/**
* sim_db_insert_event:
* @database: a #SimDatabase
* @event: a #SimEvent to insert
*
* This function gets an event-> id and insert the event into DB.
*/
void
sim_db_insert_event (SimDatabase *database,
SimEvent *event)
{
gchar *query = NULL;
g_return_if_fail (SIM_IS_DATABASE (database));
g_return_if_fail (SIM_IS_EVENT (event));
if (event->is_stored)
{
ossim_debug ("%s: Duplicate insert event->id: %s", __func__, sim_uuid_get_string (event->id));
return;
}
ossim_debug ("%s: Storing event->id = %s event->is_stored = %u", __func__,
sim_uuid_get_string (event->id), event->is_stored);
query = sim_event_get_insert_clause (event);
ossim_debug ("%s: query= %s", __func__, query);
sim_database_execute_no_query (database, query);
g_free (query);
if (event->src_username || event->dst_username)
{
query = sim_event_idm_get_insert_clause (sim_database_get_conn (database), event);
ossim_debug ("%s: idm_data query_values= %s", __func__, query);
sim_database_execute_no_query (database, query);
g_free (query);
}
if (event->data || event->log || event->binary_data)
{
query = sim_event_extra_get_insert_clause (sim_database_get_conn (database), event);
ossim_debug ("%s: extra_data query_values= %s", __func__, query);
sim_database_execute_no_query (database, query);
g_free (query);
}
if (g_hash_table_size (event->otx_data) > 0)
{
query = sim_event_pulses_get_insert_clause (sim_database_get_conn (database), event);
ossim_debug ("%s: otx_data query_values= %s", __func__, query);
sim_database_execute_no_query (database, query);
g_free (query);
}
event->is_stored = TRUE;
}
static gchar *
sim_event_get_text_escape_fields_values(SimEvent *event)
{
int i;
gchar *e_fields[N_TEXT_FIELDS];
GString * st;
GdaConnection *conn;
conn = sim_database_get_conn(ossim.dbossim);
st = g_string_new("");
if (st == NULL)
return NULL; // I prefer an assert here. If no memory, we must explicit print the warning and die!
for (i = 0; i < N_TEXT_FIELDS; i++)
{
if (event->textfields[i] != NULL)
{
e_fields[i] = g_new0(gchar, strlen(event->textfields[i]) * 2 + 1);
gda_connection_escape_string(conn, event->textfields[i], e_fields[i]);
g_string_append_printf(st, "'%s'%s", e_fields[i], i != (N_TEXT_FIELDS
- 1) ? "," : "");
g_free(e_fields[i]);
}
else
g_string_append_printf(st, "'%s'%s", "", i != (N_TEXT_FIELDS - 1) ? ","
: "");
}
return g_string_free(st, FALSE);
}
gchar *
sim_event_get_text_escape_fields_values (SimEvent *event)
{
int i;
gchar *e_fields[N_TEXT_FIELDS];
gchar *fields[N_TEXT_FIELDS];
GString * st;
GdaConnection *conn;
gchar *src_mac = NULL, *dst_mac = NULL;
conn = sim_database_get_conn (ossim.dbossim);
st = g_string_new ("");
if (st == NULL)
return NULL;
if (event->src_mac)
src_mac = sim_mac_to_db_string (event->src_mac);
if (event->dst_mac)
dst_mac = sim_mac_to_db_string (event->dst_mac);
fields[SimTextFieldUsername] = event->username;
fields[SimTextFieldPassword] = event->password;
fields[SimTextFieldFilename] = event->filename;
fields[SimTextFieldUserdata1] = event->userdata1;
fields[SimTextFieldUserdata2] = event->userdata2;
fields[SimTextFieldUserdata3] = event->userdata3;
fields[SimTextFieldUserdata4] = event->userdata4;
fields[SimTextFieldUserdata5] = event->userdata5;
