Snort文本处理源代码

attack.conf 配置文件：

sql

info.conf 配置文件：

MYSQL_LOCALHOST = 127.0.0.1
MYSQL_NAME = root
MYSQL_PWD = ******
MYSQL_DBNAME = snort
MYSQL_TABLE = securityevent

 

st.sh 启动脚本：

#!/bin/sh

kill -9 `ps -ef | grep 'snort' | grep -v | awk '{print $2}'`

/home/******/snort_c/main

snort -c snort.conf -l /usr/local/snort/snort-2.9.4/etc/log/

 

mmm 编译脚本：

#!/bin/sh
g++ -g -o log_db $(mysql_config --cflags) log_db.c -I/usr/include/mysql -L/usr/lib64/mysql $    (mysql_config --libs)

 

log_db.c 主程序：

#include <sys/time.h>
#include <time.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <mysql.h>

#define _NAME_LEN 30
#define BUFF_LEN 1024
#define COMM_SIZE 20
#define HASH_LEN 20
#define _ERROR (-1)
#define _SUCCESS 0

char hashStr[HASH_LEN][COMM_SIZE] = {"sql"};
MYSQL* conn = NULL;
char mysql_localhost[COMM_SIZE] = "127.0.0.1", _mysql_name[COMM_SIZE] = "root", _mysql_pwd[COMM_SIZE] = "root", dbname[COMM_SIZE] = "snort";
char snort_table[COMM_SIZE] = "securityevent";

void init(char* buff, char* _time, char* _sip, char* _dip, char* time, char* dip, char* sip, char* type) {
	memset(buff, 0, sizeof(buff));
	memset(_time, 0, sizeof(_time));
	memset(_sip, 0, sizeof(_sip));
	memset(_dip, 0, sizeof(_dip));
	memset(time, 0, sizeof(time));
	memset(dip, 0, sizeof(dip));
	memset(sip, 0, sizeof(sip));
	memset(type, 0, sizeof(type));
}

void initBuff(char* buff) {
	memset(buff, 0, sizeof(buff));
}

void attack_init() {
	FILE* ifp;
	char str[20];
	int index = 0;
	ifp = freopen("attack.conf", "r", stdin);
	if(NULL == ifp) {
		fprintf(stderr, "attack.conf Error: no such file, please check out!");
		exit(1);
	}
	while(!feof(ifp)) {
		fgets(str, 20, ifp);
		strcpy(hashStr[index++], str);
	}
	fclose(ifp);
	fclose(stdin);
}

void info_init() {
	FILE* ifp;
	char str[1024], tmp[40], name[40];
	ifp = freopen("info.conf", "r", stdin);
	if(NULL == ifp) {
		fprintf(stderr, "info.conf Error: no such file, please check out!");
		exit(1);
	}
	while(!feof(ifp)) {
		memset(str, 0, sizeof(str));
		memset(name, 0, sizeof(name));
		memset(tmp, 0, sizeof(tmp));
		fgets(str, 1024, ifp);
		sscanf(str, "%s = %s", name, tmp);
		if(!strcmp("MYSQL_LOCALHOST", name)) {
			strcpy(mysql_localhost, tmp);
		}
		else if(!strcmp("MYSQL_NAME", name)) {
			strcpy(_mysql_name, tmp);
		}
		else if(!strcmp("MYSQL_PWD", name)) {
			strcpy(_mysql_pwd, tmp);
		}
		else if(!strcmp("MYSQL_DBNAME", name)) {
			strcpy(dbname, tmp);
		}
		else if(!strcmp("MYSQL_TABLE", name)) {
			strcpy(snort_table, tmp);
		}
	}
	fclose(ifp);
	fclose(stdin);
}

void _mysql_init() {
	conn = mysql_init(NULL);
	if(!conn) {
		fprintf(stderr, "mysql_init failed\n");
		exit(1);
	}
	conn = mysql_real_connect(conn, mysql_localhost, _mysql_name, _mysql_pwd, dbname, 0, NULL, 0);
	if(!conn) {
		fprintf(stderr, "mysql_real_connect failed\n");
		if(mysql_errno(conn)) {
			fprintf(stderr, "Connection error: %s %s\n", mysql_errno(conn), mysql_error(conn));
		}
		exit(1);
	}
}

