2021SC@SDUSC
I. Web part source code analysis
1. Brief description
Most users interact with the OSSIM platform through its web UI, which gives easy access to the various security analysis charts; ordinary operations, maintenance and monitoring staff complete most of their work there.
The web UI and the function of each of its parts were explained in detail in the previous blog post and are not repeated here.
2. Source code directory structure corresponding to Web UI
PHP is the main programming language of the web UI. The source file that implements each function is listed in the following table:
| First-level menu | Secondary menu | Source file called |
|---|---|---|
| DASHBOARDS | Overview | ./dashboard/index.php |
| | Deployment Status | ./deployment/index.php |
| | Risk Maps | ./risk_maps/view.php |
| | OTX | ./reputation/index.php |
| Analysis | Alarms / Group View | ./alarm/alarm_console.php; ./alarm/alarm_group_console.php |
| | Security Events (SIEM) / Real Time | ./forensics/base_qry_main.php; ./control_panel/event_panel.php |
| | Raw Logs | ./sem/index.php |
| | Tickets | ./incidents/index.php |
| ENVIRONMENT | Assets / Asset Discovery | ./assets/index.php; ./netscan/index.php |
| | Groups & Networks / Network Groups | ./assets/list_view.php; ./netgroup/netgroup.php |
| | Vulnerabilities | Overview: ./vulnmeter/index.php; Scan Jobs: ./vulnmeter/manage_jobs.php; Settings: ./vulnmeter/webconfig.php; Threat Database: ./vulnmeter/threats-db.php |
| | Profiles | ./ntop/index.php |
| | NetFlow | ./nfsen/nfsen.php |
| | Traffic Capture | ./pcap/index.php |
| | Availability | ./nagios/index.php |
| | Detection | ./ossec/status.php; Agents: ./ossec/agent.php; Agentless: ./ossec/agentless.php; Edit Rules: ./ossec/index.php; Config: ./ossec/config.php; Ossec Control: ./ossec/ossec_control.php; Wireless IDS: ./wireless/index.php |
| REPORTS | Alarms Report | generation file: ./report/os_reports/alarms/general.php |
| | Business & Compliance ISO PCI | generation file: ./report/os_reports/BussinessAndComplianceISOPCI/general.php |
| | Tickets Status | generation file: ./report/os_reports/Tickets/general.php |
| | SIEM Events | generation file: ./report/os_reports/Siem/general.php |
| | Vulnerability Report | generation file: ./vulnmeter/lr_respdf.php |
| CONFIGURATION | Administration | Users: ./session/users.php; Activity: ./conf/userlog.php; Main: ./conf/index.php; Backup: ./backup/index.php |
| | Deployment | AlienVault Center: ./av_center/index.php; Sensors: ./server/sensor.php; Servers: ./server/server.php; Scheduler: ./av_inventory/index.php; Locations: ./sensor/locations.php |
| | Threat Intelligence | Policy: ./policy/policy.php; Edit Policy Groups: ./policy/policygroup.php; Actions: ./action/action.php; Ports: ./port/port.php; Port Groups: ./port/portgroup.php; Directives: ./directives/index.php; Compliance Mapping (ISO 27001): ./compliance/iso27001.php; Compliance Mapping (PCI DSS 2.0): ./compliance/pci-dss.php; Run Scripts: ./compliance/mod_scripts.php; Cross Correlation: ./conf/pluginref.php; Data Source: ./conf/plugin.php; Data Source Groups: ./policy/plugingroups.php; Taxonomy: ./conf/category.php; Knowledge Base: ./repository/index.php |
| SETTINGS | My Profile | ./session/user_form.php |
| | Current Sessions | ./userlog/opened_sessions.php |
| | User Activity | ./userlog/user_action_log.php |
| Support | Help | ./help/index.php |
| | Downloads | ./downloads/index.php |
3. security.php source code analysis
This section gives a preliminary analysis of security.php, an important file in the event widgets of the dashboard module.
Source path: alienvault-ossim/os-sim/www/dashboard/sections/widgets/data/security.php
```php
// First, include the relevant files at the top of the file to initialise the function library
require_once 'av_init.php';
require_once 'sensor_filter.php';
require_once '../widget_common.php';
require_once 'common.php';
```
The main roles of the included files are as follows:
- av_init.php: the AlienVault initialisation file. By including further files it completes the initialisation steps: creating the session, setting the class path, DB management, reading the global configuration, setting the language, and so on.
- sensor_filter.php: implements the filtering functions, including asset filtering, sensor filtering and category filtering.
- widget_common.php: widget-related operations. It mainly interacts with the dashboard_widget_config table in the database to rearrange widgets, read their order, fetch their data, etc.
- common.php: fetches trend data, in particular the SIEM trend by hour and by week.
```php
// Check via the session whether the current logged-in user may access the menu
Session::logcheck("dashboard-menu", "ControlPanelExecutive");
Session::logcheck("analysis-menu", "EventsForensics");

// Next, connect to the database
$db   = new ossim_db(TRUE);
$conn = $db->connect();

// Get the current user
$user = Session::get_session_user();

// Get the widget type (which security widget to render) and the widget ID
$type = GET("type");
$id   = GET("id");

// Validate the widget type and ID
ossim_valid($type, OSS_TEXT, 'illegal:' . _("type"));
ossim_valid($id, OSS_DIGIT, OSS_NULLABLE, 'illegal:' . _("Widget ID"));

if (ossim_error())
{
    die(ossim_error());
}

// Widget information, chart information, tag cloud information, etc.
$winfo      = array();
$chart_info = array();
```
Next, the code branches on whether a widget ID was supplied:
```php
// If the ID is empty, the widget is being previewed from the wizard and all of
// its information is read from the GET parameters.
if (!isset($id) || empty($id))
{
    // Widget height
    $winfo['height'] = GET("height");
    // Widget type: chart, tag cloud, etc.
    $winfo['wtype']  = GET("wtype");
    // Asset the widget is filtered on
    $winfo['asset']  = GET("asset");
    // Chart type, legend parameters, etc.
    $chart_info      = json_decode(GET("value"), true);
}
// Otherwise the widget is being loaded normally from the dashboard and its
// information is read from the database.
else
{
    $winfo      = get_widget_data($conn, $id);
    // Chart type, legend parameters
    $chart_info = $winfo['params'];
}

// Validity checks
ossim_valid($winfo['wtype'],  OSS_TEXT, 'illegal:' . _("Type"));
ossim_valid($winfo['height'], OSS_DIGIT, 'illegal:' . _("Widget ID"));
ossim_valid($winfo['asset'],  OSS_HEX, OSS_SCORE, OSS_ALPHA, OSS_USER, 'illegal:' . _("Asset/User/Entity"));

// Each chart parameter is checked against the validator registered for its key
if (is_array($chart_info) && !empty($chart_info))
{
    $validation = get_array_validation();

    foreach ($chart_info as $key => $val)
    {
        if ($validation[$key] == '')
        {
            continue;
        }
        eval("ossim_valid(\"\$val\", " . $validation[$key] . ", 'illegal:" . _($key) . "');");
    }
}

if (ossim_error())
{
    die(ossim_error());
}
```
```php
// Variables that hold the chart information
// Data array of the widget itself
$data  = array();
// Labels: the legend of a chart, the titles of a tag cloud, etc.
$label = array();
// Link associated with each element
$links = array();
```
```php
// The switch/case computes the widget data according to the widget type
switch ($type)
{
    // type="tcp": most attacked TCP ports
    case "tcp":
        // Asset filter
        $query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00", gmdate("U") - 7200), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);

        // Maximum number of ports shown in the widget
        $limit = ($chart_info['top'] != '') ? $chart_info['top'] : 30;

        // SQL query built from the parameters above
        $sql = "select layer4_dport as port, count(id) as num from alienvault_siem.acid_event where layer4_dport != 0 and ip_proto=6 $query_where group by port order by num desc limit $limit";
        //echo $sql;

        $rs = $conn->CacheExecute($sql);

        if (!$rs)
        {
            print $conn->ErrorMsg();
        }
        else
        {
            $array_aux = array();

            while (!$rs->EOF)
            {
                $array_aux[$rs->fields["port"]] = $rs->fields["num"];

                // Drill-down link into the SIEM console filtered on this port
                $link = Menu::get_menu_url('/ossim/forensics/base_qry_main.php?tcp_port[0][0]=&tcp_port[0][1]=layer4_dport&tcp_port[0][2]==&tcp_port[0][3]=' . $rs->fields["port"] . '&tcp_port[0][4]=&tcp_port[0][5]=&tcp_flags[0]=&layer4=TCP&num_result_rows=-1&current_view=-1&new=1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time&time_range=all', 'analysis', 'security_events');

                $links[$rs->fields["port"]] = $link;

                $rs->MoveNext();
            }

            // The results are sorted by port number, not by number of attacks
            ksort($array_aux);

            $data  = array_values($array_aux);
            $label = array_keys($array_aux);

            // Series name
            $serie  = 'Amount of Attacks';
            // Colour setting
            $colors = "#333333";
        }

        break;

    // type="promiscuous": sources talking to the most distinct destinations
    case "promiscuous":
        // Date range in seconds (days * 86400, default 5 days)
        $range = ($chart_info['range'] > 0) ? ($chart_info['range'] * 86400) : 432000;

        // Asset filter
        $query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00", gmdate("U") - $range), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);

        // Maximum number of hosts shown in the widget
        $limit = ($chart_info['top'] != '') ? $chart_info['top'] : 10;

        // Link to the SIEM console page for the same date range
        $forensic_link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time_cnt=2&time[0][0]=+&time[0][1]=%3E%3D&time[0][8]=+&time[0][9]=AND&time[1][1]=%3C%3D&time[0][2]=" . gmdate("m", $timetz - $range) . "&time[0][3]=" . gmdate("d", $timetz - $range) . "&time[0][4]=" . gmdate("Y", $timetz - $range) . "&time[0][5]=00&time[0][6]=00&time[0][7]=00&time[1][2]=" . gmdate("m", $timetz) . "&time[1][3]=" . gmdate("d", $timetz) . "&time[1][4]=" . gmdate("Y", $timetz) . "&time[1][5]=23&time[1][6]=59&time[1][7]=59&submit=Query+DB&num_result_rows=-1&time_cnt=1&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');

        // SQL query built from the parameters above
        $sqlgraph = "select count(distinct(ip_dst)) as num_events, ip_src as name from alienvault_siem.po_acid_event AS acid_event WHERE 1=1 $query_where group by ip_src having ip_src>0x00000000000000000000000000000000 order by num_events desc limit $limit";

        $rg = $conn->CacheExecute($sqlgraph);

        if (!$rg)
        {
            print $conn->ErrorMsg();
        }
        else
        {
            while (!$rg->EOF)
            {
                $data[]  = $rg->fields["num_events"];
                $label[] = inet_ntop($rg->fields["name"]);
                $links[] = $forensic_link . '&ip_addr[0][0]=+&ip_addr[0][1]=ip_src&ip_addr[0][2]=%3D&ip_addr[0][3]=' . inet_ntop($rg->fields["name"]) . '&ip_addr[0][8]=+&ip_addr[0][9]=+&ip_addr_cnt=1';

                $rg->MoveNext();
            }
        }

        $colors = get_widget_colors(count($data));

        break;

    // type="siemhours": SIEM events per hour
    case 'siemhours':
        // Number of hours shown in the widget
        $max = ($chart_info['range'] == '') ? 16 : $chart_info['range'];

        // Retrieve the data for the widget
        $js     = "analytics";
        $fdate  = gmdate("Y-m-d H", $timetz - (3600 * ($max - 1)));
        $values = SIEM_trends($max, $assets_filters, $fdate);

        // Format the information in the shape the handler expects
        for ($i = $max - 1; $i >= 0; $i--)
        {
            $tref = $timetz - (3600 * $i);
            $h    = gmdate("j G", $tref) . "h";

            $label[] = preg_replace("/\d+ /", "", $h);
            $data[]  = ($values[$h] != "") ? $values[$h] : 0;

            // Drill-down link into the SIEM console for this hour
            $link = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time[0][0]=+&time[0][1]=>%3D&time[0][2]=" . gmdate("m", $tref) . "&time[0][3]=" . gmdate("d", $tref) . "&time[0][4]=" . gmdate("Y", $tref) . "&time[0][5]=" . gmdate("H", $tref) . "&time[0][6]=00&time[0][7]=00&time[0][8]=+&time[0][9]=AND&time[1][0]=+&time[1][1]=<%3D&time[1][2]=" . gmdate("m", $tref) . "&time[1][3]=" . gmdate("d", $tref) . "&time[1][4]=" . gmdate("Y", $tref) . "&time[1][5]=" . gmdate("H", $tref) . "&time[1][6]=59&time[1][7]=59&time[1][8]=+&time[1][9]=+&submit=Query+DB&num_result_rows=-1&time_cnt=2&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');

            $key = preg_replace('/^0/', '', gmdate("H", $tref) . 'h');
            $links[$key] = $link;
        }

        $siem_url = $links;
        $colors   = "'#444444'";

        // Message shown when the widget has no data
        $nodata_text = "No data available yet";

        break;
}

// Finally, call the handler to draw the appropriate widget (any kind of chart, tag cloud, etc.)
require 'handler.php';
```
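The sketch below is added here and is not part of OSSIM or of this post: it re-creates the "tcp" branch in Python, with the same ossim_valid-style gates on type, id and top, followed by the top-ports query run against a constructed in-memory copy of acid_event. Where security.php interpolates $limit and $query_where into the SQL string and relies on the validation above, the sketch binds LIMIT as a query parameter; the regexes, the sample rows and the abbreviated forensics link are assumptions.

```python
import re
import sqlite3

# Constructed acid_event rows: (id, ip_proto, layer4_dport); proto 6 = TCP
SAMPLE_EVENTS = [(1, 6, 22), (2, 6, 22), (3, 6, 443), (4, 6, 22),
                 (5, 17, 53), (6, 6, 443), (7, 6, 0), (8, 6, 3389)]

# Approximations of OSSIM's OSS_DIGIT / OSS_TEXT validators (assumption)
OSS_DIGIT = re.compile(r"^\d+$")
OSS_TEXT = re.compile(r"^[\w\- ]+$")


def validate_request(params):
    """Mirror the ossim_valid()/ossim_error() gate: collect one 'illegal:'
    message per bad field; an empty error list means the request passed."""
    errors = []
    wtype = params.get("type", "")
    if not OSS_TEXT.match(wtype):
        errors.append("illegal: type")
    wid = params.get("id") or None  # OSS_NULLABLE: empty id means wizard preview
    if wid is not None and not OSS_DIGIT.match(wid):
        errors.append("illegal: Widget ID")
    top = params.get("top", "")
    if top and not OSS_DIGIT.match(top):
        errors.append("illegal: top")
    limit = int(top) if OSS_DIGIT.match(top) else 30  # PHP: top != '' ? top : 30
    return {"type": wtype, "id": wid, "limit": limit, "errors": errors}


def build_db():
    """In-memory stand-in for alienvault_siem.acid_event (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE acid_event (id INT, ip_proto INT, layer4_dport INT)")
    conn.executemany("INSERT INTO acid_event VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return conn


def tcp_widget_data(conn, limit):
    """Top TCP destination ports by event count; LIMIT is bound rather than
    interpolated, and rows are re-sorted by port like ksort($array_aux)."""
    rows = conn.execute(
        "SELECT layer4_dport AS port, COUNT(id) AS num FROM acid_event "
        "WHERE layer4_dport != 0 AND ip_proto = 6 "
        "GROUP BY port ORDER BY num DESC LIMIT ?", (limit,)).fetchall()
    by_port = dict(sorted(rows))
    # Abbreviated per-port drill-down link into the forensics console
    links = {p: f"/ossim/forensics/base_qry_main.php?tcp_port[0][3]={p}" for p in by_port}
    return list(by_port.values()), list(by_port.keys()), links
```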
4. Overview source code analysis
index.php is mostly PHP with a small amount of HTML. It reads the basic contents of the current menu and checks the user's permissions.
```php
// Include the initialisation file
require_once 'av_init.php';

// Check that the user has permission to view the current menu
Session::logcheck("dashboard-menu", "ControlPanelExecutive");

// Get the current user
$login = Session::get_session_user();
$pro   = Session::is_pro();

// Get the default tab
/* If the default tab is stored in the user session, use it directly */
if (!empty($_SESSION['default_tab']))
{
    $default_tab = $_SESSION['default_tab'];
}
/* Otherwise read it from the user configuration and remember it in the session */
else
{
    $config_aux  = new User_config($conn);
    $default_tab = $config_aux->get($login, 'panel_default', 'simple', "main");
    $default_tab = ($default_tab > 0) ? $default_tab : 1;

    // Save the tab in the session
    $_SESSION['default_tab'] = $default_tab;
}

// Get the current panel: a panel_id in the request wins, then the panel
// remembered in the session, then the default tab
$panel_id = $default_tab;

if (GET('panel_id') != "")
{
    $panel_id = GET('panel_id');
}
elseif ($_SESSION['_db_panel_selected'] != "")
{
    $panel_id = $_SESSION['_db_panel_selected'];
}

// Get the tab list
$tab_list = Dashboard_tab::get_tabs_by_user($login, $edit);

// If the tab list is empty, show a notification and stop
if (empty($tab_list))
{
    $config_nt = array(
        'content' => _('No tabs have been found') . ".",
        'options' => array(
            'type'          => 'nf_warning',
            'cancel_button' => ''
        ),
        // Front-end CSS
        'style'   => 'margin:25px auto 0 auto;text-align:center;padding:3px 30px;'
    );

    $nt = new Notification('nt_panel', $config_nt);
    $nt->show();

    die();
}
```
tabs.php is mixed HTML and PHP. It implements the front-end side of the tab operations: adding, deleting and sorting tabs.
```php
<div class='dashboard_tab_add'>
    <a href='<?php echo $add_url ?>' title="<?php echo _('New Tab') ?>" class='coolbox_add'>+</a>
</div>
```
Previous (Architecture Analysis): OSSIM open source security information management system (III)