fields[SimTextFieldUserdata6] = event->userdata6;
fields[SimTextFieldUserdata7] = event->userdata7;
fields[SimTextFieldUserdata8] = event->userdata8;
fields[SimTextFieldUserdata9] = event->userdata9;
fields[SimTextFieldRulename] = event->rulename;
fields[SimTextFieldValue] = event->value;
for (i = 0; i< N_TEXT_FIELDS; i++)
{
if (fields[i] != NULL)
{
e_fields[i] = sim_str_escape (fields[i], conn, 0);
g_string_append_printf (st, "'%s'%s", e_fields[i], i != (N_TEXT_FIELDS-1) ? "," : "");
g_free (e_fields[i]);
}
else
{
g_string_append_printf (st, "'%s'%s","", i != (N_TEXT_FIELDS-1) ? "," : "");
}
}
g_free (src_mac);
g_free (dst_mac);
return g_string_free (st,FALSE);
}
gchar*
sim_event_get_alarm_insert_clause (SimDatabase *db_ossim,
SimEvent *event,
gboolean removable)
{
gchar time[TIMEBUF_SIZE];
gchar *timestamp=time;
GString *query;
GdaConnection *conn;
gchar *e_alarm_stats = NULL;
g_return_val_if_fail (SIM_IS_EVENT (event), NULL);
conn = sim_database_get_conn (db_ossim);
if(event->time_str)
timestamp=event->time_str;
else
strftime (timestamp, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time));
guint efr = event->priority * event->reliability * 2; //this is used for compliance. The "*2" is to take a percentage
if (event->alarm_stats)
e_alarm_stats = sim_str_escape (event->alarm_stats, conn, 0);
ossim_debug ( "%s: risk_c:%f, risk_a:%f", __func__, event->risk_c, event->risk_a);
query = g_string_new ("REPLACE INTO alarm "
"(event_id, backlog_id, corr_engine_ctx, timestamp, plugin_id, plugin_sid, "
"protocol, src_ip, dst_ip, src_port, dst_port, "
"risk, efr, similar, removable, stats) VALUES (");
g_string_append_printf (query, "%s", sim_uuid_get_db_string (event->id));
g_string_append_printf (query, ",%s", sim_uuid_get_db_string (event->backlog_id));
g_string_append_printf (query, ",%s", sim_uuid_get_db_string (sim_engine_get_id (event->engine)));
g_string_append_printf (query, ",'%s'", timestamp);
g_string_append_printf (query, ",%d", event->plugin_id);
g_string_append_printf (query, ",%d", event->plugin_sid);
g_string_append_printf (query, ",%d", event->protocol);
g_string_append_printf (query, ",%s", (event->src_ia) ? sim_inet_get_db_string (event->src_ia) : "NULL");
g_string_append_printf (query, ",%s", (event->dst_ia) ? sim_inet_get_db_string (event->dst_ia) : "NULL");
g_string_append_printf (query, ",%d", event->src_port);
g_string_append_printf (query, ",%d", event->dst_port);
g_string_append_printf (query, ",%d", ((gint)event->risk_a > (gint)event->risk_c) ? (gint)event->risk_a : (gint)event->risk_c);
g_string_append_printf (query, ",%u", efr);
g_string_append_printf (query, ",IF('%s'<>''", (event->groupalarmsha1 != NULL ? event->groupalarmsha1 : ""));
g_string_append_printf (query, ",'%s'", (event->groupalarmsha1 != NULL ? event->groupalarmsha1 : ""));
g_string_append_printf (query, ",SHA1('%s'))", sim_uuid_get_db_string (event->id));
g_string_append_printf (query, ",%d", removable);
g_string_append_printf (query, ",'%s')", e_alarm_stats ? e_alarm_stats : "");
g_free (e_alarm_stats);
return g_string_free (query, FALSE);
}
gchar*
sim_event_get_replace_clause(SimEvent *event)
{
gchar time[TIMEBUF_SIZE];
gchar *timestamp=time;
