« back to all changes in this revision
Viewing changes to src/output-plugins/sagan-snort.c
- browse files at revision 1
- compare with another revision
- download diff
- download tarball
- view history from revision 1
- Committer: Bazaar Package Importer
- Author(s): Pierre Chifflier
- Date: 2011-03-17 15:18:58 UTC
- Revision ID: james.westby@ubuntu.com-20110317151858-iqvfx0hsxlamxp6b
Tags: upstream-0.1.9~svn129
ImportĀ upstreamĀ versionĀ 0.1.9~svn129
- files added:
- doc
- etc
- extra
- extra/conversion
- extra/sagan-gtk
- extra/sagan-notify
- src
- src/output-plugins
- src/parsers
added
removed
src/output-plugins/sagan-snort.c
1
/*
2
** Copyright (C) 2009-2011 Softwink, Inc.
3
** Copyright (C) 2009-2011 Champ Clark III <champ@softwink.com>
4
**
5
** This program is free software; you can redistribute it and/or modify
6
** it under the terms of the GNU General Public License Version 2 as
7
** published by the Free Software Foundation. You may not use, modify or
8
** distribute this program under any other version of the GNU General
9
** Public License.
10
**
11
** This program is distributed in the hope that it will be useful,
12
** but WITHOUT ANY WARRANTY; without even the implied warranty of
13
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
** GNU General Public License for more details.
15
**
16
** You should have received a copy of the GNU General Public License
17
** along with this program; if not, write to the Free Software
18
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
19
*/
20
21
/* sagan-db.c
22
*
23
* Threaded function for database support. These functions are for both
24
* MySQL and PostgreSQL. These allow Sagan to report to Snort databases
25
* where we'll attempt to correlate the events.
26
*
27
*/
28
29
#ifdef HAVE_CONFIG_H
30
#include "config.h" /* From autoconf */
31
#endif
32
33
34
#if defined(HAVE_LIBMYSQLCLIENT_R) || defined(HAVE_LIBPQ)
35
36
#include <stdio.h>
37
#include <netinet/in.h>
38
#include <arpa/inet.h>
39
#include <string.h>
40
#include <stdlib.h>
41
#include <pthread.h>
42
#include <stdint.h>
43
#include <inttypes.h>
44
#include <unistd.h>
45
46
#include "sagan-snort.h"
47
48
#include "sagan.h"
49
#include "version.h"
50
51
52
#ifdef HAVE_LIBMYSQLCLIENT_R
53
#include <mysql/mysql.h>
54
#include <mysql/errmsg.h>
55
MYSQL *connection, *mysql;
56
#endif
57
58
#ifdef HAVE_LIBPQ
59
#include <libpq-fe.h>
60
PGconn *psql;
61
PGresult *result;
62
char pgconnect[2048];
63
#endif
64
65
struct _SaganConfig *config;
66
struct _SaganDebug *debug;
67
struct _SaganCounters *counters;
68
69
struct rule_struct *rulestruct;
70
71
pthread_mutex_t db_mutex;
72
73
74
/********************************************/
75
/* Connection to various types of databases */
76
/********************************************/
77
78
int db_connect( void ) {
79
80
char *dbh=NULL;
81
char *dbu=NULL;
82
char *dbp=NULL;
83
char *dbn=NULL;
84
85
dbu = config->dbuser;
86
dbh = config->dbhost;
87
dbp = config->dbpassword;
88
dbn = config->dbname;
89
90
/********************/
91
/* MySQL connection */
92
/********************/
93
94
#ifdef HAVE_LIBMYSQLCLIENT_R
95
if ( config->dbtype == 1 ) {
96
97
mysql_thread_init();
98
mysql = mysql_init(NULL);
99
100
if ( mysql == NULL ) {
101
removelockfile();
102
