OSSIM开源安全信息管理系统(四)

2021SC@SDUSC

一、Web部分源代码分析


1、简述

用户接触OSSIM平台最多的是 Web UI,通过Web 以可视化方式轻松获取各种安全分析的图表,作为普通运维人员或者监控人员,绝大多数操作都是通过Web UI 来完成。

Web UI 界面以及各部分所对应的功能,已在前面的博文中进行了详细的阐述讲解,本篇博文便不再赘述



2、Web UI对应源代码目录结构

Web UI 以 php 为主要编程语言,各部分功能对应的源代码目录如下表所示:

一级菜单 二级菜单 调用界面
DASHBOARDS Overview ./dashboard/index.php
Deployment status ./deployment/index.php
Risk Maps ./risk maps/view.php
OTX ./reputation/index.php
Analysis Alarms Group View ./alarm/alarm_console.php ./alarm/alarm_group_console.php
Security Events (SIEM) Real Time ./forensics/base_ary_main.php ./control_ panel/event_panel.php
Raw Logs ./sem/index.php
Tickets ./incidents/index.php
ENVIRONMENT Assets Asset Discovery ./assets/index.php ./netscan/index.php
Groups&Networks Network Groups ./assets/list_view.php ./netgroup/netgroup.php
Vulnerabilities Overview : ./vulnmeter/index.php ScanJobs : ./vulnmeter/manage_jobs.php Settings : ./vulnmeter/webconfig.php Threat Database : ./vulnmeter/threats-db.php
Profiles ./ntop/index.php
NetFlow ./nfsen/nfsen.php
Traffic capture ./pcap/index.php
Availability ./nagios/index.php
Detection ./ossec/status.php Agents : ./ossec/agent.php Agentless : ./ossec/agentless.php Edit Rules : ./ossec/index.php Config : ./ossec/config.php Ossec control : ./ossec/ossec_control.php Wireles IDS : ./wireless/index.php
REPORTS Alarms Report 生成文件 : ./report/os_reports/Alarms/generaL.php Business&Compliance ISO PCI Report生成文件 : ./report/os_reports/BussinessAndComplianceISOPCI/general.php Tickets Status Report生成文件 : ./report/os_reports/Tickets/general.php SIEM Events 生成文件 : ./reports/os_reports/Siem/general.php Vulnerabilities Report 生成文件 : ./vulnmeter/lr_respdf.php
CONFIGURATION Administration USERS ./session/users.php Activity : ./conf/userlog.php
MAIN ./conf/index.php
BACKUP ./backup/index.php
Deployment Alienvault Center : ./av_center/index.php Sensors : ./server/sensor.php Servers : ./server/server.php Scheduler : ./av_inventory/index.php Locations : ./sensor/locations.php
Threat Intelligence Policy : ./policy/policy.php Edit pPolicy Groups : ./policy/policygroup.php
Actions : ./action/action.php
Ports : ./porUport.php Port Groups : ./port/portgroup.php
Directives : ./directives/index.php
ComplianceMapping : ./compliance/iso27001.php PCIDSS2.0 : ./compliance/pci-dss.php Run Scripts : ./compliance/mod scripts.php
Cross Correlation : ./conf/pluginref.php
Data Source : ./conf/plugin.php Data Source Groups : ./policy/plugingroups.php
Taxonomy : ./conficategory.php
Knowledge Base : ./repository/index.php
SETTINGS My Profile ./session/user_form.php
Current Sessions ./userlogopened_sessions.php
User Activity ./userlog/user_ action _log.php
Support Help ./help/index.php
Downloads ./downloads/index.php



3、security.php源码分析

本部分将对仪表盘子模块中 event模块中的一个比较重要的代码文件security.php的源代码进行初步分析。

源码地址:alienvault-ossim\os-sim\www\dashboard\sections\widgets\data\security.php

//首先在文件头部进行相关文件的引用,初始化函数库

require_once 'av_init.php';
require_once 'sensor_filter.php';
require_once '../widget_common.php';
require_once 'common.php';

