op_sguil.c

知名的开源IDS的日志工具

/* $Id: op_sguil.c,v 1.5 2004/04/03 19:57:33 andrewbaker Exp $ */
/*
** Copyright (C) 2001-2002 Andrew R. Baker <andrewb@snort.org>
**
** This program is distributed under the terms of version 1.0 of the 
** Q Public License.  See LICENSE.QPL for further details.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
**
*/

/* op_sguil is a modified op_acid_db plugin configured to work with
 * sguil (Snort GUI for Lamerz). Sguil and ACIDs DB schemas differ.
 * Sguil combines the event and iphdr tables along with moving the
 * src and dst port columns into event. I've also added SguilSendEvent
 * which opens a network socket and sends RT events to sguild.
 *
 * Andrew, sorry about mangling your code but it works so well :)
 *
 * Bammkkkk
*/

/*  I N C L U D E S  *****************************************************/

#ifdef ENABLE_MYSQL /* Wrap the whole thing in an ENABLE_MYSQL block */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <time.h>
#include <errno.h>
#include <unistd.h>
#include <ctype.h>

#include "strlcpyu.h"
#include "ConfigFile.h"
#include "plugbase.h"
#include "mstring.h"
#include "sid.h"
#include "classification.h"
#include "util.h"
#include "input-plugins/dp_log.h"
#include "op_plugbase.h"
#include "op_decode.h"
#include "event.h"

/* Needed for network socket */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#ifdef ENABLE_MYSQL
#include <mysql.h>
#include <errmsg.h>
#endif /* ENABLE_MYSQL */

/*  D A T A   S T R U C T U R E S  **************************************/
typedef struct _OpSguil_Data 
{
    u_int8_t flavor;  /* what flavor of db?  MySQL, postgres, ... */
    u_int16_t unused;
    char *server;
    char *database;
    char *user;
    char *password;
    int sensor_id;
    int options;
    char *sguild_host;
    int sguild_sock;
    int sguild_port;
    int nospin;
    u_int32_t event_id;
    /* db handles go here */
#ifdef ENABLE_MYSQL
    MYSQL *mysql;
#endif /* ENABLE_MYSQL */
} OpSguil_Data;


#define MAX_QUERY_SIZE 8192
#define SYSLOG_BUF 1024

/* database flavor defines */
#define FLAVOR_MYSQL    1
#define FLAVOR_POSTGRES 2

static char *sgdb_flavours[] = {NULL, "mysql", "postgres"};

/* Network socket defines */
#define MAX_MSG_LEN 100


/* Output plug-in API functions */
static int OpSguil_Setup(OutputPlugin *, char *args);
static int OpSguil_Exit(OutputPlugin *);
static int OpSguil_Start(OutputPlugin *, void *);
static int OpSguil_Stop(OutputPlugin *);
static int OpSguil_Log(void *, void *);
static int OpSguil_LogConfig(OutputPlugin *outputPlugin);

/* Internal functions */
int SguildConnect(OpSguil_Data *);
int SguilSendEvent(OpSguil_Data *data, char *eventMsg);
int read_line();
OpSguil_Data *OpSguil_ParseArgs(char *);
int sgDbClose(OpSguil_Data *data);
int sgDbConnect(OpSguil_Data *data);
u_int32_t SguilGetNextCid(OpSguil_Data *data);
u_int32_t SguilGetSensorId(OpSguil_Data *data);
int SguilCheckSchemaVersion(OpSguil_Data *data);
int InsertIPData(OpSguil_Data *data, Packet *p);
int sgInsertICMPData(OpSguil_Data *data, Packet *p);
int sgInsertUDPData(OpSguil_Data *data, Packet *p);
int sgInsertTCPData(OpSguil_Data *data, Packet *p);
int sgInsertPayloadData(OpSguil_Data *data, Packet *p);

int sgSelectAsUInt(OpSguil_Data *data, char *sql, unsigned int *result);
int sgInsert(OpSguil_Data *data, char *sql, unsigned int *row_id);
int sgBeginTransaction(OpSguil_Data *);
int sgEndTransaction(OpSguil_Data *);
int sgAbortTransaction(OpSguil_Data *);

#ifdef ENABLE_MYSQL
int sgMysqlConnect(OpSguil_Data *);
int sgMysqlClose(MYSQL *mysql);
int sgMysqlSelectAsUInt(MYSQL *mysql, char *sql, unsigned int *result);
int sgMysqlInsert(MYSQL *mysql, char *sql, unsigned int *row_id);
#endif