sagan_log(1, "[%s, line %d] Error initializing MySQL", __FILE__, __LINE__);
103
}
104
105
106
my_bool reconnect = 1;
107
mysql_options(mysql,MYSQL_READ_DEFAULT_GROUP,config->dbname);
108
109
/* Re-connect to the database if the connection is lost */
110
111
mysql_options(mysql,MYSQL_OPT_RECONNECT, &reconnect);
112
113
if (!mysql_real_connect(mysql, dbh, dbu, dbp, dbn, MYSQL_PORT, NULL, 0)) {
114
sagan_log(1, "[%s, line %d] MySQL Error %u: \"%s\"", __FILE__, __LINE__, mysql_errno(mysql), mysql_error(mysql));
115
}
116
117
}
118
#endif
119
120
/*************************/
121
/* PostgreSQL connection */
122
/*************************/
123
124
#ifdef HAVE_LIBPQ
125
if ( config->dbtype == 2 ) {
126
127
//isthreadsafe = PQisthreadsafe(); // check
128
129
snprintf(pgconnect, sizeof(pgconnect), "hostaddr = '%s' port = '%d' dbname = '%s' user = '%s' password = '%s' connect_timeout = '30'", dbh, 5432 , dbn, dbu, dbp);
130
131
psql = PQconnectdb(pgconnect);
132
133
if (!psql) {
134
removelockfile();
135
sagan_log(1, "[%s, line %d] PostgreSQL: PQconnect Error", __FILE__, __LINE__);
136
}
137
138
if (PQstatus(psql) != CONNECTION_OK) {
139
removelockfile();
140
sagan_log(1, "[%s, line %d] PostgreSQL status not OK", __FILE__, __LINE__);
141
}
142
143
}
144
#endif
145
146
return(0);
147
} /* End of db_connect */
148
149
/****************************************************************************
150
* Query Database | iorq == 0 (SELECT) iorq == 1 (INSERT) *
151
* For SELECT, we typically only want one value back (row[0]) so return it *
152
* For INSERT, we don't need or get any results back *
153
****************************************************************************/
154
155
char *db_query ( int dbtype, char *sql ) {
156
157
char sqltmp[MAXSQL]; /* Make this a MAXSQL or something */
158
char *re=NULL; /* "return" point for row */
159
160
int mysql_last_errno = 0;
161
int mysql_reconnect_count = 0;
162
163
pthread_mutex_lock( &db_mutex );
164
165
strlcpy(sqltmp, sql, sizeof(sqltmp));
166
167
if ( debug->debugsql ) sagan_log(0, "%s", sqltmp);
168
169
#ifdef HAVE_LIBMYSQLCLIENT_R
170
if ( dbtype == 1 ) {
171
172
MYSQL_RES *res;
173
MYSQL_ROW row;
174
175
while ( mysql_real_query(mysql, sqltmp, strlen(sqltmp)) != 0 ) {
176
177
mysql_last_errno = mysql_errno(mysql);
178
179
if ( mysql_last_errno == CR_CONNECTION_ERROR ||
180
mysql_last_errno == CR_CONN_HOST_ERROR ||
181
mysql_last_errno == CR_SERVER_GONE_ERROR ) {
182
mysql_reconnect_count++;
183
sagan_log(0, "[%s, line %d] Lost connection to MySQL database. Trying %d", __FILE__, __LINE__, mysql_reconnect_count);
184
sleep(2); // Give the DB time to recover
185
186
} else {
187
188
sagan_log(0, "[%s, line %d] MySQL Error [%u:] \"%s\"\nOffending SQL statement: %s\n", __FILE__, __LINE__, mysql_errno(mysql), mysql_error(mysql), sqltmp);
189
}
190
191
}
192
193
194
if ( mysql_reconnect_count != 0 ) { /* If there's a reconnect_count, we must of lost connection */
195
sagan_log(0, "MySQL connection re-established!"); /* Log it */
196
mysql_reconnect_count=0; /* Reset the counter */
197
}
198
199
res = mysql_use_result(mysql);
200
201
if ( res != NULL ) {
202
while((row = mysql_fetch_row(res))) {
203
snprintf(sqltmp, sizeof(sqltmp), "%s", row[0]);
204
re=sqltmp;
205
}
206
}
