-
Notifications
You must be signed in to change notification settings - Fork 27
/
Copy pathmini_db_firewall.stp
119 lines (95 loc) · 3.37 KB
/
mini_db_firewall.stp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
#! /usr/bin/env stap
#
# Tested with ORACLE 11.2.0.4 on OEL6 with kernel UEK4
# Systemtap version used 3.0
#
# This script contains excerpt of code developed by :
# Luca Canali : http://externaltable.blogspot.com/2016/03/systemtap-guru-mode-and-oracle-sql.html
global listener_child_pid,oracle_process_pid,check_pid,statement_track,fd_socket
probe begin {
printf("-----------------------------\n");
printf("Waiting for new connection\n");
}
function block_parse(pointersql:long) %{
char *sqltext;
sqltext = (char *) STAP_ARG_pointersql;
/* Modify the SQL text with an end of line: this will throw ORA-00900: invalid SQL statement */
sqltext[0] = 0;
%}
probe kernel.function("inet_csk_accept").return {
sock = $return
if (target() == pid() && sock != 0) {
if (inet_get_ip_source(sock) == @1) {
printf("----------------------------- \n");
printf("User connected from %s on %s\n",inet_get_ip_source(sock),ctime());
check_pid = 1;
}
}
}
probe syscall.accept.return {
if (target() == pid() && check_pid == 1) {
printf("Allocated file discriptor : %s\n",retstr);
fd_socket = retstr;
}
}
probe nd_syscall.clone.return {
if (check_pid == 1 && target() == pid() ) {
printf("Tracking child listener with pid : %s\n",retstr);
listener_child_pid = retstr
check_pid = 0;
}
if (strtol(listener_child_pid,10) == pid()) {
printf("Assigned oracle process with pid : %s\n",retstr);
oracle_process_pid = retstr;
listener_child_pid = "-1";
}
}
probe process("oracle").function("kksParseCursor") {
if ( statement_track == 1 && strtol(oracle_process_pid,10) == pid()) {
sqltext = user_string2(register("rbx"),"error")
if (isinstr(sqltext, "create") || isinstr(sqltext, "drop")) {
printf("Bloked statement : %s \n",sqltext)
block_parse(register("rbx"))
} else if (isinstr(sqltext, "error") == 0 ){
printf("Parsed statement : %s \n", sqltext)
}
}
}
probe process("oracle").function("opiinfv") {
if (pid() == strtol(oracle_process_pid,10) )
{
connect_info = user_string2(pointer_arg(2),"ERROR");
printf("Connection info : \n");
printf("%s\n",connect_info )
printf("-----------------------------\n");
if (isinstr( connect_info,@2) == 1 )
{
printf("Traking statement parsing\n");
printf("-----------------------------\n");
statement_track= 1;
} else {
printf("Traking statement parsing not enabled (Different service_name specified)\n");
printf("-----------------------------\n");
printf("Waiting for new connection\n");
statement_track = 0;
}
}
}
probe nd_syscall.write {
if ( fd == strtol(fd_socket,10) && pid() == strtol(oracle_process_pid,10) ) {
#For some reason i was not able to get the full string using user_string_n(pointer_arg(2),ulong_arg(3)) so i used this very dirty trick (it will not work for all the cases and can be enhanced)
for (i=0;i<ulong_arg(3);i=i+10) {
if ( isinstr(user_string_n(pointer_arg(2)+i,10) , "HATEM" ) == 1 ) {
printf("Changing data\n");
replace_string(pointer_arg(2)+i,str_replace(user_string_n(pointer_arg(2)+i,10),"HATEM","LOOOL"));
}
}
}
}
function replace_string(old_text:long,new_text:string) %{
char *oldtext;
char *newtext;
oldtext = (char *) STAP_ARG_old_text;
newtext = (char *) STAP_ARG_new_text;
strcpy(oldtext,newtext);
%}