程序功能描述:
对 snort_rules/doc/signatures 下的所有规则文件(如图1)逐个读取(每个文件如图2所示),提取其中对规则的描述信息,然后以 PID-SID 为关键字存储到 MySQL 数据库当中(如图3所示)
图1——signatures文件夹,文件目录截图
图2——单个规则文件打开截图
图3——运行最终结果图
程序代码:
Parserules.c
流程:1.遍历整个目录,2.取出每个文件,3.解析每个文件,4.将解析结果存入数据库
#include <stdio.h>
#include <dirent.h>
#include <string.h>
#include <stdlib.h>
#include "/usr/include/mysql/mysql.h"
#define BUFF_SIZE 1024
#define MAX_PATH 200
#define RULESDIR "/root/snort_rules/doc/signatures"
#define RULESDIRTEST "/root/snort_rules/doc/test"
#define CONTENT_SIZE 10240
#define MYSQLBUFF_SIZE 102400
/*
* 定义连接信息(注意:数据库口令硬编码在源码中,建议改为从环境变量或权限受限的配置文件读取)
*/
#define MYSQL_CONNECT_IP "XXX.XXX.XXX.XXX"
#define MYSQL_USER_NAME "root"
#define MYSQL_USER_PWD "passwd"
#define MYSQL_DATABASE "databaseName"
/*
* Text of the nine documented sections of one signature file. Each field holds
* one section body as NUL-terminated text of at most CONTENT_SIZE bytes.
* Parserule() fills the single global instance ruleStruct; InsertDatebase()
* then reads it to build one rule_detail row.
*/
struct ParseContent
{
char summary[CONTENT_SIZE];          /* "Summary:" section            -> DESCRIPTION column */
char impact[CONTENT_SIZE];           /* "Impact:" section             -> IMPACT column */
char detailedInfo[CONTENT_SIZE];     /* "Detailed Information:"       -> DETAIL column */
char affectSystem[CONTENT_SIZE];     /* "Affected Systems:"           -> EFFECT column */
char attackscenar[CONTENT_SIZE];     /* "Attack Scenarios:"           -> ATTACKSCEN column */
char easeOfAttack[CONTENT_SIZE];     /* "Ease of Attack:"             -> EASEOFATTACK column */
char falsePostitves[CONTENT_SIZE];   /* "False Positives:" (field name keeps its original spelling) -> FALSEPOSTITVES column */
char falseNegatives[CONTENT_SIZE];   /* "False Negatives:"            -> FALSENEGATIVES column */
char correctiveAction[CONTENT_SIZE]; /* "Corrective Action:"          -> RESOLUTION column */
}ruleStruct;   /* the one shared instance; not safe to use from more than one thread */
MYSQL *conn_global;   /* connection handle opened by mysqlInit(), closed at the end of main() */
int insertfileNum;    /* number of files for which an INSERT was attempted */
int insetFailNum;     /* number of those INSERTs the server rejected */
int Parserule(char *chFileNameIn);                       /* fill ruleStruct from one signature file */
int mysqlInit();                                         /* NOTE(review): "()" is an unprototyped declaration; "(void)" would let the compiler check calls */
int InsertDatebase(char *psid[2],char *chFileNameIn);    /* insert ruleStruct as one row keyed by psid[0] (PID) and psid[1] (SID); 1 on success, 0 on failure */
void strReplace(char *context);                          /* replace every ' and " in context with ` in place */
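/*
* Entry point: walk RULESDIRTEST (switch to RULESDIR for the full signature
* set), derive PID/SID from each regular file's name ("<pid>-<sid>.ext", or
* "<sid>.ext" with PID defaulting to "1"), parse the file into ruleStruct and
* insert one row per file.
* Returns 0 when the walk completed, -1 if the database or the directory
* could not be opened.
*/
int main()
{
    char filePath[MAX_PATH] = RULESDIRTEST;
    char chFileNameIn[MAX_PATH] = {0};
    char nameCopy[MAX_PATH] = {0};
    char *psid[2];
    char *p;
    int i;
    int n;
    DIR *dir;
    struct dirent *ptr;

    insertfileNum = 0;
    insetFailNum = 0;

    /* Without a live connection every InsertDatebase() call would run
     * against a dead or NULL handle; stop here instead. */
    if (!mysqlInit()) {
        return -1;
    }
    if ((dir = opendir(filePath)) == NULL) {
        printf("can not open the dir: %s \n", filePath);
        mysql_close(conn_global);
        return -1;
    }
    while ((ptr = readdir(dir)) != NULL) {
        if (strcmp(ptr->d_name, ".") == 0 || strcmp(ptr->d_name, "..") == 0) {
            continue;
        }
        /* d_type may be DT_UNKNOWN on some filesystems; such entries are
         * skipped, as they were before. */
        if (ptr->d_type != DT_REG) {
            continue;
        }
        /* Bounded path build: a long directory or file name must not run
         * past the MAX_PATH buffer. */
        n = snprintf(chFileNameIn, MAX_PATH, "%s/%s", filePath, ptr->d_name);
        if (n < 0 || n >= MAX_PATH) {
            printf("path too long, skipping: %s/%s\n", filePath, ptr->d_name);
            continue;
        }
        /* strtok() writes NULs into its argument, so tokenise a private copy
         * rather than the DIR stream's own d_name buffer. */
        snprintf(nameCopy, MAX_PATH, "%s", ptr->d_name);
        psid[0] = "1";
        psid[1] = NULL;
        if (strchr(nameCopy, '-') != NULL) {
            /* "<pid>-<sid>.ext": only two tokens are meaningful; stopping at
             * i < 2 keeps a third '-' from writing past psid[]. */
            for (i = 0, p = strtok(nameCopy, "-"); p != NULL && i < 2; i++, p = strtok(NULL, "-")) {
                psid[i] = p;
            }
        } else {
            psid[1] = nameCopy;
        }
        if (psid[1] != NULL) {
            psid[1] = strtok(psid[1], ".");   /* drop the extension */
        }
        if (psid[1] == NULL) {
            /* e.g. "-.txt" or "1-": no SID token at all */
            printf("cannot derive PID/SID from file name %s, skipping\n", ptr->d_name);
            continue;
        }
        /* Parserule()'s return value is not used here: it reports open
         * failures on stdout itself, and an unreadable file still yields a
         * row with empty text fields. */
        Parserule(chFileNameIn);
        InsertDatebase(psid, chFileNameIn);
    }
    closedir(dir);
    mysql_close(conn_global);
    printf("共尝试插入%5d 个文件\n", insertfileNum);
    printf("插入失败 %5d 个文件\n", insetFailNum);
    return 0;
}

/*
* Open the global connection conn_global with the MYSQL_* settings.
* Returns 1 on success; 0 on failure, in which case conn_global is NULL.
*/
int mysqlInit(void)
{
    conn_global = mysql_init(NULL);
    if (conn_global == NULL) {
        printf("mysql connection init error!\n");
        return 0;
    }
    /* The MYSQL_* names are macros and must be used unquoted: the string
     * "MYSQL_CONNECT_IP" would otherwise be sent as the host name itself. */
    if (!mysql_real_connect(conn_global, MYSQL_CONNECT_IP, MYSQL_USER_NAME,
                            MYSQL_USER_PWD, MYSQL_DATABASE, 0, NULL, 0)) {
        printf("Failed to connect to Mysql: %s\n", mysql_error(conn_global));
        mysql_close(conn_global);   /* releases the handle mysql_init() allocated */
        conn_global = NULL;
        return 0;
    }
    return 1;
}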
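/* Maps one section header line to the ruleStruct field that receives the section body. */
struct SectionMap
{
    const char *header;   /* header line exactly as fgets() returns it, newline included */
    char *dest;           /* destination buffer of CONTENT_SIZE bytes */
};

/*
* Append src to the NUL-terminated string in dst without writing past cap
* bytes in total. Returns 1 if all of src fitted, 0 if it was truncated.
*/
static int appendBounded(char *dst, size_t cap, const char *src)
{
    size_t used = strlen(dst);
    size_t room = (used < cap) ? cap - used - 1 : 0;
    size_t len = strlen(src);

    if (len > room) {
        memcpy(dst + used, src, room);
        dst[used + room] = '\0';
        return 0;
    }
    memcpy(dst + used, src, len + 1);
    return 1;
}

/*
* Copy lines from pFileIn into dest until the "--\n" terminator line.
* Returns 1 when the terminator was found, 0 when the file ended first;
* EOF must end the loop, otherwise a file missing its "--" would hang the
* parser. Text beyond cap-1 bytes is dropped with a warning rather than
* written past dest.
*/
static int readSection(FILE *pFileIn, char *dest, size_t cap, const char *header, const char *pFileNameIn)
{
    char chBuff[BUFF_SIZE];
    int truncated = 0;

    while (fgets(chBuff, BUFF_SIZE, pFileIn) != NULL) {
        if (strcmp(chBuff, "--\n") == 0) {
            if (truncated) {
                printf("warning: section \"%.*s\" of %s truncated to %zu bytes\n",
                       (int)strcspn(header, "\n"), header, pFileNameIn, cap - 1);
            }
            return 1;
        }
        if (!appendBounded(dest, cap, chBuff)) {
            truncated = 1;
        }
    }
    return 0;
}

/*
* Parse one signature file into the global ruleStruct. Every "Header:\n"
* line from the table below starts a section that runs up to the next
* "--\n" line; the section text (quotes replaced by strReplace()) lands in
* the matching field. A header line longer than BUFF_SIZE-1 bytes is split
* by fgets() and will not be recognised.
* Returns 1 when the file was read, 0 when it could not be opened (all
* fields are then empty).
*/
int Parserule(char *pFileNameIn)
{
    FILE *pFileIn;
    char chBuff[BUFF_SIZE];
    size_t i;
    const struct SectionMap sections[] = {
        {"Summary:\n", ruleStruct.summary},
        {"Impact:\n", ruleStruct.impact},
        {"Detailed Information:\n", ruleStruct.detailedInfo},
        {"Affected Systems:\n", ruleStruct.affectSystem},
        {"Attack Scenarios:\n", ruleStruct.attackscenar},
        {"Ease of Attack:\n", ruleStruct.easeOfAttack},
        {"False Positives:\n", ruleStruct.falsePostitves},
        {"False Negatives:\n", ruleStruct.falseNegatives},
        {"Corrective Action:\n", ruleStruct.correctiveAction},
    };
    const size_t nSections = sizeof sections / sizeof sections[0];

    /* Clear every field so a file lacking a section does not inherit the
     * previous file's text. */
    memset(&ruleStruct, 0, sizeof ruleStruct);

    pFileIn = fopen(pFileNameIn, "r");
    if (pFileIn == NULL) {
        printf("can not open the file:%s\n", pFileNameIn);
        return 0;
    }
    while (fgets(chBuff, BUFF_SIZE, pFileIn) != NULL) {
        for (i = 0; i < nSections; i++) {
            if (strcmp(chBuff, sections[i].header) != 0) {
                continue;
            }
            if (!readSection(pFileIn, sections[i].dest, CONTENT_SIZE, sections[i].header, pFileNameIn)) {
                printf("warning: section \"%.*s\" of %s is not terminated by \"--\"\n",
                       (int)strcspn(sections[i].header, "\n"), sections[i].header, pFileNameIn);
            }
            strReplace(sections[i].dest);
            break;   /* the buffer now holds "--\n" (or EOF); no other header can match */
        }
    }
    fclose(pFileIn);
    return 1;
}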
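/*
* Replace every double and single quote in the NUL-terminated string with a
* backtick, in place. A NULL pointer is left alone.
* This is only a crude quote substitution, not an SQL escape: backslashes
* and other metacharacters pass through unchanged, so the query layer must
* still bind parameters (or use mysql_real_escape_string) rather than rely
* on it. Single pass over the string; the old form re-ran strlen() on every
* iteration.
*/
void strReplace(char *context)
{
    char *p;

    if (context == NULL) {
        return;
    }
    for (p = context; *p != '\0'; p++) {
        if (*p == '\"' || *p == '\'') {
            *p = '`';
        }
    }
}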
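/*
* Insert the current ruleStruct as one rule_detail row keyed by
* psid[0] (PID) and psid[1] (SID), using conn_global opened by mysqlInit().
* The values are bound as prepared-statement parameters instead of being
* pasted into the SQL text with sprintf(): the section text comes straight
* from the signature files, and the quote-to-backtick substitution done by
* strReplace() does not neutralise backslashes, so string building would
* let file content alter the statement (and could overrun the fixed buffer).
* Counts the attempt in insertfileNum and a rejected insert in insetFailNum.
* Returns 1 on success, 0 on failure.
*/
int InsertDatebase(char *psid[2], char *chFileNameIn)
{
    static const char sql[] =
        "INSERT INTO rule_detail (PID,SID,DESCRIPTION,IMPACT,DETAIL,EFFECT,ATTACKSCEN,EASEOFATTACK,FALSEPOSTITVES,FALSENEGATIVES,RESOLUTION)"
        "VALUES(?,?,?,?,?,?,?,?,?,?,?)";
    const char *values[11];
    unsigned long lengths[11];
    MYSQL_BIND bind[11];
    MYSQL_STMT *stmt;
    int i;
    int ok = 0;

    insertfileNum++;
    if (conn_global == NULL || psid[0] == NULL || psid[1] == NULL) {
        insetFailNum++;
        printf("insert the file %s failed: no connection or missing PID/SID\n", chFileNameIn);
        return 0;
    }

    /* Column order matches the INSERT column list above. */
    values[0] = psid[0];
    values[1] = psid[1];
    values[2] = ruleStruct.summary;
    values[3] = ruleStruct.impact;
    values[4] = ruleStruct.detailedInfo;
    values[5] = ruleStruct.affectSystem;
    values[6] = ruleStruct.attackscenar;
    values[7] = ruleStruct.easeOfAttack;
    values[8] = ruleStruct.falsePostitves;
    values[9] = ruleStruct.falseNegatives;
    values[10] = ruleStruct.correctiveAction;

    stmt = mysql_stmt_init(conn_global);
    if (stmt == NULL) {
        insetFailNum++;
        printf("insert the file %s failed: %s\n", chFileNameIn, mysql_error(conn_global));
        return 0;
    }
    if (mysql_stmt_prepare(stmt, sql, (unsigned long)strlen(sql)) != 0) {
        goto out;
    }
    memset(bind, 0, sizeof bind);
    for (i = 0; i < 11; i++) {
        lengths[i] = (unsigned long)strlen(values[i]);
        bind[i].buffer_type = MYSQL_TYPE_STRING;
        bind[i].buffer = (char *)values[i];
        bind[i].buffer_length = lengths[i];
        bind[i].length = &lengths[i];
    }
    if (mysql_stmt_bind_param(stmt, bind) != 0) {
        goto out;
    }
    if (mysql_stmt_execute(stmt) != 0) {
        goto out;
    }
    ok = 1;

out:
    if (!ok) {
        insetFailNum++;
        printf("insert the file %s failed: %s\n", chFileNameIn, mysql_stmt_error(stmt));
    }
    mysql_stmt_close(stmt);
    return ok;
}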
编译命令:
gcc -o parseRule Parserules.c -I/usr/include/mysql -rdynamic -L/usr/lib64/mysql -lmysqlclient