spo_database.c

Linux snort-2.4.4源代码

       }
    }
    if( data->ignore_bpf == 0 )
    {
        if(pv.pcap_cmd == NULL)
        {
            snprintf(insert_into_sensor, MAX_QUERY_LENGTH, 
                     "INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) "
                     "VALUES ('%s','%s','%u','%u', '0')", 
                     escapedSensorName,
                     escapedInterfaceName,
                     data->detail,
                     data->encoding);
            snprintf(select_sensor_id, MAX_QUERY_LENGTH, 
                     "SELECT sid "
                     "  FROM sensor "
                     " WHERE hostname = '%s' "
                     "   AND interface = '%s' "
                     "   AND detail = '%u' "
                     "   AND encoding = '%u' "
                     "   AND filter IS NULL",
                     escapedSensorName,
                     escapedInterfaceName,
                     data->detail,
                     data->encoding);
        }
        else
        {
            snprintf(insert_into_sensor, MAX_QUERY_LENGTH, 
                     "INSERT INTO sensor (hostname, interface, filter, detail, encoding, last_cid) "
                     "VALUES ('%s','%s','%s','%u','%u', '0')", 
                     escapedSensorName,
                     escapedInterfaceName,
                     pv.pcap_cmd,
                     data->detail,
                     data->encoding);
            snprintf(select_sensor_id, MAX_QUERY_LENGTH, 
                     "SELECT sid "
                     "  FROM sensor "
                     " WHERE hostname = '%s' "
                     "   AND interface = '%s' "
                     "   AND filter ='%s' "
                     "   AND detail = '%u' "
                     "   AND encoding = '%u'",
                     escapedSensorName,
                     escapedInterfaceName,
                     pv.pcap_cmd,
                     data->detail,
                     data->encoding);
        }
    }
    else /* ( data->ignore_bpf == 1 ) */
    {
        if(pv.pcap_cmd == NULL)
        {
            snprintf(insert_into_sensor, MAX_QUERY_LENGTH, 
                     "INSERT INTO sensor (hostname, interface, detail, encoding) "
                     "VALUES ('%s','%s','%u','%u')", 
                     escapedSensorName,
                     escapedInterfaceName,
                     data->detail,
                     data->encoding);
            snprintf(select_sensor_id, MAX_QUERY_LENGTH, 
                     "SELECT sid "
                     "  FROM sensor "
                     " WHERE hostname = '%s' "
                     "   AND interface = '%s' "
                     "   AND detail = '%u' "
                     "   AND encoding = '%u'",
                     escapedSensorName,
                     escapedInterfaceName,
                     data->detail,
                     data->encoding);
        }
        else
        {
            snprintf(insert_into_sensor, MAX_QUERY_LENGTH, 
                     "INSERT INTO sensor (hostname, interface, filter, detail, encoding) "
                     "VALUES ('%s','%s','%s','%u','%u')", 
                     escapedSensorName,
                     escapedInterfaceName,
                     pv.pcap_cmd,
                     data->detail, data->encoding);
            snprintf(select_sensor_id, MAX_QUERY_LENGTH, 
                     "SELECT sid "
                     "  FROM sensor "
                     " WHERE hostname = '%s' "
                     "   AND interface = '%s' "
                     "   AND detail = '%u' "
                     "   AND encoding = '%u'",
                     escapedSensorName,
                     escapedInterfaceName,
                     data->detail,
                     data->encoding);
        }
    }

    Connect(data);

    data->shared->sid = Select(select_sensor_id,data);
    if(data->shared->sid == 0)
    {
        Insert(insert_into_sensor,data);
        data->shared->sid = Select(select_sensor_id,data);
        if(data->shared->sid == 0)
        {
            ErrorMessage("database: Problem obtaining SENSOR ID (sid) from %s->sensor\n", 
                         data->shared->dbname);
            FatalError("\n"
                       " When this plugin starts, a SELECT query is run to find the sensor id for the\n"
                       " currently running sensor. If the sensor id is not found, the plugin will run\n"
                       " an INSERT query to insert the proper data and generate a new sensor id. Then a\n"
                       " SELECT query is run to get the newly allocated sensor id. If that fails then\n"
                       " this error message is generated.\n"
                       "\n"
                       " Some possible causes for this error are:\n"
                       "  * the user does not have proper INSERT or SELECT privileges\n"
                       "  * the sensor table does not exist\n"
                       "\n"
                       " If you are _absolutely_ certain that you have the proper privileges set and\n"
                       " that your database structure is built properly please let me know if you\n"
                       " continue to get this error. You can contact me at (roman@danyliw.com).\n"
                       "\n");
        }
    }

    if( !pv.quiet_flag )
    {
        printf("database:     sensor id = %u\n", data->shared->sid);
    }

