Vous êtes sur la page 1sur 9

Websense SQL Queries

David Buyer
June 2009
Be281@bfn.org

Introduction
The SQL queries that are listed here I have been using for a number of years now. I use them almost exclusively
as an alternative to the Websense Explorer and Reporter which are limited. Hope you can get some use out of
them.
These queries were written and used with a bunch of different versions of Websense Enterprise. They havent
modified their database in awhile so these should still work until they decide to modify it. They work in a
Microsoft SQL Server 2000 and 2005. That said, if you want to see what Websense Explorer is doing then in
order to see some of the queries that Websense uses you can set the value "&gubed=1" (without the quotes) in
the Websense Exporter after running a report to get all the debug and SQL info. It should be appended to the
end of the URL and takes some practice to get it right. You also have to filter out all the extra "stuff" from the
code to actually get something you can build on. The Websense database is not too complex but complex
enough that it will take some work to understand and be able to code queries for. Just take your time and start
hacking at it. If you come up with some other useful queries please let me know and I'll add them to this doc
and give you credit.

Code 1
/*Websense uses the number of unique IP addresses within a 24 hour period for its license count. Run this for a
24 hour period to check on that count. If you have been getting those pesky "exceeded license count" emails
then run this to see how many licenses you will need to purchase. You can also use their ConsoleClient but this
query is a more accurate measure.*/
SELECT COUNT (DISTINCT SOURCE_IP) AS IPs
FROM INCOMING_VIEW
--set start and end dates here
WHERE (DATE_TIME > {d 'YYYY-MM-DD'}) AND (DATE_TIME < {d 'YYYY-MM-DD'})

Code 2
/*The Websense Explorer and Reporter are "ok" tools if you need to run a one user report but if you need to run
a report on multiple users then it simply can't do it. Sure you could run multiple reports for each user but there
just isnt enough time in the day. Use this query to run a report on multiple user names. If you only have one
user you can still use this query. Just change the "in" parameter to "=" where noted*/
SELECT INCOMING.DATE_TIME as 'Date and Time',
USER_NAMES.USER_FULL_NAME as 'Full Name',
USER_NAMES.USER_LOGIN_NAME as 'Login ID',
PROTOCOLS.NAME as 'Protocol',
INCOMING.PORT as 'Port',
INCOMING.FULL_URL as 'URL',
CATEGORY.NAME as 'Category'
FROM
INCOMING (NOLOCK),
USER_NAMES (NOLOCK),
PROTOCOLS (NOLOCK),
CATEGORY (NOLOCK)
WHERE
INCOMING.USER_ID = USER_NAMES.USER_ID
AND
INCOMING.PROTOCOL_ID = PROTOCOLS.ID
AND
INCOMING.CATEGORY = CATEGORY.CATEGORY
AND
--insert the user ids here
--if using just one user then use the equal sign instead of the 'in' parameter
USER_NAMES.USER_LOGIN_NAME in (
'user1',
'user2',
'user3'
)
AND
--set start date here
INCOMING.date_time BETWEEN convert (datetime, 'YYYY-MM-DD 00:00:00', 120)
AND
--set end date here
convert (datetime, 'YYYY-MM-DD 23:59:59', 120)
ORDER BY
USER_NAMES.USER_FULL_NAME ASC,
convert (varchar(10),INCOMING.date_time, 120) ASC,
convert (varchar(10),INCOMING.date_time, 108) ASC

Code 3
/*This query is similar to the multiple users query but instead of multiple users it queries on multiple SOURCE
IP addresses. Again, the Explorer and Reporter are good for single items but can't run reports on multiple
sources. Use this query for this purpose. If you only have one IP you can still use this query. Just change the
"in" parameter to "=" where noted*/
SELECT INCOMING.DATE_TIME as 'Date and Time',
dbo.IntToIp(INCOMING.SOURCE_IP_INT) as 'IP Address',
USER_NAMES.USER_FULL_NAME as 'Full Name',
USER_NAMES.USER_LOGIN_NAME as 'Login ID',
PROTOCOLS.NAME as 'Protocol',
INCOMING.PORT as 'Port',
INCOMING.FULL_URL as 'URL',
CATEGORY.NAME as 'Category',
DISPOSITION.DESCRIPTION as 'Disposition'
FROM
INCOMING (NOLOCK),
USER_NAMES (NOLOCK),
PROTOCOLS (NOLOCK),
CATEGORY (NOLOCK),
DISPOSITION (NOLOCK)
WHERE
INCOMING.USER_ID = USER_NAMES.USER_ID
AND
INCOMING.PROTOCOL_ID = PROTOCOLS.ID
AND
INCOMING.CATEGORY = CATEGORY.CATEGORY
AND
INCOMING.DISPOSITION_CODE = DISPOSITION.DISPOSITION_CODE
AND
--insert the ints of the IP here
--if using just one IP then use the equal sign instead of the 'in' parameter
INCOMING.SOURCE_IP_INT in (
'128564845',
'138564845',
'148503534'
)
AND
--set start date here
INCOMING.date_time BETWEEN convert (datetime, 'YYYY-MM-DD 00:00:00', 120)
AND
--set end date here
convert (datetime, 'YYYY-MM-DD 23:59:59', 120)
ORDER BY
dbo.IntToIp(INCOMING.SOURCE_IP_INT) ASC,
USER_NAMES.USER_FULL_NAME ASC,
convert (varchar(10),INCOMING.date_time, 120) ASC,
convert (varchar(10),INCOMING.date_time, 108) ASC

