MySQL UDF for ACID
From: "Bryan Miller" <BMiller () sycomtech com>
Date: Fri, 15 Aug 2003 10:33:23 -0400
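While trying to create reports for our managed IDS customers, I found that the acid_event table only stores the IP address for events. In trying to correlate that with acid_ip_cache to get the FQDN, I found that as the cache empties you lose the IP address - domain name mapping. I wrote a MySQL UDF to perform the lookup. I did find a sample on the web that was apparently written for Solaris and it wouldn't compile on my Linux box. Feel free to copy and modify as you see fit.

/*
 * reverse_lookup(ip) -- MySQL UDF that maps the host-order IPv4 integer that
 * ACID stores in acid_event back to a host name via a reverse (PTR) lookup.
 *
 * Returns the looked-up name, the literal string
 * "----No lookup available----" when no PTR record can be resolved, or SQL
 * NULL when the argument is NULL. The name comes from a DNS record controlled
 * by whoever owns the address space, so treat it as untrusted data in reports.
 */
#ifdef STANDARD
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#ifdef __WIN__
typedef unsigned __int64 ulonglong; /* Microsoft's 64 bit types */
typedef __int64 longlong;
#else
typedef unsigned long long ulonglong;
typedef long long longlong;
#endif /*__WIN__*/
#else
#include <my_global.h>
#include <my_sys.h>
#endif
#include <stdint.h>
#include <mysql.h>
#include <m_ctype.h>
#include <m_string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#ifdef HAVE_DLOPEN

/* The `result` buffer MySQL hands to a string UDF is 255 bytes; every write
 * into it below is bounded by this size and max_length is set to match. */
enum { RESULT_BUF_LEN = 255 };

#ifdef __cplusplus
extern "C" {
#endif
my_bool reverse_lookup_init(UDF_INIT *initid, UDF_ARGS *args, char *message);
char *reverse_lookup(UDF_INIT *initid, UDF_ARGS *args, char *result,
                     unsigned long *length, char *is_null, char *error);
#ifdef __cplusplus
}
#endif

/*
 * Validate the call and tell MySQL how to pass the argument.
 *
 * @param initid   per-call state; max_length/maybe_null are filled in here
 * @param args     argument descriptors supplied by the server
 * @param message  error text buffer (MYSQL_ERRMSG_SIZE bytes) shown to the client
 * @return 0 on success, 1 (with message set) on a bad argument count
 */
my_bool reverse_lookup_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
    if (args->arg_count != 1) {
        snprintf(message, MYSQL_ERRMSG_SIZE, "%s",
                 "Wrong number of arguments to reverse_lookup_init");
        return 1;
    }
    /* Always ask the server for a longlong. The earlier version wrote
     * `args->arg_type[0] == INT_RESULT` (a comparison, not an assignment),
     * so a string argument was never coerced and reverse_lookup() read four
     * raw bytes of the string as an address. */
    args->arg_type[0] = INT_RESULT;
    initid->max_length = RESULT_BUF_LEN;
    initid->maybe_null = 1;
    return 0;
}

/*
 * Resolve the host name for one IPv4 address.
 *
 * @param args     args->args[0] points at a longlong (host-order address) or
 *                 is NULL for a SQL NULL
 * @param result   255-byte buffer owned by the server; the name is copied here
 *                 (truncated to fit) so no pointer into library storage escapes
 * @param length   set to the number of bytes placed in result
 * @param is_null  set to 1 only when the argument itself is NULL
 * @return result, or NULL when *is_null is set
 */
char *reverse_lookup(UDF_INIT *initid, UDF_ARGS *args, char *result,
                     unsigned long *length, char *is_null, char *error)
{
    longlong ip;
    struct sockaddr_in sa;
    char host[NI_MAXHOST];

    (void)initid;
    (void)error;

    /* Defensive only: the init function already rejects other counts. */
    if (args->arg_count != 1) {
        snprintf(result, RESULT_BUF_LEN, "%s",
                 "Wrong number of arguments to reverse_lookup");
        *length = strlen(result);
        return result;
    }
    /* A SQL NULL arrives as a NULL pointer; the earlier version memcpy'd from it. */
    if (args->args[0] == NULL) {
        *is_null = 1;
        return NULL;
    }
    /* Read the whole integer rather than its first four bytes, which only
     * happened to be the low word on little-endian hosts. */
    memcpy(&ip, args->args[0], sizeof ip);

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl((uint32_t)ip); /* DB stores host byte order */

    *is_null = 0;
    /* getnameinfo() writes into our own buffer and is thread-safe, unlike
     * gethostbyaddr(), whose static result was previously returned straight
     * to the server and could be overwritten by a concurrent query. */
    if (getnameinfo((struct sockaddr *)&sa, sizeof sa, host, sizeof host,
                    NULL, 0, NI_NAMEREQD) != 0) {
        snprintf(result, RESULT_BUF_LEN, "%s", "----No lookup available----");
    } else {
        snprintf(result, RESULT_BUF_LEN, "%s", host);
    }
    *length = strlen(result);
    return result;
}

#endif /* HAVE_DLOPEN */

Bryan Miller Security Practice Manager CCIE, CISSP SyCom Technologies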