    /* the cid may be shared across multiple instances of the database
     * plugin, first we check the shared data list to see if we already
     * have a value to use, if so, we replace the SharedDatabaseData struct
     * in the DatabaseData struct with the one out of the sharedDataList.
     * Sound confusing enough?  
     *   -Andrew    
     */

    /* XXX: Creating a set of list handling functions would make this cleaner */
    current = sharedDataList;
    while(current != NULL)
    {
        /* We have 4 key fields to check */
        if((current->data->sid == data->shared->sid) &&
           (current->data->dbtype_id == data->shared->dbtype_id) &&
           /* XXX: should this be a case insensitive compare? */
           (strcasecmp(current->data->dbname, data->shared->dbname) == 0) &&
           (strcasecmp(current->data->host, data->shared->host) == 0))
        {
            foundEntry = 1;
            break;
        }
        current = current->next;
    }
    
    if(foundEntry == 0)
    {
        /* Add it the the shared data list */
        SharedDatabaseDataNode *newNode = (SharedDatabaseDataNode *)SnortAlloc(sizeof(SharedDatabaseDataNode));
        newNode->data = data->shared;
        newNode->next = NULL;
        if(sharedDataList == NULL)
        {
            sharedDataList = newNode;
        }
        else
        {
            current = sharedDataList;
            while(current->next != NULL)
            {
                current = current->next;
            }
            current->next = newNode;
        }

        /* Set the cid value 
         * - get the cid value in sensor.last_cid
         * - get the MAX(cid) from event 
         * - if snort crashed without storing the latest cid, then
         *     the MAX(event.cid) > sensor.last_cid.  Update last_cid in this case
         */
        sensor_cid = GetLastCid(data, data->shared->sid);

        snprintf(select_max_sensor_id, MAX_QUERY_LENGTH,
                 "SELECT MAX(cid) "
                 "  FROM event "
                 " WHERE sid = '%u'",
                 data->shared->sid);
        event_cid = Select(select_max_sensor_id, data);

        if ( event_cid > sensor_cid )
        {
           UpdateLastCid(data, data->shared->sid, event_cid);
           ErrorMessage("database: inconsistent cid information for sid=%u\n", 
                        data->shared->sid);
           ErrorMessage("          Recovering by rolling forward the cid=%u\n", 
                        event_cid);
        }

        data->shared->cid = event_cid;
        ++(data->shared->cid);
    }
    else
    {
        /* Free memory associated with data->shared */
        free(data->shared);
        data->shared = current->data;
    }

    /* free memory */
    free(select_sensor_id);      select_sensor_id = NULL;
    free(select_max_sensor_id);  select_max_sensor_id = NULL;
    free(insert_into_sensor);    insert_into_sensor = NULL;
    free(escapedSensorName);     escapedSensorName = NULL;
    free(escapedInterfaceName);  escapedInterfaceName = NULL;

    /* Get the versioning information for the DB schema */
    data->DBschema_version = CheckDBVersion(data);
    if( !pv.quiet_flag ) printf("database: schema version = %d\n", data->DBschema_version);

    if ( data->DBschema_version == 0 )
    {
       FatalError("database: The underlying database has not been initialized correctly.  This\n"
                  "          version of Snort requires version %d of the DB schema.  Your DB\n"
                  "          doesn't appear to have any records in the 'schema' table.\n"
                  "          Please re-run the appropriate DB creation script (e.g. create_mysql,\n"
                  "          create_postgresql, create_oracle, create_mssql) located in the\n"
                  "          contrib\\ directory.\n\n"
                  "          See the database documentation for cursory details (doc/README.database).\n"
                  "          and the URL to the most recent database plugin documentation.\n",
                  LATEST_DB_SCHEMA_VERSION);
    }
    if ( data->DBschema_version < LATEST_DB_SCHEMA_VERSION )
    {
       FatalError("database: The underlying database seems to be running an older version of\n"
                  "          the DB schema (current version=%d, required minimum version= %d).\n\n"
                  "          If you have an existing database with events logged by a previous\n"
                  "          version of snort, this database must first be upgraded to the latest\n"
                  "          schema (see the snort-users mailing list archive or DB plugin\n"
                  "          documention for details).\n\n"
                  "          If migrating old data is not desired, merely create a new instance\n"
                  "          of the snort database using the appropriate DB creation script\n"
                  "          (e.g. create_mysql, create_postgresql, create_oracle, create_mssql)\n"
                  "          located in the contrib\\ directory.\n\n"
                  "          See the database documentation for cursory details (doc/README.database).\n"
                  "          and the URL to the most recent database plugin documentation.\n",
                  data->DBschema_version, LATEST_DB_SCHEMA_VERSION);
    }
    /*
    else if ( data->DBschema_version < LATEST_DB_SCHEMA_VERSION )
    {                
       ErrorMessage("database: The database is using an older version of the DB schema\n");
    }
    */