gchar *query;
gint c;
gint a;
int i;
/* Temporal HACK */
gchar uuidtext[37];
gchar *values;
gchar * e_rep_act_src = NULL, * e_rep_act_dst = NULL;
g_return_val_if_fail(event, NULL);
g_return_val_if_fail(SIM_IS_EVENT (event), NULL);
c = rint(event->risk_c);
a = rint(event->risk_a);
if (c < 0)
c = 0;
else if (c > 10)
c = 10;
if (a < 0)
a = 0;
else if (a > 10)
a = 10;
if(event->time_str)
timestamp=event->time_str;
else
strftime (timestamp, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time));
if (event->rep_act_src){
e_rep_act_src = g_new0 (gchar,strlen(event->rep_act_src)*2+1);
gda_connection_escape_string (sim_database_get_conn (ossim.dbossim),event->rep_act_src,e_rep_act_src);
}
if (event->rep_act_dst){
e_rep_act_dst = g_new0 (gchar,strlen(event->rep_act_dst)*2+1);
gda_connection_escape_string (sim_database_get_conn (ossim.dbossim),event->rep_act_dst,e_rep_act_dst);
}
uuid_unparse_upper(event->uuid, uuidtext);
values = sim_event_get_text_escape_fields_values(event);
query
= g_strdup_printf(
"REPLACE INTO event "
"(id, timestamp, sensor, interface, type, plugin_id, plugin_sid, "
"protocol, src_ip, dst_ip, src_port, dst_port, "
"event_condition, value, time_interval, "
"priority, reliability, asset_src, asset_dst, risk_c, risk_a, alarm, "
"snort_sid, snort_cid, uuid, rep_prio_src, rep_prio_dst, rep_rel_src, "
"rep_rel_dst, rep_act_src, rep_act_dst, %s) "
" VALUES (%d, '%s', '%s', '%s', %d, %d, %d,"
" %d, %u, %u, %d, %d, %d, '%s', %d, %d, %d, %d, %d, %d, %d, %d, %u, %u,'%s',"
" %u, %u, %u, %u, '%s', '%s', %s)",
sim_event_get_sql_fields(), event->id, timestamp,
(event->sensor) ? event->sensor : "",
(event->interface) ? event->interface : "", event->type,
event->plugin_id, event->plugin_sid, event->protocol,
(event->src_ia) ? sim_inetaddr_ntohl(event->src_ia) : -1,
(event->dst_ia) ? sim_inetaddr_ntohl(event->dst_ia) : -1,
event->src_port, event->dst_port, event->condition,
(event->value) ? event->value : "", event->interval, event->priority,
event->reliability, event->asset_src, event->asset_dst, c, a,
event->alarm, event->snort_sid, event->snort_cid,
(!uuid_is_null(event->uuid) ? uuidtext : ""),
event->rep_prio_src, event->rep_prio_dst,
event->rep_rel_src, event->rep_rel_dst,
(event->rep_act_src) ? e_rep_act_src : "",
(event->rep_act_dst) ? e_rep_act_dst : "", values);
g_free(values);
g_free (e_rep_act_src);
g_free (e_rep_act_dst);
return query;
}
gchar*
sim_event_get_insert_clause(SimEvent *event)
{
gchar time[TIMEBUF_SIZE];
gchar *timestamp = time;
gchar *query;
gint c;
gint a;
gchar uuidtext[37];
GString *st;
int i;
gchar * e_rep_act_src = NULL, * e_rep_act_dst = NULL;
gchar *e_fields[N_TEXT_FIELDS];
g_return_val_if_fail(event, NULL);
g_return_val_if_fail(SIM_IS_EVENT (event), NULL);
c = rint(event->risk_c);
a = rint(event->risk_a);
if (c < 0)
c = 0;
else if (c > 10)
c = 10;
if (a < 0)
a = 0;
else if (a > 10)
a = 10;
if(event->time_str)
timestamp = event->time_str;
else
strftime (timestamp, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time));
if (!uuid_is_null(event->uuid))
{
uuid_unparse_upper(event->uuid, uuidtext);
}
else
{
uuidtext[0] = '\0';
}
if (event->rep_act_src){
e_rep_act_src = g_new0 (gchar,strlen(event->rep_act_src)*2+1);
