retry', function() { ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ }); ++ ++ // Get event statuses ++ var eTotal = 0, qTotal = 0; ++ function statusPoll(caller) { ++ // See if we are filtering by sensor ++ var theSensors = s2h('empty'); ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var urArgs = "type=" + 6 + "&ts=" + theWhen + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb(data)}); ++ }); ++ ++ function cb(data){ ++ // Check to make sure we still have a valid session. If we don't ++ // let the user know and return them to the login page. ++ if (data[0] == "<") { ++ $("span.class_msg").text("Your session has expired!"); ++ $("span.class_msg").css("background-color", "#cc0000"); ++ $("span.class_msg").css("color", "#fff"); ++ $("span.class_msg").show(); ++ var sessionDead = confirm("Your session has expired. Press \"OK\" to return to the login page. 
If you aren't finished with what you were looking at click 'Cancel'. Note: you won't be able to perform any actions."); ++ if (sessionDead) { ++ $("#logout").click(); ++ } ++ } ++ eval("ec=" + data); ++ ++ var esum = 0; ++ ++ for (var i=0; i 0) { ++ var p = parseFloat(ecount/esum*100).toFixed(1); ++ var w = parseInt(p*2); ++ } ++ if (eclass == 0) { ++ qTotal = ecount; ++ } ++ $("#c-" + eclass).text(ecount); ++ $("#c-" + eclass).append("(" + p + "%)"); ++ } ++ ++ var lastcount = $("#cat_sum").val(); ++ var newcount = esum; ++ $("#cat_sum").val(esum); ++ eTotal = esum; ++ $("#event_sum").val(eTotal); ++ ++ if (caller == 0) { // Fresh load ++ lastcount = newcount; ++ } ++ ++ // Last RT value ++ var lastQ = Number($("#qtotal").html()); ++ if (lastcount < newcount) { ++ $("#etotal").html(eTotal); ++ } ++ ++ if (lastQ < qTotal) { ++ if (caller != 0) { ++ if ($(".icon_notifier").css('display') == 'none') $(".icon_notifier").fadeToggle(); ++ } ++ $("#etotal").html(eTotal); ++ $("#qtotal").html(qTotal); ++ } ++ ++ $("#title").html("squert (" + qTotal + ") - " + thisUser); ++ ++ } ++ ++ } ++ ++ // ++ // Event monitor (how often we poll for new events) ++ // ++ ++ var emTimeout = 30000; ++ window.setInterval(function(){ ++ if ($('#search').val().length == 0) { ++ statusPoll(1); ++ } ++ }, emTimeout); ++ ++ $(document).on("click", '[class*="cl_"]', function(event) { ++ var nc = $(this).attr('class').split("_"); ++ var ct = $(this).parents('table').data('comment'); ++ $(".cat_msg_txt").val(ct); ++ $('#b_class-' + nc[1]).click(); ++ }); ++ ++ // Tabs ++ var tab_cached = $("#sel_tab").val(); ++ ++ switch (tab_cached) { ++ case "t_sum": ++ $('.content-right').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ loadViews(); ++ default: ++ $('.content-right').hide(); ++ 
$('.content-left').hide(); ++ break; ++ } ++ ++ $('#' + tab_cached).attr('class','tab_active'); ++ $("#" + tab_cached + "_content").attr('class','content_active'); ++ ++ $(".tab,.tab_active").click(function(event) { ++ var active = $(".tab_active").attr('id'); ++ var content = $(".content_active").attr('id'); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ ++ if ( this.id != active ) { ++ $("#" + active).removeClass('tab_active'); ++ $("#" + active).addClass('tab'); ++ $(this).attr('class','tab_active'); ++ $("#" + content).attr('class','content'); ++ $("#" + this.id + "_content").attr('class','content_active'); ++ activeTab = $(".tab_active").attr('id'); ++ $('.pin').hide(); ++ ++ switch (activeTab) { ++ case "t_sum": ++ $('.content-right').show(); ++ if (Number($('.botog').data('val')) == 1) $('.content-left').show(); ++ $('.t_pbar').css('opacity',1); ++ $('.db_links').hide(); ++ $('.pin').show(); ++ break; ++ case "t_ovr": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ if ($('#ovestat').text().length == 0) loadSummary(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ case "t_view": ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ loadViews(); ++ break; ++ default: ++ $('.content-right').hide(); ++ $('.content-left').hide(); ++ $('.t_pbar').css('opacity',.1); ++ $('.db_links').hide(); ++ break; ++ } ++ ++ $('#sel_tab').val(activeTab); ++ var ctab = $('#sel_tab').val(); ++ var urArgs = "type=" + 5 + "&tab=" + ctab; ++ $.get(".inc/callback.php?" 
+ urArgs); ++ } ++ }); ++ ++ // Sub tab groups ++ $(".tsg").click(function(event) { ++ var nc = Number($(this).attr('class').split(/\s/).length); ++ var ct = $(this).data('tab'); ++ $('.tsg_active').attr('class','tsg'); ++ $(this).attr('class','tsg tsg_active'); ++ }); ++ ++ // Toggle and update views ++ function newView(req) { ++ // No racing please ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ // Remove any stale views ++ $("#tl0,#tl1,#tl3a,#tl3b").remove(); ++ var f = "0-aaa-00"; ++ var s = "2a-aaa-00"; ++ var cv = $("#gr").text(); ++ ++ switch (cv) { ++ case "on": ++ eventList(f); ++ $("#loader").show(); ++ break; ++ case "off": ++ eventList(s); ++ $("#loader").show(); ++ break; ++ } ++ } ++ ++ // Group and ungroup ++ $(document).on("click", "#gr", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#gr').text(); ++ switch (cv) { ++ case 'on': ++ $('#gr').attr('class','tvalue_off'); ++ $('#gr').text('off'); ++ break; ++ case 'off': ++ $('#gr').attr('class','tvalue_on'); ++ $('#gr').text('on'); ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ }); ++ ++ // RT check/uncheck ++ $(document).on("click", "#rt", function(event) { ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ var cv = $('#rt').text(); ++ switch (cv) { ++ case 'on': ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ break; ++ case 'off': ++ $('#rt').attr('class','tvalue_on'); ++ $('#rt').text('on'); ++ rtbit = 1; ++ break; ++ } ++ }); ++ ++ // Toggle side/lower bars ++ $(document).on("click", ".botog", function(event) { ++ if ($('.tab_active').attr('id') != 't_sum') return; ++ var n = Number($('.botog').data("val")); ++ switch (n) { ++ case 1: ++ $('.botog').data("val","0"); ++ $('.content-right').css("width","100%"); ++ $('.botog').attr('src','.css/layout0.png'); ++ break; ++ case 0: ++ $('.botog').data("val","1"); ++ 
$('.content-right').css("width","82%"); ++ $('.botog').attr('src','.css/layout1.png'); ++ break; ++ } ++ $('.bottom').animate({height: 'toggle'}); ++ $('.content-left').animate({width: 'toggle'}); ++ }); ++ ++ // Section show and hide ++ $(".st").click(function() { ++ var thisSec = $(this).data("sec"); ++ var thisSecID = "#sec_" + thisSec; ++ var thisSecVis = $(thisSecID).css("display"); ++ var lastSection = "h"; ++ switch (thisSecVis) { ++ case "none": ++ $(this).attr("src", ".css/uarr.png"); ++ $(thisSecID).slideDown(); ++ break; ++ default: ++ $(this).attr("src", ".css/darr.png"); ++ $(thisSecID).slideUp(); ++ break; ++ } ++ }); ++ ++ // If search is in focus, update on enter ++ $('#search').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) { ++ // Close comment box if it is open ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Sort ASC/DESC ++ $(document).on("click", ".event_time", function(event) { ++ var csv = $(".event_time").text(); ++ switch (csv) { ++ case "show oldest first": ++ $("#event_sort").val("ASC"); ++ break; ++ case "show newest first": ++ $("#event_sort").val("DESC"); ++ break; ++ } ++ newView("u"); ++ }); ++ ++ // Update page ++ $(document).on("click", ".b_update", function(event) { ++ $(".icon_notifier").fadeToggle(); ++ $(".tag").remove(); ++ $(".tag_empty").show(); ++ // Remove any supplementary results ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Where are we? 
++ var curTab = $('.tab_active').attr('id'); ++ switch (curTab) { ++ case 't_ovr': ++ loadSummary(); ++ break; ++ case 't_view': ++ mkView(); ++ break; ++ default: ++ $(".b_update_note").hide(); ++ newView("u"); ++ break; ++ } ++ }); ++ ++ // Clear search and refresh ++ $('#clear_search').click(function() { ++ if ($('#search').val() != '') { ++ $('#search').val(''); ++ $("#search").focus(); ++ if ($(".fl_val_on")[0]) { ++ $('.b_update').click(); ++ } ++ } ++ }); ++ ++ // Logout ++ $("#logout").click(function(event) { ++ //$.get("/logout.html", function(){location.reload()}); ++ location.replace("/logout.html"); ++ }); ++ ++ // Toggle filters ++ $(document).on('click', '.fl_val_on', function(event) { ++ var wF = $(this).data("ft"); ++ switch (wF) { ++ case "tl": ++ ++ break; ++ case "ob": ++ $('#clear_search').click(); ++ break; ++ case "sn": ++ $(".chk_sen").each(function() { ++ $(this).prop("checked",false); ++ }); ++ $('.b_update').click(); ++ break; ++ } ++ }); ++ ++ function clearTags() { ++ //$(".tag").remove(); ++ //$(".tag_empty").show(); ++ $(".tag").removeClass('tag_active'); ++ } ++ ++ // ++ // Rows ++ // ++ ++ function closeRow() { ++ $("#active_eview").remove(); ++ $("#" + this.id).attr('class','d_row'); ++ $(".d_row").css('opacity','1'); ++ ltCol = $(".d_row_active").find('td.lt').html(); ++ $(".d_row_active").find('td.lt').css('background', ltCol); ++ $(".d_row_active").attr('class','d_row'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ // Get rid of any crashed loaders ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow() { ++ $("#eview_sub1").remove(); ++ $("#" + this.id).attr('class','d_row_sub'); ++ $(".d_row_sub").css('opacity','1'); ++ $(".d_row_sub_active").attr('class','d_row_sub'); ++ // Update class_count ++ $("#class_count").text(lastclasscount); ++ curclasscount = lastclasscount; ++ $("#loader").hide(); ++ // Reset and 
show checkbox ++ $(".chk_all").prop("checked",false); ++ $("#ca0").show(); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow1() { ++ $("#eview_sub2").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub3")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub_active1").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ // Remove any open externals ++ if ($("#extresult")[0]) $("#extresult").remove(); ++ // Clear Tags ++ clearTags(); ++ } ++ function closeSubRow2() { ++ $("#eview_sub3").remove(); ++ $("#" + this.id).attr('class','d_row_sub1'); ++ if (!$("#eview_sub2")[0]) { ++ $(".d_row_sub1").css('opacity','1'); ++ $(".d_row_sub1_active").attr('class','d_row_sub1'); ++ } ++ $("#loader").hide(); ++ // Clear Tags ++ clearTags(); ++ } ++ ++ // ++ // Level 1 ++ // ++ ++ $(document).on("click", ".row_active", function(event) { ++ var curID = $(this).parent('tr').attr('id'); ++ // What type of row are we? ++ rowType = curID.substr(0,3); ++ ++ // Make sure no other instances are open ++ if (!$(".d_row_active")[0] && rowType == 'sid') { ++ $("#loader").show(); ++ // This leaves us with sid-gid ++ var rowValue = curID.replace("sid-",""); ++ var sigID = rowValue.split("-")[0]; ++ ++ $(".d_row_active").attr('class', 'd_row'); ++ $("#active_eview").attr('class','d_row'); ++ ++ // This is now the active row ++ $("#" + curID).attr('class','d_row_active'); ++ $("html, body").animate({ scrollTop: $('.d_row_active').offset().top - 140 }, 20); ++ // History ++ var itemToAdd = $("#" + curID).find('[class*="row_filter"]').text(); ++ hItemAdd(itemToAdd); ++ // Set the class count (counted again after load) ++ curclasscount = $('.d_row_active').data('event_count'); ++ var cols = $('th.sort').length; ++ var tbl = ''; ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += "CATEGORIZE"; ++ tbl += curclasscount + "EVENT(S)  "; ++ tbl += "    "; ++ tbl += "CREATE FILTER: "; ++ tbl += "src  "; ++ tbl += "dst  "; ++ tbl += "both"; ++ tbl += "
"; ++ $("#" + curID).after(tbl); ++ ++ // Lookup signature ++ sigLookup(rowValue); ++ ++ // Fetch results ++ eventList("1-" + rowValue); ++ ++ $("#eview").show(); ++ $(".d_row").fadeTo('0','0.2'); ++ } else { ++ closeRow(); ++ } ++ }); ++ ++ // ++ // Level 2 ++ // ++ ++ $(document).on("click", ".sub_active", function() { ++ if (!$(".d_row_sub_active")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ ++ // Reset checkbox ++ $(".chk_all").prop("checked",false); ++ ++ // RT or ALL? ++ switch (rtbit) { ++ case 1: adqp = s2h("AND event.status = 0"); break; ++ case 0: adqp = s2h("empty"); break; ++ } ++ // We are now the active row ++ $("#" + callerID).attr('class','d_row_sub_active'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",3600000,thisTZ); ++ var eet = mkStamp(bt,"+",3600000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History and search ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ ++ $("#loader").show(); ++ eventList("2-" + callerID + "-" + adqp); ++ } else { ++ closeSubRow(); ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request payload ++ // ++ ++ $(document).on("click", ".sub1_active", function() { ++ // Close transcript if it is open ++ if ($(".eview_sub3")[0]) closeSubRow2(); ++ if (!$(".d_row_sub_active1")[0]) { ++ var callerID = $(this).parent('tr').attr('id'); ++ $("#" + callerID).attr('class','d_row_sub_active1'); ++ ++ // Populate search times ++ var bt = $("#" + callerID).find('[class*="timestamp"]').html(); ++ var est = mkStamp(bt,"-",1800000,thisTZ); ++ var eet = 
mkStamp(bt,"+",1800000,thisTZ); ++ ++ $('#el_start').val(est); ++ $('#el_end').val(eet); ++ ++ // Clear search terms ++ $("#srchterms").html(''); ++ $(".srch_txt").val(''); ++ ++ // History ++ $("#" + callerID).find('[class*="sub_filter"]').each(function() { ++ if ($(this).data('type') == 'cc') { ++ var itemToAdd = $(this).data('value'); ++ } else { ++ var itemToAdd = $(this).text(); ++ } ++ if ($(this).data('type') == 'ip') { ++ // Add search terms ++ $("#srchterms").append("" + itemToAdd + "  "); ++ } ++ hItemAdd(itemToAdd); ++ }); ++ $("#loader").show(); ++ eventList("3-" + callerID); ++ } else { ++ closeSubRow1() ++ } ++ }); ++ ++ // ++ // Level 3 (a or b) request transcript ++ // ++ ++ $(document).on("click", ".sub2_active", function(event) { ++ // Close payload if it is open ++ if ($(".eview_sub2")[0]) closeSubRow1(); ++ var bail = $("#loader").css('display'); ++ if (bail != 'none') return; ++ if (!$(".eview_sub3")[0]) { ++ $("#loader").show(); ++ composite = $(this).data('tx').split("-"); ++ rowLoke = composite[0]; ++ $("#" + rowLoke).attr('class','d_row_sub1_active'); ++ nCols = $("#" + rowLoke).find('td').length; ++ cid = composite[1]; ++ txdata = composite[2]; ++ ++ // See if a transcript is available ++ var urArgs = "type=" + 7 + "&txdata=" + txdata; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb5(data)}); ++ }); ++ ++ function cb5(data){ ++ eval("txRaw=" + data); ++ txCMD = txRaw.cmd; ++ txResult = txRaw.tx; ++ txDebug = txRaw.dbg; ++ if (txResult == "DEBUG:") txResult += " No data was returned."; ++ if (!txResult) { ++ txResult = "Transcript request failed!

"; ++ txResult += "The command was:
" + txCMD + "

"; ++ txResult += "The response was:" + txDebug.replace(/DEBUG:/g,"
"); ++ } ++ ++ var row = '',tbl = ''; ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += txResult; ++ row += "
"; ++ ++ tbl += ""; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 399 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ $("#loader").hide(); ++ } ++ } else { ++ closeSubRow2(); ++ } ++ }); ++ ++ // Toggle RT depending on entry point ++ $(document).on("click", ".b_ec_hot", function() { ++ rtbit = 1; ++ }); ++ $(document).on("click", ".b_ec_total", function() { ++ rtbit = 0; ++ }); ++ ++ // Filter constructor ++ function mkFilter() { ++ if ($('#search').val().length > 0) { ++ ++ var srchVal = $('#search').val(); ++ var fParts = ""; ++ ++ // If no term is supplied default to a string, IP or wildcard IP search ++ chkVal: ++ if (srchVal.indexOf(" ") == -1 && srchVal[0] != "!") { ++ var re = /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ if (re.exec(srchVal)) { ++ srchVal = "ip " + srchVal; ++ break chkVal; ++ } ++ ++ var re = /^(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)\.(\d{1,3}|%)/; ++ if (re.exec(srchVal)) { ++ srchVal = "wip " + srchVal; ++ break chkVal; ++ } ++ ++ srchVal = "sig " + srchVal; ++ } ++ ++ fParts = srchVal.replace(/^!/,"").split(" "); ++ if (fParts[0] == 'cmt') { ++ var theFilter = s2h($('#search').val()); ++ rtbit = 0; ++ } else { ++ // Now see if the requested filter exists ++ if ($("#tr_" + fParts[0]).length > 0) { ++ tmpFilter = $("#tr_" + fParts[0]).data('filter'); ++ // Now see if we need to modify the query ++ if (fParts[1]) { ++ // This is the base filter ++ preFilter = h2s(tmpFilter); ++ // This is the user supplied text. 
++ var re = new RegExp("^" + fParts[0] + "\\s{1}|[';\\\`]","g"); ++ theQuestion = fParts.join(' ').replace(re, ""); ++ // We will accept multiple questions if they are comma delimited ++ questionParts = theQuestion.split(","); ++ if (questionParts.length > 1) { ++ var f = '('; ++ for (var i = 0; i < questionParts.length; i++) { ++ f += preFilter.replace(/\$/g, questionParts[i]); ++ if (i != (questionParts.length - 1)) { ++ f += " OR "; ++ } ++ } ++ f += ')'; ++ theFilter = s2h(f); ++ } else { ++ var newFilter = preFilter.replace(/\$/g, questionParts[0]); ++ theFilter = s2h(newFilter); ++ } ++ } else { ++ theFilter = tmpFilter; ++ } ++ } else { // The filter does not exist ++ theFilter = s2h('empty'); ++ } ++ } ++ } else { // No filter supplied ++ theFilter = s2h('empty'); ++ } ++ return theFilter; ++ } ++ ++ // ++ // This creates the views for each level ++ // ++ ++ function eventList (type) { ++ theWhen = getTimestamp(); ++ statusPoll(0); ++ var parts = type.split("-"); ++ var filterMsg = ''; ++ var rt = 0; ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ ++ // See if we are just RT events ++ if ($('#rt').text() == 'on' || rtbit == 1) { ++ rt = 1; ++ rtbit = 1; ++ } ++ // How are we sorting? 
++ var sortval = $("#event_sort").val(), sorttxt; ++ switch (sortval) { ++ case "DESC": sorttxt = "show oldest first"; break; ++ case "ASC": sorttxt = "show newest first"; break; ++ } ++ ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ // Check for any filters ++ if (h2s(theFilter) != 'empty') { ++ $('.fl_val').text('YES'); ++ } else { ++ $('.fl_val').text('NO'); ++ } ++ ++ switch (parts[0]) { ++ ++ // Level 0 view - Grouped by Signature ++ case "0": ++ $('.value').text('-'); ++ ++ // Times Chart ++ var urChrtArgs = "type=22&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors; ++ $(function(){ ++ $.get(".inc/callback.php?" + urChrtArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("chartData=" + data); ++ var r = chartData.r; ++ if (r > 0) { ++ mkLine(".times",chartData.rows,chartData.m); ++ } ++ } ++ ++ var urArgs = "type=" + parts[0] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb1(data)}); ++ }); ++ function cb1(data){ ++ eval("d0=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var cols = 11; ++ ++ if (rt == 0) cols = 12; ++ head += ""; ++ head += ""; ++ head += "QUEUE"; ++ if (rt == 0) head += "ALL"; ++ head += ""; ++ head += "SC"; ++ head += "DC"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += "PROTO"; ++ head += "% TOTAL"; ++ head += ""; ++ ++ var sumEC = 0, sumSC = 0, sumDC = 0, sumSI = "-", spr1 = 0, spr2 = 0, spr3 = 0, spr4 = 0; ++ ++ if (d0.length > 0) { ++ // Sums for boxes ++ for (var i=0; i"; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ if (rt == 1) { ++ sumSC = "-"; ++ sumDC = "-"; ++ sumEC = eTotal; ++ } ++ ++ var sumRT = 0; ++ ++ // Tag Array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ sumRT += parseInt(unClass); ++ } else { ++ rtClass = "b_ec_cold"; ++ } ++ ++ // Sum priorities ++ var prC = Number(d0[i].f1); ++ switch (d0[i].f13) { ++ case "1": spr1 += prC; break; ++ case "2": spr2 += prC; break; ++ case "3": spr3 += prC; break; ++ default: spr4 += prC; break; ++ } ++ ++ rid = "r" + i + "-" + parts[1]; ++ var cells = mkGrid(d0[i].f12); ++ if (rt == 0) var catCells = catGrid(d0[i].f11,0,0); ++ row += ""; ++ row += "
" + unClass + "
"; ++ if (rt == 0) row += "
" + d0[i].f1 + "
"; ++ row += "
" + d0[i].f13 + "
"; ++ row += "" +d0[i].f6+ ""; ++ row += "" +d0[i].f7+ ""; ++ if (rt == 0) row += "" + catCells + ""; ++ ++ timeParts = d0[i].f5.split(" "); ++ timeStamp = timeParts[1]; ++ ++ if ( sumEC > 0) { ++ rowPer = Number(d0[i].f1/sumEC*100).toFixed(3); ++ } else { ++ rowPer = "0.000"; ++ } ++ ++ row += "" + cells + ""; ++ row += "" + timeStamp + ""; ++ row += ""; ++ //row += "
" + d0[i].f2 + "
"; ++ row += d0[i].f2 + ""; ++ row += "" + d0[i].f3 + ""; ++ row += "" + d0[i].f8 + ""; ++ ++ ++ row += "" + rowPer + "%"; ++ row += ""; ++ } ++ ++ // Populate event summary ++ $('#qtotal').text(sumRT); ++ $('#etotal').text(sumEC); ++ $('#esignature').text(sumSI); ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ ++ $('#' + parts[1] + '-' + parts[2]).append(tbl); ++ ++ if (d0.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $('#tl1').fadeIn('slow'); ++ $("#tl1").tablesorter(); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 1 view - Grouped by signature, source, destination ++ ++ case "1": ++ var urArgs = "type=" + parts[0] + "&object=" + parts[1] + "&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb2(data)}); ++ }); ++ ++ function cb2(data){ ++ eval("theData=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += "QUEUE"; ++ if (rt == 0) head += "TOTAL"; ++ if (rt == 0) head += "CLASS"; ++ head += "ACTIVITY"; ++ head += "LAST EVENT"; ++ head += "SOURCE"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += "DESTINATION"; ++ head += "AGE"; ++ head += "COUNTRY"; ++ head += ""; ++ var curclasscount = 0, tlCount = 0, rtCount = 0; ++ var timeValues = "", scid = ""; ++ ++ // Tag array ++ var tags = new Array(); ++ ++ for (var i=0; i 0 ) { ++ rtClass = "b_ec_hot"; ++ isActive = "sub_active"; ++ } else { ++ rtClass = "b_ec_cold"; ++ isActive = "sub"; ++ } ++ ++ // Aggregate time values ++ timeValues += theData[i].c_ts + ","; ++ var cells = mkGrid(theData[i].f12); ++ if (rt == 0) var catCells = catGrid(theData[i].c_status,0,0); ++ ++ // Event sums ++ tlCount += parseInt(count,10); ++ rtCount += parseInt(unclass,10); ++ ++ rid = "r" + i + "-" + parts[1] + "-" + src_ip + "-" + dst_ip; ++ row += ""; ++ row += "
" + unclass + "
"; ++ if (rt == 0) row += "
" + count + "
"; ++ if (rt == 0) row += "" + catCells + ""; ++ row += "" + cells + ""; ++ row += "" + max_time + ""; ++ row += "
" + src_ip + ""; ++ row += "" + src_age_n + ""; ++ row += ""; ++ row += cs[1] + src_clong + " (." + src_cc.toLowerCase() + ")" + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_age_n + ""; ++ row += ""; ++ row += cd[1] + dst_clong + " (." + dst_cc.toLowerCase() + ")" + ""; ++ row += ""; ++ } ++ ++ // Populate tags ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Add scid's to checkbox ++ $("#ca0").data("scid", scid.replace(/,$/, "")); ++ ++ // If queue is empty provide event sums in case the user ++ // intends to reclass anything ++ if (rtbit == 1) { ++ curclasscount = rtCount; ++ } else { ++ curclasscount = tlCount; ++ } ++ ++ // update class_count ++ $("#class_count").html(curclasscount); ++ lastclasscount = $("#class_count").html(); ++ ++ // While in grouped events (RT) we remove rows as ++ // they are classed and subtract the values from "Total Events" ++ // This keeps etotal up to date so the math doesn't get silly ++ var oldrt = Number($(".d_row_active").find(".b_ec_hot").text()); ++ var oldec = Number($("#etotal").text()); ++ if (oldrt < rtCount) { ++ newrtcount = parseInt((rtCount - oldrt) + oldec); ++ $("#etotal").text(newrtcount); ++ } ++ ++ // Update parent counts ++ $(".d_row_active").find(".b_ec_hot").text(rtCount); ++ if (rt == 0) $(".d_row_active").find(".b_ec_total").text(tlCount); ++ ++ tbl += "
"; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#eview").after(tbl); ++ $("#tl2").tablesorter({ ++ headers: { ++ 4: {sorter:'ipv4'}, ++ 6: {sorter:'ipv4'} ++ } ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 2 view - No grouping, individual events ++ ++ case "2": ++ var rowLoke = parts[1]; ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen + "&adqp=" + parts[2] + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3(data)}); ++ }); ++ ++ function cb3(data){ ++ eval("d2=" + data); ++ tbl = ''; ++ head = ''; ++ row = ''; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += "TIMESTAMP"; ++ head += "EVENT ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Update class_count ++ $("#class_count").html(0); ++ var tlCount=0, rtCount=0; ++ ++ // Tag array ++ var tags= new Array(); ++ ++ for (var i=0; i"; ++ tclass = "c" + eclass; ++ cv = classifications.class[tclass][0].short; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag); ++ if (t < 0) tags.push(tag); ++ }); ++ } ++ ++ // Timestamp ++ var compts = d2[i].f2.split(",") || "--"; ++ var timestamp = compts[0]; ++ var utctimestamp = compts[1]; ++ ++ // Event sums ++ tlCount += parseInt(1,10); ++ if (cv == "RT") { ++ rtCount += parseInt(1,10); ++ } ++ ++ // Transcript link ++ // original Squert native pivot: ++ //txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ //txBit = "" + sid + "." + cid + "
"; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." + cid + ""; ++ } ++ ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + signature + ""; ++ row += ""; ++ } ++ ++ // Update parent counts ++ $(".d_row_sub_active").find(".b_ec_hot").text(rtCount); ++ if ($(".d_row_sub_active").find(".b_ec_total").text() < tlCount) { ++ $(".d_row_sub_active").find(".b_ec_total").text(tlCount); ++ } ++ ++ var cols = $('th.sort').length; ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ tbl += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $("#" + rowLoke).after(tbl); ++ $(".d_row_sub").fadeTo('0','0.2'); ++ $("#loader").hide(); ++ $("#tl3").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 4:{sorter:'ipv4'}, ++ 6:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#ca0").hide(); ++ } ++ break; ++ ++ // Level 2a view - No grouping, individual events ++ ++ case "2a": ++ $('.value').text('-'); ++ var urArgs = "type=2a&ts=" + theWhen + "&filter=" + theFilter + "&sensors=" + theSensors + "&rt=" + rt + "&sv=" + sortval; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb3a(data)}); ++ }); ++ ++ function cb3a(data){ ++ eval("d2a=" + data); ++ var tbl = ''; ++ var head = ''; ++ var row = ''; ++ var disabled = ''; ++ if (d2a.length == 0) { ++ disabled = "disabled"; ++ row += ""; ++ row += "No result. If this is unexpected try this"; ++ } ++ ++ head += ""; ++ head += ""; ++ head += ""; ++ head += "ST"; ++ head += ""; ++ head += "TIMESTAMP"; ++ head += "ID"; ++ head += "SOURCE"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "DESTINATION"; ++ head += "PORT"; ++ head += "AGE"; ++ head += "CC"; ++ head += "SIGNATURE"; ++ head += ""; ++ ++ // Aggregate time values ++ var timeValues = ""; ++ for (var ts=0; ts" + sid + "." + cid + ""; ++ //if (src_port != "-" && dst_port != "-") { ++ // txBit = "" + sid + "." + cid + ""; ++ //} ++ // new pivot to CapMe: ++ txdata = "s" + i + "-" + cid + "-" + s2h(sid + "|" + utctimestamp + "|" + src_ip + "|" + src_port + "|" + dst_ip + "|" + dst_port); ++ txBit = "" + sid + "." + cid + ""; ++ if (src_port != "-" && dst_port != "-") { ++ var startDate = new Date(utctimestamp); ++ var start_tz_offset = (startDate.getTimezoneOffset()); ++ var stime = startDate.setTime( startDate.getTime()/1000-(start_tz_offset*60) ) - 3600; ++ var endDate = new Date(utctimestamp); ++ var end_tz_offset = (endDate.getTimezoneOffset()); ++ var etime = endDate.setTime( endDate.getTime()/1000-(end_tz_offset*60) ) + 3600; ++ txBit = " " + sid + "." 
+ cid + ""; ++ } ++ ++ row += ""; ++ row += ""; ++ row += "
"; ++ row += cv + "
"; ++ row += "
" + d2a[i].f16 + "
"; ++ row += "" + timestamp + ""; ++ row += txBit; ++ row += "
" + src_ip + ""; ++ row += "" + src_port + ""; ++ row += "" + src_age_n + ""; ++ row += "" + cs[1] + ""; ++ row += "
" + dst_ip + ""; ++ row += "" + dst_port + ""; ++ row += "" + dst_age_n + "" ++ row += "" + cd[1] + ""; ++ row += "" + signature + ""; ++ } ++ ++ var sumED = 0, sumEC = 0, cmsg = ""; ++ ++ if (d2a.length > 0) { ++ sumED = i; ++ sumEC = d2a.length; ++ } ++ ++ if (d2a.length >= maxI) { ++ sumRE = sumEC - maxI; ++ cmsg = " / " + sumRE + " not shown"; ++ } ++ ++ $("#qtotal").html(rsumRT); ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ // Draw ++ tbl += ""; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "categorize " + 0 + ""; ++ tbl += " of " + sumED + " event(s)" + cmsg; ++ tbl += "
"; ++ tbl += "
" + sorttxt + "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ $('#' + parts[1] + '-' + parts[2]).after(tbl); ++ ++ if (d2a.length > 0) { ++ var prVals = [spr1,spr2,spr3,spr4]; ++ var pryBar = mkPribar(prVals); ++ } else { ++ var pryBar = mkPribar([0]); ++ } ++ $("#tl3a,#tl3b").fadeIn('slow'); ++ $("#tl3b").tablesorter({ ++ headers: { ++ 0:{sorter:false}, ++ 1:{sorter:false}, ++ 5:{sorter:'ipv4'}, ++ 8:{sorter:'ipv4'} ++ }, ++ cancelSelection:false ++ }); ++ $("#loader").hide(); ++ } ++ break; ++ ++ // Level 3 view - Packet Data ++ ++ case "3": ++ var rowLoke = parts[1]; ++ var nCols = $('#' + parts[1]).data('cols'); ++ var filter = $('#' + parts[1]).data('filter'); ++ var urArgs = "type=" + parts[0] + "&object=" + filter + "&ts=" + theWhen; ++ var sg = $('#' + parts[1]).data('sg'); ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb4(data)}); ++ }); ++ ++ function cb4(data){ ++ eval("theData=" + data); ++ ++ var tbl = '', head = '', row = ''; ++ ++ // If IP version is 0 we can jump right to the payload (likely bro, http or ossec agent) ++ if (theData[0].ip_ver != 0) { ++ ++ var PDATA = 0; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ head += ""; ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
IPVERIHLTOSLENGTHIDFLAGSOFFSETTTLCHECKSUMPROTO
" + theData[0].ip_ver + "" + theData[0].ip_hlen + "" + theData[0].ip_tos + "" + theData[0].ip_len + "" + theData[0].ip_id + "" + theData[0].ip_flags + "" + theData[0].ip_off + "" + theData[0].ip_ttl + "" + theData[0].ip_csum + "" + theData[0].ip_proto + "
"; ++ ++ switch (theData[0].ip_proto) { ++ case "1": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
ICMPTYPECODECHECKSUMIDSEQ#
" + theData[1].icmp_type + "" + theData[1].icmp_code + "" + theData[1].icmp_csum + "" + theData[1].icmp_id + "" + theData[1].icmp_seq + "
"; ++ break; ++ ++ case "6": ++ // TCP flags ++ var tmpFlags = theData[1].tcp_flags || 'z'; ++ switch (tmpFlags) { ++ case 'z': var tcpFlags = '--------'; break; ++ default: ++ var binFlags = Number(theData[1].tcp_flags).toString(2); ++ var binPad = 8 - binFlags.length; ++ var tcpFlags = "00000000".substring(0,binPad) + binFlags; ++ break; ++ } ++ var tcp_seq = theData[1].tcp_seq || '-'; ++ var tcp_ack = theData[1].tcp_ack || '-'; ++ var tcp_off = theData[1].tcp_off || '-'; ++ var tcp_res = theData[1].tcp_res || '-'; ++ var tcp_win = theData[1].tcp_win || '-'; ++ var tcp_urp = theData[1].tcp_urp || '-'; ++ var tcp_csum = theData[1].tcp_csum || '-'; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
TCPR1R0URGACKPSHRSTSYNFINSEQ#ACK#OFFSETRESWINURPCHECKSUM
" + tcpFlags[0] + "" + tcpFlags[1] + "" + tcpFlags[2] + "" + tcpFlags[3] + "" + tcpFlags[4] + "" + tcpFlags[5] + "" + tcpFlags[6] + "" + tcpFlags[7] + "" + tcp_seq + "" + tcp_ack + "" + tcp_off + "" + tcp_res + "" + tcp_win + "" + tcp_urp + "" + tcp_csum + "
"; ++ break; ++ ++ case "17": ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
UDPLENGTHCHECKSUM
" + theData[1].udp_len + "" + theData[1].udp_csum + "
"; ++ break; ++ } ++ ++ var p_hex = '', p_ascii = '', p_ascii_l = ''; ++ ++ // Data ++ if (!theData[2]) { ++ p_hex = "No Data Sent."; ++ p_ascii = "No Data Sent."; ++ } else { ++ p_pl = theData[2].data_payload; ++ p_length = theData[2].data_payload.length; ++ var b0 = 0; ++ ++ for(var i=0; i < p_length; i+=2) { ++ b0++; ++ t_hex = p_pl.substr(i,2); ++ t_int = parseInt(t_hex,16); ++ ++ if ((t_int < 32) || (t_int > 126)) { ++ p_hex += t_hex + " "; ++ p_ascii += "."; ++ p_ascii_l += "."; ++ } else if (t_int == 60) { ++ p_hex += t_hex + " "; ++ p_ascii += "<"; ++ p_ascii_l += "<"; ++ } else if (t_int == 62) { ++ p_hex += t_hex + " "; ++ p_ascii += ">"; ++ p_ascii_l += ">"; ++ } else { ++ p_hex += t_hex + " "; ++ p_ascii += String.fromCharCode(parseInt(t_hex, 16)); ++ p_ascii_l += String.fromCharCode(parseInt(t_hex, 16)); ++ } ++ ++ if ((b0 == 16) && (i < p_length)) { ++ p_hex += "
"; ++ p_ascii += "
"; ++ b0 = 0; ++ } ++ } ++ } ++ ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += ""; ++ row += "
DATAHEXASCII
" + p_hex + "" + p_ascii + "
ASCII" + p_ascii_l + "
"; ++ ++ } else { ++ ++ head += ""; ++ var p_ascii = "No Data Sent."; ++ // This needs to be more robust. ++ if (theData[2]) { ++ var tmp = h2s(theData[2].data_payload).split("\n"); ++ p_ascii = ''; ++ for (var i in tmp) { ++ p_ascii += "
" + tmp[i] + "
"; ++ } ++ ++ } ++ row += ""; ++ row += ""; ++ row += "
" + p_ascii + "
"; ++ } ++ ++ tbl += ""; ++ ++ // If we are not grouped we show the signature text ++ if ( sg != 0 ) { ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ tbl += "
"; ++ sigLookup(sg); ++ } ++ ++ // Comments and tags are done here ++ var tags = new Array(); ++ var eventTag = 'None.'; ++ var eventComment = theData[0].comment || 'None.'; ++ var src_tag = theData[0].srctag || '-'; ++ var dst_tag = theData[0].dsttag || '-'; ++ ++ // Populate tags array ++ if (src_tag != "-") { ++ var src_tags = src_tag.split(","); ++ $.each(src_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",s"); ++ if (t < 0) tags.push(tag + ",s"); ++ }); ++ } ++ ++ if (dst_tag != "-") { ++ var dst_tags = dst_tag.split(","); ++ $.each(dst_tags, function(n,tag) { ++ var t = tags.indexOf(tag + ",d"); ++ if (t < 0) tags.push(tag + ",d"); ++ }); ++ } ++ ++ if (tags.length > 0) eventTag = ''; ++ ++ tbl += "
COMMENTS
"; ++ tbl += "
" + eventComment + "
"; ++ tbl += "
TAGS
"; ++ tbl += "
" + eventTag + "
"; ++ if (PDATA != 0) { ++ tbl += "
DETAILS
"; ++ } else { ++ tbl += "
PAYLOAD
"; ++ } ++ tbl += head; ++ tbl += row; ++ tbl += ""; ++ $("#" + rowLoke).after(tbl); ++ $("#loader").hide(); ++ ++ // Turn off fade effect for large results ++ var rC = $(".d_row_sub1").length; ++ if ( rC <= 499 ) { ++ $(".d_row_sub1").fadeTo('fast','0.2'); ++ } ++ ++ // Populate tags ++ clearTags(); ++ for (var i=0; i < tags.length; i++) { ++ addTag(tags[i]); ++ } ++ ++ } ++ break; ++ } ++ // If event queue is off we need to reset this after load if b_ec_hot was ++ // the entry point ++ if ($('#rt').text() == 'off') rtbit = 0; ++ } ++ ++ // ++ // Object click handlers ++ // ++ ++ $(document).on("click", ".select,.ex_val,.sub_filter,.row_filter,.tof,.value_link,.nr_f", function(e) { ++ // Check if we are coming from a legit object ++ var prefix = $(this).data('type'); ++ if (prefix == "none") return; ++ ++ // Check if we are coming from a sane selection ++ var selLen = window.getSelection().toString().length; ++ if (selLen > 4) { ++ if (selLen < 255) { // Might need to change these based on how people use this ++ prefix = "zz"; ++ var suffix = window.getSelection().toString(); ++ var re = /\s/g; ++ var NOK = re.exec(suffix); ++ if (NOK) return; ++ } else { ++ return; ++ } ++ } else { ++ var suffix = $(this).text(); ++ } ++ ++ var mX = e.pageX; ++ var mY = e.pageY; ++ ++ var colour = $(this).data('col') || "FFFFFF"; ++ var tfocus = "#search"; ++ switch (prefix) { ++ case 'ip': ++ hItemAdd(suffix); ++ var sord = $(this).data('sord'); ++ mkPickBox(prefix,suffix,sord,colour,mX,mY); ++ break; ++ case 'spt': ++ case 'dpt': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'cc': ++ case 'scc': ++ case 'dcc': ++ var cc = $(this).data('value'); ++ hItemAdd(cc); ++ mkPickBox(prefix,cc,suffix,colour,mX,mY); ++ break; ++ case 'cmt': ++ suffix = $(this).data('comment'); ++ $("#rt").text("off"); ++ $("#rt").attr('class','tvalue_off'); ++ $('#search').val(prefix + " " + suffix); ++ hItemAdd(suffix); ++ if ($('#cat_box').css('display') != 'none') { 
++ $('#ico01').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'cmt_c': ++ $('.cat_msg_txt').val(suffix); ++ hItemAdd(suffix); ++ tfocus = ".cat_msg_txt"; ++ break; ++ case 'fil': ++ var fil = $(this).data('value'); ++ $('#search').val(fil); ++ hItemAdd(fil); ++ if ($('#fltr_box').css('display') != 'none') { ++ $('#ico04').click(); ++ } ++ $('.b_update').click(); ++ break; ++ case 'sid': ++ var value = $(this).data('value'); ++ hItemAdd(suffix); ++ mkPickBox(prefix,value,suffix,colour,mX,mY); ++ break; ++ case 'st': ++ var suffix = $(this).attr('id').split('-')[1]; ++ $('#search').val(prefix + " " + suffix); ++ // RT must be off to return anything ++ $('#rt').attr('class','tvalue_off'); ++ $('#rt').text('off'); ++ rtbit = 0; ++ $('.b_update').click(); ++ break; ++ case 'el': ++ var suffix = $(this).data('value'); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ case 'zz': ++ hItemAdd(suffix); ++ mkPickBox(prefix,suffix,0,colour,mX,mY); ++ break; ++ } ++ }); ++ ++ // ++ // Picker Box ++ // ++ ++ function mkPickBox(prefix,suffix,rsuffix,colour,mX,mY) { ++ var doexternals = "yes"; ++ var objhex = s2h(suffix); ++ var tbl = '', row = ''; ++ // Local stuff first ++ switch (prefix[prefix.length - 1]) { ++ case "c": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "p": ++ row += ":: SRC or DST"; ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: ADD / REMOVE TAG"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "apply"; ++ row += "apply all"; ++ row += ""; ++ break; ++ case "t": ++ row += ":: SRC"; ++ row += ":: DST"; ++ row += ":: SEARCH"; ++ break; ++ case "d": ++ row += ":: SIGNATURE"; ++ if ($('.sigtxt')[0]) { ++ row += ":: HISTORY"; ++ } ++ row += ":: SEARCH"; ++ break; ++ case "l": ++ row += ":: COLOUR  "; ++ row += ""; ++ row += "update"; ++ doexternals = "no"; ++ break; ++ case "z": ++ row += ":: SEARCH"; ++ 
break; ++ } ++ ++ // If applicable populate externals ++ if (doexternals == "yes") { ++ $('.f_row').each(function() { ++ var ct = $(this).data('type'); ++ if (ct == 'url') { ++ var alias = $(this).data('alias'); ++ var name = $(this).data('name'); ++ var url = $(this).data('filter'); ++ row += ""; ++ row += "" + name + ""; ++ row += ""; ++ } ++ }); ++ } ++ ++ tbl += ""; ++ tbl += row; ++ tbl += "
"; ++ ++ var boxlabel = suffix; ++ ++ // Use more descriptive names where possible ++ var re = /(sid|cc|scc|dcc)/; ++ var OK = re.exec(prefix); ++ if (OK) { ++ var boxlabel = rsuffix; ++ } ++ ++ if (boxlabel.length > 24) { ++ boxlabel = boxlabel.substring(0,24); ++ boxlabel += ".."; ++ } ++ ++ $('#pickbox_label').text(boxlabel).css('font-weight','normal').data('sord', rsuffix); ++ ++ if ($('#tlpick')[0]) $('#tlpick').remove(); ++ $(".pickbox_tbl").append(tbl); ++ $('.pickbox').fadeIn('fast'); ++ ++ // Colour Picker ++ $("#menucol").spectrum({ ++ showInput: true, ++ className: "full-spectrum", ++ showInitial: true, ++ showPalette: true, ++ showSelectionPalette: true, ++ maxPaletteSize: 6, ++ preferredFormat: "hex", ++ localStorageKey: "spectrum.demo", ++ move: function (color) {}, ++ show: function () {}, ++ beforeShow: function () {}, ++ hide: function () {}, ++ change: function() {}, ++ palette: [ ++ ['rgb(217,217,217)','rgb(189,189,189)','rgb(150,150,150)','rgb(99,99,99)','rgb(37,37,37)'], ++ ['rgb(199,233,192)','rgb(161,217,155)','rgb(116,196,118)','rgb(49,163,84)','rgb(0,109,44)'], ++ ['rgb(218,218,235)','rgb(188,189,220)','rgb(158,154,200)','rgb(117,107,177)','rgb(84,39,143)'], ++ ['rgb(198,219,239)','rgb(158,202,225)','rgb(107,174,214)','rgb(49,130,189)','rgb(8,81,156)'], ++ ['rgb(254,217,118)','rgb(254,178,76)','rgb(253,141,60)','rgb(240,59,32)','rgb(189,0,38)'] ++ ] ++ }); ++ } ++ ++ // Pickbox click events ++ $(document).on('click', '.p_row', function() { ++ if ($('.tagbox').css('display') != 'none') $('.tagcancel').click(); ++ var ctype = $(this).data('type'); ++ var alias = $(this).data('alias'); ++ var args = $('#tlpick').data('val'); ++ switch(ctype) { ++ case "l": ++ $('.pickbox').fadeOut('fast'); ++ $('#search').val(alias + " " + args); ++ $('.b_update').click(); ++ break; ++ case "r": ++ $('.pickbox').fadeOut('fast'); ++ var url = h2s($(this).data('url')).replace("${var}", args); ++ window.open(url); ++ break; ++ case "t": ++ 
$('.tagbox').fadeIn('fast'); ++ $('.taginput').focus(); ++ break; ++ case "s": ++ $('.pickbox').fadeOut('fast', function() {; ++ $('#ico05').click(); ++ }); ++ $('.srch_txt').val(args); ++ break; ++ case "h": ++ doHistory(args); ++ $('.pickbox').fadeOut('fast'); ++ break; ++ default: return; ++ } ++ }); ++ ++ // ++ // Tags ++ // ++ ++ // Truncate ++ function truncTag(tag,len) { ++ if (tag.length > len) tag = tag.substring(0,len) + ".."; ++ return tag; ++ } ++ ++ // Filter results or add as new ++ $(document).on('click', '.tag', function() { ++ var tag = $(this).data('val'); ++ if($('.taginput').is(":visible")) { ++ $('.taginput').val(tag); ++ $('.taginput').focus(); ++ } else { ++ $('#search').val('tag ' + tag); ++ $('.b_update').click(); ++ } ++ }); ++ ++ // Remove individual tags on "(X)" click via payload area ++ $(document).on('mouseenter', '.tag_d, .tag_s', function() { ++ var tag = $(this).data('val'); ++ if ($(".tag_x")[0]) return; ++ var dw = $(this).width() - 5 + "px"; ++ $(this).append("
X
"); ++ $(".tag_x").css("margin-left", dw); ++ $(".tag_x").fadeIn("slow"); ++ ++ }); ++ ++ $(document).on('mouseleave', '.tag_d, .tag_s', function() { ++ $('.tag_x').remove(); ++ }); ++ ++ $(document).on('click', '.tag_x', function() { ++ var tag = $(this).parent().data("val"); ++ var obj = $(this).parent().data("obj"); ++ $(this).parent().remove(); ++ var len = $("#tag_area").text().length; ++ if (len == 0) $("#tag_area").append("None."); ++ //doTag(s2h(obj),tag,'rm'); ++ }); ++ ++ // Fire tag add on enter ++ $('.taginput').keypress(function(e) { ++ if (!e) e=window.event; ++ key = e.keyCode ? e.keyCode : e.which; ++ if (key == 13) $('.tagok').click(); ++ }); ++ ++ // Close tag entry ++ $(document).on('click', '.tagcancel', function() { ++ $('.taginput').val(''); ++ $('.tagbox').fadeOut('fast'); ++ }); ++ ++ // Add a tag ++ $(document).on('click', '.tagok', function() { ++ var tag = $('.taginput').val(); ++ var obj = $('#pickbox_label').text(); ++ var re = /^[?a-zA-Z0-9][\s{1}\w-\.]*$/; ++ var OK = re.exec(tag); ++ if (OK) doTag(s2h(obj),tag,'add'); ++ }); ++ ++ // Remove a tag ++ $(document).on('click', '.tagrm', function() { ++ var tag = truncTag($('.taginput').val(),20); ++ var obj = $('#pickbox_label').text(); ++ doTag(s2h(obj),tag,'rm'); ++ $(".tag" + ":contains('" + tag + "')").remove(); ++ $('.tagcancel').click(); ++ }); ++ ++ // Display or Toggle tags ++ function addTag(tag) { ++ // If we entered from payload we have some additional info ++ if ($('#eview_sub2')[0]) { ++ var longTag = tag.split(",")[0]; ++ var theClass = tag.split(",")[1]; ++ var t_tag = truncTag(longTag,20); ++ } else { ++ var t_tag = truncTag(tag,20); ++ } ++ ++ // Hide empty ++ $('.tag_empty').hide(); ++ ++ // Check if tag exists ++ var tag_exists = 0; ++ $('.tag').each(function() { ++ if ($(this).text() == t_tag) { ++ $(this).addClass('tag_active'); ++ tag_exists = 1; ++ } ++ }); ++ ++ // Add tag to left pane ++ if (tag_exists == 0) { ++ var newTag = "
" + t_tag + "
"; ++ $('#tg_box').prepend(newTag); ++ } ++ ++ // If we have the payload open, add here as well ++ if ($('#eview_sub2')[0]) { ++ if($('#pickbox_label').is(":visible")) { ++ theClass = $('#pickbox_label').data('sord')[0]; ++ } ++ // Remove placeholder ++ if ($('#tag_none')[0]) $('#tag_none').remove(); ++ var newTag = "
" + t_tag + "
"; ++ $('#tag_area').prepend(newTag); ++ } ++ ++ } ++ ++ function doTag(obj,tag,op) { ++ var urArgs = "type=19&obtype=tag&object=" + obj + "&value=" + tag + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { ++ if (op != 'rm') addTag(tag); ++ $('.tagcancel').click(); ++ } ++ } ++ } ++ ++ // Colours ++ $(document).on('click', '.csave', function() { ++ var obtype = $(this).data('obtype'); ++ var object = $(this).data('object'); ++ var colour = $('#menucol').val().replace(/#/,"").toUpperCase(); ++ var op = "add"; ++ var re = /^([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/; ++ var OK = re.exec(colour); ++ if (!OK) return; ++ // Single or multiple? ++ if (obtype == "src" || obtype == "dst") { ++ var vr = new Array(); ++ $("." + obtype).each(function() { ++ var v = $(this).text(); ++ var re = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/; ++ var OK = re.exec(v); ++ if (OK) { ++ var t = vr.indexOf(v); ++ if (t < 0) vr.push(v); ++ } ++ }); ++ object = vr.toString(); ++ } ++ ++ var urArgs = "type=19&obtype=" + obtype + "_c&object=" + object + "&value=" + colour + "&op=" + op; ++ $(function(){ ++ $.post(".inc/callback.php?" + urArgs, function(data){cb22(data)}); ++ }); ++ ++ function cb22(data){ ++ eval("theData=" + data); ++ if (theData.msg != '') { ++ alert(theData.msg); ++ } else { // We should be good.. ++ var curObject = $('#pickbox_label').text(); ++ if (obtype == "el") { ++ var html = "
" + colour; ++ $('#el_' + curObject).html(html); ++ $('#el_' + curObject).data('col', colour); ++ } else { ++ $(".sub_filter:contains(" + curObject + ")").each(function() { ++ $(this).find('.object').css('background-color', '#' + colour).parent().data('col', colour); ++ }); ++ } ++ $('.pickbox').fadeOut('fast'); ++ } ++ } ++ }); ++ ++ $(document).on('click', '.pickbox_close', function() { ++ $('.tagcancel').click(); ++ $('.pickbox').fadeOut('fast'); ++ }); ++ ++ // ++ // Object History ++ // ++ ++ function hItemAdd(item) { ++ var itemTitle = item; ++ // Truncate ++ if (item.length > 33) { ++ itemTitle = item.substring(0,33) + ".."; ++ } ++ // Remove empty message ++ $('.history_empty').hide(); ++ ++ // If the item doesn't exist, add it. Otherwise, we start counting. ++ if ($(".h_item:contains('" + itemTitle + "')").length > 0) { ++ var oc = $(".h_item:contains('" + itemTitle + "')").data('n'); ++ var nc = Number(oc) + 1; ++ var bg = '#c9c9c9'; ++ var fn = 'normal'; ++ if (nc <= 3) { ++ bg = '#000'; ++ } else if (nc > 3) { ++ bg = '#cc0000'; ++ fn = 'bold'; ++ } ++ ++ $(".h_item:contains('" + itemTitle + "')").css('color', bg); ++ $(".h_item:contains('" + itemTitle + "')").css('font-weight', fn); ++ $(".h_item:contains('" + itemTitle + "')").data('n',nc); ++ $(".h_item:contains('" + itemTitle + "')").text(itemTitle + "(" + nc + ")"); ++ } else { ++ var toAdd = " " + itemTitle + ""; ++ $('#h_box').prepend(toAdd); ++ } ++ } ++ ++ if (!$('.h_item')[0]) { ++ $('.history_empty').show(); ++ } ++ ++ // Alt mappings for icons ++ ++ $.alt('1', function() { ++ $("#ico01").click(); ++ }); ++ $.alt('2', function() { ++ $("#ico02").click(); ++ }); ++ $.alt('3', function() { ++ $("#ico03").click(); ++ }); ++ $.alt('4', function() { ++ $("#ico05").click(); ++ }); ++ $.alt('5', function() { ++ $("#ico04").click(); ++ }); ++ ++ // ++ // Event classification ++ // ++ ++ // Use function keys to trigger status buttons ++ $(document).keydown(function(event){ ++ ++ function stopOthers() 
{ ++ event.originalEvent.keyCode = 0; ++ event.preventDefault(); ++ event.stopPropagation(); ++ } ++ ++ switch (event.keyCode) { ++ case 112: stopOthers(); $('#b_class-11').click(); break; ++ case 113: stopOthers(); $('#b_class-12').click(); break; ++ case 114: stopOthers(); $('#b_class-13').click(); break; ++ case 115: stopOthers(); $('#b_class-14').click(); break; ++ case 116: stopOthers(); $('#b_class-15').click(); break; ++ case 117: stopOthers(); $('#b_class-16').click(); break; ++ case 118: stopOthers(); $('#b_class-17').click(); break; ++ case 119: stopOthers(); $('#b_class-1').click(); break; ++ case 120: stopOthers(); $('#b_class-2').click(); break; ++ } ++ }); ++ ++ // Comment window status buttons ++ $(document).on("click", "#cw_buttons", function(event) { ++ var newclass = $(event.target).data('n'); ++ if (newclass == 0) { ++ $('#b_class-' + newclass).click(); ++ } else { ++ $('#b_class-' + newclass).click(); ++ } ++ }); ++ ++ // Highlight colour for selected events ++ var hlcol = "#FFFFE0"; ++ var hlhov = "#FDFDD6"; ++ ++ // Individual selects ++ var clickOne = 0, clck1 = 0, clck2 = 0; ++ $(document).on("click", ".chk_event", function(event) { ++ $("#tl3b").trigger('update'); ++ var clickTwo = this.id.split("_"); ++ if (Number(clickOne[1]) > Number(clickTwo[1])) { ++ clck1 = clickTwo[1]; ++ clck2 = clickOne[1]; ++ } else { ++ clck1 = clickOne[1]; ++ clck2 = clickTwo[1]; ++ } ++ ++ if (event.shiftKey) { ++ if (clck1 != clck2) { ++ $("#s" + clck1).nextUntil("#s" + clck2).find(".chk_event").prop("checked", true); ++ $("#s" + clck1).nextUntil("#s" + clck2).css("background-color", hlcol); ++ $("#s" + clck1).nextUntil("#s" + clck2).hover( ++ function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ clickOne = 0, clck1 = 0, clck2 = 0; ++ } ++ } ++ ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ if ($("#ca1:checked").length > 0) { ++ $("#ca1").prop("checked",false); ++ 
} ++ clickOne = this.id.split("_"); ++ ++ if ($(this).prop("checked") == true) { ++ $("#s" + clickTwo[1]).css("background-color", hlcol); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ } else { ++ $("#s" + clickTwo[1]).css("background-color", "transparent"); ++ $("#s" + clickTwo[1]).hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ } ++ }); ++ ++ // Select all (2) ++ $(document).on("click", "#ca1", function(event) { ++ var chkLen = $("#ca1:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca0").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ $(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca0").prop("checked",true); ++ break; ++ } ++ ++ if ($(".eview_sub1")[0]) { ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ } ++ ++ }); ++ ++ // Select all (2a) - clean this up, the above is almost identical ++ $(document).on("click", "#ca2", function(event) { ++ var chkLen = $("#ca2:checked").length; ++ switch(chkLen) { ++ case 0: ++ $(".chk_event").prop("checked",false); ++ $("#ca2").prop("checked",false); ++ $(".d_row_sub1").css("background-color", "transparent"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "transparent")}); ++ break; ++ default: ++ 
$(".chk_event").each(function() { ++ if ($(this).prop("disabled") == false) { ++ $(this).prop("checked",true); ++ } ++ }); ++ $(".d_row_sub1").css("background-color", hlcol); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", hlhov)}, ++ function(){$(this).css("background-color", hlcol)}); ++ $("#ca2").prop("checked",true); ++ break; ++ } ++ // Update class_count ++ $("#class_count").html($(".chk_event:checked").length); ++ }); ++ ++ // Class button click ++ $(document).on("click", "[id*=\"b_class-\"]", function() { ++ // We only fire if something is selected ++ var chkLen = parseInt($(".chk_event:checked").length + $(".chk_all:checked").length); ++ var intclass = $(this).attr('id').split("-"); ++ if (chkLen > 0 && intclass[1] != 0) { ++ eClass(this,intclass[1]); ++ } ++ }); ++ ++ function eClass(caller,intclass) { ++ // The sid.cid values ++ var scid= "", scidlist = "", ecls = 0; ++ if ($(".eview_sub1")[0] || $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ if ($(this).data('eclass') == 0) { ++ ecls++; ++ } ++ scid += $(this).val() + ","; ++ }); ++ scidlist = scid.replace(/,$/, ""); ++ } else { ++ ecls = $(".d_row_active").find(".b_ec_hot").text(); ++ scidlist = $("#ca0").data("scid"); ++ } ++ ++ // Was there a message? ++ var msg = "none"; ++ if ($(".cat_msg_txt").val().length != 0) { ++ msg = $(".cat_msg_txt").val(); ++ } ++ ++ if ($('#cat_box').css('display') != 'none') { ++ $('#ico01').click(); ++ } ++ ++ // We are now ready to class ++ var catdata = intclass + "|||" + msg + "|||" + scidlist; ++ var urArgs = "type=" + 9; ++ $(function(){ ++ $.post(".inc/callback.php?" 
+ urArgs, { catdata: catdata } ,function(data){cb9(data)}); ++ }); ++ ++ function cb9(data){ ++ eval("catRaw=" + data); ++ catDbg = catRaw.dbg; ++ if (catDbg == "0") { ++ ++ var curtotalrtcount = Number(ecls); ++ // Working on grouped events ++ if ($("#gr").text() == "on") { ++ curclasscount = Number($("#class_count").text()); ++ var curtotalparentcount = $(".d_row_active").find(".b_ec_hot").text(); ++ // Do we have queued events? ++ if (curtotalparentcount > 0) { ++ ++ // Are we working on queued events? ++ if (curtotalrtcount > 0) { ++ curclasscount = curtotalrtcount; ++ } else { ++ curclasscount = 0; ++ } ++ // Adjust the parent count ++ newparentcount = parseInt(curtotalparentcount - curclasscount,10); ++ $(".d_row_active").find(".b_ec_hot").text(newparentcount); ++ ++ if (newparentcount == 0) { ++ $(".d_row_active").find(".b_ec_hot").parent().attr('class','row'); ++ $(".d_row_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ ++ // If we are working within the child, adjust accordingly ++ if ($(".eview_sub1")[0]) { ++ // How many are in the child ++ curtotalchildcount = $(".d_row_sub_active").find(".b_ec_hot").text(); ++ ++ // Adjust the child count ++ newchildcount = parseInt(curtotalchildcount - curclasscount,10); ++ $(".d_row_sub_active").find(".b_ec_hot").text(newchildcount); ++ if (newchildcount == 0) { ++ $("#ca1").prop("disabled",true); ++ $(".d_row_sub_active").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub_active").find(".b_ec_hot").attr('class','b_ec_cold'); ++ } ++ // Otherwise we were called from the parent ++ } else { ++ $(".d_row_sub").find(".b_ec_hot").parent().attr('class','sub'); ++ $(".d_row_sub").find(".b_ec_hot").text(0); ++ $(".d_row_sub").find(".b_ec_hot").attr('class','b_ec_cold'); ++ $("#ca0").prop("disabled",true); ++ } ++ lastclasscount = newparentcount; ++ } ++ ++ // Lastly, update class_count ++ if (rtbit == 1 || curtotalrtcount > 0 || $("#eview_sub")[0]) { ++ $("#class_count").html(0); ++ } else { ++ 
$("#class_count").html($(".d_row_active").find(".b_ec_total").text()); ++ } ++ ++ // Working on ungrouped events ++ } else { ++ $("#class_count").html(lastclasscount); ++ } ++ ++ // What the new classification is ++ selClass = $(caller).data("cn"); ++ newClass = "a_" + selClass; ++ ++ // Change visible class and disable if RT ++ // If we are RT ungrouped, we just remove ++ if ($('#rt').text() == 'on' && $("#ca2")[0]) { ++ $(".chk_event:checked").each(function() { ++ var pid = $(this).attr("id").split("_"); ++ var nid = parseInt(Number(pid[1]) + 1); ++ // Remove any open payload or TX panes ++ if ($("[id^=eview_]")[0]) { ++ $("[id^=eview_]").remove(); ++ $(".d_row_sub1").css('opacity','1'); ++ } ++ // Remove the row ++ $("#s" + pid[1]).fadeOut('fast', function() { ++ $("#s" + pid[1]).remove(); ++ }); ++ }); ++ ++ // Update table (for sorter) ++ $("#tl3b").trigger('update'); ++ } else { ++ // If we are RT and all events are classed we just remove ++ if ($('#rt').text() == 'on' && $(".d_row_active").find(".b_ec_hot").text() == 0) { ++ $("#active_eview").remove(); ++ $(".d_row_active").fadeOut('slow', function (event) { ++ $(".d_row_active").remove(); ++ var newsigtotal = "-"; ++ var sigtotal = $("#esignature").text(); ++ if (sigtotal > 0) { ++ newsigtotal = parseInt(sigtotal - 1); ++ } ++ $("#esignature").text(newsigtotal); ++ }); ++ $(".d_row").css('opacity','1'); ++ } else { ++ $(".chk_event:checked").each(function() { ++ var n = this.id.split("_"); ++ $("#class_box_" + n[1]).attr('class', newClass); ++ $("#class_box_" + n[1]).text(selClass); ++ if (curtotalparentcount > 0) { ++ $(this).prop("disabled",true); ++ } ++ }); ++ } ++ $(".d_row_sub1").css("background-color", "#fafafa"); ++ $(".d_row_sub1").hover(function(){$(this).css("background-color", "#f4f4f4")}, ++ function(){$(this).css("background-color", "#fafafa")}); ++ } ++ ++ // Uncheck everything ++ $(".chk_event").prop("checked", false); ++ $(".chk_all").prop("checked", false); ++ // Remove these scids from 
the L1 scidlist ++ if ($("#ca0")[0] && rtbit == 1) { ++ var cur_scidlist = scidlist.split(','); ++ var active_scidlist = $("#ca0").data("scid"); ++ for (var i = 0; i < cur_scidlist.length; i++) { ++ active_scidlist = active_scidlist.replace(cur_scidlist[i],''); ++ } ++ active_scidlist = active_scidlist.replace(/,{2,}/g,','); ++ active_scidlist = active_scidlist.replace(/(^,|,$)/g,''); ++ $("#ca0").data("scid", active_scidlist); ++ } ++ catMsg(scidlist.split(',').length, curtotalrtcount); ++ } else { ++ catMsg(0); ++ } ++ } ++ } ++ ++ function catMsg(count, rtcount) { ++ switch (count) { ++ default: ++ var ess = ''; ++ if ( count > 1 ) ess = 's'; ++ ++ var numrows = Number($('.d_row').length + $('.d_row_sub1').length); ++ var newboxtotal = 0, newcatcount = 0; ++ newboxtotal = parseInt($("#qtotal").text() - rtcount); ++ $("#qtotal").text(newboxtotal); ++ ++ // If we are just rt update Total boxes as we go ++ if ($("#ca2")[0]) { // We are ungrouped ++ newcatcount = parseInt($("#cat_count").text() - count); ++ if (newcatcount == 0) { ++ newView("u"); ++ } else { ++ $("#cat_count").text(newcatcount); ++ } ++ } ++ ++ if (numrows == 0) { ++ newView("u"); ++ } ++ ++ var msg = count + " event" + ess + " categorized"; ++ clearTags(); ++ break; ++ } ++ ++ $("span.class_msg").text(msg); ++ $("span.class_msg").fadeIn('slow', function() { ++ setTimeout(function(){ ++ $(".class_msg").fadeOut('slow'); ++ }, 3000); ++ }); ++ } ++ ++ // Load summary tab ++ function loadSummary() { ++ var limit = 10; ++ if ($('#wm0')[0]) { ++ doMap("redraw"); ++ } else { ++ doMap("draw"); ++ } ++ mkSummary("signature",limit); ++ mkSummary("srcip",limit); ++ mkSummary("dstip",limit); ++ mkSummary("srcpt",limit); ++ mkSummary("dstpt",limit); ++ mkSummary("srccc",limit); ++ mkSummary("dstcc",limit); ++ } ++ ++ // Toggle summary section ++ $(document).on("click", ".hidepane", function(e) { ++ $('#topsignature').toggle(); ++ }); ++ ++ // Summary tab ++ function mkSummary(box,limit) { ++ var theWhen = 
getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('#ov_' + box + '_sl').prepend(ldr); ++ $('#top' + box).fadeTo('fast', 0.2); ++ switch (box) { ++ case "srcip": ++ var cbArgs = "srcip"; ++ var qargs = "ip-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstip": ++ var cbArgs = "dstip"; ++ var qargs = "ip-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "srcpt": ++ var cbArgs = "srcpt"; ++ var qargs = "pt-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "dstpt": ++ var cbArgs = "dstpt"; ++ var qargs = "pt-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,cbArgs)}); ++ }); ++ break; ++ case "signature": ++ var qargs = "sig-sig"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb16(data)}); ++ }); ++ break; ++ case "srccc": ++ var cbArgs = "srccc"; ++ var qargs = "cc-src"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ case "dstcc": ++ var cbArgs = "dstcc"; ++ var qargs = "cc-dst"; ++ var urArgs = "type=15&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&limit=" + limit + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb15(data,cbArgs)}); ++ }); ++ break; ++ } ++ ++ // IP and Country ++ function cb15(data,cbArgs){ ++ var ch = "SRC"; ++ var wip = "d"; ++ if (cbArgs[0] == "s") ch = "DST", wip = "s"; ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#" + ch + ""; ++ if (cbArgs[3] == "c") { ++ head += "COUNTRY"; ++ head += "#IP"; ++ } else { ++ head += "IP"; ++ head += "COUNTRY"; ++ } ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + ip2 + ""; ++ ++ if (cbArgs[3] == "c") { ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ row += "" + ip + ""; ++ } else { ++ row += "
" + ip + ""; ++ row += ""; ++ row += cs[1] + clong + " (." + cc.toLowerCase() + ")" + ""; ++ } ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ ++ // Ports ++ function cb17(data,cbArgs){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SIG"; ++ head += "#SRC" ++ head += "#DST"; ++ head += "PORT"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_" + cbArgs + "_sl").text(""); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + sigs + ""; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + port + ""; ++ row += ""; ++ row += "
"; ++ } ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($("#top" + cbArgs)[0]) $("#top" + cbArgs).remove(); ++ $("#ov_" + cbArgs + "_sl").after(tbl); ++ $("#ov_" + cbArgs + "_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_" + cbArgs + "_sl", i, records); ++ } ++ // Signature ++ function cb16(data){ ++ eval("raw=" + data); ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "#SRC"; ++ head += "#DST"; ++ head += "SIGNATURE"; ++ head += "ID"; ++ head += ""; ++ ++ var eventsum = raw[raw.length - 1].n || 0; ++ var records = raw[raw.length - 1].r || 0; ++ if (records == 0) { ++ row = "No result."; ++ $("#ov_signature_sl").text(""); ++ $("#ovestat").html("(No events)"); ++ } else { ++ $("#ovestat").html("(" + eventsum + " events)"); ++ } ++ for (var i=0; i 0) per = parseFloat(cnt/eventsum*100).toFixed(2); ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + src + ""; ++ row += "" + dst + ""; ++ row += "" + sig + ""; ++ row += "" + sid + ""; ++ row += ""; ++ row += "
"; ++ } ++ ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#topsignature')[0]) $('#topsignature').remove(); ++ $("#ov_signature_sl").after(tbl); ++ $("#ov_signature_msg").html("viewing " + i + " of " + records + " results"); ++ mkSlider("ov_signature_sl", i, records); ++ } ++ } ++ ++ $(".ovsl").mouseup(function() { ++ var section = $(this).attr('id'); ++ var base = section.split("_")[1]; ++ var limit = Number($("#" + section + "_lbl").text()); ++ if (limit > 0) mkSummary(base, limit); ++ }); ++ ++ // ++ // Views tab ++ // ++ ++ function loadViews() { ++ $('.db_links').show(); ++ if (!$("#db_view_cont")[0]) mkView(); ++ } ++ ++ // Link handlers ++ $(document).on('click', '.db_link', function() { ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_link_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click', '.db_type', function() { ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).removeClass('db_type_active'); ++ $(this).data('state', '0'); ++ } ++ }); ++ $(this).data('state', '1'); ++ mkView(); ++ }); ++ ++ $(document).on('click','.db_save', function() { ++ ++ }); ++ ++ // Create the view ++ function mkView() { ++ $('#db_view_cont,#hp_info').remove(); ++ if (!$("#db_view_ldr")[0]) { ++ var view = 'ip'; ++ $('.db_link').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_link_active'); ++ view = $(this).data('val'); ++ } ++ }); ++ ++ var type = 'sk'; ++ $('.db_type').each(function() { ++ if ($(this).data('state') == '1') { ++ $(this).addClass('db_type_active'); ++ type = $(this).data('type'); ++ } ++ }); ++ ++ var theWhen = getTimestamp(); ++ var theSensors = s2h('empty'); ++ var theFilter = mkFilter(); ++ // See if we are filtering by sensor ++ if ($('.chk_sen:checked').length > 0) { ++ var active_sensors = "AND event.sid IN("; ++ var iter = $('.chk_sen:checked').length; ++ $('.chk_sen:checked').each(function() { ++ 
active_sensors += "'" + $(this).val() + "',"; ++ }); ++ active_sensors = active_sensors.replace(/,+$/,''); ++ active_sensors += ")"; ++ theSensors = s2h(active_sensors); ++ } ++ ++ var ldr = "
"; ++ $('.db_view').after(ldr); ++ var qargs = view + "-" + type; ++ var urArgs = "type=16&qargs=" + qargs + "&filter=" + theFilter + "&sensors=" + theSensors + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb17(data,type)}); ++ }); ++ ++ function cb17(data,type) { ++ eval("viewData=" + data); ++ var records = viewData.records; ++ if ($('#db_view_cont')[0]) $('#db_view_cont').remove(); ++ if (records > 0) { ++ $('.db_view').after("
"); ++ switch (type) { ++ case 'sk': ++ var w = $(window).width(); ++ var h = viewData.links.length * 12; ++ if (h < 100) h = 100; ++ mkSankey("db_view_cont",viewData,w,h); ++ break; ++ } ++ } else { ++ $('.db_view').after("
The query returned no results.
"); ++ } ++ $('#db_view_ldr').remove(); ++ } ++ } ++ } ++ ++ // Make a map ++ function doMap() { ++ theWhen = getTimestamp(); ++ var theFilter = mkFilter(); ++ var working = "Working
"; ++ ++ $('#wm0').html(working); ++ ++ var urArgs = "type=" + 10 + "&filter=" + theFilter + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" + urArgs, function(data){cb10(data)}); ++ }); ++ ++ function cb10(data){ ++ eval("mapRaw=" + data); ++ try { ++ var mapDetail = $.parseJSON("{" + mapRaw.all + "}"); ++ var srcc = mapRaw.srcc; ++ var srce = mapRaw.srce; ++ var dstc = mapRaw.dstc; ++ var dste = mapRaw.dste; ++ var allc = mapRaw.allc; ++ var alle = mapRaw.alle; ++ } ++ catch(e) { ++ var mapDetail = "{\"\"}"; ++ } ++ ++ // What is our current event total? ++ var esum = $('#event_sum').val(); ++ var w = $(window).width() - 72; ++ var h = w / 2.7 ; ++ $("#ov_map").html("
"); ++ $('#wm0').vectorMap({ ++ map: 'world_mill_en', ++ color: '#f4f3f0', ++ backgroundColor: '#CFE1FC', ++ zoomOnScroll: false, ++ onRegionClick: function(event, code){ ++ hItemAdd(code); ++ $('#search').val("cc" + " " + code); ++ $('#search').focus(); ++ }, ++ series: { ++ regions: [{ ++ values: mapDetail, ++ scale: ['#ffffff', '#000000'], ++ normalizeFunction: 'polynomial' ++ }] ++ }, ++ onRegionLabelShow: function(e, el, code){ ++ if (mapDetail[code]) { ++ var eper = parseFloat(mapDetail[code]/esum*100).toFixed(3); ++ el.html(el.html() + ' (' + mapDetail[code] + ' Events ' + eper + '% of Total)'); ++ } else { ++ el.html(el.html()); ++ } ++ } ++ }); ++ ++ var stats = "("; ++ stats += allc + " distinct countries)"; ++ $("#ovmapstat").html(stats); ++ } ++ } ++ ++ // Redraw map ++ $(document).on("click", "#map_src, #map_dst", function() { ++ doMap($(this).attr('id').split("_")[1]); ++ }); ++ ++ // ++ // History ++ // ++ ++ function doHistory(object) { ++ $('#loader').show(); ++ var urArgs = "type=" + 21 + "&object=" + s2h("aa" + object) + "&ts=" + theWhen; ++ $(function(){ ++ $.get(".inc/callback.php?" 
+ urArgs, function(data){cb21(data)}); ++ }); ++ ++ function cb21(data){ ++ eval("chartData=" + data); ++ var r1 = chartData.r1; ++ var r2 = chartData.r2; ++ var sum = 0; ++ if (r1 > 0) { ++ mkHeatMap(".ev_hm",chartData.start,chartData.rows1,object); ++ $('#obhist_sig').remove(); ++ if (r2 > 0) { ++ ++ for (var i=0; i < r2; i++) { ++ sum += Number(chartData.rows2[i].value); ++ } ++ ++ var tbl = '', head = '', row = ''; ++ head += ""; ++ head += "COUNT"; ++ head += "%TOTAL"; ++ head += "SIGNATURE"; ++ head += ""; ++ row += ""; ++ ++ for (var i=0; i < r2; i++) { ++ ++ var cnt = chartData.rows2[i].value || "-"; ++ var sig = chartData.rows2[i].label || "-"; ++ var sid = chartData.rows2[i].sid || "-"; ++ var per = 0; ++ if (sum > 0) var per = parseFloat(cnt/sum*100).toFixed(2); ++ var tsg = truncTag(sig,60); ++ ++ row += ""; ++ row += "" + cnt + ""; ++ row += "" + per + "%"; ++ row += "" + tsg + ""; ++ row += "" ++ row += "
"; ++ } ++ ++ row += ""; ++ tbl += ""; ++ tbl += head; ++ tbl += row; ++ tbl += "
"; ++ if ($('#obhist_sig')[0]) $('#obhist_sig').remove(); ++ $(".ev_py").append(tbl); ++ } ++ } else { ++ return; ++ } ++ if ($(".eview_charts")[0]) $('.eview_charts').slideDown('slow'); ++ $("#loader").hide(); ++ } ++ } ++// The End. ++}); +--- /dev/null ++++ securityonion-squert-20161212/login.php +@@ -0,0 +1,158 @@ ++ ++// ++// This program is free software: you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation, either version 3 of the License, or ++// (at your option) any later version. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License ++// along with this program. If not, see . ++// ++// ++ ++include_once '.inc/config.php'; ++ ++$username = $password = $err = ''; ++$focus = 'username'; ++session_set_cookie_params(0, NULL, NULL, NULL, TRUE); ++ ++function cleanUp($string) { ++ if (get_magic_quotes_gpc()) { ++ $string = stripslashes($string); ++ } ++ $string = mysql_real_escape_string($string); ++ return $string; ++} ++ ++//if ($_SERVER['REQUEST_METHOD'] == 'POST'){ ++ //$username = $_REQUEST['username']; ++ //$password = $_REQUEST['password']; ++ // sso ++ $username = $_SERVER['PHP_AUTH_USER']; ++ $password = $_SERVER['PHP_AUTH_PW']; ++ ++ $ua = $_SERVER['HTTP_USER_AGENT']; ++ $rqt = $_SERVER['REQUEST_TIME']; ++ $rqaddr = $_SERVER['REMOTE_ADDR']; ++ $max = mt_getrandmax(); ++ $rqt .= mt_rand(0,$max); ++ $rqaddr .= mt_rand(0,$max); ++ $ua .= mt_rand(0,$max); ++ $cmpid = $rqt . $rqaddr . $ua; ++ $id = md5($cmpid); ++ // PDO prepared statements ++ try { ++ // first connect to database with the PDO object. 
++ $dbpdo = new PDO("mysql:host=$dbHost;dbname=$dbName;charset=latin1", "$dbUser", "$dbPass", [
++ PDO::ATTR_EMULATE_PREPARES => false,
++ PDO::MYSQL_ATTR_USE_BUFFERED_QUERY => false,
++ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
++ ]);
++ } catch(PDOException $e){
++ // if connection fails, log PDO error.
++ error_log("Error connecting to mysql: ". $e->getMessage());
++ }
++ 
++ if (isset($dbpdo)) {
++ // prepare statement
++ $statement = "SELECT * FROM user_info WHERE username = :user";
++ $query = $dbpdo->prepare("$statement");
++ // build parameters for prepared statement
++ $params = [":user" => "$username"];
++ // execute the prepared statement and pass it params
++ $query->execute($params);
++ // fetch the data
++ while ($row = $query->fetch(PDO::FETCH_NUM)) {
++ $userName = $row[1];
++ $lastLogin = $row[2];
++ $userHash = $row[3];
++ $userEmail = $row[4];
++ $userType = $row[5];
++ $userTime = $row[6];
++ $tzoffset = $row[7];
++ }
++ 
++ // if $username was found in database, then check password
++ if ( isset($userName) && $username == $userName) {
++ // The first 2 chars are the salt
++ $theSalt = substr($userHash, 0,2);
++ 
++ // The remainder is the hash
++ $theHash = substr($userHash, 2);
++ 
++ // Now we hash the users input
++ $testHash = sha1($password . $theSalt);
++ 
++ // Does it match? If yes, start the session. 
++ if ($testHash === $theHash) {
++ session_start();
++ 
++ // Protect against session fixation attack
++ if (!isset($_SESSION['initiated'])) {
++ session_regenerate_id();
++ $_SESSION['initiated'] = true;
++ }
++ 
++ $_SESSION['sLogin'] = 1;
++ $_SESSION['sUser'] = $userName;
++ $_SESSION['sPass'] = $password;
++ $_SESSION['sEmail'] = $userEmail;
++ $_SESSION['sType'] = $userType;
++ $_SESSION['sTime'] = $userTime;
++ $_SESSION['tzoffset'] = $tzoffset;
++ $_SESSION['sTab'] = 't_sum';
++ $_SESSION['id'] = $id;
++ 
++ header ("Location: index.php?id=$id");
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'The user name or password is incorrect.';
++ $focus = 'username';
++ }
++ } else {
++ $err = 'Connection Failed';
++ }
++//}
++?>
++ 
++ 
++ 
++Please login to continue
++ 
++ 
++ 
++ 
++ 
++
++ ++ ++ ++ ++ ++ ++
++squert - Please login to continue
++Username
++
++Password
++
++

++
Version 1.7.0©2016 Paul Halliday
++
++
++ ++ ++ diff --git "a/debian/patches/remove-unnecessary-code-from-ip2c.php\033:wq" "b/debian/patches/remove-unnecessary-code-from-ip2c.php\033:wq" new file mode 100644 index 0000000..b2efc9e --- /dev/null +++ "b/debian/patches/remove-unnecessary-code-from-ip2c.php\033:wq" 
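Review bot: The cleartext credential is written into server-side session state at `$_SESSION['sPass'] = $password;`, so every session file persists a reusable password, and nothing else in this hunk reads it back — drop the line, or if a later page depends on it, have that page re-prompt instead. In the same success branch `session_regenerate_id();` leaves the old id valid (`session_regenerate_id(true);` invalidates it) and `header ("Location: index.php?$id");` is not followed by `exit;`, so the login form below is still rendered after the redirect header. `cleanUp()` calls `get_magic_quotes_gpc()` and `mysql_real_escape_string()`, both removed in PHP 7, and is no longer called now that the lookup is a PDO prepared statement, so it is dead code that fatals if anything ever invokes it. `$id` is derived from `mt_rand()`, which is not a cryptographic source; `bin2hex(random_bytes(16))` yields an equally shaped token with real entropy. `$_SERVER['PHP_AUTH_USER']` and `PHP_AUTH_PW` are read without an `isset()` guard, so a request that reaches this script outside the SSO-protected location raises undefined-index notices rather than a clean failure.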
@@ -0,0 +1,161 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion39) xenial; urgency=medium + . + * remove unnecessary code from ip2c.php +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/ip2c.php ++++ securityonion-squert-20161212/.inc/ip2c.php +@@ -25,29 +25,22 @@ include_once "functions.php"; + $db = mysqli_connect($dbHost,$dbUser,$dbPass) or die(mysqli_error($db)); + mysqli_select_db($db,$dbName) or die(mysqli_error($db)); + +-function IP2C($string,$isCLI) { ++function IP2C($string) { + +- if ($isCLI == 'NO') { +- // Running from a browser +- $when = 'WHERE ' . hextostr($string) . ' AND '; +- } else { +- // Running from the command line +- if ($string == 0) { +- $when = "WHERE "; +- } +- +- if ($string == 1) { +- $startDate = gmdate("Y-m-d"); +- $startTime = "00:00:00"; +- $endDate = gmdate("Y-m-d",strtotime($startDate . "+1 day")); +- $endTime = "00:00:00"; +- $when = "WHERE e.timestamp BETWEEN '$startDate $startTime' AND '$endDate $endTime' AND"; +- } +- +- echo "Performing base queries (this can take a while)..\n\n"; ++ if ($string == 0) { ++ $when = "WHERE "; ++ } + ++ if ($string == 1) { ++ $startDate = gmdate("Y-m-d"); ++ $startTime = "00:00:00"; ++ $endDate = gmdate("Y-m-d",strtotime($startDate . 
"+1 day")); ++ $endTime = "00:00:00"; ++ $when = "WHERE e.timestamp BETWEEN '$startDate $startTime' AND '$endDate $endTime' AND"; + } + ++ echo "Performing base queries (this can take a while)..\n\n"; ++ + function lookup($list) { + + global $db; +@@ -75,13 +68,11 @@ function IP2C($string,$isCLI) { + } + } + +- // DB Connect +- global $dbHost, $dbUser, $dbPass, $dbName; +- $db = mysqli_connect($dbHost,$dbUser,$dbPass) or die(mysqli_error($db)); +- mysqli_select_db($db,$dbName) or die(mysqli_error($db)); +- + // Start timing + $st = microtime(true); ++ ++ // DB Connect ++ global $db; + $sipList = mysqli_query($db,"SELECT DISTINCT(e.src_ip) FROM event AS e LEFT JOIN mappings AS m ON e.src_ip=m.ip + WHERE (m.ip IS NULL OR m.cc = '01')"); + $dipList = mysqli_query($db,"SELECT DISTINCT(e.dst_ip) FROM event AS e LEFT JOIN mappings AS m ON e.dst_ip=m.ip +@@ -109,19 +100,7 @@ function IP2C($string,$isCLI) { + $time = $et - $st; + $rt = sprintf("%01.3f",$time); + +- if ($isCLI == 'NO') { +- +- $html = "\r +- \r +- \r +- \r +- \r +- \r
 -> Query Time: $rt seconds
 -> Source Count: $sipCount
 -> Destination Count: $dipCount
 -> Total Mapped: $allCount[0]
"; +- +- return $html; +- } +- +- if ($isCLI == 'YES' && $string == 0) { ++ if ($string == 0) { + echo "\n-> Query Time: $rt seconds + \r-> Source Count: $sipCount + \r-> Destination Count: $dipCount +@@ -130,30 +109,6 @@ function IP2C($string,$isCLI) { + + } + +-/* +- +-Commenting out the following function per +-https://github.com/int13h/squert/issues/76 +- +-function TheHTML($string) { +- +- echo "\r +- \r +- \r +- \r +- \r +- \r +- \r
+- \r
+- \r +- \r

+- \r +- \r
+- \r +- \r"; +-} +-*/ +- + if (isset($argc)) { + + if ($argc == 1 || $argc > 2 || $argv[1] > 1 || !is_numeric($argv[1])) { +@@ -164,21 +119,8 @@ if (isset($argc)) { + \r1 - Update. This is intended to be called via Cron\n\n"; + exit; + } else { +- IP2C($argv[1],'YES'); +- } +- +-} else { +- +- $html = ''; +- +- if(!isset($_REQUEST['qText'])) { $string = $_REQUEST['qp']; } else { $string = $_REQUEST['qText']; } +- +- if (@$_REQUEST['csync']) { +- $string = $_REQUEST['qText']; +- $html = IP2C($string,'NO'); ++ IP2C($argv[1]); + } + +- TheHTML($string); +- echo $html; + } + ?> diff --git a/debian/patches/series b/debian/patches/series index c4d3939..49ac6eb 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -24,3 +24,13 @@ improve-callback.php-and-grant-permission-to-autocat-table allow-pivot-to-elsa-or-elastic migrate-login.php-to-prepared-statements add-row-for-Bro-agent +version-1.7.1 +update-mysql-calls-and-config +move-files-from-elastic-package +fix-auth +disable-mysql-strict-mode +frontend-expects-all-values-to-be-strings +iterate-over-all-arrays-when-converting-strings +fix-for-loop +update-mysql-function-calls-in-ip2c.php +remove-unnecessary-code-from-ip2c.php:wq diff --git a/debian/patches/update-mysql-calls-and-config b/debian/patches/update-mysql-calls-and-config new file mode 100644 index 0000000..87f8a4a --- /dev/null +++ b/debian/patches/update-mysql-calls-and-config 
@@ -0,0 +1,52 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion30) xenial; urgency=medium + . + * update mysql calls and config +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/functions.php ++++ securityonion-squert-20161212/.inc/functions.php +@@ -56,13 +56,13 @@ function retSD($x) { + function dbC() { + if (file_exists('.inc/config.php')) { + global $dbHost,$dbName,$dbUser,$dbPass; +- $link = mysql_connect($dbHost,$dbUser,$dbPass); ++ $link = mysqli_connect($dbHost,$dbUser,$dbPass); + + if (!$link) { + die('Connection failed: ' . mysql_error()); + } + +- $db = mysql_select_db($dbName,$link); ++ $db = mysqli_select_db($link,$dbName); + + if (!$db) { + die('Database selection failed: ' . mysql_error()); +--- securityonion-squert-20161212.orig/.scripts/securityonion-squert.cnf ++++ securityonion-squert-20161212/.scripts/securityonion-squert.cnf +@@ -1,5 +1,6 @@ + [mysqld] + group_concat_max_len = 100000 ++sql_mode=STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION + + [mysqltcl] + local-infile=1 diff --git a/debian/patches/update-mysql-function-calls-in-ip2c.php b/debian/patches/update-mysql-function-calls-in-ip2c.php new file mode 100644 index 0000000..f3730b7 --- /dev/null 
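Review bot: Both `die()` calls in `dbC()` still build their message with `mysql_error()`, which does not exist on the mysqli-only PHP stack this patch migrates to, so a failed connect or database selection now dies with an undefined-function fatal instead of the intended message. The two lines should read `die('Connection failed: ' . mysqli_connect_error());` and `die('Database selection failed: ' . mysqli_error($link));`. Since `die()` output reaches the browser, logging the driver message with `error_log()` and dying with a generic string keeps host and credential details out of responses. The `sql_mode` line added to the .cnf turns on `STRICT_TRANS_TABLES`, and the series file in this commit also lists a later `disable-mysql-strict-mode` patch; the two should be reconciled rather than stacked.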
+++ b/debian/patches/update-mysql-function-calls-in-ip2c.php 
@@ -0,0 +1,113 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion38) xenial; urgency=medium + . + * update mysql function calls in ip2c.php +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/ip2c.php ++++ securityonion-squert-20161212/.inc/ip2c.php +@@ -19,10 +19,13 @@ + // + // + +-function IP2C($string,$isCLI) { ++include_once "config.php"; ++include_once "functions.php"; ++ ++$db = mysqli_connect($dbHost,$dbUser,$dbPass) or die(mysqli_error($db)); ++mysqli_select_db($db,$dbName) or die(mysqli_error($db)); + +- include_once "config.php"; +- include_once "functions.php"; ++function IP2C($string,$isCLI) { + + if ($isCLI == 'NO') { + // Running from a browser +@@ -47,13 +50,14 @@ function IP2C($string,$isCLI) { + + function lookup($list) { + +- while ($row = mysql_fetch_row($list)) { ++ global $db; ++ while ($row = mysqli_fetch_row($list)) { + $ip = $row[0]; + $dot = long2ip((float)$ip); +- $ipLookup = mysql_query("SELECT registry, cc, c_long, type, date, status FROM ip2c WHERE ++ $ipLookup = mysqli_query($db,"SELECT registry, cc, c_long, type, date, status FROM ip2c WHERE + $ip >=start_ip AND $ip <= end_ip LIMIT 1"); + +- $result = mysql_fetch_array($ipLookup); ++ $result = mysqli_fetch_array($ipLookup); + + if ($result) { + $registry = $result[0]; +@@ -63,7 +67,7 @@ 
function IP2C($string,$isCLI) { + $date = $result[4]; + $status = $result[5]; + +- mysql_query("REPLACE INTO mappings (registry,cc,c_long,type,ip,date,status) ++ mysqli_query($db,"REPLACE INTO mappings (registry,cc,c_long,type,ip,date,status) + VALUES (\"$registry\",\"$cc\",\"$c_long\",\"$type\",\"$ip\",\"$date\",\"$status\")"); + echo "-- Mapped $dot ($ip) to $cc ($c_long)\n"; + } +@@ -72,32 +76,33 @@ function IP2C($string,$isCLI) { + } + + // DB Connect +- $db = mysql_connect($dbHost,$dbUser,$dbPass) or die(mysql_error()); +- mysql_select_db($dbName,$db) or die(mysql_error()); ++ global $dbHost, $dbUser, $dbPass, $dbName; ++ $db = mysqli_connect($dbHost,$dbUser,$dbPass) or die(mysqli_error($db)); ++ mysqli_select_db($db,$dbName) or die(mysqli_error($db)); + + // Start timing + $st = microtime(true); +- $sipList = mysql_query("SELECT DISTINCT(e.src_ip) FROM event AS e LEFT JOIN mappings AS m ON e.src_ip=m.ip ++ $sipList = mysqli_query($db,"SELECT DISTINCT(e.src_ip) FROM event AS e LEFT JOIN mappings AS m ON e.src_ip=m.ip + WHERE (m.ip IS NULL OR m.cc = '01')"); +- $dipList = mysql_query("SELECT DISTINCT(e.dst_ip) FROM event AS e LEFT JOIN mappings AS m ON e.dst_ip=m.ip ++ $dipList = mysqli_query($db,"SELECT DISTINCT(e.dst_ip) FROM event AS e LEFT JOIN mappings AS m ON e.dst_ip=m.ip + WHERE (m.ip IS NULL OR m.cc = '01')"); + $sipCount = $dipCount = 0; + if ($sipList) { +- $sipCount = mysql_num_rows($sipList); ++ $sipCount = mysqli_num_rows($sipList); + if ($sipCount > 0) { + lookup($sipList); + } + } + + if ($dipList) { +- $dipCount = mysql_num_rows($dipList); ++ $dipCount = mysqli_num_rows($dipList); + if ($dipCount > 0) { + lookup($dipList); + } + } + +- $allRecs = mysql_query("SELECT COUNT(*) FROM mappings"); +- $allCount = mysql_fetch_row($allRecs); ++ $allRecs = mysqli_query($db,"SELECT COUNT(*) FROM mappings"); ++ $allCount = mysqli_fetch_row($allRecs); + + // Stop Timing + $et = microtime(true); 
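Review bot: `$db = mysqli_connect($dbHost,$dbUser,$dbPass) or die(mysqli_error($db));` — added at file scope and repeated inside `IP2C()` — hands `false` to `mysqli_error()` when the connect fails, so the error branch itself errors out; `die(mysqli_connect_error())` is the form that reports a connect failure. The migration also keeps SQL built by interpolation: `lookup()` places `$ip` and the six columns read from `ip2c` directly into the `REPLACE INTO mappings ... VALUES ("$registry","$cc","$c_long",...)` statement, so a `c_long` value containing a double quote breaks the query, and if that table is ever populated from an external feed the interpolation becomes an injection path. With `$db` now a mysqli handle, `mysqli_prepare()` with bound parameters, or at minimum `mysqli_real_escape_string($db, ...)` on each value, is the natural companion to this change. The body of `IP2C()` continues past the end of the hunk.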
diff --git a/debian/patches/version-1.7.1 b/debian/patches/version-1.7.1 new file mode 100644 index 0000000..9cb997a --- /dev/null +++ b/debian/patches/version-1.7.1 @@ -0,0 +1,47 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion28) trusty; urgency=medium + . + * version 1.7.1 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/auth/native/squert/login.php ++++ securityonion-squert-20161212/auth/native/squert/login.php +@@ -150,7 +150,7 @@ Password
+

+ + +-
Version 1.7.0©2016 Paul Halliday
++
Version 1.7.1©2016 Paul Halliday
+ + + +--- securityonion-squert-20161212.orig/auth/sso/squert/login.php ++++ securityonion-squert-20161212/auth/sso/squert/login.php +@@ -150,7 +150,7 @@ Password
+

+ + +-
Version 1.7.0©2016 Paul Halliday
++
Version 1.7.1©2016 Paul Halliday
+ + + diff --git a/debian/postinst b/debian/postinst index c3d28d0..47dd814 100644 --- a/debian/postinst +++ b/debian/postinst @@ -6,7 +6,7 @@ case "$1" in configure) a2enmod ssl || echo "Error enabling Apache ssl module." - a2dismod autoindex || echo "Error disabling Apache autoindex module." + a2dismod autoindex -f || echo "Error disabling Apache autoindex module." a2dissite 000-default || echo "Error disabling Apache HTTP listener." a2ensite securityonion || echo "Error enabling Apache securityonion site." @@ -19,25 +19,6 @@ case "$1" in fi fi - # Squert has its own native authentication, but we're moving to SSO for the Elastic integration. - # If Apache is configured for SSO, then configure Squert for SSO. - # Otherwise, configure Squert for native authentication. - AUTH="native" - SO="/var/www/so/" - SQUERT="${SO}/squert" - CONF="/etc/apache2/sites-enabled/securityonion.conf" - if ! [ -f ${CONF} ]; then - echo "${CONF} does not exist. Configuring for Squert authentication." - else - if grep -q "" ${CONF} ; then - echo "${CONF} is configured for SSO authentication. Updating SSO auth files." - AUTH="sso" - else - echo "${CONF} is configured for Squert authentication. Updating Squert auth files." - fi - fi - cp -av /opt/squert/auth/${AUTH}/squert ${SO} || echo "Error copying from /opt/squert/auth/${AUTH}/squert to ${SO}." - apache2ctl restart || echo "Error restarting Apache." if ! grep "/var/www/so/squert/.scripts/Ip2c/results.txt" /etc/apparmor.d/local/usr.sbin.mysqld >/dev/null; then diff --git a/auth/sso/squert/login.php b/login.php similarity index 98% rename from auth/sso/squert/login.php rename to login.php index 5e3d620..a579456 100644 --- a/auth/sso/squert/login.php +++ b/login.php @@ -150,7 +150,7 @@ function cleanUp($string) {

-
Version 1.7.1©2016 Paul Halliday
+
Version 1.8.0©2016 Paul Halliday
From f8a69178ff0f58f200d47e0fcebeeb4df75e3162 Mon Sep 17 00:00:00 2001 From: doug Date: Fri, 25 May 2018 08:22:33 -0400 Subject: [PATCH 30/34] Issue 1169: Squert: remove search link from context menu --- .js/squertMain.js | 11 +-- debian/changelog | 6 ++ ...uert:-remove-search-link-from-context-menu | 88 +++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 101 insertions(+), 5 deletions(-) create mode 100644 debian/patches/Issue-1169:-Squert:-remove-search-link-from-context-menu diff --git a/.js/squertMain.js b/.js/squertMain.js index cf36819..3734873 100644 --- a/.js/squertMain.js +++ b/.js/squertMain.js @@ -2013,12 +2013,13 @@ $(document).ready(function(){ var objhex = s2h(suffix); var tbl = '', row = ''; // Local stuff first + // Commented out SEARCH row to reduce pivot switch (prefix[prefix.length - 1]) { case "c": row += ":: SRC or DST"; row += ":: SRC"; row += ":: DST"; - row += ":: SEARCH"; + //row += ":: SEARCH"; break; case "p": row += ":: SRC or DST"; @@ -2028,7 +2029,7 @@ $(document).ready(function(){ if ($('.sigtxt')[0]) { row += ":: HISTORY"; } - row += ":: SEARCH"; + //row += ":: SEARCH"; row += ":: COLOUR  "; row += ""; row += "apply"; @@ -2038,14 +2039,14 @@ $(document).ready(function(){ case "t": row += ":: SRC"; row += ":: DST"; - row += ":: SEARCH"; + //row += ":: SEARCH"; break; case "d": row += ":: SIGNATURE"; if ($('.sigtxt')[0]) { row += ":: HISTORY"; } - row += ":: SEARCH"; + //row += ":: SEARCH"; break; case "l": row += ":: COLOUR  "; @@ -2054,7 +2055,7 @@ $(document).ready(function(){ doexternals = "no"; break; case "z": - row += ":: SEARCH"; + //row += ":: SEARCH"; break; } diff --git a/debian/changelog b/debian/changelog index bbb827a..0def78b 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion40) xenial; urgency=medium + + * Issue 1169: Squert: remove search link from context menu + + -- Doug Burks Fri, 25 May 2018 08:21:46 -0400 + securityonion-squert (20161212-1ubuntu1securityonion39) xenial; urgency=medium * remove unnecessary code from ip2c.php diff --git a/debian/patches/Issue-1169:-Squert:-remove-search-link-from-context-menu b/debian/patches/Issue-1169:-Squert:-remove-search-link-from-context-menu new file mode 100644 index 0000000..b66379b --- /dev/null +++ b/debian/patches/Issue-1169:-Squert:-remove-search-link-from-context-menu 
@@ -0,0 +1,88 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion40) xenial; urgency=medium + . + * Issue 1169: Squert: remove search link from context menu +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.js/squertMain.js ++++ securityonion-squert-20161212/.js/squertMain.js +@@ -2013,12 +2013,13 @@ $(document).ready(function(){ + var objhex = s2h(suffix); + var tbl = '', row = ''; + // Local stuff first ++ // Commented out SEARCH row to reduce pivot + switch (prefix[prefix.length - 1]) { + case "c": + row += ":: SRC or DST"; + row += ":: SRC"; + row += ":: DST"; +- row += ":: SEARCH"; ++ //row += ":: SEARCH"; + break; + case "p": + row += ":: SRC or DST"; +@@ -2028,7 +2029,7 @@ $(document).ready(function(){ + if ($('.sigtxt')[0]) { + row += ":: HISTORY"; + } +- row += ":: SEARCH"; ++ //row += ":: SEARCH"; + row += ":: COLOUR  "; + row += ""; + row += "apply"; +@@ -2038,14 +2039,14 @@ $(document).ready(function(){ + case "t": + row += ":: SRC"; + row += ":: DST"; +- row += ":: SEARCH"; ++ //row += ":: SEARCH"; + break; + case "d": + row += ":: SIGNATURE"; + if ($('.sigtxt')[0]) { + row += ":: HISTORY"; + } +- row += ":: SEARCH"; ++ //row += ":: SEARCH"; + break; + case "l": + row += ":: COLOUR  "; +@@ -2054,7 +2055,7 @@ $(document).ready(function(){ + doexternals = "no"; + 
break; + case "z": +- row += ":: SEARCH"; ++ //row += ":: SEARCH"; + break; + } + +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -150,7 +150,7 @@ Password
+

+ + +-
Version 1.7.1©2016 Paul Halliday
++
Version 1.8.0©2016 Paul Halliday
+ + + diff --git a/debian/patches/series b/debian/patches/series index 49ac6eb..16ca594 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -34,3 +34,4 @@ iterate-over-all-arrays-when-converting-strings fix-for-loop update-mysql-function-calls-in-ip2c.php remove-unnecessary-code-from-ip2c.php:wq +Issue-1169:-Squert:-remove-search-link-from-context-menu From b1d5fcb4081a96010b314578b3f36a631ccc7b7a Mon Sep 17 00:00:00 2001 From: doug Date: Thu, 14 Jun 2018 13:37:31 -0400 Subject: [PATCH 31/34] Issue 1259: Squert: turning grouping off results in no alerts --- .inc/callback.php | 4 ++ debian/changelog | 6 +++ ...-turning-grouping-off-results-in-no-alerts | 49 +++++++++++++++++++ debian/patches/series | 1 + login.php | 2 +- 5 files changed, 61 insertions(+), 1 deletion(-) create mode 100644 debian/patches/Issue-1259:-Squert:-turning-grouping-off-results-in-no-alerts diff --git a/.inc/callback.php b/.inc/callback.php index 0053c85..216e50c 100644 --- a/.inc/callback.php +++ b/.inc/callback.php @@ -498,6 +498,10 @@ function level2a() { $query->execute($merged_params); // fetch the data and encode to json $rows = $query->fetchAll(PDO::FETCH_ASSOC); + // the frontend expects all values to be strings + for ($i=0;$i Thu, 14 Jun 2018 13:36:43 -0400 + securityonion-squert (20161212-1ubuntu1securityonion40) xenial; urgency=medium * Issue 1169: Squert: remove search link from context menu diff --git a/debian/patches/Issue-1259:-Squert:-turning-grouping-off-results-in-no-alerts b/debian/patches/Issue-1259:-Squert:-turning-grouping-off-results-in-no-alerts new file mode 100644 index 0000000..c806b48 --- /dev/null +++ b/debian/patches/Issue-1259:-Squert:-turning-grouping-off-results-in-no-alerts 
@@ -0,0 +1,49 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion41) xenial; urgency=medium + . + * Issue 1259: Squert: turning grouping off results in no alerts +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -498,6 +498,10 @@ function level2a() { + $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); ++ // the frontend expects all values to be strings ++ for ($i=0;$i +

+ + +-
Version 1.8.0©2016 Paul Halliday
++
Version 1.8.1©2016 Paul Halliday
+ + + diff --git a/debian/patches/series b/debian/patches/series index 16ca594..53b8331 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -35,3 +35,4 @@ fix-for-loop update-mysql-function-calls-in-ip2c.php remove-unnecessary-code-from-ip2c.php:wq Issue-1169:-Squert:-remove-search-link-from-context-menu +Issue-1259:-Squert:-turning-grouping-off-results-in-no-alerts diff --git a/login.php b/login.php index a579456..2f1937f 100644 --- a/login.php +++ b/login.php @@ -150,7 +150,7 @@ function cleanUp($string) {

-
Version 1.8.0©2016 Paul Halliday
+
Version 1.8.1©2016 Paul Halliday
From 0fba4af68aef8407fac0bd226b8b4dbbe017c2c9 Mon Sep 17 00:00:00 2001 From: doug Date: Thu, 5 Jul 2018 07:07:33 -0400 Subject: [PATCH 32/34] Squert: Priority counts incorrect #1277 --- .inc/callback.php | 8 +++ debian/changelog | 6 +++ .../Squert:-Priority-counts-incorrect-#1277 | 49 +++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 64 insertions(+) create mode 100644 debian/patches/Squert:-Priority-counts-incorrect-#1277 diff --git a/.inc/callback.php b/.inc/callback.php index 216e50c..79915dc 100644 --- a/.inc/callback.php +++ b/.inc/callback.php @@ -325,6 +325,10 @@ function level0() { $query->execute($merged_params); // fetch the data and encode to json $rows = $query->fetchAll(PDO::FETCH_ASSOC); + // the frontend expects all values to be strings + for ($i=0;$iexecute($merged_params); // fetch the data and encode to json $rows = $query->fetchAll(PDO::FETCH_ASSOC); + // the frontend expects all values to be strings + for ($i=0;$i Thu, 05 Jul 2018 07:06:30 -0400 + securityonion-squert (20161212-1ubuntu1securityonion41) xenial; urgency=medium * Issue 1259: Squert: turning grouping off results in no alerts diff --git a/debian/patches/Squert:-Priority-counts-incorrect-#1277 b/debian/patches/Squert:-Priority-counts-incorrect-#1277 new file mode 100644 index 0000000..55bb366 --- /dev/null +++ b/debian/patches/Squert:-Priority-counts-incorrect-#1277 
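Review bot: The string-coercion loop added after `fetchAll()` in `level0()` is now the third copy of the same four lines (the previous commit added it to `level2a()`, and this commit adds it to two functions), so the next query function that feeds the frontend will need a fourth paste; factor it into one helper and call `$rows = rowsToStrings($rows);` at each site, with the loop moved into `function rowsToStrings(array $rows)` alongside the other helpers in callback.php. The loop body is cut off in this rendering (everything after `$i` was dropped), so I can only infer that it casts each column; if it uses `(string)`, the helper's comment should note that NULL columns become `''` and the frontend can no longer distinguish missing from empty, which is a behaviour change worth stating next to the "frontend expects all values to be strings" comment. Both enclosing functions begin and end outside the hunk.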
@@ -0,0 +1,49 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion42) xenial; urgency=medium + . + * Squert: Priority counts incorrect #1277 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.inc/callback.php ++++ securityonion-squert-20161212/.inc/callback.php +@@ -325,6 +325,10 @@ function level0() { + $query->execute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); ++ // the frontend expects all values to be strings ++ for ($i=0;$iexecute($merged_params); + // fetch the data and encode to json + $rows = $query->fetchAll(PDO::FETCH_ASSOC); ++ // the frontend expects all values to be strings ++ for ($i=0;$i Date: Wed, 7 Aug 2019 19:39:59 -0400 Subject: [PATCH 33/34] securityonion-squert: increase group_concat_max_len Security-Onion-Solutions/security-onion#1602 --- .scripts/securityonion-squert.cnf | 2 +- debian/changelog | 6 ++++ ...ecurity-Onion-Solutionssecurity-onion#1602 | 34 +++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 debian/patches/securityonion-squert:-increase-group_concat_max_len-Security-Onion-Solutionssecurity-onion#1602 diff --git a/.scripts/securityonion-squert.cnf b/.scripts/securityonion-squert.cnf index 1db2bd4..1872c5b 100644 
--- a/.scripts/securityonion-squert.cnf +++ b/.scripts/securityonion-squert.cnf @@ -1,5 +1,5 @@ [mysqld] -group_concat_max_len = 100000 +group_concat_max_len = 1000000 sql_mode=NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION [mysqltcl] diff --git a/debian/changelog b/debian/changelog index 55a236a..b2e01de 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion43) xenial; urgency=medium + + * securityonion-squert: increase group_concat_max_len Security-Onion-Solutions/security-onion#1602 + + -- Doug Burks Wed, 07 Aug 2019 19:39:24 -0400 + securityonion-squert (20161212-1ubuntu1securityonion42) xenial; urgency=medium * Squert: Priority counts incorrect #1277 diff --git a/debian/patches/securityonion-squert:-increase-group_concat_max_len-Security-Onion-Solutionssecurity-onion#1602 b/debian/patches/securityonion-squert:-increase-group_concat_max_len-Security-Onion-Solutionssecurity-onion#1602 new file mode 100644 index 0000000..ad3d535 --- /dev/null +++ b/debian/patches/securityonion-squert:-increase-group_concat_max_len-Security-Onion-Solutionssecurity-onion#1602 
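Review bot: The new `group_concat_max_len = 1000000` is a server-wide `[mysqld]` setting, and MySQL still silently truncates any GROUP_CONCAT result that exceeds it (a warning, not an error), so a larger alert set will reproduce the original symptom with no signal to Squert. If the PHP side cannot detect truncation (a `SHOW WARNINGS` after the query, or comparing the returned length to the limit), consider scoping the limit to Squert's own queries with `SET SESSION group_concat_max_len = 1000000` right after the PDO connection is opened, which avoids raising it for every other client of this server. The effective limit is also capped by `max_allowed_packet`, which this file does not set; 1 MB fits the usual default, but the dependency deserves a comment on the line: `# must stay below max_allowed_packet; larger results are still silently truncated`.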
@@ -0,0 +1,34 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion43) xenial; urgency=medium + . + * securityonion-squert: increase group_concat_max_len Security-Onion-Solutions/security-onion#1602 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/.scripts/securityonion-squert.cnf ++++ securityonion-squert-20161212/.scripts/securityonion-squert.cnf +@@ -1,5 +1,5 @@ + [mysqld] +-group_concat_max_len = 100000 ++group_concat_max_len = 1000000 + sql_mode=NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION + + [mysqltcl] diff --git a/debian/patches/series b/debian/patches/series index 551eef6..5e54cf1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -37,3 +37,4 @@ remove-unnecessary-code-from-ip2c.php:wq Issue-1169:-Squert:-remove-search-link-from-context-menu Issue-1259:-Squert:-turning-grouping-off-results-in-no-alerts Squert:-Priority-counts-incorrect-#1277 +securityonion-squert:-increase-group_concat_max_len-Security-Onion-Solutionssecurity-onion#1602 From e695ee17f2c7359944a876d7376fb124dd264b57 Mon Sep 17 00:00:00 2001 
From: doug Date: Tue, 17 Sep 2019 16:08:31 -0400 Subject: [PATCH 34/34] Squert: improve consistency of username handling Security-Onion-Solutions/security-onion#1643 --- debian/changelog | 6 +++ ...ecurity-Onion-Solutionssecurity-onion#1643 | 45 +++++++++++++++++++ debian/patches/series | 1 + login.php | 4 +- 4 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 debian/patches/Squert:-improve-consistency-of-username-handling-Security-Onion-Solutionssecurity-onion#1643 diff --git a/debian/changelog b/debian/changelog index b2e01de..af9b5a2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-squert (20161212-1ubuntu1securityonion44) xenial; urgency=medium + + * Squert: improve consistency of username handling Security-Onion-Solutions/security-onion#1643 + + -- Doug Burks Tue, 17 Sep 2019 16:07:37 -0400 + securityonion-squert (20161212-1ubuntu1securityonion43) xenial; urgency=medium * securityonion-squert: increase group_concat_max_len Security-Onion-Solutions/security-onion#1602 diff --git a/debian/patches/Squert:-improve-consistency-of-username-handling-Security-Onion-Solutionssecurity-onion#1643 b/debian/patches/Squert:-improve-consistency-of-username-handling-Security-Onion-Solutionssecurity-onion#1643 new file mode 100644 index 0000000..7e53bcd --- /dev/null +++ b/debian/patches/Squert:-improve-consistency-of-username-handling-Security-Onion-Solutionssecurity-onion#1643 
@@ -0,0 +1,45 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-squert (20161212-1ubuntu1securityonion44) xenial; urgency=medium + . + * Squert: improve consistency of username handling Security-Onion-Solutions/security-onion#1643 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: https://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-squert-20161212.orig/login.php ++++ securityonion-squert-20161212/login.php +@@ -82,7 +82,7 @@ function cleanUp($string) { + } + + // if $username was found in database, then check password +- if ( isset($userName) && $username == $userName) { ++ if ( isset($userName) && strtolower($username) == strtolower($userName) ) { + // The first 2 chars are the salt + $theSalt = substr($userHash, 0,2); + +@@ -150,7 +150,7 @@ Password
+

+ + +-
Version 1.8.1©2016 Paul Halliday
++
Version 1.8.2©2016 Paul Halliday
+ + + diff --git a/debian/patches/series b/debian/patches/series index 5e54cf1..dc1595c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -38,3 +38,4 @@ Issue-1169:-Squert:-remove-search-link-from-context-menu Issue-1259:-Squert:-turning-grouping-off-results-in-no-alerts Squert:-Priority-counts-incorrect-#1277 securityonion-squert:-increase-group_concat_max_len-Security-Onion-Solutionssecurity-onion#1602 +Squert:-improve-consistency-of-username-handling-Security-Onion-Solutionssecurity-onion#1643 diff --git a/login.php b/login.php index 2f1937f..5a6b2bf 100644 --- a/login.php +++ b/login.php @@ -82,7 +82,7 @@ function cleanUp($string) { } // if $username was found in database, then check password - if ( isset($userName) && $username == $userName) { + if ( isset($userName) && strtolower($username) == strtolower($userName) ) { // The first 2 chars are the salt $theSalt = substr($userHash, 0,2); @@ -150,7 +150,7 @@ function cleanUp($string) {
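Review bot: The new comparison still uses loose `==`, and with both sides now `strtolower()` strings PHP compares numeric-looking strings numerically, so a stored username `1000` would match a submitted `1e3` (likewise `0` and `0.0`); use strict comparison: `if ( isset($userName) && strtolower($username) === strtolower($userName) ) {`. `strtolower()` is byte-wise, so the folding is only correct for ASCII usernames; if non-ASCII usernames are possible, `mb_strtolower()` on both sides keeps this check consistent with whatever collation the lookup query uses (the query that sets `$userName` is outside this hunk, so I cannot confirm which). A one-line why-comment would help the next reader, e.g. `// the DB lookup is case-insensitive (#1643); fold both sides so mixed-case logins reach the password check`. Separately, the context line `substr($userHash, 0,2)` shows a two-character salt, which suggests a legacy hash format; that predates this change, but migrating to `password_hash()`/`password_verify()` is worth a follow-up issue.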

-
Version 1.8.1©2016 Paul Halliday
+
Version 1.8.2©2016 Paul Halliday