" AND sig_rev IS NULL " " AND sig_sid = %u ", sig_name, event->sig_id); } } else { if( event->sig_id == 0) { snprintf(select0, MAX_QUERY_LENGTH, "SELECT sig_id " " FROM signature " " WHERE sig_name = '%s' " " AND sig_rev = %u " " AND sig_sid IS NULL ", sig_name, event->sig_rev); } else { snprintf(select0, MAX_QUERY_LENGTH, "SELECT sig_id " " FROM signature " " WHERE sig_name = '%s' " " AND sig_rev = %u " " AND sig_sid = %u ", sig_name, event->sig_rev, event->sig_id); } } sig_id = Select(select0, data); /* If this signature is detected for the first time * - write the signature * - write the signature's references, classification, priority, id, * revision number * Note: if a signature (identified with a unique text message, revision #) * initially is logged to the DB without references/classification, * but later they are added, this information will _not_ be * stored/updated unless the revision number is changed. * This algorithm is used in order to prevent many DB SELECTs to * verify their presence _every_ time the alert is triggered. 
*/ if(sig_id == 0) { /* get classification and priority information */ if(otn_tmp) { class_ptr = otn_tmp->sigInfo.classType; if(class_ptr) { /* classification */ if(class_ptr->type) { /* Get the ID # of this classification */ select1 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); sig_class = snort_escape_string(class_ptr->type, data); snprintf(select1, MAX_QUERY_LENGTH, "SELECT sig_class_id " " FROM sig_class " " WHERE sig_class_name = '%s'", sig_class); class_id = Select(select1, data); if ( !class_id ) { insert0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); snprintf(insert0, MAX_QUERY_LENGTH, "INSERT INTO " "sig_class (sig_class_name) " "VALUES ('%s')", sig_class); Insert(insert0, data); free(insert0); insert0 = NULL; class_id = Select(select1, data); if ( !class_id ) { ErrorMessage("database: unable to write classification\n"); } } free(select1); select1 = NULL; free(sig_class); sig_class = NULL; } } } insert0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); insert_fields = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); insert_values = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); insert_fields_len = 0; insert_values_len = 0; snprintf(insert_fields, MAX_QUERY_LENGTH-insert_fields_len, "%s", "sig_name"); snprintf(insert_values, MAX_QUERY_LENGTH-insert_values_len, "'%s'", sig_name); insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); if ( class_id > 0 ) { snprintf(&insert_fields[insert_fields_len], MAX_QUERY_LENGTH-insert_fields_len, "%s", ",sig_class_id"); snprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH-insert_values_len, ",%u", class_id); insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); } if ( event->priority > 0 ) { snprintf(&insert_fields[insert_fields_len], MAX_QUERY_LENGTH-insert_fields_len, "%s", ",sig_priority"); snprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH-insert_values_len, ",%u", event->priority); insert_fields_len = strlen(insert_fields); insert_values_len = 
strlen(insert_values); } if ( event->sig_rev > 0 ) { snprintf(&insert_fields[insert_fields_len], MAX_QUERY_LENGTH-insert_fields_len, "%s", ",sig_rev"); snprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH-insert_values_len, ",%u", event->sig_rev); insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); } if ( event->sig_id > 0 ) { snprintf(&insert_fields[insert_fields_len], MAX_QUERY_LENGTH-insert_fields_len, "%s", ",sig_sid"); snprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH-insert_values_len, ",%u", event->sig_id); insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); } snprintf(insert0, MAX_QUERY_LENGTH, "INSERT INTO signature (%s) VALUES (%s)", insert_fields, insert_values); Insert(insert0,data); free(insert0); insert0 = NULL; free(insert_fields); insert_fields = NULL; free(insert_values); insert_values = NULL; sig_id = Select(select0,data); if(sig_id == 0) { ErrorMessage("database: Problem inserting a new signature '%s'\n", msg); } free(select0); select0 = NULL; /* add the external rule references */ if(otn_tmp) { refNode = otn_tmp->sigInfo.refs; i = 1; while(refNode) { /* Get the ID # of the reference from the DB */ select0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); insert0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); ref_system_name = snort_escape_string(refNode->system->name, data); /* Note: There is an underlying assumption that the SELECT * will do a case-insensitive comparison. 
