[Snort-users] postgresql php file

Jason Robertson jason at ...734...
Mon Oct 30 20:30:40 EST 2000


I also have a PHP page that reads these tables: it decodes the hex-encoded payload column (hex2asc below) and prints the source/destination addresses that are stored as long integers. Note that it was written for a trusted analyst console — it prints database fields (signature, addresses, decoded payload) straight into the HTML without escaping, so packet contents end up in the page as-is.

<HTML>
<HEAD><TITLE>Snort Entries</title>
</head><body><form>
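<?php
// ---------------------------------------------------------------------------
// Rendering helpers.
//
// Everything shown on this page -- signature text, addresses, header fields
// and the packet payload -- comes from packets the sensor captured, i.e. from
// whoever sent the traffic.  It is therefore untrusted input and is
// HTML-escaped on output; without that a crafted packet (e.g. a payload
// containing "</textarea><script>...") becomes stored XSS in the analyst's
// browser.
// ---------------------------------------------------------------------------

// HTML-escape one value for output into element content or an attribute.
function snort_h($value) {
        return htmlspecialchars((string) $value, ENT_QUOTES);
}

// Unescaped field $index of a result row, or null when the row is missing or
// the column is null.  pg_fetch_array() yields false when a protocol table has
// no row for the event; the original printed "" in that case (with notices),
// and null concatenates to "" the same way.
function snort_raw($row, $index) {
        if ($row === false || !isset($row[$index])) {
                return null;
        }
        return $row[$index];
}

// Escaped field $index of a result row ("" when missing).
function snort_field($row, $index) {
        return snort_h(snort_raw($row, $index));
}

// Run $sql and return its first row, or false when it returned none.
// Dies on query failure, as the original did.
function snort_first_row($connect, $sql) {
        $result = pg_query($connect, $sql) or die ("Couldn't exec");
        if (pg_num_rows($result) < 1) {
                return false;
        }
        return pg_fetch_array($result, 0);
}

// Event banner: signature, protocol label with the numeric ip_proto, and
// the pre-formatted timestamp (column 5 of the main query).
function snort_event_banner($row, $label) {
        print "<tr>\n";
        print "<td bgcolor=salmon colspan=2>".snort_field($row, 2)."</td>\n";
        print "<td bgcolor=salmon align=center> ".$label." (".snort_field($row, 6).")</td>\n";
        print "<td bgcolor=salmon>&nbsp</td>";
        print "<td bgcolor=salmon align=right>".snort_field($row, 5)."</td>\n";
        print "</tr>\n";
}

// Endpoint row followed by the IP-header row.  $ports is array(src, dst) for
// TCP and UDP and null for protocols without ports.
function snort_ip_rows($row, $ports = null) {
        // NOTE(review): the post describes ip_src/ip_dst as long integers.
        // gethostbyname() is a forward DNS lookup, not an integer-to-dotted-quad
        // conversion; it only "works" here if the resolver accepts a bare
        // integer as an address.  long2ip() would be the explicit conversion --
        // confirm the column format before switching, so the output stays
        // the same.
        $src = gethostbyname((string) snort_raw($row, 0));
        $dst = gethostbyname((string) snort_raw($row, 1));
        if ($ports !== null) {
                $src .= ":".$ports[0];
                $dst .= ":".$ports[1];
        }
        print "<tr> \n";
        print "<td>Src: ".snort_h($src)."</td>\n";
        print "<td>Dst: ".snort_h($dst)."</td>\n";
        print "<td>hLen:".snort_field($row, 11)."</td>";
        print "<td>pLen:".snort_field($row, 12)."</td>";
        print "<td rowspan='3' align=right>\n";
        print "</td>\n";
        print "</tr>\n";
        print "<tr> \n";
        print "<td>Offset:".snort_field($row, 10)."</td>\n";
        print "<td>TTL:".snort_field($row, 9)."</td>";
        print "<td>TOS:".snort_field($row, 8)."</td>";
        print "<td>ID:".snort_field($row, 7)."</td>";
        print "</tr>\n";
}

// One row of protocol-specific cells.  The cells are already-escaped HTML
// fragments (some are the literal "&nbsp" filler), so they are printed as-is.
function snort_proto_row($cells) {
        print "<tr> \n";
        foreach ($cells as $cell) {
                print "<td>".$cell."</td>\n";
        }
        print "</tr>\n";
}

// Payload row: the decoded data_payload for the event in a <textarea>.
// $sid/$cid must already be integers (they are interpolated into SQL).
function snort_payload_row($connect, $sid, $cid) {
        print "<tr> \n";
        print "<td colspan=5>\n";
        print "<textarea rows=5 cols=80>\n";
        $data = snort_first_row($connect,
                "select data_payload from data where sid=$sid and cid=$cid;");
        if ($data !== false) {
                // Escaping is still required inside <textarea>: a payload
                // containing "</textarea>" would otherwise close the element
                // and the rest of the packet would be parsed as page markup.
                print snort_h(hex2asc(snort_raw($data, 0)));
        }
        print "</textarea>\n";
        print "</td>\n";
        print "</tr>\n";
}

// ---------------------------------------------------------------------------
// Page body: list every event, newest first, with its IP header, the
// protocol-specific header and the payload.
// ---------------------------------------------------------------------------

        // The credentials below are placeholders from the original post.  In
        // a deployment keep them in a file outside the web root (or in the
        // environment) rather than in page source that may be served or
        // copied around.
        $connect = pg_connect ("host=host 
                                dbname=databasename
                                user=username
                                password=password")
        or die ("Couldn't make connection.");

        // No LIMIT: the page grows with the event table.
        $sql = "
SELECT ip.ip_src, ip.ip_dst, e.signature, ip.sid, ip.cid, to_char(e.timestamp,
'Mon DD,YY HH12:MI:SSam'),ip.ip_proto, ip.ip_id, ip.ip_tos, ip.ip_ttl, ip.ip_off,
ip.ip_hlen, ip.ip_len 
from event e, iphdr ip
where ip.sid=e.sid and ip.cid=e.cid order by e.timestamp desc";

        $sql_result = pg_query($connect, $sql) or die ("Couldn't exec");
        $num = pg_num_rows($sql_result);
        print "<table width='95%' border=0 cellpadding=0 cellspacing=0>\n";
        for ($i = 0; $i < $num; $i++) {
                $row = pg_fetch_array($sql_result, $i);
                // sid/cid are the event's integer keys.  They are interpolated
                // unquoted into the per-protocol queries below, so pin them to
                // int; pg_query_params() is the parameterised alternative where
                // the PHP version allows it.
                $sid = (int) snort_raw($row, 3);
                $cid = (int) snort_raw($row, 4);
                switch ((int) snort_raw($row, 6)) {
                case 1:   // ICMP
                        $icmp = snort_first_row($connect,
                                "select icmp_type, icmp_code, icmp_id, icmp_seq from icmphdr where sid=$sid and cid=$cid;");
                        snort_event_banner($row, "ICMP");
                        snort_ip_rows($row);
                        snort_proto_row(array(
                                snort_field($icmp, 0)."/".snort_field($icmp, 1),
                                "ID:".snort_field($icmp, 2),
                                "Seq:".snort_field($icmp, 3),
                                "&nbsp"));
                        break;
                case 6:   // TCP
                        $tcp = snort_first_row($connect,
                                "select tcp_sport, tcp_dport, tcp_seq, tcp_ack,tcp_flags, tcp_win from tcphdr where sid=$sid and cid=$cid;");
                        snort_event_banner($row, "TCP");
                        snort_ip_rows($row, array(snort_raw($tcp, 0), snort_raw($tcp, 1)));
                        snort_proto_row(array(
                                "Flags:".snort_h(flag_conv(snort_raw($tcp, 4))),
                                "Seq:".snort_field($tcp, 2),
                                "Ack:".snort_field($tcp, 3),
                                "Win:".snort_field($tcp, 5)));
                        break;
                case 17:  // UDP
                        $udp = snort_first_row($connect,
                                "select udp_sport, udp_dport, udp_len from udphdr where sid=$sid and cid=$cid;");
                        snort_event_banner($row, "UDP");
                        snort_ip_rows($row, array(snort_raw($udp, 0), snort_raw($udp, 1)));
                        snort_proto_row(array(
                                "UDP Len:".snort_field($udp, 2),
                                "&nbsp", "&nbsp", "&nbsp"));
                        break;
                default:  // anything else: IP header only
                        snort_event_banner($row, "Unknown");
                        snort_ip_rows($row);
                        print "<tr> \n";
                        print "<td colspan=2> </td>\n";
                        print "<td>&nbsp</td>";
                        print "<td>&nbsp</td>";
                        print "<td>&nbsp</td>";
                        print "</tr>\n";
                }
                snort_payload_row($connect, $sid, $cid);
        }
        print "</table>\n";
        pg_free_result($sql_result);
        pg_close($connect);   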


// Render a TCP flags value in Snort's eight-character "12UAPRSF" notation:
// one character per bit from 0x80 down to 0x01, the bit's letter when set
// and "*" when clear ("1" and "2" stand for the two high, reserved bits).
//
// The arithmetic is kept identical to the original: at each step the value
// is compared with its remainder modulo the bit weight and then replaced by
// that remainder, so numeric strings and values above 255 render exactly as
// they did before.
function flag_conv ($flags) {
        $letters = array(128 => "1", 64 => "2", 32 => "U", 16 => "A",
                         8 => "P", 4 => "R", 2 => "S", 1 => "F");
        $output = "";
        foreach ($letters as $weight => $letter) {
                $remainder = $flags % $weight;
                $output .= ($flags == $remainder) ? "*" : $letter;
                $flags = $remainder;
        }
        return $output;
}

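// Render a hex-encoded packet payload (two hex digits per byte, as the
// data.data_payload column is stored) as display text.
//
// Byte mapping, unchanged from the original:
//   0x21-0x7E       printable ASCII, emitted as-is
//   0x20            space; 0x0D (CR) also becomes a space
//   0x0A            newline
//   other < 0x7F    "."
//   0x7F and above  dropped entirely -- nothing is emitted, so the rendered
//                   text is shorter than the packet when high bytes occur
//                   (emitting "." instead would keep offsets aligned, if
//                   that matters to the reader)
//
// The result is raw text; it still has to be HTML-escaped before being
// placed in the page.
//
// Fixes: the accumulator is initialised (the original returned null for an
// empty string), and an odd-length input no longer reads past the end of
// the string -- the trailing lone nibble is decoded on its own, as before.
//
// $hexstr: hex digits (null/non-string is coerced to string).  Returns string.
function hex2asc($hexstr) {
        $hexstr = (string) $hexstr;
        $length = strlen($hexstr);
        $output = "";
        for ($i = 0; $i < $length; $i += 2) {
                $byte = hexdec(substr($hexstr, $i, 2));
                if ($byte >= 127) {
                        continue;
                }
                if ($byte > 32) {
                        $output .= chr($byte);
                } elseif ($byte == 32 || $byte == 13) {
                        $output .= " ";
                } elseif ($byte == 10) {
                        $output .= "\n";
                } else {
                        $output .= ".";
                }
        }
        return $output;
}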

?>
</form>
</body>
</html>

---
Jason Robertson                
Network Analyst            
jason at ...734...    
http://www.astroadvice.com      