207
208
mysql_free_result(res);
209
pthread_mutex_unlock( &db_mutex );
210
return(re);
211
}
212
#else
213
if ( dbtype == 1 ) {
214
removelockfile();
215
sagan_log(1, "Sagan was not compiled with MySQL support. Aborting!");
216
}
217
#endif
218
219
#ifdef HAVE_LIBPQ
220
if ( dbtype == 2 ) {
221
222
if (( result = PQexec(psql, sqltmp )) == NULL ) {
223
//removelockfile();
224
sagan_log(0, "[%s, line %d] PostgreSQL Error: %s", __FILE__, __LINE__, PQerrorMessage( psql ));
225
}
226
227
if (PQresultStatus(result) != PGRES_COMMAND_OK &&
228
PQresultStatus(result) != PGRES_TUPLES_OK) {
229
sagan_log(0, "[%s, line %d] PostgreSQL Error: %s", __FILE__, __LINE__, PQerrorMessage( psql ));
230
PQclear(result);
231
//removelockfile();
232
sagan_log(0, "DB Query failed: %s", sqltmp);
233
}
234
235
if ( PQntuples(result) != 0 ) {
236
re = PQgetvalue(result,0,0);
237
}
238
239
PQclear(result);
240
pthread_mutex_unlock( &db_mutex);
241
return(re);
242
243
}
244
#else
245
if ( dbtype == 2 ) {
246
removelockfile();
247
sagan_log(1, "[%s, line %d] Sagan was not compiled with PostgreSQL support. Aborting!", __FILE__, __LINE__);
248
}
249
#endif
250
251
return(0);
252
}
253
254
/*****************************************************************************/
255
/* Get's the current sensor ID or creates a new one if this is the first run */
256
/*****************************************************************************/
257
258
int get_sensor_id ( char *hostname, char *interface, char *filter, int detail, int dbtype ) {
259
260
char sqltmp[MAXSQL];
261
char *sql;
262
char *sqlout;
263
264
snprintf(sqltmp, sizeof(sqltmp), "SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' AND filter='%s' AND detail='%d' AND encoding='0'", hostname, interface, filter, detail);
265
sql=sqltmp;
266
sqlout = db_query( dbtype, sql );
267
268
if ( sqlout == NULL ) {
269
270
/* Insert new sensor ID */
271
snprintf(sqltmp, sizeof(sqltmp), "INSERT INTO sensor (hostname, interface, filter, detail, encoding, last_cid) VALUES ('%s', '%s', '%s', '%u', '0', '0')", hostname, interface, filter, detail);
272
sql=sqltmp;
273
db_query(dbtype, sql);
274
275
/* Get new sensor ID */
276
snprintf(sqltmp, sizeof(sqltmp), "SELECT sid FROM sensor WHERE hostname='%s' AND interface='%s' AND filter='%s' AND detail='%d' AND encoding='0'", hostname, interface, filter, detail);
277
sql=sqltmp;
278
sqlout = db_query( dbtype, sql );
279
}
280
281
config->sensor_id = atoi(sqlout);
282
//return(sensor_id);
283
return(0);
284
285
}
286
287
/******************************************/
288
/* Get the last used CID and increment it */
289
/******************************************/
290
291
uint64_t get_cid ( int sensor_sid, int dbtype ) {
292
293
char sqltmp[MAXSQL];
294
char *sql;
295
char *sqlout;
296
uint64_t t_cid;
297
298
299
snprintf(sqltmp, sizeof(sqltmp), "SELECT last_cid from sensor where sid=%d and hostname='%s' and interface='%s' and filter='%s' and detail=%d", sensor_sid, config->sagan_hostname, config->sagan_interface, config->sagan_filter, config->sagan_detail);
300
301
sql=sqltmp;
302
sqlout = db_query( dbtype, sql );
303
304
if ( sqlout == NULL ) {
305
t_cid = 0; /* Returned NULL, no CID found */
306
} else {
307
t_cid = atol(sqlout);
308
}
309
310
return(t_cid);