/* Global variables */
static char sql_buffer[MAX_QUERY_SIZE];

/* 
 * Rather than using an incremental connection id (cid), this uses the
 * current time in milliseconds. BY is fast, but will we get dups in the
 * same millisecond?
 * Okay, lets wait on doing this.
long GetMilliseconds() 
{
    struct timeval  tv;
    gettimeofday(&tv, NULL);

    return (long)(tv.tv_sec * 1000 + tv.tv_usec / 1000);
}*/

/* init routine makes this processor available for dataprocessor directives */
void OpSguil_Init()
{
    OutputPlugin *outputPlugin;

    outputPlugin = RegisterOutputPlugin("sguil", "log");
    outputPlugin->setupFunc = OpSguil_Setup;
    outputPlugin->exitFunc = OpSguil_Exit;
    outputPlugin->startFunc = OpSguil_Start;
    outputPlugin->stopFunc = OpSguil_Stop;
    outputPlugin->outputFunc = OpSguil_Log;
    outputPlugin->logConfigFunc = OpSguil_LogConfig;
    
}

int OpSguil_LogConfig(OutputPlugin *outputPlugin)
{
    OpSguil_Data *data = NULL;

    if(!outputPlugin || !outputPlugin->data)
        return -1;

    data = (OpSguil_Data *)outputPlugin->data;
    
    LogMessage("OpSguil configured\n");
    /* XXX We need to print the configuration details here */
    return 0;
}
    


/* Setup the output plugin, process any arguments, link the functions to
 * the output functional node
 */
int OpSguil_Setup(OutputPlugin *outputPlugin, char *args)
{
    /* setup the run time context for this output plugin */
    outputPlugin->data = OpSguil_ParseArgs(args);

    return 0;
}

/* Inverse of the setup function, free memory allocated in Setup 
 * can't free the outputPlugin since it is also the list node itself
 */
int OpSguil_Exit(OutputPlugin *outputPlugin)
{
    return 0;
}

/* 
 * this function gets called at start time, you should open any output files
 * or establish DB connections, etc, here
 */
int OpSguil_Start(OutputPlugin *outputPlugin, void *spool_header)
{
    char tmpMsg [256];
    OpSguil_Data *data = (OpSguil_Data *)outputPlugin->data;
    LogMessage("OpSguil_Start\n");

    if(data == NULL)
        FatalError("ERROR: Unable to find context for Sguil startup!\n");

    /* Connect to sguild */
    if(SguildConnect(data))
      FatalError("OpSguil_: Failed to connect to sguild: %s:%i\n",
        data->sguild_host, data->sguild_port);

    /* Write a system-info message*/
    sprintf(tmpMsg, "RTEvent |||system-info|%s||Barnyard started.||||||||\n", pv.hostname);
    SguilSendEvent(data, tmpMsg);
    
    /* Connect to the database */
    if(sgDbConnect(data))
        FatalError("OpSguil_: Failed to connect to database: %s:%s@%s/%s\n",
                data->user, data->password, data->server, data->database);

    /* check the db schema */
    /*if(SguilCheckSchemaVersion(data))
        FatalError("OpSguil_: database schema mismatch\n");*/
 
    /* if sensor id == 0, then we attempt attempt to determine it dynamically */
    if(data->sensor_id == 0)
    {
        data->sensor_id = SguilGetSensorId(data);
        /* XXX: Error checking */
    }
    /* Get the next cid from the database */
    data->event_id = SguilGetNextCid(data);
    if(pv.verbose)
    {
        LogMessage("OpAcidDB configuration details\n");
        LogMessage("Database Flavour: %s\n", sgdb_flavours[data->flavor]);
        LogMessage("Database Server: %s\n", data->server);
        LogMessage("Database User: %s\n", data->user);
        LogMessage("SensorID: %i\n", data->sensor_id);
        LogMessage("Sguild Host: %s\n", data->sguild_host);
        LogMessage("Sguild Port: %i\n", data->sguild_port);
    }
    if((data->nospin) == NULL)
    {
        if(pv.verbose)
        {
            LogMessage("Barnyard will sleep(15) if unable to connect to sguild.\n");
        }
        data->nospin = 0;
    }
    else
    {
        if(pv.verbose)
        {
            LogMessage("Spinning disabled.\n");
        }
    }

    sprintf(tmpMsg, "RTEvent |||system-info|%s||Database Server: %s.||||||||\n",
		   pv.hostname, data->server);
    SguilSendEvent(data, tmpMsg);

    sprintf(tmpMsg, "RTEvent |||system-info|%s||Database Next CID: %i.||||||||\n",
		    pv.hostname, data->event_id);
    SguilSendEvent(data, tmpMsg);
    return 0;
}

int OpSguil_Stop(OutputPlugin *outputPlugin)
{
    OpSguil_Data *data = (OpSguil_Data *)outputPlugin->data;

    if(data == NULL)
        FatalError("ERROR: Unable to find context for Sguil startup!\n");