gda_connection_escape_string (sim_database_get_conn (ossim.dbossim),event->rep_act_src,e_rep_act_src);
}
if (event->rep_act_dst){
e_rep_act_dst = g_new0 (gchar,strlen(event->rep_act_dst)*2+1);
gda_connection_escape_string (sim_database_get_conn (ossim.dbossim),event->rep_act_dst,e_rep_act_dst);
}
/* Escape de character data*/
/* ossimdb */
for (i = 0; i < N_TEXT_FIELDS; i++)
{
if (event->textfields[i] != NULL)
{
e_fields[i] = g_new0(gchar, strlen(event->textfields[i]) * 2 + 1);
gda_connection_escape_string(sim_database_get_conn(ossim.dbossim),
event->textfields[i], e_fields[i]);
}
else
{
e_fields[i] = NULL;
}
}
st = g_string_new("INSERT INTO event "
"(id, timestamp, tzone, sensor, interface, type, plugin_id, plugin_sid, "
"protocol, src_ip, dst_ip, src_port, dst_port, "
"event_condition, value, time_interval, "
"priority, reliability, asset_src, asset_dst, risk_c, risk_a, alarm, "
"snort_sid, snort_cid, rep_prio_src, rep_prio_dst, rep_rel_src, rep_rel_dst, rep_act_src, rep_act_dst, uuid ");
for (i = 0; i < N_TEXT_FIELDS; i++)
{
g_string_append_printf(st, ",%s", sim_text_field_get_name(i));
}
g_string_append_printf(st, ") VALUES (%d, '%s', %4.2f, '%s', '%s', %d, %d, %d,"
" %d, %u, %u, %d, %d, %d, '%s', %d, %d, %d, %d, %d, %d, %d, %d, %u, %u, "
" %u, %u, %u, %u , '%s' ,'%s','%s' ",
event->id,
timestamp,
event->tzone,
(event->sensor) ? event->sensor : "",
(event->interface) ? event->interface : "",
event->type,
event->plugin_id, event->plugin_sid, event->protocol,
(event->src_ia) ? sim_inetaddr_ntohl(event->src_ia) : -1,
(event->dst_ia) ? sim_inetaddr_ntohl(event->dst_ia) : -1,
event->src_port, event->dst_port, event->condition,
(event->value) ? event->value : "", event->interval, event->priority,
event->reliability, event->asset_src, event->asset_dst, c, a,
event->alarm, event->snort_sid, event->snort_cid,
event->rep_prio_src,
event->rep_prio_dst,
event->rep_rel_src,
event->rep_rel_dst,
(event->rep_act_src) ? e_rep_act_src : "",
(event->rep_act_dst) ? e_rep_act_dst : "",
(uuid_is_null(event->uuid) != 1) ? uuidtext : "");
for (i = 0; i < N_TEXT_FIELDS; i++)
{
g_string_append_printf(st, ",'%s'",
event->textfields[i] != NULL ? e_fields[i] : "");
}
g_string_append(st, ");\n");
g_free (e_rep_act_src);
g_free (e_rep_act_dst);
/* Free memory*/
for (i = 0; i < N_TEXT_FIELDS; i++)
{
g_free(e_fields[i]);
}
return g_string_free(st, FALSE);
}
gchar *
sim_event_get_insert_clause_values (SimEvent *event)
{
gchar time[TIMEBUF_SIZE];
gchar *timestamp = time;
GString *query;
gchar *values;
gchar *e_rep_act_src = NULL;
gchar *e_rep_act_dst = NULL;
gchar *e_src_hostname = NULL;
gchar *e_dst_hostname = NULL;
gchar *src_mac = NULL, *dst_mac = NULL;
GdaConnection *conn;
g_return_val_if_fail (SIM_IS_EVENT (event), NULL);
conn = sim_database_get_conn (ossim.dbossim);
values = sim_event_get_text_escape_fields_values (event);
// If we already have the timestamp we use it.. else we calculate it
if(event->time_str)
timestamp = event->time_str;
else
strftime (timestamp, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time));
if (event->str_rep_act_src)
e_rep_act_src = sim_str_escape (event->str_rep_act_src, conn, 0);
if (event->str_rep_act_dst)
