static void event3_dump(u2record *record)
{
uint8_t *field;
int i;
Serial_Unified2IDSEvent event;
memcpy(&event, record->data, sizeof(Serial_Unified2IDSEvent));
/* network to host ordering */
/* In the event structure, only the last 40 bits are not 32 bit fields */
/* The first 11 fields need to be convertted */
field = (uint8_t*)&event;
for(i=0; i<11; i++, field+=4) {
*(uint32_t*)field = ntohl(*(uint32_t*)field);
}
/* last 3 fields, with the exception of the last most since it's just one byte */
*(uint16_t*)field = ntohs(*(uint16_t*)field); /* sport_itype */
field += 2;
*(uint16_t*)field = ntohs(*(uint16_t*)field); /* dport_icode */
field +=6;
*(uint32_t*)field = ntohl(*(uint32_t*)field); /* mpls_label */
field += 4;
/* policy_id and vlanid */
for(i=0; i<2; i++, field+=2) {
*(uint16_t*)field = ntohs(*(uint16_t*)field);
}
/* done changing the network ordering */
printf("\n(Event)\n"
"\tsensor id: %u\tevent id: %u\tevent second: %u\tevent microsecond: %u\n"
"\tsig id: %u\tgen id: %u\trevision: %u\t classification: %u\n"
"\tpriority: %u\tip source: %u.%u.%u.%u\tip destination: %u.%u.%u.%u\n"
"\tsrc port: %u\tdest port: %u\tprotocol: %u\timpact_flag: %u\tblocked: %u\n"
"\tmpls label: %u\tvland id: %u\tpolicy id: %u\tappid: %s\n",
event.sensor_id, event.event_id,
event.event_second, event.event_microsecond,
event.signature_id, event.generator_id,
event.signature_revision, event.classification_id,
event.priority_id, TO_IP(event.ip_source),
TO_IP(event.ip_destination), event.sport_itype,
event.dport_icode, event.protocol,
event.impact_flag, event.blocked,
event.mpls_label, event.vlanId, event.pad2, event.app_name);
}
static void extradata_dump(const u2record *record,FILE *out_file) {
uint8_t *field, *data;
int i;
int len = 0;
SerialUnified2ExtraData event;
Unified2ExtraDataHdr eventHdr;
uint32_t ip;
char ip6buf[INET6_ADDRSTRLEN+1];
struct in6_addr ipAddr;
memcpy(&eventHdr, record->data, sizeof(Unified2ExtraDataHdr));
memcpy(&event, record->data + sizeof(Unified2ExtraDataHdr) , sizeof(SerialUnified2ExtraData));
/* network to host ordering */
field = (uint8_t*)&eventHdr;
for(i=0; i<2; i++, field+=4) {
*(uint32_t*)field = ntohl(*(uint32_t*)field);
}
field = (uint8_t*)&event;
for(i=0; i<6; i++, field+=4) {
*(uint32_t*)field = ntohl(*(uint32_t*)field);
}
fprintf(out_file,"\n(ExtraDataHdr)\n"
"\tevent type: %u\tevent length: %u\n",
eventHdr.event_type, eventHdr.event_length);
fprintf(out_file,"\n(ExtraData)\n"
"\tsensor id: %u\tevent id: %u\tevent second: %u\n"
"\ttype: %u\tdatatype: %u\tbloblength: %u\t",
event.sensor_id, event.event_id,
event.event_second, event.type,
event.data_type, event.blob_length);
len = event.blob_length - sizeof(event.blob_length) - sizeof(event.data_type);
switch(event.type)
{
case EVENT_INFO_XFF_IPV4:
memcpy(&ip, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(uint32_t));
ip = ntohl(ip);
fprintf(out_file,"Original Client IP: %u.%u.%u.%u\n",
TO_IP(ip));
break;
case EVENT_INFO_XFF_IPV6:
memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr));
inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN);
fprintf(out_file,"Original Client IP: %s\n",
ip6buf);
break;
case EVENT_INFO_GZIP_DATA:
fprintf(out_file,"GZIP Decompressed Data: %.*s\n",
len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData));
break;
case EVENT_INFO_JSNORM_DATA:
fprintf(out_file,"Normalized JavaScript Data: %.*s\n",
len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData));
break;
case EVENT_INFO_SMTP_FILENAME:
fprintf(out_file,"SMTP Attachment Filename: %.*s\n",
len,record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData));
break;
case EVENT_INFO_SMTP_MAILFROM:
fprintf(out_file,"SMTP MAIL FROM Addresses: %.*s\n",
len,record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData));
break;
case EVENT_INFO_SMTP_RCPTTO:
fprintf(out_file,"SMTP RCPT TO Addresses: %.*s\n",
len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData));
break;
case EVENT_INFO_SMTP_EMAIL_HDRS:
fprintf(out_file,"SMTP EMAIL HEADERS: \n%.*s\n",
len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData));
break;
case EVENT_INFO_HTTP_URI:
fprintf(out_file,"HTTP URI: %.*s\n",
len, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData));
break;
case EVENT_INFO_HTTP_HOSTNAME:
fprintf(out_file,"HTTP Hostname: ");
data = record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData);
for(i=0; i < len; i++)
{
if(iscntrl(data[i]))
fprintf(out_file,"%c",'.');
else
fprintf(out_file,"%c",data[i]);
}
fprintf(out_file,"\n");
break;
case EVENT_INFO_IPV6_SRC:
memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr));
inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN);
fprintf(out_file,"IPv6 Source Address: %s\n",
ip6buf);
break;
case EVENT_INFO_IPV6_DST:
memcpy(&ipAddr, record->data + sizeof(Unified2ExtraDataHdr) + sizeof(SerialUnified2ExtraData), sizeof(struct in6_addr));
inet_ntop(AF_INET6, &ipAddr, ip6buf, INET6_ADDRSTRLEN);
fprintf(out_file,"IPv6 Destination Address: %s\n",
ip6buf);
break;
default :
break;
}
}
