public static Iphdr GetIphdr(int cid, int sid, MySqlConnection conn)
{
Iphdr iphdr = new Iphdr();
UInt32 schema = AlertMapper.GetSchemaID(conn);
using (conn)
{
conn.Open();
MySqlCommand cmd;
cmd = new MySqlCommand("SELECT * FROM iphdr WHERE cid = " + cid.ToString() + " AND sid = " + sid.ToString(), conn);
using (MySqlDataReader reader = cmd.ExecuteReader())
{
while (reader.Read())
{
iphdr.sid = sid;
iphdr.cid = cid;
iphdr.ip_ver = reader.GetInt32("ip_ver");
if (schema < 200) //UINT32 IP column
{
iphdr.source = AlertMapper.ResolveIP4(reader.GetUInt32("ip_src"));
iphdr.destination = AlertMapper.ResolveIP4(reader.GetUInt32("ip_dst"));
}
else
{
//IP v6
if ((iphdr.ip_ver) != 4)
{
iphdr.ip_src = new Byte[16];
iphdr.ip_dst = new Byte[16];
reader.GetBytes(reader.GetOrdinal("ip_src"), 0, iphdr.ip_src, 0, 16);
reader.GetBytes(reader.GetOrdinal("ip_dst"), 0, iphdr.ip_dst, 0, 16);
}
//IP v4
else
{
iphdr.ip_src = new Byte[4];
iphdr.ip_dst = new Byte[4];
reader.GetBytes(reader.GetOrdinal("ip_src"), 0, iphdr.ip_src, 0, 4);
reader.GetBytes(reader.GetOrdinal("ip_dst"), 0, iphdr.ip_dst, 0, 4);
}
}
iphdr.ip_hlen = reader.GetInt32("ip_hlen");
iphdr.ip_tos = reader.GetInt32("ip_tos");
iphdr.ip_ecn = iphdr.ip_tos & 3;
iphdr.ip_len = reader.GetInt32("ip_len");
iphdr.ip_id = reader.GetInt32("ip_id");
iphdr.ip_flags = reader.GetInt32("ip_flags");
iphdr.ip_off = reader.GetInt32("ip_off");
iphdr.ip_csum = reader.GetInt32("ip_csum");
iphdr.ip_ttl = reader.GetInt32("ip_ttl");
iphdr.ip_proto = reader.GetInt32("ip_proto");
}
}
}
return(iphdr);
}
public void OnGet()
{
try
{
cid = Convert.ToInt32(HttpContext.Request.Query["cid"].ToString());
sid = Convert.ToInt32(HttpContext.Request.Query["sid"].ToString());
}
catch (Exception)
{
errors = new List <string>();
errors.Add("How did you get here? Invalid url.");
//errors.Add(e.Message);
return;
}
SnortContext db = HttpContext.RequestServices.GetService(typeof(SnortContext)) as SnortContext;
if (StaticData.alerts == null)
{
StaticData.alerts = AlertMapper.ResolveAlerts(0, ref StaticData.signatureStrings, db.GetConnection());
}
//Check for new alerts
else
{
}
if (StaticData.ref_classes == null)
{
StaticData.ref_classes = Reference_systemTable.GetRefClasses(db.GetConnection());
}
if (StaticData.class_names == null)
{
StaticData.class_names = Sig_classTable.GetClassNames(db.GetConnection());
}
if (StaticData.protocols == null)
{
StaticData.protocols = XmlUtils.GetProcotols();
//StaticData.protocols = db.GetProtocols();
}
if (StaticData.trprotocols == null)
{
StaticData.trprotocols = XmlUtils.GetTransportProcotols();
}
alerts.Add(StaticData.alerts.Where(x => x.cid == cid && x.sid == sid).FirstOrDefault());
//SessionExtensions.Set<List<Alert>>(HttpContext.Session,"alert", alerts);
eve = EventTable.GetEvent(cid, sid, db.GetConnection());
if (eve.cid == 0)
{
errors = new List <string>();
errors.Add("How did you get here? Event not found.");
//errors.Add(e.Message);
return;
}
//SIGNATURE
Signature signature = SignatureTable.GetSignature(eve.signature, db.GetConnection());
if (signature.sig_class_id > 0)
{
StaticData.class_names.TryGetValue(signature.sig_class_id, out className);
signature.class_name = className;
signatures.Add(signature);
}
sigrefs = ReferenceTable.GetReference(signature.sig_id, db.GetConnection());
if (sigrefs != null)
{
foreach (snortdb.Ref sigref in sigrefs)
{
string ref_url = StaticData.ref_classes.GetValueOrDefault(sigref.ref_system_id) + sigref.ref_tag;
if (!ref_url.StartsWith("http"))
{
