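/**
 * sim_db_insert_event:
 * @database: a #SimDatabase
 * @event: a #SimEvent to insert
 *
 * Stores @event, which must already carry its event->id, in the
 * database: first the main event row, then the optional idm,
 * extra-data and otx (pulse) rows.  An event whose is_stored flag is
 * already set is skipped.
 *
 * Every clause builder can return NULL (their g_return_val_if_fail
 * guards do), so each clause is checked before it is executed: a NULL
 * main clause aborts the insert without marking the event as stored,
 * a NULL secondary clause is only logged and skipped.
 */
void
sim_db_insert_event (SimDatabase *database, SimEvent *event)
{
  gchar *query = NULL;
  GdaConnection *conn;

  g_return_if_fail (SIM_IS_DATABASE (database));
  g_return_if_fail (SIM_IS_EVENT (event));

  if (event->is_stored)
    {
      ossim_debug ("%s: Duplicate insert event->id: %s", __func__,
                   sim_uuid_get_string (event->id));
      return;
    }

  ossim_debug ("%s: Storing event->id = %s event->is_stored = %u", __func__,
               sim_uuid_get_string (event->id), event->is_stored);

  /* Main event row; without it the secondary rows make no sense. */
  query = sim_event_get_insert_clause (event);
  if (query == NULL)
    {
      ossim_debug ("%s: insert clause is NULL, event->id = %s not stored", __func__,
                   sim_uuid_get_string (event->id));
      return;
    }
  ossim_debug ("%s: query= %s", __func__, query);
  sim_database_execute_no_query (database, query);
  g_free (query);

  conn = sim_database_get_conn (database);

  /* Identity row, only when a user name is present on either side. */
  if (event->src_username || event->dst_username)
    {
      query = sim_event_idm_get_insert_clause (conn, event);
      if (query != NULL)
        {
          ossim_debug ("%s: idm_data query_values= %s", __func__, query);
          sim_database_execute_no_query (database, query);
          g_free (query);
        }
    }

  /* Payload / log / binary row. */
  if (event->data || event->log || event->binary_data)
    {
      query = sim_event_extra_get_insert_clause (conn, event);
      if (query != NULL)
        {
          ossim_debug ("%s: extra_data query_values= %s", __func__, query);
          sim_database_execute_no_query (database, query);
          g_free (query);
        }
    }

  /* Pulse row.  otx_data may be unset; g_hash_table_size (NULL) would
   * only raise a GLib critical and return 0, so guard it explicitly. */
  if (event->otx_data != NULL && g_hash_table_size (event->otx_data) > 0)
    {
      query = sim_event_pulses_get_insert_clause (conn, event);
      if (query != NULL)
        {
          ossim_debug ("%s: otx_data query_values= %s", __func__, query);
          sim_database_execute_no_query (database, query);
          g_free (query);
        }
    }

  event->is_stored = TRUE;
}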
/*
 * Build the comma-separated list of single-quoted, SQL-escaped text
 * field values of @event, in textfields[] index order.  A NULL field is
 * emitted as ''.  Escaping uses gda_connection_escape_string() on the
 * ossim.dbossim connection, with the usual "every byte may double"
 * buffer sizing.
 *
 * Returns: a newly allocated string owned by the caller (g_free), or
 * NULL if the GString could not be created (GLib aborts on OOM, so the
 * check is kept only for parity with the rest of the file).
 */
static gchar *
sim_event_get_text_escape_fields_values (SimEvent *event)
{
  GdaConnection *conn = sim_database_get_conn (ossim.dbossim);
  GString *out = g_string_new ("");
  int idx;

  if (out == NULL)
    return NULL;

  for (idx = 0; idx < N_TEXT_FIELDS; idx++)
    {
      gchar *raw = event->textfields[idx];
      const gchar *sep = (idx == N_TEXT_FIELDS - 1) ? "" : ",";

      if (raw == NULL)
        {
          g_string_append_printf (out, "'%s'%s", "", sep);
          continue;
        }

      /* worst case: every input byte becomes two, plus the terminator */
      gchar *escaped = g_new0 (gchar, strlen (raw) * 2 + 1);
      gda_connection_escape_string (conn, raw, escaped);
      g_string_append_printf (out, "'%s'%s", escaped, sep);
      g_free (escaped);
    }

  return g_string_free (out, FALSE);
}
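/*
 * sim_event_get_text_escape_fields_values:
 * @event: the event whose text fields are serialised
 *
 * Returns the comma-separated list of single-quoted, SQL-escaped text
 * field values of @event, indexed by SimTextField* in the order the
 * event INSERT column list expects.  A field that is not set is emitted
 * as ''.  Escaping goes through sim_str_escape() on the ossim.dbossim
 * connection.
 *
 * Returns: a newly allocated string; the caller must g_free() it.
 */
gchar *
sim_event_get_text_escape_fields_values (SimEvent *event)
{
  /* Zero-filled so that any SimTextField index not mapped below reads
   * as NULL (-> '') instead of an uninitialised pointer if N_TEXT_FIELDS
   * ever grows without this table being updated. */
  gchar *fields[N_TEXT_FIELDS] = { NULL };
  GdaConnection *conn = sim_database_get_conn (ossim.dbossim);
  GString *st = g_string_new ("");
  int i;

  if (st == NULL)
    return NULL;

  fields[SimTextFieldUsername]  = event->username;
  fields[SimTextFieldPassword]  = event->password;
  fields[SimTextFieldFilename]  = event->filename;
  fields[SimTextFieldUserdata1] = event->userdata1;
  fields[SimTextFieldUserdata2] = event->userdata2;
  fields[SimTextFieldUserdata3] = event->userdata3;
  fields[SimTextFieldUserdata4] = event->userdata4;
  fields[SimTextFieldUserdata5] = event->userdata5;
  fields[SimTextFieldUserdata6] = event->userdata6;
  fields[SimTextFieldUserdata7] = event->userdata7;
  fields[SimTextFieldUserdata8] = event->userdata8;
  fields[SimTextFieldUserdata9] = event->userdata9;
  fields[SimTextFieldRulename]  = event->rulename;
  fields[SimTextFieldValue]     = event->value;

  /* src_mac / dst_mac are not text fields and are not part of this
   * list, so they are intentionally not converted here. */
  for (i = 0; i < N_TEXT_FIELDS; i++)
    {
      const gchar *sep = (i == N_TEXT_FIELDS - 1) ? "" : ",";

      if (fields[i] == NULL)
        {
          g_string_append_printf (st, "'%s'%s", "", sep);
          continue;
        }

      gchar *escaped = sim_str_escape (fields[i], conn, 0);
      g_string_append_printf (st, "'%s'%s", escaped, sep);
      g_free (escaped);
    }

  return g_string_free (st, FALSE);
}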
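/*
 * sim_event_get_alarm_insert_clause:
 * @db_ossim: database whose connection is used for escaping
 * @event: the event the alarm row is built from
 * @removable: value stored in the "removable" column
 *
 * Builds the REPLACE INTO alarm statement for @event.  The risk column
 * is the larger of the truncated risk_a / risk_c; efr is
 * priority * reliability * 2 (a percentage, used for compliance); the
 * "similar" column is the group hash when one is set, otherwise
 * SHA1() of the event id as the DB sees it.
 *
 * Every string that is spliced into a quoted SQL literal (timestamp,
 * group hash, stats) is escaped with sim_str_escape(): none of them is
 * validated here, and time_str in particular may originate outside this
 * process.  Numeric and uuid columns are emitted through their own
 * *_get_db_string helpers.
 *
 * Returns: a newly allocated query, or NULL when @event is not a
 * SimEvent; the caller must g_free() it.
 */
gchar *
sim_event_get_alarm_insert_clause (SimDatabase *db_ossim, SimEvent *event, gboolean removable)
{
  gchar time[TIMEBUF_SIZE];
  gchar *timestamp = time;
  gchar *e_timestamp = NULL;
  gchar *e_group_sha1 = NULL;
  gchar *e_alarm_stats = NULL;
  GString *query;
  GdaConnection *conn;
  guint efr;
  gint risk;

  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  conn = sim_database_get_conn (db_ossim);

  /* Keep the buffer a valid (empty) string even if strftime fails. */
  time[0] = '\0';
  if (event->time_str)
    timestamp = event->time_str;
  else
    strftime (time, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time));

  e_timestamp = sim_str_escape (timestamp, conn, 0);
  if (event->groupalarmsha1)
    e_group_sha1 = sim_str_escape (event->groupalarmsha1, conn, 0);
  if (event->alarm_stats)
    e_alarm_stats = sim_str_escape (event->alarm_stats, conn, 0);

  /* the "*2" turns priority * reliability into a percentage */
  efr = event->priority * event->reliability * 2;
  risk = ((gint) event->risk_a > (gint) event->risk_c) ? (gint) event->risk_a
                                                        : (gint) event->risk_c;

  ossim_debug ("%s: risk_c:%f, risk_a:%f", __func__, event->risk_c, event->risk_a);

  query = g_string_new ("REPLACE INTO alarm "
                        "(event_id, backlog_id, corr_engine_ctx, timestamp, plugin_id, plugin_sid, "
                        "protocol, src_ip, dst_ip, src_port, dst_port, "
                        "risk, efr, similar, removable, stats) VALUES (");

  g_string_append_printf (query, "%s", sim_uuid_get_db_string (event->id));
  g_string_append_printf (query, ",%s", sim_uuid_get_db_string (event->backlog_id));
  g_string_append_printf (query, ",%s", sim_uuid_get_db_string (sim_engine_get_id (event->engine)));
  g_string_append_printf (query, ",'%s'", e_timestamp ? e_timestamp : "");
  g_string_append_printf (query, ",%d", event->plugin_id);
  g_string_append_printf (query, ",%d", event->plugin_sid);
  g_string_append_printf (query, ",%d", event->protocol);
  g_string_append_printf (query, ",%s", (event->src_ia) ? sim_inet_get_db_string (event->src_ia) : "NULL");
  g_string_append_printf (query, ",%s", (event->dst_ia) ? sim_inet_get_db_string (event->dst_ia) : "NULL");
  g_string_append_printf (query, ",%d", event->src_port);
  g_string_append_printf (query, ",%d", event->dst_port);
  g_string_append_printf (query, ",%d", risk);
  g_string_append_printf (query, ",%u", efr);
  /* similar: IF(group_hash <> '', group_hash, SHA1(event id)) */
  g_string_append_printf (query, ",IF('%s'<>''", e_group_sha1 ? e_group_sha1 : "");
  g_string_append_printf (query, ",'%s'", e_group_sha1 ? e_group_sha1 : "");
  g_string_append_printf (query, ",SHA1('%s'))", sim_uuid_get_db_string (event->id));
  g_string_append_printf (query, ",%d", removable);
  g_string_append_printf (query, ",'%s')", e_alarm_stats ? e_alarm_stats : "");

  g_free (e_timestamp);
  g_free (e_group_sha1);
  g_free (e_alarm_stats);

  return g_string_free (query, FALSE);
}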
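/* Escape @s for use inside a quoted SQL literal on @conn.  Returns a
 * newly allocated buffer (worst case every byte doubles) or NULL when
 * @s is NULL; the caller g_free()s it. */
static gchar *
sim_event_replace_clause_escape (GdaConnection *conn, gchar *s)
{
  gchar *out;

  if (s == NULL)
    return NULL;
  out = g_new0 (gchar, strlen (s) * 2 + 1);
  gda_connection_escape_string (conn, s, out);
  return out;
}

/*
 * sim_event_get_replace_clause:
 * @event: the event to serialise
 *
 * Builds a REPLACE INTO event statement for @event using the legacy
 * integer id / numeric IP column layout.  risk_c / risk_a are rounded
 * and clamped to 0..10.  The uuid column is empty when event->uuid is
 * the nil uuid.
 *
 * All strings spliced into quoted literals (timestamp, sensor,
 * interface, value, rep_act_*) are escaped on the ossim.dbossim
 * connection; the text fields come already escaped from
 * sim_event_get_text_escape_fields_values().
 *
 * NOTE(review): "value" appears explicitly in the column list and is
 * also a text field (SimTextFieldValue); confirm sim_event_get_sql_fields()
 * does not list it a second time.
 *
 * Returns: a newly allocated query (g_free), or NULL if @event is NULL
 * or not a SimEvent.
 */
gchar *
sim_event_get_replace_clause (SimEvent *event)
{
  gchar time[TIMEBUF_SIZE];
  gchar *timestamp = time;
  gchar *query;
  gint c;
  gint a;
  gchar uuidtext[37];
  gchar *values;
  GdaConnection *conn;
  gchar *e_timestamp = NULL;
  gchar *e_sensor = NULL;
  gchar *e_interface = NULL;
  gchar *e_value = NULL;
  gchar *e_rep_act_src = NULL;
  gchar *e_rep_act_dst = NULL;

  g_return_val_if_fail (event, NULL);
  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  conn = sim_database_get_conn (ossim.dbossim);

  c = rint (event->risk_c);
  a = rint (event->risk_a);
  if (c < 0)
    c = 0;
  else if (c > 10)
    c = 10;
  if (a < 0)
    a = 0;
  else if (a > 10)
    a = 10;

  /* Keep the buffer a valid (empty) string even if strftime fails. */
  time[0] = '\0';
  if (event->time_str)
    timestamp = event->time_str;
  else
    strftime (time, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time));

  if (!uuid_is_null (event->uuid))
    uuid_unparse_upper (event->uuid, uuidtext);
  else
    uuidtext[0] = '\0';

  e_timestamp   = sim_event_replace_clause_escape (conn, timestamp);
  e_sensor      = sim_event_replace_clause_escape (conn, event->sensor);
  e_interface   = sim_event_replace_clause_escape (conn, event->interface);
  e_value       = sim_event_replace_clause_escape (conn, event->value);
  e_rep_act_src = sim_event_replace_clause_escape (conn, event->rep_act_src);
  e_rep_act_dst = sim_event_replace_clause_escape (conn, event->rep_act_dst);

  values = sim_event_get_text_escape_fields_values (event);

  query = g_strdup_printf ("REPLACE INTO event "
                           "(id, timestamp, sensor, interface, type, plugin_id, plugin_sid, "
                           "protocol, src_ip, dst_ip, src_port, dst_port, "
                           "event_condition, value, time_interval, "
                           "priority, reliability, asset_src, asset_dst, risk_c, risk_a, alarm, "
                           "snort_sid, snort_cid, uuid, rep_prio_src, rep_prio_dst, rep_rel_src, "
                           "rep_rel_dst, rep_act_src, rep_act_dst, %s) "
                           " VALUES (%d, '%s', '%s', '%s', %d, %d, %d,"
                           " %d, %u, %u, %d, %d, %d, '%s', %d, %d, %d, %d, %d, %d, %d, %d, %u, %u,'%s',"
                           " %u, %u, %u, %u, '%s', '%s', %s)",
                           sim_event_get_sql_fields (),
                           event->id,
                           e_timestamp ? e_timestamp : "",
                           e_sensor ? e_sensor : "",
                           e_interface ? e_interface : "",
                           event->type,
                           event->plugin_id,
                           event->plugin_sid,
                           event->protocol,
                           (event->src_ia) ? sim_inetaddr_ntohl (event->src_ia) : -1,
                           (event->dst_ia) ? sim_inetaddr_ntohl (event->dst_ia) : -1,
                           event->src_port,
                           event->dst_port,
                           event->condition,
                           e_value ? e_value : "",
                           event->interval,
                           event->priority,
                           event->reliability,
                           event->asset_src,
                           event->asset_dst,
                           c,
                           a,
                           event->alarm,
                           event->snort_sid,
                           event->snort_cid,
                           uuidtext,
                           event->rep_prio_src,
                           event->rep_prio_dst,
                           event->rep_rel_src,
                           event->rep_rel_dst,
                           e_rep_act_src ? e_rep_act_src : "",
                           e_rep_act_dst ? e_rep_act_dst : "",
                           values);

  g_free (values);
  g_free (e_timestamp);
  g_free (e_sensor);
  g_free (e_interface);
  g_free (e_value);
  g_free (e_rep_act_src);
  g_free (e_rep_act_dst);

  return query;
}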
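/* Escape @s for use inside a quoted SQL literal on @conn.  Returns a
 * newly allocated buffer (worst case every byte doubles) or NULL when
 * @s is NULL; the caller g_free()s it. */
static gchar *
sim_event_insert_clause_escape (GdaConnection *conn, gchar *s)
{
  gchar *out;

  if (s == NULL)
    return NULL;
  out = g_new0 (gchar, strlen (s) * 2 + 1);
  gda_connection_escape_string (conn, s, out);
  return out;
}

/*
 * sim_event_get_insert_clause:
 * @event: the event to serialise
 *
 * Builds the INSERT INTO event statement for @event: the fixed column
 * list followed by one column per text field (sim_text_field_get_name),
 * then the matching VALUES.  risk_c / risk_a are rounded and clamped to
 * 0..10; the uuid column is empty when event->uuid is the nil uuid.
 *
 * Every string spliced into a quoted literal (timestamp, sensor,
 * interface, value, rep_act_*, each text field) is escaped on the
 * ossim.dbossim connection; a NULL field is written as ''.
 *
 * Returns: a newly allocated query ending in ";\n" (g_free), or NULL if
 * @event is NULL or not a SimEvent.
 */
gchar *
sim_event_get_insert_clause (SimEvent *event)
{
  gchar time[TIMEBUF_SIZE];
  gchar *timestamp = time;
  gchar uuidtext[37];
  GString *st;
  GdaConnection *conn;
  gint c;
  gint a;
  int i;
  gchar *e_timestamp = NULL;
  gchar *e_sensor = NULL;
  gchar *e_interface = NULL;
  gchar *e_value = NULL;
  gchar *e_rep_act_src = NULL;
  gchar *e_rep_act_dst = NULL;
  gchar *e_fields[N_TEXT_FIELDS];

  g_return_val_if_fail (event, NULL);
  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  conn = sim_database_get_conn (ossim.dbossim);

  c = rint (event->risk_c);
  a = rint (event->risk_a);
  if (c < 0)
    c = 0;
  else if (c > 10)
    c = 10;
  if (a < 0)
    a = 0;
  else if (a > 10)
    a = 10;

  /* Keep the buffer a valid (empty) string even if strftime fails. */
  time[0] = '\0';
  if (event->time_str)
    timestamp = event->time_str;
  else
    strftime (time, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time));

  if (!uuid_is_null (event->uuid))
    uuid_unparse_upper (event->uuid, uuidtext);
  else
    uuidtext[0] = '\0';

  e_timestamp   = sim_event_insert_clause_escape (conn, timestamp);
  e_sensor      = sim_event_insert_clause_escape (conn, event->sensor);
  e_interface   = sim_event_insert_clause_escape (conn, event->interface);
  e_value       = sim_event_insert_clause_escape (conn, event->value);
  e_rep_act_src = sim_event_insert_clause_escape (conn, event->rep_act_src);
  e_rep_act_dst = sim_event_insert_clause_escape (conn, event->rep_act_dst);

  /* Text fields (NULL stays NULL and is written as '' below). */
  for (i = 0; i < N_TEXT_FIELDS; i++)
    e_fields[i] = sim_event_insert_clause_escape (conn, event->textfields[i]);

  st = g_string_new ("INSERT INTO event "
                     "(id, timestamp, tzone, sensor, interface, type, plugin_id, plugin_sid, "
                     "protocol, src_ip, dst_ip, src_port, dst_port, "
                     "event_condition, value, time_interval, "
                     "priority, reliability, asset_src, asset_dst, risk_c, risk_a, alarm, "
                     "snort_sid, snort_cid, rep_prio_src, rep_prio_dst, rep_rel_src, rep_rel_dst, rep_act_src, rep_act_dst, uuid ");

  for (i = 0; i < N_TEXT_FIELDS; i++)
    g_string_append_printf (st, ",%s", sim_text_field_get_name (i));

  g_string_append_printf (st,
                          ") VALUES (%d, '%s', %4.2f, '%s', '%s', %d, %d, %d,"
                          " %d, %u, %u, %d, %d, %d, '%s', %d, %d, %d, %d, %d, %d, %d, %d, %u, %u, "
                          " %u, %u, %u, %u , '%s' ,'%s','%s' ",
                          event->id,
                          e_timestamp ? e_timestamp : "",
                          event->tzone,
                          e_sensor ? e_sensor : "",
                          e_interface ? e_interface : "",
                          event->type,
                          event->plugin_id,
                          event->plugin_sid,
                          event->protocol,
                          (event->src_ia) ? sim_inetaddr_ntohl (event->src_ia) : -1,
                          (event->dst_ia) ? sim_inetaddr_ntohl (event->dst_ia) : -1,
                          event->src_port,
                          event->dst_port,
                          event->condition,
                          e_value ? e_value : "",
                          event->interval,
                          event->priority,
                          event->reliability,
                          event->asset_src,
                          event->asset_dst,
                          c,
                          a,
                          event->alarm,
                          event->snort_sid,
                          event->snort_cid,
                          event->rep_prio_src,
                          event->rep_prio_dst,
                          event->rep_rel_src,
                          event->rep_rel_dst,
                          e_rep_act_src ? e_rep_act_src : "",
                          e_rep_act_dst ? e_rep_act_dst : "",
                          uuidtext);

  for (i = 0; i < N_TEXT_FIELDS; i++)
    g_string_append_printf (st, ",'%s'", e_fields[i] ? e_fields[i] : "");

  g_string_append (st, ");\n");

  g_free (e_timestamp);
  g_free (e_sensor);
  g_free (e_interface);
  g_free (e_value);
  g_free (e_rep_act_src);
  g_free (e_rep_act_dst);
  for (i = 0; i < N_TEXT_FIELDS; i++)
    g_free (e_fields[i]);

  return g_string_free (st, FALSE);
}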
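/*
 * sim_event_get_insert_clause_values:
 * @event: the event to serialise
 *
 * Builds one parenthesised VALUES tuple for @event in the uuid / binary
 * IP column layout (the caller supplies the INSERT prefix).  Column
 * order is fixed by the format below; the "absolute" column is still
 * hard-coded to 0 (FIXME in the original).
 *
 * Strings spliced into quoted literals (timestamp, interface, rep_act_*,
 * hostnames) are escaped with sim_str_escape() on the ossim.dbossim
 * connection; text fields arrive already escaped from
 * sim_event_get_text_escape_fields_values().  src_ia / dst_ia, the nets,
 * MACs and src_id / dst_id are written as SQL NULL when unset, matching
 * the alarm clause.
 *
 * All intermediate escaped strings are released before returning; the
 * caller owns the result and must g_free() it.  Returns NULL when
 * @event is not a SimEvent.
 */
gchar *
sim_event_get_insert_clause_values (SimEvent *event)
{
  gchar time[TIMEBUF_SIZE];
  gchar *timestamp = time;
  GString *query;
  gchar *values;
  gchar *e_timestamp = NULL;
  gchar *e_interface = NULL;
  gchar *e_rep_act_src = NULL;
  gchar *e_rep_act_dst = NULL;
  gchar *e_src_hostname = NULL;
  gchar *e_dst_hostname = NULL;
  gchar *src_mac = NULL;
  gchar *dst_mac = NULL;
  GdaConnection *conn;

  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  conn = sim_database_get_conn (ossim.dbossim);

  values = sim_event_get_text_escape_fields_values (event);

  /* Use the timestamp we were given, otherwise format event->time.
   * The buffer stays a valid (empty) string even if strftime fails. */
  time[0] = '\0';
  if (event->time_str)
    timestamp = event->time_str;
  else
    strftime (time, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time));

  e_timestamp = sim_str_escape (timestamp, conn, 0);
  if (event->interface)
    e_interface = sim_str_escape (event->interface, conn, 0);
  if (event->str_rep_act_src)
    e_rep_act_src = sim_str_escape (event->str_rep_act_src, conn, 0);
  if (event->str_rep_act_dst)
    e_rep_act_dst = sim_str_escape (event->str_rep_act_dst, conn, 0);
  if (event->src_hostname)
    e_src_hostname = sim_str_escape (event->src_hostname, conn, 0);
  if (event->dst_hostname)
    e_dst_hostname = sim_str_escape (event->dst_hostname, conn, 0);
  if (event->src_mac)
    src_mac = sim_mac_to_db_string (event->src_mac);
  if (event->dst_mac)
    dst_mac = sim_mac_to_db_string (event->dst_mac);

  query = g_string_new ("");
  g_string_append_printf (query, "(%s", sim_uuid_get_db_string (event->id));
  g_string_append_printf (query, ",%s", sim_uuid_get_db_string (sim_context_get_id (event->context)));
  g_string_append_printf (query, ",'%s'", e_timestamp ? e_timestamp : "");
  g_string_append_printf (query, ",%f", event->tzone);
  g_string_append_printf (query, ",%s", sim_uuid_get_db_string (event->sensor_id));
  g_string_append_printf (query, ",'%s'", e_interface ? e_interface : "");
  g_string_append_printf (query, ",%d", event->type);
  g_string_append_printf (query, ",%d", event->plugin_id);
  g_string_append_printf (query, ",%d", event->plugin_sid);
  g_string_append_printf (query, ",%d", event->protocol);
  /* guard the address helpers like sim_event_get_alarm_insert_clause does */
  g_string_append_printf (query, ",%s", (event->src_ia) ? sim_inet_get_db_string (event->src_ia) : "NULL");
  g_string_append_printf (query, ",%s", (event->dst_ia) ? sim_inet_get_db_string (event->dst_ia) : "NULL");
  g_string_append_printf (query, ",%s", (event->src_net) ? sim_uuid_get_db_string (sim_net_get_id (event->src_net)) : "NULL");
  g_string_append_printf (query, ",%s", (event->dst_net) ? sim_uuid_get_db_string (sim_net_get_id (event->dst_net)) : "NULL");
  g_string_append_printf (query, ",%d", event->src_port);
  g_string_append_printf (query, ",%d", event->dst_port);
  g_string_append_printf (query, ",%d", event->condition);
  g_string_append_printf (query, ",%d", event->interval);
  g_string_append_printf (query, ",%d", 0); /* FIXME event->absolute */
  g_string_append_printf (query, ",%d", event->priority);
  g_string_append_printf (query, ",%d", event->reliability);
  g_string_append_printf (query, ",%d", event->asset_src);
  g_string_append_printf (query, ",%d", event->asset_dst);
  g_string_append_printf (query, ",%d", (gint) event->risk_c);
  g_string_append_printf (query, ",%d", (gint) event->risk_a);
  g_string_append_printf (query, ",%d", event->alarm);
  g_string_append_printf (query, ",%s", values);
  g_string_append_printf (query, ",%u", event->rep_prio_src);
  g_string_append_printf (query, ",%u", event->rep_prio_dst);
  g_string_append_printf (query, ",%u", event->rep_rel_src);
  g_string_append_printf (query, ",%u", event->rep_rel_dst);
  g_string_append_printf (query, ",'%s'", e_rep_act_src ? e_rep_act_src : "");
  g_string_append_printf (query, ",'%s'", e_rep_act_dst ? e_rep_act_dst : "");
  g_string_append_printf (query, ",'%s'", e_src_hostname ? e_src_hostname : "");
  g_string_append_printf (query, ",'%s'", e_dst_hostname ? e_dst_hostname : "");
  g_string_append_printf (query, ",%s", src_mac ? src_mac : "NULL");
  g_string_append_printf (query, ",%s", dst_mac ? dst_mac : "NULL");
  g_string_append_printf (query, ",%s", (event->src_id) ? sim_uuid_get_db_string (event->src_id) : "NULL");
  g_string_append_printf (query, ",%s)", (event->dst_id) ? sim_uuid_get_db_string (event->dst_id) : "NULL");

  /* Every escaped copy and MAC string above was leaking; release them. */
  g_free (values);
  g_free (e_timestamp);
  g_free (e_interface);
  g_free (e_rep_act_src);
  g_free (e_rep_act_dst);
  g_free (e_src_hostname);
  g_free (e_dst_hostname);
  g_free (src_mac);
  g_free (dst_mac);

  return g_string_free (query, FALSE);
}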