*/ snprintf(select0, MAX_QUERY_LENGTH, "SELECT ref_system_id " " FROM reference_system " " WHERE ref_system_name = '%s'", ref_system_name); snprintf(insert0, MAX_QUERY_LENGTH, "INSERT INTO " "reference_system (ref_system_name) " "VALUES ('%s')", ref_system_name); ref_system_id = Select(select0, data); if ( ref_system_id == 0 ) { Insert(insert0, data); ref_system_id = Select(select0, data); } free(select0); select0 = NULL; free(insert0); insert0 = NULL; free(ref_system_name); ref_system_name = NULL; if ( ref_system_id > 0 ) { select0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); ref_tag = snort_escape_string(refNode->id, data); snprintf(select0, MAX_QUERY_LENGTH, "SELECT ref_id " " FROM reference " " WHERE ref_system_id = %d " " AND ref_tag = '%s'", ref_system_id, ref_tag); ref_id = Select(select0, data); free(ref_tag); ref_tag = NULL; /* If this reference is not in the database, write it */ if ( ref_id == 0 ) { /* truncate the reference tag as necessary */ ref_node_id_string = (char *) SnortAlloc(101); if ( data->DBschema_version == 103 ) { snprintf(ref_node_id_string, 20, "%s", refNode->id); } else if ( data->DBschema_version >= 104 ) { snprintf(ref_node_id_string, 100, "%s", refNode->id); } insert0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); ref_tag = snort_escape_string(ref_node_id_string, data); snprintf(insert0, MAX_QUERY_LENGTH, "INSERT INTO " "reference (ref_system_id, ref_tag) " "VALUES (%d, '%s')", ref_system_id, ref_tag); Insert(insert0, data); ref_id = Select(select0, data); free(insert0); insert0 = NULL; free(ref_node_id_string); ref_node_id_string = NULL; free(ref_tag); ref_tag = NULL; if ( ref_id == 0 ) { ErrorMessage("database: Unable to insert the alert reference into the DB\n"); } } free(select0); select0 = NULL; insert0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); snprintf(insert0, MAX_QUERY_LENGTH, "INSERT INTO " "sig_reference (sig_id, ref_seq, ref_id) " "VALUES (%u, %d, %u)", sig_id, i, ref_id); Insert(insert0, data); free(insert0); insert0 = NULL; 
++i; } else { ErrorMessage("database: Unable to insert unknown reference tag ('%s') used in rule.\n", refNode->id); } refNode = refNode->next; } } } else { free(select0); select0 = NULL; } free(sig_name); sig_name = NULL; if ( (data->shared->dbtype_id == DB_ORACLE) && (data->DBschema_version >= 105) ) { snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "event (sid,cid,signature,timestamp) " "VALUES ('%u', '%u', '%u', TO_DATE('%s', 'YYYY-MM-DD HH24:MI:SS'))", data->shared->sid, data->shared->cid, sig_id, timestamp_string); } else if(data->shared->dbtype_id == DB_ODBC) { snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "event (sid,cid,signature,timestamp) " "VALUES ('%u', '%u', '%u', {ts '%s'})", data->shared->sid, data->shared->cid, sig_id, timestamp_string); } else { snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "event (sid,cid,signature,timestamp) " "VALUES ('%u', '%u', '%u', '%s')", data->shared->sid, data->shared->cid, sig_id, timestamp_string); } free(timestamp_string); timestamp_string = NULL; /* We do not log fragments! 
They are assumed to be handled by the fragment reassembly pre-processor */ if(p != NULL) { if((!p->frag_flag) && (p->iph)) { /* query = NewQueryNode(query, 0); */ if(p->iph->ip_proto == IPPROTO_ICMP && p->icmph) { query = NewQueryNode(query, 0); /*** Build a query for the ICMP Header ***/ if(data->detail) { if(p->icmph) { snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) " "VALUES ('%u','%u','%u','%u','%u','%u','%u')", data->shared->sid, data->shared->cid, p->icmph->type, p->icmph->code, ntohs(p->icmph->csum), ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); } else { snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum) " "VALUES ('%u','%u','%u','%u','%u')", data->shared->sid, data->shared->cid, p->icmph->type, p->icmph->code, ntohs(p->icmph->csum)); } } else { snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "icmphdr (sid, cid, icmp_type, icmp_code) " "VALUES ('%u','%u','%u','%u')", data->shared->sid, data->shared->cid, p->icmph->type, p->icmph->code); } } else if(p->iph->ip_proto == IPPROTO_TCP && p->tcph) { query = NewQueryNode(query, 0); /*** Build a query for the TCP Header ***/ if(data->detail) { snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "tcphdr (sid, cid, tcp_sport, tcp_dport, " " tcp_seq, tcp_ack, tcp_off, tcp_res, " " tcp_flags, tcp_win, tcp_csum, tcp_urp) " "VALUES ('%u','%u','%u','%u','%lu','%lu','%u','%u','%u','%u','%u','%u')", data->shared->sid, data->shared->cid, ntohs(p->tcph->th_sport), ntohs(p->tcph->th_dport), (u_long)ntohl(p->tcph->th_seq),