#!/usr/bin/php
<?php

# Cancerbero Plugin: compare_with_last_scan ver.1

# Plugin metadata handed to insert_new_plugin() when the script runs without arguments.
$plugin_name = 'Compare with last scan';
$description = 'Compare last 2 scans of a host looking for changes.';
$version = '1';

# Alert name => array(severity label, "on"/"off" switch).
$alerts = array(
	'Service Change'       => array('Critical', 'on'),
	'Product Change'       => array('Medium', 'on'),
	'Extra Info Change'    => array('Soft', 'off'),
	'Port Version Change'  => array('Soft', 'off'),
	'Service Added'        => array('Critical', 'on'),
	'Service Deleted'      => array('Critical', 'on'),
	'Os Change'            => array('Soft', 'off'),
	'Os Generation Change' => array('Soft', 'off'),
	'New Host'             => array('Medium', 'on'),
);

# Include functions
include_once(dirname(__FILE__) ."/../include/dbconnect.php");
include_once(dirname(__FILE__) ."/../include/functions_plugins.php");


# No scan id on the command line: pass the plugin metadata to
# insert_new_plugin() and stop without comparing anything.
$has_scan_argument = isset($argv[1]);
if ($has_scan_argument === false) {
	insert_new_plugin($plugin_name, $description, $alerts, $version);
	exit;
}

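# scan_rec_id (argument supplied)
$scan = $argv[1];

# $scan is written straight into the SQL text below and the mysql_* API used
# here has no prepared statements, so accept nothing but a plain run of
# decimal digits before any query is built.
if (!ctype_digit((string) $scan)) {
	echo "Invalid scan_rec_id argument: expected digits only.\n";
	exit(1);
}

# Look up the host the scan belongs to. The variables are initialised first so
# a scan id that matches no row is reported instead of leaving them undefined.
$host_id = null;
$ip = null;
$hostname = null;
$host_found = false;

$host_id_query = mysql_query("SELECT scans.host_id, ip, hostname FROM scans,hosts WHERE scan_rec_id = $scan and scans.host_id = hosts.host_id") or die ('Querry failed1: ' . mysql_error());
while ($host = mysql_fetch_row($host_id_query)){
	$host_id = $host[0];
	$ip = $host[1];
	$hostname = $host[2];
	$host_found = true;
}

if (!$host_found) {
	echo "No host found for scan_rec_id $scan.\n";
	exit(1);
}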

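# Compare the port rows of two scans and collect the alerts for every port that differs.
#
# A port present in both scans raises at most one alert: the fields service,
# product, extra_info and port_version are checked in that order and the first
# differing field whose alert check_active_alert() accepts is recorded.
# A port found only in the last scan raises "Service Added"; a port found only
# in the old scan raises "Service Deleted".
#
# Parameters:
#   $last_scan_id  scan_rec_id of the newer scan
#   $old_scan_id   scan_rec_id of the scan it is compared against
# Returns:
#   array($changes, $alerts_found) - number of alerts recorded, and the alerts
#   keyed by " <port> " and then by alert name.
function compare_portscans ($last_scan_id, $old_scan_id) {

	# Both ids are interpolated into SQL text below (the mysql_* API has no
	# prepared statements), so refuse anything that is not a run of digits.
	# A missing id also stops here rather than producing a malformed query.
	if (!ctype_digit((string) $last_scan_id) || !ctype_digit((string) $old_scan_id)) {
		die('compare_portscans: scan ids must be numeric');
	}

	$changes = 0;
	$alerts_found = array();
	$array_port = array();
	$old_rows = array();
	$last_rows = array();
	$result_old_scan = mysql_query("SELECT port, service, product, extra_info, port_version from ports where scan_rec_id = $old_scan_id  ORDER BY `port` ASC") or die ('Querry failed1: ' . mysql_error());
	$result_last_scan = mysql_query("SELECT port, service, product, extra_info, port_version from ports where scan_rec_id = $last_scan_id  ORDER BY `port` ASC") or die ('Querry failed2: ' . mysql_error());

	# Read each result set once, remembering the first row seen for every port,
	# instead of rewinding and rescanning both sets for each port.
	while ($row = mysql_fetch_array($result_old_scan, MYSQL_ASSOC)) {
		$array_port[] = $row['port'];
		if (!isset($old_rows[$row['port']])) {
			$old_rows[$row['port']] = $row;
		}
	}
	while ($row = mysql_fetch_array($result_last_scan, MYSQL_ASSOC)) {
		$array_port[] = $row['port'];
		if (!isset($last_rows[$row['port']])) {
			$last_rows[$row['port']] = $row;
		}
	}
	$array_ports = array_unique($array_port);
	sort($array_ports);

	# Field => alert name, in the priority order used for ports seen in both scans.
	$field_alerts = array(
		'service'      => 'Service Change',
		'product'      => 'Product Change',
		'extra_info'   => 'Extra Info Change',
		'port_version' => 'Port Version Change',
	);

	foreach ($array_ports as $port) {
		$old_scan = isset($old_rows[$port]) ? $old_rows[$port] : null;
		$last_scan = isset($last_rows[$port]) ? $last_rows[$port] : null;

		if ($old_scan !== null && $last_scan !== null) {
			# Strict comparison on purpose: with == two numeric-looking strings
			# such as "1.0" and "1.00" compare equal, so a changed banner or
			# version could be skipped without any alert.
			if ($old_scan === $last_scan) {
				#no change
				continue;
			}

			foreach ($field_alerts as $field => $alert_name) {
				if (strcmp((string) $last_scan[$field], (string) $old_scan[$field]) !== 0 && check_active_alert($alert_name)) {
					$alerts_found[" $port "][$alert_name] = array ("Port {$last_scan['port']}## $field change:","({$old_scan[$field]})","({$last_scan[$field]})");
					$changes++;
					# Only one alert per port; lower-priority fields are not checked.
					break;
				}
			}
		} elseif ($last_scan !== null) {
			if (check_active_alert('Service Added')){
				$alerts_found[" $port "]["Service Added"] = array ("New service: port {$last_scan['port']}, {$last_scan['service']}, {$last_scan['product']}, {$last_scan['extra_info']}, {$last_scan['port_version']}","NONE","({$last_scan['port']})");
				$changes++;
			}
		} elseif ($old_scan !== null) {
			if (check_active_alert('Service Deleted')){
				$alerts_found[" $port "]["Service Deleted"] = array ("Service deleted: port {$old_scan['port']}, {$old_scan['service']}, {$old_scan['product']}, {$old_scan['extra_info']}, {$old_scan['port_version']}","({$old_scan['port']})","NONE");
				$changes++;
			}
		}
	}

	return array ($changes,$alerts_found);
}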

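# Compare one scan of a host with the scan recorded just before it.
#
# When the given scan is the host's first one and the "New Host" alert is
# active, that alert is inserted here and the function returns immediately.
# Otherwise the OS guess / OS generation of both scans are compared, the port
# comparison is delegated to compare_portscans(), and the alerts are returned
# for the caller to insert.
#
# Parameters:
#   $host_id   id of the host the scan belongs to
#   $scan      scan_rec_id of the scan to evaluate
#   $hostname  host name placed in the "New Host" alert
# Returns:
#   array($last_scan_id, $old_scan_id, $changes, $alerts_found); both ids are 0
#   when there is nothing to compare against.
function compare_scans ($host_id,$scan,$hostname) {
	# Both values are interpolated into SQL text below (the mysql_* API has no
	# prepared statements), so refuse anything that is not a run of digits.
	if (!ctype_digit((string) $host_id) || !ctype_digit((string) $scan)) {
		die('compare_scans: host_id and scan must be numeric');
	}

	$alerts_found = array();
	$os_alerts_found = array();
	$port_alerts_found = array();
	$changes = 0;

	#Take the host_id and execute the query.
	$last_scan_query = mysql_query("SELECT scan_rec_id,open_ports,os_guessed,os_gen FROM scans WHERE host_id = $host_id AND scan_rec_id = $scan ORDER BY d_scan") or die ('Querry failed: ' . mysql_error());
	#Store the last scan
	$last_scan = mysql_fetch_assoc($last_scan_query);

	# Walk the host's scans in id order to find the one that precedes $scan.
	$query_scans_done = mysql_query("SELECT scan_rec_id FROM scans WHERE host_id = $host_id ORDER BY scan_rec_id ASC") or die ('Querry failed: ' . mysql_error());
	$old_scan_id = 0;
	$num_scans = 0;
	while ( $scan_id_array = mysql_fetch_array($query_scans_done)) {
		$scan_id = $scan_id_array[0];
		if ($scan_id == $scan) {
			if ($num_scans == 0) {
				# First scan recorded for this host.
				if (check_active_alert('New Host')){
					$alerts_found[" 65536 "]["New Host"] = array ("","","New host found alive:","","$hostname");
					insert_alerts($last_scan['scan_rec_id'], $alerts_found, 0);
					return array (0,0,0, $alerts_found);
				}
			} else {
				# Step back one row to read the id of the preceding scan.
				mysql_data_seek($query_scans_done, $num_scans-1);
				list($old_scan_id) = mysql_fetch_array($query_scans_done);
			}
			break;
		}

		$num_scans++;
	}

	# No earlier scan (first scan with "New Host" switched off, or $scan not
	# found for this host): there is nothing to compare. Previously this path
	# went on to build the port query with an empty scan id and died there.
	if (!$last_scan || !$old_scan_id) {
		return array (0,0,0,array());
	}

	$old_scan_query = mysql_query("SELECT scan_rec_id,open_ports,os_guessed,os_gen FROM scans WHERE host_id = $host_id AND scan_rec_id = $old_scan_id ORDER BY d_scan") or die ('Querry failed: ' . mysql_error());
	#Store the old scan
	$old_scan = mysql_fetch_assoc($old_scan_query);

	# OS generation is only looked at when the OS guess itself is unchanged.
	if ( strcmp((string) $last_scan['os_guessed'], (string) $old_scan['os_guessed']) !== 0 ){
		if (check_active_alert('Os Change')){
			$os_alerts_found[" 65536 "]["Os Change"] = array ("OS guessed change:","$old_scan[os_guessed]","$last_scan[os_guessed]");
			$changes++;
		}
	} elseif ( strcmp((string) $last_scan['os_gen'], (string) $old_scan['os_gen']) !== 0 ){
		if (check_active_alert('Os Generation Change')){
			$os_alerts_found[" 65536 "]["Os Generation Change"] = array ("OS generation change:","$old_scan[os_gen]","$last_scan[os_gen]");
			$changes++;
		}
	}

	list($port_changes,$port_alerts_found) =  compare_portscans($last_scan['scan_rec_id'],$old_scan['scan_rec_id']);

	$changes = $changes + $port_changes;

	if ($changes > 0) {
		echo "$changes Changes detected.\n";
	}

	$alerts_found = array_merge($os_alerts_found,$port_alerts_found);

	return array ($last_scan['scan_rec_id'],$old_scan['scan_rec_id'],$changes, $alerts_found);

}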


# Announce the host, then compare the requested scan with the one before it.
echo "Processing alert plugins for Host: Host: $hostname($ip)\n";

list($last_scan_id, $old_scan_id, $changes, $alerts_found) = compare_scans($host_id, $scan, $hostname);

# A last scan id of 0 means compare_scans() had nothing left for this script to
# store; otherwise any alerts it returned are written with insert_alerts().
if ($last_scan_id != 0 && $alerts_found) {
	insert_alerts($last_scan_id, $alerts_found, $old_scan_id);
}

# Mail notification is switched off in this version: the calls to
# check_send_alert() and send_mails() that used to follow are not made.

?>