311
}
312
313
314
/*********************************************************/
315
/* Get signature ID. If on doesn't exsist, put one in. */
316
/*********************************************************/
317
318
319
int get_sig_sid(char *t_msg, char *t_sig_rev, char *t_sig_sid, char *classtype, int t_sig_pri, int dbtype ) {
320
321
322
char sqltmp[MAXSQL];
323
char *sql;
324
char *sqlout;
325
int sig_class_id;
326
int t_sig_id;
327
328
snprintf(sqltmp, sizeof(sqltmp), "SELECT sig_class_id from sig_class where sig_class_name='%s'", classtype);
329
sql=sqltmp;
330
sqlout = db_query( dbtype, sql );
331
332
if ( sqlout == NULL ) {
333
334
/* classification hasn't been recorded in sig_class, so put it in */
335
336
snprintf(sqltmp, sizeof(sqltmp), "INSERT INTO sig_class(sig_class_id, sig_class_name) VALUES (DEFAULT, '%s')", classtype);
337
sql=sqltmp;
338
db_query( dbtype, sql);
339
340
/* Grab new ID */
341
342
snprintf(sqltmp, sizeof(sqltmp), "SELECT sig_class_id from sig_class where sig_class_name='%s'", classtype);
343
sql=sqltmp;
344
sqlout = db_query( dbtype, sql );
345
}
346
347
sig_class_id = atoi(sqlout);
348
349
/* Look for the signature id */
350
351
snprintf(sqltmp, sizeof(sqltmp), "SELECT sig_id FROM signature WHERE sig_name='%s' AND sig_rev=%s AND sig_sid=%s", t_msg, t_sig_rev, t_sig_sid);
352
sql=sqltmp;
353
354
355
sqlout = db_query( dbtype, sql );
356
357
/* If not found, create a new entry for it */
358
359
if ( sqlout == NULL ) {
360
361
snprintf(sqltmp, sizeof(sqltmp), "INSERT INTO signature(sig_name, sig_class_id, sig_priority, sig_rev, sig_sid) VALUES ('%s', '%d', '%d', '%s', '%s' )", t_msg, sig_class_id, t_sig_pri, t_sig_rev, t_sig_sid);
362
sql=sqltmp;
363
db_query( dbtype, sql );
364
365
/* Get the new ID of the new entry */
366
snprintf(sqltmp, sizeof(sqltmp), "SELECT sig_id FROM signature WHERE sig_name='%s' AND sig_rev=%s AND sig_sid=%s", t_msg, t_sig_rev, t_sig_sid);
367
sql=sqltmp;
368
sqlout = db_query( dbtype, sql );;
369
}
370
371
t_sig_id = atoi(sqlout);
372
return(t_sig_id);
373
374
}
375
376
377
/***************************/
378
/* Insert into event table */
379
/***************************/
380
381
void insert_event (int t_sid, uint64_t t_cid, int t_sig_sid, int dbtype, char *date, char *time ) {
382
383
char sqltmp[MAXSQL];
384
char *sql;
385
386
pthread_mutex_lock( &db_mutex );
387
388
snprintf(sqltmp, sizeof(sqltmp), "INSERT INTO event(sid, cid, signature, timestamp) VALUES ('%d', '%" PRIu64 "', '%d', '%s %s')", t_sid, t_cid, t_sig_sid, date, time );
389
sql=sqltmp;
390
391
pthread_mutex_unlock( &db_mutex );
392
393
db_query( dbtype, sql );
394
395
}
396
397
398
/****************************************************************************************/
399
/* Insert data into iphdr and tcphdr - most of this is bogus as we're not really TCP/IP */
400
/****************************************************************************************/
401
402
void insert_hdr(int t_sid, uint64_t t_cid, char *t_ipsrc, char *t_ipdst, int t_ipproto, int endian, int dbtype, int dst_port, int src_port) {
403
404
405
char sqltmp[MAXSQL];
406
char *sql;
407
408
/* Temp. store 32bit IP address for DB insertion */
409
410
/* 4 == IPv4 */
411
412
