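/*
 * insert_alarm_refs:
 * @database: database the statement is executed against.
 * @table: link table name. Must be a compile-time literal chosen by the
 *         caller, never external data: it is spliced into the SQL text.
 * @column: name of the non-alarm id column of @table (same caveat).
 * @alarm_id: DB-string form of the alarm's backlog id.
 * @src: source-side id, or %NULL.
 * @dst: destination-side id, or %NULL.
 *
 * Executes
 *   INSERT IGNORE INTO <table> (id_alarm, <column>) VALUES (alarm, src), (alarm, dst)
 * with whichever of @src / @dst is present. Nothing is run when both are
 * %NULL. The two tuple strings are released on every path.
 */
static void
insert_alarm_refs (SimDatabase *database,
                   const gchar *table,
                   const gchar *column,
                   const gchar *alarm_id,
                   SimUuid     *src,
                   SimUuid     *dst)
{
  gchar *src_values = NULL;
  gchar *dst_values = NULL;
  gchar *insert;

  if (!src && !dst)
    return;

  /* NOTE(review): assumes sim_uuid_get_db_string() yields a self-contained
   * SQL literal (the surrounding code never quotes it) — confirm in sim-uuid. */
  if (src)
    src_values = g_strdup_printf ("(%s, %s)", alarm_id, sim_uuid_get_db_string (src));
  if (dst)
    dst_values = g_strdup_printf ("(%s, %s)", alarm_id, sim_uuid_get_db_string (dst));

  /* A ',' only separates two tuples; with a single tuple a space is emitted,
   * exactly as before. */
  insert = g_strdup_printf ("INSERT IGNORE INTO %s (id_alarm, %s) VALUES %s%c%s ",
                            table, column,
                            src_values ? src_values : "",
                            (src_values && dst_values) ? ',' : ' ',
                            dst_values ? dst_values : "");
  sim_database_execute_no_query (database, insert);

  g_free (insert);
  g_free (src_values);
  g_free (dst_values);
}

/**
 * sim_db_insert_alarm_view_tables:
 * @database: database the rows are written to.
 * @event: the alarm event; must carry a backlog id.
 *
 * Links the alarm identified by @event->backlog_id to its context
 * (alarm_ctxs), its source/destination hosts (alarm_hosts) and its
 * source/destination networks (alarm_nets). Every INSERT uses IGNORE, so
 * re-linking an already linked pair is a no-op.
 *
 * Previously the tuple strings built for alarm_nets were never freed; both
 * link-table inserts now share insert_alarm_refs(), which releases them.
 */
void
sim_db_insert_alarm_view_tables (SimDatabase *database,
                                 SimEvent    *event)
{
  const gchar *alarm_id;
  SimUuid     *context_id;

  g_return_if_fail (event != NULL);
  g_return_if_fail (event->backlog_id);

  /* The backlog id appears in every tuple; fetch its DB form once. */
  alarm_id   = sim_uuid_get_db_string (event->backlog_id);
  context_id = sim_context_get_id (event->context);

  if (context_id)
  {
    gchar *insert = g_strdup_printf ("INSERT IGNORE INTO alarm_ctxs (id_alarm, id_ctx) VALUES (%s, %s) ",
                                     alarm_id,
                                     sim_uuid_get_db_string (context_id));
    sim_database_execute_no_query (database, insert);
    g_free (insert);
  }

  insert_alarm_refs (database, "alarm_hosts", "id_host", alarm_id,
                     event->src_id, event->dst_id);

  /* A net without an id is skipped instead of being formatted from NULL. */
  insert_alarm_refs (database, "alarm_nets", "id_net", alarm_id,
                     event->src_net ? sim_net_get_id (event->src_net) : NULL,
                     event->dst_net ? sim_net_get_id (event->dst_net) : NULL);
}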
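/**
 * sim_event_get_insert_clause_values:
 * @event: a #SimEvent object.
 *
 * Builds the parenthesised VALUES tuple used to insert @event into the
 * event table. Numeric fields are formatted directly; every free-text field
 * that ends up inside quotes (timestamp, interface, reputation activity,
 * hostnames) goes through sim_str_escape() first, and the text fields
 * handled by sim_event_get_text_escape_fields_values() are spliced in as a
 * group. Optional ids, nets and MACs are emitted as the SQL literal NULL.
 *
 * Returns: a newly allocated string owned by the caller, or %NULL when
 * @event is not a #SimEvent.
 */
gchar *
sim_event_get_insert_clause_values (SimEvent *event)
{
  gchar          timebuf[TIMEBUF_SIZE];
  const gchar   *timestamp;
  gchar         *e_timestamp = NULL;
  gchar         *e_interface = NULL;
  gchar         *e_rep_act_src = NULL;
  gchar         *e_rep_act_dst = NULL;
  gchar         *e_src_hostname = NULL;
  gchar         *e_dst_hostname = NULL;
  gchar         *src_mac = NULL;
  gchar         *dst_mac = NULL;
  gchar         *values;
  GString       *query;
  GdaConnection *conn;

  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  conn   = sim_database_get_conn (ossim.dbossim);
  values = sim_event_get_text_escape_fields_values (event);

  /* Prefer the timestamp string the event already carries; otherwise render
   * event->time as UTC "YYYY-MM-DD HH:MM:SS". Copying into a time_t avoids
   * reading event->time through a pointer of a possibly different type. */
  if (event->time_str)
    timestamp = event->time_str;
  else
  {
    time_t     secs = event->time;
    struct tm *utc  = gmtime (&secs);

    /* strftime() leaves the buffer indeterminate when it returns 0. */
    if (utc == NULL || strftime (timebuf, TIMEBUF_SIZE, "%F %T", utc) == 0)
      timebuf[0] = '\0';
    timestamp = timebuf;
  }

  /* All quoted text is escaped the same way as the hostnames and reputation
   * strings were; the timestamp and interface used to be spliced in raw. */
  e_timestamp = sim_str_escape (timestamp, conn, 0);
  if (event->interface)
    e_interface = sim_str_escape (event->interface, conn, 0);
  if (event->str_rep_act_src)
    e_rep_act_src = sim_str_escape (event->str_rep_act_src, conn, 0);
  if (event->str_rep_act_dst)
    e_rep_act_dst = sim_str_escape (event->str_rep_act_dst, conn, 0);
  if (event->src_hostname)
    e_src_hostname = sim_str_escape (event->src_hostname, conn, 0);
  if (event->dst_hostname)
    e_dst_hostname = sim_str_escape (event->dst_hostname, conn, 0);

  if (event->src_mac)
    src_mac = sim_mac_to_db_string (event->src_mac);
  if (event->dst_mac)
    dst_mac = sim_mac_to_db_string (event->dst_mac);

  /* Column order must match the INSERT this tuple is appended to. */
  query = g_string_new ("");
  g_string_append_printf (query, "(%s", sim_uuid_get_db_string (event->id));
  g_string_append_printf (query, ",%s", sim_uuid_get_db_string (sim_context_get_id (event->context)));
  g_string_append_printf (query, ",'%s'", (e_timestamp) ? e_timestamp : "");
  g_string_append_printf (query, ",%f", event->tzone);
  g_string_append_printf (query, ",%s", sim_uuid_get_db_string (event->sensor_id));
  g_string_append_printf (query, ",'%s'", (e_interface) ? e_interface : "");
  g_string_append_printf (query, ",%d", event->type);
  g_string_append_printf (query, ",%d", event->plugin_id);
  g_string_append_printf (query, ",%d", event->plugin_sid);
  g_string_append_printf (query, ",%d", event->protocol);
  g_string_append_printf (query, ",%s", sim_inet_get_db_string (event->src_ia));
  g_string_append_printf (query, ",%s", sim_inet_get_db_string (event->dst_ia));
  g_string_append_printf (query, ",%s", (event->src_net) ? sim_uuid_get_db_string (sim_net_get_id (event->src_net)) : "NULL");
  g_string_append_printf (query, ",%s", (event->dst_net) ? sim_uuid_get_db_string (sim_net_get_id (event->dst_net)) : "NULL");
  g_string_append_printf (query, ",%d", event->src_port);
  g_string_append_printf (query, ",%d", event->dst_port);
  g_string_append_printf (query, ",%d", event->condition);
  g_string_append_printf (query, ",%d", event->interval);
  g_string_append_printf (query, ",%d", 0); /* FIXME event->absolute is not stored yet */
  g_string_append_printf (query, ",%d", event->priority);
  g_string_append_printf (query, ",%d", event->reliability);
  g_string_append_printf (query, ",%d", event->asset_src);
  g_string_append_printf (query, ",%d", event->asset_dst);
  g_string_append_printf (query, ",%d", (gint) event->risk_c);
  g_string_append_printf (query, ",%d", (gint) event->risk_a);
  g_string_append_printf (query, ",%d", event->alarm);
  g_string_append_printf (query, ",%s", values);
  g_string_append_printf (query, ",%u", event->rep_prio_src);
  g_string_append_printf (query, ",%u", event->rep_prio_dst);
  g_string_append_printf (query, ",%u", event->rep_rel_src);
  g_string_append_printf (query, ",%u", event->rep_rel_dst);
  g_string_append_printf (query, ",'%s'", (e_rep_act_src) ? e_rep_act_src : "");
  g_string_append_printf (query, ",'%s'", (e_rep_act_dst) ? e_rep_act_dst : "");
  g_string_append_printf (query, ",'%s'", (e_src_hostname) ? e_src_hostname : "");
  g_string_append_printf (query, ",'%s'", (e_dst_hostname) ? e_dst_hostname : "");
  g_string_append_printf (query, ",%s", (src_mac) ? src_mac : "NULL");
  g_string_append_printf (query, ",%s", (dst_mac) ? dst_mac : "NULL");
  g_string_append_printf (query, ",%s", (event->src_id) ? sim_uuid_get_db_string (event->src_id) : "NULL");
  g_string_append_printf (query, ",%s)", (event->dst_id) ? sim_uuid_get_db_string (event->dst_id) : "NULL");

  g_free (values);

  /* NOTE(review): assumes sim_str_escape() and sim_mac_to_db_string() hand
   * back newly allocated strings, as sim_event_get_text_escape_fields_values()
   * does for `values`; these were previously never released. Confirm in
   * sim-util before relying on this. */
  g_free (e_timestamp);
  g_free (e_interface);
  g_free (e_rep_act_src);
  g_free (e_rep_act_dst);
  g_free (e_src_hostname);
  g_free (e_dst_hostname);
  g_free (src_mac);
  g_free (dst_mac);

  return g_string_free (query, FALSE);
}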
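/*
 * append_b64:
 * @str: the line being built.
 * @key: attribute name, emitted as key="...".
 * @data: bytes to encode.
 * @len: number of bytes of @data to encode.
 *
 * Appends key="<base64 of @data>" plus a trailing space to @str.
 *
 * Returns: %FALSE if g_base64_encode() returned %NULL (nothing appended);
 * the caller then abandons the whole line, as the original code did.
 */
static gboolean
append_b64 (GString *str, const gchar *key, const gchar *data, gsize len)
{
  gchar *enc = g_base64_encode ((const guchar *) data, len);

  if (enc == NULL)
    return FALSE;

  g_string_append_printf (str, "%s=\"%s\" ", key, enc);
  g_free (enc);
  return TRUE;
}

/*
 * append_b64_str:
 *
 * Like append_b64() for a NUL-terminated field; %NULL and empty fields are
 * skipped (and count as success).
 */
static gboolean
append_b64_str (GString *str, const gchar *key, const gchar *value)
{
  gsize len;

  if (value == NULL || (len = strlen (value)) == 0)
    return TRUE;

  return append_b64 (str, key, value, len);
}

/**
 * sim_event_to_string:
 * @event: a #SimEvent object.
 *
 * Serialises @event as one line of the server/agent wire format:
 * "event key=\"value\" ... \n". Fixed fields (ids, timestamps, ports,
 * asset values) are always written; optional ones only when set. Free-text
 * payload fields (data, log, filename, user names, password, userdata1-9,
 * reputation activity) are base64 encoded so they cannot contain quotes or
 * newlines; hostnames, MACs, interface, value and binary_data are written
 * verbatim.
 *
 * Security note: base64 is an encoding, not protection. The password field,
 * when set, is readable by anyone who can see this line; confidentiality has
 * to come from the transport.
 *
 * Returns: a newly allocated string owned by the caller, or %NULL when
 * @event is not a #SimEvent or a base64 encoding failed.
 */
gchar *
sim_event_to_string (SimEvent * event)
{
  GString *str;
  gchar   *ip;
  gchar   *aux;
  SimUuid *net_id;
  guint    i;

  g_return_val_if_fail (SIM_IS_EVENT (event), NULL);

  str = g_string_new ("event ");

  g_string_append_printf (str, "event_id=\"%s\" ", sim_uuid_get_string (event->id));
  g_string_append_printf (str, "ctx=\"%s\" ", sim_uuid_get_string (sim_context_get_id (event->context)));
  g_string_append_printf (str, "alarm=\"%d\" ", event->alarm);
  g_string_append (str, "is_remote=\"1\" ");

  aux = sim_event_get_str_from_type (event->type);
  if (aux)
  {
    g_string_append_printf (str, "type=\"%s\" ", aux);
    g_free (aux);
  }

  g_string_append_printf (str, "date=\"%u\" ", (guint) event->time);
  g_string_append_printf (str, "tzone=\"%4.2f\" ", event->tzone);

  if (event->time_str)
    g_string_append_printf (str, "fdate=\"%s\" ", event->time_str);

  if (event->plugin_id)
    g_string_append_printf (str, "plugin_id=\"%d\" ", event->plugin_id);

  if (event->plugin_sid)
    g_string_append_printf (str, "plugin_sid=\"%d\" ", event->plugin_sid);

  if (event->src_ia)
  {
    ip = sim_inet_get_canonical_name (event->src_ia);
    g_string_append_printf (str, "src_ip=\"%s\" ", ip);
    g_free (ip);
  }

  if (event->src_port)
    g_string_append_printf (str, "src_port=\"%d\" ", event->src_port);

  if (event->dst_ia)
  {
    ip = sim_inet_get_canonical_name (event->dst_ia);
    g_string_append_printf (str, "dst_ip=\"%s\" ", ip);
    g_free (ip);
  }

  if (event->dst_port)
    g_string_append_printf (str, "dst_port=\"%d\" ", event->dst_port);

  if (event->src_net)
  {
    net_id = sim_net_get_id (event->src_net);
    g_string_append_printf (str, "src_net=\"%s\" ", sim_uuid_get_string (net_id));
  }

  if (event->dst_net)
  {
    net_id = sim_net_get_id (event->dst_net);
    g_string_append_printf (str, "dst_net=\"%s\" ", sim_uuid_get_string (net_id));
  }

  if (event->sensor)
  {
    ip = sim_inet_get_canonical_name (event->sensor);
    g_string_append_printf (str, "sensor=\"%s\" ", ip);
    g_free (ip);
  }

  if (event->sensor_id)
    g_string_append_printf (str, "sensor_id=\"%s\" ", sim_uuid_get_string (event->sensor_id));

  if (event->device)
  {
    ip = sim_inet_get_canonical_name (event->device);
    g_string_append_printf (str, "device=\"%s\" ", ip);
    g_free (ip);
  }

  if (event->device_id)
    g_string_append_printf (str, "device_id=\"%d\" ", event->device_id);

  /* NOTE(review): interface/value/hostnames/MACs/binary_data below are
   * written raw inside the quotes, unlike the base64 fields. A '"' or a
   * newline in one of them (hostnames and MACs can come from IDM data, not
   * from this process) would break the key="value" framing — confirm the
   * receiving parser tolerates that, or base64 them like the other text. */
  if (event->interface)
    g_string_append_printf (str, "interface=\"%s\" ", event->interface);

  if (event->protocol)
  {
    gchar *value = sim_protocol_get_str_from_type (event->protocol);
    g_string_append_printf (str, "protocol=\"%s\" ", value);
    g_free (value);
  }

  if (event->condition)
  {
    gchar *value = sim_condition_get_str_from_type (event->condition);
    g_string_append_printf (str, "condition=\"%s\" ", value);
    g_free (value);
  }

  if (event->value)
    g_string_append_printf (str, "value=\"%s\" ", event->value);

  if (event->interval)
    g_string_append_printf (str, "interval=\"%d\" ", event->interval);

  if (event->is_priority_set)
    g_string_append_printf (str, "priority=\"%d\" ", event->priority);
  if (event->is_reliability_set)
    g_string_append_printf (str, "reliability=\"%d\" ", event->reliability);

  g_string_append_printf (str, "asset_src=\"%d\" ", event->asset_src);
  g_string_append_printf (str, "asset_dst=\"%d\" ", event->asset_dst);

  /* Each risk value is gated by itself. The previous code tested risk_c to
   * decide whether to emit risk_a and vice versa, so a non-zero risk could
   * be dropped while a zero one was sent. */
  if (event->risk_a)
    g_string_append_printf (str, "risk_a=\"%lf\" ", event->risk_a);
  if (event->risk_c)
    g_string_append_printf (str, "risk_c=\"%lf\" ", event->risk_c);

  /* data is only forwarded for special events, and is encoded even when
   * empty (no length check), exactly as before. */
  if ((event->data) && sim_event_is_special (event))
  {
    if (!append_b64 (str, "data", event->data, strlen (event->data)))
      return g_string_free (str, TRUE);
  }

  if (event->log)
  {
    if (!append_b64 (str, "log", event->log->str, event->log->len))
      return g_string_free (str, TRUE);
  }

  {
    /* Order is part of the wire format; keep it. */
    const struct { const gchar *key; const gchar *value; } text_fields[] = {
      { "filename",     event->filename },
      { "username",     event->username },
      { "password",     event->password },       /* base64 only — see header */
      { "userdata1",    event->userdata1 },
      { "userdata2",    event->userdata2 },
      { "userdata3",    event->userdata3 },
      { "userdata4",    event->userdata4 },
      { "userdata5",    event->userdata5 },
      { "userdata6",    event->userdata6 },
      { "userdata7",    event->userdata7 },
      { "userdata8",    event->userdata8 },
      { "userdata9",    event->userdata9 },
      { "src_username", event->src_username_raw },
      { "dst_username", event->dst_username_raw },
    };

    for (i = 0; i < G_N_ELEMENTS (text_fields); i++)
      if (!append_b64_str (str, text_fields[i].key, text_fields[i].value))
        return g_string_free (str, TRUE);
  }

  if (event->src_id)
    g_string_append_printf (str, "src_id=\"%s\" ", sim_uuid_get_string (event->src_id));
  if (event->dst_id)
    g_string_append_printf (str, "dst_id=\"%s\" ", sim_uuid_get_string (event->dst_id));
  if (event->src_hostname)
    g_string_append_printf (str, "src_hostname=\"%s\" ", event->src_hostname);
  if (event->dst_hostname)
    g_string_append_printf (str, "dst_hostname=\"%s\" ", event->dst_hostname);
  if (event->src_mac)
    g_string_append_printf (str, "src_mac=\"%s\" ", event->src_mac);
  if (event->dst_mac)
    g_string_append_printf (str, "dst_mac=\"%s\" ", event->dst_mac);

  if (event->rep_prio_src)
    g_string_append_printf (str, "rep_prio_src=\"%u\" ", event->rep_prio_src);
  if (event->rep_prio_dst)
    g_string_append_printf (str, "rep_prio_dst=\"%u\" ", event->rep_prio_dst);
  if (event->rep_rel_src)
    g_string_append_printf (str, "rep_rel_src=\"%u\" ", event->rep_rel_src);
  if (event->rep_rel_dst)
    g_string_append_printf (str, "rep_rel_dst=\"%u\" ", event->rep_rel_dst);

  if (!append_b64_str (str, "rep_act_src", event->str_rep_act_src))
    return g_string_free (str, TRUE);
  if (!append_b64_str (str, "rep_act_dst", event->str_rep_act_dst))
    return g_string_free (str, TRUE);

  /* Written verbatim; see the note above the interface field. */
  if (event->binary_data != NULL)
    g_string_append_printf (str, "binary_data=\"%s\" ", event->binary_data);

  g_string_append_printf (str, "\n");

  return g_string_free (str, FALSE);
}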
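/*
 * enrich_side:
 * @ctx_id: context the IDM lookup is scoped to.
 * @ia: address to look up (the event's source or destination address).
 * @username, @username_raw, @hostname, @mac, @host_id: the event's fields
 *   for that side. Filled from the IDM entry; the event owns the results.
 *
 * Looks @ia up in the IDM store and copies user name, host name, MAC and
 * host id into the given fields. The lookup is skipped entirely when any of
 * @username, @hostname, @mac or @host_id is already set, so data carried by
 * a forwarded event is never overwritten.
 */
static void
enrich_side (SimUuid  *ctx_id,
             SimInet  *ia,
             gchar   **username,
             gchar   **username_raw,
             gchar   **hostname,
             gchar   **mac,
             SimUuid **host_id)
{
  SimIdmEntry *entry;
  const gchar *value;
  SimUuid     *id;

  if (*username || *hostname || *mac || *host_id)
    return;

  entry = sim_idm_get (ctx_id, ia);
  if (!entry)
    return;

  value = sim_idm_entry_get_username (entry);
  if (value)
  {
    *username_raw = g_strdup (value);
    *username     = sim_command_idm_event_parse_username (value);
  }

  value = sim_idm_entry_get_hostname (entry);
  if (value)
    *hostname = g_strdup (value);

  value = sim_idm_entry_get_mac (entry);
  if (value)
    *mac = g_strdup (value);

  /* The entry keeps its own reference to the host id; take one for the
   * event. g_object_ref (NULL) would only raise a GLib critical, so a
   * missing id is stored as NULL instead. */
  id = sim_idm_entry_get_host_id (entry);
  *host_id = id ? g_object_ref (id) : NULL;

  g_object_unref (entry);
}

/**
 * sim_event_enrich_idm:
 * @event: a #SimEvent object.
 *
 * Completes the source and destination identity fields of @event
 * (user name, host name, MAC, host id) from the IDM store, keyed by the
 * event's context and addresses. A side whose identity fields are already
 * populated is left untouched, which keeps forwarded events intact.
 *
 * The IDM values are copied verbatim and later serialised unescaped by
 * sim_event_to_string(); treat them as external data.
 */
void
sim_event_enrich_idm (SimEvent *event)
{
  SimUuid *ctx_id;

  g_return_if_fail (SIM_IS_EVENT (event));

  ctx_id = sim_context_get_id (event->context);

  enrich_side (ctx_id, event->src_ia,
               &event->src_username, &event->src_username_raw,
               &event->src_hostname, &event->src_mac, &event->src_id);

  enrich_side (ctx_id, event->dst_ia,
               &event->dst_username, &event->dst_username_raw,
               &event->dst_hostname, &event->dst_mac, &event->dst_id);
}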