signature.ref_url += "<a href=http://" + ref_url + " target=\"_blank\">" + ref_url + "</a></br>";
}
else
{
signature.ref_url += "<a href=" + ref_url + " target=\"_blank\">" + ref_url + "</a></br>";
}
}
}
else
{
signature.ref_url = "-";
}
//IP HEADER
Iphdr iphdr = IphdrTable.GetIphdr(cid, sid, db.GetConnection());
if (iphdr.source == null)
{
iphdr.source = AlertMapper.ResolveIP(iphdr.ip_src);
}
if (iphdr.destination == null)
{
iphdr.destination = AlertMapper.ResolveIP(iphdr.ip_dst);
}
string protocol = StaticData.protocols.Where(x => x.pid == iphdr.ip_proto).Select(x => x.name).FirstOrDefault();
string proto_ref = StaticData.protocols.Where(x => x.pid == iphdr.ip_proto).Select(x => x.reference).FirstOrDefault();
if (protocol != null)
{
if (proto_ref == null)
{
iphdr.protocol = protocol;
}
else
{
iphdr.protocol = "<a href=\"" + proto_ref + "\" target=\"_blank\">" + protocol + "</a>";
}
}
else
{
iphdr.protocol = iphdr.ip_proto.ToString();
}
iphdrs.Add(iphdr);
switch (iphdr.ip_proto)
{
case 1: //ICMP HEADER
{
Icmphdr icmphdr = IcmphdrTable.GetIcmphdr(cid, sid, db.GetConnection());
//icmphdr.icmp_type_text = Utils.Bash("cat " + path + " | grep '#" + icmphdr.icmp_type + " –'");
icmphdr.icmp_type_text = Utils.GetICMPType(icmphdr.icmp_type.ToString());
icmphdrs.Add(icmphdr);
break;
}
case 6: //TCP HEADER
{
Tcphdr tcphdr = TcphdrTable.GetTcphdr(cid, sid, db.GetConnection());
//var output = Utils.Bash("cat /etc/services | grep [[:space:]]" + tcphdr.tcp_sport + "/tcp");
//var output2 = Utils.Bash("cat /etc/services | grep [[:space:]]" + tcphdr.tcp_dport + "/tcp");
TransportProtocol trp = StaticData.trprotocols.Where(x => x.number == tcphdr.tcp_sport && x.protocol == "tcp").FirstOrDefault();
TransportProtocol trp2 = StaticData.trprotocols.Where(x => x.number == tcphdr.tcp_dport && x.protocol == "tcp").FirstOrDefault();
/*if(output != "") */
if (trp != null)
{
if (trp.xref != null)
{
tcphdr.tcp_protocol = "<a href=\"" + trp.xref + "\" target=\"_blank\">" + trp.name + "</a>";
}
else
{
tcphdr.tcp_protocol = trp.name;
}
// tcphdr.tcp_protocol = tcphdr.tcp_sport + " ("+ output.Split('\t')[0] + ")";
// if(output.Split('#').Count() > 1) tcphdr.tcp_protocol += " – " + output.Split('#')[1];
}
else
{
tcphdr.tcp_protocol = tcphdr.tcp_sport.ToString();
}
/*if(output2 != "") */
if (trp2 != null)
{
if (trp2.xref != null)
{
tcphdr.tcp_protocol2 = "<a href=\"" + trp2.xref + "\" target=\"_blank\">" + trp2.name + "</a>";
}
else
{
tcphdr.tcp_protocol2 = trp2.name;
}
// tcphdr.tcp_protocol2 = tcphdr.tcp_dport + " ("+ output2.Split('\t')[0] + ")";
// if(output2.Split('#').Count() > 1) tcphdr.tcp_protocol2 += " – " + output2.Split('#')[1];
}
else
{
tcphdr.tcp_protocol2 = tcphdr.tcp_dport.ToString();
}
tcphdrs.Add(tcphdr);
break;
}
case 17: //UDP HEADER
{
Udphdr udphdr = UdphdrTable.GetUdphdr(cid, sid, db.GetConnection());
//var output = Utils.Bash("cat /etc/services | grep [[:space:]]" + udphdr.udp_sport + "/udp");
//var output2 = Utils.Bash("cat /etc/services | grep [[:space:]]" + udphdr.udp_dport + "/udp");
TransportProtocol trp = StaticData.trprotocols.Where(x => x.number == udphdr.udp_sport && x.protocol == "udp").FirstOrDefault();
TransportProtocol trp2 = StaticData.trprotocols.Where(x => x.number == udphdr.udp_dport && x.protocol == "udp").FirstOrDefault();
/*if(output != "") */
if (trp != null)
{
// udphdr.udp_protocol = udphdr.udp_sport + " ("+ output.Split('\t')[0] + ")";
// if(output.Split('#').Count() > 1) udphdr.udp_protocol += " – " + output.Split('#')[1];
if (trp.xref != null)
{
