} if( !pv.quiet_flag ) { printf("database: sensor name = %s\n", data->sensor_name); } } } /* allocate memory for configuration queries */ select_sensor_id = (char *)SnortAlloc(MAX_QUERY_LENGTH); select_max_sensor_id = (char *)SnortAlloc(MAX_QUERY_LENGTH); insert_into_sensor = (char *)SnortAlloc(MAX_QUERY_LENGTH); escapedSensorName = snort_escape_string(data->sensor_name, data); if(pv.interface != NULL) { escapedInterfaceName = snort_escape_string(PRINT_INTERFACE(pv.interface), data); } else { if(InlineMode()) { escapedInterfaceName = snort_escape_string("inline", data); } } if( data->ignore_bpf == 0 ) { if(pv.pcap_cmd == NULL) { ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, "INSERT INTO sensor (hostname, interface, detail, encoding, last_cid) " "VALUES ('%s','%s',%u,%u, 0)", escapedSensorName, escapedInterfaceName, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, "SELECT sid " " FROM sensor " " WHERE hostname = '%s' " " AND interface = '%s' " " AND detail = %u " " AND encoding = %u " " AND filter IS NULL", escapedSensorName, escapedInterfaceName, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; } else { escapedBPFFilter = snort_escape_string(pv.pcap_cmd, data); ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, "INSERT INTO sensor (hostname, interface, filter, detail, encoding, last_cid) " "VALUES ('%s','%s','%s',%u,%u, 0)", escapedSensorName, escapedInterfaceName, escapedBPFFilter, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, "SELECT sid " " FROM sensor " " WHERE hostname = '%s' " " AND interface = '%s' " " AND filter ='%s' " " AND detail = %u " " AND encoding = %u ", escapedSensorName, escapedInterfaceName, escapedBPFFilter, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; } } else /* ( data->ignore_bpf 
== 1 ) */ { if(pv.pcap_cmd == NULL) { ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, "INSERT INTO sensor (hostname, interface, detail, encoding) " "VALUES ('%s','%s',%u,%u)", escapedSensorName, escapedInterfaceName, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, "SELECT sid " " FROM sensor " " WHERE hostname = '%s' " " AND interface = '%s' " " AND detail = %u " " AND encoding = %u", escapedSensorName, escapedInterfaceName, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; } else { escapedBPFFilter = snort_escape_string(pv.pcap_cmd, data); ret = SnortSnprintf(insert_into_sensor, MAX_QUERY_LENGTH, "INSERT INTO sensor (hostname, interface, filter, detail, encoding) " "VALUES ('%s','%s','%s',%u,%u)", escapedSensorName, escapedInterfaceName, escapedBPFFilter, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; ret = SnortSnprintf(select_sensor_id, MAX_QUERY_LENGTH, "SELECT sid " " FROM sensor " " WHERE hostname = '%s' " " AND interface = '%s' " " AND detail = %u " " AND encoding = %u", escapedSensorName, escapedInterfaceName, data->detail, data->encoding); if (ret != SNORT_SNPRINTF_SUCCESS) bad_query = 1; } } if (bad_query) FatalError("Database: Unable to construct query - output error or truncation\n"); Connect(data); /* get password out of memory since we only need it for Connect */ if (data->password != NULL) { /* it'll be null terminated */ while (*data->password != '\0') { *data->password = '\0'; data->password++; } } data->shared->sid = Select(select_sensor_id,data); if(data->shared->sid == 0) { Insert(insert_into_sensor,data); data->shared->sid = Select(select_sensor_id,data); if(data->shared->sid == 0) { ErrorMessage("database: Problem obtaining SENSOR ID (sid) from %s->sensor\n", data->shared->dbname); FatalError("\n" " When this plugin starts, a SELECT query is run to find the sensor id for the\n" " 
currently running sensor. If the sensor id is not found, the plugin will run\n" " an INSERT query to insert the proper data and generate a new sensor id. Then a\n" " SELECT query is run to get the newly allocated sensor id. If that fails then\n" " this error message is generated.\n" "\n" " Some possible causes for this error are:\n" " * the user does not have proper INSERT or SELECT privileges\n" " * the sensor table does not exist\n" "\n" " If you are _absolutely_ certain that you have the proper privileges set and\n" " that your database structure is built properly please let me know if you\n" " continue to get this error. You can contact me at (roman@danyliw.com).\n" "\n"); } } if( !pv.quiet_flag ) { printf("database: sensor id = %u\n", data->shared->sid); } /* the cid may be shared across multiple instances of the database * plugin, first we check the shared data list to see if we already * have a value to use, if so, we replace the SharedDatabaseData struct * in the DatabaseData struct with the one out of the sharedDataList. * Sound confusing enough? * -Andrew */ /* XXX: Creating a set of list handling functions would make this cleaner */ current = sharedDataList; while(current != NULL) { /* We have 4 key fields to check */ if((current->data->sid == data->shared->sid) && (current->data->dbtype_id == data->shared->dbtype_id) && /* XXX: should this be a case insensitive compare? 
