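        /// <summary>
        /// Reads the <c>icmphdr</c> row(s) matching the given <paramref name="cid"/> / <paramref name="sid"/>
        /// pair and copies the ICMP fields into an <see cref="Icmphdr"/>.
        /// </summary>
        /// <param name="cid">Value matched against the <c>cid</c> column.</param>
        /// <param name="sid">Value matched against the <c>sid</c> column.</param>
        /// <param name="conn">
        /// Connection to query. It is opened here and disposed before this method returns,
        /// so the caller must hand over a connection it does not intend to reuse.
        /// </param>
        /// <returns>
        /// The populated header. When no row matches, a default-constructed <see cref="Icmphdr"/> is returned;
        /// when several rows match, the values of the last row read win.
        /// </returns>
        public static Icmphdr GetIcmphdr(int cid, int sid, MySqlConnection conn)
        {
            Icmphdr icmphdr = new Icmphdr();

            using (conn)
            {
                conn.Open();

                // Bind the identifiers as parameters instead of concatenating them into the SQL text.
                // They are ints today, so the concatenated form was not injectable, but the bound form
                // stays safe if a parameter type ever changes or the pattern is copied for string input.
                using (MySqlCommand cmd = new MySqlCommand("SELECT * FROM icmphdr WHERE cid = @cid AND sid = @sid", conn))
                {
                    cmd.Parameters.AddWithValue("@cid", cid);
                    cmd.Parameters.AddWithValue("@sid", sid);

                    using (MySqlDataReader reader = cmd.ExecuteReader())
                    {
                        while (reader.Read())
                        {
                            // NOTE(review): the typed getters throw on NULL; confirm these columns are NOT NULL
                            // in the schema, otherwise guard each read with IsDBNull.
                            icmphdr.icmp_type = reader.GetUInt16("icmp_type");
                            icmphdr.icmp_code = reader.GetInt32("icmp_code");
                            icmphdr.icmp_csum = reader.GetInt32("icmp_csum");
                            icmphdr.icmp_id   = reader.GetInt32("icmp_id");
                            icmphdr.icmp_seq  = reader.GetInt32("icmp_seq");
                        }
                    }
                }
            }
            return icmphdr;
        }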
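        /// <summary>
        /// Handles the GET request for one event's detail page. Reads <c>cid</c> and <c>sid</c> from the
        /// query string, fills the static lookup caches on first use, loads the event, its signature and
        /// references, the IP header and the matching ICMP/TCP/UDP header, and finally queries the RIPE
        /// database for the source and destination addresses.
        /// </summary>
        /// <remarks>
        /// Several of the strings built here (<c>signature.ref_url</c>, <c>iphdr.protocol</c>, the
        /// <c>tcp_protocol</c>/<c>udp_protocol</c> labels and the whois rows) are HTML fragments.
        /// NOTE(review): the page presumably emits them without encoding; confirm against the view. Because of
        /// that, every value that originates in the database, the lookup files or the RIPE response is
        /// HTML-encoded here before it is placed inside markup.
        /// On a bad URL or an unknown event the method sets <c>errors</c> and returns early.
        /// </remarks>
        public void OnGet()
        {
            // The identifiers come straight from the query string; parse them without relying on
            // exceptions and reject anything that is not an integer.
            int requestedCid;
            int requestedSid;
            if (!int.TryParse(HttpContext.Request.Query["cid"].ToString(), out requestedCid) ||
                !int.TryParse(HttpContext.Request.Query["sid"].ToString(), out requestedSid))
            {
                errors = new List <string>();
                errors.Add("How did you get here? Invalid url.");
                return;
            }
            cid = requestedCid;
            sid = requestedSid;

            SnortContext db = HttpContext.RequestServices.GetService(typeof(SnortContext)) as SnortContext;

            // The lookup tables below are filled once and kept in static fields. Nothing here refreshes
            // them afterwards (the original "check for new alerts" branch was empty), so alerts recorded
            // after the first request are not picked up by this method.
            if (StaticData.alerts == null)
            {
                StaticData.alerts = AlertMapper.ResolveAlerts(0, ref StaticData.signatureStrings, db.GetConnection());
            }
            if (StaticData.ref_classes == null)
            {
                StaticData.ref_classes = Reference_systemTable.GetRefClasses(db.GetConnection());
            }
            if (StaticData.class_names == null)
            {
                StaticData.class_names = Sig_classTable.GetClassNames(db.GetConnection());
            }
            if (StaticData.protocols == null)
            {
                StaticData.protocols = XmlUtils.GetProcotols();
            }
            if (StaticData.trprotocols == null)
            {
                StaticData.trprotocols = XmlUtils.GetTransportProcotols();
            }

            // FirstOrDefault yields the default value when the cached list has no such alert;
            // the event lookup below is what actually rejects unknown ids.
            alerts.Add(StaticData.alerts.FirstOrDefault(x => x.cid == cid && x.sid == sid));

            eve = EventTable.GetEvent(cid, sid, db.GetConnection());
            if (eve.cid == 0)
            {
                errors = new List <string>();
                errors.Add("How did you get here? Event not found.");
                return;
            }

            //SIGNATURE
            Signature signature = SignatureTable.GetSignature(eve.signature, db.GetConnection());

            if (signature.sig_class_id > 0)
            {
                StaticData.class_names.TryGetValue(signature.sig_class_id, out className);
                signature.class_name = className;
                signatures.Add(signature);
            }
            sigrefs = ReferenceTable.GetReference(signature.sig_id, db.GetConnection());
            if (sigrefs != null)
            {
                foreach (snortdb.Ref sigref in sigrefs)
                {
                    // The reference tag is stored data (it comes from the rule set), so it is never
                    // written into markup unencoded. References without a scheme get "http://" prefixed.
                    string ref_url = StaticData.ref_classes.GetValueOrDefault(sigref.ref_system_id) + sigref.ref_tag;
                    string href = ref_url.StartsWith("http", StringComparison.Ordinal) ? ref_url : "http://" + ref_url;
                    signature.ref_url += BuildExternalLink(href, ref_url) + "<br>";
                }
            }
            else
            {
                signature.ref_url = "-";
            }

            //IP HEADER
            Iphdr iphdr = IphdrTable.GetIphdr(cid, sid, db.GetConnection());

            if (iphdr.source == null)
            {
                iphdr.source = AlertMapper.ResolveIP(iphdr.ip_src);
            }
            if (iphdr.destination == null)
            {
                iphdr.destination = AlertMapper.ResolveIP(iphdr.ip_dst);
            }
            string protocol  = StaticData.protocols.Where(x => x.pid == iphdr.ip_proto).Select(x => x.name).FirstOrDefault();
            string proto_ref = StaticData.protocols.Where(x => x.pid == iphdr.ip_proto).Select(x => x.reference).FirstOrDefault();

            if (protocol == null)
            {
                // Unknown protocol number: show the number itself.
                iphdr.protocol = iphdr.ip_proto.ToString();
            }
            else if (proto_ref == null)
            {
                iphdr.protocol = WebUtility.HtmlEncode(protocol);
            }
            else
            {
                iphdr.protocol = BuildExternalLink(proto_ref, protocol);
            }
            iphdrs.Add(iphdr);

            // Port-to-service names are resolved from the in-memory table; an earlier variant of this
            // code built shell commands from the port numbers and is intentionally not used.
            switch (iphdr.ip_proto)
            {
            case 1:          //ICMP HEADER
            {
                Icmphdr icmphdr = IcmphdrTable.GetIcmphdr(cid, sid, db.GetConnection());
                icmphdr.icmp_type_text = Utils.GetICMPType(icmphdr.icmp_type.ToString());
                icmphdrs.Add(icmphdr);
                break;
            }

            case 6:          //TCP HEADER
            {
                Tcphdr tcphdr = TcphdrTable.GetTcphdr(cid, sid, db.GetConnection());
                TransportProtocol tcpSource = StaticData.trprotocols.FirstOrDefault(x => x.number == tcphdr.tcp_sport && x.protocol == "tcp");
                TransportProtocol tcpDest   = StaticData.trprotocols.FirstOrDefault(x => x.number == tcphdr.tcp_dport && x.protocol == "tcp");

                tcphdr.tcp_protocol  = FormatServiceLabel(tcpSource, tcphdr.tcp_sport.ToString());
                tcphdr.tcp_protocol2 = FormatServiceLabel(tcpDest, tcphdr.tcp_dport.ToString());
                tcphdrs.Add(tcphdr);
                break;
            }

            case 17:          //UDP HEADER
            {
                Udphdr udphdr = UdphdrTable.GetUdphdr(cid, sid, db.GetConnection());
                TransportProtocol udpSource = StaticData.trprotocols.FirstOrDefault(x => x.number == udphdr.udp_sport && x.protocol == "udp");
                TransportProtocol udpDest   = StaticData.trprotocols.FirstOrDefault(x => x.number == udphdr.udp_dport && x.protocol == "udp");

                udphdr.udp_protocol  = FormatServiceLabel(udpSource, udphdr.udp_sport.ToString());
                udphdr.udp_protocol2 = FormatServiceLabel(udpDest, udphdr.udp_dport.ToString());
                udphdrs.Add(udphdr);
                break;
            }

            default:
            {
                break;
            }
            }

            //WHOIS - RIPE
            // Each page view sends the event's source and destination address to the public RIPE REST
            // service, synchronously and with no timeout configured here. The lookup is best-effort:
            // a failed or empty answer simply leaves the whois fields untouched.
            using (WebClient wc = new WebClient())
            {
                string queryUrl;
                string namesHtml;
                string valuesHtml;

                if (TryLookupRipeWhois(wc, iphdr.source, out queryUrl, out namesHtml, out valuesHtml))
                {
                    whoisURL = queryUrl;
                    whoisData.Add(new AttributeOutput(namesHtml, valuesHtml));
                }

                if (TryLookupRipeWhois(wc, iphdr.destination, out queryUrl, out namesHtml, out valuesHtml))
                {
                    whoisURL2 = queryUrl;
                    whoisData2.Add(new AttributeOutput(namesHtml, valuesHtml));
                }
            }
        }

        /// <summary>
        /// Builds an anchor that opens in a new tab, HTML-encoding both the target and the visible text
        /// and quoting the <c>href</c> attribute so neither value can break out of the markup.
        /// </summary>
        private static string BuildExternalLink(string href, string text)
        {
            // rel="noopener noreferrer" keeps the opened page from reaching back through window.opener.
            return "<a href=\"" + WebUtility.HtmlEncode(href) + "\" target=\"_blank\" rel=\"noopener noreferrer\">" +
                   WebUtility.HtmlEncode(text) + "</a>";
        }

        /// <summary>
        /// Renders a port's service entry: a link when the entry has a reference URL, the encoded
        /// service name when it has none, and <paramref name="fallback"/> when the port is unknown.
        /// </summary>
        private static string FormatServiceLabel(TransportProtocol service, string fallback)
        {
            if (service == null)
            {
                return fallback;
            }
            if (service.xref != null)
            {
                return BuildExternalLink(service.xref, service.name);
            }
            return WebUtility.HtmlEncode(service.name);
        }

        /// <summary>
        /// Queries the RIPE REST search for <paramref name="address"/> and collects the attributes of the
        /// <c>inetnum</c>, <c>inet6num</c>, <c>person</c> and <c>route</c> objects, skipping <c>remarks</c>.
        /// </summary>
        /// <param name="wc">Client used for the download.</param>
        /// <param name="address">Address to look up; it is URL-escaped before being placed in the query.</param>
        /// <param name="queryUrl">On success, the RIPE web UI URL for the same search.</param>
        /// <param name="namesHtml">On success, the attribute names joined with <c>&lt;br&gt;</c>.</param>
        /// <param name="valuesHtml">On success, the attribute values joined with <c>&lt;br&gt;</c>.</param>
        /// <returns><c>true</c> when at least one attribute was collected; <c>false</c> on any failure or empty answer.</returns>
        private static bool TryLookupRipeWhois(WebClient wc, string address, out string queryUrl, out string namesHtml, out string valuesHtml)
        {
            queryUrl = null;
            namesHtml = null;
            valuesHtml = null;

            if (string.IsNullOrEmpty(address))
            {
                return false;
            }

            try
            {
                string escaped = Uri.EscapeDataString(address);
                string response = wc.DownloadString("https://rest.db.ripe.net/search.xml?query-string=" + escaped +
                                                    "&flags=no-filtering&source=RIPE");

                // The document comes from the network: make sure no external entity or DTD is fetched.
                XmlDocument xdoc = new XmlDocument();
                xdoc.XmlResolver = null;
                xdoc.LoadXml(response);

                List <string> names = new List <string>();
                List <string> values = new List <string>();
                foreach (XmlNode record in xdoc.DocumentElement.SelectNodes("objects/object"))
                {
                    string type = record.Attributes["type"].Value;
                    if (type != "inetnum" && type != "inet6num" && type != "person" && type != "route")
                    {
                        continue;
                    }
                    foreach (XmlNode att in record.SelectNodes("attributes/attribute"))
                    {
                        string name = att.Attributes["name"].Value;
                        if (name == "remarks")
                        {
                            continue;
                        }
                        // Registry fields are free text maintained by whoever holds the address range,
                        // which for an alert may be the party that triggered it: encode before display.
                        names.Add(WebUtility.HtmlEncode(name));
                        values.Add(WebUtility.HtmlEncode(att.Attributes["value"].Value));
                    }
                }
                if (names.Count == 0)
                {
                    return false;
                }

                string webUrl = "https://apps.db.ripe.net/db-web-ui/#/query?searchtext=" + escaped + "&source=RIPE&bflag=true";
                names.Add("source url");
                values.Add(BuildExternalLink(webUrl, webUrl));

                queryUrl = webUrl;
                namesHtml = String.Join("<br>", names);
                valuesHtml = String.Join("<br>", values);
                return true;
            }
            catch (Exception)
            {
                // Deliberately best-effort: network errors, malformed XML or a missing attribute must
                // not break the event page. No logger is visible in this class; add logging here if one exists.
                queryUrl = null;
                namesHtml = null;
                valuesHtml = null;
                return false;
            }
        }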