e_rep_act_dst = sim_str_escape (event->str_rep_act_dst, conn, 0);
if (event->src_hostname)
e_src_hostname = sim_str_escape (event->src_hostname, conn, 0);
if (event->dst_hostname)
e_dst_hostname = sim_str_escape (event->dst_hostname, conn, 0);
if (event->src_mac)
src_mac = sim_mac_to_db_string (event->src_mac);
if (event->dst_mac)
dst_mac = sim_mac_to_db_string (event->dst_mac);
query = g_string_new ("");
g_string_append_printf (query, "(%s", sim_uuid_get_db_string (event->id));
g_string_append_printf (query, ",%s", sim_uuid_get_db_string (sim_context_get_id (event->context)));
g_string_append_printf (query, ",'%s'", timestamp);
g_string_append_printf (query, ",%f", event->tzone);
g_string_append_printf (query, ",%s", sim_uuid_get_db_string (event->sensor_id));
g_string_append_printf (query, ",'%s'", (event->interface) ? event->interface : "");
g_string_append_printf (query, ",%d", event->type);
g_string_append_printf (query, ",%d", event->plugin_id);
g_string_append_printf (query, ",%d", event->plugin_sid);
g_string_append_printf (query, ",%d", event->protocol);
g_string_append_printf (query, ",%s", sim_inet_get_db_string (event->src_ia));
g_string_append_printf (query, ",%s", sim_inet_get_db_string (event->dst_ia));
g_string_append_printf (query, ",%s", (event->src_net) ? sim_uuid_get_db_string (sim_net_get_id (event->src_net)) : "NULL");
g_string_append_printf (query, ",%s", (event->dst_net) ? sim_uuid_get_db_string (sim_net_get_id (event->dst_net)) : "NULL");
g_string_append_printf (query, ",%d", event->src_port);
g_string_append_printf (query, ",%d", event->dst_port);
g_string_append_printf (query, ",%d", event->condition);
g_string_append_printf (query, ",%d", event->interval);
g_string_append_printf (query, ",%d", 0); //FIXME event->absolute
g_string_append_printf (query, ",%d", event->priority);
g_string_append_printf (query, ",%d", event->reliability);
g_string_append_printf (query, ",%d", event->asset_src);
g_string_append_printf (query, ",%d", event->asset_dst);
g_string_append_printf (query, ",%d", (gint) event->risk_c);
g_string_append_printf (query, ",%d", (gint) event->risk_a);
g_string_append_printf (query, ",%d", event->alarm);
g_string_append_printf (query, ",%s", values);
g_string_append_printf (query, ",%u", event->rep_prio_src);
g_string_append_printf (query, ",%u", event->rep_prio_dst);
g_string_append_printf (query, ",%u", event->rep_rel_src);
g_string_append_printf (query, ",%u", event->rep_rel_dst);
g_string_append_printf (query, ",'%s'", (e_rep_act_src) ? e_rep_act_src : "");
g_string_append_printf (query, ",'%s'", (e_rep_act_dst) ? e_rep_act_dst : "");
g_string_append_printf (query, ",'%s'", (e_src_hostname) ? e_src_hostname : "");
g_string_append_printf (query, ",'%s'", (e_dst_hostname) ? e_dst_hostname : "");
g_string_append_printf (query, ",%s", (src_mac) ? src_mac : "NULL");
g_string_append_printf (query, ",%s", (dst_mac) ? dst_mac : "NULL");
g_string_append_printf (query, ",%s", (event->src_id) ? sim_uuid_get_db_string (event->src_id) : "NULL");
g_string_append_printf (query, ",%s)", (event->dst_id) ? sim_uuid_get_db_string (event->dst_id) : "NULL");
g_free (values);
return g_string_free (query, FALSE);
}
