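/**
 * sim_event_set_context_and_engine:
 * @event: a #SimEvent
 * @context_id: a #SimUuid naming the context to attach; may be %NULL
 *
 * Resolves @context_id through the global container and attaches the
 * matching #SimContext and #SimEngine to @event, holding a reference on each.
 *
 * Both lookups happen before any existing reference is released. The
 * previous version unreffed event->context / event->engine first and then
 * returned early when a lookup failed, which left @event holding pointers to
 * objects it no longer owned (a later unref became a double free). Now a
 * failed lookup logs a message and leaves @event untouched.
 */
void
sim_event_set_context_and_engine (SimEvent *event,
                                  SimUuid  *context_id)
{
  SimContext *context;
  SimEngine  *engine;

  g_return_if_fail (SIM_IS_EVENT (event));

  context = sim_container_get_context (ossim.container, context_id);
  if (!context)
  {
    g_message ("%s: Error getting context_id %s", __func__,
               context_id ? sim_uuid_get_string (context_id) : "NULL");
    return;
  }

  engine = sim_container_get_engine_for_context (ossim.container, context_id);
  if (!engine)
  {
    g_message ("%s: Error getting engine for context_id %s", __func__,
               context_id ? sim_uuid_get_string (context_id) : "NULL");
    return;
  }

  /* Take the new references before dropping the old ones, so re-setting the
   * same context/engine can never drop a last reference in between. */
  context = g_object_ref (context);
  engine  = g_object_ref (engine);

  if (event->context)
    g_object_unref (event->context);
  if (event->engine)
    g_object_unref (event->engine);

  event->context = context;
  event->engine  = engine;
}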
/*
 * sim_event_sanitize:
 * @event: a #SimEvent
 *
 * Placeholder for event sanitisation. Beyond validating @event it does
 * nothing: the earlier substitution of ';' and '\'' in event->data,
 * event->log and the userdata fields (meant to stop the GDA layer, which
 * accepts ';'-separated multi-statements, from running more than one query)
 * is disabled. Callers therefore must not rely on this function for SQL
 * safety; values have to be escaped where each query is built.
 *
 * FIXME: the event still needs a much deeper analysis before storage.
 */
void
sim_event_sanitize (SimEvent *event)
{
  g_return_if_fail (event);
  g_return_if_fail (SIM_IS_EVENT (event));

  /* Intentionally a no-op beyond the checks above. */
}
/*
 * sim_event_add_backlog_ref_ul:
 * @event: a #SimEvent
 * @directive: a #SimDirective, passed as a #GObject
 *
 * Prepends a new reference to @directive onto event->backlog_list; the list
 * owns that reference. The "_ul" suffix suggests the caller already holds
 * whatever lock guards the list — TODO confirm against the callers.
 */
void
sim_event_add_backlog_ref_ul (SimEvent *event,
                              GObject  *directive)
{
  GObject *held;

  g_return_if_fail (event != NULL);
  g_return_if_fail (directive != NULL);
  g_return_if_fail (SIM_IS_EVENT (event));
  g_return_if_fail (SIM_IS_DIRECTIVE (directive));

  held = g_object_ref (G_OBJECT (directive));
  event->backlog_list = g_list_prepend (event->backlog_list, held);
}
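/**
 * sim_event_get_alarm_insert_clause:
 * @db_ossim: the #SimDatabase whose connection is used for escaping
 * @event: a #SimEvent that has been promoted to an alarm
 * @removable: whether the alarm may be removed (finished / timed out)
 *
 * Builds the "REPLACE INTO alarm (...) VALUES (...)" statement for @event.
 * The stored risk is the larger of the truncated C and A risks; "similar"
 * is the group sha1 when one is set, otherwise SHA1(event_id) computed by
 * the database.
 *
 * Fix: the timestamp was formatted with strftime(gmtime(...)) without any
 * check — gmtime() may return %NULL and strftime() returns 0 on overflow,
 * both of which left an indeterminate buffer in the query. event->time was
 * also read through a time_t* cast; it is now copied into a real time_t.
 *
 * Escaping: alarm_stats goes through sim_str_escape(); ids, addresses and
 * the engine id through their *_get_db_string() helpers. timestamp (when
 * taken from event->time_str) and groupalarmsha1 are quoted but not
 * escaped. NOTE(review): confirm both are always server-generated.
 *
 * Returns: a newly allocated query to g_free(), or %NULL if @event is not a
 * #SimEvent.
 */
gchar *
sim_event_get_alarm_insert_clause (SimDatabase *db_ossim,
                                   SimEvent    *event,
                                   gboolean     removable)
{
  gchar          timebuf[TIMEBUF_SIZE];
  gchar         *timestamp = timebuf;
  GString       *query;
  GdaConnection *conn;
  gchar         *e_alarm_stats = NULL;
  const gchar   *group_sha1;
  guint          efr;
  gint           risk;

  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  conn = sim_database_get_conn (db_ossim);

  if (event->time_str)
  {
    timestamp = event->time_str;
  }
  else
  {
    time_t     t  = (time_t) event->time;
    struct tm *tm = gmtime (&t);

    /* Fall back to an empty string rather than reading an unset buffer. */
    if (tm == NULL || strftime (timebuf, TIMEBUF_SIZE, "%F %T", tm) == 0)
      timebuf[0] = '\0';
  }

  /* Used for compliance; the "*2" turns the product into a percentage. */
  efr = event->priority * event->reliability * 2;

  if (event->alarm_stats)
    e_alarm_stats = sim_str_escape (event->alarm_stats, conn, 0);

  ossim_debug ("%s: risk_c:%f, risk_a:%f", __func__, event->risk_c, event->risk_a);

  risk = ((gint) event->risk_a > (gint) event->risk_c) ? (gint) event->risk_a
                                                       : (gint) event->risk_c;

  group_sha1 = (event->groupalarmsha1 != NULL) ? event->groupalarmsha1 : "";

  query = g_string_new ("REPLACE INTO alarm "
                        "(event_id, backlog_id, corr_engine_ctx, timestamp, plugin_id, plugin_sid, "
                        "protocol, src_ip, dst_ip, src_port, dst_port, "
                        "risk, efr, similar, removable, stats) VALUES (");
  g_string_append_printf (query, "%s",    sim_uuid_get_db_string (event->id));
  g_string_append_printf (query, ",%s",   sim_uuid_get_db_string (event->backlog_id));
  g_string_append_printf (query, ",%s",   sim_uuid_get_db_string (sim_engine_get_id (event->engine)));
  g_string_append_printf (query, ",'%s'", timestamp);
  g_string_append_printf (query, ",%d",   event->plugin_id);
  g_string_append_printf (query, ",%d",   event->plugin_sid);
  g_string_append_printf (query, ",%d",   event->protocol);
  g_string_append_printf (query, ",%s",   (event->src_ia) ? sim_inet_get_db_string (event->src_ia) : "NULL");
  g_string_append_printf (query, ",%s",   (event->dst_ia) ? sim_inet_get_db_string (event->dst_ia) : "NULL");
  g_string_append_printf (query, ",%d",   event->src_port);
  g_string_append_printf (query, ",%d",   event->dst_port);
  g_string_append_printf (query, ",%d",   risk);
  g_string_append_printf (query, ",%u",   efr);
  g_string_append_printf (query, ",IF('%s'<>''", group_sha1);
  g_string_append_printf (query, ",'%s'", group_sha1);
  g_string_append_printf (query, ",SHA1('%s'))", sim_uuid_get_db_string (event->id));
  g_string_append_printf (query, ",%d",   removable);
  g_string_append_printf (query, ",'%s')", e_alarm_stats ? e_alarm_stats : "");

  g_free (e_alarm_stats);

  return g_string_free (query, FALSE);
}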
/*
 * sim_event_get_alarm_insert_clause:
 * @event: a #SimEvent
 *
 * Older single-argument variant building the "REPLACE INTO alarm" statement
 * for the numeric-id schema (snort_sid/snort_cid plus uuid columns).
 *
 * Side effect: event->risk_c and event->risk_a are clamped into [0, 10] in
 * place before being rounded; the stored risk is the larger of the two.
 *
 * NOTE(review): the timestamp taken from event->time_str is interpolated
 * without escaping, and a missing address is passed as -1 to a "%u"
 * conversion — both inherited from the original; verify upstream handling.
 *
 * Returns: a newly allocated query to g_free(), or %NULL on a bad @event.
 */
gchar *
sim_event_get_alarm_insert_clause (SimEvent *event)
{
  gchar  timebuf[TIMEBUF_SIZE];
  gchar *timestamp = timebuf;
  gchar  uuidtext[37];
  gchar  uuidtext_backlog[37];
  gint   risk_c, risk_a, risk;

  g_return_val_if_fail (event, NULL);
  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  /* Clamp the event's own risks (kept from the original), then round. */
  event->risk_c = CLAMP (event->risk_c, 0, 10);
  event->risk_a = CLAMP (event->risk_a, 0, 10);
  risk_c = rint (event->risk_c);
  risk_a = rint (event->risk_a);
  risk   = MAX (risk_a, risk_c);

  if (event->time_str)
    timestamp = event->time_str;
  else
    strftime (timestamp, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time));

  uuid_unparse_upper (event->uuid, uuidtext);
  uuid_unparse_upper (event->uuid_backlog, uuidtext_backlog);

  return g_strdup_printf (
      "REPLACE INTO alarm "
      "(event_id, backlog_id, timestamp, plugin_id, plugin_sid, "
      "protocol, src_ip, dst_ip, src_port, dst_port, "
      "risk, snort_sid, snort_cid,uuid_backlog,uuid_event) "
      " VALUES ('%u', '%u', '%s', %d, %d, %d, %u, %u, %d, %d, %d, %u, %u,'%s','%s')",
      event->id, event->backlog_id, timestamp,
      event->plugin_id, event->plugin_sid, event->protocol,
      (event->src_ia) ? sim_inetaddr_ntohl (event->src_ia) : -1,
      (event->dst_ia) ? sim_inetaddr_ntohl (event->dst_ia) : -1,
      event->src_port, event->dst_port, risk,
      event->snort_sid, event->snort_cid,
      (!uuid_is_null (event->uuid_backlog) ? uuidtext_backlog : ""),
      (!uuid_is_null (event->uuid) ? uuidtext : ""));
}
/*
 * sim_event_get_update_clause:
 * @event: a #SimEvent
 *
 * Builds the "UPDATE event SET ... WHERE id=<event->id>" statement for the
 * numeric-id schema. Risks are rounded with rint() and clamped to [0, 10]
 * in local copies; @event itself is not modified.
 *
 * NOTE(review): sensor, interface, value and (when taken from time_str)
 * timestamp are quoted but not escaped before interpolation, and a missing
 * address is passed as -1 to a "%u" conversion — inherited from the
 * original; confirm those fields are escaped upstream.
 *
 * Returns: a newly allocated query to g_free(), or %NULL on a bad @event.
 */
gchar *
sim_event_get_update_clause (SimEvent *event)
{
  gchar  timebuf[TIMEBUF_SIZE];
  gchar *timestamp = timebuf;
  gint   risk_c, risk_a;

  g_return_val_if_fail (event, NULL);
  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  risk_c = CLAMP ((gint) rint (event->risk_c), 0, 10);
  risk_a = CLAMP ((gint) rint (event->risk_a), 0, 10);

  if (event->time_str)
    timestamp = event->time_str;
  else
    strftime (timestamp, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time));

  return g_strdup_printf (
      "UPDATE event SET timestamp='%s', sensor='%s', interface='%s', "
      "type=%d, plugin_id=%d, plugin_sid=%d, "
      "protocol=%d, src_ip=%u, dst_ip=%u, src_port=%d, dst_port=%d, "
      "event_condition=%d, value='%s', time_interval=%d, "
      "priority=%d, reliability=%d, asset_src=%d, asset_dst=%d, "
      "risk_c=%d, risk_a=%d, alarm=%d, "
      "snort_sid=%u, snort_cid=%u "
      " WHERE id=%u",
      timestamp,
      (event->sensor) ? event->sensor : "",
      (event->interface) ? event->interface : "",
      event->type, event->plugin_id, event->plugin_sid, event->protocol,
      (event->src_ia) ? sim_inetaddr_ntohl (event->src_ia) : -1,
      (event->dst_ia) ? sim_inetaddr_ntohl (event->dst_ia) : -1,
      event->src_port, event->dst_port, event->condition,
      (event->value) ? event->value : "",
      event->interval, event->priority, event->reliability,
      event->asset_src, event->asset_dst,
      risk_c, risk_a, event->alarm,
      event->snort_sid, event->snort_cid,
      event->id);
}
/*
 * run_and_release:
 * Executes @query against @database and frees it.
 */
static void
run_and_release (SimDatabase *database,
                 gchar       *query)
{
  sim_database_execute_no_query (database, query);
  g_free (query);
}

/**
 * sim_db_insert_event:
 * @database: a #SimDatabase
 * @event: a #SimEvent to insert
 *
 * Stores @event (keyed by event->id) in the "event" table, then the optional
 * idm, extra-data and OTX pulse rows when the event carries such data, and
 * marks it as stored. An event already flagged is_stored is skipped.
 *
 * Every statement is logged through ossim_debug() before it runs; the
 * extra-data statement embeds the raw payload and log, so debug output
 * should be handled as sensitive.
 *
 * NOTE(review): g_hash_table_size() is called on event->otx_data with no
 * %NULL check — confirm the table always exists on a #SimEvent.
 */
void
sim_db_insert_event (SimDatabase *database,
                     SimEvent    *event)
{
  gchar *sql;

  g_return_if_fail (SIM_IS_DATABASE (database));
  g_return_if_fail (SIM_IS_EVENT (event));

  if (event->is_stored)
  {
    ossim_debug ("%s: Duplicate insert event->id: %s", __func__,
                 sim_uuid_get_string (event->id));
    return;
  }

  ossim_debug ("%s: Storing event->id = %s event->is_stored = %u", __func__,
               sim_uuid_get_string (event->id), event->is_stored);

  /* Main row. */
  sql = sim_event_get_insert_clause (event);
  ossim_debug ("%s: query= %s", __func__, sql);
  run_and_release (database, sql);

  /* Identity data, only when a user name is attached. */
  if (event->src_username || event->dst_username)
  {
    sql = sim_event_idm_get_insert_clause (sim_database_get_conn (database), event);
    ossim_debug ("%s: idm_data query_values= %s", __func__, sql);
    run_and_release (database, sql);
  }

  /* Payload, log and binary blob. */
  if (event->data || event->log || event->binary_data)
  {
    sql = sim_event_extra_get_insert_clause (sim_database_get_conn (database), event);
    ossim_debug ("%s: extra_data query_values= %s", __func__, sql);
    run_and_release (database, sql);
  }

  /* OTX pulses. */
  if (g_hash_table_size (event->otx_data) > 0)
  {
    sql = sim_event_pulses_get_insert_clause (sim_database_get_conn (database), event);
    ossim_debug ("%s: otx_data query_values= %s", __func__, sql);
    run_and_release (database, sql);
  }

  event->is_stored = TRUE;
}
/**
 * sim_db_insert_dummy_backlog_event:
 * @database: a #SimDatabase
 * @event: a #SimEvent
 *
 * Inserts a placeholder backlog_event row for @event, using the VALUES
 * clause produced by sim_directive_dummy_backlog_event_get_values_clause().
 * The statement is logged at debug level before execution.
 */
void
sim_db_insert_dummy_backlog_event (SimDatabase *database,
                                   SimEvent    *event)
{
  gchar *values;
  gchar *sql;

  g_return_if_fail (SIM_IS_DATABASE (database));
  g_return_if_fail (SIM_IS_EVENT (event));

  values = sim_directive_dummy_backlog_event_get_values_clause (event);
  sql = g_strdup_printf ("INSERT INTO backlog_event VALUES %s", values);

  ossim_debug ("%s: query = %s", __func__, sql);
  sim_database_execute_no_query (database, sql);

  g_free (sql);
  g_free (values);
}
/**
 * sim_db_insert_backlog_event:
 * @database: a #SimDatabase
 * @backlog: a #SimDirective
 * @event: a #SimEvent
 * @level: correlation level passed through to the clause builder
 *
 * Inserts the @backlog / @event association into @database using the
 * statement returned by sim_directive_backlog_event_get_insert_clause().
 */
void
sim_db_insert_backlog_event (SimDatabase  *database,
                             SimDirective *backlog,
                             SimEvent     *event,
                             gint          level)
{
  gchar *sql;

  g_return_if_fail (SIM_IS_DATABASE (database));
  g_return_if_fail (SIM_IS_DIRECTIVE (backlog));
  g_return_if_fail (SIM_IS_EVENT (event));

  sql = sim_directive_backlog_event_get_insert_clause (backlog, event, level);
  ossim_debug ("%s: query= %s", __func__, sql);

  sim_database_execute_no_query (database, sql);
  g_free (sql);
}
/**
 * sim_db_insert_alarm:
 * @database: a #SimDatabase
 * @event: the event that became an alarm
 * @removable: whether the alarm is removable (only once it has finished or
 *   reached its timeout)
 *
 * Writes the alarm row for @event. This applies when the event carries the
 * "alarm" flag, e.g. because priority and reliability were high enough to
 * promote it automatically, or because it is a directive event re-inserted
 * into the container from sim_correlation.
 *
 * event->id is what ties the event to a backlog_id (a directive); an event
 * that is not part of an alarm has no need for one.
 */
void
sim_db_insert_alarm (SimDatabase *database,
                     SimEvent    *event,
                     gboolean     removable)
{
  gchar *statement;

  g_return_if_fail (SIM_IS_DATABASE (database));
  g_return_if_fail (SIM_IS_EVENT (event));

  ossim_debug ("%s with id %s", __func__, sim_uuid_get_string (event->id));

  statement = sim_event_get_alarm_insert_clause (database, event, removable);
  sim_database_execute_no_query (database, statement);
  g_free (statement);
}
/**
 * sim_event_set_dst_host_properties:
 * @event: a #SimEvent
 * @host: the #SimHost matched as destination
 *
 * Points event->dst_id at @host's id (releasing any previous id and taking
 * a new reference) and copies the host's asset value into event->asset_dst.
 */
void
sim_event_set_dst_host_properties (SimEvent *event,
                                   SimHost  *host)
{
  g_return_if_fail (SIM_IS_EVENT (event));
  g_return_if_fail (SIM_IS_HOST (host));

  if (event->dst_id != NULL)
    g_object_unref (event->dst_id);

  event->dst_id    = g_object_ref (sim_host_get_id (host));
  event->asset_dst = sim_host_get_asset (host);
}
/*
 * sim_event_set_role_and_policy:
 * @event: a #SimEvent
 *
 * Looks up the policy matching @event in its context and stores it in
 * event->policy, then sets event->role: a policy that defines a role wins,
 * otherwise the server-wide role from the configuration is used. This is
 * what lets a server be told to, say, qualify events but not correlate them.
 *
 * NOTE(review): event->context is passed straight to
 * sim_context_get_event_policy() — confirm it is always set by this point.
 *
 * Returns: %TRUE, or %FALSE if @event is not a #SimEvent.
 */
gboolean
sim_event_set_role_and_policy (SimEvent *event)
{
  g_return_val_if_fail (SIM_IS_EVENT (event), FALSE);

  event->policy = sim_context_get_event_policy (event->context, event);

  /* A policy role supersedes the general server role. */
  if (event->policy != NULL && sim_policy_has_role (event->policy))
  {
    event->role = sim_policy_get_role (event->policy);
    return TRUE;
  }

  event->role = sim_config_get_server_role (sim_server_get_config (ossim.server));
  return TRUE;
}
/*
 * sim_event_get_insert_clause:
 * @event: a #SimEvent
 *
 * Assembles "INSERT INTO event <header> VALUES <values>" from the column
 * header and the per-event values clause.
 *
 * Returns: a newly allocated statement to g_free(), or %NULL if @event is
 * not a #SimEvent.
 */
gchar *
sim_event_get_insert_clause (SimEvent *event)
{
  GString *sql;
  gchar   *header;
  gchar   *values;

  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  header = sim_event_get_insert_clause_header ();
  values = sim_event_get_insert_clause_values (event);

  sql = g_string_new ("INSERT INTO event ");
  g_string_append (sql, header);
  g_string_append (sql, " VALUES ");
  g_string_append (sql, values);

  g_free (header);
  g_free (values);

  return g_string_free (sql, FALSE);
}
/*
 * sim_event_set_sid:
 * @event: a #SimEvent
 *
 * Resolves the sensor id for @event and stores it in event->device_id. The
 * cache key is "<sensor uuid>/<interface>/<device ip>" when a device is set
 * and just the sensor uuid otherwise; on a cache miss the sensor is inserted
 * into the snort database the old way and the result cached.
 *
 * Returns: %TRUE, or %FALSE if @event is not a #SimEvent.
 */
gboolean
sim_event_set_sid (SimEvent *event)
{
  gchar *sensor_device;
  guint  sid;

  g_return_val_if_fail (SIM_IS_EVENT (event), FALSE);

  ossim_debug ("%s: Setting (sid) for event->id=%s", __func__,
               sim_uuid_get_string (event->id));

  if (event->device == NULL)
  {
    sensor_device = g_strdup_printf ("%s", sim_uuid_get_string (event->sensor_id));
  }
  else
  {
    gchar *device_ip = sim_inet_get_canonical_name (event->device);

    sensor_device = g_strdup_printf ("%s/%s/%s",
                                     sim_uuid_get_string (event->sensor_id),
                                     event->interface, device_ip);
    g_free (device_ip);
  }

  sid = sim_container_get_sensor_sid (ossim.container, sensor_device);
  if (sid)
  {
    ossim_debug ("%s: from cache: sid: %u", __func__, sid);
    g_free (sensor_device);
  }
  else
  {
    /* First event for this key: insert the sensor as before (now cached).
     * sensor_device is handed to the container on this path and not freed
     * here — presumably it becomes the cache key; verify in the container. */
    sid = sim_organizer_snort_sensor_get_sid (ossim.dbsnort, event->sensor_id, event);
    sim_container_add_sensor_sid (ossim.container, sensor_device, sid);
    ossim_debug ("%s: not from cache: sid: %u", __func__, sid);
  }

  event->device_id = sid;

  return TRUE;
}
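/*
 * sim_event_print:
 * @event: a #SimEvent
 *
 * Debug helper: dumps the non-empty fields of @event to stdout as a single
 * line of key="value" pairs.
 *
 * Changes from the previous version: the formatted timestamp was computed
 * but never printed, so that dead strftime()/gmtime() call is gone; the
 * rep_* and uuid attributes went through g_message() and the text fields
 * through g_printf(), which broke the single-line output — they now use
 * g_print() like every other attribute; "ineterval" is spelt "interval";
 * the type switch has a default branch.
 */
void
sim_event_print (SimEvent *event)
{
  gchar *ip;
  gint   i;

  g_return_if_fail (event);
  g_return_if_fail (SIM_IS_EVENT (event));

  g_print ("event");

  switch (event->type)
  {
    case SIM_EVENT_TYPE_DETECTOR:
      g_print (" type=\"D\"");
      break;
    case SIM_EVENT_TYPE_MONITOR:
      g_print (" type=\"M\"");
      break;
    case SIM_EVENT_TYPE_NONE:
      g_print (" type=\"N\"");
      break;
    default:
      /* Unknown type: nothing is printed, as before. */
      break;
  }

  g_print (" id=\"%d\"", event->id);
  g_print (" alarm=\"%d\"", event->alarm);

  if (event->sensor)
    g_print (" sensor=\"%s\"", event->sensor);
  if (event->device)
    g_print (" device=\"%s\"", event->device);
  if (event->interface)
    g_print (" interface=\"%s\"", event->interface);
  if (event->plugin_id)
    g_print (" plugin_id=\"%d\"", event->plugin_id);
  if (event->plugin_sid)
    g_print (" plugin_sid=\"%d\"", event->plugin_sid);
  if (event->protocol)
    g_print (" protocol=\"%d\"", event->protocol);

  if (event->src_ia)
  {
    ip = gnet_inetaddr_get_canonical_name (event->src_ia);
    g_print (" src_ia=\"%s\"", ip);
    g_free (ip);
  }
  if (event->src_port)
    g_print (" src_port=\"%d\"", event->src_port);
  if (event->dst_ia)
  {
    ip = gnet_inetaddr_get_canonical_name (event->dst_ia);
    g_print (" dst_ia=\"%s\"", ip);
    g_free (ip);
  }
  if (event->dst_port)
    g_print (" dst_port=\"%d\"", event->dst_port);

  if (event->condition)
    g_print (" condition=\"%d\"", event->condition);
  if (event->value)
    g_print (" value=\"%s\"", event->value);
  if (event->interval)
    g_print (" interval=\"%d\"", event->interval);
  if (event->priority)
    g_print (" priority=\"%d\"", event->priority);
  if (event->reliability)
    g_print (" reliability=\"%d\"", event->reliability);
  if (event->asset_src)
    g_print (" asset_src=\"%d\"", event->asset_src);
  if (event->asset_dst)
    g_print (" asset_dst=\"%d\"", event->asset_dst);
  if (event->risk_c)
    g_print (" risk_c=\"%lf\"", event->risk_c);
  if (event->risk_a)
    g_print (" risk_a=\"%lf\"", event->risk_a);

  if (event->snort_sid)
    g_print (" sid =\"%d\"", event->snort_sid);
  if (event->snort_cid)
    g_print (" cid =\"%d\"", event->snort_cid);
  if (event->data)
    g_print (" data=\"%s\"", event->data);

  if (event->rep_prio_src)
    g_print (" rep_prio_src=\"%u\"", event->rep_prio_src);
  if (event->rep_prio_dst)
    g_print (" rep_prio_dst=\"%u\"", event->rep_prio_dst);
  if (event->rep_rel_src)
    g_print (" rep_rel_src=\"%u\"", event->rep_rel_src);
  if (event->rep_rel_dst)
    g_print (" rep_rel_dst=\"%u\"", event->rep_rel_dst);
  if (event->rep_act_src)
    g_print (" rep_act_src=\"%s\"", event->rep_act_src);
  if (event->rep_act_dst)
    g_print (" rep_act_dst=\"%s\"", event->rep_act_dst);

  for (i = 0; i < N_TEXT_FIELDS; i++)
  {
    if (event->textfields[i] != NULL)
      g_print (" %s=\"%s\"", sim_text_field_get_name (i), event->textfields[i]);
  }

  if (!uuid_is_null (event->uuid))
  {
    gchar uuidtext[37];   /* 36 characters plus NUL, as uuid_unparse writes */

    uuid_unparse_upper (event->uuid, uuidtext);
    g_print (" uuid=\"%s\"", uuidtext);
  }

  g_print ("\n");
}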
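/*
 * sim_event_get_insert_clause_values:
 * @event: a #SimEvent
 *
 * Builds the parenthesised VALUES tuple for the "event" table, in the
 * column order produced by sim_event_get_insert_clause_header().
 *
 * Fix: the four strings returned by sim_str_escape() (rep_act_src/dst and
 * src/dst hostname) were never freed and leaked on every insert; they are
 * now released before returning, as e_alarm_stats is in the alarm clause.
 * The timestamp formatting also checks gmtime()/strftime() instead of
 * reading a possibly unset buffer, and copies event->time into a real
 * time_t rather than reading it through a time_t* cast.
 *
 * Escaping: reputation actions and host names go through sim_str_escape();
 * ids, addresses and nets through their *_get_db_string() helpers; the text
 * fields through sim_event_get_text_escape_fields_values(). A timestamp
 * taken from event->time_str is interpolated as-is.
 * NOTE(review): sim_inet_get_db_string() is called on src_ia/dst_ia with no
 * %NULL check (the alarm clause guards them) — confirm both are always set.
 * NOTE(review): sim_mac_to_db_string() results are not freed; its ownership
 * contract is not visible here — check and free them if it allocates.
 *
 * Returns: a newly allocated string to g_free(), or %NULL if @event is not
 * a #SimEvent.
 */
gchar *
sim_event_get_insert_clause_values (SimEvent *event)
{
  gchar          timebuf[TIMEBUF_SIZE];
  gchar         *timestamp = timebuf;
  GString       *query;
  gchar         *values;
  gchar         *e_rep_act_src  = NULL;
  gchar         *e_rep_act_dst  = NULL;
  gchar         *e_src_hostname = NULL;
  gchar         *e_dst_hostname = NULL;
  gchar         *src_mac = NULL;
  gchar         *dst_mac = NULL;
  GdaConnection *conn;

  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  conn   = sim_database_get_conn (ossim.dbossim);
  values = sim_event_get_text_escape_fields_values (event);

  /* Use the timestamp we were given, otherwise format event->time (UTC). */
  if (event->time_str)
  {
    timestamp = event->time_str;
  }
  else
  {
    time_t     t  = (time_t) event->time;
    struct tm *tm = gmtime (&t);

    if (tm == NULL || strftime (timebuf, TIMEBUF_SIZE, "%F %T", tm) == 0)
      timebuf[0] = '\0';
  }

  if (event->str_rep_act_src)
    e_rep_act_src = sim_str_escape (event->str_rep_act_src, conn, 0);
  if (event->str_rep_act_dst)
    e_rep_act_dst = sim_str_escape (event->str_rep_act_dst, conn, 0);
  if (event->src_hostname)
    e_src_hostname = sim_str_escape (event->src_hostname, conn, 0);
  if (event->dst_hostname)
    e_dst_hostname = sim_str_escape (event->dst_hostname, conn, 0);
  if (event->src_mac)
    src_mac = sim_mac_to_db_string (event->src_mac);
  if (event->dst_mac)
    dst_mac = sim_mac_to_db_string (event->dst_mac);

  query = g_string_new ("");
  g_string_append_printf (query, "(%s",   sim_uuid_get_db_string (event->id));
  g_string_append_printf (query, ",%s",   sim_uuid_get_db_string (sim_context_get_id (event->context)));
  g_string_append_printf (query, ",'%s'", timestamp);
  g_string_append_printf (query, ",%f",   event->tzone);
  g_string_append_printf (query, ",%s",   sim_uuid_get_db_string (event->sensor_id));
  g_string_append_printf (query, ",'%s'", (event->interface) ? event->interface : "");
  g_string_append_printf (query, ",%d",   event->type);
  g_string_append_printf (query, ",%d",   event->plugin_id);
  g_string_append_printf (query, ",%d",   event->plugin_sid);
  g_string_append_printf (query, ",%d",   event->protocol);
  g_string_append_printf (query, ",%s",   sim_inet_get_db_string (event->src_ia));
  g_string_append_printf (query, ",%s",   sim_inet_get_db_string (event->dst_ia));
  g_string_append_printf (query, ",%s",   (event->src_net) ? sim_uuid_get_db_string (sim_net_get_id (event->src_net)) : "NULL");
  g_string_append_printf (query, ",%s",   (event->dst_net) ? sim_uuid_get_db_string (sim_net_get_id (event->dst_net)) : "NULL");
  g_string_append_printf (query, ",%d",   event->src_port);
  g_string_append_printf (query, ",%d",   event->dst_port);
  g_string_append_printf (query, ",%d",   event->condition);
  g_string_append_printf (query, ",%d",   event->interval);
  g_string_append_printf (query, ",%d",   0);   /* FIXME event->absolute */
  g_string_append_printf (query, ",%d",   event->priority);
  g_string_append_printf (query, ",%d",   event->reliability);
  g_string_append_printf (query, ",%d",   event->asset_src);
  g_string_append_printf (query, ",%d",   event->asset_dst);
  g_string_append_printf (query, ",%d",   (gint) event->risk_c);
  g_string_append_printf (query, ",%d",   (gint) event->risk_a);
  g_string_append_printf (query, ",%d",   event->alarm);
  g_string_append_printf (query, ",%s",   values);
  g_string_append_printf (query, ",%u",   event->rep_prio_src);
  g_string_append_printf (query, ",%u",   event->rep_prio_dst);
  g_string_append_printf (query, ",%u",   event->rep_rel_src);
  g_string_append_printf (query, ",%u",   event->rep_rel_dst);
  g_string_append_printf (query, ",'%s'", (e_rep_act_src) ? e_rep_act_src : "");
  g_string_append_printf (query, ",'%s'", (e_rep_act_dst) ? e_rep_act_dst : "");
  g_string_append_printf (query, ",'%s'", (e_src_hostname) ? e_src_hostname : "");
  g_string_append_printf (query, ",'%s'", (e_dst_hostname) ? e_dst_hostname : "");
  g_string_append_printf (query, ",%s",   (src_mac) ? src_mac : "NULL");
  g_string_append_printf (query, ",%s",   (dst_mac) ? dst_mac : "NULL");
  g_string_append_printf (query, ",%s",   (event->src_id) ? sim_uuid_get_db_string (event->src_id) : "NULL");
  g_string_append_printf (query, ",%s)",  (event->dst_id) ? sim_uuid_get_db_string (event->dst_id) : "NULL");

  g_free (e_rep_act_src);
  g_free (e_rep_act_dst);
  g_free (e_src_hostname);
  g_free (e_dst_hostname);
  g_free (values);

  return g_string_free (query, FALSE);
}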
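/*
 * append_base64_attr:
 * Appends @key="<base64 of @len bytes at @data>" plus a trailing space to
 * @str. Returns %FALSE when g_base64_encode() yields %NULL, mirroring the
 * per-field checks of the original.
 */
static gboolean
append_base64_attr (GString      *str,
                    const gchar  *key,
                    const guchar *data,
                    gsize         len)
{
  gchar *encoded = g_base64_encode (data, len);

  if (encoded == NULL)
    return FALSE;

  g_string_append_printf (str, "%s=\"%s\" ", key, encoded);
  g_free (encoded);
  return TRUE;
}

/*
 * append_base64_text:
 * Like append_base64_attr() for a NUL-terminated string that is only emitted
 * when non-%NULL and non-empty; a skipped field is not an error.
 */
static gboolean
append_base64_text (GString     *str,
                    const gchar *key,
                    const gchar *text)
{
  if (text == NULL || *text == '\0')
    return TRUE;

  return append_base64_attr (str, key, (const guchar *) text, strlen (text));
}

/**
 * sim_event_to_string:
 * @event: a #SimEvent object.
 *
 * Serialises @event as one "event key=\"value\" ... \n" line for forwarding
 * to another server (is_remote is always 1).
 *
 * Free-text fields (data when the event is special, log, filename,
 * username, password, userdata1..9, the raw user names and rep_act_*) are
 * base64-encoded so quotes and newlines cannot break the framing. Base64 is
 * an encoding, not protection: the line carries the password in recoverable
 * form and relies on the transport for confidentiality.
 *
 * Fix: risk_c was emitted under the risk_a guard and vice versa; each risk
 * is now guarded by its own value (risk_c now precedes risk_a). The repeated
 * encode/check/append blocks were folded into two static helpers.
 *
 * Returns: a newly allocated string to g_free(), or %NULL if @event is not
 * a #SimEvent or a base64 encoding failed.
 */
gchar *
sim_event_to_string (SimEvent *event)
{
  GString *str;
  gchar   *ip;
  gchar   *aux;
  SimUuid *net_id;

  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  str = g_string_new ("event ");

  g_string_append_printf (str, "event_id=\"%s\" ", sim_uuid_get_string (event->id));
  g_string_append_printf (str, "ctx=\"%s\" ", sim_uuid_get_string (sim_context_get_id (event->context)));
  g_string_append_printf (str, "alarm=\"%d\" ", event->alarm);
  g_string_append (str, "is_remote=\"1\" ");

  aux = sim_event_get_str_from_type (event->type);
  if (aux)
  {
    g_string_append_printf (str, "type=\"%s\" ", aux);
    g_free (aux);
  }

  g_string_append_printf (str, "date=\"%u\" ", (guint) event->time);
  g_string_append_printf (str, "tzone=\"%4.2f\" ", event->tzone);
  if (event->time_str)
    g_string_append_printf (str, "fdate=\"%s\" ", event->time_str);

  if (event->plugin_id)
    g_string_append_printf (str, "plugin_id=\"%d\" ", event->plugin_id);
  if (event->plugin_sid)
    g_string_append_printf (str, "plugin_sid=\"%d\" ", event->plugin_sid);

  if (event->src_ia)
  {
    ip = sim_inet_get_canonical_name (event->src_ia);
    g_string_append_printf (str, "src_ip=\"%s\" ", ip);
    g_free (ip);
  }
  if (event->src_port)
    g_string_append_printf (str, "src_port=\"%d\" ", event->src_port);
  if (event->dst_ia)
  {
    ip = sim_inet_get_canonical_name (event->dst_ia);
    g_string_append_printf (str, "dst_ip=\"%s\" ", ip);
    g_free (ip);
  }
  if (event->dst_port)
    g_string_append_printf (str, "dst_port=\"%d\" ", event->dst_port);

  if (event->src_net)
  {
    net_id = sim_net_get_id (event->src_net);
    g_string_append_printf (str, "src_net=\"%s\" ", sim_uuid_get_string (net_id));
  }
  if (event->dst_net)
  {
    net_id = sim_net_get_id (event->dst_net);
    g_string_append_printf (str, "dst_net=\"%s\" ", sim_uuid_get_string (net_id));
  }

  if (event->sensor)
  {
    ip = sim_inet_get_canonical_name (event->sensor);
    g_string_append_printf (str, "sensor=\"%s\" ", ip);
    g_free (ip);
  }
  if (event->sensor_id)
    g_string_append_printf (str, "sensor_id=\"%s\" ", sim_uuid_get_string (event->sensor_id));
  if (event->device)
  {
    ip = sim_inet_get_canonical_name (event->device);
    g_string_append_printf (str, "device=\"%s\" ", ip);
    g_free (ip);
  }
  if (event->device_id)
    g_string_append_printf (str, "device_id=\"%d\" ", event->device_id);
  if (event->interface)
    g_string_append_printf (str, "interface=\"%s\" ", event->interface);

  if (event->protocol)
  {
    gchar *value = sim_protocol_get_str_from_type (event->protocol);
    g_string_append_printf (str, "protocol=\"%s\" ", value);
    g_free (value);
  }
  if (event->condition)
  {
    gchar *value = sim_condition_get_str_from_type (event->condition);
    g_string_append_printf (str, "condition=\"%s\" ", value);
    g_free (value);
  }
  if (event->value)
    g_string_append_printf (str, "value=\"%s\" ", event->value);
  if (event->interval)
    g_string_append_printf (str, "interval=\"%d\" ", event->interval);

  if (event->is_priority_set)
    g_string_append_printf (str, "priority=\"%d\" ", event->priority);
  if (event->is_reliability_set)
    g_string_append_printf (str, "reliability=\"%d\" ", event->reliability);
  g_string_append_printf (str, "asset_src=\"%d\" ", event->asset_src);
  g_string_append_printf (str, "asset_dst=\"%d\" ", event->asset_dst);

  if (event->risk_c)
    g_string_append_printf (str, "risk_c=\"%lf\" ", event->risk_c);
  if (event->risk_a)
    g_string_append_printf (str, "risk_a=\"%lf\" ", event->risk_a);

  /* Only forward the payload for special events. Unlike the text fields
   * below, empty data is still emitted (as data=""). */
  if (event->data && sim_event_is_special (event))
  {
    if (!append_base64_attr (str, "data", (const guchar *) event->data, strlen (event->data)))
      goto encode_failed;
  }
  if (event->log)
  {
    if (!append_base64_attr (str, "log", (const guchar *) event->log->str, event->log->len))
      goto encode_failed;
  }

  if (!append_base64_text (str, "filename",     event->filename)         ||
      !append_base64_text (str, "username",     event->username)         ||
      !append_base64_text (str, "password",     event->password)         ||
      !append_base64_text (str, "userdata1",    event->userdata1)        ||
      !append_base64_text (str, "userdata2",    event->userdata2)        ||
      !append_base64_text (str, "userdata3",    event->userdata3)        ||
      !append_base64_text (str, "userdata4",    event->userdata4)        ||
      !append_base64_text (str, "userdata5",    event->userdata5)        ||
      !append_base64_text (str, "userdata6",    event->userdata6)        ||
      !append_base64_text (str, "userdata7",    event->userdata7)        ||
      !append_base64_text (str, "userdata8",    event->userdata8)        ||
      !append_base64_text (str, "userdata9",    event->userdata9)        ||
      !append_base64_text (str, "src_username", event->src_username_raw) ||
      !append_base64_text (str, "dst_username", event->dst_username_raw))
    goto encode_failed;

  if (event->src_id)
    g_string_append_printf (str, "src_id=\"%s\" ", sim_uuid_get_string (event->src_id));
  if (event->dst_id)
    g_string_append_printf (str, "dst_id=\"%s\" ", sim_uuid_get_string (event->dst_id));
  if (event->src_hostname)
    g_string_append_printf (str, "src_hostname=\"%s\" ", event->src_hostname);
  if (event->dst_hostname)
    g_string_append_printf (str, "dst_hostname=\"%s\" ", event->dst_hostname);
  if (event->src_mac)
    g_string_append_printf (str, "src_mac=\"%s\" ", event->src_mac);
  if (event->dst_mac)
    g_string_append_printf (str, "dst_mac=\"%s\" ", event->dst_mac);

  if (event->rep_prio_src)
    g_string_append_printf (str, "rep_prio_src=\"%u\" ", event->rep_prio_src);
  if (event->rep_prio_dst)
    g_string_append_printf (str, "rep_prio_dst=\"%u\" ", event->rep_prio_dst);
  if (event->rep_rel_src)
    g_string_append_printf (str, "rep_rel_src=\"%u\" ", event->rep_rel_src);
  if (event->rep_rel_dst)
    g_string_append_printf (str, "rep_rel_dst=\"%u\" ", event->rep_rel_dst);

  if (!append_base64_text (str, "rep_act_src", event->str_rep_act_src) ||
      !append_base64_text (str, "rep_act_dst", event->str_rep_act_dst))
    goto encode_failed;

  /* binary_data is appended verbatim, without encoding. */
  if (event->binary_data != NULL)
    g_string_append_printf (str, "binary_data=\"%s\" ", event->binary_data);

  g_string_append_printf (str, "\n");

  return g_string_free (str, FALSE);

encode_failed:
  /* g_base64_encode() returned NULL: release the buffer and report failure. */
  return g_string_free (str, TRUE);
}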
/*
 * escape_for_ossimdb:
 * Returns a newly allocated copy of @text escaped through the ossimdb GDA
 * connection (every byte may double, hence the 2n+1 buffer), or %NULL when
 * @text is %NULL. The caller frees the result.
 */
static gchar *
escape_for_ossimdb (const gchar *text)
{
  gchar *escaped;

  if (text == NULL)
    return NULL;

  escaped = g_new0 (gchar, strlen (text) * 2 + 1);
  gda_connection_escape_string (sim_database_get_conn (ossim.dbossim), text, escaped);
  return escaped;
}

/*
 * sim_event_get_insert_clause:
 * @event: a #SimEvent
 *
 * Older variant building the full "INSERT INTO event (...) VALUES (...);\n"
 * statement for the numeric-id schema, including the N_TEXT_FIELDS text
 * columns. Risks are rounded with rint() and clamped to [0, 10] in local
 * copies.
 *
 * Escaping: rep_act_src/dst and the text fields go through the GDA escape
 * routine. NOTE(review): sensor, interface, value and (when taken from
 * time_str) timestamp are quoted but not escaped, and a missing address is
 * passed as -1 to a "%u" conversion — inherited from the original; confirm
 * those fields are escaped upstream.
 *
 * Returns: a newly allocated statement to g_free(), or %NULL on a bad @event.
 */
gchar *
sim_event_get_insert_clause (SimEvent *event)
{
  gchar    timebuf[TIMEBUF_SIZE];
  gchar   *timestamp = timebuf;
  gchar    uuidtext[37];
  gchar   *e_rep_act_src;
  gchar   *e_rep_act_dst;
  gchar   *e_fields[N_TEXT_FIELDS];
  GString *st;
  gint     risk_c, risk_a;
  gint     i;

  g_return_val_if_fail (event, NULL);
  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  risk_c = CLAMP ((gint) rint (event->risk_c), 0, 10);
  risk_a = CLAMP ((gint) rint (event->risk_a), 0, 10);

  if (event->time_str)
    timestamp = event->time_str;
  else
    strftime (timestamp, TIMEBUF_SIZE, "%F %T", gmtime ((time_t *) &event->time));

  /* uuidtext stays empty for a null uuid, so it can go straight into the
   * query. */
  uuidtext[0] = '\0';
  if (!uuid_is_null (event->uuid))
    uuid_unparse_upper (event->uuid, uuidtext);

  e_rep_act_src = escape_for_ossimdb (event->rep_act_src);
  e_rep_act_dst = escape_for_ossimdb (event->rep_act_dst);
  for (i = 0; i < N_TEXT_FIELDS; i++)
    e_fields[i] = escape_for_ossimdb (event->textfields[i]);

  st = g_string_new ("INSERT INTO event "
                     "(id, timestamp, tzone, sensor, interface, type, plugin_id, plugin_sid, "
                     "protocol, src_ip, dst_ip, src_port, dst_port, "
                     "event_condition, value, time_interval, "
                     "priority, reliability, asset_src, asset_dst, risk_c, risk_a, alarm, "
                     "snort_sid, snort_cid, rep_prio_src, rep_prio_dst, rep_rel_src, rep_rel_dst, rep_act_src, rep_act_dst, uuid ");
  for (i = 0; i < N_TEXT_FIELDS; i++)
    g_string_append_printf (st, ",%s", sim_text_field_get_name (i));

  g_string_append_printf (st,
      ") VALUES (%d, '%s', %4.2f, '%s', '%s', %d, %d, %d,"
      " %d, %u, %u, %d, %d, %d, '%s', %d, %d, %d, %d, %d, %d, %d, %d, %u, %u, "
      " %u, %u, %u, %u , '%s' ,'%s','%s' ",
      event->id, timestamp, event->tzone,
      (event->sensor) ? event->sensor : "",
      (event->interface) ? event->interface : "",
      event->type, event->plugin_id, event->plugin_sid, event->protocol,
      (event->src_ia) ? sim_inetaddr_ntohl (event->src_ia) : -1,
      (event->dst_ia) ? sim_inetaddr_ntohl (event->dst_ia) : -1,
      event->src_port, event->dst_port, event->condition,
      (event->value) ? event->value : "",
      event->interval, event->priority, event->reliability,
      event->asset_src, event->asset_dst, risk_c, risk_a, event->alarm,
      event->snort_sid, event->snort_cid,
      event->rep_prio_src, event->rep_prio_dst, event->rep_rel_src, event->rep_rel_dst,
      (e_rep_act_src) ? e_rep_act_src : "",
      (e_rep_act_dst) ? e_rep_act_dst : "",
      uuidtext);

  for (i = 0; i < N_TEXT_FIELDS; i++)
    g_string_append_printf (st, ",'%s'", (e_fields[i]) ? e_fields[i] : "");
  g_string_append (st, ");\n");

  g_free (e_rep_act_src);
  g_free (e_rep_act_dst);
  for (i = 0; i < N_TEXT_FIELDS; i++)
    g_free (e_fields[i]);

  return g_string_free (st, FALSE);
}
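/*
 * Appends name="<base64(text)>" to str.  NULL or empty text appends
 * nothing, matching the per-field checks this replaces.
 */
static void
append_base64_attr (GString *str, const gchar *name, const gchar *text)
{
  size_t  len;
  gchar  *base64;

  if (text == NULL || (len = strlen (text)) == 0)
    return;

  base64 = g_base64_encode ((const guchar *) text, len);
  assert (base64 != NULL);
  g_string_append_printf (str, "%s=\"%s\" ", name, base64);
  g_free (base64);
}

/**
 * sim_event_to_string:
 * @event: a #SimEvent
 *
 * Serialises @event as a single line of the form
 * `event key="value" key="value" ... \n`.  Numeric fields are written
 * directly; log, rep_act_src, rep_act_dst, the text fields and the
 * packet payload are base64/hex encoded so they cannot contain a quote.
 * Optional fields are omitted when zero or NULL.
 *
 * Fixes relative to the previous version: the guards used
 * g_return_if_fail() in a function returning a pointer (which returns
 * no value), and the risk_a / risk_c attributes were each guarded by
 * the other field's value.
 *
 * Returns: a newly allocated string, or %NULL if @event is not a valid
 * #SimEvent.  The caller must g_free() it.
 */
gchar*
sim_event_to_string (SimEvent *event)
{
  GString *str;
  gchar   *ip;
  gchar   *aux;
  gchar    uuidtext[37];
  int      i;

  g_return_val_if_fail (event, NULL);
  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  str = g_string_new ("event ");
  g_string_append_printf (str, "id=\"%u\" ", event->id);
  g_string_append_printf (str, "alarm=\"%d\" ", event->alarm);

  aux = sim_event_get_str_from_type (event->type);
  if (aux)
    {
      g_string_append_printf (str, "type=\"%s\" ", aux);
      g_free (aux);
    }

  g_string_append_printf (str, "date=\"%u\" ", event->time);
  g_string_append_printf (str, "tzone=\"%4.2f\" ", event->tzone);

  if (event->time_str)
    g_string_append_printf (str, "fdate=\"%s\" ", event->time_str);
  if (event->plugin_id)
    g_string_append_printf (str, "plugin_id=\"%d\" ", event->plugin_id);
  if (event->plugin_sid)
    g_string_append_printf (str, "plugin_sid=\"%d\" ", event->plugin_sid);

  if (event->src_ia)
    {
      ip = gnet_inetaddr_get_canonical_name (event->src_ia);
      g_string_append_printf (str, "src_ip=\"%s\" ", ip);
      g_free (ip);
    }
  if (event->src_port)
    g_string_append_printf (str, "src_port=\"%d\" ", event->src_port);

  if (event->dst_ia)
    {
      ip = gnet_inetaddr_get_canonical_name (event->dst_ia);
      g_string_append_printf (str, "dst_ip=\"%s\" ", ip);
      g_free (ip);
    }
  if (event->dst_port)
    g_string_append_printf (str, "dst_port=\"%d\" ", event->dst_port);

  /* NOTE(review): sensor, device, interface and value are emitted
   * verbatim, unlike the base64-wrapped fields below; a '"' inside them
   * would break the key="value" framing for the consumer.  Changing the
   * wire format is out of scope for this function. */
  if (event->sensor)
    g_string_append_printf (str, "sensor=\"%s\" ", event->sensor);
  if (event->device)
    g_string_append_printf (str, "device=\"%s\" ", event->device);
  if (event->interface)
    g_string_append_printf (str, "interface=\"%s\" ", event->interface);

  if (event->protocol)
    {
      gchar *value = sim_protocol_get_str_from_type (event->protocol);
      g_string_append_printf (str, "protocol=\"%s\" ", value);
      g_free (value);
    }
  if (event->condition)
    {
      gchar *value = sim_condition_get_str_from_type (event->condition);
      g_string_append_printf (str, "condition=\"%s\" ", value);
      g_free (value);
    }
  if (event->value)
    g_string_append_printf (str, "value=\"%s\" ", event->value);
  if (event->interval)
    g_string_append_printf (str, "interval=\"%d\" ", event->interval);

  if (event->is_priority_set)
    g_string_append_printf (str, "priority=\"%d\" ", event->priority);
  if (event->is_reliability_set)
    g_string_append_printf (str, "reliability=\"%d\" ", event->reliability);
  if (event->asset_src)
    g_string_append_printf (str, "asset_src=\"%d\" ", event->asset_src);
  if (event->asset_dst)
    g_string_append_printf (str, "asset_dst=\"%d\" ", event->asset_dst);

  /* Each risk attribute is now guarded by its own field. */
  if (event->risk_a)
    g_string_append_printf (str, "risk_a=\"%lf\" ", event->risk_a);
  if (event->risk_c)
    g_string_append_printf (str, "risk_c=\"%lf\" ", event->risk_c);

  if (event->snort_sid)
    g_string_append_printf (str, "snort_sid=\"%u\" ", event->snort_sid);
  if (event->snort_cid)
    g_string_append_printf (str, "snort_cid=\"%u\" ", event->snort_cid);

  /* event->data is intentionally not serialised. */
  append_base64_attr (str, "log", event->log);

  if (event->rep_prio_src)
    g_string_append_printf (str, "rep_prio_src=\"%u\" ", event->rep_prio_src);
  if (event->rep_prio_dst)
    g_string_append_printf (str, "rep_prio_dst=\"%u\" ", event->rep_prio_dst);
  if (event->rep_rel_src)
    g_string_append_printf (str, "rep_rel_src=\"%u\" ", event->rep_rel_src);
  if (event->rep_rel_dst)
    g_string_append_printf (str, "rep_rel_dst=\"%u\" ", event->rep_rel_dst);

  append_base64_attr (str, "rep_act_src", event->rep_act_src);
  append_base64_attr (str, "rep_act_dst", event->rep_act_dst);

  for (i = 0; i < N_TEXT_FIELDS; i++)
    append_base64_attr (str, sim_text_field_get_name (i), event->textfields[i]);

  if (!uuid_is_null (event->uuid))
    {
      uuid_unparse_upper (event->uuid, uuidtext);
      g_string_append_printf (str, "uuid=\"%s\" ", uuidtext);
    }

  if (event->packet && event->packet->payloadlen > 0)
    {
      gchar *payload = sim_bin2hex (event->packet->payload, event->packet->payloadlen);
      g_string_append_printf (str, "payload=\"%s\" ", payload);
      g_free (payload);
    }

  g_string_append_printf (str, "\n");

  /* FALSE hands the character buffer to the caller. */
  return g_string_free (str, FALSE);
}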
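/**
 * sim_event_get_replace_clause:
 * @event: a #SimEvent
 *
 * Builds the SQL REPLACE statement for @event in the ossimdb "event"
 * table.  The text-field column list comes from sim_event_get_sql_fields()
 * and their escaped values from sim_event_get_text_escape_fields_values().
 * The remaining quoted columns (timestamp, sensor, interface, value,
 * rep_act_src, rep_act_dst) are escaped here with
 * gda_connection_escape_string(); previously only rep_act_* were.
 *
 * Returns: a newly allocated SQL string, or %NULL if @event is not a
 * valid #SimEvent.  The caller must g_free() it.
 */
gchar*
sim_event_get_replace_clause (SimEvent *event)
{
  /* Indices into raw[]/esc[] for the quoted columns that need escaping. */
  enum { ESC_TIMESTAMP, ESC_SENSOR, ESC_INTERFACE, ESC_VALUE,
         ESC_REP_ACT_SRC, ESC_REP_ACT_DST, N_ESC };
  const gchar *raw[N_ESC];
  gchar       *esc[N_ESC];
  gchar        timebuf[TIMEBUF_SIZE];
  gchar       *timestamp = timebuf;
  gchar        uuidtext[37];
  gchar       *values;
  gchar       *query;
  gint         c;
  gint         a;
  int          i;

  g_return_val_if_fail (event, NULL);
  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  /* risk_c / risk_a are stored as integers clamped to the 0..10 scale. */
  c = rint (event->risk_c);
  a = rint (event->risk_a);
  if (c < 0)
    c = 0;
  else if (c > 10)
    c = 10;
  if (a < 0)
    a = 0;
  else if (a > 10)
    a = 10;

  if (event->time_str)
    {
      timestamp = event->time_str;
    }
  else
    {
      /* Copy into a real time_t rather than aliasing event->time through a
       * time_t pointer, whose width may differ from the field's.
       * NOTE(review): gmtime() is not thread-safe; kept as in the original. */
      time_t     when = (time_t) event->time;
      struct tm *tm   = gmtime (&when);

      timebuf[0] = '\0';
      if (tm)
        strftime (timebuf, TIMEBUF_SIZE, "%F %T", tm);
    }

  /* An all-zero uuid is written as the empty string. */
  if (!uuid_is_null (event->uuid))
    uuid_unparse_upper (event->uuid, uuidtext);
  else
    uuidtext[0] = '\0';

  /* Escape every quoted text column; NULL stays NULL and becomes "" below.
   * The worst case for escaping is every byte doubled, hence len*2+1. */
  raw[ESC_TIMESTAMP]   = timestamp;
  raw[ESC_SENSOR]      = event->sensor;
  raw[ESC_INTERFACE]   = event->interface;
  raw[ESC_VALUE]       = event->value;
  raw[ESC_REP_ACT_SRC] = event->rep_act_src;
  raw[ESC_REP_ACT_DST] = event->rep_act_dst;
  for (i = 0; i < N_ESC; i++)
    {
      if (raw[i])
        {
          esc[i] = g_new0 (gchar, strlen (raw[i]) * 2 + 1);
          gda_connection_escape_string (sim_database_get_conn (ossim.dbossim), raw[i], esc[i]);
        }
      else
        {
          esc[i] = NULL;
        }
    }

  /* Already-escaped text-field values; owned by us and freed below.
   * NOTE(review): sim_event_get_sql_fields() is not freed here, so it is
   * assumed to return a borrowed/static string — confirm against its
   * definition. */
  values = sim_event_get_text_escape_fields_values (event);

  query = g_strdup_printf ("REPLACE INTO event "
                           "(id, timestamp, sensor, interface, type, plugin_id, plugin_sid, "
                           "protocol, src_ip, dst_ip, src_port, dst_port, "
                           "event_condition, value, time_interval, "
                           "priority, reliability, asset_src, asset_dst, risk_c, risk_a, alarm, "
                           "snort_sid, snort_cid, uuid, rep_prio_src, rep_prio_dst, rep_rel_src, "
                           "rep_rel_dst, rep_act_src, rep_act_dst, %s) "
                           " VALUES (%d, '%s', '%s', '%s', %d, %d, %d,"
                           " %d, %u, %u, %d, %d, %d, '%s', %d, %d, %d, %d, %d, %d, %d, %d, %u, %u,'%s',"
                           " %u, %u, %u, %u, '%s', '%s', %s)",
                           sim_event_get_sql_fields (),
                           event->id,
                           esc[ESC_TIMESTAMP] ? esc[ESC_TIMESTAMP] : "",
                           esc[ESC_SENSOR] ? esc[ESC_SENSOR] : "",
                           esc[ESC_INTERFACE] ? esc[ESC_INTERFACE] : "",
                           event->type,
                           event->plugin_id,
                           event->plugin_sid,
                           event->protocol,
                           (event->src_ia) ? sim_inetaddr_ntohl (event->src_ia) : -1,
                           (event->dst_ia) ? sim_inetaddr_ntohl (event->dst_ia) : -1,
                           event->src_port,
                           event->dst_port,
                           event->condition,
                           esc[ESC_VALUE] ? esc[ESC_VALUE] : "",
                           event->interval,
                           event->priority,
                           event->reliability,
                           event->asset_src,
                           event->asset_dst,
                           c,
                           a,
                           event->alarm,
                           event->snort_sid,
                           event->snort_cid,
                           uuidtext,
                           event->rep_prio_src,
                           event->rep_prio_dst,
                           event->rep_rel_src,
                           event->rep_rel_dst,
                           esc[ESC_REP_ACT_SRC] ? esc[ESC_REP_ACT_SRC] : "",
                           esc[ESC_REP_ACT_DST] ? esc[ESC_REP_ACT_DST] : "",
                           values);

  g_free (values);
  /* g_free(NULL) is a no-op, so unescaped NULL columns need no guard. */
  for (i = 0; i < N_ESC; i++)
    g_free (esc[i]);

  return query;
}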