spo_database.c

Linux snort-2.4.4源代码

/*
** Portions Copyright (C) 2000,2001,2002 Carnegie Mellon University
** Copyright (C) 2001 Jed Pickel <jed@pickel.net>
** Portions Copyright (C) 2001 Andrew R. Baker <andrewb@farm9.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

/* $Id$ */

/* Snort Database Output Plug-in
 * 
 *  Maintainer: Roman Danyliw <rdd@cert.org>, <roman@danyliw.com>
 *
 *  Originally written by Jed Pickel <jed@pickel.net> (2000-2001)
 *
 * See the doc/README.database file with this distribution 
 * documentation or the snortdb web site for configuration
 * information
 *
 * Web Site: http://www.andrew.cmu.edu/~rdanyliw/snortdb/snortdb.html
 */

/******** Configuration *************************************************/

/* 
 * If you want extra debugging information for solving database 
 * configuration problems, uncomment the following line. 
 */
/* #define DEBUG */

/* Enable DB transactions */
#define ENABLE_DB_TRANSACTIONS

/******** Headers ******************************************************/

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include <sys/types.h>
#include <stdlib.h>
#include <string.h>

#include "event.h"
#include "decode.h"
#include "rules.h"
#include "plugbase.h"
#include "spo_plugbase.h"
#include "parser.h"
#include "debug.h"
#include "util.h"

#include "snort.h"
#include "inline.h"

#ifdef ENABLE_POSTGRESQL
    #include <libpq-fe.h>
#endif
#ifdef ENABLE_MYSQL
    #if defined(_WIN32) || defined(_WIN64)
        #include <windows.h>
    #endif
    #include <mysql.h>
#endif
#ifdef ENABLE_ODBC
    #include <sql.h>
    #include <sqlext.h>
    #include <sqltypes.h>
    /* The SQL Server libraries, for some reason I can't
     * understand, define their own constants for SQLRETURN
     * and SQLCHAR.  But, in SQL Server, these are numeric
     * values, not datatypes.  So we define datatypes here
     * with a non-conflicting name.
     */
    typedef SQLRETURN ODBC_SQLRETURN;
    typedef SQLCHAR   ODBC_SQLCHAR;
#endif
#ifdef ENABLE_ORACLE
    #include <oci.h>
#endif
#ifdef ENABLE_MSSQL
    #define DBNTWIN32
    #include <windows.h>
    #include <sqlfront.h>
    #include <sqldb.h>
#endif

/******** Data Types  **************************************************/

/* enumerate the supported databases */
enum db_types_en
{
    DB_UNDEFINED  = 0,
    DB_MYSQL      = 1,
    DB_POSTGRESQL = 2,
    DB_MSSQL      = 3,
    DB_ORACLE     = 4,
    DB_ODBC       = 5
};
typedef enum db_types_en dbtype_t;

/* link-list of SQL queries */
typedef struct _SQLQuery
{
    char * val;
    struct _SQLQuery * next;
} SQLQuery;


/* the cid is unique across the dbtype, dbname, host, and sid */
/* therefore, we use these as a lookup key for the cid */
typedef struct _SharedDatabaseData
{
    dbtype_t  dbtype_id;
    char     *dbname;
    char     *host;
    int       sid;
    int       cid;
    int       reference;
} SharedDatabaseData;

