errors in results returned

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
primate
Forum Commoner
Posts: 49
Joined: Fri Jun 18, 2004 4:38 am
Location: England, UK

errors in results returned

Post by primate »

The script below is basically me trying to do my first useful application of php.

I'm trying to parse syslog entries in an MS SQL database that look like the following:

"%PIX-4-106023: Deny udp src outside:213.249.135.9/137 dst inside:x.x.x.x/137 by access-group "acl_out""

where x.x.x.x is a public IP address in the subnet of the PIX.

The time, date etc. is also stored in separate columns of the database.

The first stage of the script is designed to look for IP addresses attempting to make a connection to one of our IP addresses - ie. to look for port-scanning attempts. The script then feeds results into an array which is counted and ordered by the IP which has occured the most.

The problem I am having is that seemingly at random I am getting a result that relates to one of our IP addresses that I haven't selected to look for. (ie one of the IP addresses that would be in the $_SESSION['IPs'] array but shouldn't be in this case because the tick box on the form wasn't selected).

I know it must be something I have done wrong but I just can't see what it is.

I know there is quite a lot of code below, but any help would be appreciated:

Code: Select all

<?php

ob_start()

//error handling.

ini_set ('display_errors', 1);
error_reporting (E_ALL & E_NOTICE);

//Code to handle date formatting omitted

//Date format converted

//Check which sites and IP's we are interested in then create an array of the inside IPs

if (isset ($_POST['JDH'])){
	
	$JDHIPs = array ('123.456.789.123', '123.456.789.123', '123.456.789.123');
	print_r ($JDHIPs);
	} else {
	
	$JDHIPs = NULL;
	
	}
	
if (isset ($_POST['College'])) {
	
	$CollegeIPs = array ('123.456.789.123', '123.456.789.123', '123.456.789.123', '194.83.245.180');
	print_r ($CollegeIPs);
	} else {
	
	$CollegeIPs = NULL;
	
	}
	
if (isset ($_POST['$Arts'])) {

	$ArtsIPs = array ('123.456.789.123', '123.456.789.123', '123.456.789.123');
	print_r ($ArtsIPs);
	} else {
	
	$ArtsIPs = NULL;
	
	}
	
$_SESSION['IPs'] = array_merge($JDHIPs, $CollegeIPs, $ArtsIPs);
print_r ($_SESSION['IPs']);	

print_r ($_POST);

$insideIP=NULL;

$message_ids = array('%PIX-3-106014', '%PIX-4-106023');



//begin SQL and Syslog parsing script


if ($sql = @mssql_connect("172.31.100.7","xxx", "xxx")) 
		{

			print '<p>Successfully connected to MSSQL.</p>';
			
		if ($sql=@mssql_select_db('syslog'))
		
			{
				print '<p>Succesfully selected syslog database.</p>';
				
			} else {
						
					print '<p>Failed to select syslog database:' . mssql_get_last_message . '</p>';
						
					}
		
			
		} else {
				
				die ('<p>Could not connect to MSSQL:' . mssql_get_last_message() .'</p>');

}


$query = "SELECT MsgText FROM syslog.PIXStats WHERE (MsgDate BETWEEN '{$_SESSION['date1']}' AND '{$_SESSION['date2']}')";


$n=0; //set the index for the sourceIPs array below

if ($results = mssql_query ($query)) //check that the query will work and run it

{ 

	while ($array = mssql_fetch_array($results)){
	
		print "{$array['MsgText']}<br />";
									
							/*The code below checks for port scanning or ICMP requests then feeds this into 
							an array which is then parsed to provide an indication of who is the 
							most prevalent scanner etc. This works for syslog messages where the inside IP 
							is prefixed with "inside:" and the outside by "outside:" and the port number, if present
							is prefixed by the IP then "/" */
																			
foreach ($message_ids as $key1 => $message_id) { //loop through each message ID we're interested in
	if (eregi ($message_id, $array['MsgText'])){			
						
	$data1 = strtok ($array['MsgText'], " ");  //tokenise string
	while ($data1) {
								
		if (eregi ('inside:', $data1)) {   //look for tokens relating to inside IP's
										
			$stripinside = substr($data1, 7);  //delete inside: from string
			if (eregi ('/', $stripinside)) { 
		 
				$length2 = strlen($stripinside);      		
				$position2 = strpos ($stripinside, '/');  //look for occurence of the "/" before the port number
				$needle2 = $length2-$position2;   
				$insideIP = substr($stripinside, 0, -$needle2); //get IP and remove port number
				
				//print "inside IP = $insideIP<br />";																																						
											} else {
													
				$insideIP = $stripinside;
				//print "inside IP = $insideIP<br />";
													}
											}
																				
		foreach ($_SESSION['IPs'] as $key2 => $IP) {   //loop through the IPs selected above and create a string from each
											
			if ($insideIP == $IP) {  //if the IP in MsgText matches an IP from range selected
									 //above then get source IP of attack
				if (eregi ('outside:', $data1)) {   //search for token corresponding to source IP
									
					$stripoutside = substr($data1, ;  //delete "outside:" from the string
										
						if (eregi ('/', $stripoutside)) {  //remove source port number  by checking for occurence of '/'
											
							$length1 = strlen ($stripoutside);	//calculate length of string										
							$position1 = strpos ($stripoutside, '/');  //find occurence of '/'
							$needle1 = $length1-$position1;			//get -ve number to count back from
							$sourceIP = substr($stripoutside, 0, -$needle1); //display from 0 to occurence of '/'
							//print "<tr><td>$sourceIP</td>";	
							if (isset ($sourceIPs)){
													
								$sourceIPs[$n]=$sourceIP;		//check to see if array exists
								$n++;							//if it does add stuff to it
													
													} else {
																			//if not create it
								$sourceIPs = array($n =>$sourceIP);						
								$n++;
													}
														
	    							} else {
	
	if (isset($_POST['include_icmp'])) { 
/*include ICMP requests */										
							$sourceIP = $stripoutside;
							print "<tr><td>$sourceIP</td>";
							if (isset ($sourceIPs)){
													
								$sourceIPs[$n]=$sourceIP;		
								$n++;
																				
													} else {
																			
								$sourceIPs = array($n =>$sourceIP);						
								$n++;
													}
													
														
														} 
													}
								
												}
												
												}
								
												} 
								$data1 = strtok (" ");
						}
					}
				}		
	}
				
	} else { //query didn't run
	
			die ('<p>Could not retrieve the data because: <b>' . mssql_get_last_message() . '</p>');
			
}

print '<p><table width="50%" border="4" bordercolor="#FF6633" cellspacing="0" cellpadding="2" align="centre">
		<tr><td align="center">Source IP</td><td align="center">No. of connection attempts</td></tr>';
		
$sortedIPs = array_count_values($sourceIPs);
natsort($sortedIPs);
$rsortedIPs = array_reverse($sortedIPs);
foreach ($rsortedIPs as $key3 => $rsortedIP) {
	print "<tr><td><a href="mssqlconnect4.php?ip=$key3" target="_blank">$key3</a></td><td>$rsortedIP</td></tr>";
	}
reset($sortedIPs);

mssql_close();
		
print '</table></p>';

} else { 							//display the form

.........form stuff



?>
Post Reply