[Snort-users] Database logging and new ruleset

Brian Caswell bmc at ...312...
Thu Mar 1 18:21:49 EST 2001


Steve Halligan wrote:
> 1)  Is spo_database set up currently to log the contents of the reference
> tag in the new rules?
> 
> 2)  If so, what is the name of the field in the database that needs to be
> created for it to log this info?  (I assume the field would be in the events
> table).

Well... No it doesn't.  Jed & friends are working on cleaning up the
database schema.  Until then, you can use the attached patch.  

Check the mail archives for patches for the other output formats.

-- 
Brian Caswe
The MITRE Corporation
-------------- next part --------------
Index: spo_database.c
===================================================================
RCS file: /cvsroot/snort/snort/spo_database.c,v
retrieving revision 1.14
diff -u -r1.14 spo_database.c
--- spo_database.c	2001/01/18 20:46:59	1.14
+++ spo_database.c	2001/03/01 23:09:56
@@ -429,12 +429,40 @@
     char *s0,*s1,*s2,*s3,*d0,*d1,*d2,*d3;
 
 
+    ReferenceData *ds_ptr;  /* data struct pointer */
+    extern OptTreeNode *otn_tmp;
+    char *newmsg;
+    char *realmsg;
+
     query = NewQueryNode(NULL, 0);
     root = query;
+
+    realmsg = calloc(strlen(msg) + 1, sizeof(char));
+    strncat(realmsg, msg, strlen(msg) +1);
+
+    if(otn_tmp != NULL)
+    {
+       ds_ptr = (ReferenceData *)otn_tmp->ds_list[PLUGIN_REFERENCE_NUMBER];
+
+       while (ds_ptr != NULL)
+       {
+           newmsg = calloc(strlen(realmsg) + strlen(ds_ptr->id) +
+                strlen(ds_ptr->system) +3, sizeof(char));
+           strncat(newmsg, realmsg, strlen(realmsg) +1);
+           strncat(newmsg, " ", 2);
+           strncat(newmsg, ds_ptr->id, strlen(ds_ptr->id) +1);
+           strncat(newmsg, " ", 2);
+           strncat(newmsg, ds_ptr->system, strlen(ds_ptr->system) +1);
+
+           realmsg = calloc(strlen(newmsg) +1, sizeof(char));
+           strncat(realmsg, newmsg, strlen(newmsg) +1);
+           ds_ptr = ds_ptr->next;
+       }
+    }
 
-    if(msg == NULL)
+    if(realmsg == NULL)
     {
-        msg = "";
+        realmsg = "";
     }
 
     /*** Build the query for the Event Table ***/
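Review bot: the NULL guard for the message has been moved to the wrong side of its first use. `realmsg = calloc(strlen(msg) + 1, sizeof(char));` dereferences `msg` before `if(realmsg == NULL)` is ever evaluated, so a rule without a msg now crashes the output plugin where the old `if(msg == NULL) msg = "";` prevented it; keep that original check ahead of the calloc, and note that `realmsg == NULL` after the loop can only be true when calloc itself failed, in which case the earlier `strncat(realmsg, ...)` has already written through NULL. The loop also leaks on every iteration: `realmsg` is reassigned to a fresh calloc without the previous `realmsg` or `newmsg` being freed, and none of the calloc results are checked. A simpler shape is to compute the total length over the reference list once, allocate a single buffer, and build it with `strcat`; `strncat` with `strlen(src) + 1` as the limit gives no extra safety over `strcat` here, since the third argument bounds the source, not the destination.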
@@ -449,7 +477,7 @@
     snprintf(query->val, MAX_QUERY_LENGTH, 
              "INSERT INTO event (sid,cid,signature,timestamp) VALUES "
              "('%u', '%u', '%s', '%s')",
-             data->sid, data->cid, msg, tmp);
+             data->sid, data->cid, realmsg, tmp);
     free(tmp); 
 
 /* We do not log fragments! They are assumed to be handled 
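Review bot: `realmsg` is heap memory from the first hunk in the common path but a string literal (`""`) in the empty path, and it is not freed after the `snprintf`, so each logged event leaks its buffer and a naive `free(realmsg)` added here would be undefined for the literal case; track whether the buffer was allocated (or allocate in both paths) and free it after `free(tmp)`. Separately, the reference id and system text from the rule file are now interpolated into the `'%s'` placeholder exactly as `msg` already was, with no quoting, so a single quote anywhere in the msg or reference fields breaks the INSERT; escaping the value before building the query would avoid that for both.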