引入相关文件的主要功能:

av_init.php:AlienVault 初始化文件,通过引用其他文件,完成一些初始化操作,例如创建session、设置class path、DB 管理、获取全局配置、设置语言等等。

sensor_filter.php:主要实现相关过滤的功能。包含资产过滤、传感器过滤、分类过滤等。

widget_common.php:控件相关操作。主要与数据库中 dashboard_widget_config 表进行交互,进行控件重新排列、获取次序、获取数据等操作。

common.php:获取一些数据的趋势,以小时和周为单位获取 SIEM 趋势


//通过Session检查当前登录用户是否有访问该菜单的权限

Session::logcheck("dashboard-menu", "ControlPanelExecutive");
Session::logcheck("analysis-menu", "EventsForensics");

//接下来连接数据库

$db    = new ossim_db(TRUE);
$conn  = $db->connect();

//获取当前用户信息

$user = Session::get_session_user();

//get方式获取控件类型,设置安全控件的类型

$type = GET("type");

//get方式获取控件ID

$id = GET("id");

//对控件类型、ID进行有效性验证

ossim_valid($type,	OSS_TEXT, 					'illegal:' . _("type"));
ossim_valid($id, 	OSS_DIGIT, OSS_NULLABLE, 	'illegal:' . _("Widget ID"));

if (ossim_error()) 
{
     
    die(ossim_error());
}

//控件的数组信息,图表信息和标签云信息等

$winfo		= array();

$chart_info = array();

接下来判断ID

//如果ID为空,代表着目前在向导的预可视化中。系统可以从get参数中获取所有信息。

if (!isset($id) || empty($id)){
     
    //定义控件高度
    $winfo['height'] = GET("height");
    //定义类型:图表标签云等
    $winfo['wtype'] = GET("wtype"); 
    //定义资产
    $winfo['asset'] = GET("asset"); 
    //图表类型,图例参数等
    $chart_info = json_decode(GET("value"),true); 

}


//如果ID不为空,正常情况下,从仪表板加载控件,在这种情况下,系统从数据库获取相关信息。

else 
{
     
    $winfo = get_widget_data($conn, $id); 
    //图表类型,图例参数
    $chart_info = $winfo['params']; 
}

// 有效性检验

ossim_valid($winfo['wtype'], 	OSS_TEXT, 								'illegal:' . _("Type"));
ossim_valid($winfo['height'],	OSS_DIGIT, 								'illegal:' . _("Widget ID"));
ossim_valid($winfo['asset'], 	OSS_HEX,OSS_SCORE,OSS_ALPHA,OSS_USER, 	'illegal:' . _("Asset/User/Entity"));

if (is_array($chart_info) && !empty($chart_info))
{
     
	$validation = get_array_validation();
		
	foreach($chart_info as $key=>$val)
	{
     
    	if ($validation[$key] == '')
    	{
     
        	continue;
    	}
    	
		eval("ossim_valid(\"\$val\", ".$validation[$key].", 'illegal:" . _($key)."');");
	}	
}

if (ossim_error()) 
{
     
	die(ossim_error());
}

//存储图表信息的变量

//定义一个控件自身数组
$data  = array();	
//控件的标签,例如图表中的图例、标签云中的标题等...
$label = array();	
//定义每个元素的链接数组
$links = array();	

//switch case根据控件的类型对控件的数据进行计算
//type=“tcp”

switch($type)
{
     
	case "tcp":

//资产过滤器

$query_where = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-7200), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
//在控件中显示的最大攻击次数。	
$limit = ($chart_info['top'] != '')? $chart_info['top'] : 30;
		//SQL查询
		//在查询中使用参数
		$sql   = "select layer4_dport as port, count(id) as num from alienvault_siem.acid_event where layer4_dport != 0 and ip_proto=6 $query_where group by port order by num desc limit $limit";
		//回显 $sql;
		$rs = $conn->CacheExecute($sql);
		
