ntohl(p.iph->ip_src.s_addr), ntohl(p.iph->ip_dst.s_addr), p.iph->ip_proto, IP_VER(p.iph), IP_HLEN(p.iph), p.iph->ip_tos, ntohs(p.iph->ip_len), ntohs(p.iph->ip_id),#if defined(WORDS_BIGENDIAN) ((p.iph->ip_off & 0xE000) >> 13), htons(p.iph->ip_off & 0x1FFF),#else ((p.iph->ip_off & 0x00E0) >> 5), htons(p.iph->ip_off & 0xFF1F),#endif p.iph->ip_ttl, htons(p.iph->ip_csum) < MAX_QUERY_SIZE); strcat(insertValues, valuesTemp); /* SYSLOG - Changed to SguilSendEvent*/ snprintf(ipInfo, 38, "|%u.%u.%u.%u|%u.%u.%u.%u|%u",#if defined(WORDS_BIGENDIAN) (p.iph->ip_src.s_addr & 0xff000000) >> 24, (p.iph->ip_src.s_addr & 0x00ff0000) >> 16, (p.iph->ip_src.s_addr & 0x0000ff00) >> 8, (p.iph->ip_src.s_addr & 0x000000ff), (p.iph->ip_dst.s_addr & 0xff000000) >> 24, (p.iph->ip_dst.s_addr & 0x00ff0000) >> 16, (p.iph->ip_dst.s_addr & 0x0000ff00) >> 8, (p.iph->ip_dst.s_addr & 0x000000ff),#else (p.iph->ip_src.s_addr & 0x000000ff), (p.iph->ip_src.s_addr & 0x0000ff00) >> 8, (p.iph->ip_src.s_addr & 0x00ff0000) >> 16, (p.iph->ip_src.s_addr & 0xff000000) >> 24, (p.iph->ip_dst.s_addr & 0x000000ff), (p.iph->ip_dst.s_addr & 0x0000ff00) >> 8, (p.iph->ip_dst.s_addr & 0x00ff0000) >> 16, (p.iph->ip_dst.s_addr & 0xff000000) >> 24,#endif p.iph->ip_proto); strcat(syslogMessage, ipInfo); /* store layer 4 data for non fragmented packets */ if(!(p.pkt_flags & PKT_FRAG_FLAG)) { switch(p.iph->ip_proto) { case IPPROTO_ICMP: snprintf(portInfo, 16, "|||"); if(!p.icmph) break; strcat(insertColumns, ", icmp_type, icmp_code)"); snprintf(valuesTemp, MAX_QUERY_SIZE, ", '%u', '%u')", p.icmph->icmp_type, p.icmph->icmp_code); strcat(insertValues, valuesTemp); strcat(insertColumns, insertValues); sgInsert(op_data, insertColumns, NULL); sgInsertICMPData(op_data, &p); break; case IPPROTO_TCP: strcat(insertColumns, ", src_port, dst_port)"); snprintf(valuesTemp, MAX_QUERY_SIZE, ", '%u', '%u')", p.sp, p.dp); strcat(insertValues, valuesTemp); strcat(insertColumns, insertValues); sgInsert(op_data, insertColumns, NULL); 
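/* tail of the per-protocol switch of the alert handler; that function begins
 * before this span and its statements are reproduced unchanged */
                sgInsertTCPData(op_data, &p);
                snprintf(portInfo, 16, "|%u|%u|", p.sp, p.dp);
                break;
            case IPPROTO_UDP:
                strcat(insertColumns, ", src_port, dst_port)");
                snprintf(valuesTemp, MAX_QUERY_SIZE, ", '%u', '%u')", p.sp, p.dp);
                strcat(insertValues, valuesTemp);
                strcat(insertColumns, insertValues);
                sgInsert(op_data, insertColumns, NULL);
                sgInsertUDPData(op_data, &p);
                snprintf(portInfo, 16, "|%u|%u|", p.sp, p.dp);
                break;
            }
            strcat(syslogMessage, portInfo);
        }
        else
        {
            strcat(syslogMessage, "|||");
        }
        /* Insert payload data */
        sgInsertPayloadData(op_data, &p);
    }
    else
    {
        strcat(syslogMessage, "||||||");
    }
    }
    //sgEndTransaction(op_data);
    /* XXX: Error Checking */
    ++op_data->event_id;

    /* Append the sig id and rev to the RT event */
    snprintf(eventInfo, SYSLOG_BUF, "%u|%u|\n", sid->sid, sid->rev);
    strcat(syslogMessage, eventInfo);

    /* Write to the network socket */
    SguilSendEvent(op_data, syslogMessage);

    return 0;
}

/*
 * Insert the UDP header of packet p into the udphdr table, keyed by this
 * sensor's id and the current event id.
 *
 * op_data: plugin state (sensor_id, event_id, DB handle).
 * p:       decoded packet; nothing is inserted when p->udph is NULL.
 *
 * Returns 0 unconditionally; the result of sgInsert() is not checked.
 */
int sgInsertUDPData(OpSguil_Data *op_data, Packet *p)
{
    int len;

    if(!p->udph)
        return 0;

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "INSERT INTO udphdr(sid, cid, udp_len, udp_csum)"
                   "VALUES ('%u', '%u', '%u', '%u')",
                   op_data->sensor_id, op_data->event_id,
                   ntohs(p->udph->uh_len), ntohs(p->udph->uh_chk));

    /* a negative return (encoding error) or a truncated statement must never
     * reach the database; the fixed-width values make the latter unlikely */
    if(len >= 0 && len < MAX_QUERY_SIZE)
    {
        sgInsert(op_data, sql_buffer, NULL); /* XXX: Error Checking */
    }
    return 0;
}

/*
 * Insert the TCP header of packet p into the tcphdr table, keyed by this
 * sensor's id and the current event id.
 *
 * op_data: plugin state (sensor_id, event_id, DB handle).
 * p:       decoded packet; nothing is inserted when p->tcph is NULL.
 *
 * Returns 0 unconditionally; the result of sgInsert() is not checked.
 * TCP options are not stored.
 */
int sgInsertTCPData(OpSguil_Data *op_data, Packet *p)
{
    int len;

    if(!p->tcph)
        return 0;

    /* insert data into the tcp header table */
    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "INSERT INTO tcphdr(sid, cid, tcp_seq, "
                   "tcp_ack, tcp_off, tcp_res, tcp_flags, tcp_win, tcp_csum, "
                   "tcp_urp) VALUES('%u', '%u', '%u', '%u', '%u', "
                   "'%u', '%u', '%u', '%u', '%u')",
                   op_data->sensor_id, op_data->event_id,
                   ntohl(p->tcph->th_seq), ntohl(p->tcph->th_ack),
                   TCP_OFFSET(p->tcph), TCP_X2(p->tcph), p->tcph->th_flags,
                   ntohs(p->tcph->th_win), ntohs(p->tcph->th_sum),
                   ntohs(p->tcph->th_urp));

    /* see sgInsertUDPData(): never hand a failed or truncated statement to
     * the database */
    if(len >= 0 && len < MAX_QUERY_SIZE)
    {
        sgInsert(op_data, sql_buffer, NULL); /* XXX: Error checking */
    }

    /* XXX: TCP Options not handled */
    return 0;
}

/*
 * True for the ICMP message types whose header carries an identifier and
 * sequence number: echo reply (0), echo (8), timestamp (13), timestamp
 * reply (14), information request (15) and information reply (16).
 */
static int sgIcmpHasIdSeq(unsigned int type)
{
    switch(type)
    {
        case 0:
        case 8:
        case 13:
        case 14:
        case 15:
        case 16:
            return 1;
        default:
            return 0;
    }
}

/*
 * Insert the ICMP header of packet p into the icmphdr table, keyed by this
 * sensor's id and the current event id.  Types that carry an id/seq pair
 * get those two columns as well; all other types store only the checksum.
 *
 * op_data: plugin state (sensor_id, event_id, DB handle).
 * p:       decoded packet; nothing is inserted when p->icmph is NULL.
 *
 * Returns 0 unconditionally; the result of sgInsert() is not checked.
 */
int sgInsertICMPData(OpSguil_Data *op_data, Packet *p)
{
    int len;

    if(!p->icmph)
        return 0;

    if(sgIcmpHasIdSeq(p->icmph->icmp_type))
    {
        /* id and seq are wire-order 16-bit fields; ntohs() is the
         * conversion meant here (it is the same byte swap as htons()) */
        len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                       "INSERT INTO icmphdr(sid, cid, "
                       "icmp_csum, icmp_id, icmp_seq) "
                       "VALUES('%u', '%u', '%u', '%u', '%u')",
                       op_data->sensor_id, op_data->event_id,
                       ntohs(p->icmph->icmp_csum),
                       ntohs(p->icmph->icmp_hun.ih_idseq.icd_id),
                       ntohs(p->icmph->icmp_hun.ih_idseq.icd_seq));
    }
    else
    {
        len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                       "INSERT INTO icmphdr(sid, cid, "
                       "icmp_csum) VALUES('%u', '%u', '%u')",
                       op_data->sensor_id, op_data->event_id,
                       ntohs(p->icmph->icmp_csum));
    }

    if(len >= 0 && len < MAX_QUERY_SIZE)
    {
        sgInsert(op_data, sql_buffer, NULL); /* XXX: Error checking */
    }
    return 0;
}

/*
 * Insert the packet payload, hex encoded, into the data table for the
 * current event.
 *
 * op_data: plugin state (sensor_id, event_id, DB handle).
 * p:       decoded packet; nothing is inserted when p->dsize is 0.
 *
 * A payload whose encoded form does not fit in sql_buffer is not inserted
 * at all (it is never truncated); that case is logged so the missing
 * evidence is visible to the operator.
 *
 * Returns 0 unconditionally; the result of sgInsert() is not checked.
 */
int sgInsertPayloadData(OpSguil_Data *op_data, Packet *p)
{
    char *hex_payload;
    int len;

    if(!p->dsize)
        return 0;

    /* fasthex() hands back a heap string that this function owns and frees.
     * NOTE(review): the encoding is presumably hex digits only, which is why
     * it can be spliced into the quoted literal without escaping -- verify
     * against fasthex() itself. */
    hex_payload = fasthex(p->data, p->dsize);
    if(hex_payload == NULL)
        return 0;

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "INSERT INTO data(sid, cid, data_payload) "
                   "VALUES('%u', '%u', '%s')",
                   op_data->sensor_id, op_data->event_id, hex_payload);

    if(len >= 0 && len < MAX_QUERY_SIZE)
    {
        sgInsert(op_data, sql_buffer, NULL); /* XXX: Error Checking */
    }
    else
    {
        LogMessage("Payload of %u bytes does not fit the query buffer, "
                   "data row not inserted (sid %u, cid %u)\n",
                   (unsigned int)p->dsize, op_data->sensor_id,
                   op_data->event_id);
    }

    free(hex_payload);
    return 0;
}

/* size of the hostname buffer: 255 characters plus the terminating NUL */
enum { SGUIL_HOSTNAME_BUFSZ = 256 };

/*
 * Attempts to retrieve the sensor id for this host from the sensor table,
 * registering the host when it is not there yet.
 *
 * op_data: plugin state carrying the DB handle.
 *
 * Looks the host up by pv.hostname, querying the system hostname into a
 * fresh buffer when pv.hostname is still NULL.  On a database failure, an
 * unbuildable query or a hostname that cannot be placed in a quoted SQL
 * literal the function terminates the process through FatalError().
 *
 * Returns the sensor id; when the host had to be inserted this is whatever
 * sgInsert() stored through its last argument (0 if it stored nothing).
 */
unsigned int SguilGetSensorId(OpSguil_Data *op_data)
{
    unsigned int sensor_id = 0;
    int len;

    /* XXX: This should be moved to global setup */
    if(pv.hostname == NULL)
    {
        /* query the hostname */
        /* the DB schema allows for a hostname of up to 2^16-1 characters, i am
         * limiting this to 255 (+1 for the NULL) */
        pv.hostname = (char *)SafeAlloc(SGUIL_HOSTNAME_BUFSZ);
        if(gethostname(pv.hostname, SGUIL_HOSTNAME_BUFSZ))
        {
            FatalError("Error querying hostname: %s\n", strerror(errno));
        }
        /* gethostname() does not guarantee NUL termination when the name is
         * cut to the buffer size */
        pv.hostname[SGUIL_HOSTNAME_BUFSZ - 1] = '\0';
    }

    /* the hostname is spliced into the query text unescaped; rather than
     * emitting a malformed statement, refuse the two characters that could
     * end the quoted literal (neither is valid in a hostname anyway) */
    if(strpbrk(pv.hostname, "'\\") != NULL)
    {
        FatalError("Hostname contains characters not allowed in SQL literal: %s\n",
                   pv.hostname);
    }

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "SELECT sid FROM sensor WHERE hostname='%s'", pv.hostname);
    if(len < 0 || len >= MAX_QUERY_SIZE)
    {
        FatalError("Error building SQL Query\n");
    }

    if(sgSelectAsUInt(op_data, sql_buffer, &sensor_id) == -1)
    {
        FatalError("Database Error\n");
    }

    if(sensor_id == 0)
    {
        /* insert sensor information */
        len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                       "INSERT INTO sensor (hostname) "
                       "VALUES ('%s')", pv.hostname);
        if(len < 0 || len >= MAX_QUERY_SIZE)
        {
            FatalError("Error building SQL Query\n");
        }
        sgInsert(op_data, sql_buffer, &sensor_id); /* XXX: Error checking */
    }

    if(pv.verbose >= 2)
        LogMessage("sensor_id == %u\n", sensor_id);

    return sensor_id;
}

/*
 * Retrieves the next acid_cid to use for inserting into the database for
 * this sensor.
 *
 * data: plugin state; data->sensor_id selects the sensor's rows.
 *
 * Returns max(cid) for this sensor plus one, i.e. 1 when the sensor has no
 * events yet.  Terminates through FatalError() when the query cannot be
 * built or the select fails.
 */
unsigned int SguilGetNextCid(OpSguil_Data *data)
{
    unsigned int cid = 0;
    int len;

    len = snprintf(sql_buffer, MAX_QUERY_SIZE,
                   "SELECT max(cid) FROM event WHERE sid='%u'",
                   data->sensor_id);
    if(len < 0 || len >= MAX_QUERY_SIZE)
    {
        /* a query that does not fit is a build error, not a DB error;
         * same wording as SguilGetSensorId() */
        FatalError("Error building SQL Query\n");
    }

    if(sgSelectAsUInt(data, sql_buffer, &cid) == -1)
    {
        FatalError("Database Error\n");
    }
#ifdef DEBUG
    LogMessage("cid == %u\n", cid);
    fflush(stdout);
#endif

    return ++cid;
}

/* argument parser; this function continues past the end of this span and
 * is reproduced unchanged */
OpSguil_Data *OpSguil_ParseArgs(char *args)
{
    OpSguil_Data *op_data;

    op_data = (OpSguil_Data *)SafeAlloc(sizeof(OpSguil_Data));
    op_data->options = 0;

    if(args != NULL)
    {
        char **toks;
        int num_toks;
        int i;

        /* parse out your args */
        toks = mSplit(args, ",", 31, &num_toks, '\\');
        for(i = 0; i < num_toks; ++i)
        {
            char **stoks;
            int num_stoks;
            char *index = toks[i];

            while(isspace((int)*index))
                ++index;
            stoks = mSplit(index, " ", 2, &num_stoks, 0);

            if(strcasecmp("database", stoks[0]) == 0)
            {
                if(num_stoks > 1 && op_data->database == NULL)
                    op_data->database = strdup(stoks[1]);
                else
                    LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index);
            }
            else if(strcasecmp("server", stoks[0]) == 0)
            {
                if(num_stoks > 1 && op_data->server == NULL)
                    op_data->server = strdup(stoks[1]);
                else
                    LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index);
            }
            else if(strcasecmp("user", stoks[0]) == 0)
            {
                if(num_stoks > 1 && op_data->user == NULL)
                    op_data->user = strdup(stoks[1]);
                else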
LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index); } else if(strcasecmp("password", stoks[0]) == 0) { if(num_stoks > 1 && op_data->password == NULL) op_data->password = strdup(stoks[1]); else LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index); } else if(strcasecmp("sensor_id", stoks[0]) == 0) { if(num_stoks > 1 && op_data->sensor_id == 0) op_data->sensor_id = atoi(stoks[1]); else LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index); } else if(strcasecmp("sguild_host", stoks[0]) == 0) { if(num_stoks > 1 && op_data->sguild_host == 0) op_data->sguild_host = strdup(stoks[1]); else LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index); } else if(strcasecmp("nospin", stoks[0]) == 0) { op_data->nospin = 1; } else if(strcasecmp("sguild_port", stoks[0]) == 0) { if(num_stoks > 1 && op_data->sguild_port == 0) op_data->sguild_port = atoi(stoks[1]); else LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index); }#ifdef ENABLE_MYSQL else if(strcasecmp("mysql", stoks[0]) == 0) { if(op_data->flavor == 0) op_data->flavor = FLAVOR_MYSQL; else LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index); }#endif /* ENABLE_MYSQL */ else { fprintf(stderr, "WARNING %s (%d) => Unrecognized argument for " "Sguil plugin: %s\n", file_name, file_line, index);