timestamp_string = GetTimestamp((struct timeval *) &p->pkth->ts, data->tz); } else { timestamp_string = GetCurrentTimestamp(); }#ifdef ENABLE_MSSQL if(data->shared->dbtype_id == DB_MSSQL) { /* SQL Server uses a date format which is slightly * different from the ISO-8601 standard generated * by GetTimestamp() and GetCurrentTimestamp(). We * need to convert from the ISO-8601 format of: * "1998-01-25 23:59:59+14316557" * to the SQL Server format of: * "1998-01-25 23:59:59.143" */ if( timestamp_string!=NULL && strlen(timestamp_string)>20 ) { timestamp_string[19] = '.'; } if( timestamp_string!=NULL && strlen(timestamp_string)>24 ) { timestamp_string[23] = '\0'; } }#endif#ifdef ENABLE_ORACLE if (data->shared->dbtype_id == DB_ORACLE) { /* Oracle (everything before 9i) does not support * date information smaller than 1 second. * To go along with the TO_DATE() Oracle function * below, this was written to strip out all the * excess information. (everything beyond a second) * Use the Oracle format of: * "1998-01-25 23:59:59" */ if ( timestamp_string!=NULL && strlen(timestamp_string)>20 ) { timestamp_string[19] = '\0'; } }#endif#ifdef ENABLE_MYSQL if (data->shared->dbtype_id == DB_MYSQL) { /* MySql does not support date information smaller than * 1 second. This was written to strip out all the * excess information. (everything beyond a second) * Use the MySql format of: * "2005-12-23 22:37:16" */ if ( timestamp_string!=NULL && strlen(timestamp_string)>20 ) { timestamp_string[19] = '\0'; } }#endif#ifdef ENABLE_ODBC if (data->shared->dbtype_id == DB_ODBC) { /* ODBC defines escape sequences for date data. * These escape sequences are of the format: * {literal-type 'value'} * The Timestamp (ts) escape sequence handles * date/time values of the format: * yyyy-mm-dd hh:mm:ss[.f...] 
* where the number of digits to the right of the * decimal point in a time or timestamp interval * literal containing a seconds component is * dependent on the seconds precision, as contained * in the SQL_DESC_PRECISION descriptor field. (For * more information, see function SQLSetDescField.) * * The number of decimal places within the fraction * of a second is database dependant. I wasn't able * to easily determine the granularity of this * value using SQL_DESC_PRECISION, so choosing to * simply discard the fractional part. */ if( timestamp_string!=NULL && strlen(timestamp_string)>20 ) { timestamp_string[19] = '\0'; } }#endif#ifdef ENABLE_POSTGRESQL if( data->shared->dbtype_id == DB_POSTGRESQL ){ /* From Posgres Documentation * For timestamp with time zone, the internally stored * value is always in UTC (GMT). An input value that has * an explicit time zone specified is converted to UTC * using the appropriate offset for that time zone. If no * time zone is stated in the input string, then it is assumed * to be in the time zone indicated by the system's TimeZone * parameter, and is converted to UTC using the offset for * the TimeZone zone */ if( timestamp_string!=NULL && strlen(timestamp_string)>24 ) { timestamp_string[23] = '\0'; } }#endif /* Write the signature information * - Determine the ID # of the signature of this alert */ select0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); sig_name = snort_escape_string(msg, data); if (event->sig_rev == 0) { ret = SnortSnprintf(sig_rev, sizeof(sig_rev), "IS NULL"); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } else { ret = SnortSnprintf(sig_rev, sizeof(sig_rev), "= %u", event->sig_rev); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } if (event->sig_id == 0) { ret = SnortSnprintf(sig_sid, sizeof(sig_sid), "IS NULL"); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } else { ret = SnortSnprintf(sig_sid, sizeof(sig_sid), "= %u", event->sig_id); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } if 
(event->sig_generator == 0) { ret = SnortSnprintf(sig_gid, sizeof(sig_gid), "IS NULL"); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } else { ret = SnortSnprintf(sig_gid, sizeof(sig_gid), "= %u", event->sig_generator); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } ret = SnortSnprintf(select0, MAX_QUERY_LENGTH, "SELECT sig_id " " FROM signature " " WHERE sig_name = '%s' " " AND sig_rev %s " " AND sig_sid %s " " AND sig_gid %s ", sig_name, sig_rev, sig_sid, sig_gid); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; sig_id = Select(select0, data); /* If this signature is detected for the first time * - write the signature * - write the signature's references, classification, priority, id, * revision number * Note: if a signature (identified with a unique text message, revision #) * initially is logged to the DB without references/classification, * but later they are added, this information will _not_ be * stored/updated unless the revision number is changed. * This algorithm is used in order to prevent many DB SELECTs to * verify their presence _every_ time the alert is triggered. 
