[ossec-cvs] ossec-hids: README (NEW) alert.c (NEW) db_op.c (HEAD) dbd.c (HEAD) dbd.h (HEAD) main.c (HEAD) mysql.schema (HEAD) rules.c (HEAD) server.c (HEAD) [dcid]
Module name: ossec-hids
Changes by: dcid 07/08/18 00:38:35
Modified files:
db_op.c dbd.c dbd.h main.c mysql.schema rules.c server.c
Added files:
README alert.c
Log message:
Description: Database seems to be working well now...
Reviewed by: dcid
Bug:
--- NEW FILE: README ---
# Simple readme with some query examples.
1- View all rules:
> SELECT rule_id, level, description FROM signature;
2- View all categories (groups):
> SELECT * FROM category;
3- View all categories of a specific rule (1002 for example):
> SELECT rule_id, cat_name from category, signature_category_mapping WHERE rule_id = 1002 AND signature_category_mapping.cat_id = category.cat_id;
4- View all alerts (without data):
> SELECT * FROM alert;
5- View all alerts (with IP as string):
> SELECT rule_id, timestamp, INET_ATON(src_ip) srcip from alert;
6- View all alerts, including locations (IP as string and time as string):
>SELECT FROM_UNIXTIME(timestamp) time, rule_id,location.name location, full_log FROM alert,location, data WHERE location.id = alert.location_id;
Output:
+---------------------+---------+---------------------------+-----------------------------------------------------+
| time | rule_id | location | full_log |
+---------------------+---------+---------------------------+-----------------------------------------------------+
| 2007-08-18 00:28:49 | 1002 | enigma->/var/log/messages | Aug 18 00:28:49 enigma dcid: Segmentation Fault 1q2 |
+---------------------+---------+---------------------------+-----------------------------------------------------+
--- NEW FILE: alert.c ---
/* @(#) $Id: alert.c,v 1.1 2007/08/18 03:38:34 dcid Exp $ */
/* Copyright (C) 2003-2007 Daniel B. Cid <dcid@xxxxxxxxx>
* All rights reserved.
*
* This program is a free software; you can redistribute it
* and/or modify it under the terms of the GNU General Public
* License (version 3) as published by the FSF - Free Software
* Foundation
*
* License details at the LICENSE file included with OSSEC or
* online at: http://www.ossec.net/en/licensing.html
*/
#include "dbd.h"
#include "config/config.h"
#include "rules_op.h"
/** int OS_SelectMaxID(DBConfig *db_config)
 * Looks up the largest alert id already stored for this server
 * (SELECT MAX(id) FROM alert WHERE server_id = ...).
 * Returns whatever osdb_query_select reports, which is 0 when no
 * row is found.
 */
int OS_SelectMaxID(DBConfig *db_config)
{
    char sql_query[OS_SIZE_1024];

    /* Start from an all-zero buffer, like the other query builders */
    memset(sql_query, '\0', sizeof(sql_query));

    /* Build the query; server_id is formatted as unsigned as elsewhere */
    snprintf(sql_query, sizeof(sql_query) - 1,
             "SELECT MAX(id) FROM "
             "alert WHERE server_id = '%u'",
             db_config->server_id);

    /* Hand the lookup to the db layer and pass its result straight back */
    return(osdb_query_select(db_config->conn, sql_query));
}
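/** int __DBSelectLocation(char *location, DBConfig *db_config)
 * Selects the id of the given location name for this server from the
 * location table.
 *
 * location is interpolated into the query as a quoted literal without
 * any escaping here, so the caller must pass an already SQL-escaped
 * string (see osdb_escapestr).
 *
 * Returns the id, or 0 if not found (osdb_query_select's convention).
 */
int __DBSelectLocation(char *location, DBConfig *db_config)
{
    char sql_query[OS_SIZE_1024];

    memset(sql_query, '\0', sizeof(sql_query));

    /* server_id is formatted with %u, matching the other queries in this
     * file and the unsigned column type in the schema */
    snprintf(sql_query, sizeof(sql_query) - 1,
             "SELECT id FROM "
             "location WHERE name = '%s' AND server_id = '%u'",
             location, db_config->server_id);

    return(osdb_query_select(db_config->conn, sql_query));
}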
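/** int __DBInsertLocation(char *location, DBConfig *db_config)
 * Inserts a new location row (id assigned by the db) for this server.
 *
 * location is interpolated into the query unescaped; the caller must
 * pass an already SQL-escaped string (see osdb_escapestr).
 *
 * Returns 1 when osdb_query_insert reports success, 0 otherwise (the
 * failure is also logged with merror). Callers that need the new id
 * should follow up with __DBSelectLocation.
 */
int __DBInsertLocation(char *location, DBConfig *db_config)
{
    char sql_query[OS_SIZE_1024];

    memset(sql_query, '\0', sizeof(sql_query));

    snprintf(sql_query, sizeof(sql_query) - 1,
             "INSERT INTO "
             "location(id, server_id, name) "
             "VALUES (NULL, '%u', '%s')",
             db_config->server_id, location);

    /* Propagate the outcome instead of discarding it */
    if(!osdb_query_insert(db_config->conn, sql_query))
    {
        merror(DB_MAINERROR, ARGV0);
        return(0);
    }

    return(1);
}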
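/** int OS_Alert_InsertDB(alert_data *al_data, DBConfig *db_config)
 * Inserts one alert into the db: resolves (and caches) the location id,
 * writes the "data" row (user, full_log) and then the "alert" row, both
 * keyed by db_config->alert_id, which is incremented afterwards.
 *
 * al_data->user, al_data->log[0] and al_data->location are escaped in
 * place with osdb_escapestr before being interpolated into SQL, since
 * they originate from the alert log rather than from this daemon.
 *
 * Returns 0 when al_data->location is missing or its id cannot be
 * selected/inserted; returns 1 otherwise. A failed data/alert insert
 * is only reported through merror (the id is still consumed), so a
 * return of 1 does not guarantee both rows were written.
 */
int OS_Alert_InsertDB(alert_data *al_data, DBConfig *db_config)
{
    unsigned int s_ip = 0;
    unsigned int location_id = 0;
    int *loc_id = NULL;
    char sql_query[OS_SIZE_2048 +1];

    /* Clearing the memory before insert */
    memset(sql_query, '\0', sizeof(sql_query));

    /* Without a location there is no row to key the alert on */
    if(!al_data->location)
    {
        merror("%s: Unable to insert alert without a location.", ARGV0);
        return(0);
    }

    /* Converting srcip to int; kept in network byte order until the
     * final query, where ntohl() is applied */
    if(al_data->srcip)
    {
        struct in_addr net;

        if(inet_aton(al_data->srcip, &net))
        {
            s_ip = net.s_addr;
        }
    }

    /* Escaping every string that ends up inside a quoted SQL literal.
     * location is escaped before the hash lookup so that the cache key
     * and the value handed to __DBSelectLocation/__DBInsertLocation
     * are always the same escaped form. */
    osdb_escapestr(al_data->user);
    osdb_escapestr(al_data->log[0]);
    osdb_escapestr(al_data->location);

    /* The location id is cached per location name; on a miss it is
     * selected from the db, inserted if absent, and then cached. */
    loc_id = OSHash_Get(db_config->location_hash, al_data->location);
    if(!loc_id)
    {
        location_id = __DBSelectLocation(al_data->location, db_config);
        if(location_id == 0)
        {
            __DBInsertLocation(al_data->location, db_config);
            location_id = __DBSelectLocation(al_data->location, db_config);
        }

        if(!location_id)
        {
            merror("%s: Unable to insert location.", ARGV0);
            return(0);
        }

        /* The cached int is owned by the hash for the daemon's lifetime */
        os_calloc(1, sizeof(int), loc_id);
        *loc_id = location_id;
        OSHash_Add(db_config->location_hash, al_data->location, loc_id);
    }

    /* Inserting the data row (shares id/server_id with the alert row) */
    snprintf(sql_query, OS_SIZE_2048,
             "INSERT INTO "
             "data(id, server_id, user,full_log) "
             "VALUES ('%u', '%u', '%s', '%s') ",
             db_config->alert_id, db_config->server_id,
             al_data->user, al_data->log[0]);

    if(!osdb_query_insert(db_config->conn, sql_query))
    {
        merror(DB_MAINERROR, ARGV0);
    }

    /* Inserting the alert row. time() is widened to unsigned long so the
     * format specifier matches time_t on LP64 platforms. */
    snprintf(sql_query, OS_SIZE_2048,
             "INSERT INTO "
             "alert(id,server_id,rule_id,timestamp,location_id,src_ip) "
             "VALUES ('%u', '%u', '%u','%lu', '%u', '%lu')",
             db_config->alert_id, db_config->server_id, al_data->rule,
             (unsigned long)time(0), *loc_id, (unsigned long)ntohl(s_ip));

    if(!osdb_query_insert(db_config->conn, sql_query))
    {
        merror(DB_MAINERROR, ARGV0);
    }

    db_config->alert_id++;

    return(1);
}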
/* EOF */
Index: db_op.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/os_dbd/db_op.c,v
diff -u -r1.3 -r1.4
--- db_op.c 18 Aug 2007 01:07:49 -0000 1.3
+++ db_op.c 18 Aug 2007 03:38:34 -0000 1.4
@@ -110,6 +110,7 @@
MYSQL_RES *result_data;
MYSQL_ROW result_row;
+
/* Sending the query. It can not fail. */
if(mysql_query(db_conn, query) != 0)
{
@@ -131,11 +132,12 @@
/* Getting row. We only care about the first result. */
result_row = mysql_fetch_row(result_data);
- if(result_row[0] != NULL)
+ if(result_row && (result_row[0] != NULL))
{
result_int = atoi(result_row[0]);
}
+
mysql_free_result(result_data);
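Review bot: `atoi(result_row[0])` on the line after the new NULL check returns 0 for a non-numeric column and reports no overflow, so callers cannot tell a garbled value from the "not found" result that the same 0 stands for. A bounded parse keeps the 0 sentinel for genuine misses only, e.g. `char *end; long v = strtol(result_row[0], &end, 10); if(end != result_row[0] && *end == '\0') result_int = (int)v;`. The enclosing function starts and ends outside the hunk.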
Index: dbd.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/os_dbd/dbd.c,v
diff -u -r1.2 -r1.3
--- dbd.c 18 Aug 2007 01:07:49 -0000 1.2
+++ dbd.c 18 Aug 2007 03:38:34 -0000 1.3
@@ -31,12 +31,9 @@
*/
void OS_DBD(DBConfig *db_config)
{
- unsigned int s_ip, d_ip;
-
time_t tm;
struct tm *p;
- char sql_query[OS_SIZE_2048 +1];
file_queue *fileq;
alert_data *al_data;
@@ -51,7 +48,17 @@
Init_FileQueue(fileq, p, 0);
- memset(sql_query, '\0', OS_SIZE_2048 +1);
+ /* Creating location hash */
+ db_config->location_hash = OSHash_Create();
+ if(!db_config)
+ {
+ ErrorExit(MEM_ERROR, ARGV0);
+ }
+
+
+ /* Getting maximum ID */
+ db_config->alert_id = OS_SelectMaxID(db_config);
+ db_config->alert_id++;
/* Infinite loop reading the alerts and inserting them. */
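Review bot: The NULL check after `OSHash_Create()` tests `db_config` instead of the value just assigned, so an allocation failure of the hash is never caught and the later `OSHash_Get` on `db_config->location_hash` would run on a NULL table; it should read `if(!db_config->location_hash)`. Separately, `OS_SelectMaxID` returns 0 both for an empty table and for a failed query, so after a transient db error `alert_id` restarts at 1 and, with `id` now part of the primary key, later inserts are likely to collide with existing rows; consider treating a failed query as fatal here rather than seeding from 0. OS_DBD continues outside the hunk.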
@@ -60,10 +67,7 @@
tm = time(NULL);
p = localtime(&tm);
- s_ip = 0;
- d_ip = 0;
-
/* Get message if available (timeout of 5 seconds) */
al_data = Read_FileMon(fileq, p, 5);
if(!al_data)
@@ -72,54 +76,10 @@
}
- debug2("%s: DEBUG: Got data: %d, %d, %s, %s",
- ARGV0,
- al_data->rule,
- al_data->level,
- al_data->location,
- al_data->group);
-
-
- /* Converting srcip to int */
- if(al_data->srcip)
- {
- struct in_addr net;
-
- /* Extracting ip address */
- if(inet_aton(al_data->srcip, &net))
- {
- debug2("%s: DEBUG: found ip: %u for %s", ARGV0, net.s_addr,
- al_data->srcip);
- s_ip = net.s_addr;
- }
- }
-
-
- /* Escaping strings */
- osdb_escapestr(al_data->user);
- osdb_escapestr(al_data->log[0]);
-
-
- /* We first need to insert the location */
-
-
- /* Generating SQL */
- snprintf(sql_query, OS_SIZE_2048,
- "INSERT INTO "
- "alert(id,signature_id,timestamp,src_ip,user,full_log) "
- "VALUES (NULL, '%u','%u','%lu', '%s', '%s') ",
- al_data->rule, time(0),
- (unsigned long)ntohl(s_ip), al_data->user,
- al_data->log[0]);
-
-
/* Inserting into the db */
- if(!osdb_query_insert(db_config->conn, sql_query))
- {
- merror(DB_MAINERROR, ARGV0);
- }
+ OS_Alert_InsertDB(al_data, db_config);
+
-
/* Clearing the memory */
FreeAlertData(al_data);
}
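Review bot: The return value of `OS_Alert_InsertDB(al_data, db_config)` is discarded; the function returns 0 when the location id cannot be resolved, and in that case no alert row is written, so the loop silently drops the alert. Something like `if(!OS_Alert_InsertDB(al_data, db_config)) merror("%s: Unable to insert alert.", ARGV0);` would at least make the loss visible in the log. The surrounding OS_DBD loop starts outside the hunk.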
Index: dbd.h
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/os_dbd/dbd.h,v
diff -u -r1.2 -r1.3
--- dbd.h 18 Aug 2007 01:07:49 -0000 1.2
+++ dbd.h 18 Aug 2007 03:38:34 -0000 1.3
@@ -36,6 +36,14 @@
int OS_InsertRulesDB(DBConfig *db_config);
+/* Get maximum ID */
+int OS_SelectMaxID(DBConfig *db_config);
+
+
+/* Insert alerts in to the database */
+int OS_Alert_InsertDB(alert_data *al_data, DBConfig *db_config);
+
+
/* Database inserting main function */
void OS_DBD(DBConfig *db_config);
Index: main.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/os_dbd/main.c,v
diff -u -r1.2 -r1.3
--- main.c 18 Aug 2007 01:07:49 -0000 1.2
+++ main.c 18 Aug 2007 03:38:34 -0000 1.3
@@ -121,6 +121,7 @@
merror(DB_CONFIGERR, ARGV0);
ErrorExit(CONFIG_ERROR, ARGV0, cfg);
}
+ debug1("%s: DEBUG: db connected.", ARGV0);
/* Going on daemon mode */
Index: mysql.schema
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/os_dbd/mysql.schema,v
diff -u -r1.2 -r1.3
--- mysql.schema 18 Aug 2007 01:07:49 -0000 1.2
+++ mysql.schema 18 Aug 2007 03:38:34 -0000 1.3
@@ -57,15 +57,16 @@
CREATE TABLE data
(
- id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ id INT UNSIGNED NOT NULL,
+ server_id SMALLINT UNSIGNED NOT NULL,
user TEXT NOT NULL,
- full_log TEXT NOT NULL
- PRIMARY KEY (id)
+ full_log TEXT NOT NULL,
+ PRIMARY KEY (id, server_id)
);
CREATE TABLE alert
(
- id INT UNSIGNED NOT NULL AUTO_INCREMENT,
+ id INT UNSIGNED NOT NULL,
server_id SMALLINT UNSIGNED NOT NULL,
rule_id SMALLINT UNSIGNED NOT NULL,
timestamp INT UNSIGNED NOT NULL,
@@ -74,7 +75,7 @@
dst_ip INT UNSIGNED,
src_port SMALLINT UNSIGNED,
dst_port SMALLINT UNSIGNED,
- PRIMARY KEY (id,rule_id),
+ PRIMARY KEY (id, rule_id, server_id),
INDEX time (timestamp),
INDEX (src_ip)
);
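Review bot: With `id` no longer AUTO_INCREMENT on `data` and `alert`, row uniqueness now depends entirely on the daemon's in-memory counter seeded from MAX(id) at startup; two os_dbd instances sharing a server_id, or a restart after a failed MAX(id) query, would hit duplicate-key errors on `PRIMARY KEY (id, server_id)`. The two tables appear to be meant to be joined on (id, server_id) but nothing declares that relationship; a FOREIGN KEY, or at least an index on alert(id, server_id), would document it and speed up the README's alert/data join. Note too that alert's key is `(id, rule_id, server_id)`, so one (id, server_id) pair could in principle carry several alert rows while `data` holds exactly one.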
Index: rules.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/os_dbd/rules.c,v
diff -u -r1.3 -r1.4
--- rules.c 18 Aug 2007 01:07:49 -0000 1.3
+++ rules.c 18 Aug 2007 03:38:34 -0000 1.4
@@ -126,16 +126,26 @@
-/** void *_Groups_ReadInsertDB(RuleInfo *rule, DBConfig *db_config)
+/** void _Groups_ReadInsertDB(RuleInfo *rule, DBConfig *db_config)
* Insert groups (categories) in to the db.
*/
-void *_Groups_ReadInsertDB(RuleInfo *rule, DBConfig *db_config)
+void _Groups_ReadInsertDB(RuleInfo *rule, DBConfig *db_config)
{
/* We must insert each group separately. */
int cat_id;
char *tmp_group;
char *tmp_str;
+
+ debug1("%s: DEBUG: entering _Groups_ReadInsertDB", ARGV0);
+
+
+ /* If group is null, just return */
+ if(rule->group == NULL)
+ {
+ return;
+ }
+
tmp_str = strchr(rule->group, ',');
tmp_group = rule->group;
@@ -199,7 +209,7 @@
}
}
- return(NULL);
+ return;
}
@@ -225,6 +235,8 @@
if(rule->level < 0)
rule->level = 0;
+
+ debug1("%s: DEBUG: entering _Rules_ReadInsertDB()", ARGV0);
/* Checking rule limit */
Index: server.c
===================================================================
RCS file: /usr/cvsroot/ossec-hids/src/os_dbd/server.c,v
diff -u -r1.1 -r1.2
--- server.c 18 Aug 2007 01:07:49 -0000 1.1
+++ server.c 18 Aug 2007 03:38:34 -0000 1.2
@@ -83,9 +83,11 @@
char *info;
+ debug1("%s: DEBUG: entering OS_Server_ReadInsertDB()", ARGV0);
+
+
/* Getting servers hostname */
memset(__shost, '\0', 512);
- memset(info, '\0', 512);
if(gethostname(__shost, 512 -1) != 0)
{
merror("%s: Error: gethostname() failed", ARGV0);
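Review bot: `char *info;` at the top of the hunk is declared but, now that the `memset(info, ...)` line is gone, never initialized within the hunk; if it is assigned further down in OS_Server_ReadInsertDB that is fine, otherwise it should be `char *info = NULL;` (or removed) so no later path reads an indeterminate pointer. The function continues outside the hunk.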