OSSIM open source security information management system

Keywords: Operation & Maintenance network security Web Security


1, Web part source code analysis

1. Brief description

The most users contact the OSSIM platform is the Web UI. They can easily obtain various security analysis charts through the web. As ordinary operation and maintenance personnel or monitoring personnel, most operations are completed through the Web UI.

The Web UI interface and the corresponding functions of each part have been explained in detail in the previous blog post, which will not be repeated in this blog post

2. Source code directory structure corresponding to Web UI

php is the main programming language of Web UI, and the source code directory corresponding to each part of the function is shown in the following table:

First level menuSecondary menuCall interface
Deployment status./deployment/index.php
Risk Maps./risk maps/view.php
AnalysisAlarms Group View./alarm/alarm_console.php ./alarm/alarm_group_console.php
Security Events (SIEM) Real Time./forensics/base_ary_main.php ./control_ panel/event_panel.php
Raw Logs./sem/index.php
ENVIRONMENTAssets Asset Discovery./assets/index.php ./netscan/index.php
Groups&Networks Network Groups./assets/list_view.php ./netgroup/netgroup.php
VulnerabilitiesOverview : ./vulnmeter/index.php ScanJobs : ./vulnmeter/manage_jobs.php Settings : ./vulnmeter/webconfig.php Threat Database : ./vulnmeter/threats-db.php
Traffic capture./pcap/index.php
Detection./ossec/status.php Agents : ./ossec/agent.php Agentless : ./ossec/agentless.php Edit Rules : ./ossec/index.php Config : ./ossec/config.php Ossec control : ./ossec/ossec_control.php Wireles IDS : ./wireless/index.php
REPORTSAlarms Report generation file:. / report / OS_ Reports / alarms / general.php Business & compliance ISO PCI report generation file:. / report/os_reports/BussinessAndComplianceISOPCI/general.php Tickets Status Report generated file:. / report/os_reports/Tickets/general.php SIEM Events generation file:. / reports / OS_ Reports / Siem / general.php vulnerability report generation file:. / vulnmeter/lr_respdf.php
CONFIGURATIONAdministrationUSERS ./session/users.php Activity : ./conf/userlog.php
MAIN ./conf/index.php
BACKUP ./backup/index.php
DeploymentAlienvault Center : ./av_center/index.php Sensors : ./server/sensor.php Servers : ./server/server.php Scheduler : ./av_inventory/index.php Locations : ./sensor/locations.php
Threat IntelligencePolicy : ./policy/policy.php Edit pPolicy Groups : ./policy/policygroup.php
Actions : ./action/action.php
Ports : ./porUport.php Port Groups : ./port/portgroup.php
Directives : ./directives/index.php
ComplianceMapping : ./compliance/iso27001.php PCIDSS2.0 : ./compliance/pci-dss.php Run Scripts : ./compliance/mod scripts.php
Cross Correlation : ./conf/pluginref.php
Data Source : ./conf/plugin.php Data Source Groups : ./policy/plugingroups.php
Taxonomy : ./conficategory.php
Knowledge Base : ./repository/index.php
SETTINGSMy Profile./session/user_form.php
Current Sessions./userlogopened_sessions.php
User Activity./userlog/user_ action _log.php

3. security.php source code analysis

This section will make a preliminary analysis of the source code of security.php, an important code file in the event module of the dashboard module.

Source address: alienvault OSSIM \ OS SIM \ www \ dashboard \ sections \ widgets \ data \ security.php

//First, reference relevant files in the file header to initialize the function library

require_once 'av_init.php';
require_once 'sensor_filter.php';
require_once '../widget_common.php';
require_once 'common.php';

The main functions of importing related documents are as follows:

av_init.php: AlienVault initialization file, which completes some initialization operations by referencing other files, such as creating session, setting class path, DB management, obtaining global configuration, setting language, etc.

sensor_filter.php: it mainly implements related filtering functions. It includes asset filtering, sensor filtering, classification filtering, etc.

widget_common.php: control related operations. It is mainly related to the dashboard in the database_ widget_ The config table interacts with each other to rearrange controls, obtain order, obtain data, etc.

common.php: get the trend of some data, and get the SIEM trend in hours and weeks

//Check whether the current login user has access to the menu through Session

Session::logcheck("dashboard-menu", "ControlPanelExecutive");
Session::logcheck("analysis-menu", "EventsForensics");

//Next, connect to the database

$db    = new ossim_db(TRUE);
$conn  = $db->connect();

//Get current user information

$user = Session::get_session_user();

//get the control type and set the type of the security control

$type = GET("type");

//get control ID

$id = GET("id");

//Validate the control type and ID

ossim_valid($type,	OSS_TEXT, 					'illegal:' . _("type"));
ossim_valid($id, 	OSS_DIGIT, OSS_NULLABLE, 	'illegal:' . _("Widget ID"));

if (ossim_error()) 

