Insert(insert0,data); sig_id = Select(select0,data); if(sig_id == 0) { ErrorMessage("database: Problem inserting a new signature '%s': %s\n", msg,insert0); } free(insert0); insert0 = NULL; free(insert_fields); insert_fields = NULL; free(insert_values); insert_values = NULL; free(select0); select0 = NULL; /* add the external rule references */ if(otn_tmp) { refNode = otn_tmp->sigInfo.refs; i = 1; while(refNode) { /* Get the ID # of the reference from the DB */ select0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); insert0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); ref_system_name = snort_escape_string(refNode->system->name, data); /* Note: There is an underlying assumption that the SELECT * will do a case-insensitive comparison. */ ret = SnortSnprintf(select0, MAX_QUERY_LENGTH, "SELECT ref_system_id " " FROM reference_system " " WHERE ref_system_name = '%s'", ref_system_name); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; ret = SnortSnprintf(insert0, MAX_QUERY_LENGTH, "INSERT INTO " "reference_system (ref_system_name) " "VALUES ('%s')", ref_system_name); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; ref_system_id = Select(select0, data); if ( ref_system_id == 0 ) { Insert(insert0, data); ref_system_id = Select(select0, data); } free(select0); select0 = NULL; free(insert0); insert0 = NULL; free(ref_system_name); ref_system_name = NULL; if ( ref_system_id > 0 ) { select0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); ref_tag = snort_escape_string(refNode->id, data); ret = SnortSnprintf(select0, MAX_QUERY_LENGTH, "SELECT ref_id " " FROM reference " " WHERE ref_system_id = %d " " AND ref_tag = '%s'", ref_system_id, ref_tag); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; ref_id = Select(select0, data); free(ref_tag); ref_tag = NULL; /* If this reference is not in the database, write it */ if ( ref_id == 0 ) { /* truncate the reference tag as necessary */ ref_node_id_string = (char *) SnortAlloc(101); if ( data->DBschema_version == 103 ) { ret = 
SnortSnprintf(ref_node_id_string, 20, "%s", refNode->id); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } else if ( data->DBschema_version >= 104 ) { ret = SnortSnprintf(ref_node_id_string, 100, "%s", refNode->id); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } insert0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); ref_tag = snort_escape_string(ref_node_id_string, data); ret = SnortSnprintf(insert0, MAX_QUERY_LENGTH, "INSERT INTO " "reference (ref_system_id, ref_tag) " "VALUES (%d, '%s')", ref_system_id, ref_tag); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; Insert(insert0, data); ref_id = Select(select0, data); free(insert0); insert0 = NULL; free(ref_node_id_string); ref_node_id_string = NULL; free(ref_tag); ref_tag = NULL; if ( ref_id == 0 ) { ErrorMessage("database: Unable to insert the alert reference into the DB\n"); } } free(select0); select0 = NULL; insert0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1); ret = SnortSnprintf(insert0, MAX_QUERY_LENGTH, "INSERT INTO " "sig_reference (sig_id, ref_seq, ref_id) " "VALUES (%u, %d, %u)", sig_id, i, ref_id); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; Insert(insert0, data); free(insert0); insert0 = NULL; i++; } else { ErrorMessage("database: Unable to insert unknown reference tag ('%s') used in rule.\n", refNode->id); } refNode = refNode->next; } } } else { free(select0); select0 = NULL; } free(sig_name); sig_name = NULL; if ( (data->shared->dbtype_id == DB_ORACLE) && (data->DBschema_version >= 105) ) { ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "event (sid,cid,signature,timestamp) " "VALUES (%u, %u, %u, TO_DATE('%s', 'YYYY-MM-DD HH24:MI:SS'))", data->shared->sid, data->shared->cid, sig_id, timestamp_string); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } else if(data->shared->dbtype_id == DB_ODBC) { ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "event (sid,cid,signature,timestamp) " "VALUES (%u, %u, %u, {ts '%s'})", data->shared->sid, data->shared->cid, 