void disIP(char* _ip, char* ip, int& port) {
	int len = strlen(_ip);
	int i;
	for(i = 0; i < len; i++) {
		if(':' == _ip[i]) break;
		ip[i] = _ip[i];
	}
	ip[i] = '\0';
	char sport[COMM_SIZE];
	memset(sport, 0, sizeof(sport));
	strcpy(sport, _ip+i+1);
	port = atoi(sport);
}

void _itoa(int num, char* str) {
	if(num < 10) {
		str[0] = '0';
		str[1] = num+'0';
	}
	else {
		str[0] = num%10+'0';
		str[1] = num/10+'0';
	}
}

int disTime(int _month, int _day, char* _time, char* time) {
	time_t timep;
	char month[2], day[2];
	char sa[4], sb[4], sc[10], sd[20], se[5];
	int len, i, index, flag;
//	time(&timep);
//	sscanf(ctime(&timep), "%s%s%s%s%s", sa, sb, sc, sd, se);
	strcpy(se, "2013");
	_itoa(_month, month);
	_itoa(_day, day);
	len = strlen(se);
	for(index = 0, i = 0; i < len; i++) {
		time[index++] = se[i];
	}
	time[index++] = '-';
//	printf("%s\n", month);
	if(month[0] == '0') {
		time[index++] = month[0];
		time[index++] = month[1];
	}
	else {
		for(i = 0; i < 2; i++) {
			time[index++] = month[1-i];
		}
	}
	time[index++] = '-';
	for(i = 0; i < 2; i++) {
		time[index++] = day[1-i];
	}
	time[index++] = ' ';
	len = strlen(_time);
	if(_time[1] == ':') {
		time[index++] = '0';
		for(i = 0; i < 7; i++) {
			time[index++] = _time[i];
		}
	}
	else {
		for(i = 0; i < 8; i++) {
			time[index++] = _time[i];
		}
	}
	time[index] = '\0';
	if(0 == len) {
		return _ERROR;
	}
	else {
		return _SUCCESS;
	}
}

int main() {
	FILE *fp;
	char filepath[_NAME_LEN];
	char buff[BUFF_LEN];
	int month, day, sport, dport;
    char _time[COMM_SIZE], _sip[COMM_SIZE], _dip[COMM_SIZE];
	char time[COMM_SIZE], dip[COMM_SIZE], sip[COMM_SIZE];
	char type[COMM_SIZE], detail[COMM_SIZE];

	memset(filepath, 0, sizeof(filepath));
	info_init();
	_mysql_init();
	fp = freopen("alert", "r", stdin);
	while(!feof(fp)) {
		int len, i;
		init(buff, _time, _sip, _dip, time, dip, sip, type);
		fgets(buff, BUFF_LEN, fp);
		len = sizeof(buff);
		for(i = 0; i < HASH_LEN; i++) {
			if(strstr(buff, hashStr[i])) {
				break;
			}
		}
		strcpy(type, hashStr[i]);
		
		initBuff(buff);
		while(fgets(buff, BUFF_LEN, fp)) {
			if('[' != buff[0]) break;
			initBuff(buff);
		}
		sscanf(buff, "%d/%d-%s %s -> %s", &month, &day, _time, _sip, _dip);
		disIP(_sip, sip, sport);
		disIP(_dip, dip, dport);
//		printf("%d %d %s %s %s\n", month, day, _time, _sip, _dip);
//		printf("%s %s %d %d\n", sip, dip, sport, dport);
		int retval = disTime(month, day, _time, time);
//		printf("time%s\n", time);
		fgets(buff, BUFF_LEN, fp);
		sscanf(buff, "%s", detail);
		while(fgets(buff, BUFF_LEN, fp)) {
			if('*' != buff[0]) break;
		}
		if(_SUCCESS == retval){
			char sql[BUFF_LEN];
			memset(sql, 0, sizeof(sql));
			sprintf(sql, "INSERT INTO %s (protocol,name,time,detail,srcIP,desIP,srcPort,desPort,srcMac,desMac)"
					" VALUES('%s','%s','%s',null,'%s','%s',%d,%d,NULL,NULL)", 
					snort_table, detail, type, time, sip, dip, sport, dport);
			int res = mysql_real_query(conn, sql, strlen(sql));
			if(res) {
				fprintf(stderr, "INSERT INTO error: %s\n", mysql_error(conn));
			}
		}
	}
	printf("Running successfully!\n");
	mysql_close(conn);
	fclose(fp);
	fclose(stdin);
	return 0;
}