//Control array information, chart information, label cloud information, etc

$winfo		= array();

$chart_info = array();

Next, determine the ID

//If the ID is empty, it means that it is currently in the pre visualization of the wizard. The system can get all the information from the get parameter.

if (!isset($id) || empty($id)){
    //Define control height
    $winfo['height'] = GET("height");
    //Definition type: chart, label, cloud, etc
    $winfo['wtype'] = GET("wtype"); 
    //Define assets
    $winfo['asset'] = GET("asset"); 
    //Chart type, legend parameters, etc
    $chart_info = json_decode(GET("value"),true); 


//If the ID is not empty, the control is normally loaded from the dashboard. In this case, the system obtains relevant information from the database.

    $winfo = get_widget_data($conn, $id); 
    //Chart type, legend parameters
    $chart_info = $winfo['params']; 

//Validity test

ossim_valid($winfo['wtype'], 	OSS_TEXT, 								'illegal:' . _("Type"));
ossim_valid($winfo['height'],	OSS_DIGIT, 								'illegal:' . _("Widget ID"));
ossim_valid($winfo['asset'], 	OSS_HEX,OSS_SCORE,OSS_ALPHA,OSS_USER, 	'illegal:' . _("Asset/User/Entity"));

if (is_array($chart_info) && !empty($chart_info))
	$validation = get_array_validation();
	foreach($chart_info as $key=>$val)
    	if ($validation[$key] == '')
		eval("ossim_valid(\"\$val\", ".$validation[$key].", 'illegal:" . _($key)."');");

if (ossim_error()) 

//Variables that store chart information

//Define an array of the control itself
$data  = array();	
//Control, such as legend in chart, title in label cloud, etc
$label = array();	
//Defines a linked array for each element
$links = array();	

//switch case calculates the data of the control according to the type of the control

	case "tcp":

//Asset filter

$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-7200), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
//The maximum number of attacks displayed in the control.	
$limit = ($chart_info['top'] != '')? $chart_info['top'] : 30;
		//SQL query
		//Use parameters in queries
		$sql   = "select layer4_dport as port, count(id) as num from alienvault_siem.acid_event where layer4_dport != 0 and ip_proto=6 $query_where group by port order by num desc limit $limit";
		//Echo $sql;
		$rs = $conn->CacheExecute($sql);
		if (!$rs)
		    print $conn->ErrorMsg();
			$array_aux = array();
		    while (!$rs->EOF) 
				$array_aux[$rs->fields["port"]] = $rs->fields["num"];
				$link = Menu::get_menu_url('/ossim/forensics/base_qry_main.php?tcp_port[0][0]=&tcp_port[0][1]=layer4_dport&tcp_port[0][2]==&tcp_port[0][3]='.$rs->fields["port"].'&tcp_port[0][4]=&tcp_port[0][5]=&tcp_flags[0]=&layer4=TCP&num_result_rows=-1&current_view=-1&new=1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time&time_range=all', 'analysis', 'security_events');
				$links[$rs->fields["port"]] = $link; 
			//The results are sorted by the name of the port, not the number of attacks.
			$data   = array_values($array_aux);
			$label  = array_keys($array_aux);
			//serie name
			$serie  = 'Amount of Attacks';
			//color setting
			$colors = "#333333";



case "promiscuous":
		//Date range
		$range          = ($chart_info['range']  > 0)? ($chart_info['range'] * 86400) : 432000;
		//Asset filtering
		$query_where    = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-$range), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
		//Sets the limits that the host displays in the control.
		$limit          = ($chart_info['top'] != '')? $chart_info['top'] : 10;
		//Connect to SIEM console page
		$forensic_link  = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time_cnt=2&time[0][0]=+&time[0][1]=%3E%3D&time[0][8]=+&time[0][9]=AND&time[1][1]=%3C%3D&time[0][2]=".gmdate("m",$timetz-$range)."&time[0][3]=".gmdate("d",$timetz-$range)."&time[0][4]=".gmdate("Y",$timetz-$range)."&time[0][5]=00&time[0][6]=00&time[0][7]=00&time[1][2]=".gmdate("m",$timetz)."&time[1][3]=".gmdate("d",$timetz)."&time[1][4]=".gmdate("Y",$timetz)."&time[1][5]=23&time[1][6]=59&time[1][7]=59&submit=Query+DB&num_result_rows=-1&time_cnt=1&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');

		//SQL query
		//Use parameters in query, user parameter query
		$sqlgraph       = "select count(distinct(ip_dst)) as num_events,ip_src as name from alienvault_siem.po_acid_event AS acid_event WHERE 1=1 $query_where group by ip_src having ip_src>0x00000000000000000000000000000000 order by num_events desc limit $limit";