    /* close database connection */
    sgDbClose(data);
    
    return 0;
}

/* sguil only uses log */
int OpSguil_Log(void *context, void *data)
{
    char timestamp[TIMEBUF_SIZE];
    char syslogMessage[SYSLOG_BUF];
    char eventInfo[SYSLOG_BUF];
    //int MAX_INSERT_LEN = 1024;
    char insertColumns[MAX_QUERY_SIZE];
    char insertValues[MAX_QUERY_SIZE];
    char valuesTemp[MAX_QUERY_SIZE];
    char ipInfo[38];
    char portInfo[16];
    char *esc_message;
    Sid *sid = NULL;
    ClassType *class_type;
    UnifiedLogRecord *record = (UnifiedLogRecord *)data; 
    OpSguil_Data *op_data = (OpSguil_Data *)context;
    Packet p;

    bzero(syslogMessage, SYSLOG_BUF);
    bzero(insertColumns, MAX_QUERY_SIZE);
    bzero(insertValues, MAX_QUERY_SIZE);

#if 0 /* this is broken */
    /* skip tagged packets, since the db does not have a mechanism to 
     * deal with them properly
     */
    if(record->log.event.event_reference)
    {
        LogMessage("Skipping tagged packet %i\n", record->log.event.event_reference);
        return 0;
    }
#endif


    RenderTimestamp(record->log.pkth.ts.tv_sec, timestamp, TIMEBUF_SIZE);
    //fprintf(stdout, "Timestamp: %lu\n", GetMilliseconds());
    //fflush(stdout);
    sid = GetSid(record->log.event.sig_generator, record->log.event.sig_id);
    if(sid == NULL)
        sid = FakeSid(record->log.event.sig_generator, record->log.event.sig_id);
    class_type = GetClassType(record->log.event.classification);

    //sgBeginTransaction(op_data); /* XXX: Error checking */
    /* Build the event insert. */
    snprintf(insertColumns, MAX_QUERY_SIZE,
            "INSERT INTO event (status, sid, cid, signature_id, signature_rev, signature, timestamp, priority, class");

    esc_message = malloc(strlen(sid->msg)*2+1);
    mysql_real_escape_string(op_data->mysql, esc_message, sid->msg, strlen(sid->msg));

    if(class_type == NULL)
    {
        snprintf(valuesTemp, MAX_QUERY_SIZE,
                "VALUES ('0', '%u', '%u', '%d', '%d', '%s', '%s', '%u', 'unknown'",
                op_data->sensor_id, op_data->event_id, sid->sid, sid->rev, esc_message, timestamp, 
                record->log.event.priority);
        snprintf(eventInfo, SYSLOG_BUF, "RTEvent |0|%u|unknown|%s|%s|%u|%u|%s",
                record->log.event.priority, 
                pv.hostname, timestamp, op_data->sensor_id, op_data->event_id,
                sid->msg);
    }
    else
    {
        snprintf(valuesTemp, MAX_QUERY_SIZE,
                "VALUES ('0', '%u', '%u', '%d', '%d', '%s', '%s', '%u', '%s'",
                op_data->sensor_id, op_data->event_id, sid->sid, sid->rev, esc_message, timestamp, 
                record->log.event.priority, class_type->type);
        snprintf(eventInfo, SYSLOG_BUF, "RTEvent |0|%u|%s|%s|%s|%u|%u|%s",
                record->log.event.priority, class_type->type,
                pv.hostname, timestamp, op_data->sensor_id, op_data->event_id,
                sid->msg);
    }

    free(esc_message);

    insertValues[0] = '\0';
    strcat(insertValues, valuesTemp);

    syslogMessage[0] = '\0';
    strcat(syslogMessage, eventInfo);
    /* decode the packet */
    if(DecodePacket(&p, &record->log.pkth, record->pkt + 2) == 0)
    {

        if(p.iph)
        {
            /* Insert ip header information */
            //InsertIPData(op_data, &p);
            strcat(insertColumns,
                    ",src_ip, dst_ip, ip_proto, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_csum");
            snprintf(valuesTemp, MAX_QUERY_SIZE,
                    ",'%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u'",