diff -ruN barnyard-0.2.0/src/output-plugins/op_acid_db.c barnyard-0.2.0-combined/src/output-plugins/op_acid_db.c --- barnyard-0.2.0/src/output-plugins/op_acid_db.c 2004-04-03 13:57:32.000000000 -0600 +++ barnyard-0.2.0-combined/src/output-plugins/op_acid_db.c 2008-02-26 21:57:53.000000000 -0600 @@ -45,11 +45,20 @@ #endif /* ENABLE_POSTGRES */ /* D A T A S T R U C T U R E S **************************************/ +typedef struct _DbSignature +{ + int gen; + int sid; + int sig_id; + struct DbSignature *next; +} DbSignature; + typedef struct _OpAcidDb_Data { u_int8_t flavor; /* what flavor of db? MySQL, postgres, ... */ u_int8_t detail; u_int16_t unused; + u_int32_t vseq; char *server; char *database; char *user; @@ -57,6 +66,7 @@ int sensor_id; u_int32_t event_id; int linktype; + DbSignature *sig_cache; /* db handles go here */ #ifdef ENABLE_MYSQL MYSQL *mysql; @@ -105,6 +115,11 @@ int Insert(OpAcidDb_Data *data, char *sql, unsigned int *row_id); char *EscapeString(OpAcidDb_Data *data, char *string); +DbSignature * AddDbSignature (DbSignature *dbsig, u_int32_t gen, u_int32_t sid, u_int32_t sig_id); +DbSignature * RemoveDbSignature (DbSignature *dbsig); +int FindDbSignature (DbSignature *dbsig, u_int32_t gen, u_int32_t sid, u_int32_t *sig_id); +void ClearDbSignatures (DbSignature *dbsig); + #ifdef ENABLE_MYSQL int MysqlConnect(OpAcidDb_Data *); int MysqlClose(MYSQL *mysql); @@ -200,6 +215,8 @@ OpAcidDb_LogConfig(outputPlugin); } + data->sig_cache = NULL; + /* Connect to the database */ if(DbConnect(data)) FatalError("OpAcidDb_: Failed to connect to database: %s:%s@%s/%s\n", @@ -254,6 +271,7 @@ if(sid == NULL) sid = FakeSid(record->event.sig_generator, record->event.sig_id); + sid->rev = record->event.sig_rev; if(!(class_type = GetClassType(record->event.classification)) && record->event.classification != 0) 
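Review bot: The `next` member in the new `DbSignature` typedef is declared as `struct DbSignature *`, but the struct tag is `_DbSignature`, so `next` points to an unrelated incomplete type. That is why every traversal later in the patch needs a `(DbSignature *)` cast, and those casts would also hide a genuine type error. Declare the member as `struct _DbSignature *next;` and drop the casts. The fields `gen`, `sid` and `sig_id` are `int` while the helper prototypes take `u_int32_t`; making them `u_int32_t` avoids the signed/unsigned comparison in `FindDbSignature`.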
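Review bot: `sid->rev = record->event.sig_rev;` dereferences `sid` with no check, while `AcidDbGetSigId` still guards with `if(!sid) return 0;`, which suggests a NULL `sid` is considered possible. If `FakeSid` can return NULL, this line crashes the output plugin on that event. When `sid` was not faked it presumably comes from a shared signature table (the lookup is outside the hunk), and the assignment then overwrites that shared entry's revision with a value read from the event record. Consider `if(sid != NULL) sid->rev = record->event.sig_rev;`, or pass the event's revision to `AcidDbGetSigId` as its own argument instead of writing through `sid`. The same applies to `sid->rev = record->log.event.sig_rev;` in the `@@ -353,6 +371,8 @@` hunk.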
@@ -353,6 +371,8 @@ sid = FakeSid(record->log.event.sig_generator, record->log.event.sig_id); class_type = GetClassType(record->log.event.classification); + sid->rev = record->log.event.sig_rev; + if((acid_sig_id = AcidDbGetSigId(op_data, sid, class_type, record->log.event.priority)) == 0) { @@ -721,7 +741,17 @@ int AcidDbCheckSchemaVersion(OpAcidDb_Data *data) { - return 0; + int rval; + + if(snprintf(sql_buffer, MAX_QUERY_SIZE, + "SELECT vseq FROM `schema` LIMIT 1") < MAX_QUERY_SIZE) + { + rval = SelectAsUInt(data, sql_buffer, &data->vseq); + if(data->vseq >= 106) + return 0; + } + + return 1; } @@ -729,7 +759,7 @@ * Returns 1 on success */ static int OpAcidDb_GetSigId(OpAcidDb_Data *op_data, char *msg, u_int32_t rev, - u_int32_t sid, u_int32_t *sig_id) + u_int32_t sid, u_int32_t gen, u_int32_t *sig_id) { int rval; char *e_message = NULL; 
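Review bot: In `AcidDbCheckSchemaVersion`, `data->vseq` is compared right after `SelectAsUInt` without looking at `rval`, so when the query fails the check runs on whatever `vseq` already held, and no visible hunk initialises it. `OpAcidDb_GetSigId` treats a return of 1 from the same helper as success, so `if(rval == 1 && data->vseq >= 106) return 0;` would make the failure path explicit. The backtick quoting around `schema` is MySQL syntax, and the file also builds under `ENABLE_POSTGRES`, where this query would presumably fail and be reported as a schema mismatch. The thresholds `106` here and `107` in the later hunks would read better as named constants with a comment saying which schema change each marks.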
@@ -737,16 +767,43 @@ if(!msg) msg = ""; + if(FindDbSignature(op_data->sig_cache, gen, sid, sig_id)) + { + return 1; + } + if(!(e_message = EscapeString(op_data, msg))) FatalError("Failed to escape string"); - if(snprintf(sql_buffer, MAX_QUERY_SIZE, - "SELECT sig_id FROM signature WHERE sig_name='%s' AND sig_rev=%u " - "AND sig_sid=%u", e_message, rev, sid) < MAX_QUERY_SIZE) + if(op_data->vseq >= 107) { - rval = SelectAsUInt(op_data, sql_buffer, sig_id); - free(e_message); - return rval; + if(snprintf(sql_buffer, MAX_QUERY_SIZE, + "SELECT sig_id FROM signature WHERE sig_name='%s' AND sig_rev=%u " + "AND sig_sid=%u AND sig_gid=%u", e_message, rev, sid, gen) < MAX_QUERY_SIZE) + { + rval = SelectAsUInt(op_data, sql_buffer, sig_id); + if(*sig_id != 0) + { + op_data->sig_cache = AddDbSignature(op_data->sig_cache, gen, sid, *sig_id); + } + free(e_message); + return rval; + } + } + else + { + if(snprintf(sql_buffer, MAX_QUERY_SIZE, + "SELECT sig_id FROM signature WHERE sig_name='%s' AND sig_rev=%u " + "AND sig_sid=%u", e_message, rev, sid) < MAX_QUERY_SIZE) + { + rval = SelectAsUInt(op_data, sql_buffer, sig_id); + if(*sig_id != 0) + { + op_data->sig_cache = AddDbSignature(op_data->sig_cache, gen, sid, *sig_id); + } + free(e_message); + return rval; + } } FatalError("SQL query too big"); return -1; @@ -839,7 +896,7 @@ if(!sid) return 0; - if(OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid, &sig_id) == 1) + if(OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid, sid->gen, &sig_id) == 1) return sig_id; /* Create a new signature entry */ 
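Review bot: The cache lookup added at the top of `OpAcidDb_GetSigId` matches on `gen` and `sid` only, whereas the SQL below it also matches `sig_name` and `sig_rev`. Once a pair is cached, an event with the same gen/sid but a different revision or message gets the earlier row's `sig_id` and the database is never consulted, so alerts can be attributed to the wrong signature row. Store `rev` in `DbSignature` and compare it in `FindDbSignature`, or bypass the cache when the revision differs. `*sig_id` is also tested before `rval`, so a failed `SelectAsUInt` that leaves `*sig_id` untouched can cache a stale value; `if(rval == 1 && *sig_id != 0)` avoids that. The two `vseq` branches differ only in the `sig_gid` predicate and could share the select, cache and `free(e_message)` tail.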
@@ -848,21 +905,51 @@ if(!(e_message = EscapeString(op_data, sid->msg ? sid->msg : ""))) FatalError("Failed to escape string"); - if(snprintf(sql_buffer, MAX_QUERY_SIZE, - "INSERT INTO signature(sig_name, sig_class_id, sig_priority, " - "sig_rev, sig_sid) VALUES('%s', '%u', '%u', '%u', '%u')", - e_message, class_id, priority, sid->rev, sid->sid) < MAX_QUERY_SIZE) - { - Insert(op_data, sql_buffer, &sig_id); /* XXX: Error checking */ - free(e_message); - if(sig_id == -1) + if (op_data->vseq >= 107) + { + if(snprintf(sql_buffer, MAX_QUERY_SIZE, + "INSERT INTO signature(sig_name, sig_class_id, sig_priority, " + "sig_rev, sig_sid, sig_gid) VALUES('%s', '%u', '%u', '%u', '%u', '%u')", + e_message, class_id, priority, sid->rev, sid->sid, sid->gen) < MAX_QUERY_SIZE) + { + Insert(op_data, sql_buffer, &sig_id); /* XXX: Error checking */ + free(e_message); + if(sig_id == -1) + { + OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid, sid->gen, &sig_id); + } + else + { + op_data->sig_cache = AddDbSignature(op_data->sig_cache, sid->gen, sid->sid, sig_id); + } + } + else { - OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid, &sig_id); + FatalError("SQL query too big"); } } else { - FatalError("SQL query too big"); + if(snprintf(sql_buffer, MAX_QUERY_SIZE, + "INSERT INTO signature(sig_name, sig_class_id, sig_priority, " + "sig_rev, sig_sid) VALUES('%s', '%u', '%u', '%u', '%u')", + e_message, class_id, priority, sid->rev, sid->sid) < MAX_QUERY_SIZE) + { + Insert(op_data, sql_buffer, &sig_id); /* XXX: Error checking */ + free(e_message); + if(sig_id == -1) + { + OpAcidDb_GetSigId(op_data, sid->msg, sid->rev, sid->sid, sid->gen, &sig_id); + } + else + { + op_data->sig_cache = AddDbSignature(op_data->sig_cache, sid->gen, sid->sid, sig_id); + } + } + else + { + FatalError("SQL query too big"); + } } InsertSigReferences(op_data, sid->ref, sig_id); 
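Review bot: The new `else` branches cache `sig_id` whenever it is not -1, but the return value of `Insert` is still ignored (the `XXX: Error checking` comment is carried over). If an insert fails and leaves `sig_id` at 0 or unset, that value goes into `sig_cache`, and every later event with the same gen/sid is then answered from the cache with it. Check `Insert`'s result and require `sig_id != 0` before calling `AddDbSignature`. The two `vseq` branches are copies that differ only in the `sig_gid` column and value, so building the statement once and sharing the insert and cache tail would keep the error handling in one place. The function starts and ends outside this hunk, so the initial value of `sig_id` is not visible here.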
@@ -1196,6 +1283,78 @@ } } +DbSignature * AddDbSignature (DbSignature *dbsig, u_int32_t gen, u_int32_t sid, u_int32_t sig_id) +{ + + if(dbsig != NULL) + { + DbSignature *sig = dbsig; + while(dbsig->next != NULL) + { + dbsig = (DbSignature *)dbsig->next; + } + dbsig->next = (DbSignature *)SafeAlloc(sizeof(DbSignature)); + dbsig = (DbSignature *)dbsig->next; + dbsig->next = NULL; + dbsig->gen = gen; + dbsig->sid = sid; + dbsig->sig_id = sig_id; + return sig; + } + else + { + dbsig = (DbSignature *)SafeAlloc(sizeof(DbSignature)); + dbsig->next = NULL; + dbsig->gen = gen; + dbsig->sid = sid; + dbsig->sig_id = sig_id; + return dbsig; + } + +} + +DbSignature * RemoveDbSignature (DbSignature *dbsig) +{ + + DbSignature *sig = (DbSignature *)dbsig->next; + free(dbsig); + return sig; + +} + +int FindDbSignature (DbSignature *dbsig, u_int32_t gen, u_int32_t sid, u_int32_t *sig_id) +{ + + if(dbsig == NULL) + { + return 0; + } + + while(dbsig != NULL) + { + if(dbsig->gen == gen && dbsig->sid == sid) { + *sig_id = dbsig->sig_id; + return 1; + } + dbsig = (DbSignature *)dbsig->next; + } + + return 0; + +} + +void ClearDbSignatures (DbSignature *dbsig) +{ + + if(dbsig != NULL) + { + while(dbsig != NULL) + { + dbsig = RemoveDbSignature(dbsig); + } + } + +} #ifdef ENABLE_MYSQL int MysqlConnect(OpAcidDb_Data *op_data)
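Review bot: `AddDbSignature` walks to the tail of the list on every insertion, and `FindDbSignature` scans the list for every event, so per-event cost grows with the number of distinct gen/sid pairs seen. Pushing new entries at the head makes insertion constant-time, and since the visible callers add only after a lookup miss, lookup results do not change. `RemoveDbSignature` dereferences `dbsig` without a NULL check and relies on `ClearDbSignatures` to guard it. No visible hunk calls `ClearDbSignatures`, so the cache appears never to be released or reset; worth confirming against the plugin's stop and reconnect paths. These helpers are used only in this file and could be `static`.

```c
DbSignature * AddDbSignature (DbSignature *dbsig, u_int32_t gen, u_int32_t sid, u_int32_t sig_id)
{
    /* Push at the head: FindDbSignature does not depend on list order. */
    DbSignature *sig = (DbSignature *)SafeAlloc(sizeof(DbSignature));

    sig->gen = gen;
    sig->sid = sid;
    sig->sig_id = sig_id;
    sig->next = (struct DbSignature *)dbsig;
    return sig;
}
/* … unchanged: RemoveDbSignature, FindDbSignature, ClearDbSignatures … */
```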