typedef struct _DatabaseData
{
    SharedDatabaseData *shared;
    char  *facility;
    char  *password;
    char  *user;
    char  *port;
    char  *sensor_name;
    int    encoding;
    int    detail;
    int    ignore_bpf;
    int    tz;
    int    DBschema_version;
#ifdef ENABLE_POSTGRESQL
    PGconn * p_connection;
    PGresult * p_result;
#endif
#ifdef ENABLE_MYSQL
    MYSQL * m_sock;
    MYSQL_RES * m_result;
    MYSQL_ROW m_row;
#endif
#ifdef ENABLE_ODBC
    SQLHENV u_handle;
    SQLHDBC u_connection;
    SQLHSTMT u_statement;
    SQLINTEGER  u_col;
    SQLINTEGER  u_rows;
    dbtype_t    u_underlying_dbtype_id;
#endif
#ifdef ENABLE_ORACLE
    OCIEnv *o_environment;
    OCISvcCtx *o_servicecontext;
    OCIError *o_error;
    OCIStmt *o_statement;
    OCIDefine *o_define;
    text o_errormsg[512];
    sb4 o_errorcode;
#endif
#ifdef ENABLE_MSSQL
    PDBPROCESS  ms_dbproc;
    PLOGINREC   ms_login;
    DBINT       ms_col;
#endif
} DatabaseData;

/* list for lookup of shared data information */
typedef struct _SharedDatabaseDataNode
{
    SharedDatabaseData *data;
    struct _SharedDatabaseDataNode *next;
} SharedDatabaseDataNode;


/******** Constants  ***************************************************/

#define MAX_QUERY_LENGTH 8192
#define KEYWORD_POSTGRESQL   "postgresql"
#define KEYWORD_MYSQL        "mysql"
#define KEYWORD_ODBC         "odbc"
#define KEYWORD_ORACLE       "oracle"
#define KEYWORD_MSSQL        "mssql"

#define KEYWORD_HOST         "host"
#define KEYWORD_PORT         "port"
#define KEYWORD_USER         "user"
#define KEYWORD_PASSWORD     "password"
#define KEYWORD_DBNAME       "dbname"
#define KEYWORD_SENSORNAME   "sensor_name"
#define KEYWORD_ENCODING     "encoding"
    #define KEYWORD_ENCODING_HEX      "hex"
    #define KEYWORD_ENCODING_BASE64   "base64"
    #define KEYWORD_ENCODING_ASCII    "ascii"
#define KEYWORD_DETAIL       "detail"
    #define KEYWORD_DETAIL_FULL  "full"
    #define KEYWORD_DETAIL_FAST  "fast"
#define KEYWORD_IGNOREBPF    "ignore_bpf"
#define KEYWORD_IGNOREBPF_NO   "no"
#define KEYWORD_IGNOREBPF_ZERO "0"
#define KEYWORD_IGNOREBPF_YES  "yes"
#define KEYWORD_IGNOREBPF_ONE  "1"


#define LATEST_DB_SCHEMA_VERSION 106

/******** Prototypes  **************************************************/

void          DatabaseInit(u_char *);
DatabaseData *ParseDatabaseArgs(char *);
void          Database(Packet *, char *, void *, Event *);
char *        snort_escape_string(char *, DatabaseData *);
void          SpoDatabaseCleanExitFunction(int, void *);
void          SpoDatabaseRestartFunction(int, void *);
void          InitDatabase();
int           UpdateLastCid(DatabaseData *, int, int);
int           GetLastCid(DatabaseData *, int);
int           CheckDBVersion(DatabaseData *);
void          BeginTransaction(DatabaseData * data);
void          CommitTransaction(DatabaseData * data);
void          RollbackTransaction(DatabaseData * data);
int           Insert(char *, DatabaseData *);
int           Select(char *, DatabaseData *);
void          Connect(DatabaseData *);
void          DatabasePrintUsage();
void          FreeSharedDataList();

/******** Global Variables  ********************************************/

extern PV pv;
extern OptTreeNode *otn_tmp;  /* rule node */

static SharedDatabaseDataNode *sharedDataList = NULL;
static int instances = 0;

/******** Database Specific Extras  ************************************/

/* The following is for supporting Microsoft SQL Server */
#ifdef ENABLE_MSSQL

/* If you want extra debugging information (specific to
   Microsoft SQL Server), uncomment the following line. */
#define ENABLE_MSSQL_DEBUG