snprintf(sqltmp, sizeof(sqltmp), "INSERT INTO iphdr VALUES ( '%d', '%" PRIu64 "', '%d', '%d', '4', '0', '0', '0', '0', '0', '0', '0', '%d', '0' )", t_sid, t_cid, ip2bit(t_ipsrc, endian), ip2bit(t_ipdst, endian), t_ipproto );
413
414
sql=sqltmp;
415
db_query( dbtype, sql );
416
417
/* "tcp" */
418
if ( t_ipproto == 6 ) {
419
snprintf(sqltmp, sizeof(sqltmp), "INSERT INTO tcphdr VALUES ( '%d', '%" PRIu64 "', '%d', '%d', '0', '0', '0', '0', '0', '0', '0', '0' )", t_sid, t_cid, src_port, dst_port );
420
sql=sqltmp;
421
db_query( dbtype, sql );
422
}
423
424
/* "udp" */
425
426
if ( t_ipproto == 17 ) {
427
snprintf(sqltmp, sizeof(sqltmp), "INSERT INTO udphdr VALUES ( '%d', '%" PRIu64 "', '%d', '%d', '0', '0' )", t_sid, t_cid, src_port, dst_port );
428
sql=sqltmp;
429
db_query( dbtype, sql );
430
}
431
432
/* Basic ICMP - Set to type 8 (echo) , code of 8 */
433
/* May expand on this if there's actually a use for it */
434
435
if ( t_ipproto == 1 ) {
436
snprintf(sqltmp, sizeof(sqltmp), "INSERT INTO icmphdr VALUES ( '%d', '%" PRIu64 "', '8', '8', '0', '0', '0' )", t_sid, t_cid );
437
sql=sqltmp;
438
db_query( dbtype, sql );
439
}
440
441
442
}
443
444
/*****************************/
445
/* Insert into payload table */
446
/*****************************/
447
448
void insert_payload ( int t_sid, uint64_t t_cid, char *t_hex_data, int dbtype ) {
449
450
char sqltmp[MAXSQL];
451
char *sql;
452
453
pthread_mutex_lock( &db_mutex );
454
snprintf(sqltmp, sizeof(sqltmp), "INSERT INTO data(sid, cid, data_payload) VALUES ('%d', '%" PRIu64 "', '%s')", t_sid, t_cid, t_hex_data);
455
sql=sqltmp;
456
pthread_mutex_unlock( &db_mutex );
457
db_query( dbtype, sql );
458
459
}
460
461
/*******************/
462
/* Record last cid */
463
/*******************/
464
465
void record_last_cid ( void ) {
466
467
char sqltmp[MAXSQL];
468
char *sql;
469
470
snprintf(sqltmp, sizeof(sqltmp), "UPDATE sensor SET last_cid='%" PRIu64 "' where sid=%d and hostname='%s' and interface='%s' and filter='%s' and detail=%d", counters->sigcid, config->sensor_id, config->sagan_hostname, config->sagan_interface, config->sagan_filter, config->sagan_detail);
471
sql=sqltmp;
472
db_query( config->dbtype, sql );
473
474
}
475
476
/********************/
477
/* Reference system */
478
/********************/
479
480
void query_reference ( char *ref, char *rule_sid, int sig_sid, int seq )
481
{
482
483
char *saveptr=NULL;
484
char *tmptoken1=NULL;
485
char *tmptoken2=NULL;
486
char reference[128];
487
488
int ref_system_id;
489
int ref_id;
490
491
char sqltmp[MAXSQL];
492
char *sql;
493
char *sqlout;
494
495
496
strlcpy(reference, ref, sizeof(reference));
497
498
tmptoken1 = strtok_r(reference, ",", &saveptr);
499
tmptoken2 = strtok_r(NULL, "," , &saveptr);
500
501
/* Look for improperly formated references */
502
503
if (tmptoken1 == NULL || tmptoken2 == NULL )
504
{
505
sagan_log(0, "Warning: \"reference:\" contains a NULL value. Check sid: %s", rule_sid);
506
return;
507
}
508
509
snprintf(sqltmp, sizeof(sqltmp), "SELECT ref_system_id from reference_system where ref_system_name='%s'", tmptoken1);
510
sql=sqltmp;
511
sqlout = db_query( config->dbtype, sql );
512
513
/* reference_system hasn't been entered into the DB. Do so now */
514
515
if ( sqlout == NULL ) {
516
