(u_long)ntohl(p->tcph->th_ack), TCP_OFFSET(p->tcph), TCP_X2(p->tcph), p->tcph->th_flags, ntohs(p->tcph->th_win), ntohs(p->tcph->th_sum), ntohs(p->tcph->th_urp)); } else { snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "tcphdr (sid,cid,tcp_sport,tcp_dport,tcp_flags) " "VALUES ('%u','%u','%u','%u','%u')", data->shared->sid, data->shared->cid, ntohs(p->tcph->th_sport), ntohs(p->tcph->th_dport), p->tcph->th_flags); } if(data->detail) { /*** Build the query for TCP Options ***/ for(i=0; i < (int)(p->tcp_option_count); i++) { query = NewQueryNode(query, 0); if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII)) { packet_data = fasthex(p->tcp_options[i].data, p->tcp_options[i].len); } else { packet_data = base64(p->tcp_options[i].data, p->tcp_options[i].len); } snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) " "VALUES ('%u','%u','%u','%u','%u','%u','%s')", data->shared->sid, data->shared->cid, i, 6, p->tcp_options[i].code, p->tcp_options[i].len, packet_data); free(packet_data); packet_data = NULL; } } } else if(p->iph->ip_proto == IPPROTO_UDP && p->udph) { query = NewQueryNode(query, 0); /*** Build the query for the UDP Header ***/ if(data->detail) { snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "udphdr (sid, cid, udp_sport, udp_dport, udp_len, udp_csum) " "VALUES ('%u', '%u', '%u', '%u', '%u', '%u')", data->shared->sid, data->shared->cid, ntohs(p->udph->uh_sport), ntohs(p->udph->uh_dport), ntohs(p->udph->uh_len), ntohs(p->udph->uh_chk)); } else { snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "udphdr (sid, cid, udp_sport, udp_dport) " "VALUES ('%u', '%u', '%u', '%u')", data->shared->sid, data->shared->cid, ntohs(p->udph->uh_sport), ntohs(p->udph->uh_dport)); } } } /*** Build the query for the IP Header ***/ if ( p->iph ) { query = NewQueryNode(query, 0); if(data->detail) { snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "iphdr (sid, cid, ip_src, ip_dst, ip_ver, 
ip_hlen, " " ip_tos, ip_len, ip_id, ip_flags, ip_off," " ip_ttl, ip_proto, ip_csum) " "VALUES ('%u','%u','%lu','%lu','%u','%u','%u','%u','%u','%u','%u','%u','%u','%u')", data->shared->sid, data->shared->cid, (u_long)ntohl(p->iph->ip_src.s_addr), (u_long)ntohl(p->iph->ip_dst.s_addr), IP_VER(p->iph), IP_HLEN(p->iph), p->iph->ip_tos, ntohs(p->iph->ip_len), ntohs(p->iph->ip_id), p->frag_flag, ntohs(p->frag_offset), p->iph->ip_ttl, p->iph->ip_proto, ntohs(p->iph->ip_csum)); } else { snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "iphdr (sid, cid, ip_src, ip_dst, ip_proto) " "VALUES ('%u','%u','%lu','%lu','%u')", data->shared->sid, data->shared->cid, (u_long)ntohl(p->iph->ip_src.s_addr), (u_long)ntohl(p->iph->ip_dst.s_addr), p->iph->ip_proto); } /*** Build querys for the IP Options ***/ if(data->detail) { for(i=0 ; i < (int)(p->ip_option_count); i++) { if(&p->ip_options[i]) { query = NewQueryNode(query, 0); if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII)) { packet_data = fasthex(p->ip_options[i].data, p->ip_options[i].len); } else { packet_data = base64(p->ip_options[i].data, p->ip_options[i].len); } snprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) " "VALUES ('%u','%u','%u','%u','%u','%u','%s')", data->shared->sid, data->shared->cid, i, 0, p->ip_options[i].code, p->ip_options[i].len, packet_data); free(packet_data); packet_data = NULL; } } } } /*** Build query for the payload ***/ if ( p->data ) { if(data->detail) { if(p->dsize) { query = NewQueryNode(query, p->dsize * 2 + MAX_QUERY_LENGTH); memset(query->val, 0, p->dsize*2 + MAX_QUERY_LENGTH); if(data->encoding == ENCODING_BASE64) { packet_data_not_escaped = base64(p->data, p->dsize); } else if(data->encoding == ENCODING_ASCII) { packet_data_not_escaped = ascii(p->data, p->dsize); } else { packet_data_not_escaped = fasthex(p->data, p->dsize); } packet_data = snort_escape_string(packet_data_not_escaped, data); 
