/**
* \brief Create event impact description (see section
* 4.2.6.1 of RFC 4765).
* The impact contains the severity, completion (succeeded or failed)
* and basic classification of the attack type.
* Here, we don't set the completion since we don't know it (default
* is unknown).
*
* \return 0 if ok
*/
static int EventToImpact(PacketAlert *pa, Packet *p, idmef_alert_t *alert)
{
int ret;
prelude_string_t *str;
idmef_impact_t *impact;
idmef_assessment_t *assessment;
idmef_impact_severity_t severity;
SCEnter();
ret = idmef_alert_new_assessment(alert, &assessment);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_assessment_new_impact(assessment, &impact);
if ( ret < 0 )
SCReturnInt(ret);
if ( (unsigned int)pa->s->prio < mid_priority )
severity = IDMEF_IMPACT_SEVERITY_HIGH;
else if ( (unsigned int)pa->s->prio < low_priority )
severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
else if ( (unsigned int)pa->s->prio < info_priority )
severity = IDMEF_IMPACT_SEVERITY_LOW;
else
severity = IDMEF_IMPACT_SEVERITY_INFO;
idmef_impact_set_severity(impact, severity);
if (p->action & ACTION_DROP) {
idmef_action_t *action;
ret = idmef_action_new(&action);
if ( ret < 0 )
SCReturnInt(ret);
idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED);
idmef_assessment_set_action(assessment, action, 0);
}
if (pa->s->class_msg) {
ret = idmef_impact_new_description(impact, &str);
if ( ret < 0 )
SCReturnInt(ret);
prelude_string_set_ref(str, pa->s->class_msg);
}
SCReturnInt(0);
}
/**
* \brief Create event impact description (see section
* 4.2.6.1 of RFC 4765).
* The impact contains the severity, completion (succeeded or failed)
* and basic classification of the attack type.
* Here, we don't set the completion since we don't know it (default
* is unknown).
*
* \return 0 if ok
*/
static int EventToImpact(const PacketAlert *pa, const Packet *p, idmef_alert_t *alert)
{
int ret;
prelude_string_t *str;
idmef_impact_t *impact;
idmef_assessment_t *assessment;
idmef_impact_severity_t severity;
SCEnter();
ret = idmef_alert_new_assessment(alert, &assessment);
if (unlikely(ret < 0)) {
SCLogDebug("%s: error creating assessment: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(ret);
}
ret = idmef_assessment_new_impact(assessment, &impact);
if (unlikely(ret < 0)) {
SCLogDebug("%s: error creating assessment impact: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(ret);
}
if ( (unsigned int)pa->s->prio < mid_priority )
severity = IDMEF_IMPACT_SEVERITY_HIGH;
else if ( (unsigned int)pa->s->prio < low_priority )
severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
else if ( (unsigned int)pa->s->prio < info_priority )
severity = IDMEF_IMPACT_SEVERITY_LOW;
else
severity = IDMEF_IMPACT_SEVERITY_INFO;
idmef_impact_set_severity(impact, severity);
if (PACKET_TEST_ACTION(p, ACTION_DROP) ||
PACKET_TEST_ACTION(p, ACTION_REJECT) ||
PACKET_TEST_ACTION(p, ACTION_REJECT_DST) ||
PACKET_TEST_ACTION(p, ACTION_REJECT_BOTH) ) {
idmef_action_t *action;
ret = idmef_action_new(&action);
if (unlikely(ret < 0))
SCReturnInt(ret);
idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED);
idmef_assessment_set_action(assessment, action, 0);
}
if (pa->s->class_msg) {
ret = idmef_impact_new_description(impact, &str);
if (unlikely(ret < 0))
SCReturnInt(ret);
prelude_string_set_ref(str, pa->s->class_msg);
}
SCReturnInt(0);
}
