File barnyard2-ipv6.patch of Package barnyard2
diff -ur firnsy-barnyard2-f71a8d3/configure.in firnsy-barnyard2-f71a8d3.mod/configure.in --- firnsy-barnyard2-f71a8d3/configure.in 2011-11-14 05:53:23.000000000 -0500 +++ firnsy-barnyard2-f71a8d3.mod/configure.in 2011-12-15 15:51:56.588020785 -0500 @@ -996,6 +996,13 @@ LIBS="${LIBS} -lbroccoli" fi +AC_ARG_ENABLE(acid-event, +[ --enable-acid-event Enable acid_event (BASE schema) logging], + enable_acid_event="$enableval", enable_acid_event="no") +if test "x$enable_acid_event" = "xyes"; then + CFLAGS="$CFLAGS -DENABLE_ACID_EVENT_LOGGING" +fi + # Checking for Tcl support (required by spo_sguil) AC_ARG_WITH(tcl, [ --with-tcl=DIR support for Tcl], diff -ur firnsy-barnyard2-f71a8d3/src/output-plugins/spo_database.c firnsy-barnyard2-f71a8d3.mod/src/output-plugins/spo_database.c --- firnsy-barnyard2-f71a8d3/src/output-plugins/spo_database.c 2011-11-14 05:53:23.000000000 -0500 +++ firnsy-barnyard2-f71a8d3.mod/src/output-plugins/spo_database.c 2011-12-15 16:22:13.378002691 -0500 @@ -56,6 +56,9 @@ #include <string.h> #include <time.h> #include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> #include "barnyard2.h" #include "debug.h" @@ -1191,11 +1194,21 @@ *select0 = NULL, *select1 = NULL, *insert0 = NULL; + + char timestamp_clause[128]; +#ifdef SUP_IP6 + char ip_buf[64]; +#endif + char src_buf[64]; + char dst_buf[64]; + int i, insert_fields_len, insert_values_len, ok_transaction, ref_system_id, + layer4_sport, + layer4_dport, ret; unsigned int sig_id, ref_id, 
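Review bot: The three headers added near the top of spo_database.c (`<sys/types.h>`, `<sys/stat.h>`, `<fcntl.h>`) are not used by anything this patch adds — the new code calls only SnortSnprintf, ntohs/ntohl, inet_ntoa and mysql_real_escape_string, none of which come from them, and no hunk in the patch opens a file. Drop the three `#include` lines unless some use exists outside the visible hunks; dead includes widen the dependency surface for no benefit.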
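Review bot: `char src_buf[64];` and `char dst_buf[64];` are declared without an initializer, yet the later hunks of this patch assign them only inside the `if(data->detail)` block before reading them in the acid_event INSERT, so an event logged with detail off would format uninitialized stack bytes into the SQL text. Give them a defined value at declaration, e.g. `char src_buf[64] = "0";` / `char dst_buf[64] = "0";`, which is the textual form the non-IPv6 branches already produce for the numeric BASE columns; whether `0` is acceptable for the IPv6-capable PostgreSQL/MySQL column types you deploy is something to confirm. Separately, `layer4_sport` and `layer4_dport` are added to the `int` declaration list but are formatted with `%u` in the acid_event query; declare them `unsigned int` since they hold ntohs() results (0–65535). The enclosing function's declaration list starts before this hunk.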
@@ -1757,44 +1770,55 @@ free(select0); select0 = NULL; } - free(sig_name); sig_name = NULL; +/* free(sig_name); sig_name = NULL; */ if ( (data->shared->dbtype_id == DB_ORACLE) && (data->DBschema_version >= 105) ) { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " - "event (sid,cid,signature,timestamp) " - "VALUES (%u, %u, %u, TO_DATE('%s', 'YYYY-MM-DD HH24:MI:SS'))", - data->shared->sid, data->shared->cid, sig_id, timestamp_string); + ret = SnortSnprintf(timestamp_clause, sizeof(timestamp_clause), + "TO_DATE('%s', 'YYYY-MM-DD HH24:MI:SS')", timestamp_string); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } else if(data->shared->dbtype_id == DB_ODBC) { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " - "event (sid,cid,signature,timestamp) " - "VALUES (%u, %u, %u, {ts '%s'})", - data->shared->sid, data->shared->cid, sig_id, timestamp_string); - + ret = SnortSnprintf(timestamp_clause, sizeof(timestamp_clause), "{ts '%s'}", timestamp_string); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; } else { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " - "event (sid,cid,signature,timestamp) " - "VALUES (%u, %u, %u, '%s')", - data->shared->sid, data->shared->cid, sig_id, timestamp_string); - - if (ret != SNORT_SNPRINTF_SUCCESS) + ret = SnortSnprintf(timestamp_clause, sizeof(timestamp_clause), "'%s'", timestamp_string); + if (ret != SNORT_SNPRINTF_SUCCESS) { + fprintf(stderr, "Error in timestamp_clause: %d, size %d, string: '%s'\n", + ret, (int) sizeof(timestamp_clause), timestamp_string); goto bad_query; + } + } - free(timestamp_string); timestamp_string = NULL; + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + "INSERT INTO " + "event (sid,cid,signature,timestamp) " + "VALUES (%u, %u, %u, %s)", + data->shared->sid, data->shared->cid, sig_id, timestamp_clause); + + if (p->tcph) { + + layer4_sport = ntohs(p->tcph->th_sport); + layer4_dport = ntohs(p->tcph->th_dport); + + } else if (p->udph) { + + 
layer4_sport = ntohs(p->udph->uh_sport); + layer4_dport = ntohs(p->udph->uh_dport); + + } else { + + layer4_sport = 0; + layer4_dport = 0; + } /* We do not log fragments! They are assumed to be handled by the fragment reassembly pre-processor */ 
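Review bot: Deferring `free(sig_name)` and `free(timestamp_string)` to the end of the function means every `goto bad_query` between this point and the new frees now leaves both allocations live; unless the `bad_query:` label, which is outside the hunk, releases them, each SnortSnprintf failure leaks two heap blocks per event. Either free them at `bad_query:` (initialize both to NULL at declaration so `free()` is safe on every path) or keep the original placement and copy what the acid_event insert still needs. The new port extraction dereferences `p->tcph`/`p->udph` before the fragment guard that the context comment introduces; if this plugin can be called with `p == NULL` for packet-less events, that is a NULL dereference, so write it as `if (p != NULL && p->tcph)` / `else if (p != NULL && p->udph)`. Finally, delete the commented-out `/* free(sig_name); sig_name = NULL; */` rather than leaving dead code in place. The surrounding function begins and ends outside this hunk.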
@@ -1996,26 +2020,81 @@ if(data->detail) { - ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, - "INSERT INTO " - "iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, " - " ip_tos, ip_len, ip_id, ip_flags, ip_off," - " ip_ttl, ip_proto, ip_csum) " - "VALUES (%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u,%u,%u,%u,%u)", - data->shared->sid, - data->shared->cid, - (u_long)ntohl(p->iph->ip_src.s_addr), - (u_long)ntohl(p->iph->ip_dst.s_addr), - IP_VER(p->iph), - IP_HLEN(p->iph), - p->iph->ip_tos, - ntohs(p->iph->ip_len), - ntohs(p->iph->ip_id), - p->frag_flag, - ntohs(p->frag_offset), - p->iph->ip_ttl, - p->iph->ip_proto, - ntohs(p->iph->ip_csum)); + int sock_size; +#ifdef SUP_IP6 + int sock_size; +#endif + if(data->shared->dbtype_id == DB_POSTGRESQL) { +#ifdef SUP_IP6 + if (IP_VER(p->iph) == 6) { + SnortSnprintf(src_buf, sizeof(src_buf), "'%s'", inet_ntoa(&p->inner_ip6h.ip_src)); + SnortSnprintf(dst_buf, sizeof(dst_buf), "'%s'", inet_ntoa(&p->inner_ip6h.ip_dst)); + } else { + SnortSnprintf(src_buf, sizeof(src_buf), "'%s'", inet_ntoa(&p->inner_ip4h.ip_src)); + SnortSnprintf(dst_buf, sizeof(dst_buf), "'%s'", inet_ntoa(&p->inner_ip4h.ip_dst)); + } +#else + SnortSnprintf(src_buf, sizeof(src_buf), "%lu", (u_long)ntohl(p->iph->ip_src.s_addr)); + SnortSnprintf(dst_buf, sizeof(dst_buf), "%lu", (u_long)ntohl(p->iph->ip_dst.s_addr)); +#endif + + } else if (data->shared->dbtype_id == DB_MYSQL) { +#ifdef SUP_IP6 + if (IP_VER(p->iph) == 6) { + sock_size = 16; + mysql_real_escape_string (data->m_sock, + ip_buf, + (const char *) &p->inner_ip6h.ip_src.ip, + sock_size); + SnortSnprintf(src_buf, sizeof(src_buf), "'%s'", ip_buf); + mysql_real_escape_string (data->m_sock, + ip_buf, + (const char *) &p->inner_ip6h.ip_dst.ip, + sock_size); + SnortSnprintf(dst_buf, sizeof(dst_buf), "'%s'", ip_buf); + } else { + sock_size = 4; + mysql_real_escape_string (data->m_sock, + ip_buf, + (const char *) &p->inner_ip4h.ip_src.ip, + sock_size); + SnortSnprintf(src_buf, sizeof(src_buf), "'%s'", ip_buf); + 
mysql_real_escape_string (data->m_sock, + ip_buf, + (const char *) &p->inner_ip4h.ip_dst.ip, + sock_size); + SnortSnprintf(dst_buf, sizeof(dst_buf), "'%s'", ip_buf); + } +#else + SnortSnprintf(src_buf, sizeof(src_buf), "%lu", (u_long)ntohl(p->iph->ip_src.s_addr)); + SnortSnprintf(dst_buf, sizeof(dst_buf), "%lu", (u_long)ntohl(p->iph->ip_dst.s_addr)); +#endif + } else { + /* No ipv6 support for anything else right now */ + SnortSnprintf(src_buf, sizeof(src_buf), "%lu", (u_long)ntohl(p->iph->ip_src.s_addr)); + SnortSnprintf(dst_buf, sizeof(dst_buf), "%lu", (u_long)ntohl(p->iph->ip_dst.s_addr)); + } + + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + "INSERT INTO " + "iphdr (sid, cid, ip_src, ip_dst, ip_ver, ip_hlen, " + " ip_tos, ip_len, ip_id, ip_flags, ip_off," + " ip_ttl, ip_proto, ip_csum) " + "VALUES (%u,%u,%s,%s,%u,%u,%u,%u,%u,%u,%u,%u,%u,%u)", + data->shared->sid, + data->shared->cid, + src_buf, + dst_buf, + IP_VER(p->iph), + IP_HLEN(p->iph), + p->iph->ip_tos, + ntohs(p->iph->ip_len), + ntohs(p->iph->ip_id), + p->frag_flag, + ntohs(p->frag_offset), + p->iph->ip_ttl, + p->iph->ip_proto, + ntohs(p->iph->ip_csum)); if (ret != SNORT_SNPRINTF_SUCCESS) goto bad_query; 
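Review bot: `int sock_size;` is declared twice in the same scope — once unconditionally and again under `#ifdef SUP_IP6` — so a SUP_IP6 build fails with a redeclaration error and a non-SUP_IP6 build gets an unused variable. Keep only the `#ifdef SUP_IP6` copy, since the variable is read solely in the MySQL branches inside that conditional: delete the first `int sock_size;`. Two things to confirm and document: the PostgreSQL branch passes a pointer to the `sfip_t` in `inner_ip6h`/`inner_ip4h` to `inet_ntoa`, which only works if sf_ip.h remaps `inet_ntoa` to `sfip_ntoa` in SUP_IP6 builds (the libc `inet_ntoa` takes a `struct in_addr` by value), so add a comment such as `/* SUP_IP6: inet_ntoa is sfip_ntoa, takes sfip_t* */`; and the MySQL branch now stores IPv4 as well as IPv6 addresses as raw escaped bytes instead of the decimal host-order value, which presumes the deployed `iphdr.ip_src`/`ip_dst` columns were migrated to a binary type, a requirement worth stating next to this code. The worst-case escaped output (2×16+1 bytes) does fit `ip_buf[64]`, and the quoted form fits `src_buf[64]`.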
@@ -2165,6 +2244,36 @@ } } +#ifdef ENABLE_ACID_EVENT_LOGGING + + query = NewQueryNode(query, 0); + + ret = SnortSnprintf(query->val, MAX_QUERY_LENGTH, + "INSERT into " + "acid_event (sid, cid, signature, sig_name, sig_class_id, sig_priority, " + "timestamp, ip_src, ip_dst, ip_proto, layer4_sport, layer4_dport) " + "VALUES ( '%u', '%u', '%u', '%s', '%u', '%u', %s, %s, %s, '%u', '%u', '%u')", + data->shared->sid, + data->shared->cid, + sig_id, + sig_name, + class_id, + ntohl(((Unified2EventCommon *)event)->priority_id), + timestamp_clause, + src_buf, + dst_buf, + GET_IPH_PROTO(p), + layer4_sport, + layer4_dport); + + if (ret != SNORT_SNPRINTF_SUCCESS) + goto bad_query; + +#endif + + free(timestamp_string); timestamp_string = NULL; + free(sig_name); sig_name = NULL; + /* Execute the queries */ query = root; ok_transaction = 1;
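Review bot: The acid_event INSERT reads `src_buf` and `dst_buf`, but those buffers are only written inside the `if(data->detail)` block earlier in this patch, so with `detail` disabled (or on any path that skips the iphdr insert) the statement is built from uninitialized stack memory — undefined behaviour that at best yields a malformed query and at worst pushes arbitrary bytes into the database. Compute the address strings on every path that reaches this block, or skip the acid_event insert when they were not produced; likewise `GET_IPH_PROTO(p)` needs `p` to be non-NULL here. `sig_name` is interpolated via `'%s'`; the later `free()` suggests it is the escaped heap copy used for the signature insert earlier in the function, but confirm it has already been passed through the plugin's escaping, since sid-msg.map messages can contain quotes. Quoting integers as `'%u'` also differs from the unquoted `%u` the `event` INSERT uses; use the unquoted form for consistency. The `bad_query:` label is outside the hunk, so check that it frees `sig_name` and `timestamp_string` on the `goto bad_query` placed just before the new unconditional frees.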