		if (!$rs)
		{
     
		    print $conn->ErrorMsg();
		}
		else 
		{
     
			$array_aux = array();
		    while (!$rs->EOF) 
		    {
     			
				$array_aux[$rs->fields["port"]] = $rs->fields["num"];
				$link = Menu::get_menu_url('/ossim/forensics/base_qry_main.php?tcp_port[0][0]=&tcp_port[0][1]=layer4_dport&tcp_port[0][2]==&tcp_port[0][3]='.$rs->fields["port"].'&tcp_port[0][4]=&tcp_port[0][5]=&tcp_flags[0]=&layer4=TCP&num_result_rows=-1¤t_view=-1&new=1&submit=QUERYDBP&sort_order=sig_a&clear_allcriteria=1&clear_criteria=time&time_range=all', 'analysis', 'security_events');
				$links[$rs->fields["port"]] = $link; 
				$rs->MoveNext();
		    }
			
			//按照端口的名称排序对结果进行排序,而不是攻击的数量。
			ksort($array_aux);			
			$data   = array_values($array_aux);
			$label  = array_keys($array_aux);
			
			//serie名称
			$serie  = 'Amount of Attacks';
			//颜色设置
			$colors = "#333333";
		}

		break;

//type=“promiscuous”

case "promiscuous":
		    	
		//日期范围
		$range          = ($chart_info['range']  > 0)? ($chart_info['range'] * 86400) : 432000;
		
		//资产过滤
		$query_where    = Security_report::make_where($conn, gmdate("Y-m-d 00:00:00",gmdate("U")-$range), gmdate("Y-m-d 23:59:59"), array(), $assets_filters);
		
		
		//设置主机在控件中显示的限制。
		$limit          = ($chart_info['top'] != '')? $chart_info['top'] : 10;
		//连接到SIEM控制台页面
		$forensic_link  = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time_cnt=2&time[0][0]=+&time[0][1]=%3E%3D&time[0][8]=+&time[0][9]=AND&time[1][1]=%3C%3D&time[0][2]=".gmdate("m",$timetz-$range)."&time[0][3]=".gmdate("d",$timetz-$range)."&time[0][4]=".gmdate("Y",$timetz-$range)."&time[0][5]=00&time[0][6]=00&time[0][7]=00&time[1][2]=".gmdate("m",$timetz)."&time[1][3]=".gmdate("d",$timetz)."&time[1][4]=".gmdate("Y",$timetz)."&time[1][5]=23&time[1][6]=59&time[1][7]=59&submit=Query+DB&num_result_rows=-1&time_cnt=1&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');

		//SQL查询
		//在查询中使用参数,用户参数查询
		$sqlgraph       = "select count(distinct(ip_dst)) as num_events,ip_src as name from alienvault_siem.po_acid_event AS acid_event WHERE 1=1 $query_where group by ip_src having ip_src>0x00000000000000000000000000000000 order by num_events desc limit $limit";

        $rg = $conn->CacheExecute($sqlgraph);

		if (!$rg)
		{
     
		    print $conn->ErrorMsg();
		}
		else
		{
     
		    while (!$rg->EOF) 
		    {
     
		        $data[]  = $rg->fields["num_events"];
				$label[] = inet_ntop($rg->fields["name"]);
				
				$links[] = $forensic_link . '&ip_addr[0][0]=+&ip_addr[0][1]=ip_src&ip_addr[0][2]=%3D&ip_addr[0][3]=' . inet_ntop($rg->fields["name"]) . '&ip_addr[0][8]=+&ip_addr[0][9]=+&ip_addr_cnt=1';

		        $rg->MoveNext();
		    }
		}
		
		$colors = get_widget_colors(count($data));
		
		break;


//type=“siemhours”

case 'siemhours':
	
		//在控件中显示的小时数。
		$max = ($chart_info['range'] == '')? 16 : $chart_info['range'];
		
		//检索小部件的数据
		$js     = "analytics";
		$fdate  = gmdate("Y-m-d H",$timetz-(3600*($max-1)));
		$values = SIEM_trends($max, $assets_filters, $fdate);

