/* output function */ static int OpAlertConsole(void *context, void *data) { char timestamp[256]; UnifiedAlertRecord *alert = (UnifiedAlertRecord *)data; ClassType *class; Sid *sid = NULL; char sip[16]; char dip[16]; if(!data) return -1; sid = GetSid(alert->event.sig_generator, alert->event.sig_id); class = GetClassType(alert->event.classification); if(RenderTimeval(&alert->ts, timestamp, 256) == -1) { /* could not render the timeval */ LogMessage("ERROR: OpAlertFast failed to render timeval\n"); return -1; } snprintf(sip, 16, "%u.%u.%u.%u", (alert->sip >> 24) & 0xff, (alert->sip >> 16) & 0xff, (alert->sip >> 8) & 0xff, alert->sip & 0xff); snprintf(dip, 16, "%u.%u.%u.%u", (alert->dip >> 24) & 0xff, (alert->dip >> 16) & 0xff, (alert->dip >> 8) & 0xff, alert->dip & 0xff); if(alert->protocol == IPPROTO_TCP || alert->protocol == IPPROTO_UDP) { fprintf(stdout, "%s {%s} %s:%d -> %s:%d\n" "[**] [%d:%d:%d] %s [**]\n" "[Classification: %s] [Priority: %d]\n", timestamp, protocol_names[alert->protocol], sip, alert->sp, dip, alert->dp, alert->event.sig_generator, alert->event.sig_id, alert->event.sig_rev, sid ? sid->msg : "ALERT", class ? class->name : "Unknown", alert->event.priority); }
int OpAcidDb_Log(void *context, void *data) { char timestamp[TIMEBUF_SIZE]; Sid *sid = NULL; ClassType *class_type; UnifiedLogRecord *record = (UnifiedLogRecord *)data; OpAcidDb_Data *op_data = (OpAcidDb_Data *)context; u_int32_t acid_sig_id; Packet p; #if 0 /* this is broken */ /* skip tagged packets, since the db does not have a mechanism to * deal with them properly */ if(record->log.event.event_reference) { LogMessage("Skipping tagged packet %i\n", record->log.event.event_reference); return 0; } #endif RenderTimestamp(record->log.pkth.ts.tv_sec, timestamp, TIMEBUF_SIZE); sid = GetSid(record->log.event.sig_generator, record->log.event.sig_id); if(sid == NULL) sid = FakeSid(record->log.event.sig_generator, record->log.event.sig_id); class_type = GetClassType(record->log.event.classification); if((acid_sig_id = AcidDbGetSigId(op_data, sid, class_type, record->log.event.priority)) == 0) { FatalError("op_acid_db: Failed to retrieve ACID DB sig id\n"); } /* Insert data into the event table */ if(snprintf(sql_buffer, MAX_QUERY_SIZE, "INSERT INTO event(sid, cid, signature, timestamp) " "VALUES('%u', '%u', '%u', '%s')", op_data->sensor_id, op_data->event_id, acid_sig_id, timestamp) < MAX_QUERY_SIZE) { //LogMessage("SQL: %s\n", sql_buffer); Insert(op_data, sql_buffer, NULL); /* XXX: Error checking */ } /* decode the packet */ if(DecodePacket(&p, &record->log.pkth, record->pkt + 2) == 0) { if(p.iph) { /* Insert ip header information */ InsertIPData(op_data, &p); /* store layer 4 data for non fragmented packets */ if(!(p.pkt_flags & PKT_FRAG_FLAG)) { switch(p.iph->ip_proto) { case IPPROTO_ICMP: InsertICMPData(op_data, &p); break; case IPPROTO_TCP: InsertTCPData(op_data, &p); break; case IPPROTO_UDP: InsertUDPData(op_data, &p); break; } } /* Insert payload data */ if(op_data->detail) InsertPayloadData(op_data, &p); } } ++op_data->event_id; return 0; }
int OpAcidDb_Alert(void *context, void *data) { char timestamp[TIMEBUF_SIZE]; Sid *sid = NULL; ClassType *class_type = NULL; UnifiedAlertRecord *record = (UnifiedAlertRecord *)data; OpAcidDb_Data *op_data = (OpAcidDb_Data *)context; u_int32_t acid_sig_id; RenderTimestamp(record->ts.tv_sec, timestamp, TIMEBUF_SIZE); sid = GetSid(record->event.sig_generator, record->event.sig_id); if(sid == NULL) sid = FakeSid(record->event.sig_generator, record->event.sig_id); if(!(class_type = GetClassType(record->event.classification)) && record->event.classification != 0) { LogMessage("WARNING: No ClassType found for classification '%i'\n", record->event.classification); } if((acid_sig_id = AcidDbGetSigId(op_data, sid, class_type, record->event.priority)) == 0) { FatalError("op_acid_db: Failed to retrieve ACID DB sig id\n"); } /* Insert data into the event table */ if(snprintf(sql_buffer, MAX_QUERY_SIZE, "INSERT INTO event(sid, cid, signature, timestamp) " "VALUES('%u', '%u', '%u', '%s')", op_data->sensor_id, op_data->event_id, acid_sig_id, timestamp) < MAX_QUERY_SIZE) { //LogMessage("SQL: %s\n", sql_buffer); Insert(op_data, sql_buffer, NULL); /* XXX: Error checking */ } /* insert data into the ip header table */ if(snprintf(sql_buffer, MAX_QUERY_SIZE, "INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto) " "VALUES('%u', '%u', '%u', '%u', '%u')", op_data->sensor_id, op_data->event_id, record->sip, record->dip, record->protocol) < MAX_QUERY_SIZE) { Insert(op_data, sql_buffer, NULL); /* XXX: Error checking */ } /* build the protocol specific header information */ switch(record->protocol) { case IPPROTO_TCP: if(snprintf(sql_buffer, MAX_QUERY_SIZE, "INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, " "tcp_flags) VALUES('%u', '%u', '%u', '%u', 0)", op_data->sensor_id, op_data->event_id, record->sp, record->dp) < MAX_QUERY_SIZE) { Insert(op_data, sql_buffer, NULL); /* XXX: Error checking */ } break; case IPPROTO_UDP: if(snprintf(sql_buffer, MAX_QUERY_SIZE, "INSERT INTO udphdr (sid, cid, udp_sport, udp_dport) " "VALUES('%u', '%u', '%u', '%u')", op_data->sensor_id, op_data->event_id, record->sp, record->dp) < MAX_QUERY_SIZE) { Insert(op_data, sql_buffer, NULL); /* XXX: Error checking */ } break; case IPPROTO_ICMP: if(snprintf(sql_buffer, MAX_QUERY_SIZE, "INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) " "VALUES('%u', '%u', '%u', '%u')", op_data->sensor_id, op_data->event_id, record->sp, record->dp) < MAX_QUERY_SIZE) { Insert(op_data, sql_buffer, NULL); /* XXX: Error Checking */ } break; } ++op_data->event_id; return 0; }
/* output function */ static int OpAlertSyslog2(void *context, void *data) { UnifiedAlertRecord *record; OpAlertSyslog2_Data *op_data; struct tm *tm; char src[16]; char dest[16]; ClassType *class_type = NULL; Sid *sid = NULL; int length; int rval; if(!data || !context) return -1; record = (UnifiedAlertRecord *)data; op_data = (OpAlertSyslog2_Data *)context; sid = GetSid(record->event.sig_generator, record->event.sig_id); class_type = GetClassType(record->event.classification); /* convert alert timestamp to struct tm using gmtime */ if(pv.localtime) tm = localtime(&record->ts.tv_sec); else tm = gmtime(&record->ts.tv_sec); memcpy(op_data->message_buffer + op_data->month_offset, month_values[tm->tm_mon], MONTH_LENGTH); strftime(op_data->message_buffer + op_data->timestamp_offset, TIMESTAMP_LENGTH + 1, "%e %H:%M:%S", tm); op_data->message_buffer[op_data->timestamp_offset + TIMESTAMP_LENGTH] = ' '; snprintf(src, 16, "%u.%u.%u.%u", (record->sip & 0xff000000) >> 24, (record->sip & 0x00ff0000) >> 16, (record->sip & 0x0000ff00) >> 8, record->sip & 0x000000ff); snprintf(dest, 16, "%u.%u.%u.%u", (record->dip & 0xff000000) >> 24, (record->dip & 0x00ff0000) >> 16, (record->dip & 0x0000ff00) >> 8, record->dip & 0x000000ff); switch(record->protocol) { case IPPROTO_TCP: case IPPROTO_UDP: length = snprintf(op_data->message_buffer + op_data->header_length, MESSAGE_LENGTH - op_data->header_length, "[%d:%d:%d] %s [Classification: %s] " "[Priority: %d] {%s} %s:%d -> %s:%d", record->event.sig_generator, record->event.sig_id, record->event.sig_rev, sid != NULL ? sid->msg : "ALERT", class_type != NULL ? class_type->name : "Unknown", record->event.priority, protocol_names[record->protocol], src, record->sp, dest, record->dp); break; case IPPROTO_ICMP: length = snprintf(op_data->message_buffer + op_data->header_length, MESSAGE_LENGTH - op_data->header_length, "[%d:%d:%d] %s [Classification: %s] " "[Priority: %d] {%s} %s -> %s", record->event.sig_generator, record->event.sig_id, record->event.sig_rev, sid != NULL ? sid->msg : "ALERT", class_type != NULL ? class_type->name : "Unknown", record->event.priority, protocol_names[record->protocol], src, dest); break; default: length = snprintf(op_data->message_buffer + op_data->header_length, MESSAGE_LENGTH - op_data->header_length, "[%d:%d:%d] %s [Classification: %s] " "[Priority: %d] {%s} %s -> %s", record->event.sig_generator, record->event.sig_id, record->event.sig_rev, sid != NULL ? sid->msg : "ALERT", class_type != NULL ? class_type->name : "Unknown", record->event.priority, protocol_names[record->protocol], src, dest); break; } if((rval = sendto(op_data->socket, op_data->message_buffer, op_data->header_length + length, 0, (struct sockaddr *)&op_data->sin, sizeof(op_data->sin))) == -1) LogMessage("%s: sendto error %u: %s\n", errno, strerror(errno)); return 0; }
/* * read or write I/O to a file * buffer is allocated by the procedure. path is UTF-8 */ BOOL FileIo(BOOL save, char* path, char** buffer, DWORD* size) { SECURITY_ATTRIBUTES s_attr, *ps = NULL; SECURITY_DESCRIPTOR s_desc; PSID sid = NULL; HANDLE handle; BOOL r; BOOL ret = FALSE; // Change the owner from admin to regular user sid = GetSid(); if ( (sid != NULL) && InitializeSecurityDescriptor(&s_desc, SECURITY_DESCRIPTOR_REVISION) && SetSecurityDescriptorOwner(&s_desc, sid, FALSE) ) { s_attr.nLength = sizeof(SECURITY_ATTRIBUTES); s_attr.bInheritHandle = FALSE; s_attr.lpSecurityDescriptor = &s_desc; ps = &s_attr; } else { dprintf("could not set security descriptor: %s", WindowsErrorString()); } if (!save) { *buffer = NULL; } handle = CreateFileU(path, save?GENERIC_WRITE:GENERIC_READ, FILE_SHARE_READ, ps, save?CREATE_ALWAYS:OPEN_EXISTING, 0, NULL); if (handle == INVALID_HANDLE_VALUE) { dprintf("Could not %s file '%s'", save?"create":"open", path); goto out; } if (save) { r = WriteFile(handle, *buffer, *size, size, NULL); } else { *size = GetFileSize(handle, NULL); *buffer = (char*)malloc(*size); if (*buffer == NULL) { dprintf("Could not allocate buffer for reading file"); goto out; } r = ReadFile(handle, *buffer, *size, size, NULL); } if (!r) { dprintf("I/O Error: %s", WindowsErrorString()); goto out; } dsprintf("%s '%s'", save?"Saved file as":"Opened file", path); ret = TRUE; out: CloseHandle(handle); if (!ret) { // Only leave a buffer allocated if successful *size = 0; if (!save) { safe_free(*buffer); } } return ret; }
bool AddLockMemoryPrivilege() { CPolicy policy; LSA_OBJECT_ATTRIBUTES attr; attr.Length = sizeof(attr); attr.RootDirectory = NULL; attr.ObjectName = NULL; attr.Attributes = 0; attr.SecurityDescriptor = NULL; attr.SecurityQualityOfService = NULL; if (policy.Open(NULL, &attr, // GENERIC_WRITE) POLICY_ALL_ACCESS) // STANDARD_RIGHTS_REQUIRED, // GENERIC_READ | GENERIC_EXECUTE | POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES) != 0) return false; LSA_UNICODE_STRING userRights; UString s = GetUnicodeString(SE_LOCK_MEMORY_NAME); SetLsaString((LPWSTR)(LPCWSTR)s, &userRights); WCHAR userName[256 + 2]; DWORD size = 256; if (!GetUserNameW(userName, &size)) return false; PSID psid = GetSid(userName); if (psid == NULL) return false; bool res = false; /* PLSA_UNICODE_STRING userRightsArray; ULONG countOfRights; NTSTATUS status = policy.EnumerateAccountRights(psid, &userRightsArray, &countOfRights); if (status != 0) return false; bool finded = false; for (ULONG i = 0; i < countOfRights; i++) { LSA_UNICODE_STRING &ur = userRightsArray[i]; if (ur.Length != s.Length() * sizeof(WCHAR)) continue; if (wcsncmp(ur.Buffer, s, s.Length()) != 0) continue; finded = true; res = true; break; } if (!finded) */ { /* LSA_ENUMERATION_INFORMATION *enums; ULONG countReturned; NTSTATUS status = policy.EnumerateAccountsWithUserRight(&userRights, &enums, &countReturned); if (status == 0) { for (ULONG i = 0; i < countReturned; i++) MyLookupSids(policy, enums[i].Sid); if (enums) ::LsaFreeMemory(enums); res = true; } */ NTSTATUS status = policy.AddAccountRights(psid, &userRights); if (status == 0) res = true; // ULONG res = LsaNtStatusToWinError(status); } HeapFree(GetProcessHeap(), 0, psid); return res; }
/* sguil only uses log */ int OpSguil_Log(void *context, void *data) { char timestamp[TIMEBUF_SIZE]; char syslogMessage[SYSLOG_BUF]; char eventInfo[SYSLOG_BUF]; //int MAX_INSERT_LEN = 1024; char insertColumns[MAX_QUERY_SIZE]; char insertValues[MAX_QUERY_SIZE]; char valuesTemp[MAX_QUERY_SIZE]; char ipInfo[38]; char portInfo[16]; char *esc_message; Sid *sid = NULL; ClassType *class_type; UnifiedLogRecord *record = (UnifiedLogRecord *)data; OpSguil_Data *op_data = (OpSguil_Data *)context; Packet p; bzero(syslogMessage, SYSLOG_BUF); bzero(insertColumns, MAX_QUERY_SIZE); bzero(insertValues, MAX_QUERY_SIZE); #if 0 /* this is broken */ /* skip tagged packets, since the db does not have a mechanism to * deal with them properly */ if(record->log.event.event_reference) { LogMessage("Skipping tagged packet %i\n", record->log.event.event_reference); return 0; } #endif RenderTimestamp(record->log.pkth.ts.tv_sec, timestamp, TIMEBUF_SIZE); //fprintf(stdout, "Timestamp: %lu\n", GetMilliseconds()); //fflush(stdout); sid = GetSid(record->log.event.sig_generator, record->log.event.sig_id); if(sid == NULL) sid = FakeSid(record->log.event.sig_generator, record->log.event.sig_id); class_type = GetClassType(record->log.event.classification); //sgBeginTransaction(op_data); /* XXX: Error checking */ /* Build the event insert. */ snprintf(insertColumns, MAX_QUERY_SIZE, "INSERT INTO event (status, sid, cid, signature_id, signature_rev, signature, timestamp, priority, class"); esc_message = malloc(strlen(sid->msg)*2+1); mysql_real_escape_string(op_data->mysql, esc_message, sid->msg, strlen(sid->msg)); if(class_type == NULL) { snprintf(valuesTemp, MAX_QUERY_SIZE, "VALUES ('0', '%u', '%u', '%d', '%d', '%s', '%s', '%u', 'unknown'", op_data->sensor_id, op_data->event_id, sid->sid, sid->rev, esc_message, timestamp, record->log.event.priority); snprintf(eventInfo, SYSLOG_BUF, "RTEvent |0|%u|unknown|%s|%s|%u|%u|%s", record->log.event.priority, pv.hostname, timestamp, op_data->sensor_id, op_data->event_id, sid->msg); } else { snprintf(valuesTemp, MAX_QUERY_SIZE, "VALUES ('0', '%u', '%u', '%d', '%d', '%s', '%s', '%u', '%s'", op_data->sensor_id, op_data->event_id, sid->sid, sid->rev, esc_message, timestamp, record->log.event.priority, class_type->type); snprintf(eventInfo, SYSLOG_BUF, "RTEvent |0|%u|%s|%s|%s|%u|%u|%s", record->log.event.priority, class_type->type, pv.hostname, timestamp, op_data->sensor_id, op_data->event_id, sid->msg); } free(esc_message); insertValues[0] = '\0'; strcat(insertValues, valuesTemp); syslogMessage[0] = '\0'; strcat(syslogMessage, eventInfo); /* decode the packet */ if(DecodePacket(&p, &record->log.pkth, record->pkt + 2) == 0) { if(p.iph) { /* Insert ip header information */ //InsertIPData(op_data, &p); strcat(insertColumns, ",src_ip, dst_ip, ip_proto, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_csum"); snprintf(valuesTemp, MAX_QUERY_SIZE, ",'%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u'", ntohl(p.iph->ip_src.s_addr), ntohl(p.iph->ip_dst.s_addr), p.iph->ip_proto, IP_VER(p.iph), IP_HLEN(p.iph), p.iph->ip_tos, ntohs(p.iph->ip_len), ntohs(p.iph->ip_id), #if defined(WORDS_BIGENDIAN) ((p.iph->ip_off & 0xE000) >> 13), htons(p.iph->ip_off & 0x1FFF), #else ((p.iph->ip_off & 0x00E0) >> 5), htons(p.iph->ip_off & 0xFF1F), #endif p.iph->ip_ttl, htons(p.iph->ip_csum) < MAX_QUERY_SIZE); strcat(insertValues, valuesTemp); /* SYSLOG - Changed to SguilSendEvent*/ snprintf(ipInfo, 38, "|%u.%u.%u.%u|%u.%u.%u.%u|%u", #if defined(WORDS_BIGENDIAN) (p.iph->ip_src.s_addr & 0xff000000) >> 24, (p.iph->ip_src.s_addr & 0x00ff0000) >> 16, (p.iph->ip_src.s_addr & 0x0000ff00) >> 8, (p.iph->ip_src.s_addr & 0x000000ff), (p.iph->ip_dst.s_addr & 0xff000000) >> 24, (p.iph->ip_dst.s_addr & 0x00ff0000) >> 16, (p.iph->ip_dst.s_addr & 0x0000ff00) >> 8, (p.iph->ip_dst.s_addr & 0x000000ff), #else (p.iph->ip_src.s_addr & 0x000000ff), (p.iph->ip_src.s_addr & 0x0000ff00) >> 8, (p.iph->ip_src.s_addr & 0x00ff0000) >> 16, (p.iph->ip_src.s_addr & 0xff000000) >> 24, (p.iph->ip_dst.s_addr & 0x000000ff), (p.iph->ip_dst.s_addr & 0x0000ff00) >> 8, (p.iph->ip_dst.s_addr & 0x00ff0000) >> 16, (p.iph->ip_dst.s_addr & 0xff000000) >> 24, #endif p.iph->ip_proto); strcat(syslogMessage, ipInfo); /* store layer 4 data for non fragmented packets */ if(!(p.pkt_flags & PKT_FRAG_FLAG)) { switch(p.iph->ip_proto) { case IPPROTO_ICMP: snprintf(portInfo, 16, "|||"); if(!p.icmph) break; strcat(insertColumns, ", icmp_type, icmp_code)"); snprintf(valuesTemp, MAX_QUERY_SIZE, ", '%u', '%u')", p.icmph->icmp_type, p.icmph->icmp_code); strcat(insertValues, valuesTemp); strcat(insertColumns, insertValues); sgInsert(op_data, insertColumns, NULL); sgInsertICMPData(op_data, &p); break; case IPPROTO_TCP: strcat(insertColumns, ", src_port, dst_port)"); snprintf(valuesTemp, MAX_QUERY_SIZE, ", '%u', '%u')", p.sp, p.dp); strcat(insertValues, valuesTemp); strcat(insertColumns, insertValues); sgInsert(op_data, insertColumns, NULL); sgInsertTCPData(op_data, &p); snprintf(portInfo, 16, "|%u|%u|", p.sp, p.dp); break; case IPPROTO_UDP: strcat(insertColumns, ", src_port, dst_port)"); snprintf(valuesTemp, MAX_QUERY_SIZE, ", '%u', '%u')", p.sp, p.dp); strcat(insertValues, valuesTemp); strcat(insertColumns, insertValues); sgInsert(op_data, insertColumns, NULL); sgInsertUDPData(op_data, &p); snprintf(portInfo, 16, "|%u|%u|", p.sp, p.dp); break; } strcat(syslogMessage, portInfo); } else { strcat(syslogMessage, "|||"); } /* Insert payload data */ sgInsertPayloadData(op_data, &p); } else {