程序功能描述:
对snort_rules/doc/signatures 下的所有规则文件(如图1),逐个读取单个规则文件(每个文件如图2所示),提取该规则的描述信息,然后以PID-SID为关键字存储到MySQL数据库当中(如图3所示)
图1——signatures文件夹,文件目录截图
图2——单个规则文件打开截图
图3——运行最终结果图
程序代码:
Parserules.c
流程:1.遍历整个目录,2.取出每个文件,3.解析每个文件,4.将解析结果存入数据库
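#include <stdio.h>
#include <dirent.h>
#include <string.h>
#include <stdlib.h>
#include "/usr/include/mysql/mysql.h"

#define BUFF_SIZE 1024
#define MAX_PATH 200
#define RULESDIR "/root/snort_rules/doc/signatures"
#define RULESDIRTEST "/root/snort_rules/doc/test"
#define CONTENT_SIZE 10240
#define MYSQLBUFF_SIZE 102400

/*
 * Connection settings
 */
#define MYSQL_CONNECT_IP "XXX.XXX.XXX.XXX"
#define MYSQL_USER_NAME "root"
#define MYSQL_USER_PWD "passwd"
#define MYSQL_DATABASE "databaseName"

/* Line that closes every section of a signature file. */
#define SECTION_END "--\n"

/*
 * One parsed signature file. Each field holds the raw text of one section,
 * NUL-terminated and capped at CONTENT_SIZE-1 bytes (longer sections are
 * truncated, never overflowed).
 */
struct ParseContent {
    char summary[CONTENT_SIZE];
    char impact[CONTENT_SIZE];
    char detailedInfo[CONTENT_SIZE];
    char affectSystem[CONTENT_SIZE];
    char attackscenar[CONTENT_SIZE];
    char easeOfAttack[CONTENT_SIZE];
    char falsePostitves[CONTENT_SIZE];
    char falseNegatives[CONTENT_SIZE];
    char correctiveAction[CONTENT_SIZE];
} ruleStruct;

MYSQL *conn_global;   /* opened by mysqlInit(), closed by main() */
int insertfileNum;    /* files for which an INSERT was attempted */
int insetFailNum;     /* attempts that failed (parse or query) */

int Parserule(char *chFileNameIn);
int mysqlInit(void);
int InsertDatebase(char *psid[2], char *chFileNameIn);
void strReplace(char *context);

/*
 * Section header line (exactly as it appears in the file, newline included)
 * -> ruleStruct field that receives the section body.
 */
static const struct {
    const char *header;
    char *field;
} sections[] = {
    { "Summary:\n",              ruleStruct.summary },
    { "Impact:\n",               ruleStruct.impact },
    { "Detailed Information:\n", ruleStruct.detailedInfo },
    { "Affected Systems:\n",     ruleStruct.affectSystem },
    { "Attack Scenarios:\n",     ruleStruct.attackscenar },
    { "Ease of Attack:\n",       ruleStruct.easeOfAttack },
    { "False Positives:\n",      ruleStruct.falsePostitves },
    { "False Negatives:\n",      ruleStruct.falseNegatives },
    { "Corrective Action:\n",    ruleStruct.correctiveAction },
};

/*
 * Derives pid/sid from a signature file name such as "1-2345.txt": the text
 * before the first '-' is the pid (default "1" when there is no '-'), the
 * rest up to the first '.' is the sid. Cuts name in place and points psid[]
 * into it, so name must outlive psid. Replaces the original strtok() loop,
 * which wrote past psid[2] for names containing more than one '-'.
 */
static void split_pid_sid(char *name, char *psid[2])
{
    char *dash = strchr(name, '-');

    if (dash != NULL) {
        *dash = '\0';
        psid[0] = name;
        psid[1] = dash + 1;
    } else {
        psid[0] = "1";
        psid[1] = name;
    }

    char *dot = strchr(psid[1], '.');
    if (dot != NULL) {
        *dot = '\0';
    }
}

int main(void)
{
    char filePath[MAX_PATH] = RULESDIRTEST;
    char chFileNameIn[MAX_PATH];
    char *psid[2];
    DIR *dir;
    struct dirent *ptr;

    insertfileNum = 0;
    insetFailNum = 0;

    /* Without a connection every later query and escape call would run on a
     * NULL handle, so stop here instead of counting every file as failed. */
    if (!mysqlInit()) {
        return -1;
    }

    if ((dir = opendir(filePath)) == NULL) {
        printf("can not open the dir: %s \n", filePath);
        mysql_close(conn_global);
        return -1;
    }

    while ((ptr = readdir(dir)) != NULL) {
        if (strcmp(ptr->d_name, ".") == 0 || strcmp(ptr->d_name, "..") == 0) {
            continue;
        }
        /* d_type is a Linux/BSD extension; entries reported as DT_UNKNOWN
         * (some file systems never fill d_type) are skipped, as before. */
        if (ptr->d_type != DT_REG) {
            continue;
        }

        int n = snprintf(chFileNameIn, sizeof chFileNameIn, "%s/%s",
                         filePath, ptr->d_name);
        if (n < 0 || (size_t)n >= sizeof chFileNameIn) {
            printf("path too long, skipped: %s/%s\n", filePath, ptr->d_name);
            continue;
        }

        /* The full path is already built, so d_name may be cut up now. */
        split_pid_sid(ptr->d_name, psid);

        /* An unreadable file used to be inserted as an all-empty row; count
         * it as a failed attempt and skip the INSERT instead. */
        if (!Parserule(chFileNameIn)) {
            insertfileNum++;
            insetFailNum++;
            continue;
        }
        InsertDatebase(psid, chFileNameIn);
    }

    closedir(dir);
    mysql_close(conn_global);
    printf("共尝试插入%5d 个文件\n", insertfileNum);
    printf("插入失败 %5d 个文件\n", insetFailNum);
    return 0;
}

/*
 * Opens conn_global. Returns 1 on success, 0 on failure (conn_global is then
 * NULL).
 */
int mysqlInit(void)
{
    if ((conn_global = mysql_init(NULL)) == NULL) {
        printf("mysql connection init error!\n");
        return 0;
    }
    /* The original passed the macro *names* as string literals
     * ("MYSQL_CONNECT_IP", ...), i.e. it tried to reach a host literally
     * called MYSQL_CONNECT_IP; the macros themselves must be used. */
    if (!mysql_real_connect(conn_global, MYSQL_CONNECT_IP, MYSQL_USER_NAME,
                            MYSQL_USER_PWD, MYSQL_DATABASE, 0, NULL, 0)) {
        printf("Failed to connect to Mysql: %s\n", mysql_error(conn_global));
        mysql_close(conn_global);
        conn_global = NULL;
        return 0;
    }
    return 1;
}

/*
 * Appends lines from fp to dst (capacity cap, already NUL-terminated) until
 * the SECTION_END line. Returns 1 when the terminator was seen, 0 on EOF.
 * Text that would not fit is dropped; the original strcat() had no bound,
 * and its loop never ended when a section ran into EOF.
 */
static int read_section(FILE *fp, char *dst, size_t cap)
{
    char line[BUFF_SIZE];
    size_t len = strlen(dst);

    while (fgets(line, sizeof line, fp) != NULL) {
        if (strcmp(line, SECTION_END) == 0) {
            return 1;
        }
        size_t n = strlen(line);
        if (n > cap - len - 1) {
            n = cap - len - 1;
        }
        memcpy(dst + len, line, n);
        len += n;
        dst[len] = '\0';
    }
    return 0;
}

/*
 * Fills ruleStruct from one signature file. Returns 1 when the file was
 * read, 0 when it could not be opened (ruleStruct is then all empty).
 */
int Parserule(char *pFileNameIn)
{
    FILE *pFileIn;
    char chBuff[BUFF_SIZE];
    size_t i;

    memset(&ruleStruct, 0, sizeof ruleStruct);

    pFileIn = fopen(pFileNameIn, "r");
    if (pFileIn == NULL) {
        printf("can not open the file:%s\n", pFileNameIn);
        return 0;
    }

    /* Drive the loop by fgets() itself; while(!feof()) processed the last
     * buffer twice and ignored read failures. */
    while (fgets(chBuff, sizeof chBuff, pFileIn) != NULL) {
        for (i = 0; i < sizeof sections / sizeof sections[0]; i++) {
            if (strcmp(chBuff, sections[i].header) == 0) {
                if (!read_section(pFileIn, sections[i].field, CONTENT_SIZE)) {
                    printf("unterminated section in %s\n", pFileNameIn);
                }
                break;
            }
        }
    }

    fclose(pFileIn);
    return 1;
}

/*
 * Replaces every '"' and '\'' in context with '`'. Kept for callers; the
 * INSERT path now escapes with mysql_real_escape_string(), which also covers
 * backslashes and other bytes this substitution misses.
 */
void strReplace(char *context)
{
    for (char *p = context; *p != '\0'; p++) {
        if (*p == '\"' || *p == '\'') {
            *p = '`';
        }
    }
}

/* Appends s verbatim to dst; returns -1 when it would not fit. */
static int append_raw(char *dst, size_t cap, size_t *len, const char *s)
{
    size_t n = strlen(s);

    if (n >= cap - *len) {
        return -1;
    }
    memcpy(dst + *len, s, n + 1);
    *len += n;
    return 0;
}

/* Appends s to dst as a quoted SQL string literal escaped for conn_global. */
static int append_quoted(char *dst, size_t cap, size_t *len, const char *s)
{
    size_t n = strlen(s);

    /* worst case every byte doubles, plus two quotes and the NUL */
    if (cap - *len < 2 * n + 3) {
        return -1;
    }
    dst[(*len)++] = '\'';
    *len += mysql_real_escape_string(conn_global, dst + *len, s,
                                     (unsigned long)n);
    dst[(*len)++] = '\'';
    dst[*len] = '\0';
    return 0;
}

/*
 * Inserts ruleStruct for the given pid/sid into rule_detail. Returns 1 on
 * success, 0 on failure; bumps insertfileNum on entry and insetFailNum on
 * failure. Values are escaped by the client library rather than by the
 * quote-to-backtick substitution, and the statement buffer is sized from
 * the actual field lengths instead of a fixed MYSQLBUFF_SIZE.
 */
int InsertDatebase(char *psid[2], char *chFileNameIn)
{
    static const char prefix[] =
        "INSERT INTO rule_detail (PID,SID,DESCRIPTION,IMPACT,DETAIL,EFFECT,"
        "ATTACKSCEN,EASEOFATTACK,FALSEPOSTITVES,FALSENEGATIVES,RESOLUTION)VALUES(";
    const char *values[] = {
        psid[0], psid[1],
        ruleStruct.summary, ruleStruct.impact, ruleStruct.detailedInfo,
        ruleStruct.affectSystem, ruleStruct.attackscenar, ruleStruct.easeOfAttack,
        ruleStruct.falsePostitves, ruleStruct.falseNegatives,
        ruleStruct.correctiveAction,
    };
    const size_t nvalues = sizeof values / sizeof values[0];
    size_t cap = sizeof prefix + 2;   /* prefix, ")" and NUL */
    size_t len = 0;
    size_t i;
    char *sql;
    int ok = 0;

    insertfileNum++;

    for (i = 0; i < nvalues; i++) {
        cap += 2 * strlen(values[i]) + 3;   /* escaped text, quotes, comma */
    }

    sql = malloc(cap);
    if (sql == NULL) {
        insetFailNum++;
        printf("insert the file %s failed!\n", chFileNameIn);
        return 0;
    }

    if (append_raw(sql, cap, &len, prefix)) {
        goto out;
    }
    for (i = 0; i < nvalues; i++) {
        if (i > 0 && append_raw(sql, cap, &len, ",")) {
            goto out;
        }
        if (append_quoted(sql, cap, &len, values[i])) {
            goto out;
        }
    }
    if (append_raw(sql, cap, &len, ")")) {
        goto out;
    }

    ok = mysql_real_query(conn_global, sql, (unsigned long)len) == 0;

out:
    free(sql);
    if (!ok) {
        insetFailNum++;
        printf("insert the file %s failed!\n", chFileNameIn);
        return 0;
    }
    return 1;
}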
编译命令:
gcc -o parseRule Parserules.c -I/usr/include/mysql -rdynamic -L/usr/lib64/mysql -lmysqlclient