Thread: [Secureideas-cvs] base-php4/includes base_cache.inc.php,1.34,1.35
From: Juergen L. <jle...@us...> - 2009-04-20 22:49:49
Update of /cvsroot/secureideas/base-php4/includes In directory fdv4jf1.ch3.sourceforge.com:/tmp/cvs-serv29528/base-php4/includes Modified Files: base_cache.inc.php Log Message: Many preprocessor events did not find their way into the acid_event table. Reason being, that not every preprocessor alert has a signature name, that begins with "spp_". So the other signature names have to be added to the routine that queries specifically for preprocessor events. I also added tests that check whether every new event in the event table does really find its way into the acid_event table. If any event does NOT do so, BASE now rigorously prints a corresponding error message - one message for each missed event. Index: base_cache.inc.php =================================================================== RCS file: /cvsroot/secureideas/base-php4/includes/base_cache.inc.php,v retrieving revision 1.34 retrieving revision 1.35 diff -u -d -r1.34 -r1.35 --- base_cache.inc.php 17 Oct 2008 01:13:37 -0000 1.34 +++ base_cache.inc.php 20 Apr 2009 22:49:35 -0000 1.35 
@@ -213,27 +213,56 @@ if ( $db->baseGetDBversion() >= 100 ) { $schema_specific[1] = ", sig_name"; - $schema_specific[2] = " INNER JOIN signature ON (signature = signature.sig_id)"; + $schema_specific[2] = " INNER JOIN signature ON (signature = signature.sig_id) "; } + if ( $db->baseGetDBversion() >= 103 ) { - $schema_specific[0] = $schema_specific[0].", sig_priority, sig_class_id"; - $schema_specific[1] = $schema_specific[1].", sig_priority, sig_class_id"; + $schema_specific[0] = $schema_specific[0].", sig_priority, sig_class_id "; + $schema_specific[1] = $schema_specific[1].", sig_priority, sig_class_id "; $schema_specific[2] = $schema_specific[2].""; } + if ( $db->baseGetDBversion() < 100 ) - $schema_specific[1] = $schema_specific[1].", signature"; + $schema_specific[1] = $schema_specific[1].", signature "; $update_sql = array(4); - /* IP events only */ - if ( $db->baseGetDBversion() >= 100 ) - $schema_specific[3] = " (sig_name LIKE '(spp_%') "; - else - $schema_specific[3] = " (signature LIKE '(spp_%') "; + /* Preprocessor events only */ + # The original "(sig_name LIKE '(spp_%')" is too limited. Cf. + # /usr/local/src/snort-2.8.3.1_unpatched/etc/gen-msg.map + # /usr/local/src/snort-2.8.3.1_unpatched/src/generators.h + # Currently I have included all the names that I have found in + # these files. + # Note: Do always add '%' in LIKE-statements. Otherwise the entries + # won't match. + if ( $db->baseGetDBversion() >= 100 ) { + $schema_specific[3] = " ( " . + "(sig_name LIKE '(spp_%') OR " . + "(sig_name LIKE '(spo_%') OR " . + "(sig_name LIKE '(snort_decoder)%') OR " . + "(sig_name LIKE '(http_decode)%') OR " . + "(sig_name LIKE '(http_inspect)%') OR " . + "(sig_name LIKE '(portscan)%') OR " . + "(sig_name LIKE '(flow-portscan)%') OR " . + "(sig_name LIKE '(frag3)%') OR " . + "(sig_name LIKE '(smtp)%') OR " . + "(sig_name LIKE '(ftp_pp)%') OR " . + "(sig_name LIKE '(telnet_pp)%') OR " . + "(sig_name LIKE '(ssh)%') OR " . + "(sig_name LIKE '(stream5)%') OR " . 
+ "(sig_name LIKE '(dcerpc)%') OR " . + "(sig_name LIKE '(dns)%') OR " . + "(sig_name LIKE '(ppm)%') " . + " ) "; + } + else { + $schema_specific[3] = " (signature LIKE '(spp_%') "; + } + /* TCP events */ - if( $db->DB_type == 'oci8' ) { + if( $db->DB_type == 'oci8' ) { $update_sql[0] = "INSERT INTO acid_event (sid,cid,signature,timestamp, ip_src,ip_dst,ip_proto, @@ -269,9 +298,9 @@ WHERE (event.sid = $sid AND event.cid > $cid) AND ip_proto = 6 AND ( NOT ".$schema_specific[3].")"; } - /* UDP events */ - if( $db->DB_type == 'oci8' ) { + /* UDP events */ + if( $db->DB_type == 'oci8' ) { $update_sql[1] = "INSERT INTO acid_event (sid,cid,signature,timestamp, ip_src,ip_dst,ip_proto, @@ -308,9 +337,9 @@ AND ( NOT ".$schema_specific[3].")"; } - /* ICMP events */ - if( $db->DB_type == 'oci8' ) { - $update_sql[2] = + /* ICMP events */ + if( $db->DB_type == 'oci8' ) { + $update_sql[2] = "INSERT INTO acid_event (sid,cid,signature,timestamp, ip_src,ip_dst,ip_proto, sig_name". @@ -324,9 +353,10 @@ LEFT JOIN icmphdr c ON (a.sid=c.sid AND a.cid=c.cid) WHERE (a.sid = $sid AND a.cid > $cid) and ip_proto = 1 AND ( NOT ".$schema_specific[3].")"; - } - else { - $update_sql[2] = + } + else + { + $update_sql[2] = "INSERT INTO acid_event (sid,cid,signature,timestamp, ip_src,ip_dst,ip_proto, sig_name". @@ -340,10 +370,12 @@ LEFT JOIN icmphdr ON (event.sid=icmphdr.sid AND event.cid=icmphdr.cid) WHERE (event.sid = $sid AND event.cid > $cid) and ip_proto = 1 AND ( NOT ".$schema_specific[3].")"; - } + } - if( $db->DB_type == 'oci8' ) { - $update_sql[3] = + /* IP based protocols that are neither ICMP nor TCP nor UDP nor + preprocessor generated */ + if( $db->DB_type == 'oci8' ) { + $update_sql[3] = "INSERT INTO acid_event (sid,cid,signature,timestamp, ip_src,ip_dst,ip_proto, sig_name". 
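Review bot: The `else` branch for schema versions below 100 still reduces the preprocessor test to `(signature LIKE '(spp_%')`, so the widened generator list is applied only to the newer schema and the missed-event problem described in the log message remains for older databases; if the pre-100 `signature` column carries the same text names, the same OR list should be mirrored there. The list is also a fixed set of generator names transcribed from one Snort release, so any preprocessor added later silently falls back into the missed class; a maintenance comment such as `# Generator names taken from snort-2.8.3.1 gen-msg.map / generators.h; extend when Snort adds preprocessors.` would make that explicit. If the schema exposes the Snort generator id alongside `sig_name`, a test on it (generator other than the rules engine) would be more robust than name patterns — worth checking against the signature table definition, which is not visible here.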
@@ -357,9 +389,10 @@ WHERE (NOT (ip_proto IN (1, 6, 17))) AND ". " ( NOT ".$schema_specific[3].") AND (a.sid = $sid AND a.cid > $cid)"; - } - else { - $update_sql[3] = + } + else + { + $update_sql[3] = "INSERT INTO acid_event (sid,cid,signature,timestamp, ip_src,ip_dst,ip_proto, sig_name". @@ -373,9 +406,12 @@ WHERE (NOT (ip_proto IN (1, 6, 17))) AND ". " ( NOT ".$schema_specific[3].") AND (event.sid = $sid AND event.cid > $cid)"; - } - /* Event only -- pre-processor alerts */ - if( $db->DB_type == 'oci8' ) { + } + + + + /* Event only -- pre-processor alerts */ + if( $db->DB_type == 'oci8' ) { $update_sql[4] = "INSERT INTO acid_event (sid,cid,signature,timestamp, ip_src,ip_dst,ip_proto, @@ -389,14 +425,15 @@ LEFT JOIN iphdr b ON (a.sid=b.sid AND a.cid=b.cid) WHERE ".$schema_specific[3]." AND (a.sid = $sid AND a.cid > $cid)"; - } - else { - $update_sql[4] = + } + else + { + $update_sql[4] = "INSERT INTO acid_event (sid,cid,signature,timestamp, ip_src,ip_dst,ip_proto, sig_name". $schema_specific[0].") - SELECT event.sid as sid, event.cid as cid, signature, timestamp, + SELECT event.sid as sid, event.cid as cid, signature, timestamp, ip_src, ip_dst, ip_proto". $schema_specific[1]." FROM event 
@@ -404,20 +441,88 @@ LEFT JOIN iphdr ON (event.sid=iphdr.sid AND event.cid=iphdr.cid) WHERE ".$schema_specific[3]." AND (event.sid = $sid AND event.cid > $cid)"; - } + } - $update_cnt = count($update_sql); - for ( $i = 0; $i < $update_cnt; $i++ ) - { - $db->baseExecute($update_sql[$i]); - if ( $db->baseErrorMessage() != "" ) - ErrorMessage(_ERRCACHEERROR." ["._SENSOR." #$sid]["._EVENTTYPE." $i]". - " "._ERRCACHEUPDATE); - } + // Some checks for unexpected errors + $update_cnt = count($update_sql); + if (!isset($update_cnt)) + { + $mystr = '<BR>' . __FILE__ . ':' . __LINE__ . ": WARNING: \$update_cnt has not been set. sid = $sid, cid = $cid<BR>"; + echo $mystr; + } + else if ((integer)$update_cnt == 0) + { + $mystr = '<BR>' . __FILE__ . ':' . __LINE__ . ": WARNING: \$update_cnt = 0 with sid = $sid, cid = $cid<BR>"; + echo $mystr; + } + else if (!isset($update_sql[0]) && !isset($update_sql[1]) && !isset($update_sql[2]) && !isset($update_sql[3])) + { + $mystr = '<BR>' . __FILE__ . ':' . __LINE__ . ": WARNING: \$update_sql[] has only empty elements with sid = $sid, cid = $cid<BR>"; + echo $mystr; + } + else if ($update_sql[0] == "" && $update_sql[1] == "" && $update_sql[2] == "" && $update_sql[3] == "") + { + $mystr = '<BR>' . __FILE__ . ':' . __LINE__ . ": WARNING: \$update_sql[] has only empty elements with sid = $sid, cid = $cid<BR>"; + echo $mystr; + } + + + + // Now commit all those SQL commands + for ( $i = 0; $i < $update_cnt; $i++ ) + { + if ($debug_mode > 0) + { + $mystr = '<BR>' . __FILE__ . ':' . __LINE__ . ": <BR>\n$update_sql[$i] <BR><BR>\n\n"; + echo $mystr; + } + + + $db->baseExecute($update_sql[$i]); + + if ( $db->baseErrorMessage() != "" ) + ErrorMessage(_ERRCACHEERROR." ["._SENSOR." #$sid]["._EVENTTYPE." $i]". 
+ " "._ERRCACHEUPDATE); + + } +} + + +// This is an auxiliary function for problems with updating acid_event +function dump_missing_events($db, $sid, $start_cid, $end_cid) +{ + GLOBAL $debug_mode; + GLOBAL $archive_exists; + GLOBAL $DBlib_path, $DBtype, + $archive_dbname, $archive_host, $archive_port, + $archive_user, $archive_password; + + for ($n = (integer)$start_cid; $n <= (integer)$end_cid; $n++) + { + // Does this particular really exist in the event table? + $event_list = $db->baseExecute( "SELECT count(*) FROM event WHERE sid='" . $sid . "' AND cid='" . $n. "'" ); + $event_row = $event_list->baseFetchRow(); + $event_value = $event_row[0]; + $event_list->baseFreeRows(); + if ((integer)$event_value == 1) { + // Yes, it does. + // So let's try and find it in acid event. + $acid_event_list = $db->baseExecute( "SELECT count(*) FROM acid_event WHERE sid='" . $sid . "' AND cid='" . $n. "'" ); + $acid_event_row = $acid_event_list->baseFetchRow(); + $acid_event_element = $acid_event_row[0]; + $acid_event_list->baseFreeRows(); + if ((integer)$acid_event_element == 0) + { + echo '<BR>' . __FILE__ . ':' . __LINE__ . ": ERROR: Alert \"$sid - $n\" could NOT be found in acid_event.<BR>"; + } + } + } } + + function UpdateAlertCache($db) { GLOBAL $debug_mode; 
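Review bot: dump_missing_events runs two COUNT queries for every cid between `$start_cid` and `$end_cid`, so for a sensor whose cache is far behind it can issue tens of thousands of round trips inside one page request; a single anti-join (event LEFT JOIN acid_event … WHERE acid_event.cid IS NULL) returns exactly the missing cids in one statement, as sketched below. The sketch assumes `baseFetchRow()` yields a falsy value once rows are exhausted — confirm against the DB abstraction, which is not visible here. None of the `GLOBAL` declarations in the new function (`$debug_mode`, `$archive_exists`, `$DBlib_path`, `$DBtype`, the `$archive_*` set) are referenced and should go, and in CacheSensor (whose head lies outside the hunk) the `!isset($update_cnt)` branch is dead because `count()` always returns an int, while the two empty-element checks stop at index 3 although `$update_sql[4]` is populated. The WARNING and ERROR messages here, and the ERROR in hunk `@@ -511,107 +616,167 @@`, are echoed to the browser unconditionally and carry `__FILE__`, i.e. the server's absolute filesystem path; route them through `ErrorMessage()` like the existing failures and drop the path, keeping `__FILE__`/`__LINE__` for the `$debug_mode > 0` output only.
```php
// This is an auxiliary function for problems with updating acid_event
function dump_missing_events($db, $sid, $start_cid, $end_cid)
{
    // One anti-join instead of two queries per cid: every event row in the
    // [start_cid, end_cid] window without a partner in acid_event is missing.
    $sid = (integer)$sid;
    $start_cid = (integer)$start_cid;
    $end_cid = (integer)$end_cid;
    $missing_lst = $db->baseExecute(
        "SELECT event.cid FROM event " .
        "LEFT JOIN acid_event ON (event.sid = acid_event.sid AND event.cid = acid_event.cid) " .
        "WHERE event.sid = $sid AND event.cid >= $start_cid AND event.cid <= $end_cid " .
        "AND acid_event.cid IS NULL ORDER BY event.cid");
    while ($missing_row = $missing_lst->baseFetchRow())
    {
        echo "<BR>ERROR: Alert \"$sid - $missing_row[0]\" could NOT be found in acid_event.<BR>";
    }
    $missing_lst->baseFreeRows();
}
```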
@@ -511,107 +616,167 @@ $sid = $sid_row[0]; /* Get highest CID for a given sensor */ $cid_lst = $db->baseExecute("SELECT MAX(cid) FROM event WHERE sid='".$sid."'"); - $cid_row = $cid_lst->baseFetchRow(); - if ( - (!isset($cid_row)) || - ($cid_row == NULL) || - ($cid_row == "") - ) - { - /* NULL is in conflict with snort-2.8.0.1/schemas/create_mysql: - * CREATE TABLE event ( sid INT UNSIGNED NOT NULL, - cid INT UNSIGNED NOT NULL, - signature INT UNSIGNED NOT NULL, - timestamp DATETIME NOT NULL, - PRIMARY KEY (sid,cid), - INDEX sig (signature), - INDEX time (timestamp)); - */ - $cid = 0; - } - else - { - $cid = $cid_row[0]; - } - if ( $cid == NULL ) $cid = 0; + $cid_row = $cid_lst->baseFetchRow(); + if ( + (!isset($cid_row)) || + ($cid_row == NULL) || + ($cid_row == "") + ) + { + /* NULL is in conflict with snort-2.8.0.1/schemas/create_mysql: + * CREATE TABLE event ( sid INT UNSIGNED NOT NULL, + cid INT UNSIGNED NOT NULL, + signature INT UNSIGNED NOT NULL, + timestamp DATETIME NOT NULL, + PRIMARY KEY (sid,cid), + INDEX sig (signature), + INDEX time (timestamp)); + */ + $cid = 0; + } + else + { + $cid = $cid_row[0]; + } + if ( $cid == NULL ) $cid = 0; - /* Get highest CID for a given sensor in the cache */ - $ccid_lst = $db->baseExecute("SELECT MAX(cid) FROM acid_event WHERE sid='".$sid."'"); - $ccid_row = $ccid_lst->baseFetchRow(); - if ( - (!isset($ccid_row)) || - ($ccid_row == NULL) || - ($ccid_row == "") - ) - { - /* NULL is in conflict with base-php4/sql/create_base_tbls_mysql.sql: - CREATE TABLE acid_event ( sid INT UNSIGNED NOT NULL, + /* Get highest CID for a given sensor in the cache */ + $ccid_lst = $db->baseExecute("SELECT MAX(cid) FROM acid_event WHERE sid='".$sid."'"); + $ccid_row = $ccid_lst->baseFetchRow(); + if ( + (!isset($ccid_row)) || + ($ccid_row == NULL) || + ($ccid_row == "") + ) + { + /* NULL is in conflict with base-php4/sql/create_base_tbls_mysql.sql: + CREATE TABLE acid_event ( sid INT UNSIGNED NOT NULL, cid INT UNSIGNED NOT NULL, - (...) 
- */ - $ccid = 0; - } - else - { - $ccid = $ccid_row[0]; - } - if ( $ccid == NULL ) $ccid = 0; + (...) + */ + $ccid = 0; + } + else + { + $ccid = $ccid_row[0]; + } + if ( $ccid == NULL ) $ccid = 0; - if ( $debug_mode > 0 ) - echo "sensor #$sid: event.cid = $cid, acid_event.cid = $ccid"; + if ( $debug_mode > 0 ) + echo "sensor #$sid: event.cid = $cid, acid_event.cid = $ccid"; - /* if the CID in the cache < the CID in the event table - * then there are events which have NOT been added to the cache - */ - if ( $cid > $ccid ) - { - $before_cnt = EventCntBySensor($sid, $db); - CacheSensor($sid, $ccid, $db); - $updated_cache_cnt += EventCntBySensor($sid, $db) - $before_cnt; - } + /* if the CID in the cache < the CID in the event table + * then there are events which have NOT been added to the cache + */ + if ( $cid > $ccid ) + { + $expected_addition = (integer)($cid - $ccid); - if ( $debug_mode > 0 ) - echo "<BR>"; + $before_cnt = EventCntBySensor($sid, $db); + CacheSensor($sid, $ccid, $db); + $updated_cache_cnt += EventCntBySensor($sid, $db) - $before_cnt; + } - if ($cid_row != NULL) - { - $cid_lst->baseFreeRows(); - } + if ( $debug_mode > 0 ) + echo "<BR>"; - if ($ccid_row != NULL) - { - $ccid_lst->baseFreeRows(); - } - - /* BEGIN LOCAL FIX */ + if ($cid_row != NULL) + { + $cid_lst->baseFreeRows(); + } + + if ($ccid_row != NULL) + { + $ccid_lst->baseFreeRows(); + } - /* If there's an archive database, and this isn't it, get the MAX(cid) from there */ - if ( ($archive_exists == 1) && (@$_COOKIE['archive'] != 1) ) { - $db2 = NewBASEDBConnection($DBlib_path, $DBtype); - $db2->baseConnect($archive_dbname, $archive_host, $archive_port, - $archive_user, $archive_password); - $archive_ccid_lst = $db2->baseExecute("SELECT MAX(cid) FROM acid_event WHERE sid='".$sid."'"); - $archive_ccid_row = $archive_ccid_lst->baseFetchRow(); - $archive_ccid = $archive_ccid_row[0]; - $archive_ccid_lst->baseFreeRows(); - $db2->baseClose(); - if ( $archive_ccid == NULL ) $archive_ccid = 0; - } 
else { - $archive_ccid = 0; - } + /* BEGIN LOCAL FIX */ - if ( $archive_ccid > $ccid ) { - $max_ccid = $archive_ccid; - } else { - $max_ccid = $ccid; - } + /* If there's an archive database, and this isn't it, get the MAX(cid) from there */ + if ( ($archive_exists == 1) && (@$_COOKIE['archive'] != 1) ) { + $db2 = NewBASEDBConnection($DBlib_path, $DBtype); + $db2->baseConnect($archive_dbname, $archive_host, $archive_port, + $archive_user, $archive_password); + $archive_ccid_lst = $db2->baseExecute("SELECT MAX(cid) FROM acid_event WHERE sid='".$sid."'"); + $archive_ccid_row = $archive_ccid_lst->baseFetchRow(); + $archive_ccid = $archive_ccid_row[0]; + $archive_ccid_lst->baseFreeRows(); + $db2->baseClose(); + if ( $archive_ccid == NULL ) $archive_ccid = 0; + } else { + $archive_ccid = 0; + } - /* Fix the last_cid value for the sensor */ - $db->baseExecute("UPDATE sensor SET last_cid=$max_ccid WHERE sid=$sid"); + if ( $archive_ccid > $ccid ) { + $max_ccid = $archive_ccid; + } else { + $max_ccid = $ccid; + } - /* END LOCAL FIX */ + /* Fix the last_cid value for the sensor */ + $db->baseExecute("UPDATE sensor SET last_cid=$max_ccid WHERE sid=$sid"); - } // for loop + /* END LOCAL FIX */ + + + ####### Has every alert in the event table found its way into + ####### acid_event? + if (isset($ccid)) { + + if ($debug_mode > 0) + { + echo '<BR><BR>' . __FILE__ . ':' . __LINE__ . ": <BR>\nSensor no. 
$sid:<BR>\n<PRE>\n"; + echo "Old max cid in acid_event: $ccid<BR>"; + } + + $debug_new_ccid_lst = $db->baseExecute("SELECT MAX(cid) FROM acid_event WHERE sid='".$sid."'"); + $debug_new_ccid_row = $debug_new_ccid_lst->baseFetchRow(); + $debug_new_ccid_lst->baseFreeRows(); + if (isset($debug_new_ccid_row[0])) + { + $new_ccid = (integer) $debug_new_ccid_row[0]; + } + else + { + $new_ccid = 0; + } + + + $real_addition = (integer)($new_ccid - (integer)$ccid); + + if ($debug_mode > 0) + { + echo "New max cid in acid_event: $new_ccid<BR>"; + echo "This many events HAVE been added to acid_event: $real_addition<BR><BR>"; + + echo "Max cid in event: $cid<BR>"; + } + + if (!isset($expected_addition)) + { + $expected_addition = 0; + } + + if ($debug_mode > 0) + { + echo "This many events SHOULD have been added to acid_event: $expected_addition<BR>"; + } + + if ($expected_addition - $real_addition > 0) + { + $mystr = '<BR>' . __FILE__ . ':' . __LINE__ . ": ERROR: <BR>" . (integer)((integer)$expected_addition - (integer)$real_addition) . " alerts have NOT found their way into acid_event with sid = $sid<BR>"; + errorMessage($mystr); + + + dump_missing_events($db, $sid, $ccid, $new_ccid); + } + + if ($debug_mode > 0) + { + echo "\n---------------<BR><PRE>\n"; + } + } + } // for ($n = 0; $n < $number_sensors; $n++) $sensor_lst->baseFreeRows(); |
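Review bot: `dump_missing_events($db, $sid, $ccid, $new_ccid)` scans the wrong window: the error fires when `$expected_addition` exceeds `$real_addition`, i.e. when `$cid` is above `$new_ccid`, yet the cids that can be missing lie in `($new_ccid, $cid]` and are never examined; `dump_missing_events($db, $sid, $ccid + 1, $cid);` covers the whole uncached range. `$expected_addition` is assigned only inside `if ( $cid > $ccid )` and the `isset` fallback does not reset it, so in the per-sensor loop (which begins outside this hunk) a sensor that needs no update inherits the previous sensor's value and can raise a spurious ERROR; initialise it with `$expected_addition = 0;` just before that `if`. Because both sides compare MAX(cid) deltas rather than row counts, an intermediate event that was skipped while a later one was cached is not detected at all; the before/after `EventCntBySensor` values already computed above would give a count-based check. `errorMessage($mystr)` resolves (PHP function names are case-insensitive) but the rest of the file spells it `ErrorMessage`; keep one spelling.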