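/*
 * Dump a Unified2 IDS event (Serial_Unified2IDSEvent layout) to stdout.
 *
 * The record payload is copied into a local struct and every multi-byte
 * member is converted from network byte order before printing, so the bytes
 * behind record->data are never modified.
 *
 * NOTE(review): nothing here checks that record->data actually holds
 * sizeof(Serial_Unified2IDSEvent) bytes; that has to be guaranteed by the
 * caller that read the on-disk record header -- TODO confirm.
 */
static void event3_dump(u2record *record)
{
    Serial_Unified2IDSEvent event;

    memcpy(&event, record->data, sizeof event);

    /*
     * Network to host ordering, converted per named member instead of
     * walking the struct as raw bytes: the conversion then cannot silently
     * go out of step with the layout if a member is reordered or padded.
     */
    event.sensor_id          = ntohl(event.sensor_id);
    event.event_id           = ntohl(event.event_id);
    event.event_second       = ntohl(event.event_second);
    event.event_microsecond  = ntohl(event.event_microsecond);
    event.signature_id       = ntohl(event.signature_id);
    event.generator_id       = ntohl(event.generator_id);
    event.signature_revision = ntohl(event.signature_revision);
    event.classification_id  = ntohl(event.classification_id);
    event.priority_id        = ntohl(event.priority_id);
    event.ip_source          = ntohl(event.ip_source);
    event.ip_destination     = ntohl(event.ip_destination);
    /* 16-bit members; protocol, impact_flag and blocked are single bytes */
    event.sport_itype        = ntohs(event.sport_itype);
    event.dport_icode        = ntohs(event.dport_icode);
    event.mpls_label         = ntohl(event.mpls_label);
    event.vlanId             = ntohs(event.vlanId);
    event.pad2               = ntohs(event.pad2);   /* carries the policy id */

    /*
     * app_name is copied straight from the file and need not be NUL
     * terminated, so bound the print to the member's size instead of
     * letting "%s" run past it.
     */
    printf("\n(Event)\n"
           "\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n"
           "\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n"
           "\tpriority: %u\tip source: %u.%u.%u.%u\tip destination: %u.%u.%u.%u\n"
           "\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n"
           "\tmpls label: %u\tvland id: %u\tpolicy id: %u\tappid: %.*s\n",
           event.sensor_id, event.event_id, event.event_second, event.event_microsecond,
           event.signature_id, event.generator_id, event.signature_revision,
           event.classification_id, event.priority_id,
           TO_IP(event.ip_source), TO_IP(event.ip_destination),
           event.sport_itype, event.dport_icode, event.protocol,
           event.impact_flag, event.blocked,
           event.mpls_label, event.vlanId, event.pad2,
           (int)sizeof event.app_name, event.app_name);
}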
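/*
 * Print the 16-byte IPv6 address at p under label (e.g. "IPv6 Source
 * Address: 2001:db8::1", a constructed example). avail is how many payload
 * bytes the record claims to carry; a payload too short for an address is
 * reported instead of read. If inet_ntop cannot format the address, a fixed
 * marker is printed instead of whatever happened to be in the buffer.
 */
static void extradata_print_ip6(FILE *out_file, const char *label,
                                const uint8_t *p, size_t avail)
{
    struct in6_addr ipAddr;
    char ip6buf[INET6_ADDRSTRLEN + 1];

    if (avail < sizeof ipAddr) {
        fprintf(out_file, "%s: (truncated)\n", label);
        return;
    }
    memcpy(&ipAddr, p, sizeof ipAddr);
    if (inet_ntop(AF_INET6, &ipAddr, ip6buf, sizeof ip6buf) == NULL) {
        snprintf(ip6buf, sizeof ip6buf, "(unprintable)");
    }
    fprintf(out_file, "%s: %s\n", label, ip6buf);
}

/*
 * Dump a Unified2 extra-data record to out_file: the Unified2ExtraDataHdr,
 * the SerialUnified2ExtraData header that follows it, and then the payload
 * decoded according to event.type.
 *
 * event.blob_length comes from the file and is therefore untrusted. It is
 * checked against underflow below so that the "%.*s" precision can never go
 * negative (printf ignores a negative precision and would then read until
 * the next NUL, far past the record).
 *
 * NOTE(review): the payload length is still not bounded by the record's
 * total size, because the u2record size member is not visible from this
 * function; a blob_length larger than the record still reads past
 * record->data -- TODO confirm the caller's validation or add that bound.
 */
static void extradata_dump(const u2record *record, FILE *out_file)
{
    Unified2ExtraDataHdr eventHdr;
    SerialUnified2ExtraData event;
    const uint8_t *payload;
    const char *text_label = NULL;
    size_t blob_len;
    int len;

    memcpy(&eventHdr, record->data, sizeof eventHdr);
    memcpy(&event, record->data + sizeof eventHdr, sizeof event);
    payload = record->data + sizeof eventHdr + sizeof event;

    /* network to host ordering, one named member at a time */
    eventHdr.event_type   = ntohl(eventHdr.event_type);
    eventHdr.event_length = ntohl(eventHdr.event_length);
    event.sensor_id       = ntohl(event.sensor_id);
    event.event_id        = ntohl(event.event_id);
    event.event_second    = ntohl(event.event_second);
    event.type            = ntohl(event.type);
    event.data_type       = ntohl(event.data_type);
    event.blob_length     = ntohl(event.blob_length);

    fprintf(out_file, "\n(ExtraDataHdr)\n"
            "\tevent type: %u\tevent length: %u\n",
            eventHdr.event_type, eventHdr.event_length);

    fprintf(out_file, "\n(ExtraData)\n"
            "\tsensor id: %u\tevent id: %u\tevent second: %u\n"
            "\ttype: %u\tdatatype: %u\tbloblength: %u\t",
            event.sensor_id, event.event_id, event.event_second,
            event.type, event.data_type, event.blob_length);

    /*
     * blob_length counts the blob_length and data_type words themselves;
     * anything smaller is a malformed record and the subtraction would wrap.
     */
    if (event.blob_length < sizeof event.blob_length + sizeof event.data_type) {
        fprintf(out_file, "(malformed blob length)\n");
        return;
    }
    blob_len = event.blob_length - sizeof event.blob_length - sizeof event.data_type;
    /*
     * "%.*s" takes an int precision; a length above 0x7fffffff cannot be a
     * legitimate blob and would not fit, so treat it as malformed too.
     */
    if (blob_len > UINT32_MAX / 2) {
        fprintf(out_file, "(malformed blob length)\n");
        return;
    }
    len = (int)blob_len;

    switch (event.type) {
    case EVENT_INFO_XFF_IPV4: {
        uint32_t ip;

        if (blob_len < sizeof ip) {
            fprintf(out_file, "Original Client IP: (truncated)\n");
            break;
        }
        memcpy(&ip, payload, sizeof ip);
        ip = ntohl(ip);
        fprintf(out_file, "Original Client IP: %u.%u.%u.%u\n", TO_IP(ip));
        break;
    }
    case EVENT_INFO_XFF_IPV6:
        extradata_print_ip6(out_file, "Original Client IP", payload, blob_len);
        break;
    case EVENT_INFO_IPV6_SRC:
        extradata_print_ip6(out_file, "IPv6 Source Address", payload, blob_len);
        break;
    case EVENT_INFO_IPV6_DST:
        extradata_print_ip6(out_file, "IPv6 Destination Address", payload, blob_len);
        break;
    case EVENT_INFO_GZIP_DATA:
        text_label = "GZIP Decompressed Data: ";
        break;
    case EVENT_INFO_JSNORM_DATA:
        text_label = "Normalized JavaScript Data: ";
        break;
    case EVENT_INFO_SMTP_FILENAME:
        text_label = "SMTP Attachment Filename: ";
        break;
    case EVENT_INFO_SMTP_MAILFROM:
        text_label = "SMTP MAIL FROM Addresses: ";
        break;
    case EVENT_INFO_SMTP_RCPTTO:
        text_label = "SMTP RCPT TO Addresses: ";
        break;
    case EVENT_INFO_SMTP_EMAIL_HDRS:
        text_label = "SMTP EMAIL HEADERS: \n";
        break;
    case EVENT_INFO_HTTP_URI:
        text_label = "HTTP URI: ";
        break;
    case EVENT_INFO_HTTP_HOSTNAME:
        /*
         * Printed byte by byte so an embedded NUL does not cut it short and
         * control characters (terminal escapes, line breaks) are masked.
         */
        fprintf(out_file, "HTTP Hostname: ");
        for (int i = 0; i < len; i++) {
            fputc(iscntrl(payload[i]) ? '.' : payload[i], out_file);
        }
        fputc('\n', out_file);
        break;
    default:
        break;
    }

    /* the text payloads share one shape: a label, then at most len bytes */
    if (text_label != NULL) {
        fprintf(out_file, "%s%.*s\n", text_label, len, (const char *)payload);
    }
}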