
📄 spo_database.c

📁 该源码是用C语言编写的,实现网络入侵检测系统的功能
💻 C
📖 第 1 页 / 共 3 页
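/*
** Copyright (C) 2000,2001 Carnegie Mellon University
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* $Id: spo_database.c,v 1.14 2001/01/18 20:46:59 jpickel Exp $ */

/* Snort Database Output Plug-in by Jed Pickel <jed@pickel.net>
 *
 * See the README.database file with this distribution
 * documentation or the snortdb web site for configuration
 * information
 *
 * Web Site: http://www.incident.org/snortdb
 *
 */

#include "spo_database.h"
extern PV pv;

/* If you want extra debugging information for solving database
   configuration problems, uncomment the following line. */
/* #define DEBUG */

/*
 * Function: SetupDatabase()
 *
 * Purpose: Registers the output plugin keyword and initialization
 *          function into the output plugin list.  This is the function that
 *          gets called from InitOutputPlugins() in plugbase.c.
 *
 * Arguments: None.
 *
 * Returns: void function
 *
 */
void SetupDatabase()
{
    /* link the "database" output keyword to DatabaseInit() */
    RegisterOutputPlugin("database", NT_OUTPUT_ALERT, DatabaseInit);

#ifdef DEBUG
    printf("database(debug): database plugin is registered...\n");
#endif
}

/*
 * Function: DatabaseCheckQueryLength(int)
 *
 * Purpose: Stops start-up when snprintf() reported an error or could not
 *          fit a query into MAX_QUERY_LENGTH bytes.  A query that was cut
 *          short is still a string, so without this check it would be sent
 *          to the database with part of its WHERE or VALUES clause missing.
 *
 * Arguments: written => return value of the snprintf() call to check
 *            (a negative value covers implementations that signal
 *            truncation that way)
 *
 * Returns: void function
 *
 */
static void DatabaseCheckQueryLength(int written)
{
    if(written < 0 || written >= MAX_QUERY_LENGTH)
    {
        FatalError("database: sensor query does not fit in MAX_QUERY_LENGTH\n");
    }
}

/*
 * Function: DatabaseInit(u_char *)
 *
 * Purpose: Calls the argument parsing function, builds the sensor lookup
 *          and registration queries, connects to the database, obtains the
 *          sensor id (sid) and the next event id (cid), then adds Database()
 *          to the log or alert output list and registers the clean-exit and
 *          restart handlers.
 *
 * Arguments: args => ptr to argument string
 *
 * Returns: void function
 *
 */
void DatabaseInit(u_char *args)
{
    DatabaseData *data;
    char * select0;
    char * select1;
    char * insert0;
    int written;

    /* parse the argument list from the rules file */
    data = ParseDatabaseArgs((char *)args);

    /* find a unique name for sensor if one was not supplied as an option */
    if(!data->sensor_name)
    {
#ifdef WIN32
        data->sensor_name = GetUniqueName((char *)print_interface(pv.interfaces[0]));
#else
        data->sensor_name = GetUniqueName((char *)pv.interfaces[0]);
#endif
        printf("database:   sensor name = %s\n", data->sensor_name);
    }

    data->tz = GetLocalTimezone();

    /* allocate memory for configuration queries */
    select0 = (char *)calloc(MAX_QUERY_LENGTH, sizeof(char));
    select1 = (char *)calloc(MAX_QUERY_LENGTH, sizeof(char));
    insert0 = (char *)calloc(MAX_QUERY_LENGTH, sizeof(char));

    /* snprintf() below writes through these pointers, so a failed
       allocation has to stop here */
    if(select0 == NULL || select1 == NULL || insert0 == NULL)
    {
        FatalError("database: unable to allocate memory for sensor queries\n");
    }

    /* NOTE(review): sensor_name, the interface name and pv.pcap_cmd are
       pasted into quoted SQL literals without escaping.  A value that
       contains a single quote changes the statement that is executed.
       Escape these with the database client's quoting routine, or reject
       such values, before the queries are built. */
    if(pv.pcap_cmd == NULL)
    {
        /* no capture filter: the sensor row is matched on filter IS NULL */
        written = snprintf(insert0, MAX_QUERY_LENGTH,
                 "INSERT INTO sensor (hostname, interface, detail, encoding) "
                 "VALUES ('%s','%s','%u','%u')",
#ifdef WIN32
                 data->sensor_name, print_interface(pv.interfaces[0]), data->detail, data->encoding);
#else
                 data->sensor_name, pv.interfaces[0], data->detail, data->encoding);
#endif
        DatabaseCheckQueryLength(written);

        written = snprintf(select0, MAX_QUERY_LENGTH,
                 "SELECT sid FROM sensor WHERE hostname = '%s' "
                 "AND interface = '%s' AND detail = '%u' AND "
                 "encoding = '%u' AND filter IS NULL",
#ifdef WIN32
                 data->sensor_name, print_interface(pv.interfaces[0]), data->detail, data->encoding);
#else
                 data->sensor_name, pv.interfaces[0], data->detail, data->encoding);
#endif
        DatabaseCheckQueryLength(written);
    }
    else
    {
        /* a capture filter is set: it is part of the sensor's identity */
        written = snprintf(select0, MAX_QUERY_LENGTH,
                 "SELECT sid FROM sensor WHERE hostname = '%s' "
                 "AND interface = '%s' AND filter ='%s' AND "
                 "detail = '%u' AND encoding = '%u'",
#ifdef WIN32
                 data->sensor_name, print_interface(pv.interfaces[0]), pv.pcap_cmd,
#else
                 data->sensor_name, pv.interfaces[0], pv.pcap_cmd,
#endif
                 data->detail, data->encoding);
        DatabaseCheckQueryLength(written);

        written = snprintf(insert0, MAX_QUERY_LENGTH,
                 "INSERT INTO sensor (hostname, interface, filter,"
                 "detail, encoding) "
                 "VALUES ('%s','%s','%s','%u','%u')",
#ifdef WIN32
                 data->sensor_name, print_interface(pv.interfaces[0]), pv.pcap_cmd,
#else
                 data->sensor_name, pv.interfaces[0], pv.pcap_cmd,
#endif
                 data->detail, data->encoding);
        DatabaseCheckQueryLength(written);
    }

    Connect(data);

    /* look the sensor up; register it and look again if it is unknown */
    data->sid = Select(select0,data);
    if(data->sid == 0)
    {
        Insert(insert0,data);
        data->sid = Select(select0,data);
        if(data->sid == 0)
        {
            ErrorMessage("database: Problem obtaining SENSOR ID (sid) from %s->%s->sensor\n", data->dbtype,data->dbname);
            FatalError("\n When this plugin starts, a SELECT query is run to find the sensor id for the\n"
                       " currently running sensor. If the sensor id is not found, the plugin will run\n"
                       " an INSERT query to insert the proper data and generate a new sensor id. Then a\n"
                       " SELECT query is run to get the newly allocated sensor id. If that fails then\n"
                       " this error message is generated.\n\n"
                       " Some possible causes for this error are:\n"
                       "   * the user does not have proper INSERT or SELECT privileges\n"
                       "   * the sensor table does not exist\n\n"
                       " If you are _absolutly_ certain that you have the proper privileges set and\n"
                       " that your database structure is built properly please let me know if you\n"
                       " continue to get this error. You can contact me at (jed@pickel.net).\n\n");
        }
    }

    printf("database:     sensor id = %u\n", data->sid);

    /* the next event id is one past the highest cid stored for this sensor */
    written = snprintf(select1, MAX_QUERY_LENGTH,
             "SELECT max(cid) FROM event WHERE sid = '%u'", data->sid);
    DatabaseCheckQueryLength(written);

    data->cid = Select(select1,data);
    data->cid++;

    /* free memory */
    free(select0);
    free(select1);
    free(insert0);

    /* Add the processor function into the function list */
    if(!strncasecmp(data->facility,"log",3))
    {
        pv.log_plugin_active = 1;
        printf("database: using the \"log\" facility\n");
        AddFuncToOutputList(Database, NT_OUTPUT_LOG, data);
    }
    else
    {
        pv.alert_plugin_active = 1;
        printf("database: using the \"alert\" facility\n");
        AddFuncToOutputList(Database, NT_OUTPUT_ALERT, data);
    }

    AddFuncToCleanExitList(SpoDatabaseCleanExitFunction, data);
    AddFuncToRestartList(SpoDatabaseRestartFunction, data);
}

/*
 * Function: DatabaseRequireValue(const char *, const char *)
 *
 * Purpose: Reports a configuration error when a recognized option keyword
 *          is the last token of the argument string and therefore has no
 *          value.  Without this check the NULL value would be handed to
 *          strncasecmp() and to printf("%s").
 *
 * Arguments: option => name of the option being parsed
 *            value  => token that followed it, or NULL
 *
 * Returns: void function
 *
 */
static void DatabaseRequireValue(const char *option, const char *value)
{
    if(value == NULL)
    {
        ErrorMessage("database: option \"%s\" is missing a value\n", option);
        DatabasePrintUsage();
        FatalError("");
    }
}

/*
 * Function: ParseDatabaseArgs(char *)
 *
 * Purpose: Process the output plugin arguments from the rules file and
 *          initialize the plugin's data struct.  The argument string is
 *          split in place with strtok(), and the string fields of the
 *          returned struct point into it, so the buffer has to stay valid
 *          for as long as the struct is used.
 *
 *          The error paths call FatalError() and then fall through; the
 *          code relies on FatalError() not returning.
 *
 * Arguments: args => argument list (modified in place)
 *
 * Returns: ptr to a newly allocated DatabaseData
 *
 */
DatabaseData *ParseDatabaseArgs(char *args)
{
    DatabaseData *data;
    char *dbarg;
    char *a1;
    char *type;
    char *facility;

    data = (DatabaseData *)calloc(1, sizeof(DatabaseData));
    if(data == NULL)
    {
        FatalError("database: unable to allocate memory for plugin data\n");
    }

    if(args == NULL)
    {
        ErrorMessage("database: you must supply arguments for database plugin\n");
        DatabasePrintUsage();
        FatalError("");
    }

    data->dbtype = NULL;
    data->sensor_name = NULL;
    data->facility = NULL;
    data->encoding = ENCODING_HEX;
    data->detail = DETAIL_FULL;

    /* first argument: the facility ("log" or "alert", matched by prefix) */
    facility = strtok(args, ", ");
    if(facility != NULL)
    {
        if((!strncasecmp(facility,"log",3)) || (!strncasecmp(facility,"alert",5)))
        {
            data->facility = facility;
        }
        else
        {
            ErrorMessage("database: The first argument needs to be the logging facility\n");
            DatabasePrintUsage();
            FatalError("");
        }
    }
    else
    {
        ErrorMessage("database: Invalid format for first argment\n");
        DatabasePrintUsage();
        FatalError("");
    }

    /* second argument: the database type */
    type = strtok(NULL, ", ");
    if(type == NULL)
    {
        ErrorMessage("database: you must enter the database type in configuration file as the second argument\n");
        DatabasePrintUsage();
        FatalError("");
    }

    /* print out and test the capability of this plugin */
    printf("database: compiled support for ( ");

#ifdef ENABLE_MYSQL
    printf("%s ",MYSQL);
    if(!strncasecmp(type,MYSQL,5))
    {
        data->dbtype = type;
    }
#endif
#ifdef ENABLE_POSTGRESQL
    printf("%s ",POSTGRESQL);
    if(!strncasecmp(type,POSTGRESQL,10))
    {
        data->dbtype = type;
    }
#endif
#ifdef ENABLE_UNIXODBC
    printf("%s ",UNIXODBC);
    if(!strncasecmp(type,UNIXODBC,8))
    {
        data->dbtype = type;
    }
#endif
#ifdef ENABLE_ORACLE
    printf("%s ",ORACLE);
    if(!strncasecmp(type,ORACLE,5))
    {
        data->dbtype = type;
    }
#endif

    printf(")\n");

    printf("database: configured to use %s\n", type);

    if(data->dbtype == NULL)
    {
        ErrorMessage("database: %s support is not compiled in this copy\n\n", type);
        FatalError(" Check your configuration file to be sure you did not mis-spell \"%s\".\n"
                   " If you did not, you will need to reconfigure and recompile ensuring that\n"
                   " you have set the correct options to the configure script. Type \n"
                   " \"./configure --help\" to see options for the configure script.\n\n", type);
    }

    /* remaining arguments are name=value pairs; names are matched by prefix */
    dbarg = strtok(NULL, " =");
    while(dbarg != NULL)
    {
        /* a1 is NULL when the keyword is the last token of the string */
        a1 = strtok(NULL, ", ");

        if(!strncasecmp(dbarg,"host",4))
        {
            DatabaseRequireValue("host", a1);
            data->host = a1;
            printf("database:          host = %s\n", data->host);
        }
        if(!strncasecmp(dbarg,"port",4))
        {
            DatabaseRequireValue("port", a1);
            data->port = a1;
            printf("database:          port = %s\n", data->port);
        }
        if(!strncasecmp(dbarg,"user",4))
        {
            DatabaseRequireValue("user", a1);
            data->user = a1;
            printf("database:          user = %s\n", data->user);
        }
        if(!strncasecmp(dbarg,"password",8))
        {
            DatabaseRequireValue("password", a1);
            /* only the fact that a password was given is printed,
               never the value */
            printf("database: password is set\n");
            data->password = a1;
        }
        if(!strncasecmp(dbarg,"dbname",6))
        {
            DatabaseRequireValue("dbname", a1);
            data->dbname = a1;
            printf("database: database name = %s\n", data->dbname);
        }
        if(!strncasecmp(dbarg,"sensor_name",11))
        {
            DatabaseRequireValue("sensor_name", a1);
            data->sensor_name = a1;
            printf("database:   sensor name = %s\n", data->sensor_name);
        }
        /* only the first 6 characters of the keyword are compared here */
        if(!strncasecmp(dbarg,"encoding",6))
        {
            DatabaseRequireValue("encoding", a1);
            if(!strncasecmp(a1, "hex", 3))
            {
                data->encoding = ENCODING_HEX;
            }
            else
            {
                if(!strncasecmp(a1, "base64", 6))
                {
                    data->encoding = ENCODING_BASE64;
                }
                else
                {
                    if(!strncasecmp(a1, "ascii", 5))
                    {
                        data->encoding = ENCODING_ASCII;
                    }
                    else
                    {
                        FatalError("database: unknown encoding (%s)", a1);
                    }
                }
            }
            printf("database: data encoding = %s\n", a1);
        }
        if(!strncasecmp(dbarg,"detail",6))
        {
            DatabaseRequireValue("detail", a1);
            if(!strncasecmp(a1, "full", 4))
            {
                data->detail = DETAIL_FULL;
            }
            else
            {
                if(!strncasecmp(a1, "fast", 4))
                {
                    data->detail = DETAIL_FAST;
                }
                else
                {
                    FatalError("database: unknown detail level (%s)", a1);
                }
            }
            printf("database: detail level  = %s\n", a1);
        }
        dbarg = strtok(NULL, "=");
    }

    if(data->dbname == NULL)
    {
        ErrorMessage("database: must enter database name in configuration file\n\n");
        DatabasePrintUsage();
        FatalError("");
    }

    return data;
}

/*
 * Function: FreeQueryNode(SQLQuery *)
 *
 * Purpose: Frees a query list: every node reachable through ->next,
 *          together with the buffer each node holds in ->val.  The list is
 *          walked with a loop so that stack use does not grow with the
 *          length of the list.
 *
 * Arguments: node => first node to free, may be NULL
 *
 * Returns: void function
 *
 */
void FreeQueryNode(SQLQuery * node)
{
    while(node)
    {
        /* read the link before the node that holds it is released */
        SQLQuery * next = node->next;

        free(node->val);
        free(node);
        node = next;
    }
}

SQLQuery * NewQueryNode(SQLQuery * parent, int query_size)
{
    SQLQuery * rval;

    if(query_size == 0)
    {
        query_size = MAX_QUERY_LENGTH;
    }

    if(parent)
    {
        while(parent->next)
        {
            parent = parent->next;
        }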