#if defined(DEBUG) || defined(ENABLE_MSSQL_DEBUG)
    /* this is for debugging purposes only */
    static char g_CurrentStatement[2048];
    #define SAVESTATEMENT(str)   strncpy(g_CurrentStatement, str, sizeof(g_CurrentStatement) - 1);
    #define CLEARSTATEMENT()     bzero((char *) g_CurrentStatement, sizeof(g_CurrentStatement));
#else
    #define SAVESTATEMENT(str)   NULL;
    #define CLEARSTATEMENT()     NULL;
#endif /* DEBUG || ENABLE_MSSQL_DEBUG*/

    /* Prototype of SQL Server callback functions. 
     * See actual declaration elsewhere for details. 
     */
    static int mssql_err_handler(PDBPROCESS dbproc, int severity, int dberr, 
                                 int oserr, LPCSTR dberrstr, LPCSTR oserrstr);
    static int mssql_msg_handler(PDBPROCESS dbproc, DBINT msgno, int msgstate, 
                                 int severity, LPCSTR msgtext, LPCSTR srvname, LPCSTR procname, 
                                 DBUSMALLINT line);
#endif /* ENABLE_MSSQL */

/*******************************************************************************
 * Function: SetupDatabase()
 *
 * Purpose: Registers the output plugin keyword and initialization 
 *          function into the output plugin list.  This is the function that
 *          gets called from InitOutputPlugins() in plugbase.c.
 *
 * Arguments: None.
 *
 * Returns: void function
 *
 ******************************************************************************/
void DatabaseSetup()
{
    /* link the preprocessor keyword to the init function in 
       the preproc list */
    RegisterOutputPlugin("database", NT_OUTPUT_ALERT, DatabaseInit);

    DEBUG_WRAP(DebugMessage(DEBUG_INIT, "database(debug): database plugin is registered...\n"););
}

/*******************************************************************************
 * Function: DatabaseInit(u_char *)
 *
 * Purpose: Calls the argument parsing function, performs final setup on data
 *          structs, links the preproc function into the function list.
 *
 * Arguments: args => ptr to argument string
 *
 * Returns: void function
 *
 ******************************************************************************/
void DatabaseInit(u_char *args)
{
    DatabaseData *data = NULL;
    char * select_sensor_id = NULL;
    char * select_max_sensor_id = NULL;
    char * insert_into_sensor = NULL;
    int foundEntry = 0, sensor_cid, event_cid;
    SharedDatabaseDataNode *current = NULL;
    char * escapedSensorName = NULL;
    char * escapedInterfaceName = NULL;


    /* parse the argument list from the rules file */
    data = ParseDatabaseArgs(args);

    /* find a unique name for sensor if one was not supplied as an option */
    if(!data->sensor_name)
    {
        data->sensor_name = GetUniqueName((char *)PRINT_INTERFACE(pv.interface));
        if ( data->sensor_name )
        {
           if( data->sensor_name[strlen(data->sensor_name)-1] == '\n' )
           {
              data->sensor_name[strlen(data->sensor_name)-1] = '\0';
           }

           if( !pv.quiet_flag )
           {
               printf("database:   sensor name = %s\n", data->sensor_name);
           }
        }
    }

    data->tz = GetLocalTimezone();

    /* allocate memory for configuration queries */
    select_sensor_id     = (char *)SnortAlloc(MAX_QUERY_LENGTH);
    select_max_sensor_id = (char *)SnortAlloc(MAX_QUERY_LENGTH);
    insert_into_sensor   = (char *)SnortAlloc(MAX_QUERY_LENGTH);

    escapedSensorName    = snort_escape_string(data->sensor_name, data);
    if(pv.interface != NULL)
    {
    	escapedInterfaceName = snort_escape_string(PRINT_INTERFACE(pv.interface), data);
    }
    else
    {   
       if(InlineMode())
       {
	  escapedInterfaceName = snort_escape_string("inline", data);