        $rg = $conn->CacheExecute($sqlgraph);

		if (!$rg)
		    print $conn->ErrorMsg();
		    while (!$rg->EOF) 
		        $data[]  = $rg->fields["num_events"];
				$label[] = inet_ntop($rg->fields["name"]);
				$links[] = $forensic_link . '&ip_addr[0][0]=+&ip_addr[0][1]=ip_src&ip_addr[0][2]=%3D&ip_addr[0][3]=' . inet_ntop($rg->fields["name"]) . '&ip_addr[0][8]=+&ip_addr[0][9]=+&ip_addr_cnt=1';

		$colors = get_widget_colors(count($data));


case 'siemhours':
		//The number of hours displayed in the control.
		$max = ($chart_info['range'] == '')? 16 : $chart_info['range'];
		//Retrieve data for the widget
		$js     = "analytics";
		$fdate  = gmdate("Y-m-d H",$timetz-(3600*($max-1)));
		$values = SIEM_trends($max, $assets_filters, $fdate);

		//Formats the information in a format that is valid for the handler.
		for ($i=$max-1; $i>=0; $i--) 
			$tref    = $timetz-(3600*$i);
			$h       = gmdate("j G",$tref)."h";
			$label[] = preg_replace("/\d+ /","",$h);
			$data[]  = ($values[$h]!="") ? $values[$h] : 0;

			$link    = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time[0][0]=+&time[0][1]=>%3D&time[0][2]=".gmdate("m",$tref)."&time[0][3]=".gmdate("d",$tref)."&time[0][4]=".gmdate("Y",$tref)."&time[0][5]=".gmdate("H",$tref)."&time[0][6]=00&time[0][7]=00&time[0][8]=+&time[0][9]=AND&time[1][0]=+&time[1][1]=<%3D&time[1][2]=".gmdate("m",$tref)."&time[1][3]=".gmdate("d",$tref)."&time[1][4]=".gmdate("Y",$tref)."&time[1][5]=".gmdate("H",$tref)."&time[1][6]=59&time[1][7]=59&time[1][8]=+&time[1][9]=+&submit=Query+DB&num_result_rows=-1&time_cnt=2&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');
			$key = preg_replace('/^0/', '', gmdate("H",$tref) . 'h');
			$links[$key] = $link;
		$siem_url    = $links;
		$colors      = "'#444444'";
		//Message when part is empty.
		$nodata_text = "No data available yet";

/ / finally, call the handler to draw the appropriate widget, that is, any type of chart, tag_cloud et al

require 'handler.php';

4. Overview source code analysis

index.php is mainly PHP code with a small part of HTML code, which mainly realizes the functions of obtaining the basic contents of the current menu and judging permissions.

//Reference file

require_once 'av_init.php';

//Check if you have permission to get the current menu

Session::logcheck("dashboard-menu", "ControlPanelExecutive");

//Get current user information

$login = Session::get_session_user();
$pro   = Session::is_pro();

//Get default tab

/*If the default tab is stored in the user session, it is directly assigned to default_tab*/
if (!empty($_SESSION['default_tab']))
    $default_tab = $_SESSION['default_tab'];
/*If the default tab is not set, create a new user configuration and store the default configuration*/
    $config_aux  = new User_config($conn);
    $default_tab = $config_aux->get($login, 'panel_default', 'simple', "main");
    $default_tab = ($default_tab > 0) ? $default_tab : 1;

    //Save tabs in session
    $_SESSION['default_tab'] = $default_tab;

//Get current panel

$panel_id = $default_tab;
//Judge whether it is empty
if (GET('panel_id') != "")
    $panel_id = GET('panel_id');
elseif ($_SESSION['_db_panel_selected'] != "")
    $panel_id = $_SESSION['_db_panel_selected'];

//Get tab list

$tab_list = Dashboard_tab::get_tabs_by_user($login, $edit);

//Determine whether the tab list is empty

if (empty($tab_list))
    //tab_list is empty
    $config_nt = array(
        'content' => _('No tabs have been found').".",
        'options' => array (
            'type'          => 'nf_warning',
            'cancel_button' => ''
        //Front end css code
        'style'   => ' margin:25px auto 0 auto;text-align:center;padding:3px 30px;'
    $nt = new Notification('nt_panel', $config_nt);


tabs.php is HTML+php code, which mainly realizes the front-end code of tab related operations such as tab addition, deletion and sorting

<div class='dashboard_tab_add'>
    <a href='<?php echo $add_url ?>' title="<?php echo _('New Tab') ?>" class='coolbox_add'>+</a>

Previous (Architecture Analysis): OSSIM open source security information management system (III)
Next (code analysis):

Posted by lordrt on Fri, 08 Oct 2021 02:49:51 -0700