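p->dp) < MAX_QUERY_SIZE)
    {
        Insert(op_data, sql_buffer, NULL); /* XXX: Error Checking */
    }
    }
    return 0;
}

/*
 * Classify the snprintf() result of a query built into sql_buffer.
 *
 * snprintf() returns the length the complete query would have had, or a
 * negative value on a formatting error.  A truncated statement
 * (len >= MAX_QUERY_SIZE) and an error (len < 0) must both keep the
 * buffer away from the database; the plain "< MAX_QUERY_SIZE" test used
 * before let a negative result through and executed whatever stale text
 * sql_buffer still held.
 *
 * Returns 1 when the query fits in sql_buffer, 0 otherwise.
 */
static int OpAcidDb_QueryFits(int len)
{
    return len >= 0 && len < MAX_QUERY_SIZE;
}

/*
 * Insert the TCP header of the current event into the tcphdr table.
 *
 * op_data  sensor id, event id and the "detail" level of this plugin
 * p        decoded packet; nothing is stored unless p->tcph is set
 *
 * With op_data->detail the whole header is stored, otherwise only the
 * port pair.  Every value is numeric (%u), so no escaping is required.
 * Always returns 0; a failed Insert() is not reported to the caller.
 */
int InsertTCPData(OpAcidDb_Data *op_data, Packet *p)
{
    int len;

    if(!p->tcph)
    {
        return 0;
    }

    if(op_data->detail)
    {
        len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                       "INSERT INTO tcphdr(sid, cid, tcp_sport, tcp_dport, tcp_seq, "
                       "tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, "
                       "tcp_urp) VALUES('%u', '%u', '%u', '%u', '%u', "
                       "'%u', '%u', '%u', '%u', '%u', '%u', '%u')",
                       op_data->sensor_id, op_data->event_id, p->sp, p->dp,
                       ntohl(p->tcph->th_seq), ntohl(p->tcph->th_ack),
                       TCP_OFFSET(p->tcph), TCP_X2(p->tcph), p->tcph->th_flags,
                       ntohs(p->tcph->th_win), ntohs(p->tcph->th_sum),
                       ntohs(p->tcph->th_urp));
        /* XXX: TCP Options not handled */
    }
    else
    {
        len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                       "INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport) "
                       "VALUES('%u', '%u', '%u', '%u')",
                       op_data->sensor_id, op_data->event_id, p->sp, p->dp);
    }

    if(OpAcidDb_QueryFits(len))
    {
        Insert(op_data, sql_buffer, NULL); /* XXX: Error checking */
    }

    return 0;
}

/*
 * Insert the ICMP header of the current event into the icmphdr table.
 *
 * op_data  sensor id, event id and the "detail" level of this plugin
 * p        decoded packet; nothing is stored unless p->icmph is set
 *
 * Without detail only type and code are stored.  With detail the
 * checksum is added, and for the message types whose header carries an
 * identifier/sequence pair (0/8 echo, 13/14 timestamp, 15/16
 * information request/reply) those two fields are stored as well.
 * Always returns 0; a failed Insert() is not reported to the caller.
 */
int InsertICMPData(OpAcidDb_Data *op_data, Packet *p)
{
    int len;
    unsigned int type;

    if(!p->icmph)
    {
        return 0;
    }

    type = p->icmph->icmp_type;

    if(!op_data->detail)
    {
        /* insert data into the icmp header table */
        len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                       "INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) "
                       "VALUES('%u', '%u', '%u', '%u')",
                       op_data->sensor_id, op_data->event_id,
                       type, p->icmph->icmp_code);
    }
    else if(type == 0 || type == 8 || type == 13 || type == 14 ||
            type == 15 || type == 16)
    {
        len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                       "INSERT INTO icmphdr(sid, cid, icmp_type, icmp_code, "
                       "icmp_csum, icmp_id, icmp_seq) "
                       "VALUES('%u', '%u', '%u', '%u', '%u', '%u', '%u')",
                       op_data->sensor_id, op_data->event_id,
                       type, p->icmph->icmp_code,
                       ntohs(p->icmph->icmp_csum),
                       htons(p->icmph->icmp_hun.ih_idseq.icd_id),
                       htons(p->icmph->icmp_hun.ih_idseq.icd_seq));
    }
    else
    {
        len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                       "INSERT INTO icmphdr(sid, cid, icmp_type, icmp_code, "
                       "icmp_csum) VALUES('%u', '%u', '%u', '%u', '%u')",
                       op_data->sensor_id, op_data->event_id,
                       type, p->icmph->icmp_code,
                       ntohs(p->icmph->icmp_csum));
    }

    if(OpAcidDb_QueryFits(len))
    {
        Insert(op_data, sql_buffer, NULL); /* XXX: Error Checking */
    }

    return 0;
}

/*
 * Insert the packet payload of the current event into the data table.
 *
 * op_data  sensor id and event id
 * p        decoded packet; p->data / p->dsize describe the payload
 *
 * The payload is stored as the hex string produced by fasthex(), which
 * is what keeps an arbitrary payload safe to interpolate into the
 * statement.  A payload whose hex form does not fit in sql_buffer is
 * silently skipped.  Always returns 0.
 */
int InsertPayloadData(OpAcidDb_Data *op_data, Packet *p)
{
    char *hex_payload;
    int len;

    if(!p->dsize)
    {
        return 0;
    }

    hex_payload = fasthex(p->data, p->dsize);
    if(!hex_payload)
    {
        /* NOTE(review): assumes fasthex() yields NULL on allocation
         * failure — confirm; passing NULL to %s would be undefined. */
        return 0;
    }

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "INSERT INTO data(sid, cid, data_payload) "
                   "VALUES('%u', '%u', '%s')",
                   op_data->sensor_id, op_data->event_id, hex_payload);
    if(OpAcidDb_QueryFits(len))
    {
        Insert(op_data, sql_buffer, NULL); /* XXX: Error Checking */
    }

    free(hex_payload);
    return 0;
}

/*
 * Attempts to retrieve the sensor id.
 *
 * Looks the sensor up by hostname/interface/filter/detail (encoding 0).
 * NULL hostname defaults to "localhost"; NULL interface and filter to "".
 * All three strings go through EscapeString() before they are placed
 * in the statement; FatalError() is called if escaping or the query
 * size check fails.
 *
 * sensor_id  receives the sid found by SelectAsUInt()
 * Returns the SelectAsUInt() result, or -1 if the query did not fit.
 */
static int OpAcidDb_GetSensorId(OpAcidDb_Data *op_data, char *hostname,
                                char *interface, char *bpf_filter,
                                u_int32_t detail, u_int32_t *sensor_id)
{
    int rval = -1;
    int len;
    char *e_hostname = NULL;
    char *e_interface = NULL;
    char *e_filter = NULL;

    if(!hostname)
    {
        hostname = "localhost";
    }
    if(!interface)
    {
        interface = "";
    }
    if(!bpf_filter)
    {
        bpf_filter = "";
    }

    if(!(e_hostname = EscapeString(op_data, hostname)))
    {
        FatalError("Failed to escape string");
    }
    if(!(e_interface = EscapeString(op_data, interface)))
    {
        FatalError("Failed to escape string");
    }
    if(!(e_filter = EscapeString(op_data, bpf_filter)))
    {
        FatalError("Failed to escape string");
    }

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' "
                   "AND filter='%s' AND detail='%u' AND encoding='0'",
                   e_hostname, e_interface, e_filter, detail);
    if(OpAcidDb_QueryFits(len))
    {
        rval = SelectAsUInt(op_data, sql_buffer, sensor_id);
    }
    else
    {
        FatalError("SQL query too big");
    }

    /* released on every path so a returning FatalError() cannot leak */
    free(e_filter);
    free(e_interface);
    free(e_hostname);
    return rval;
}

/*
 * Create a sensor row for hostname/interface/filter/detail.
 *
 * Same defaulting and escaping rules as OpAcidDb_GetSensorId().
 * encoding and last_cid start at 0.
 *
 * sensor_id  passed to Insert(), which is expected to fill in the new sid
 * Returns the Insert() result, or -1 if the query did not fit.
 */
static int OpAcidDb_InsertSensor(OpAcidDb_Data *op_data, char *hostname,
                                 char *interface, char *bpf_filter,
                                 u_int32_t detail, unsigned int *sensor_id)
{
    int rval = -1;
    int len;
    char *e_hostname = NULL;
    char *e_interface = NULL;
    char *e_filter = NULL;

    if(!hostname)
    {
        hostname = "localhost";
    }
    if(!interface)
    {
        interface = "";
    }
    if(!bpf_filter)
    {
        bpf_filter = "";
    }

    if(!(e_hostname = EscapeString(op_data, hostname)))
    {
        FatalError("Failed to escape string");
    }
    if(!(e_interface = EscapeString(op_data, interface)))
    {
        FatalError("Failed to escape string");
    }
    if(!(e_filter = EscapeString(op_data, bpf_filter)))
    {
        FatalError("Failed to escape string");
    }

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "INSERT INTO sensor(hostname, "
                   "interface, filter, detail, encoding, last_cid) "
                   "VALUES('%s', '%s', '%s', '%u', '0', '0')",
                   e_hostname, e_interface, e_filter, detail);
    if(OpAcidDb_QueryFits(len))
    {
        rval = Insert(op_data, sql_buffer, sensor_id);
    }
    else
    {
        FatalError("SQL query too big");
    }

    free(e_filter);
    free(e_interface);
    free(e_hostname);
    return rval;
}

/*
 * Resolve (or create) the sensor id for this process.
 *
 * The sensor is identified by interface, hostname and filter, taken
 * from the global pv; of these only the interface is defaulted to ""
 * when unset.  If no row matches, one is inserted; if Insert() reports
 * failure by storing (unsigned int)-1, the lookup is retried once,
 * which covers a row created concurrently by another process.
 *
 * The return codes of the two helpers are not consulted, so a lookup
 * that fails with a database error is indistinguishable from "no such
 * sensor" and leads to an insert attempt.
 * Returns the sensor id, 0 if none could be determined.
 */
unsigned int AcidDbGetSensorId(OpAcidDb_Data *op_data)
{
    unsigned int sensor_id = 0;
    char *interface = "";

    /* we need three things to determine the sensor id: interface, hostname,
     * filter
     * of these three, interface must be specified (ie we won't query it) */
    if(pv.interface)
    {
        interface = pv.interface;
    }

    OpAcidDb_GetSensorId(op_data, pv.hostname, interface, pv.bpf_filter,
                         op_data->detail, &sensor_id);

    if(sensor_id == 0)
    {
        OpAcidDb_InsertSensor(op_data, pv.hostname, interface, pv.bpf_filter,
                              op_data->detail, &sensor_id);

        /* Insert() signals failure with an all-ones id */
        if(sensor_id == (unsigned int)-1)
        {
            OpAcidDb_GetSensorId(op_data, pv.hostname, interface,
                                 pv.bpf_filter, op_data->detail, &sensor_id);
        }
    }

    if(pv.verbose >= 2)
    {
        LogMessage("sensor_id == %u\n", sensor_id);
    }

    return sensor_id;
}

/* Retrieves the next acid_cid to use for inserting into the database for this
 * sensor.
 *
 * Reads max(cid) of the event table for data->sensor_id and returns it
 * plus one (1 for a sensor with no events yet).  Any database error or
 * an oversized query is fatal.
 */
unsigned int AcidDbGetNextCid(OpAcidDb_Data *data)
{
    unsigned int cid = 0;
    int len;

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "SELECT max(cid) FROM event WHERE sid='%u'",
                   data->sensor_id);
    if(!OpAcidDb_QueryFits(len))
    {
        FatalError("Database Error\n");
    }

    if(SelectAsUInt(data, sql_buffer, &cid) == -1)
    {
        FatalError("Database Error\n");
    }
#ifdef DEBUG
    LogMessage("cid == %u\n", cid);
    fflush(stdout);
#endif

    return ++cid;
}

/*
 * Schema version check.
 *
 * Not implemented: always reports success (0) without querying the
 * database, so a mismatched schema is not detected here.
 */
int AcidDbCheckSchemaVersion(OpAcidDb_Data *data)
{
    return 0;
}

/*
 * Look up the signature table row matching msg/rev/sid.
 *
 * msg     signature name; NULL is treated as "" and the value is
 *         escaped before use
 * sig_id  receives the sig_id found by SelectAsUInt()
 *
 * Returns 1 on success (the SelectAsUInt() result is passed through),
 * -1 if the query did not fit; escaping failures are fatal.
 */
static int OpAcidDb_GetSigId(OpAcidDb_Data *op_data, char *msg, u_int32_t rev,
                             u_int32_t sid, u_int32_t *sig_id)
{
    int rval = -1;
    int len;
    char *e_message = NULL;

    if(!msg)
    {
        msg = "";
    }

    if(!(e_message = EscapeString(op_data, msg)))
    {
        FatalError("Failed to escape string");
    }

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "SELECT sig_id FROM signature WHERE sig_name='%s' AND sig_rev=%u "
                   "AND sig_sid=%u",
                   e_message, rev, sid);
    if(OpAcidDb_QueryFits(len))
    {
        rval = SelectAsUInt(op_data, sql_buffer, sig_id);
    }
    else
    {
        FatalError("SQL query too big");
    }

    free(e_message);
    return rval;
}

/*
 * Look up the sig_class row for class_name (NULL treated as "").
 *
 * class_id  receives the sig_class_id found by SelectAsUInt()
 * Returns the SelectAsUInt() result, or -1 if the query did not fit.
 */
static int OpAcidDb_GetClassId(OpAcidDb_Data *op_data, char *class_name,
                               u_int32_t *class_id)
{
    int rval = -1;
    int len;
    char *e_class_name = NULL;

    if(!class_name)
    {
        class_name = "";
    }

    if(!(e_class_name = EscapeString(op_data, class_name)))
    {
        FatalError("Failed to escape string");
    }

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "SELECT sig_class_id FROM sig_class WHERE sig_class_name='%s'",
                   e_class_name);
    if(OpAcidDb_QueryFits(len))
    {
        rval = SelectAsUInt(op_data, sql_buffer, class_id);
    }
    else
    {
        FatalError("SQL query too big");
    }

    free(e_class_name);
    return rval;
}

/*
 * Look up the reference_system row for system (NULL treated as "").
 *
 * ref_system_id  receives the id found by SelectAsUInt()
 * Returns the SelectAsUInt() result, or -1 if the query did not fit.
 */
static int OpAcidDb_GetRefSystemId(OpAcidDb_Data *op_data, char *system,
                                   u_int32_t *ref_system_id)
{
    int rval = -1;
    int len;
    char *e_system = NULL;

    if(!system)
    {
        system = "";
    }

    if(!(e_system = EscapeString(op_data, system)))
    {
        FatalError("Failed to escape string");
    }

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "SELECT ref_system_id FROM reference_system WHERE "
                   "ref_system_name='%s'",
                   e_system);
    if(OpAcidDb_QueryFits(len))
    {
        rval = SelectAsUInt(op_data, sql_buffer, ref_system_id);
    }
    else
    {
        FatalError("SQL query too big");
    }

    free(e_system);
    return rval;
}

/*
 * Look up the reference row for ref_system_id/ref_tag (NULL tag treated
 * as "").
 *
 * ref_id  receives the id found by SelectAsUInt()
 * Returns the SelectAsUInt() result, or -1 if the query did not fit.
 */
static int OpAcidDb_GetReferenceId(OpAcidDb_Data *op_data,
                                   u_int32_t ref_system_id, char *ref_tag,
                                   u_int32_t *ref_id)
{
    int rval = -1;
    int len;
    char *e_ref_tag = NULL;

    if(!ref_tag)
    {
        ref_tag = "";
    }

    if(!(e_ref_tag = EscapeString(op_data, ref_tag)))
    {
        FatalError("Failed to escape string");
    }

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "SELECT ref_id FROM reference WHERE ref_system_id=%u AND "
                   "ref_tag='%s'",
                   ref_system_id, e_ref_tag);
    if(OpAcidDb_QueryFits(len))
    {
        rval = SelectAsUInt(op_data, sql_buffer, ref_id);
    }
    else
    {
        FatalError("SQL query too big");
    }

    free(e_ref_tag);
    return rval;
}

/* looks up the acid sig_id for a message and returns it. If no sig_id exists,
 * one is created
 * XXX: Unfortunately, the db does not use the same sig_ids that snort does
 *
 * sid         snort signature (msg, rev, sid, ref list); NULL yields 0
 * class_type  classification, resolved via GetAcidDbClassId()
 * priority    stored as sig_priority on a newly created row
 *
 * On creation the signature's references are inserted as well.  The
 * message is escaped before it is placed in the INSERT statement.
 * Returns the acid sig_id, or 0 if it could not be determined.
 */
u_int32_t AcidDbGetSigId(OpAcidDb_Data *op_data, Sid *sid,
                         ClassType *class_type, unsigned int priority)
{
    char *e_message;
    unsigned int sig_id = 0;
    unsigned int class_id = 0;
    int len;

    if(!sid)
    {
        return 0;
    }

    if(OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid, &sig_id) == 1)
    {
        return sig_id;
    }

    /* Create a new signature entry */
    class_id = GetAcidDbClassId(op_data, class_type);

    if(!(e_message = EscapeString(op_data, sid->msg ? sid->msg : "")))
    {
        FatalError("Failed to escape string");
    }

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "INSERT INTO signature(sig_name, sig_class_id, sig_priority, "
                   "sig_rev, sig_sid) VALUES('%s', '%u', '%u', '%u', '%u')",
                   e_message, class_id, priority, sid->rev, sid->sid);
    if(OpAcidDb_QueryFits(len))
    {
        Insert(op_data, sql_buffer, &sig_id); /* XXX: Error checking */

        /* an all-ones id means the insert failed, e.g. because the row
         * appeared in the meantime: look it up again */
        if(sig_id == (unsigned int)-1)
        {
            OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid, &sig_id);
        }
    }
    else
    {
        FatalError("SQL query too big");
    }
    free(e_message);

    InsertSigReferences(op_data, sid->ref, sig_id);

    return sig_id;
}

/* looks up the acid class_id since it does not use the standard snort ids
 *
 * class_type  classification; NULL or an empty type yields 0
 *
 * Creates the sig_class row when it does not exist yet; the class name
 * is escaped before it is placed in the INSERT statement.
 * Returns the acid sig_class_id, or 0 if it could not be determined.
 */
unsigned int GetAcidDbClassId(OpAcidDb_Data *op_data, ClassType *class_type)
{
    char *e_class_name;
    unsigned int class_id = 0;
    int len;

    if(!class_type || !class_type->type)
    {
        return 0;
    }

    if(OpAcidDb_GetClassId(op_data, class_type->type, &class_id) == 1)
    {
        return class_id;
    }

    /* class_type->type is known to be non-NULL here */
    if(!(e_class_name = EscapeString(op_data, class_type->type)))
    {
        FatalError("Failed to escape string");
    }

    /* Insert a new sig_class record */
    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "INSERT INTO sig_class(sig_class_name) VALUES('%s')",
                   e_class_name);
    if(OpAcidDb_QueryFits(len))
    {
        Insert(op_data, sql_buffer, &class_id); /* XXX: Error checking */

        if(class_id == (unsigned int)-1)
        {
            OpAcidDb_GetClassId(op_data, class_type->type, &class_id);
        }
    }
    else
    {
        FatalError("SQL query too big");
    }
    free(e_class_name);

    return class_id;
}

/*
 * Record the references of signature sig_id.
 *
 * ref     linked list of reference (system, tag) pairs
 * sig_id  acid sig_id the references belong to
 *
 * For each entry the reference_system row is looked up and created when
 * missing; the system name is escaped before it is inserted.
 */
int InsertSigReferences(OpAcidDb_Data *op_data, ReferenceData *ref,
                        unsigned int sig_id)
{
    unsigned int ref_system_id = 0;
    unsigned int ref_id = 0;
    unsigned int ref_seq = 1;
    char *e_ref_system_name;
    char *e_ref_tag;

    while(ref != NULL)
    {
        if(OpAcidDb_GetRefSystemId(op_data, ref->system, &ref_system_id) != 1)
        {
            /* if not found */
            if(!(e_ref_system_name = EscapeString(op_data, ref->system ? ref->system : "")))
                FatalError("Failed to escape string");

            if(snprintf(sql_buffer, MAX_QUERY_SIZE,
                        "INSERT INTO reference_system(ref_system_name) "
                        "VALUES('%s')", e_ref_system_name) < MAX_QUERY_SIZE)
            {
                free(e_ref_system_name);
                Insert(op_data, sql_buffer, &ref_system_id);
                if(ref_system_id == -1)
                {
                    OpAcidDb_GetRefSystemId(op_data, ref->system, &ref_system_id);
                }
            }
            else
            {
                FatalError("SQL query too big");
            }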