diff -Naur snort-2.1.1/contrib/create_mysql snort-2.1.1/contrib/create_mysql
--- snort-2.1.1/contrib/create_mysql 2002-09-03 22:46:00.000000000 +0200
+++ snort-2.1.1/contrib/create_mysql 2004-10-29 14:03:14.000000000 +0200
@@ -165,3 +165,40 @@
 # be sure to also use the snortdb-extra tables if you want
 # mappings for tcp flags, protocols, and ports
+
+# Created by the WimS Project
+# d.walther@wireless-bern.ch
+
+CREATE TABLE wifihdr
+(
+ sid int4 NOT NULL,
+ cid int8 NOT NULL,
+ tid int4 NOT NULL,
+ bssid varchar(20),
+ ra varchar(20),
+ ta varchar(20),
+ da varchar(20),
+ sa varchar(20),
+ frame varchar(50),
+ tods varchar(10),
+ fromds varchar(10),
+ frag varchar(10),
+ retr varchar(10),
+ pwr varchar(10),
+ md varchar(10),
+ wep varchar(10),
+ ord varchar(20),
+ PRIMARY KEY (sid, cid)
+);
+
+CREATE TABLE wifitype
+(
+ tid int4 NOT NULL,
+ name varchar(50),
+ PRIMARY KEY (tid)
+);
+
+INSERT INTO wifitype (tid, name) VALUES ('0', 'Beacon');
+INSERT INTO wifitype (tid, name) VALUES ('0', 'Management');
+INSERT INTO wifitype (tid, name) VALUES ('0', 'Control');
+INSERT INTO wifitype (tid, name) VALUES ('0', 'Data');
diff -Naur snort-2.1.1/contrib/create_postgresql snort-2.1.1/contrib/create_postgresql
--- snort-2.1.1/contrib/create_postgresql 2003-04-28 15:08:05.000000000 +0200
+++ snort-2.1.1/contrib/create_postgresql 2004-10-29 14:03:26.000000000 +0200
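Review bot: All four `INSERT INTO wifitype` rows use tid `'0'`, but the table declares `PRIMARY KEY (tid)`, so only the Beacon row is inserted and the other three fail with a duplicate-key error; the switch in spo_database.c writes 1, 2 and 3 for Management, Control and Data, so the rows should be `('1', 'Management')`, `('2', 'Control')` and `('3', 'Data')`. `wifihdr.tid` carries no FOREIGN KEY to `wifitype(tid)`, so a mismatch like this is never caught at insert time; `FOREIGN KEY (tid) REFERENCES wifitype(tid)` on wifihdr would surface it. The `tods` … `ord` flag columns are declared varchar(10)/varchar(20) although the C code formats integer masks into them with `%u`; a small integer type would describe the stored data more honestly and avoid implicit string comparisons in queries.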
@@ -164,3 +164,40 @@
 -- be sure to also use the snortdb-extra tables if you want
 -- mappings for tcp flags, protocols, and ports
+
+-- Created by the WimS Project
+-- d.walther@wireless-bern.ch
+
+CREATE TABLE wifihdr
+(
+ sid int4 NOT NULL,
+ cid int8 NOT NULL,
+ tid int4 NOT NULL,
+ bssid varchar(20),
+ ra varchar(20),
+ ta varchar(20),
+ da varchar(20),
+ sa varchar(20),
+ frame varchar(50),
+ tods varchar(10),
+ fromds varchar(10),
+ frag varchar(10),
+ retr varchar(10),
+ pwr varchar(10),
+ md varchar(10),
+ wep varchar(10),
+ ord varchar(20),
+ PRIMARY KEY (sid, cid)
+);
+
+CREATE TABLE wifitype
+(
+ tid int4 NOT NULL,
+ name varchar(50),
+ PRIMARY KEY (tid)
+);
+
+INSERT INTO wifitype (tid, name) VALUES ('0', 'Beacon');
+INSERT INTO wifitype (tid, name) VALUES ('0', 'Management');
+INSERT INTO wifitype (tid, name) VALUES ('0', 'Control');
+INSERT INTO wifitype (tid, name) VALUES ('0', 'Data');
diff -Naur snort-2.1.1/src/output-plugins/spo_database.c snort-2.1.1/src/output-plugins/spo_database.c
--- snort-2.1.1/src/output-plugins/spo_database.c 2004-02-25 17:52:52.000000000 +0100
+++ snort-2.1.1/src/output-plugins/spo_database.c 2004-10-29 14:02:40.000000000 +0200
@@ -609,6 +609,7 @@
 pv.log_plugin_active = 1;
 if( !pv.quiet_flag ) printf("database: using the \"log\" facility\n");
 AddFuncToOutputList(Database, NT_OUTPUT_LOG, data);
+ AddFuncToOutputList(Database, NT_OUTPUT_ALERT, data);
 }
 else
 {
@@ -932,7 +933,11 @@
 unsigned int ref_id, class_id=0;
 ClassType *class_ptr;
 ReferenceNode *refNode;
-
+ /*** for Wifi, added by WimS Project ***/
+ u_char *da = NULL, *sa = NULL, *bssid = NULL, *ra = NULL, *ta = NULL;
+ int wifi_type;
+ char frame[50], bssidc[30], rac[30], tac[30], dac[30], sac[30];
+ /*** End of Wifi ***/
 query = NewQueryNode(NULL, 0);
 root = query;
@@ -1029,6 +1034,7 @@
 */
 select0 = (char *) SnortAlloc(MAX_QUERY_LENGTH+1);
 sig_name = snort_escape_string(msg, data);
+
 if ( event->sig_rev == 0 )
 {
 if( event->sig_id == 0)
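Review bot: Same duplicate-key problem as in the MySQL script: all four `INSERT INTO wifitype` rows use tid `'0'` against `PRIMARY KEY (tid)`, so after the Beacon row the remaining inserts fail, and if the script is run inside a transaction the whole batch aborts. The values should be `'0'`, `'1'`, `'2'`, `'3'` for Beacon, Management, Control and Data, matching the `wifi_type` numbering in spo_database.c. A `FOREIGN KEY (tid) REFERENCES wifitype(tid)` on wifihdr would make this kind of drift fail loudly instead of silently storing unmapped type ids.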
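Review bot: `Database` is now added to the alert output list unconditionally inside the `log` facility branch, while the printf just above still tells the operator that only the log facility is in use. If Snort runs both the alert and the log output lists for an alert-action rule (as its alert action does, to my knowledge), each such event is written to the database twice with consecutive cids. If the goal is to get wifihdr rows for alerts, gate the extra registration on a configuration keyword, or at least change the message to state that both facilities are active. The enclosing configuration function starts and ends outside the hunk.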
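Review bot: `wifi_type` is declared without an initializer and is only assigned inside the switch added in a later hunk; the default arm does set it, so this is safe today, but `int wifi_type = 3;` (the Data mapping) would make the fallback explicit and keep compilers from warning. The fixed buffers are large enough for what the later sprintf calls produce (at most 17 characters for a MAC, 22 for `"Reassociation Response"`), which is worth stating in a comment such as `/* MAC strings <= 17 chars, frame names <= 22 chars */` so the sizes are not trimmed blindly. The function containing these declarations starts and ends outside the hunk.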
@@ -1486,8 +1492,158 @@
 ntohs(p->udph->uh_dport));
 }
 }
- }
+ }
+ /*** Added by the WimS Project ***/
+ /*** Build the query for the Wifi Header ***/
+ if ( p->wifih != NULL )
+ {
+ if ((p->wifih->frame_control & WLAN_FLAG_TODS) && (p->wifih->frame_control & WLAN_FLAG_FROMDS)) {
+ ra = p->wifih->addr1;
+ ta = p->wifih->addr2;
+ da = p->wifih->addr3;
+ sa = p->wifih->addr4;
+ sprintf(rac,"%X:%X:%X:%X:%X:%X",ra[0],ra[1],ra[2],ra[3],ra[4],ra[5]);
+ sprintf(sac,"%X:%X:%X:%X:%X:%X",sa[0],sa[1],sa[2],sa[3],sa[4],sa[5]);
+ sprintf(dac,"%X:%X:%X:%X:%X:%X",da[0],da[1],da[2],da[3],da[4],da[5]);
+ sprintf(tac,"%X:%X:%X:%X:%X:%X",ta[0],ta[1],ta[2],ta[3],ta[4],ta[5]);
+ sprintf(bssidc,"empty");
+ }
+ else if (p->wifih->frame_control & WLAN_FLAG_TODS) {
+ bssid = p->wifih->addr1;
+ sa = p->wifih->addr2;
+ da = p->wifih->addr3;
+ sprintf(rac,"empty");
+ sprintf(sac,"%X:%X:%X:%X:%X:%X",sa[0],sa[1],sa[2],sa[3],sa[4],sa[5]);
+ sprintf(dac,"%X:%X:%X:%X:%X:%X",da[0],da[1],da[2],da[3],da[4],da[5]);
+ sprintf(tac,"empty");
+ sprintf(bssidc,"%X:%X:%X:%X:%X:%X",bssid[0],bssid[1],bssid[2],bssid[3],bssid[4],bssid[5]);
+ }
+ else if (p->wifih->frame_control & WLAN_FLAG_FROMDS) {
+ da = p->wifih->addr1;
+ bssid = p->wifih->addr2;
+ sa = p->wifih->addr3;
+ sprintf(rac,"empty");
+ sprintf(sac,"%X:%X:%X:%X:%X:%X",sa[0],sa[1],sa[2],sa[3],sa[4],sa[5]);
+ sprintf(dac,"%X:%X:%X:%X:%X:%X",da[0],da[1],da[2],da[3],da[4],da[5]);
+ sprintf(tac,"empty");
+ sprintf(bssidc,"%X:%X:%X:%X:%X:%X",bssid[0],bssid[1],bssid[2],bssid[3],bssid[4],bssid[5]);
+ }
+ else {
+ da = p->wifih->addr1;
+ sa = p->wifih->addr2;
+ bssid = p->wifih->addr3;
+ sprintf(rac,"empty");
+ sprintf(sac,"%X:%X:%X:%X:%X:%X",sa[0],sa[1],sa[2],sa[3],sa[4],sa[5]);
+ sprintf(dac,"%X:%X:%X:%X:%X:%X",da[0],da[1],da[2],da[3],da[4],da[5]);
+ sprintf(tac,"empty");
+ sprintf(bssidc,"%X:%X:%X:%X:%X:%X",bssid[0],bssid[1],bssid[2],bssid[3],bssid[4],bssid[5]);
+ }
+ /* DO this switch to provide additional info on the type */
+ switch(p->wifih->frame_control & 0x00ff)
+ {
+ case WLAN_TYPE_MGMT_BEACON:
+ sprintf(frame,"Beacon");
+ wifi_type = 0;
+ break;
+ /* management frames */
+ case WLAN_TYPE_MGMT_ASREQ:
+ sprintf(frame,"Association Request");
+ wifi_type = 1;
+ break;
+ case WLAN_TYPE_MGMT_ASRES:
+ sprintf(frame,"Association Response");
+ wifi_type = 1;
+ break;
+ case WLAN_TYPE_MGMT_REREQ:
+ sprintf(frame,"Reassociation Request");
+ wifi_type = 1;
+ break;
+ case WLAN_TYPE_MGMT_RERES:
+ sprintf(frame,"Reassociation Response");
+ wifi_type = 1;
+ break;
+ case WLAN_TYPE_MGMT_PRREQ:
+ sprintf(frame,"Probe Request");
+ wifi_type = 1;
+ break;
+ case WLAN_TYPE_MGMT_PRRES:
+ sprintf(frame,"Probe Response");
+ wifi_type = 1;
+ break;
+ case WLAN_TYPE_MGMT_ATIM:
+ sprintf(frame,"ATIM");
+ wifi_type = 1;
+ break;
+ case WLAN_TYPE_MGMT_DIS:
+ sprintf(frame,"Dissassociation");
+ wifi_type = 1;
+ break;
+ case WLAN_TYPE_MGMT_AUTH:
+ sprintf(frame,"Authentication");
+ wifi_type = 1;
+ break;
+ case WLAN_TYPE_MGMT_DEAUTH:
+ sprintf(frame,"Deauthentication");
+ wifi_type = 1;
+ break;
+ /* Control frames */
+ case WLAN_TYPE_CONT_PS:
+ sprintf(frame,"Power Save Poll");
+ wifi_type = 2;
+ break;
+ case WLAN_TYPE_CONT_RTS:
+ sprintf(frame,"Request to send");
+ wifi_type = 2;
+ break;
+ case WLAN_TYPE_CONT_CTS:
+ sprintf(frame,"Clear to send");
+ wifi_type = 2;
+ break;
+ case WLAN_TYPE_CONT_ACK:
+ sprintf(frame,"Acknowledgement");
+ wifi_type = 2;
+ break;
+ case WLAN_TYPE_CONT_CFE:
+ sprintf(frame,"Content-Free-End");
+ wifi_type = 2;
+ break;
+ case WLAN_TYPE_CONT_CFACK:
+ sprintf(frame,"CF-End,CF-Ack");
+ wifi_type = 2;
+ break;
+ default:
+ sprintf(frame,"Data");
+ wifi_type = 3;
+ }
+ query = NewQueryNode(query, 0);
+ if(data->detail)
+ {
+ snprintf(query->val, MAX_QUERY_LENGTH,
+ "INSERT INTO "
+ "wifihdr (sid, cid, tid, bssid, ra, ta, da, sa, "
+ "frame, tods, fromds, frag, retr, pwr, md, wep, ord) "
+ "VALUES ('%u','%u','%u','%s','%s','%s','%s','%s','%s',"
+ "'%u','%u','%u','%u','%u','%u','%u','%u')",
+ data->shared->sid,
+ data->shared->cid,
+ wifi_type,
+ bssidc,
+ rac,
+ tac,
+ dac,
+ sac,
+ frame,
+ p->wifih->frame_control & WLAN_FLAG_TODS,
+ p->wifih->frame_control & WLAN_FLAG_TODS,
+ p->wifih->frame_control & WLAN_FLAG_FRAG,
+ p->wifih->frame_control & WLAN_FLAG_RETRY,
+ p->wifih->frame_control & WLAN_FLAG_PWRMGMT,
+ p->wifih->frame_control & WLAN_FLAG_MOREDAT,
+ p->wifih->frame_control & WLAN_FLAG_WEP,
+ p->wifih->frame_control & WLAN_FLAG_ORDER);
+ }
+ }
 /*** Build the query for the IP Header ***/
 if ( p->iph )
 {
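Review bot: The `fromds` column is filled from `p->wifih->frame_control & WLAN_FLAG_TODS` — the same mask as the `tods` argument on the line above it — so the FromDS bit is never stored; that argument should read `p->wifih->frame_control & WLAN_FLAG_FROMDS,`. The MAC strings are formatted with `%X`, so any byte below 0x10 prints as a single digit (`0:C:29:…`), which does not match the zero-padded form other tools emit and makes the stored addresses awkward to search; `%02X` in each sprintf fixes that. `query = NewQueryNode(query, 0)` runs before the `if(data->detail)` test, so with detail off an empty node is still appended to the chain — move the allocation inside the if unless the rest of the function is known to skip empty nodes. The frame-type strings `"Dissassociation"` and `"Content-Free-End"` are misspelled (Disassociation, Contention-Free-End) and will be stored as such, and the four-address branch reads `addr4` for any frame with both DS bits set without a visible check that the captured header is long enough to contain it. The enclosing function starts and ends outside the hunk.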