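/* tail of NewQueryNode(): its signature and the start of its body precede this span */
        parent->next = (SQLQuery *)malloc(sizeof(SQLQuery));
        rval = parent->next;
    }
    else
    {
        rval = (SQLQuery *)malloc(sizeof(SQLQuery));
    }
    /* NOTE(review): both malloc() results are used unchecked; the callers
     * below assume a non-NULL node with a writable val buffer. */
    rval->val = (char *)malloc(query_size);
    rval->next = NULL;
    return rval;
}

/*
 * Function: Database(Packet *, char * msg, void *arg)
 *
 * Purpose: Insert data into the database
 *
 * Arguments: p => pointer to the current packet data struct (may be NULL;
 *                 then only the event row is written)
 *            msg => pointer to the signature message (NULL is treated as "")
 *            arg => the DatabaseData instance for this output plugin
 *
 * Returns: void function
 *
 * Builds a linked list of INSERT statements (event, transport header,
 * IP header, options, payload), executes them in order via Insert(),
 * frees the list and then advances data->cid.
 *
 * Packet-derived option and payload bytes are hex/base64/ascii encoded
 * before they reach a query; the payload and the signature message are
 * additionally run through snort_escape_string().  The timestamp string
 * is interpolated unescaped and must come from GetTimestamp()/
 * GetCurrentTimestamp() only.
 */
void Database(Packet *p, char *msg, void *arg)
{
    DatabaseData *data = (DatabaseData *)arg;
    SQLQuery *query;
    SQLQuery *root;
    char *tmp;
    char *tmp_not_escaped;
    char *esc_msg;
    int i;
    char sip[16];
    char dip[16];
    char *s0, *s1, *s2, *s3, *d0, *d1, *d2, *d3;

    query = NewQueryNode(NULL, 0);
    root = query;

    if(msg == NULL)
    {
        msg = "";
    }

    /*** Build the query for the Event Table ***/
    if(p != NULL)
    {
        tmp = GetTimestamp((time_t *)&p->pkth->ts.tv_sec, data->tz);
    }
    else
    {
        tmp = GetCurrentTimestamp();
    }

    /* msg originates from the rule file, but a quote or backslash in a
     * signature message must not be able to break the INSERT, so escape it
     * the same way the payload is escaped below. */
    esc_msg = snort_escape_string(msg, data);

    snprintf(query->val, MAX_QUERY_LENGTH,
             "INSERT INTO event (sid,cid,signature,timestamp) VALUES "
             "('%u', '%u', '%s', '%s')",
             data->sid, data->cid, esc_msg, tmp);
    free(esc_msg);
    free(tmp);

    /* We do not log fragments!  They are assumed to be handled by the
     * fragment reassembly pre-processor */
    if(p != NULL)
    {
        /* THE FOLLOWING BLOCK OF CODE IS GOING TO GET WIPED OUT IF
         * TRANSITION TO THE ONE FOUR BYTE INTEGER REPRESENTATION FOR
         * IP ADDRESSES */
        /******************************************************************/
        /* inet_ntoa() writes to a static buffer, so each result is copied
         * out before the next call.  A dotted quad is at most 15 chars;
         * snprintf() always NUL-terminates, which strncpy() did not
         * guarantee. */
        snprintf(sip, sizeof sip, "%s", inet_ntoa(p->iph->ip_src));
        snprintf(dip, sizeof dip, "%s", inet_ntoa(p->iph->ip_dst));

        /* strtok() keeps static state; the four octets of each address are
         * pulled out back-to-back so nothing else can interleave. */
        s0 = strtok(sip, ".");
        s1 = strtok(NULL, ".");
        s2 = strtok(NULL, ".");
        s3 = strtok(NULL, ".");
        d0 = strtok(dip, ".");
        d1 = strtok(NULL, ".");
        d2 = strtok(NULL, ".");
        d3 = strtok(NULL, ".");
        /******************************************************************/

        if(!p->frag_flag)
        {
            /* The transport-header node is allocated inside each protocol
             * branch.  Allocating it before the branch (as previously done)
             * left an uninitialised malloc()'d buffer in the list, which
             * was then handed to Insert() for any protocol other than
             * ICMP, TCP or UDP. */
            if(p->iph->ip_proto == IPPROTO_ICMP)
            {
                /*** Build a query for the ICMP Header ***/
                query = NewQueryNode(query, 0);

                if(data->detail)
                {
                    if(p->ext)
                    {
                        snprintf(query->val, MAX_QUERY_LENGTH,
                                 "INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, "
                                 "icmp_csum, icmp_id, icmp_seq) "
                                 "VALUES ('%u','%u','%u','%u','%u','%u','%u')",
                                 data->sid, data->cid,
                                 p->icmph->type, p->icmph->code,
                                 ntohs(p->icmph->csum),
                                 ntohs(p->ext->id), ntohs(p->ext->seqno));
                    }
                    else
                    {
                        snprintf(query->val, MAX_QUERY_LENGTH,
                                 "INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code, "
                                 "icmp_csum) "
                                 "VALUES ('%u','%u','%u','%u','%u')",
                                 data->sid, data->cid,
                                 p->icmph->type, p->icmph->code,
                                 ntohs(p->icmph->csum));
                    }
                }
                else
                {
                    snprintf(query->val, MAX_QUERY_LENGTH,
                             "INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) "
                             "VALUES ('%u','%u','%u','%u')",
                             data->sid, data->cid,
                             p->icmph->type, p->icmph->code);
                }
            }
            else if(p->iph->ip_proto == IPPROTO_TCP)
            {
                /*** Build a query for the TCP Header ***/
                query = NewQueryNode(query, 0);

                if(data->detail)
                {
                    snprintf(query->val, MAX_QUERY_LENGTH,
                             "INSERT INTO tcphdr "
                             "(sid, cid, tcp_sport, tcp_dport, tcp_seq,"
                             " tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win,"
                             " tcp_csum, tcp_urp) "
                             "VALUES ('%u','%u','%u','%u','%lu','%lu','%u',"
                             "'%u','%u','%u','%u','%u')",
                             data->sid, data->cid,
                             ntohs(p->tcph->th_sport), ntohs(p->tcph->th_dport),
                             (u_long)ntohl(p->tcph->th_seq),
                             (u_long)ntohl(p->tcph->th_ack),
                             p->tcph->th_off, p->tcph->th_x2, p->tcph->th_flags,
                             ntohs(p->tcph->th_win), ntohs(p->tcph->th_sum),
                             ntohs(p->tcph->th_urp));
                }
                else
                {
                    snprintf(query->val, MAX_QUERY_LENGTH,
                             "INSERT INTO tcphdr "
                             "(sid,cid,tcp_sport,tcp_dport,tcp_flags) "
                             "VALUES ('%u','%u','%u','%u','%u')",
                             data->sid, data->cid,
                             ntohs(p->tcph->th_sport), ntohs(p->tcph->th_dport),
                             p->tcph->th_flags);
                }

                if(data->detail)
                {
                    /*** Build the query for TCP Options ***/
                    for(i = 0; i < (int)p->tcp_option_count; i++)
                    {
                        query = NewQueryNode(query, 0);

                        /* hex()/base64() return a freshly allocated string
                         * of characters that need no SQL escaping. */
                        if((data->encoding == ENCODING_HEX) ||
                           (data->encoding == ENCODING_ASCII))
                        {
                            tmp = hex(p->tcp_options[i].data, p->tcp_options[i].len);
                        }
                        else
                        {
                            tmp = base64(p->tcp_options[i].data, p->tcp_options[i].len);
                        }

                        /* opt_proto 6 == TCP */
                        snprintf(query->val, MAX_QUERY_LENGTH,
                                 "INSERT INTO opt "
                                 "(sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
                                 "VALUES ('%u','%u','%u','%u','%u','%u','%s')",
                                 data->sid, data->cid, (unsigned)i, 6u,
                                 p->tcp_options[i].code, p->tcp_options[i].len,
                                 tmp);
                        free(tmp);
                    }
                }
            }
            else if(p->iph->ip_proto == IPPROTO_UDP)
            {
                /*** Build the query for the UDP Header ***/
                query = NewQueryNode(query, 0);

                if(data->detail)
                {
                    snprintf(query->val, MAX_QUERY_LENGTH,
                             "INSERT INTO udphdr "
                             "(sid, cid, udp_sport, udp_dport, udp_len, udp_csum) "
                             "VALUES ('%u', '%u', '%u', '%u', '%u', '%u')",
                             data->sid, data->cid,
                             ntohs(p->udph->uh_sport), ntohs(p->udph->uh_dport),
                             ntohs(p->udph->uh_len), ntohs(p->udph->uh_chk));
                }
                else
                {
                    snprintf(query->val, MAX_QUERY_LENGTH,
                             "INSERT INTO udphdr "
                             "(sid, cid, udp_sport, udp_dport) "
                             "VALUES ('%u', '%u', '%u', '%u')",
                             data->sid, data->cid,
                             ntohs(p->udph->uh_sport), ntohs(p->udph->uh_dport));
                }
            }
        }

        /*** Build the query for the IP Header ***/
        query = NewQueryNode(query, 0);

        if(data->detail)
        {
            snprintf(query->val, MAX_QUERY_LENGTH,
                     "INSERT INTO iphdr "
                     "(sid, cid, ip_src, ip_src0, ip_src1, ip_src2, ip_src3,"
                     "ip_dst, ip_dst0, ip_dst1, ip_dst2, ip_dst3, ip_ver,"
                     "ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off,"
                     "ip_ttl, ip_proto, ip_csum) "
                     "VALUES ('%u','%u','%lu','%s','%s','%s','%s',"
                     "'%lu','%s','%s','%s','%s','%u',"
                     "'%u','%u','%u','%u','%u','%u',"
                     "'%u','%u','%u')",
                     data->sid, data->cid,
                     (u_long)ntohl(p->iph->ip_src.s_addr), s0, s1, s2, s3,
                     (u_long)ntohl(p->iph->ip_dst.s_addr), d0, d1, d2, d3,
                     p->iph->ip_ver, p->iph->ip_hlen, p->iph->ip_tos,
                     ntohs(p->iph->ip_len), ntohs(p->iph->ip_id),
                     p->frag_flag, ntohs(p->frag_offset),
                     p->iph->ip_ttl, p->iph->ip_proto, ntohs(p->iph->ip_csum));
        }
        else
        {
            snprintf(query->val, MAX_QUERY_LENGTH,
                     "INSERT INTO iphdr "
                     "(sid, cid, ip_src, ip_dst, ip_proto) "
                     "VALUES ('%u','%u','%lu','%lu','%u')",
                     data->sid, data->cid,
                     (u_long)ntohl(p->iph->ip_src.s_addr),
                     (u_long)ntohl(p->iph->ip_dst.s_addr),
                     p->iph->ip_proto);
        }

        /*** Build querys for the IP Options ***/
        if(data->detail)
        {
            /* The old `if(&p->ip_options[i])` guard was always true (it
             * tested the address of an array element), so it is dropped. */
            for(i = 0; i < (int)p->ip_option_count; i++)
            {
                query = NewQueryNode(query, 0);

                if((data->encoding == ENCODING_HEX) ||
                   (data->encoding == ENCODING_ASCII))
                {
                    tmp = hex(p->ip_options[i].data, p->ip_options[i].len);
                }
                else
                {
                    tmp = base64(p->ip_options[i].data, p->ip_options[i].len);
                }

                /* opt_proto 0 == IP */
                snprintf(query->val, MAX_QUERY_LENGTH,
                         "INSERT INTO opt "
                         "(sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) "
                         "VALUES ('%u','%u','%u','%u','%u','%u','%s')",
                         data->sid, data->cid, (unsigned)i, 0u,
                         p->ip_options[i].code, p->ip_options[i].len,
                         tmp);
                free(tmp);
            }
        }

        /*** Build query for the payload ***/
        if(data->detail)
        {
            if(p->dsize)
            {
                size_t qsize;

                if(data->encoding == ENCODING_BASE64)
                {
                    tmp_not_escaped = base64(p->data, p->dsize);
                }
                else if(data->encoding == ENCODING_ASCII)
                {
                    tmp_not_escaped = ascii(p->data, p->dsize);
                }
                else
                {
                    tmp_not_escaped = hex(p->data, p->dsize);
                }

                tmp = snort_escape_string(tmp_not_escaped, data);

                /* Size the node from the escaped text actually produced and
                 * write the whole statement in one bounded call.  The old
                 * code allocated dsize*2 + MAX_QUERY_LENGTH but then capped
                 * snprintf() at MAX_QUERY_LENGTH - 3 before strcat()ing the
                 * closing "')", silently truncating larger payloads -
                 * possibly in the middle of an escape sequence. */
                qsize = strlen(tmp) + MAX_QUERY_LENGTH;
                query = NewQueryNode(query, qsize);
                snprintf(query->val, qsize,
                         "INSERT INTO data "
                         "(sid,cid,data_payload) "
                         "VALUES ('%u','%u','%s')",
                         data->sid, data->cid, tmp);
                free(tmp);
                free(tmp_not_escaped);
            }
        }
    }

    /* Execute the queries in the order they were built */
    query = root;
    while(query)
    {
        Insert(query->val, data);
        query = query->next;
    }

    FreeQueryNode(root);

    data->cid++;

    /* A Unixodbc bugfix */
#ifdef ENABLE_UNIXODBC
    if(data->cid == 600)
    {
        data->cid = 601;
    }
#endif
}

/* Some of the code in this function is from the mysql_real_escape_string()
   function distributed with mysql.  Those portions of this function remain
   Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB

   We needed a more general case that was not MySQL specific so there were
   small modifications made to the mysql_real_escape_string() function. */
/* head of snort_escape_string(): the function continues past this span
 * (NUL termination and return of to_start).  Caller owns the returned
 * buffer, which is sized for the worst case of every byte being escaped. */
char * snort_escape_string(char * from, DatabaseData * data)
{
    char * to;
    char * to_start;
    char * end;
    int from_length;

    from_length = (int)strlen(from);
    to = (char *)malloc(strlen(from) * 2 + 1);
    to_start = to;
#ifdef ENABLE_ORACLE
    if (!strcasecmp(data->dbtype,ORACLE))
    {
        for (end=from+from_length; from != end; from++)
        {
            switch(*from)
            {
                case '\n': /* Must be escaped for logs */
                    *to++= '\\';
                    *to++= 'n';
                    break;
                case '\r':
                    *to++= '\\';
                    *to++= 'r';
                    break;
                case '\'':
                    *to++= '\'';
                    *to++= '\'';
                    break;
                case '\032': /* This gives problems on Win32 */
                    *to++= '\\';
                    *to++= 'Z';
                    break;
                default:
                    *to++= *from;
            }
        }
    }
    else
#endif
    {
        for(end=from+from_length; from != end; from++)
        {
            switch(*from)
            {
                case 0: /* Must be escaped for 'mysql' */
                    *to++= '\\';
                    *to++= '0';
                    break;
                case '\n': /* Must be escaped for logs */
                    *to++= '\\';
                    *to++= 'n';
                    break;
                case '\r':
                    *to++= '\\';
                    *to++= 'r';
                    break;
                case '\\':
                    *to++= '\\';
                    *to++= '\\';
                    break;
                case '\'':
                    *to++= '\\';
                    *to++= '\'';
                    break;
                case '"': /* Better safe than sorry */
                    *to++= '\\';
                    *to++= '"';
                    break;
                case '\032': /* This gives problems on Win32 */
                    *to++= '\\';
                    *to++= 'Z';
                    break;
                default:
                    *to++= *from;
            }
        }
    }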