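/**
 * sim_event_set_context_and_engine:
 * @event: a #SimEvent
 * @context_id: a #SimUuid naming the context to attach, or %NULL
 *
 * Looks up the context for @context_id and the engine serving that context
 * in the global container, and stores a reference to each in @event,
 * releasing the references @event held before.
 *
 * If either lookup fails a message is logged and @event is left untouched:
 * the context/engine references it already held remain valid.  (The previous
 * version unreffed the old objects before the lookups and then returned
 * early, leaving @event->context / @event->engine dangling, so a later
 * _sim_event_free() would unref already-released objects.)
 */
void
sim_event_set_context_and_engine (SimEvent *event,
                                  SimUuid  *context_id)
{
  SimContext *context;
  SimEngine  *engine;

  g_return_if_fail (SIM_IS_EVENT (event));

  /* Resolve both objects before modifying @event, so a failed lookup cannot
   * leave it half-updated. */
  context = sim_container_get_context (ossim.container, context_id);
  if (!context)
  {
    g_message ("%s: Error getting context_id %s", __func__, context_id ? sim_uuid_get_string (context_id) : "NULL");
    return;
  }

  engine = sim_container_get_engine_for_context (ossim.container, context_id);
  if (!engine)
  {
    g_message ("%s: Error getting engine for context_id %s", __func__, context_id ? sim_uuid_get_string (context_id) : "NULL");
    return;
  }

  /* Take the new references first and drop the old ones afterwards: this
   * stays correct even when the new object is the one already held. */
  SimContext *old_context = event->context;
  SimEngine  *old_engine  = event->engine;

  event->context = g_object_ref (context);
  event->engine  = g_object_ref (engine);

  if (old_context)
    g_object_unref (old_context);
  if (old_engine)
    g_object_unref (old_engine);
}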
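/**
 * sim_db_insert_event:
 * @database: a #SimDatabase
 * @event: a #SimEvent to insert
 *
 * Inserts @event into the database: the main event row first, followed by
 * the optional IDM (user), extra (data/log/binary) and OTX pulse rows when
 * the event carries that information.  An event already flagged
 * @event->is_stored is skipped so a repeated call does not duplicate rows;
 * on completion the flag is set so later calls become no-ops.
 *
 * The INSERT statements are produced by the sim_event_*_get_insert_clause()
 * builders; this function only executes them and frees the resulting
 * strings.
 */
void
sim_db_insert_event (SimDatabase *database,
                     SimEvent    *event)
{
    gchar *query = NULL;

    g_return_if_fail (SIM_IS_DATABASE (database));
    g_return_if_fail (SIM_IS_EVENT (event));

    if (event->is_stored)
    {
        ossim_debug ("%s: Duplicate insert event->id: %s", __func__, sim_uuid_get_string (event->id));
        return;
    }

    ossim_debug ("%s: Storing event->id = %s event->is_stored = %u", __func__,
                 sim_uuid_get_string (event->id), event->is_stored);

    /* Main event row. */
    query = sim_event_get_insert_clause (event);
    ossim_debug ("%s: query= %s", __func__, query);
    sim_database_execute_no_query (database, query);
    g_free (query);

    /* IDM row: only when the event is tied to a source or destination user. */
    if (event->src_username || event->dst_username)
    {
        query = sim_event_idm_get_insert_clause (sim_database_get_conn (database), event);
        ossim_debug ("%s: idm_data query_values= %s", __func__, query);
        sim_database_execute_no_query (database, query);
        g_free (query);
    }

    /* Extra-data row: payload, raw log or binary data. */
    if (event->data || event->log || event->binary_data)
    {
        query = sim_event_extra_get_insert_clause (sim_database_get_conn (database), event);
        ossim_debug ("%s: extra_data query_values= %s", __func__, query);
        sim_database_execute_no_query (database, query);
        g_free (query);
    }

    /* OTX pulse row.  g_hash_table_size() on a NULL table only logs a GLib
     * critical and yields 0, so check the table explicitly to keep an event
     * without OTX data quiet. */
    if (event->otx_data && g_hash_table_size (event->otx_data) > 0)
    {
        query = sim_event_pulses_get_insert_clause (sim_database_get_conn (database), event);
        ossim_debug ("%s: otx_data query_values= %s", __func__, query);
        sim_database_execute_no_query (database, query);
        g_free (query);
    }

    event->is_stored = TRUE;
}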
/**
 * sim_event_set_sid:
 * @event: a #SimEvent
 *
 * Resolves the sensor id (sid) for @event and stores it in
 * @event->device_id.  The lookup key is "<sensor uuid>/<interface>/<device ip>"
 * when the event names a device, otherwise just the sensor uuid.  The sid is
 * served from the container cache when present; on a miss it is resolved
 * through the snort database and cached for the next event.
 *
 * Returns: %TRUE, or %FALSE when @event is not a #SimEvent.
 */
gboolean
sim_event_set_sid (SimEvent *event)
{
  gchar *sensor_key;
  guint  sid;

  g_return_val_if_fail (SIM_IS_EVENT (event), FALSE);

  ossim_debug ("%s: Setting (sid)  for event->id=%s", __func__, sim_uuid_get_string (event->id));

  if (event->device == NULL)
  {
    sensor_key = g_strdup_printf ("%s", sim_uuid_get_string (event->sensor_id));
  }
  else
  {
    /* NOTE(review): event->interface is formatted with "%s" here; confirm it
     * is always set when a device is present. */
    gchar *device_ip = sim_inet_get_canonical_name (event->device);
    sensor_key = g_strdup_printf ("%s/%s/%s", sim_uuid_get_string (event->sensor_id), event->interface, device_ip);
    g_free (device_ip);
  }

  sid = sim_container_get_sensor_sid (ossim.container, sensor_key);

  if (sid)
  {
    ossim_debug ("%s: from cache: sid: %u", __func__, sid);
    g_free (sensor_key);
  }
  else
  {
    /* Cache miss: resolve the sid the old way (via the snort DB) and cache it.
     * The key is not freed on this path — presumably the container takes
     * ownership of it in sim_container_add_sensor_sid(); confirm. */
    sid = sim_organizer_snort_sensor_get_sid (ossim.dbsnort, event->sensor_id, event);
    sim_container_add_sensor_sid (ossim.container, sensor_key, sid);
    ossim_debug ("%s: not from cache: sid: %u", __func__, sid);
  }

  event->device_id = sid;

  return TRUE;
}
/**
 * sim_db_insert_alarm:
 * @database: #SimDatabase
 * @event: the event to store as an alarm
 * @removable: whether the alarm may be removed (only once it is finished or
 *   has reached its timeout)
 *
 * Stores @event in the alarm table.  This applies to events carrying the
 * "alarm" flag: for example an event whose priority and reliability are high
 * enough to be promoted to an alarm automatically, or a directive event
 * re-inserted into the container by the correlation engine.
 *
 * The INSERT statement comes from sim_event_get_alarm_insert_clause(); this
 * function only executes it and frees the string.
 */
void
sim_db_insert_alarm (SimDatabase *database,
                     SimEvent    *event,
                     gboolean     removable)
{
    g_return_if_fail (SIM_IS_DATABASE (database));
    g_return_if_fail (SIM_IS_EVENT (event));

    ossim_debug ("%s with id %s", __func__, sim_uuid_get_string (event->id));

    gchar *clause = sim_event_get_alarm_insert_clause (database, event, removable);
    sim_database_execute_no_query (database, clause);
    g_free (clause);
}
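/*
 * Appends key="value" to @str and frees @value (an allocation handed over by
 * the caller, e.g. the result of sim_inet_get_canonical_name()).  A NULL
 * @value appends nothing — previously a NULL protocol/condition name was
 * printed as "(null)".
 */
static void
_sim_event_append_take (GString *str, const gchar *key, gchar *value)
{
  if (value)
    g_string_append_printf (str, "%s=\"%s\" ", key, value);
  g_free (value);
}

/*
 * Appends key="<base64 of value[0..len)>" to @str.
 * Returns FALSE if the encoding failed (nothing appended).
 */
static gboolean
_sim_event_append_base64 (GString *str, const gchar *key, const gchar *value, gsize len)
{
  gchar *encoded = g_base64_encode ((const guchar *) value, len);
  if (encoded == NULL)
    return FALSE;
  g_string_append_printf (str, "%s=\"%s\" ", key, encoded);
  g_free (encoded);
  return TRUE;
}

/*
 * Base64-appends a NUL-terminated string, skipping NULL and empty values
 * (the wire format omits empty fields).  Returns FALSE on encoding failure.
 */
static gboolean
_sim_event_append_base64_str (GString *str, const gchar *key, const gchar *value)
{
  if (value == NULL || *value == '\0')
    return TRUE;
  return _sim_event_append_base64 (str, key, value, strlen (value));
}

/**
 * sim_event_to_string:
 * @event: a #SimEvent object.
 *
 * Serialises @event into one line of the textual "event ..." format: a
 * space-separated list of key="value" pairs terminated by a newline.
 * Free-text fields (payload, log, filename, user data, usernames, reputation
 * activity) are base64-encoded so that quotes and newlines inside them cannot
 * break the line framing; identifiers and numbers are emitted as is.
 *
 * Returns: a newly allocated string owned by the caller (free with g_free()),
 * or %NULL if @event is not a #SimEvent or a base64 encoding failed.
 */
gchar *
sim_event_to_string (SimEvent * event)
{
  GString *str;

  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  str = g_string_new ("event ");

  g_string_append_printf (str, "event_id=\"%s\" ", sim_uuid_get_string (event->id));
  g_string_append_printf (str, "ctx=\"%s\" ", sim_uuid_get_string (sim_context_get_id (event->context)));
  g_string_append_printf (str, "alarm=\"%d\" ", event->alarm);
  g_string_append (str, "is_remote=\"1\" ");

  _sim_event_append_take (str, "type", sim_event_get_str_from_type (event->type));

  g_string_append_printf (str, "date=\"%u\" ", (guint) event->time);
  g_string_append_printf (str, "tzone=\"%4.2f\" ", event->tzone);

  if (event->time_str)
    g_string_append_printf (str, "fdate=\"%s\" ", event->time_str);
  if (event->plugin_id)
    g_string_append_printf (str, "plugin_id=\"%d\" ", event->plugin_id);
  if (event->plugin_sid)
    g_string_append_printf (str, "plugin_sid=\"%d\" ", event->plugin_sid);

  if (event->src_ia)
    _sim_event_append_take (str, "src_ip", sim_inet_get_canonical_name (event->src_ia));
  if (event->src_port)
    g_string_append_printf (str, "src_port=\"%d\" ", event->src_port);
  if (event->dst_ia)
    _sim_event_append_take (str, "dst_ip", sim_inet_get_canonical_name (event->dst_ia));
  if (event->dst_port)
    g_string_append_printf (str, "dst_port=\"%d\" ", event->dst_port);

  /* The id returned by sim_net_get_id() was never freed here — presumably
   * it is borrowed from the net object; confirm. */
  if (event->src_net)
    g_string_append_printf (str, "src_net=\"%s\" ", sim_uuid_get_string (sim_net_get_id (event->src_net)));
  if (event->dst_net)
    g_string_append_printf (str, "dst_net=\"%s\" ", sim_uuid_get_string (sim_net_get_id (event->dst_net)));

  if (event->sensor)
    _sim_event_append_take (str, "sensor", sim_inet_get_canonical_name (event->sensor));
  if (event->sensor_id)
    g_string_append_printf (str, "sensor_id=\"%s\" ", sim_uuid_get_string (event->sensor_id));
  if (event->device)
    _sim_event_append_take (str, "device", sim_inet_get_canonical_name (event->device));
  if (event->device_id)
    g_string_append_printf (str, "device_id=\"%d\" ", event->device_id);
  if (event->interface)
    g_string_append_printf (str, "interface=\"%s\" ", event->interface);

  if (event->protocol)
    _sim_event_append_take (str, "protocol", sim_protocol_get_str_from_type (event->protocol));
  if (event->condition)
    _sim_event_append_take (str, "condition", sim_condition_get_str_from_type (event->condition));
  if (event->value)
    g_string_append_printf (str, "value=\"%s\" ", event->value);
  if (event->interval)
    g_string_append_printf (str, "interval=\"%d\" ", event->interval);

  if (event->is_priority_set)
    g_string_append_printf (str, "priority=\"%d\" ", event->priority);
  if (event->is_reliability_set)
    g_string_append_printf (str, "reliability=\"%d\" ", event->reliability);

  g_string_append_printf (str, "asset_src=\"%d\" ", event->asset_src);
  g_string_append_printf (str, "asset_dst=\"%d\" ", event->asset_dst);

  /* Each risk is gated on its own value.  The previous version tested risk_c
   * before emitting risk_a and risk_a before risk_c, so a non-zero risk was
   * dropped whenever the other one was zero. */
  if (event->risk_a)
    g_string_append_printf (str, "risk_a=\"%lf\" ", event->risk_a);
  if (event->risk_c)
    g_string_append_printf (str, "risk_c=\"%lf\" ", event->risk_c);

  /* Only forward the payload for special events. */
  if (event->data && sim_event_is_special (event))
  {
    if (!_sim_event_append_base64 (str, "data", event->data, strlen (event->data)))
      return g_string_free (str, TRUE);
  }

  /* The log is a GString and may legitimately contain NULs: use its length. */
  if (event->log)
  {
    if (!_sim_event_append_base64 (str, "log", event->log->str, event->log->len))
      return g_string_free (str, TRUE);
  }

  /* Free-text fields, base64-encoded, empty ones omitted.  Short-circuit
   * evaluation keeps the emission order and stops at the first failure. */
  if (!_sim_event_append_base64_str (str, "filename", event->filename)
      || !_sim_event_append_base64_str (str, "username", event->username)
      || !_sim_event_append_base64_str (str, "password", event->password)
      || !_sim_event_append_base64_str (str, "userdata1", event->userdata1)
      || !_sim_event_append_base64_str (str, "userdata2", event->userdata2)
      || !_sim_event_append_base64_str (str, "userdata3", event->userdata3)
      || !_sim_event_append_base64_str (str, "userdata4", event->userdata4)
      || !_sim_event_append_base64_str (str, "userdata5", event->userdata5)
      || !_sim_event_append_base64_str (str, "userdata6", event->userdata6)
      || !_sim_event_append_base64_str (str, "userdata7", event->userdata7)
      || !_sim_event_append_base64_str (str, "userdata8", event->userdata8)
      || !_sim_event_append_base64_str (str, "userdata9", event->userdata9)
      || !_sim_event_append_base64_str (str, "src_username", event->src_username_raw)
      || !_sim_event_append_base64_str (str, "dst_username", event->dst_username_raw))
    return g_string_free (str, TRUE);

  if (event->src_id)
    g_string_append_printf (str, "src_id=\"%s\" ", sim_uuid_get_string (event->src_id));
  if (event->dst_id)
    g_string_append_printf (str, "dst_id=\"%s\" ", sim_uuid_get_string (event->dst_id));
  if (event->src_hostname)
    g_string_append_printf (str, "src_hostname=\"%s\" ", event->src_hostname);
  if (event->dst_hostname)
    g_string_append_printf (str, "dst_hostname=\"%s\" ", event->dst_hostname);
  if (event->src_mac)
    g_string_append_printf (str, "src_mac=\"%s\" ", event->src_mac);
  if (event->dst_mac)
    g_string_append_printf (str, "dst_mac=\"%s\" ", event->dst_mac);

  if (event->rep_prio_src)
    g_string_append_printf (str, "rep_prio_src=\"%u\" ", event->rep_prio_src);
  if (event->rep_prio_dst)
    g_string_append_printf (str, "rep_prio_dst=\"%u\" ", event->rep_prio_dst);
  if (event->rep_rel_src)
    g_string_append_printf (str, "rep_rel_src=\"%u\" ", event->rep_rel_src);
  if (event->rep_rel_dst)
    g_string_append_printf (str, "rep_rel_dst=\"%u\" ", event->rep_rel_dst);

  if (!_sim_event_append_base64_str (str, "rep_act_src", event->str_rep_act_src)
      || !_sim_event_append_base64_str (str, "rep_act_dst", event->str_rep_act_dst))
    return g_string_free (str, TRUE);

  /* NOTE(review): binary_data is the only free-form field emitted without
   * base64 encoding.  If it can contain '"' or '\n' it breaks the framing of
   * this format for the receiving side; left as-is pending confirmation of
   * how binary_data is encoded upstream. */
  if (event->binary_data != NULL)
    g_string_append_printf (str, "binary_data=\"%s\" ", event->binary_data);

  g_string_append (str, "\n");

  return g_string_free (str, FALSE);
}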
/*
 * _sim_event_free:
 * @event: the #SimEvent being destroyed
 *
 * Releases everything @event owns, then the #SimEvent slice itself.
 * GObject members are unreffed only when non-NULL (g_object_unref (NULL)
 * logs a critical); plain strings go straight to g_free(), which accepts
 * NULL.  Hash tables, the log #GString, the role and the policy each use
 * their own release function.
 */
static void
_sim_event_free (SimEvent *event)
{
#define UNREF_IF_SET(obj) do { if (obj) g_object_unref (obj); } while (0)

  /* NOTE(review): event->id is passed to sim_uuid_get_string() before the
   * NULL check below — confirm the id is always set, or that
   * sim_uuid_get_string() tolerates NULL. */
  ossim_debug ("%s: Id %s, Device_id %u", __func__,
               sim_uuid_get_string (event->id), event->device_id);

  /* Reference-counted members. */
  UNREF_IF_SET (event->id);
  UNREF_IF_SET (event->src_ia);
  UNREF_IF_SET (event->dst_ia);
  UNREF_IF_SET (event->src_net);
  UNREF_IF_SET (event->dst_net);
  UNREF_IF_SET (event->src_id);
  UNREF_IF_SET (event->dst_id);
  UNREF_IF_SET (event->sensor);
  UNREF_IF_SET (event->sensor_id);
  UNREF_IF_SET (event->device);
  UNREF_IF_SET (event->policy);
  UNREF_IF_SET (event->context);
  UNREF_IF_SET (event->engine);

  if (event->role)
    sim_role_unref (event->role);

  /* Containers with their own release functions. */
  if (event->log)
    g_string_free (event->log, TRUE);
  if (event->src_username)
    g_hash_table_unref (event->src_username);
  if (event->dst_username)
    g_hash_table_unref (event->dst_username);
  if (event->rep_act_src)
    g_hash_table_unref (event->rep_act_src);
  if (event->rep_act_dst)
    g_hash_table_unref (event->rep_act_dst);

  /* Owned strings; g_free() is a no-op on NULL so no guards are needed. */
  g_free (event->interface);
  g_free (event->server);
  g_free (event->servername);
  g_free (event->sql_text_fields);
  g_free (event->value);
  g_free (event->data);
  g_free (event->time_str);
  g_free (event->alarm_stats);
  g_free (event->filename);
  g_free (event->username);
  g_free (event->password);
  g_free (event->userdata1);
  g_free (event->userdata2);
  g_free (event->userdata3);
  g_free (event->userdata4);
  g_free (event->userdata5);
  g_free (event->userdata6);
  g_free (event->userdata7);
  g_free (event->userdata8);
  g_free (event->userdata9);
  g_free (event->rulename);
  g_free (event->src_username_raw);
  g_free (event->dst_username_raw);
  g_free (event->src_hostname);
  g_free (event->dst_hostname);
  g_free (event->src_mac);
  g_free (event->dst_mac);
  g_free (event->str_rep_act_src);
  g_free (event->str_rep_act_dst);
  g_free (event->buffer);
  g_free (event->groupalarmsha1);
  g_free (event->binary_data);

  g_slice_free (SimEvent, event);

#undef UNREF_IF_SET
}