Code 4
/*This query is again similar to the multiple users query but instead of multiple users it queries on multiple
DESTINATION IP addresses. If you only have one IP you can still use this query. Just change the "in"
parameter to "=" where noted*/
SELECT INCOMING.DATE_TIME as 'Date and Time',
dbo.IntToIp(INCOMING.SOURCE_IP_INT) as 'IP Address',
USER_NAMES.USER_FULL_NAME as 'Full Name',
USER_NAMES.USER_LOGIN_NAME as 'Login ID',
PROTOCOLS.NAME as 'Protocol',
INCOMING.PORT as 'Port',
INCOMING.FULL_URL as 'URL',
CATEGORY.NAME as 'Category',
DISPOSITION.DESCRIPTION as 'Disposition'
FROM
INCOMING (NOLOCK),
USER_NAMES (NOLOCK),
PROTOCOLS (NOLOCK),
CATEGORY (NOLOCK),
DISPOSITION (NOLOCK)
WHERE
INCOMING.USER_ID = USER_NAMES.USER_ID
AND
INCOMING.PROTOCOL_ID = PROTOCOLS.ID
AND
INCOMING.CATEGORY = CATEGORY.CATEGORY
AND
INCOMING.DISPOSITION_CODE = DISPOSITION.DISPOSITION_CODE
AND
--insert the integer of the destination IP here
--if using just one IP then use the equal sign instead of the 'in' parameter
INCOMING.DESTINATION_IP_INT in (
'3423467676',
'3494790234',
'3494790467',
'1266584565'
)
AND
--set start date here
INCOMING.date_time BETWEEN convert (datetime, 'YYYY-MM-DD 00:00:00', 120)
AND
--set end date here
convert (datetime, 'YYYY-MM-DD 23:59:59', 120)
ORDER BY
dbo.IntToIp(INCOMING.SOURCE_IP_INT) ASC,
USER_NAMES.USER_FULL_NAME ASC,
convert (varchar(10),INCOMING.date_time, 120) ASC,
convert (varchar(10),INCOMING.date_time, 108) ASC

Code 5
/*Websense doesn't store IP addresses as IP addresses. It stores them in converted integer form after performing
a simple algorithm to them. In order to use the DESTINATION and SOURCE queries you must first convert IP
addresses into integer form. Use this query to convert IP addresses to their intger values that Websense
recognizes. You can use multiple IP addresses or just one.*/
Declare @strIp varchar(20)
Declare @strAllIp varchar(255)
Declare @result1 bigint
Declare @octet1 bigint
Declare @octet2 bigint
Declare @octet3 bigint
Declare @octet4 bigint
Declare @ci1 int
Declare @ci2 int
Declare @ci3 int
Declare @ci4 int
Declare @pos int
--put IP's here
Set @strAllIp =
'10.10.20.30,
10.10.20.31,
10.10.20.32,
10.10.20.33,
10.10.20.34,
10.10.20.35,
10.10.20.36'
--gets rid of the newline if using column of IP's, I hate when lines go beyond the screen so I use columns
set @strAllIp = replace(@strAllIp,char(13)+char(10),'')
IF substring(@strAllIp, LEN(@strAllIp)-1,1)<>','
SET @strAllIp = @strAllIp + ',' --add a comma to the end if it isn't there
SET @pos = 0
WHILE charindex(',',@strAllIp) > 0
BEGIN
SET @strIp = substring(@strAllIp,0, charindex(',',@strAllIp))
--removes the first item from the list
SET @strAllIp = substring(@strAllIp, charindex(',',@strAllIp)+1, LEN(@strAllIp) - @pos)
select @ci1 = cast((charindex('.', @strIp)) as bigint)
select @octet1 = cast((substring(@strIp, 0, @ci1)) as bigint)
select @ci2 = cast((charindex('.', @strIp, @ci1+1)) as bigint)
select @octet2 = cast((substring(@strIp, @ci1+1, (@ci2-@ci1-1))) as bigint)
select @ci3 = cast((charindex('.', @strIp, @ci2+1)) as bigint)

select @octet3 = cast((substring(@strIp, @ci2+1, (@ci3-@ci2-1))) as bigint)


select @ci4 = len(@strIp) - @ci3
select @octet4 = cast((right(@strIp, @ci4)) as bigint)
select @result1 = (@octet1 * 16777216) + (@octet2 * 65536) + (@octet3 * 256) + @octet4
print @result1
END

Conclusion
Once they are run you can save the query results as a TAB delimited csv file and then import that into an
Access database. The table structure is as follows:
For the User based queries:

For the IP based queries:

Once you have the data in the database you can then run some nice pretty reports. I have created some Crystal
Reports that format all this data and make a nice report. I know there is probably a way to run the SQL code
right from Crystal Reports so you can skip all the import stuff but I dont know Crystal Reports that well to pull
it off. If you have a way to do it let me know. If you want the Crystal Reports that I have created email me at
be281@bfn.org and Ill send them to you.
Here is generally what the Crystal Reports look like (real name and user name have been altered for obvious
reasons).: