char *inet_ntoax(sfip_t *ip)
#endif
{
static char ip_buf1[INET6_ADDRSTRLEN];
static char ip_buf2[INET6_ADDRSTRLEN];
static int buf_num = 0;
int buf_size = INET6_ADDRSTRLEN;
char *ip_buf;
#ifndef SUP_IP6
uint32_t ip = ip_addr.s_addr;
#endif
if (buf_num)
ip_buf = ip_buf2;
else
ip_buf = ip_buf1;
buf_num ^= 1;
ip_buf[0] = 0;
#ifndef SUP_IP6
SnortSnprintf(ip_buf, buf_size, "%s", inet_ntoa(*((struct in_addr *)&ip)));
#else
SnortSnprintf(ip_buf, buf_size, "%s", inet_ntoa(ip));
#endif
return ip_buf;
}
int main( int argc, char ** argv )
{
int i,n=10;
KMAP * km;
char * p;
char str[80];
printf("usage: kmap nkeys (default=10)\n\n");
km = KMapNew( free ); /* use 'free' to free 'userdata' */
KMapSetNoCase(km,1); //need to add xlat....
if( argc > 1 )
{
n = atoi(argv[1]);
}
for(i=1;i<=n;i++)
{
SnortSnprintf(str, sizeof(str), "KeyWord%d",i);
KMapAdd( km, str, 0 /* strlen(str) */, strupr(strdup(str)) );
printf("Adding Key=%s\n",str);
}
printf("xmem: %u bytes, %d chars\n",xmalloc_bytes(),km->nchars);
printf("\nKey Find test...\n");
for(i=1;i<=n;i++)
{
SnortSnprintf(str, sizeof(str), "KeyWord%d",i);
p = (char*) KMapFind( km, str, 0 /*strlen(str) */ );
if(p)printf("key=%s, data=%*s\n",str,strlen(str),p);
else printf("'%s' NOT found.\n",str);
}
KMapSetNoCase(km,0); // this should fail all key searches
printf("\nKey Find test2...\n");
for(i=1;i<=n;i++)
{
SnortSnprintf(str, sizeof(str), "KeyWord%d",i);
p = (char*) KMapFind( km, str, 0 /*strlen(str) */ );
if(p)printf("key=%s, data=%*s\n",str,strlen(str),p);
else printf("'%s' NOT found.\n",str);
}
printf("\nKey FindFirst/Next test...\n");
for(p = (char*) KMapFindFirst(km); p; p=(char*)KMapFindNext(km) )
printf("data=%s\n",p);
printf("\nKey FindFirst/Next test done.\n");
KMapDelete( km );
printf("xmem: %u bytes\n",xmalloc_bytes());
printf("normal pgm finish.\n");
return 0;
}
char *print_interface(char *szInterface)
{
static char device[128];
if (szInterface == NULL)
return("NULL");
/* Device always ends with a double \0, so this way to
determine its length should be always valid */
if(IsTextUnicode(szInterface, wcslen((wchar_t *)szInterface), NULL))
SnortSnprintf(device, 128, "%S", (wchar_t *)szInterface);
else
SnortSnprintf(device, 128, "%s", szInterface);
return(device);
}
int ipset_print( IPSET * ipc )
{
char ip_str[80];
PORTRANGE * pr;
if( !ipc ) return 0;
{
IP_PORT * p;
printf("IPSET\n");
for( p =(IP_PORT*)sflist_first( &ipc->ip_list );
p!=0;
p =(IP_PORT*)sflist_next( &ipc->ip_list ) )
{
SnortSnprintf(ip_str, 80, "%s", sfip_to_str(&p->ip));
printf("CIDR BLOCK: %c%s", p->notflag ? '!' : ' ', ip_str);
for( pr=(PORTRANGE*)sflist_first(&p->portset.port_list);
pr != 0;
pr=(PORTRANGE*)sflist_next(&p->portset.port_list) )
{
printf(" %d", pr->port_lo);
if ( pr->port_hi != pr->port_lo )
printf("-%d", pr->port_hi);
}
printf("\n");
}
}
return 0;
}
/**print the ignored rule list.
*/
static void printIgnoredRules(
IgnoredRuleList *pIgnoredRuleList,
int any_any_flow
)
{
char six_sids = 0;
int sids_ignored = 0;
char buf[STD_BUF];
IgnoredRuleList *ignored_rule;
IgnoredRuleList *next_ignored_rule;
buf[0] = '\0';
for (ignored_rule = pIgnoredRuleList; ignored_rule != NULL; )
{
if (any_any_flow == 0)
{
if (six_sids == 1)
{
SnortSnprintfAppend(buf, STD_BUF-1, "\n");
LogMessage("%s", buf);
six_sids = 0;
}
if (sids_ignored == 0)
{
SnortSnprintf(buf, STD_BUF-1, " %d:%d",
ignored_rule->otn->sigInfo.generator,
ignored_rule->otn->sigInfo.id);
}
else
{
SnortSnprintfAppend(buf, STD_BUF-1, ", %d:%d",
ignored_rule->otn->sigInfo.generator,
ignored_rule->otn->sigInfo.id);
}
sids_ignored++;
if (sids_ignored %6 == 0)
{
/* Have it print next time through */
six_sids = 1;
sids_ignored = 0;
}
}
next_ignored_rule = ignored_rule->next;
free(ignored_rule);
ignored_rule = next_ignored_rule;
}
if (sids_ignored || six_sids)
{
SnortSnprintfAppend(buf, STD_BUF-1, "\n");
LogMessage("%s", buf);
}
}
int ip4_sprintx( char * s, int slen, void * ip4 )
{
int rc;
unsigned char * ip = (unsigned char *) ip4;
rc = SnortSnprintf(s, slen, "%d.%d.%d.%d", ip[3], ip[2], ip[1], ip[0]);
if( rc != SNORT_SNPRINTF_SUCCESS )
return -1;
return 0;
}
int ip6_sprintx( char * s, int slen, void * ip6 )
{
int rc;
unsigned short * ps = (unsigned short *) ip6;
rc = SnortSnprintf(s, slen, "%.1x:%.1x:%.1x:%.1x:%.1x:%.1x:%.1x:%.1x",
ps[7], ps[6], ps[5], ps[4], ps[3], ps[2], ps[1], ps[0]);
if( rc != SNORT_SNPRINTF_SUCCESS )
return -1;
return 0;
}
// XXX this implementation is just used to support
// Snort's underlying implementation better
SFIP_RET sfvt_define(vartable_t *table, char *name, char *value)
{
char *buf;
int len;
sfip_var_t *ipret = NULL;
SFIP_RET ret;
if(!name || !value) return SFIP_ARG_ERR;
len = strlen(name) + strlen(value) + 2;
if((buf = (char*)malloc(len)) == NULL)
{
return SFIP_FAILURE;
}
SnortSnprintf(buf, len, "%s %s", name, value);
ret = sfvt_add_str(table, buf, &ipret);
if ((ret == SFIP_SUCCESS) || (ret == SFIP_DUPLICATE))
ipret->value = sfvt_expand_value(table, value);
free(buf);
return ret;
}
/**
** This routine makes the portscan payload for the events. The listed
** info is:
** - priority count (number of error transmissions RST/ICMP UNREACH)
** - connection count (number of protocol connections SYN)
** - ip count (number of IPs that communicated with host)
** - ip range (low to high range of IPs)
** - port count (number of port changes that occurred on host)
** - port range (low to high range of ports connected too)
**
** @return integer
**
** @retval -1 buffer not large enough
** @retval 0 successful
*/
static int MakeProtoInfo(PS_PROTO *proto, u_char *buffer, u_int *total_size)
{
int dsize;
sfip_t *ip1, *ip2;
if(!total_size || !buffer)
return -1;
dsize = (g_tmp_pkt->max_dsize - *total_size);
if(dsize < PROTO_BUFFER_SIZE)
return -1;
ip1 = &proto->low_ip;
ip2 = &proto->high_ip;
if(proto->alerts == PS_ALERT_PORTSWEEP ||
proto->alerts == PS_ALERT_PORTSWEEP_FILTERED)
{
SnortSnprintf((char *)buffer, PROTO_BUFFER_SIZE,
"Priority Count: %d\n"
"Connection Count: %d\n"
"IP Count: %d\n"
"Scanned IP Range: %s:",
proto->priority_count,
proto->connection_count,
proto->u_ip_count,
inet_ntoa(ip1));
/* Now print the high ip into the buffer. This saves us
* from having to copy the results of inet_ntoa (which is
* a static buffer) to avoid the reuse of that buffer when
* more than one use of inet_ntoa is within the same printf.
*/
SnortSnprintfAppend((char *)buffer, PROTO_BUFFER_SIZE,
"%s\n"
"Port/Proto Count: %d\n"
"Port/Proto Range: %d:%d\n",
inet_ntoa(ip2),
proto->u_port_count,
proto->low_p,
proto->high_p);
}
else
{
SnortSnprintf((char *)buffer, PROTO_BUFFER_SIZE,
"Priority Count: %d\n"
"Connection Count: %d\n"
"IP Count: %d\n"
"Scanner IP Range: %s:",
proto->priority_count,
proto->connection_count,
proto->u_ip_count,
inet_ntoa(ip1)
);
/* Now print the high ip into the buffer. This saves us
* from having to copy the results of inet_ntoa (which is
* a static buffer) to avoid the reuse of that buffer when
* more than one use of inet_ntoa is within the same printf.
*/
SnortSnprintfAppend((char *)buffer, PROTO_BUFFER_SIZE,
"%s\n"
"Port/Proto Count: %d\n"
"Port/Proto Range: %d:%d\n",
inet_ntoa(ip2),
proto->u_port_count,
proto->low_p,
proto->high_p);
}
dsize = SnortStrnlen((const char *)buffer, PROTO_BUFFER_SIZE);
*total_size += dsize;
/*
** Set the payload size. This is protocol independent.
*/
g_tmp_pkt->dsize = dsize;
return 0;
}
static int event_to_source_target(Packet *p, idmef_alert_t *alert)
{
int ret;
idmef_node_t *node;
idmef_source_t *source;
idmef_target_t *target;
idmef_address_t *address;
idmef_service_t *service;
prelude_string_t *string;
static char saddr[128], daddr[128];
if ( !p )
return 0;
if ( ! p->iph )
return 0;
ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
if ( pv.interface ) {
ret = idmef_source_new_interface(source, &string);
if ( ret < 0 )
return ret;
prelude_string_set_ref(string, pv.interface);
}
ret = idmef_source_new_service(source, &service);
if ( ret < 0 )
return ret;
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->sp);
idmef_service_set_ip_version(service, IP_VER(p->iph));
idmef_service_set_iana_protocol_number(service, p->iph->ip_proto);
ret = idmef_source_new_node(source, &node);
if ( ret < 0 )
return ret;
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
return ret;
SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(p->iph->ip_src));
prelude_string_set_ref(string, saddr);
ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
if ( pv.interface ) {
ret = idmef_target_new_interface(target, &string);
if ( ret < 0 )
return ret;
prelude_string_set_ref(string, pv.interface);
}
ret = idmef_target_new_service(target, &service);
if ( ! ret < 0 )
return ret;
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->dp);
idmef_service_set_ip_version(service, IP_VER(p->iph));
idmef_service_set_iana_protocol_number(service, p->iph->ip_proto);
ret = idmef_target_new_node(target, &node);
if ( ret < 0 )
return ret;
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
return ret;
SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(p->iph->ip_dst));
prelude_string_set_ref(string, daddr);
return 0;
}
static int event_to_source_target(Packet *p, idmef_alert_t *alert)
{
int ret;
idmef_node_t *node;
idmef_source_t *source;
idmef_target_t *target;
idmef_address_t *address;
idmef_service_t *service;
prelude_string_t *string;
static char saddr[128], daddr[128];
if ( !p )
return 0;
if ( ! IPH_IS_VALID(p) )
return 0;
ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
if (barnyard2_conf->interface != NULL) {
ret = idmef_source_new_interface(source, &string);
if ( ret < 0 )
return ret;
prelude_string_set_ref(string, PRINT_INTERFACE(barnyard2_conf->interface));
}
ret = idmef_source_new_service(source, &service);
if ( ret < 0 )
return ret;
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->sp);
idmef_service_set_ip_version(service, GET_IPH_VER(p));
idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));
ret = idmef_source_new_node(source, &node);
if ( ret < 0 )
return ret;
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
return ret;
SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(GET_SRC_ADDR(p)));
prelude_string_set_ref(string, saddr);
ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
if (barnyard2_conf->interface != NULL) {
ret = idmef_target_new_interface(target, &string);
if ( ret < 0 )
return ret;
prelude_string_set_ref(string, barnyard2_conf->interface);
}
ret = idmef_target_new_service(target, &service);
if ( ! ret < 0 )
return ret;
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->dp);
idmef_service_set_ip_version(service, GET_IPH_VER(p));
idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));
ret = idmef_target_new_node(target, &node);
if ( ret < 0 )
return ret;
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
return ret;
SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(GET_DST_ADDR(p)));
prelude_string_set_ref(string, daddr);
return 0;
}