sig_id, timestamp_string); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } else { ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "event (sid,cid,signature,timestamp) " "VALUES (%u, %u, %u, '%s')", data->shared->sid, data->shared->cid, sig_id, timestamp_string); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } free(timestamp_string); timestamp_string = NULL; /* We do not log fragments! They are assumed to be handled by the fragment reassembly pre-processor */ if(p != NULL) { if((!p->frag_flag) && (IPH_IS_VALID(p))) { /* query = NewQueryNode(query, 0); */ if(GET_IPH_PROTO(p) == IPPROTO_ICMP && p->icmph) { query = NewQueryNode(query, 0); /*** Build a query for the ICMP Header ***/ if(data->detail) { if(p->icmph) { ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum, icmp_id, icmp_seq) " "VALUES (%u,%u,%u,%u,%u,%u,%u)", data->shared->sid, data->shared->cid, p->icmph->type, p->icmph->code, ntohs(p->icmph->csum), ntohs(p->icmph->s_icmp_id), ntohs(p->icmph->s_icmp_seq)); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } else { ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "icmphdr (sid, cid, icmp_type, icmp_code, icmp_csum) " "VALUES (%u,%u,%u,%u,%u)", data->shared->sid, data->shared->cid, p->icmph->type, p->icmph->code, ntohs(p->icmph->csum)); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } } else { ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "icmphdr (sid, cid, icmp_type, icmp_code) " "VALUES (%u,%u,%u,%u)", data->shared->sid, data->shared->cid, p->icmph->type, p->icmph->code); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } } else if(GET_IPH_PROTO(p) == IPPROTO_TCP && p->tcph) { query = NewQueryNode(query, 0); /*** Build a query for the TCP Header ***/ if(data->detail) { ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "tcphdr (sid, cid, tcp_sport, tcp_dport, " " tcp_seq, tcp_ack, tcp_off, tcp_res, " " 
tcp_flags, tcp_win, tcp_csum, tcp_urp) " "VALUES (%u,%u,%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u)", data->shared->sid, data->shared->cid, ntohs(p->tcph->th_sport), ntohs(p->tcph->th_dport), (u_long)ntohl(p->tcph->th_seq), (u_long)ntohl(p->tcph->th_ack), TCP_OFFSET(p->tcph), TCP_X2(p->tcph), p->tcph->th_flags, ntohs(p->tcph->th_win), ntohs(p->tcph->th_sum), ntohs(p->tcph->th_urp)); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } else { ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "tcphdr (sid,cid,tcp_sport,tcp_dport,tcp_flags) " "VALUES (%u,%u,%u,%u,%u)", data->shared->sid, data->shared->cid, ntohs(p->tcph->th_sport), ntohs(p->tcph->th_dport), p->tcph->th_flags); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } if(data->detail) { /*** Build the query for TCP Options ***/ for(i=0; i < (int)(p->tcp_option_count); i++) { query = NewQueryNode(query, 0); if((data->encoding == ENCODING_HEX) || (data->encoding == ENCODING_ASCII)) { packet_data = fasthex(p->tcp_options[i].data, p->tcp_options[i].len); } else { packet_data = base64(p->tcp_options[i].data, p->tcp_options[i].len); } if(data->shared->dbtype_id == DB_ORACLE) { /* Oracle field BLOB type case. We append unescaped * opt_data data after query, which later in Insert() * will be cut off and uploaded with OCIBindByPos(). 
*/ ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) " "VALUES (%u,%u,%u,%u,%u,%u,:1)|%s", data->shared->sid, data->shared->cid, i, 6, p->tcp_options[i].code, p->tcp_options[i].len, packet_data); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; free(packet_data); packet_data = NULL; } else { ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, "INSERT INTO " "opt (sid,cid,optid,opt_proto,opt_code,opt_len,opt_data) " "VALUES (%u,%u,%u,%u,%u,%u,'%s')", data->shared->sid, data->shared->cid, i, 6, p->tcp_options[i].code, p->tcp_options[i].len, packet_data); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; free(packet_data); packet_data = NULL; } } } } else if(GET_IPH_PROTO(p) == IPPROTO_UDP && p->udph) { query =