if(data->shared->dbtype_id == DB_ORACLE) { snprintf(query->val, (p->dsize * 2) + MAX_QUERY_LENGTH - 3, "INSERT INTO " "data (sid,cid,data_payload) " "VALUES ('%u','%u',utl_raw.cast_to_raw('%s", data->shared->sid, data->shared->cid, packet_data); strcat(query->val, "'))"); free (packet_data); packet_data = NULL; free (packet_data_not_escaped); packet_data_not_escaped = NULL; } else { snprintf(query->val, (p->dsize * 2) + MAX_QUERY_LENGTH - 3, "INSERT INTO " "data (sid,cid,data_payload) " "VALUES ('%u','%u','%s", data->shared->sid, data->shared->cid, packet_data); strcat(query->val, "')"); free (packet_data); packet_data = NULL; free (packet_data_not_escaped); packet_data_not_escaped = NULL; } } } } } /* Execute the queries */ query = root; ok_transaction = 1; while(query) { if ( Insert(query->val,data) == 0 ) {#ifdef ENABLE_DB_TRANSACTIONS RollbackTransaction(data);#endif ok_transaction = 0; break; } else { query = query->next; } } FreeQueryNode(root); root = NULL; /* Increment the cid*/ data->shared->cid++;#ifdef ENABLE_DB_TRANSACTIONS if ( ok_transaction ) { CommitTransaction(data); }#endif /* An ODBC bugfix */#ifdef ENABLE_ODBC if(data->shared->cid == 600) { data->shared->cid = 601; }#endif}/* Some of the code in this function is from the mysql_real_escape_string() function distributed with mysql. Those portions of this function remain Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB We needed a more general case that was not MySQL specific so there were small modifications made to the mysql_real_escape_string() function. 
*/char * snort_escape_string(char * from, DatabaseData * data){ char * to; char * to_start; char * end; int from_length; from_length = (int)strlen(from); to = (char *)SnortAlloc(strlen(from) * 2 + 1); to_start = to;#ifdef ENABLE_ORACLE if (data->shared->dbtype_id == DB_ORACLE) { for (end=from+from_length; from != end; from++) { switch(*from) { case '\'': /* ' --> '' */ *to++= '\''; *to++= '\''; break; case '\032': /* Ctrl-Z (Win32 EOF) --> \\Z */ *to++= '\\'; /* This gives problems on Win32 */ *to++= 'Z'; break; default: /* copy character directly */ *to++= *from; } } } else#endif#ifdef ENABLE_MSSQL if (data->shared->dbtype_id == DB_MSSQL) { for (end=from+from_length; from != end; from++) { switch(*from) { case '\'': /* ' --> '' */ *to++= '\''; *to++= '\''; break; default: /* copy character directly */ *to++= *from; } } } else#endif/* Historically these were together in a common "else". * Keeping it that way until somebody complains... */#if defined(ENABLE_MYSQL) || defined(ENABLE_POSTGRESQL) if (data->shared->dbtype_id == DB_MYSQL || data->shared->dbtype_id == DB_POSTGRESQL) { for(end=from+from_length; from != end; from++) { switch(*from) { /* * Only need to escape '%' and '_' characters * when querying a SELECT...LIKE, which never * occurs in Snort. Excluding these checks * for that reason. case '%': ** % --> \% ** *to++= '\\'; *to++= '%'; break; case '_': ** _ --> \_ ** *to++= '\\'; *to++= '_'; break; */ case 0: /* NULL --> \\0 (probably never encountered due to strlen() above) */ *to++= '\\'; /* Must be escaped for 'mysql' */ *to++= '0'; break; case '\n': /* \n --> \\n */ *to++= '\\'; /* Must be escaped for logs */ *to++= 'n'; break; case '\r': /* \r --> \\r */ *to++= '\\'; *to++= 'r'; break; case '\t': /* \t --> \\t */ *to++= '\\'; *to++= 't'; brea