		//将信息格式化为对处理程序有效的格式。
		for ($i=$max-1; $i>=0; $i--) 
		{
     
			$tref    = $timetz-(3600*$i);
			$h       = gmdate("j G",$tref)."h";
			
			$label[] = preg_replace("/\d+ /","",$h);
			$data[]  = ($values[$h]!="") ? $values[$h] : 0;

			$link    = Menu::get_menu_url("/ossim/forensics/base_qry_main.php?clear_allcriteria=1&time_range=range&time[0][0]=+&time[0][1]=>%3D&time[0][2]=".gmdate("m",$tref)."&time[0][3]=".gmdate("d",$tref)."&time[0][4]=".gmdate("Y",$tref)."&time[0][5]=".gmdate("H",$tref)."&time[0][6]=00&time[0][7]=00&time[0][8]=+&time[0][9]=AND&time[1][0]=+&time[1][1]=<%3D&time[1][2]=".gmdate("m",$tref)."&time[1][3]=".gmdate("d",$tref)."&time[1][4]=".gmdate("Y",$tref)."&time[1][5]=".gmdate("H",$tref)."&time[1][6]=59&time[1][7]=59&time[1][8]=+&time[1][9]=+&submit=Query+DB&num_result_rows=-1&time_cnt=2&sort_order=time_d&hmenu=Forensics&smenu=Forensics", 'analysis', 'security_events');
			
			$key = preg_replace('/^0/', '', gmdate("H",$tref) . 'h');
			
			$links[$key] = $link;
		}    
		
		$siem_url    = $links;
		
		$colors      = "'#444444'";
		
		//部件为空时的消息。
		$nodata_text = "No data available yet";
		
		break;

//最后调用处理程序来绘制适当的小部件,即:任何类型的图表、tag_cloud 等…

require 'handler.php';



4、Overview源码分析

index.php 主要为 php 代码,带有少部分 HTML 代码,主要实现当前菜单的基本内容的获取、权限判断等功能。

//引用文件

require_once 'av_init.php';

//检查是否有权限获取当前菜单

Session::logcheck("dashboard-menu", "ControlPanelExecutive");

//获取当前用户信息

$login = Session::get_session_user();
$pro   = Session::is_pro();

//获取默认选项卡

/*如果用户session里面存储了默认选项卡,直接赋值给default_tab*/
if (!empty($_SESSION['default_tab']))
{
     
    $default_tab = $_SESSION['default_tab'];
}
/*如果没有设置默认选项卡,新建用户配置,存储默认配置*/
else
{
     
    $config_aux  = new User_config($conn);
    $default_tab = $config_aux->get($login, 'panel_default', 'simple', "main");
    $default_tab = ($default_tab > 0) ? $default_tab : 1;

    //把选项卡保存在session中
    $_SESSION['default_tab'] = $default_tab;
}

//获取当前 panel

$panel_id = $default_tab;
//判断是否为空
if (GET('panel_id') != "")
{
     
    $panel_id = GET('panel_id');
}
elseif ($_SESSION['_db_panel_selected'] != "")
{
     
    $panel_id = $_SESSION['_db_panel_selected'];
}

//获取选项卡列表

$tab_list = Dashboard_tab::get_tabs_by_user($login, $edit);

//判断选项卡列表是否为空

if (empty($tab_list))
{
     
    //tab_list为空
    $config_nt = array(
        'content' => _('No tabs have been found').".",
        'options' => array (
            'type'          => 'nf_warning',
            'cancel_button' => ''
        ),
        //前端css代码
        'style'   => ' margin:25px auto 0 auto;text-align:center;padding:3px 30px;'
    ); 
    
    $nt = new Notification('nt_panel', $config_nt);
    $nt->show();

    die(); 
}

tabs.php 为 HTML+php 代码,主要实现选项卡的增加、删除、排序等选项卡相关操作的前端代码

+




上一篇(架构分析):OSSIM开源安全信息管理系统(三)
下一篇(代码分析):

你可能感兴趣的:(2021SC@SDUSC,web安全,安全,网络,运维,OSSIM)