#!/usr/bin/php
<?php
# Cancerbero Plugin: compare_with_last_scan ver.1
# Plugin data.
# Plugin data: name/description/version are registered with
# insert_new_plugin() when the script is run without a scan id.
$plugin_name = "Compare with last scan";
$description = "Compare last 2 scans of a host looking for changes.";
$version = "1";
# Alerts this plugin can raise: alert name => array(severity, default state).
# The insertion order below is kept, so it is also the registration order.
$alerts = array();
$alerts["Service Change"]      = array("Critical", "on");
$alerts["Product Change"]      = array("Medium", "on");
$alerts["Extra Info Change"]   = array("Soft", "off");
$alerts["Port Version Change"] = array("Soft", "off");
$alerts["Service Added"]       = array("Critical", "on");
$alerts["Service Deleted"]     = array("Critical", "on");
$alerts["Os Change"]           = array("Soft", "off");
$alerts["Os Generation Change"] = array("Soft", "off");
$alerts["New Host"]            = array("Medium", "on");
# Include functions
include_once(dirname(__FILE__) ."/../include/dbconnect.php");
include_once(dirname(__FILE__) ."/../include/functions_plugins.php");
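if (!isset ($argv[1])) {
    # No scan id given: register the plugin and its alerts, then stop.
    insert_new_plugin ($plugin_name, $description, $alerts, $version);
    exit;
}
# scan_rec_id (argument supplied).  It comes straight from the command line
# and is interpolated unquoted into SQL below, so force it to an integer:
# the mysql_* API used by this plugin has no placeholders.
$scan = (int) $argv[1];
$host_id_query = mysql_query("SELECT scans.host_id, ip, hostname FROM scans,hosts WHERE scan_rec_id = $scan and scans.host_id = hosts.host_id") or die ('Querry failed1: ' . mysql_error());
# Resolve the host behind the scan (last row wins if several come back).
$host_found = false;
$host_id = 0;
$ip = '';
$hostname = '';
while ($host = mysql_fetch_row($host_id_query)){
    $host_found = true;
    $host_id = $host[0];
    $ip = $host[1];
    $hostname = $host[2];
}
if (!$host_found) {
    # Without a host there is nothing to compare; stop before the later
    # queries are built with empty values.
    echo "Scan $scan not found.\n";
    exit;
}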
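function compare_portscans ($last_scan_id, $old_scan_id) {
    # Compare the port tables of two scans of the same host and build the
    # per-port alerts describing what changed between them.
    #
    # Parameters:
    #   $last_scan_id - scan_rec_id of the newer scan
    #   $old_scan_id  - scan_rec_id of the scan it is compared against
    # Returns array($changes, $alerts_found): the number of alerts raised and
    # the alerts keyed as [" port "][alert name] => array(text, old, new),
    # in the shape insert_alerts() expects.  Only alerts enabled through
    # check_active_alert() are raised.  Dies on a failed query, like the rest
    # of this plugin.
    #
    # Both ids are interpolated unquoted into SQL; force them to integers
    # because the mysql_* API offers no placeholders.
    $last_scan_id = (int) $last_scan_id;
    $old_scan_id = (int) $old_scan_id;
    $changes = 0;
    $alerts_found = array();
    $result_old_scan = mysql_query("SELECT port, service, product, extra_info, port_version from ports where scan_rec_id = $old_scan_id ORDER BY `port` ASC") or die ('Querry failed1: ' . mysql_error());
    $result_last_scan = mysql_query("SELECT port, service, product, extra_info, port_version from ports where scan_rec_id = $last_scan_id ORDER BY `port` ASC") or die ('Querry failed2: ' . mysql_error());
    # Read each result once into a port => row map instead of re-seeking the
    # result set for every port (this also avoids mysql_data_seek() warnings
    # on an empty result).  If a port appears twice in one scan the first row
    # wins, as the original first-match loop did.
    $old_ports = array();
    while ($row = mysql_fetch_array($result_old_scan, MYSQL_ASSOC)) {
        if (!isset($old_ports[$row['port']])) {
            $old_ports[$row['port']] = $row;
        }
    }
    $last_ports = array();
    while ($row = mysql_fetch_array($result_last_scan, MYSQL_ASSOC)) {
        if (!isset($last_ports[$row['port']])) {
            $last_ports[$row['port']] = $row;
        }
    }
    # Every port seen in either scan, ascending.
    $all_ports = array_unique(array_merge(array_keys($old_ports), array_keys($last_ports)));
    sort($all_ports);
    # Field checks for a port present in both scans, in priority order: only
    # the first differing field whose alert is enabled is reported per port.
    # A differing field whose alert is disabled does not stop the search.
    $field_alerts = array(
        array('service',      'Service Change',      'service change:'),
        array('product',      'Product Change',      'product change:'),
        array('extra_info',   'Extra Info Change',   'extra_info change:'),
        array('port_version', 'Port Version Change', 'port_version change:'),
    );
    foreach ($all_ports as $port) {
        # Keys are padded with spaces so they stay string keys (see the
        # array_merge in compare_scans).
        $key = " $port ";
        $in_old = isset($old_ports[$port]);
        $in_last = isset($last_ports[$port]);
        if ($in_old && $in_last) {
            $old_scan = $old_ports[$port];
            $last_scan = $last_ports[$port];
            # Strict comparison: with == the numeric strings "1.0" and "1.00"
            # would count as equal and a real version change would be lost.
            if ($old_scan === $last_scan) {
                #no change
                continue;
            }
            foreach ($field_alerts as $field_alert) {
                list($field, $alert_name, $label) = $field_alert;
                if (strcmp($last_scan[$field], $old_scan[$field]) == 0) {
                    continue;
                }
                if (check_active_alert($alert_name)) {
                    $alerts_found[$key][$alert_name] = array ("Port $last_scan[port]## $label", "($old_scan[$field])", "($last_scan[$field])");
                    $changes++;
                    break;
                }
            }
        } elseif ($in_last) {
            # Port only in the newer scan.
            $last_scan = $last_ports[$port];
            if (check_active_alert('Service Added')){
                $alerts_found[$key]["Service Added"] = array ("New service: port $last_scan[port], $last_scan[service], $last_scan[product], $last_scan[extra_info], $last_scan[port_version]","NONE","($last_scan[port])");
                $changes++;
            }
        } else {
            # Port only in the older scan.
            $old_scan = $old_ports[$port];
            if (check_active_alert('Service Deleted')){
                $alerts_found[$key]["Service Deleted"] = array ("Service deleted: port $old_scan[port], $old_scan[service], $old_scan[product], $old_scan[extra_info], $old_scan[port_version]","($old_scan[port])","NONE");
                $changes++;
            }
        }
    }
    return array ($changes,$alerts_found);
}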
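function compare_scans ($host_id,$scan,$hostname) {
    # Compare scan $scan of host $host_id with the host's previous scan and
    # collect alerts for the differences: OS guess, OS generation and, via
    # compare_portscans(), every per-port change.
    #
    # Parameters:
    #   $host_id  - hosts.host_id of the scanned host
    #   $scan     - scan_rec_id of the scan to evaluate
    #   $hostname - host name, only used in the "New Host" alert text
    # Returns array($last_scan_id, $old_scan_id, $changes, $alerts_found).
    # When $scan is the host's first scan there is nothing to diff against:
    # the "New Host" alert (if enabled) is inserted here directly and both
    # ids are returned as 0 so the caller skips its own insert.  The same
    # all-zero result is returned when the scan or its predecessor cannot be
    # found, instead of running later queries with empty ids.  Dies on a
    # failed query, like the rest of this plugin.
    #
    # Ids are interpolated unquoted into SQL; force them to integers because
    # the mysql_* API offers no placeholders.
    $host_id = (int) $host_id;
    $scan = (int) $scan;
    $nothing = array (0, 0, 0, array());
    $os_alerts_found = array();
    $changes = 0;
    #Take the host_id and execute the query.
    $last_scan_query = mysql_query("SELECT scan_rec_id,open_ports,os_guessed,os_gen FROM scans WHERE host_id = $host_id AND scan_rec_id = $scan ORDER BY d_scan") or die ('Querry failed: ' . mysql_error());
    #Store the last scan
    $last_scan = mysql_fetch_assoc($last_scan_query);
    if (!$last_scan) {
        return $nothing;
    }
    # All scans of this host, oldest first; the previous scan is the entry
    # just before $scan in this list.
    $query_scans_done = mysql_query("SELECT scan_rec_id FROM scans WHERE host_id = $host_id ORDER BY scan_rec_id ASC") or die ('Querry failed: ' . mysql_error());
    $scan_ids = array();
    while ($scan_id_array = mysql_fetch_array($query_scans_done)) {
        $scan_ids[] = (int) $scan_id_array[0];
    }
    $position = array_search($scan, $scan_ids, true);
    if ($position === false) {
        return $nothing;
    }
    if ($position === 0) {
        # First scan of this host: report it as a new host (when enabled).
        # The alert is inserted here because the caller only inserts when a
        # non-zero last scan id comes back.
        if (check_active_alert('New Host')){
            $alerts_found = array();
            $alerts_found[" 65536 "]["New Host"] = array ("","","New host found alive:","","$hostname");
            insert_alerts($last_scan['scan_rec_id'], $alerts_found, 0);
            return array (0, 0, 1, $alerts_found);
        }
        return $nothing;
    }
    $old_scan_id = $scan_ids[$position - 1];
    $old_scan_query = mysql_query("SELECT scan_rec_id,open_ports,os_guessed,os_gen FROM scans WHERE host_id = $host_id AND scan_rec_id = $old_scan_id ORDER BY d_scan") or die ('Querry failed: ' . mysql_error());
    #Store the old scan
    $old_scan = mysql_fetch_assoc($old_scan_query);
    if (!$old_scan) {
        return $nothing;
    }
    # OS guess first; the OS generation is only checked when the guess itself
    # is unchanged.
    if ( strcmp($last_scan['os_guessed'], $old_scan['os_guessed']) ){
        if (check_active_alert('Os Change')){
            $os_alerts_found[" 65536 "]["Os Change"] = array ("OS guessed change:","$old_scan[os_guessed]","$last_scan[os_guessed]");
            $changes++;
        }
    } elseif ( strcmp($last_scan['os_gen'], $old_scan['os_gen']) ){
        if (check_active_alert('Os Generation Change')){
            $os_alerts_found[" 65536 "]["Os Generation Change"] = array ("OS generation change:","$old_scan[os_gen]","$last_scan[os_gen]");
            $changes++;
        }
    }
    list($port_changes,$port_alerts_found) = compare_portscans($last_scan['scan_rec_id'],$old_scan['scan_rec_id']);
    $changes = $changes + $port_changes;
    if ($changes > 0) {
        echo "$changes Changes detected.\n";
    }
    # Alert keys are space-padded strings (" 65536 ", " 80 "), so array_merge
    # keeps them; with plain integer keys it would renumber them.
    $alerts_found = array_merge($os_alerts_found,$port_alerts_found);
    return array ($last_scan['scan_rec_id'],$old_scan['scan_rec_id'],$changes, $alerts_found);
}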
# Run the comparison for the requested scan and store whatever it found.
echo "Processing alert plugins for Host: Host: $hostname($ip)\n";
$comparison = compare_scans($host_id,$scan,$hostname);
list($last_scan_id,$old_scan_id,$changes,$alerts_found) = $comparison;
# A zero last-scan id means compare_scans() already dealt with the scan
# itself (first scan of a new host), so there is nothing left to insert.
if ($last_scan_id != 0 && $alerts_found) {
    insert_alerts($last_scan_id, $alerts_found, $old_scan_id);
}
# Mail notification is currently disabled:
#   $alerts_to_mail = check_send_alert($last_scan_id, $alerts_found);
#   if ($alerts_to_mail) {
#       send_mails($last_scan_id,$old_scan_id,$alerts_to_mail,$hostname,$ip);
#   }
?>