[ossec-cvs] ossec-hids: Makefile (NEW) dbd.c (NEW) main.c (NEW) mysql.schema (NEW) config.c (HEAD) db_op.c (HEAD) db_op.h (HEAD) rules.c (HEAD) [dcid]
- To: ossec-cvs@xxxxxxxxx
- Subject: [ossec-cvs] ossec-hids: Makefile (NEW) dbd.c (NEW) main.c (NEW) mysql.schema (NEW) config.c (HEAD) db_op.c (HEAD) db_op.h (HEAD) rules.c (HEAD) [dcid]
- From: OSSEC CVS <cvs-commit@xxxxxxxxx>
- Date: Mon, 13 Aug 2007 21:29:37 -0300 (ADT)
- Content-transfer-encoding: 8bit
Module name: ossec-hids
Changes by: dcid 07/08/13 21:29:34
Modified files:
config.c db_op.c db_op.h rules.c
Added files:
Makefile dbd.c main.c mysql.schema
Log message:
Description: Working alpha of the database support. The basic stuff should be working now, but we still need to improve the tables and a few other things.
Reviewed by: dcid
Example config:
<database_output>
<hostname>1.2.3.4</hostname>
<username>user</username>
<password>mypass</password>
<database>test1</database>
</database_output>
Bug:
--- NEW FILE: Makefile ---
# Makefile for dbd
# Daniel B. Cid <dcid@xxxxxxxxx>
#
# Builds the ossec-dbd daemon from every .c file in this directory together
# with the shared OSSEC object lists defined in ../Config.Make.

# Relative path to the parent source directory.
PT=../
# Name of the resulting binary.
NAME=ossec-dbd
# MySQL client headers and library; adjust if MySQL lives somewhere else.
DBFLAGS=-I/usr/local/include/mysql -L/usr/local/lib/mysql -lmysqlclient

include ../Config.Make

# All local sources; the shared objects come from Config.Make variables.
LOCAL = *.c
OBJS = ${OS_CONFIG} ${OS_SHARED} ${OS_NET} ${OS_REGEX} ${OS_XML}

# -DDBD enables the dbd code paths (db_op.c is wrapped in #ifdef DBD),
# -DUMYSQL selects the MySQL backend (#ifdef UMYSQL in db_op.c).
dbd:
	${CC} ${CFLAGS} ${DBFLAGS} -DDBD -DUMYSQL ${LOCAL} ${OBJS} -o ${NAME}

clean:
	${CLEAN}

build:
	${BUILD}
--- NEW FILE: dbd.c ---
/* @(#) $Id: dbd.c,v 1.1 2007/08/14 00:29:34 dcid Exp $ */
/* Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
* License (version 3) as published by the FSF - Free Software
* Foundation.
*
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#ifndef DBD
#define DBD
#endif
#ifndef ARGV0
#define ARGV0 "ossec-dbd"
#endif
#include "shared.h"
#include "dbd.h"
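/* OS_DBD: Monitor the alerts and insert them into the database.
 *
 * Reads alerts from the alert file queue forever and inserts one row per
 * alert into the `alert` table through db_config->conn.  The loop never
 * ends in normal operation: a failed insert is logged with merror() and
 * the next alert is processed; an alert whose statement does not fit the
 * SQL buffer is logged and dropped rather than sent truncated.
 *
 * db_config: configuration whose conn member is an open database
 *            connection set up by the caller.
 */
void OS_DBD(DBConfig *db_config)
{
    unsigned int s_ip;
    time_t tm;
    struct tm *p;
    char sql_query[OS_SIZE_2048 + 1];
    file_queue *fileq;
    alert_data *al_data;

    /* Current time is needed to position the file queue before starting */
    tm = time(NULL);
    p = localtime(&tm);

    /* Initiating file queue - to read the alerts */
    os_calloc(1, sizeof(file_queue), fileq);
    Init_FileQueue(fileq, p, 0);

    memset(sql_query, '\0', OS_SIZE_2048 + 1);

    /* Infinite loop reading the alerts and inserting them. */
    while (1) {
        int n;
        const char *user;
        const char *full_log;

        tm = time(NULL);
        p = localtime(&tm);
        s_ip = 0;

        /* Get message if available (timeout of 5 seconds) */
        al_data = Read_FileMon(fileq, p, 5);
        if (!al_data) {
            continue;
        }

        debug2("%s: DEBUG: Got data: %d, %d, %s, %s",
               ARGV0,
               al_data->rule,
               al_data->level,
               al_data->location,
               al_data->group);

        /* Converting srcip to int (kept in network byte order until the
         * insert, where it is converted with ntohl) */
        if (al_data->srcip) {
            struct in_addr net;

            if (inet_aton(al_data->srcip, &net)) {
                debug2("%s: DEBUG: found ip: %u for %s", ARGV0, net.s_addr,
                       al_data->srcip);
                s_ip = net.s_addr;
            }
        }

        /* Escaping strings in place.  An absent field is stored as an
         * empty string instead of being dereferenced -- whether user or
         * log[0] can actually be NULL depends on the alert parser; TODO
         * confirm. */
        user = "";
        if (al_data->user) {
            osdb_escapestr(al_data->user);
            user = al_data->user;
        }
        full_log = "";
        if (al_data->log[0]) {
            osdb_escapestr(al_data->log[0]);
            full_log = al_data->log[0];
        }

        /* Generating SQL.  time_t is cast to unsigned long so the
         * conversion specifier matches the argument type. */
        n = snprintf(sql_query, OS_SIZE_2048,
                     "INSERT INTO "
                     "alert(id,signature_id,timestamp,src_ip,user,full_log) "
                     "VALUES (NULL, '%u','%lu','%lu', '%s', '%s') ",
                     al_data->rule, (unsigned long)time(NULL),
                     (unsigned long)ntohl(s_ip), user, full_log);

        /* A truncated statement could be cut inside a quoted value, so it
         * is never sent; the alert is logged and dropped instead. */
        if (n < 0 || n >= OS_SIZE_2048) {
            merror("%s: ERROR: Alert does not fit the SQL buffer, skipping it.",
                   ARGV0);
        } else if (!osdb_query(db_config->conn, sql_query)) {
            /* Inserting into the db */
            merror(DB_MAINERROR, ARGV0);
        }

        /* Clearing the memory */
        FreeAlertData(al_data);
    }
}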
/* EOF */
--- NEW FILE: main.c ---
/* @(#) $Id: main.c,v 1.1 2007/08/14 00:29:34 dcid Exp $ */
/* Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
* License (version 3) as published by the FSF - Free Software
* Foundation.
*
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#ifndef DBD
#define DBD
#endif
#ifndef ARGV0
#define ARGV0 "ossec-dbd"
#endif
#include "shared.h"
#include "dbd.h"
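/* Entry point of ossec-dbd.
 *
 * Parses the command line, validates the user/group, reads the database
 * configuration, connects to the database, goes into daemon mode, drops
 * privileges (setgid, chroot, setuid), loads the rules into the database
 * and finally hands control to OS_DBD(), which only returns on error.
 *
 * Options: -V print version, -h help, -d debug, -t test the configuration
 * (rules are inserted, then the process exits), -u user, -g group,
 * -D directory, -c configuration file.
 */
int main(int argc, char **argv)
{
    int c, test_config = 0;
    int uid = 0, gid = 0;

    /* Using MAILUSER (read only) */
    char *dir = DEFAULTDIR;
    char *user = MAILUSER;
    char *group = GROUPGLOBAL;
    char *cfg = DEFAULTCPATH;

    /* Database structure, zeroed so that no field is read uninitialized
     * if the config reader leaves something unset. */
    DBConfig db_config;

    memset(&db_config, 0, sizeof(db_config));

    /* Setting the name */
    OS_SetName(ARGV0);

    while ((c = getopt(argc, argv, "Vdhtu:g:D:c:")) != -1) {
        switch (c) {
            case 'V':
                print_version();
                break;
            case 'h':
                help();
                break;
            case 'd':
                nowDebug();
                break;
            case 'u':
                if (!optarg) {
                    ErrorExit("%s: -u needs an argument", ARGV0);
                }
                user = optarg;
                break;
            case 'g':
                if (!optarg) {
                    ErrorExit("%s: -g needs an argument", ARGV0);
                }
                group = optarg;
                break;
            case 'D':
                if (!optarg) {
                    ErrorExit("%s: -D needs an argument", ARGV0);
                }
                dir = optarg;
                /* This break was missing: -D fell through into -c and
                 * replaced the config path with the directory. */
                break;
            case 'c':
                if (!optarg) {
                    ErrorExit("%s: -c needs an argument", ARGV0);
                }
                cfg = optarg;
                break;
            case 't':
                test_config = 1;
                break;
            default:
                help();
                break;
        }
    }

    /* Starting daemon */
    debug1(STARTED_MSG, ARGV0);

    /* Check if the user/group given are valid */
    uid = Privsep_GetUser(user);
    gid = Privsep_GetGroup(group);
    if ((uid < 0) || (gid < 0)) {
        ErrorExit(USER_ERROR, ARGV0, user, group);
    }

    /* Reading configuration */
    if (OS_ReadDBConf(test_config, cfg, &db_config) < 0) {
        ErrorExit(CONFIG_ERROR, ARGV0, cfg);
    }

    /* Connection details for debugging.  The password is deliberately
     * left out: debug output ends up in log files that are readable by
     * more than this daemon. */
    debug1("%s: DEBUG: Connecting to '%s', using '%s', '%s'.",
           ARGV0, db_config.host, db_config.user, db_config.db);

    /* Connecting to the database */
    db_config.conn = osdb_connect(db_config.host, db_config.user,
                                  db_config.pass, db_config.db);
    if (!db_config.conn) {
        merror(DB_CONFIGERR, ARGV0);
        ErrorExit(CONFIG_ERROR, ARGV0, cfg);
    }

    /* Going on daemon mode */
    if (!test_config) {
        nowDaemon();
        goDaemon();
    }

    /* Privilege separation */
    if (Privsep_SetGroup(gid) < 0) {
        ErrorExit(SETGID_ERROR, ARGV0, group);
    }

    /* chrooting */
    if (Privsep_Chroot(dir) < 0) {
        ErrorExit(CHROOT_ERROR, ARGV0, dir);
    }

    /* Now on chroot */
    nowChroot();

    /* Read rules and insert into the db (still as the original user,
     * before the setuid below) */
    if (OS_InsertRulesDB(&db_config) < 0) {
        ErrorExit(CONFIG_ERROR, ARGV0, cfg);
    }

    /* Exit here if test config is set */
    if (test_config) {
        exit(0);
    }

    /* Changing user */
    if (Privsep_SetUser(uid) < 0) {
        ErrorExit(SETUID_ERROR, ARGV0, user);
    }

    /* Basic start up completed. */
    debug1(PRIVSEP_MSG, ARGV0, dir, user);

    /* Signal manipulation */
    StartSIG(ARGV0);

    /* Creating PID files */
    if (CreatePID(ARGV0, getpid()) < 0) {
        ErrorExit(PID_ERROR, ARGV0);
    }

    /* Start up message */
    verbose(STARTUP_MSG, ARGV0, getpid());

    /* the real daemon now */
    OS_DBD(&db_config);

    exit(0);
}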
/* EOF */
--- NEW FILE: mysql.schema ---
-- MySQL schema for ossec-dbd.
-- Three tables: category, signature (filled from the rules by rules.c)
-- and alert (one row per alert, inserted by OS_DBD in dbd.c).

CREATE TABLE category
(
    cat_id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT,
    cat_name VARCHAR(32) NOT NULL UNIQUE,
    PRIMARY KEY (cat_id),
    INDEX (cat_name)
);

-- id is a surrogate key; rule_id holds the OSSEC rule id
-- (MEDIUMINT UNSIGNED, up to 16777215).
CREATE TABLE signature
(
    id SMALLINT UNSIGNED NOT NULL AUTO_INCREMENT,
    rule_id MEDIUMINT UNSIGNED NOT NULL UNIQUE,
    level TINYINT UNSIGNED,
    category VARCHAR(64) NOT NULL,
    description VARCHAR(255) NOT NULL,
    PRIMARY KEY (id),
    INDEX (level),
    INDEX (rule_id)
);

-- NOTE(review): dbd.c inserts al_data->rule (the rule id) into
-- signature_id, which is SMALLINT UNSIGNED (max 65535), while the rule id
-- column above is MEDIUMINT UNSIGNED -- confirm whether signature_id is
-- meant to reference signature.id or signature.rule_id and widen it if it
-- stores rule ids.
-- NOTE(review): user and full_log are limited to 32 and 255 chars while
-- dbd.c builds the statement in a 2048-byte buffer; longer values are
-- truncated or rejected depending on the server's sql_mode.
-- timestamp is stored as a plain unsigned integer (seconds since epoch,
-- as written by dbd.c), not a MySQL TIMESTAMP.
CREATE TABLE alert
(
    id INT UNSIGNED NOT NULL AUTO_INCREMENT,
    signature_id SMALLINT UNSIGNED NOT NULL,
    timestamp INT UNSIGNED NOT NULL,
    src_ip INT UNSIGNED,
    dst_ip INT UNSIGNED,
    src_port SMALLINT UNSIGNED,
    dst_port SMALLINT UNSIGNED,
    user VARCHAR(32),
    full_log VARCHAR(255),
    PRIMARY KEY (id,signature_id),
    INDEX time (timestamp),
    INDEX (src_ip)
);
Index: config.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/os_dbd/config.c,v
diff -u -r1.1 -r1.2
--- config.c 13 Aug 2007 02:14:16 -0000 1.1
+++ config.c 14 Aug 2007 00:29:34 -0000 1.2
@@ -49,6 +49,18 @@
*/
db_config->includes = tmp_config->includes;
free(tmp_config);
+
+
+ /* Checking for a valid config. */
+ if(!db_config->host ||
+ !db_config->user ||
+ !db_config->pass ||
+ !db_config->db)
+ {
+ merror(DB_MISS_CONFIG, ARGV0);
+ return(OS_INVALID);
+ }
+
return(0);
}
Index: db_op.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/os_dbd/db_op.c,v
diff -u -r1.1 -r1.2
--- db_op.c 13 Aug 2007 02:14:16 -0000 1.1
+++ db_op.c 14 Aug 2007 00:29:34 -0000 1.2
@@ -18,6 +18,7 @@
#ifdef DBD
#include "shared.h"
+#include "db_op.h"
/* Using Mysql */
#ifdef UMYSQL
@@ -25,6 +26,28 @@
#endif
+/** void osdb_escapestr
+ * Escapes a null terminated string before inserting into the database.
+ * We built a white list of allowed characters at insert_map. Everything
+ * not allowed will become spaces.
+ */
+void osdb_escapestr(char *str)
+{
+ while(*str)
+ {
+ if(*str == '\'')
+ {
+ *str = '`';
+ }
+ else if(insert_map[(unsigned char)*str] != '\001')
+ {
+ *str = ' ';
+ }
+ str++;
+ }
+}
+
+
/* Create the tree
* Return NULL on error
*/
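Review bot: osdb_escapestr dereferences `str` without a NULL check, and its callers in dbd.c pass `al_data->user` and `al_data->log[0]` straight in, so if either field can be absent for some alerts the daemon crashes in the escape step rather than in the insert; a guard at the top, `if(!str) return;`, makes the function safe for optional fields. Since this is the only escaping applied before the values are placed into the snprintf'd INSERT statements in dbd.c and rules.c, the doc comment should also state the contract it relies on, e.g. `* Callers must wrap the escaped value in single quotes; the function only guarantees that no quote survives in it.` The function is complete inside the hunk.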
@@ -54,6 +77,9 @@
}
+/** int osdb_query(void *db_conn, char *query)
+ * Sends query to database.
+ */
int osdb_query(void *db_conn, char *query)
{
if(mysql_query(db_conn, query) != 0)
Index: db_op.h
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/os_dbd/db_op.h,v
diff -u -r1.1 -r1.2
--- db_op.h 13 Aug 2007 02:14:16 -0000 1.1
+++ db_op.h 14 Aug 2007 00:29:34 -0000 1.2
@@ -21,7 +21,55 @@
/* Connects to the database */
void *osdb_connect(char *host, char *user, char *pass, char *db);
+
+/* Queries the database */
int osdb_query(void *db_conn, char *query);
+
+/* escape strings before inserting. */
+void osdb_escapestr(char *str);
+
+
+/* Allowed characters */
+/* Insert charmap.
+ * Available chars: a-z, A-Z, 0-9, -, _, ., %, $, @, (, ), +, *, <space> /
+ * Basically: 040-046 (oct)
+ * 050-176 (oct)
+ */
+static const unsigned char insert_map[] =
+{
+ '\000', '\000', '\002', '\003', '\004', '\005', '\006', '\007',
+ '\010', '\011', '\012', '\013', '\014', '\015', '\016', '\017',
+ '\020', '\021', '\022', '\023', '\024', '\025', '\026', '\027',
+ '\030', '\031', '\032', '\033', '\034', '\035', '\036', '\037',
+ '\001', '\001', '\001', '\001', '\001', '\001', '\001', '\047',
+ '\001', '\001', '\001', '\001', '\001', '\001', '\001', '\001',
+ '\001', '\001', '\001', '\001', '\001', '\001', '\001', '\001',
+ '\001', '\001', '\001', '\001', '\001', '\001', '\001', '\001',
+ '\001', '\001', '\001', '\001', '\001', '\001', '\001', '\001',
+ '\001', '\001', '\001', '\001', '\001', '\001', '\001', '\001',
+ '\001', '\001', '\001', '\001', '\001', '\001', '\001', '\001',
+ '\001', '\001', '\001', '\001', '\001', '\001', '\001', '\001',
+ '\001', '\001', '\001', '\001', '\001', '\001', '\001', '\001',
+ '\001', '\001', '\001', '\001', '\001', '\001', '\001', '\001',
+ '\001', '\001', '\001', '\001', '\001', '\001', '\001', '\001',
+ '\001', '\001', '\001', '\001', '\001', '\001', '\001', '\177',
+ '\200', '\201', '\202', '\203', '\204', '\205', '\206', '\207',
+ '\210', '\211', '\212', '\213', '\214', '\215', '\216', '\217',
+ '\220', '\221', '\222', '\223', '\224', '\225', '\226', '\227',
+ '\230', '\231', '\232', '\233', '\234', '\235', '\236', '\237',
+ '\240', '\241', '\242', '\243', '\244', '\245', '\246', '\247',
+ '\250', '\251', '\252', '\253', '\254', '\255', '\256', '\257',
+ '\260', '\261', '\262', '\263', '\264', '\265', '\266', '\267',
+ '\270', '\271', '\272', '\273', '\274', '\275', '\276', '\277',
+ '\300', '\301', '\302', '\303', '\304', '\305', '\306', '\307',
+ '\310', '\311', '\312', '\313', '\314', '\315', '\316', '\317',
+ '\320', '\321', '\322', '\323', '\324', '\325', '\326', '\327',
+ '\330', '\331', '\332', '\333', '\334', '\335', '\336', '\337',
+ '\340', '\341', '\342', '\343', '\344', '\345', '\346', '\347',
+ '\350', '\351', '\352', '\353', '\354', '\355', '\356', '\357',
+ '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
+ '\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
+};
#endif
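Review bot: insert_map lets the backslash (octal 0134, in the all-`'\001'` row for 0130-0137) through as an allowed character, but MySQL string literals treat backslash as an escape, so a value ending in a backslash swallows the closing quote that dbd.c and rules.c put around it and the statement is no longer parsed as intended; setting that entry to `'\000'` so osdb_escapestr turns it into a space (or quoting with mysql_real_escape_string instead of a charmap) closes the gap. The header comment names a short list of available characters, but the table as written allows every character from 040 to 176 except the apostrophe, including `"`, `#`, `;` and `\`; the comment should describe the table as built. Defining `static const unsigned char insert_map[]` in a header gives each translation unit that includes it a private copy — a declaration here with the definition in db_op.c is the usual layout. The last row repeats 0360-0367 instead of 0370-0377; harmless because only `'\001'` is ever tested, but worth fixing so the table reads as a charmap.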
Index: rules.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/os_dbd/rules.c,v
diff -u -r1.1 -r1.2
--- rules.c 13 Aug 2007 02:14:16 -0000 1.1
+++ rules.c 14 Aug 2007 00:29:34 -0000 1.2
@@ -22,7 +22,28 @@
memset(sql_query, '\0', OS_SIZE_1024);
- merror("XXX inserting: %d", rule->sigid);
+ /* Escaping strings */
+ osdb_escapestr(rule->group);
+ osdb_escapestr(rule->comment);
+
+
+ /* Checking level limit */
+ if(rule->level > 20)
+ rule->level = 20;
+ if(rule->level < 0)
+ rule->level = 0;
+
+
+
+ /* Checking rule limit */
+ if(rule->sigid < 0 || rule->sigid > 9999999)
+ {
+ merror("%s: Invalid rule id: %u", rule->sigid);
+ return(NULL);
+ }
+
+
+ debug2("%s: DEBUG: Inserting: %d", ARGV0, rule->sigid);
/* Generating SQL */
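Review bot: `merror("%s: Invalid rule id: %u", rule->sigid);` has two conversions but one argument, so `rule->sigid` is consumed by `%s` as a pointer and `%u` reads a missing argument — undefined behavior on the very error path this check adds. It should be `merror("%s: Invalid rule id: %d", ARGV0, rule->sigid);`, with `%d` because the `< 0` test just above shows sigid is signed and the debug2 line below already prints it that way. The enclosing function starts before the hunk; `return(NULL)` only fits if it returns a pointer, which is worth confirming against its signature.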
@@ -34,6 +55,8 @@
rule->sigid, rule->level, rule->group, rule->comment,
rule->level);
+
+ /* Checking return code. */
if(!osdb_query(dbc->conn, sql_query))
{
merror(DB_MAINERROR, ARGV0);