
MySQL UDF for ACID


From: "Bryan Miller" <BMiller () sycomtech com>
Date: Fri, 15 Aug 2003 10:33:23 -0400

While trying to create reports for our managed IDS customers, I found
that the acid_event table only stores the IP address for events.  In
trying to correlate that with acid_ip_cache to get the FQDN, I found
that as the cache empties you lose the IP-address-to-domain-name mapping.
I wrote a MySQL UDF to perform the lookup.  I did find a sample on the
web that was apparently written for Solaris and it wouldn't compile on
my Linux box.  Feel free to copy and modify as you see fit.
 
#ifdef STANDARD
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#ifdef __WIN__
typedef unsigned __int64 ulonglong; /* Microsofts 64 bit types */
typedef __int64 longlong;
#else
typedef unsigned long long ulonglong;
typedef long long longlong;
#endif /*__WIN__*/
#else
#include <my_global.h>
#include <my_sys.h>
#endif
#include <mysql.h>
#include <m_ctype.h>
#include <m_string.h>  // To get strmov()
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
 
#ifdef HAVE_DLOPEN
 
/* C linkage: the two UDF entry points must be exported under their plain,
 * unmangled names so the server can look them up in the loaded object. */
extern "C" {

/* Parse-time hook: validates/coerces the argument, sets result metadata. */
my_bool reverse_lookup_init(UDF_INIT *initid, UDF_ARGS *args, char
*message);

/* Per-row hook: resolves the IPv4 address in args[0] to a host name. */
char *reverse_lookup(UDF_INIT *initid, UDF_ARGS *args, char *result,
     unsigned long *length, char *is_null, char *error);
}
 
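/*
 * Parse-time initialiser for reverse_lookup().
 *
 * Checks that exactly one argument is supplied and forces its type to
 * INT_RESULT, so that reverse_lookup() always receives the IPv4 address
 * as an integer regardless of the column or expression type it came from.
 *
 * Returns 0 on success. Returns 1 after writing an error text into
 * `message` (the server's error buffer) when the argument count is wrong.
 */
my_bool reverse_lookup_init(UDF_INIT *initid, UDF_ARGS *args, char *message)
{
  if (args->arg_count != 1)
  {
    strmov(message, "Wrong number of arguments to reverse_lookup_init");
    return 1;
  }

  /* Assignment, not comparison: an earlier version wrote `==` here, so the
   * coercion was a silent no-op and string arguments were read as raw bytes.
   * Coerce every type, not just STRING_RESULT, so REAL/DECIMAL inputs are
   * converted by the server instead of being misread as an integer. */
  args->arg_type[0] = INT_RESULT;

  initid->max_length = 255;   /* upper bound on the host name handed back */
  initid->maybe_null = 1;     /* the function may yield SQL NULL */
  return 0;
}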
 

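/*
 * Converts argument 0 into a network-order IPv4 address.
 *
 * Accepts the integer form that reverse_lookup_init() requests, and, as a
 * fallback, a dotted-quad string (reached only if the type was not coerced).
 *
 * Returns 0 and fills *out on success; -1 when the argument is a SQL NULL
 * (a NULL pointer), an unsupported type, or an unparsable string.
 */
static int reverse_lookup_arg_to_addr(const UDF_ARGS *args, struct in_addr *out)
{
  if (args->args[0] == NULL)
  {
    return -1;                       /* SQL NULL arrives as a NULL pointer */
  }

  switch (args->arg_type[0])
  {
  case INT_RESULT:
  {
    /* The address is a host-order integer passed as a long long; read the
     * whole value (endian-safe) instead of copying its first four bytes. */
    long long v;
    memcpy(&v, args->args[0], sizeof v);
    out->s_addr = htonl((in_addr_t) v);
    return 0;
  }
  case STRING_RESULT:
  {
    /* String arguments are not guaranteed NUL-terminated: copy the bounded
     * length into a local buffer before parsing. */
    char text[INET_ADDRSTRLEN];
    unsigned long len = args->lengths[0];
    if (len >= sizeof text)
    {
      return -1;
    }
    memcpy(text, args->args[0], len);
    text[len] = '\0';
    return inet_pton(AF_INET, text, out) == 1 ? 0 : -1;
  }
  default:
    return -1;                       /* REAL/DECIMAL: no meaningful address */
  }
}

/*
 * Per-row worker: resolves the IPv4 address in args[0] to its PTR name.
 *
 * Writes the host name into `result` (the server's 255-byte buffer) and sets
 * *length; on a missing PTR record the fixed text "----No lookup available----"
 * is returned instead. A NULL or unusable argument yields SQL NULL via
 * *is_null. Output is always bounded to 255 bytes, the value advertised as
 * max_length in reverse_lookup_init().
 *
 * The returned name is supplied by whoever controls the reverse zone for that
 * address, so report consumers must treat it as untrusted data, not identity.
 */
char *reverse_lookup(UDF_INIT *initid, UDF_ARGS *args, char *result,
      unsigned long *length, char *is_null, char *error)
{
  enum { RESULT_SIZE = 255 };        /* size of `result`; equals max_length */
  (void) initid;
  (void) error;

  if (args->arg_count != 1)
  {
    snprintf(result, RESULT_SIZE, "%s",
             "Wrong number of arguments to reverse_lookup");
    *length = strlen(result);
    return result;
  }

  struct sockaddr_in sin;
  memset(&sin, 0, sizeof sin);
  sin.sin_family = AF_INET;
  if (reverse_lookup_arg_to_addr(args, &sin.sin_addr) != 0)
  {
    /* Previously a NULL argument reached memcpy() and crashed the server. */
    *is_null = 1;
    *length = 0;
    return NULL;
  }

  /* getnameinfo() is reentrant; gethostbyaddr() hands back a static hostent,
   * which is unsafe inside a multithreaded server. NI_NAMEREQD turns a
   * missing PTR record into an error rather than echoing the dotted quad. */
  char host[NI_MAXHOST];
  int rc = getnameinfo((const struct sockaddr *) &sin, sizeof sin,
                       host, sizeof host, NULL, 0, NI_NAMEREQD);

  *is_null = 0;
  if (rc != 0)
  {
    snprintf(result, RESULT_SIZE, "%s", "----No lookup available----");
  }
  else
  {
    /* Bounded copy: a PTR answer may be longer than the result buffer. */
    snprintf(result, RESULT_SIZE, "%s", host);
  }
  *length = strlen(result);
  return result;
}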
 
#endif /* HAVE_DLOPEN */

 
Bryan Miller
Security Practice Manager
CCIE, CISSP
SyCom Technologies
 