snprintf(sqltmp, sizeof(sqltmp), "INSERT INTO reference_system (ref_system_id, ref_system_name) VALUES (DEFAULT, '%s')", tmptoken1);
517
sql=sqltmp;
518
db_query( config->dbtype, sql );
519
520
snprintf(sqltmp, sizeof(sqltmp), "SELECT ref_system_id from reference_system where ref_system_name='%s'", tmptoken1);
521
sql=sqltmp;
522
sqlout = db_query( config->dbtype, sql );
523
}
524
525
ref_system_id = atoi(sqlout);
526
527
snprintf(sqltmp, sizeof(sqltmp), "SELECT ref_id from reference where ref_system_id='%d' and ref_tag='%s'", ref_system_id, tmptoken2);
528
sql=sqltmp;
529
sqlout = db_query( config->dbtype, sql );
530
531
if ( sqlout == NULL ) {
532
snprintf(sqltmp, sizeof(sqltmp), "INSERT INTO reference (ref_id, ref_system_id, ref_tag) VALUES (DEFAULT, '%d', '%s')", ref_system_id, tmptoken2);
533
sql=sqltmp;
534
sqlout = db_query( config->dbtype, sql );
535
536
snprintf(sqltmp, sizeof(sqltmp), "SELECT ref_id from reference where ref_system_id='%d' and ref_tag='%s'", ref_system_id, tmptoken2);
537
sql=sqltmp;
538
sqlout = db_query( config->dbtype, sql );
539
540
}
541
542
ref_id = atoi(sqlout);
543
544
snprintf(sqltmp, sizeof(sqltmp), "SELECT sig_id from sig_reference where sig_id='%d' and ref_id='%d'", sig_sid, ref_id);
545
sql=sqltmp;
546
sqlout = db_query( config->dbtype, sql );
547
548
if ( sqlout == NULL ) {
549
snprintf(sqltmp, sizeof(sqltmp), "INSERT INTO sig_reference (sig_id, ref_seq, ref_id) VALUES ('%d', '%d', '%d')", sig_sid, seq, ref_id);
550
sql=sqltmp;
551
sqlout = db_query( config->dbtype, sql );
552
553
}
554
555
}
556
557
558
/***************************************************************************/
559
/* Snort specific thread code */
560
/***************************************************************************/
561
562
void sagan_db_thread( SaganEvent *Event ) {
563
564
int sig_sid;
565
int i;
566
char *hex_data = NULL;
567
char message[MAX_SYSLOGMSG];
568
569
char ip_srctmp[65];
570
char ip_dsttmp[65];
571
572
char time[30];
573
char date[30];
574
575
snprintf(message, sizeof(message), "%s", Event->message);
576
snprintf(ip_srctmp, sizeof(ip_srctmp), "%s", Event->ip_src);
577
snprintf(ip_dsttmp, sizeof(ip_dsttmp), "%s", Event->ip_dst);
578
snprintf(time, sizeof(time), "%s", Event->time);
579
snprintf(date, sizeof(date), "%s", Event->date);
580
581
sig_sid = get_sig_sid(rulestruct[Event->found].s_msg, rulestruct[Event->found].s_rev, rulestruct[Event->found].s_sid, rulestruct[Event->found].s_classtype, rulestruct[Event->found].s_pri , config->dbtype );
582
583
insert_event( config->sensor_id, Event->cid, sig_sid, config->dbtype, date, time );
584
insert_hdr(config->sensor_id, Event->cid, ip_srctmp, ip_dsttmp, rulestruct[Event->found].ip_proto, Event->endian, config->dbtype, Event->dst_port, Event->src_port );
585
586
hex_data = fasthex(message, strlen(message));
587
insert_payload ( config->sensor_id, Event->cid, hex_data, config->dbtype ) ;
588
589
for (i = 0; i < rulestruct[Event->found].ref_count; i++ ) {
590
query_reference( rulestruct[Event->found].s_reference[i], rulestruct[Event->found].s_sid, sig_sid, i );
591
}
592
593
pthread_mutex_lock( &db_mutex );
594
counters->threaddbc--;
595
pthread_mutex_unlock( &db_mutex );
596
597
pthread_exit(NULL);
598
}
599
600
#endif
Loggerhead is a web-based interface for Breezy
Version: 2.0.1