*/ (strcasecmp(current->data->dbname, data->shared->dbname) == 0) && (strcasecmp(current->data->host, data->shared->host) == 0)) { foundEntry = 1; break; } current = current->next; } if(foundEntry == 0) { /* Add it the the shared data list */ SharedDatabaseDataNode *newNode = (SharedDatabaseDataNode *)SnortAlloc(sizeof(SharedDatabaseDataNode)); newNode->data = data->shared; newNode->next = NULL; if(sharedDataList == NULL) { sharedDataList = newNode; } else { current = sharedDataList; while(current->next != NULL) { current = current->next; } current->next = newNode; } /* Set the cid value * - get the cid value in sensor.last_cid * - get the MAX(cid) from event * - if snort crashed without storing the latest cid, then * the MAX(event.cid) > sensor.last_cid. Update last_cid in this case */ sensor_cid = GetLastCid(data, data->shared->sid); if (sensor_cid == -1) FatalError("Database: Unable to construct query - output error or truncation\n"); ret = SnortSnprintf(select_max_sensor_id, MAX_QUERY_LENGTH, "SELECT MAX(cid) " " FROM event " " WHERE sid = %u", data->shared->sid); if (ret != SNORT_SNPRINTF_SUCCESS) FatalError("Database: Unable to construct query - output error or truncation\n"); event_cid = Select(select_max_sensor_id, data); if ( event_cid > sensor_cid ) { ret = UpdateLastCid(data, data->shared->sid, event_cid); if (ret == -1) FatalError("Database: Unable to construct query - output error or truncation\n"); ErrorMessage("database: inconsistent cid information for sid=%u\n", data->shared->sid); ErrorMessage(" Recovering by rolling forward the cid=%u\n", event_cid); } data->shared->cid = event_cid; ++(data->shared->cid); } else { /* Free memory associated with data->shared */ free(data->shared); data->shared = current->data; } /* free memory */ free(select_sensor_id); select_sensor_id = NULL; free(select_max_sensor_id); select_max_sensor_id = NULL; free(insert_into_sensor); insert_into_sensor = NULL; free(escapedSensorName); escapedSensorName = NULL; 
free(escapedInterfaceName); escapedInterfaceName = NULL; if (escapedBPFFilter != NULL) { free(escapedBPFFilter); escapedBPFFilter = NULL; } /* Get the versioning information for the DB schema */ data->DBschema_version = CheckDBVersion(data); if (data->DBschema_version == -1) FatalError("Database: Unable to construct query - output error or truncation\n"); if( !pv.quiet_flag ) printf("database: schema version = %d\n", data->DBschema_version); if ( data->DBschema_version == 0 ) { FatalError("database: The underlying database has not been initialized correctly. This\n" " version of Snort requires version %d of the DB schema. Your DB\n" " doesn't appear to have any records in the 'schema' table.\n" " Please re-run the appropriate DB creation script (e.g. create_mysql,\n" " create_postgresql, create_oracle, create_mssql) located in the\n" " contrib\\ directory.\n\n" " See the database documentation for cursory details (doc/README.database).\n" " and the URL to the most recent database plugin documentation.\n", LATEST_DB_SCHEMA_VERSION); } if ( data->DBschema_version < LATEST_DB_SCHEMA_VERSION ) { FatalError("database: The underlying database seems to be running an older version of\n" " the DB schema (current version=%d, required minimum version= %d).\n\n" " If you have an existing database with events logged by a previous\n" " version of snort, this database must first be upgraded to the latest\n" " schema (see the snort-users mailing list archive or DB plugin\n" " documention for details).\n\n" " If migrating old data is not desired, merely create a new instance\n" " of the snort database using the appropriate DB creation script\n" " (e.g. 
create_mysql, create_postgresql, create_oracle, create_mssql)\n" " located in the contrib\\ directory.\n\n" " See the database documentation for cursory details (doc/README.database).\n" " and the URL to the most recent database plugin documentation.\n", data->DBschema_version, LATEST_DB_SCHEMA_VERSION); } /* else if ( data->DBschema_version < LATEST_DB_SCHEMA_VERSION ) { ErrorMessage("database: The database is using an older version of the DB schema\n"); } */ /* Add the processor function into the function list */ if(!strncasecmp(data->facility,"log",3)) { pv.log_plugin_active = 1; if( !pv.quiet_flag ) printf("database: using the \"log\" facility\n"); AddFuncToOutputList(Database, NT_OUTPUT_LOG, data); } else { pv.alert_plugin_active = 1; if( !pv.quiet_flag ) printf("database: using the \"alert\" facility\n"); AddFuncToOutputList(Database, NT_OUTPUT_ALERT, data); } AddFuncToCleanExitList(SpoDatabaseCleanExitFunction, data); AddFuncToRestartList(SpoDatabaseRestartFunction, data); ++instances;}/******************************************************************************* * Function: InitDatabaseData(char *) * * Purpose: Initialize the data structure for connecting to * this database.