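/**
 * sim_event_set_context_and_engine:
 * @event: a #SimEvent
 * @context_id: a #SimUuid identifying the context to attach
 *
 * Looks up the context for @context_id and the engine serving that context in
 * the global container and stores a new reference to each in @event, releasing
 * whatever @event held before.
 *
 * Both lookups are performed before anything in @event is touched: if either
 * fails a message is logged and @event keeps its previous context/engine.
 * The previous implementation unref'd the old objects first and then returned
 * on lookup failure, which left event->context / event->engine pointing at
 * released objects and led to a second unref in _sim_event_free.
 *
 * The container lookups are assumed to return borrowed pointers (they are
 * explicitly ref'd here, as before) — confirm against sim_container.
 */
void
sim_event_set_context_and_engine (SimEvent *event, SimUuid *context_id)
{
  SimContext *context;
  SimEngine  *engine;
  SimContext *new_context;
  SimEngine  *new_engine;

  g_return_if_fail (SIM_IS_EVENT (event));

  context = sim_container_get_context (ossim.container, context_id);
  if (!context)
    {
      g_message ("%s: Error getting context_id %s", __func__,
                 context_id ? sim_uuid_get_string (context_id) : "NULL");
      return;
    }

  engine = sim_container_get_engine_for_context (ossim.container, context_id);
  if (!engine)
    {
      g_message ("%s: Error getting engine for context_id %s", __func__,
                 context_id ? sim_uuid_get_string (context_id) : "NULL");
      return;
    }

  /* Take the new references before dropping the old ones: if the event
   * already holds the same object, unref-then-ref could otherwise release
   * its last reference in between. */
  new_context = g_object_ref (context);
  new_engine  = g_object_ref (engine);

  if (event->context)
    g_object_unref (event->context);
  if (event->engine)
    g_object_unref (event->engine);

  event->context = new_context;
  event->engine  = new_engine;
}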
/* Executes @sql against @database and releases it.  Local helper so the
 * four insert paths in sim_db_insert_event share one execute-and-free step. */
static void
sim_db_insert_event_exec (SimDatabase *database, gchar *sql)
{
  sim_database_execute_no_query (database, sql);
  g_free (sql);
}

/**
 * sim_db_insert_event:
 * @database: a #SimDatabase
 * @event: a #SimEvent to insert
 *
 * Stores @event in the database: the main event row first, then the optional
 * IDM (user name), extra (data/log/binary) and OTX pulse rows when the event
 * carries that information.  Marks the event as stored so a second call for
 * the same event is a logged no-op.
 *
 * The SQL text comes entirely from the sim_event_*_get_insert_clause builders;
 * any quoting/escaping of event-supplied strings must happen there, this
 * function only executes what they return.
 *
 * NOTE(review): event->otx_data is passed to g_hash_table_size() without a
 * NULL check, so it is assumed to always be allocated — confirm in the event
 * constructor.
 */
void
sim_db_insert_event (SimDatabase *database, SimEvent *event)
{
  gchar    *sql;
  gboolean  has_idm;
  gboolean  has_extra;
  gboolean  has_pulses;

  g_return_if_fail (SIM_IS_DATABASE (database));
  g_return_if_fail (SIM_IS_EVENT (event));

  if (event->is_stored)
    {
      ossim_debug ("%s: Duplicate insert event->id: %s", __func__,
                   sim_uuid_get_string (event->id));
      return;
    }

  ossim_debug ("%s: Storing event->id = %s event->is_stored = %u", __func__,
               sim_uuid_get_string (event->id), event->is_stored);

  /* Main event row. */
  sql = sim_event_get_insert_clause (event);
  ossim_debug ("%s: query= %s", __func__, sql);
  sim_db_insert_event_exec (database, sql);

  has_idm    = (event->src_username != NULL) || (event->dst_username != NULL);
  has_extra  = (event->data != NULL) || (event->log != NULL) || (event->binary_data != NULL);
  has_pulses = g_hash_table_size (event->otx_data) > 0;

  if (has_idm)
    {
      sql = sim_event_idm_get_insert_clause (sim_database_get_conn (database), event);
      ossim_debug ("%s: idm_data query_values= %s", __func__, sql);
      sim_db_insert_event_exec (database, sql);
    }

  if (has_extra)
    {
      sql = sim_event_extra_get_insert_clause (sim_database_get_conn (database), event);
      ossim_debug ("%s: extra_data query_values= %s", __func__, sql);
      sim_db_insert_event_exec (database, sql);
    }

  if (has_pulses)
    {
      sql = sim_event_pulses_get_insert_clause (sim_database_get_conn (database), event);
      ossim_debug ("%s: otx_data query_values= %s", __func__, sql);
      sim_db_insert_event_exec (database, sql);
    }

  event->is_stored = TRUE;
}
/**
 * sim_event_set_sid:
 * @event: a #SimEvent
 *
 * Resolves the sensor/device id for @event and stores it in event->device_id.
 * The lookup key is "<sensor_id>/<interface>/<device ip>" when the event has a
 * device, otherwise just "<sensor_id>".  The id is taken from the container's
 * cache; on a miss it is obtained from the snort organizer and cached.
 *
 * Ownership: on a cache hit the key string is freed here; on a miss it is
 * handed to sim_container_add_sensor_sid and not freed — the container is
 * presumed to keep it as the cache key (confirm in sim_container).
 *
 * Returns: %TRUE, or %FALSE if @event is not a #SimEvent.
 */
gboolean
sim_event_set_sid (SimEvent *event)
{
  gchar *sensor_key;
  guint  sid;

  g_return_val_if_fail (SIM_IS_EVENT (event), FALSE);

  ossim_debug ("%s: Setting (sid) for event->id=%s", __func__,
               sim_uuid_get_string (event->id));

  if (!event->device)
    {
      sensor_key = g_strdup_printf ("%s", sim_uuid_get_string (event->sensor_id));
    }
  else
    {
      gchar *device_ip = sim_inet_get_canonical_name (event->device);

      sensor_key = g_strdup_printf ("%s/%s/%s",
                                    sim_uuid_get_string (event->sensor_id),
                                    event->interface,
                                    device_ip);
      g_free (device_ip);
    }

  sid = sim_container_get_sensor_sid (ossim.container, sensor_key);

  if (sid)
    {
      ossim_debug ("%s: from cache: sid: %u", __func__, sid);
      g_free (sensor_key);
    }
  else
    {
      /* First event for this key: resolve it the old way (database) and
       * cache the result; the key string goes with it. */
      sid = sim_organizer_snort_sensor_get_sid (ossim.dbsnort, event->sensor_id, event);
      sim_container_add_sensor_sid (ossim.container, sensor_key, sid);
      ossim_debug ("%s: not from cache: sid: %u", __func__, sid);
    }

  event->device_id = sid;

  return TRUE;
}
/**
 * sim_db_insert_alarm:
 * @database: #SimDatabase
 * @event: event alarm
 * @removable: if the alarm is removable or not (it'll be removable only if
 * it's finished/reached timeout).
 *
 * Inserts @event as an alarm row.  This is used when the event carries the
 * "alarm" flag, e.g. because priority and reliability were high enough to
 * promote it automatically, or because it is a directive_event re-inserted
 * into the container from sim_correlation.
 *
 * The row text is produced by sim_event_get_alarm_insert_clause; this function
 * only executes it.  Note that, despite older comments, no event->id is
 * assigned here — the id is expected to be set already.
 */
void
sim_db_insert_alarm (SimDatabase *database, SimEvent *event, gboolean removable)
{
  gchar *sql;

  g_return_if_fail (SIM_IS_DATABASE (database));
  g_return_if_fail (SIM_IS_EVENT (event));

  ossim_debug ("%s with id %s", __func__, sim_uuid_get_string (event->id));

  sql = sim_event_get_alarm_insert_clause (database, event, removable);
  sim_database_execute_no_query (database, sql);
  g_free (sql);
}
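/* Appends  key="<base64 of the first @len bytes of @data>"  to @str.
 * Returns FALSE (with nothing appended) if the encoder returned NULL. */
static gboolean
sim_event_str_append_b64 (GString *str, const gchar *key, const gchar *data, size_t len)
{
  gchar *encoded = g_base64_encode ((const guchar *) data, len);

  if (encoded == NULL)
    return FALSE;

  g_string_append_printf (str, "%s=\"%s\" ", key, encoded);
  g_free (encoded);
  return TRUE;
}

/* Same as sim_event_str_append_b64 for a NUL-terminated string; NULL and
 * empty strings are skipped (nothing appended, TRUE returned). */
static gboolean
sim_event_str_append_b64_str (GString *str, const gchar *key, const gchar *value)
{
  size_t len;

  if (value == NULL || (len = strlen (value)) == 0)
    return TRUE;

  return sim_event_str_append_b64 (str, key, value, len);
}

/**
 * sim_event_to_string:
 * @event: a #SimEvent object.
 *
 * Serialises @event as one protocol line: the literal "event " followed by
 * space-separated key="value" pairs and a trailing newline.  Free-text and
 * binary-ish fields (data, log, filename, user fields, reputation activity
 * strings) are base64-encoded so they cannot break the key="value" framing.
 * base64 is framing, not protection: the password field travels in a form
 * that is trivially decodable by anyone who can read the line.
 *
 * NOTE(review): value, interface, fdate, the hostnames, the MAC addresses and
 * binary_data are appended verbatim.  A double quote or newline inside any of
 * them would corrupt the framing of this line; this relies on those fields
 * being sanitised where they are produced — confirm at the parsers that fill
 * them.
 *
 * Returns: a newly allocated string owned by the caller (g_free it), or %NULL
 * if @event is not a #SimEvent or a base64 encoding failed.
 */
gchar *
sim_event_to_string (SimEvent *event)
{
  GString *str;
  gchar   *ip;
  gchar   *aux;
  SimUuid *net_id;

  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  str = g_string_new ("event ");

  g_string_append_printf (str, "event_id=\"%s\" ", sim_uuid_get_string (event->id));
  /* NOTE(review): event->context is dereferenced unconditionally; it can be
   * unset when sim_event_set_context_and_engine failed — confirm that
   * sim_context_get_id tolerates NULL. */
  g_string_append_printf (str, "ctx=\"%s\" ",
                          sim_uuid_get_string (sim_context_get_id (event->context)));
  g_string_append_printf (str, "alarm=\"%d\" ", event->alarm);
  str = g_string_append (str, "is_remote=\"1\" ");

  aux = sim_event_get_str_from_type (event->type);
  if (aux)
    {
      g_string_append_printf (str, "type=\"%s\" ", aux);
      g_free (aux);
    }

  /* The wire format carries seconds as an unsigned 32-bit value. */
  g_string_append_printf (str, "date=\"%u\" ", (guint) event->time);
  g_string_append_printf (str, "tzone=\"%4.2f\" ", event->tzone);

  if (event->time_str)
    g_string_append_printf (str, "fdate=\"%s\" ", event->time_str);
  if (event->plugin_id)
    g_string_append_printf (str, "plugin_id=\"%d\" ", event->plugin_id);
  if (event->plugin_sid)
    g_string_append_printf (str, "plugin_sid=\"%d\" ", event->plugin_sid);

  if (event->src_ia)
    {
      ip = sim_inet_get_canonical_name (event->src_ia);
      g_string_append_printf (str, "src_ip=\"%s\" ", ip);
      g_free (ip);
    }
  if (event->src_port)
    g_string_append_printf (str, "src_port=\"%d\" ", event->src_port);

  if (event->dst_ia)
    {
      ip = sim_inet_get_canonical_name (event->dst_ia);
      g_string_append_printf (str, "dst_ip=\"%s\" ", ip);
      g_free (ip);
    }
  if (event->dst_port)
    g_string_append_printf (str, "dst_port=\"%d\" ", event->dst_port);

  if (event->src_net)
    {
      net_id = sim_net_get_id (event->src_net);
      g_string_append_printf (str, "src_net=\"%s\" ", sim_uuid_get_string (net_id));
    }
  if (event->dst_net)
    {
      net_id = sim_net_get_id (event->dst_net);
      g_string_append_printf (str, "dst_net=\"%s\" ", sim_uuid_get_string (net_id));
    }

  if (event->sensor)
    {
      ip = sim_inet_get_canonical_name (event->sensor);
      g_string_append_printf (str, "sensor=\"%s\" ", ip);
      g_free (ip);
    }
  if (event->sensor_id)
    g_string_append_printf (str, "sensor_id=\"%s\" ", sim_uuid_get_string (event->sensor_id));

  if (event->device)
    {
      ip = sim_inet_get_canonical_name (event->device);
      g_string_append_printf (str, "device=\"%s\" ", ip);
      g_free (ip);
    }
  if (event->device_id)
    g_string_append_printf (str, "device_id=\"%d\" ", event->device_id);

  if (event->interface)
    g_string_append_printf (str, "interface=\"%s\" ", event->interface);

  if (event->protocol)
    {
      gchar *value = sim_protocol_get_str_from_type (event->protocol);
      g_string_append_printf (str, "protocol=\"%s\" ", value);
      g_free (value);
    }
  if (event->condition)
    {
      gchar *value = sim_condition_get_str_from_type (event->condition);
      g_string_append_printf (str, "condition=\"%s\" ", value);
      g_free (value);
    }
  if (event->value)
    g_string_append_printf (str, "value=\"%s\" ", event->value);
  if (event->interval)
    g_string_append_printf (str, "interval=\"%d\" ", event->interval);

  if (event->is_priority_set)
    g_string_append_printf (str, "priority=\"%d\" ", event->priority);
  if (event->is_reliability_set)
    g_string_append_printf (str, "reliability=\"%d\" ", event->reliability);

  g_string_append_printf (str, "asset_src=\"%d\" ", event->asset_src);
  g_string_append_printf (str, "asset_dst=\"%d\" ", event->asset_dst);

  /* Each risk value gates itself.  The guards used to be crossed (risk_c
   * gated risk_a and vice versa), so one value could be dropped while the
   * other was sent as 0. */
  if (event->risk_a)
    g_string_append_printf (str, "risk_a=\"%lf\" ", event->risk_a);
  if (event->risk_c)
    g_string_append_printf (str, "risk_c=\"%lf\" ", event->risk_c);

  /* Only forward this field if this is a special event.  Unlike the string
   * fields below, an empty data string is still forwarded (as data=""). */
  if (event->data && sim_event_is_special (event))
    {
      if (!sim_event_str_append_b64 (str, "data", event->data, strlen (event->data)))
        goto fail;
    }

  if (event->log)
    {
      if (!sim_event_str_append_b64 (str, "log", event->log->str, event->log->len))
        goto fail;
    }

  /* NULL or empty strings are skipped by the helper. */
  if (!sim_event_str_append_b64_str (str, "filename",  event->filename)
      || !sim_event_str_append_b64_str (str, "username",  event->username)
      || !sim_event_str_append_b64_str (str, "password",  event->password)
      || !sim_event_str_append_b64_str (str, "userdata1", event->userdata1)
      || !sim_event_str_append_b64_str (str, "userdata2", event->userdata2)
      || !sim_event_str_append_b64_str (str, "userdata3", event->userdata3)
      || !sim_event_str_append_b64_str (str, "userdata4", event->userdata4)
      || !sim_event_str_append_b64_str (str, "userdata5", event->userdata5)
      || !sim_event_str_append_b64_str (str, "userdata6", event->userdata6)
      || !sim_event_str_append_b64_str (str, "userdata7", event->userdata7)
      || !sim_event_str_append_b64_str (str, "userdata8", event->userdata8)
      || !sim_event_str_append_b64_str (str, "userdata9", event->userdata9)
      || !sim_event_str_append_b64_str (str, "src_username", event->src_username_raw)
      || !sim_event_str_append_b64_str (str, "dst_username", event->dst_username_raw))
    goto fail;

  if (event->src_id)
    g_string_append_printf (str, "src_id=\"%s\" ", sim_uuid_get_string (event->src_id));
  if (event->dst_id)
    g_string_append_printf (str, "dst_id=\"%s\" ", sim_uuid_get_string (event->dst_id));

  if (event->src_hostname)
    g_string_append_printf (str, "src_hostname=\"%s\" ", event->src_hostname);
  if (event->dst_hostname)
    g_string_append_printf (str, "dst_hostname=\"%s\" ", event->dst_hostname);
  if (event->src_mac)
    g_string_append_printf (str, "src_mac=\"%s\" ", event->src_mac);
  if (event->dst_mac)
    g_string_append_printf (str, "dst_mac=\"%s\" ", event->dst_mac);

  if (event->rep_prio_src)
    g_string_append_printf (str, "rep_prio_src=\"%u\" ", event->rep_prio_src);
  if (event->rep_prio_dst)
    g_string_append_printf (str, "rep_prio_dst=\"%u\" ", event->rep_prio_dst);
  if (event->rep_rel_src)
    g_string_append_printf (str, "rep_rel_src=\"%u\" ", event->rep_rel_src);
  if (event->rep_rel_dst)
    g_string_append_printf (str, "rep_rel_dst=\"%u\" ", event->rep_rel_dst);

  if (!sim_event_str_append_b64_str (str, "rep_act_src", event->str_rep_act_src)
      || !sim_event_str_append_b64_str (str, "rep_act_dst", event->str_rep_act_dst))
    goto fail;

  /* NOTE(review): binary_data is appended as-is, so it is assumed to already
   * be a framing-safe text encoding — confirm where it is produced. */
  if (event->binary_data != NULL)
    g_string_append_printf (str, "binary_data=\"%s\" ", event->binary_data);

  g_string_append_printf (str, "\n");

  return g_string_free (str, FALSE);

fail:
  /* An encoder returned NULL: drop the partial line rather than forward a
   * truncated record. */
  g_string_free (str, TRUE);
  return NULL;
}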
/* Releases every resource owned by @event and the event itself.
 *
 * GObject references and hash tables are unref'd only when set (their unref
 * functions are not NULL-safe); g_free'd strings need no guard.
 *
 * NOTE(review): event->otx_data (used by sim_db_insert_event) is not released
 * here; either it is owned elsewhere or it leaks — confirm against the event
 * constructor.  The debug line also calls sim_uuid_get_string on event->id
 * before the NULL check that follows, so it is assumed to tolerate NULL.
 */
static void
_sim_event_free (SimEvent *event)
{
  ossim_debug ("%s: Id %s, Device_id %u", __func__,
               sim_uuid_get_string (event->id), event->device_id);

  /* Identity, addresses and networks. */
  if (event->id)
    g_object_unref (event->id);
  if (event->src_ia)
    g_object_unref (event->src_ia);
  if (event->dst_ia)
    g_object_unref (event->dst_ia);
  if (event->src_net)
    g_object_unref (event->src_net);
  if (event->dst_net)
    g_object_unref (event->dst_net);
  if (event->src_id)
    g_object_unref (event->src_id);
  if (event->dst_id)
    g_object_unref (event->dst_id);

  /* Sensor and device. */
  if (event->sensor)
    g_object_unref (event->sensor);
  if (event->sensor_id)
    g_object_unref (event->sensor_id);
  if (event->device)
    g_object_unref (event->device);

  g_free (event->interface);
  g_free (event->server);
  g_free (event->servername);
  g_free (event->sql_text_fields);
  g_free (event->value);
  g_free (event->data);

  if (event->role)
    sim_role_unref (event->role);
  if (event->policy)
    g_object_unref (event->policy);

  g_free (event->time_str);

  if (event->log)
    g_string_free (event->log, TRUE);

  g_free (event->alarm_stats);

  /* Free-text payload fields. */
  g_free (event->filename);
  g_free (event->username);
  g_free (event->password);
  g_free (event->userdata1);
  g_free (event->userdata2);
  g_free (event->userdata3);
  g_free (event->userdata4);
  g_free (event->userdata5);
  g_free (event->userdata6);
  g_free (event->userdata7);
  g_free (event->userdata8);
  g_free (event->userdata9);
  g_free (event->rulename);

  /* Identity (IDM) data: parsed tables plus their raw text. */
  if (event->src_username)
    g_hash_table_unref (event->src_username);
  g_free (event->src_username_raw);
  if (event->dst_username)
    g_hash_table_unref (event->dst_username);
  g_free (event->dst_username_raw);

  g_free (event->src_hostname);
  g_free (event->dst_hostname);
  g_free (event->src_mac);
  g_free (event->dst_mac);

  /* Reputation activity: raw text plus parsed tables. */
  g_free (event->str_rep_act_src);
  if (event->rep_act_src)
    g_hash_table_unref (event->rep_act_src);
  g_free (event->str_rep_act_dst);
  if (event->rep_act_dst)
    g_hash_table_unref (event->rep_act_dst);

  g_free (event->buffer);
  g_free (event->groupalarmsha1);
  g_free (event->binary_data);

  if (event->context)
    g_object_unref (event->context);
  if (event->engine)
    g_object_unref (event->engine);

  g_slice_free (SimEvent, event);
}