    /* Add the processor function into the function list */
    if(!strncasecmp(data->facility,"log",3))
    {
        pv.log_plugin_active = 1;
        if( !pv.quiet_flag ) printf("database: using the \"log\" facility\n");
        AddFuncToOutputList(Database, NT_OUTPUT_LOG, data);
    }
    else
    {
        pv.alert_plugin_active = 1;
        if( !pv.quiet_flag ) printf("database: using the \"alert\" facility\n");
        AddFuncToOutputList(Database, NT_OUTPUT_ALERT, data);
    }

    AddFuncToCleanExitList(SpoDatabaseCleanExitFunction, data);
    AddFuncToRestartList(SpoDatabaseRestartFunction, data); 
    ++instances;
}

/*******************************************************************************
 * Function: ParseDatabaseArgs(char *)
 *
 * Purpose: Process the preprocessor arguements from the rules file and 
 *          initialize the preprocessor's data struct.
 *
 * Arguments: args => argument list
 *
 * Returns: void function
 *
 ******************************************************************************/
DatabaseData *ParseDatabaseArgs(char *args)
{
    DatabaseData *data;
    char *dbarg;
    char *a1;
    char *type;
    char *facility;

    data = (DatabaseData *)SnortAlloc(sizeof(DatabaseData));
    data->shared = (SharedDatabaseData *)SnortAlloc(sizeof(SharedDatabaseData));

    if(args == NULL)
    {
        ErrorMessage("database: you must supply arguments for database plugin\n");
        DatabasePrintUsage();
        FatalError("");
    }

    data->shared->dbtype_id = DB_UNDEFINED;
    data->sensor_name = NULL;
    data->facility = NULL;
    data->encoding = ENCODING_HEX;
    data->detail = DETAIL_FULL;
    data->ignore_bpf = 0;

    facility = strtok(args, ", ");
    if(facility != NULL)
    {
        if((!strncasecmp(facility,"log",3)) || (!strncasecmp(facility,"alert",5)))
            data->facility = facility;
        else
        {
            ErrorMessage("database: The first argument needs to be the logging facility\n");
            DatabasePrintUsage();
            FatalError("");
        }
    }
    else
    {
        ErrorMessage("database: Invalid format for first argment\n"); 
        DatabasePrintUsage();
        FatalError("");
    }

    type = strtok(NULL, ", ");

    if(type == NULL)
    {
        ErrorMessage("database: you must enter the database type in configuration file as the second argument\n");
        DatabasePrintUsage();
        FatalError("");
    }

    /* print out and test the capability of this plugin */
    if( !pv.quiet_flag ) printf("database: compiled support for ( ");


#ifdef ENABLE_MYSQL
    if( !pv.quiet_flag ) printf("%s ",KEYWORD_MYSQL);
    if(!strncasecmp(type,KEYWORD_MYSQL,strlen(KEYWORD_MYSQL)))
        data->shared->dbtype_id = DB_MYSQL; 
#endif
#ifdef ENABLE_POSTGRESQL
    if( !pv.quiet_flag ) printf("%s ",KEYWORD_POSTGRESQL);
    if(!strncasecmp(type,KEYWORD_POSTGRESQL,strlen(KEYWORD_POSTGRESQL)))
        data->shared->dbtype_id = DB_POSTGRESQL; 
#endif
#ifdef ENABLE_ODBC
    if( !pv.quiet_flag ) printf("%s ",KEYWORD_ODBC);
    if(!strncasecmp(type,KEYWORD_ODBC,strlen(KEYWORD_ODBC)))
        data->shared->dbtype_id = DB_ODBC; 
#endif
#ifdef ENABLE_ORACLE