*/ if(sig_id == 0) { /* get classification and priority information */ if(otn_tmp) { class_ptr = otn_tmp->sigInfo.classType; if(class_ptr) { /* classification */ if(class_ptr->type) { /* Get the ID # of this classification */ select1 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); sig_class = snort_escape_string(class_ptr->type, data); ret = SnortSnprintf(select1, MAX_QUERY_LENGTH, "SELECT sig_class_id " " FROM sig_class " " WHERE sig_class_name = '%s'", sig_class); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; class_id = Select(select1, data); if ( !class_id ) { insert0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); ret = SnortSnprintf(insert0, MAX_QUERY_LENGTH, "INSERT INTO " "sig_class (sig_class_name) " "VALUES ('%s')", sig_class); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; Insert(insert0, data); free(insert0); insert0 = NULL; class_id = Select(select1, data); if ( !class_id ) { ErrorMessage("database: unable to write classification\n"); } } free(select1); select1 = NULL; free(sig_class); sig_class = NULL; } } } insert0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); insert_fields = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); insert_values = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); insert_fields_len = 0; insert_values_len = 0; ret = SnortSnprintf(insert_fields, MAX_QUERY_LENGTH - insert_fields_len, "%s", "sig_name"); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; ret = SnortSnprintf(insert_values, MAX_QUERY_LENGTH - insert_values_len, "'%s'", sig_name); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); if ( class_id > 0 ) { ret = SnortSnprintf(&insert_fields[insert_fields_len], MAX_QUERY_LENGTH - insert_fields_len, "%s", ",sig_class_id"); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", class_id); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; insert_fields_len = 
strlen(insert_fields); insert_values_len = strlen(insert_values); } if ( event->priority > 0 ) { ret = SnortSnprintf(&insert_fields[insert_fields_len], MAX_QUERY_LENGTH - insert_fields_len, "%s", ",sig_priority"); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", event->priority); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); } if ( event->sig_rev > 0 ) { ret = SnortSnprintf(&insert_fields[insert_fields_len], MAX_QUERY_LENGTH - insert_fields_len, "%s", ",sig_rev"); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", event->sig_rev); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); } if ( event->sig_id > 0 ) { ret = SnortSnprintf(&insert_fields[insert_fields_len], MAX_QUERY_LENGTH - insert_fields_len, "%s", ",sig_sid"); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", event->sig_id); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); } if ( event->sig_generator > 0 ) { ret = SnortSnprintf(&insert_fields[insert_fields_len], MAX_QUERY_LENGTH - insert_fields_len, "%s", ",sig_gid"); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; ret = SnortSnprintf(&insert_values[insert_values_len], MAX_QUERY_LENGTH - insert_values_len, ",%u", event->sig_generator); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; insert_fields_len = strlen(insert_fields); insert_values_len = strlen(insert_values); } ret = SnortSnprintf(insert0, MAX_QUERY_LENGTH, "INSERT INTO signature (%s) VALUES (%s)", insert_fields, insert_values); if 
(ret != SNORT_SNPRINTF_SUCCESS) goto bad_query;