udphdr.udp_protocol = "<a href=\"" + trp.xref + "\" target=\"_blank\">" + trp.name + "</a>";
}
else
{
udphdr.udp_protocol = trp.name;
}
}
else
{
udphdr.udp_protocol = udphdr.udp_sport.ToString();
}
/*if(output2 != "") */
if (trp2 != null)
{
//udphdr.udp_protocol2 = udphdr.udp_dport + " ("+ output2.Split('\t')[0] + ")";
//if(output2.Split('#').Count() > 1) udphdr.udp_protocol2 += " – " + output2.Split('#')[1];
if (trp2.xref != null)
{
udphdr.udp_protocol2 = "<a href=\"" + trp2.xref + "\" target=\"_blank\">" + trp2.name + "</a>";
}
else
{
udphdr.udp_protocol2 = trp2.name;
}
}
else
{
udphdr.udp_protocol2 = udphdr.udp_dport.ToString();
}
udphdrs.Add(udphdr);
break;
}
default:
{
break;
}
}
//WHOIS - RIPE
using (WebClient wc = new WebClient())
{
snortdb.Attributes attList = new snortdb.Attributes();
try //SOURCE
{
string url = "https://rest.db.ripe.net/search.xml?query-string=" + iphdr.source +
"&flags=no-filtering&source=RIPE";
var json = wc.DownloadString(url);
XmlDocument xdoc = new XmlDocument();
xdoc.LoadXml(json);
XmlNode root = xdoc.DocumentElement;
attList.attributes = new List <snortdb.Attribute>();
foreach (XmlNode record in root.SelectNodes("objects/object"))
{
if (record.Attributes["type"].Value == "inetnum" || record.Attributes["type"].Value == "inet6num" || record.Attributes["type"].Value == "person" ||
record.Attributes["type"].Value == "route")
{
foreach (XmlNode att in record.SelectNodes(@"attributes/attribute"))
{
if (att.Attributes["name"].Value == "remarks")
{
continue;
}
attList.attributes.Add(new snortdb.Attribute(att.Attributes["name"].Value, att.Attributes["value"].Value));
}
}
}
if (attList.attributes.Count() > 0)
{
whoisURL = "https://apps.db.ripe.net/db-web-ui/#/query?searchtext=" + iphdr.source + "&source=RIPE&bflag=true";
attList.attributes.Add(new snortdb.Attribute("source url", "<a href=\"" + whoisURL + "\" target=\"_blank\">" + whoisURL + "<a>"));
whoisData.Add(new AttributeOutput(String.Join("<br>", attList.attributes.Select(x => x.name)), String.Join("<br>", attList.attributes.Select(x => x.value))));
}
}
catch (Exception) { }
attList.attributes.Clear();
try //DESTINATION
{
string url = "https://rest.db.ripe.net/search.xml?query-string=" + iphdr.destination +
"&flags=no-filtering&source=RIPE";
var json = wc.DownloadString(url);
XmlDocument xdoc = new XmlDocument();
xdoc.LoadXml(json);
XmlNode root = xdoc.DocumentElement;
attList.attributes = new List <snortdb.Attribute>();
foreach (XmlNode record in root.SelectNodes("objects/object"))
{
if (record.Attributes["type"].Value == "inetnum" || record.Attributes["type"].Value == "inet6num" || record.Attributes["type"].Value == "person" ||
record.Attributes["type"].Value == "route")
{
foreach (XmlNode att in record.SelectNodes(@"attributes/attribute"))
{
if (att.Attributes["name"].Value == "remarks")
{
continue;
}
attList.attributes.Add(new snortdb.Attribute(att.Attributes["name"].Value, att.Attributes["value"].Value));
}
}
}
if (attList.attributes.Count() > 0)
{
whoisURL2 = "https://apps.db.ripe.net/db-web-ui/#/query?searchtext=" + iphdr.destination + "&source=RIPE&bflag=true";
attList.attributes.Add(new snortdb.Attribute("source url", "<a href=\"" + whoisURL2 + "\" target=\"_blank\">" + whoisURL2 + "<a>"));
whoisData2.Add(new AttributeOutput(String.Join("<br>", attList.attributes.Select(x => x.name)), String.Join("<br>", attList.attributes.Select(x => x.value))));
}
}
catch (Exception) { }
}
//SessionExtensions.Set<List<Data>>(HttpContext.Session,"datas", datas);
}
