/* output function */
static int OpAlertConsole(void *context, void *data)
{
char timestamp[256];
UnifiedAlertRecord *alert = (UnifiedAlertRecord *)data;
ClassType *class;
Sid *sid = NULL;
char sip[16];
char dip[16];
if(!data)
return -1;
sid = GetSid(alert->event.sig_generator, alert->event.sig_id);
class = GetClassType(alert->event.classification);
if(RenderTimeval(&alert->ts, timestamp, 256) == -1)
{
/* could not render the timeval */
LogMessage("ERROR: OpAlertFast failed to render timeval\n");
return -1;
}
snprintf(sip, 16, "%u.%u.%u.%u",
(alert->sip >> 24) & 0xff,
(alert->sip >> 16) & 0xff,
(alert->sip >> 8) & 0xff,
alert->sip & 0xff);
snprintf(dip, 16, "%u.%u.%u.%u",
(alert->dip >> 24) & 0xff,
(alert->dip >> 16) & 0xff,
(alert->dip >> 8) & 0xff,
alert->dip & 0xff);
if(alert->protocol == IPPROTO_TCP ||
alert->protocol == IPPROTO_UDP)
{
fprintf(stdout, "%s {%s} %s:%d -> %s:%d\n"
"[**] [%d:%d:%d] %s [**]\n"
"[Classification: %s] [Priority: %d]\n", timestamp,
protocol_names[alert->protocol], sip, alert->sp,
dip, alert->dp, alert->event.sig_generator,
alert->event.sig_id, alert->event.sig_rev,
sid ? sid->msg : "ALERT",
class ? class->name : "Unknown",
alert->event.priority);
}
int OpAcidDb_Log(void *context, void *data)
{
char timestamp[TIMEBUF_SIZE];
Sid *sid = NULL;
ClassType *class_type;
UnifiedLogRecord *record = (UnifiedLogRecord *)data;
OpAcidDb_Data *op_data = (OpAcidDb_Data *)context;
u_int32_t acid_sig_id;
Packet p;
#if 0 /* this is broken */
/* skip tagged packets, since the db does not have a mechanism to
* deal with them properly
*/
if(record->log.event.event_reference)
{
LogMessage("Skipping tagged packet %i\n", record->log.event.event_reference);
return 0;
}
#endif
RenderTimestamp(record->log.pkth.ts.tv_sec, timestamp, TIMEBUF_SIZE);
sid = GetSid(record->log.event.sig_generator, record->log.event.sig_id);
if(sid == NULL)
sid = FakeSid(record->log.event.sig_generator, record->log.event.sig_id);
class_type = GetClassType(record->log.event.classification);
if((acid_sig_id = AcidDbGetSigId(op_data, sid, class_type,
record->log.event.priority)) == 0)
{
FatalError("op_acid_db: Failed to retrieve ACID DB sig id\n");
}
/* Insert data into the event table */
if(snprintf(sql_buffer, MAX_QUERY_SIZE,
"INSERT INTO event(sid, cid, signature, timestamp) "
"VALUES('%u', '%u', '%u', '%s')",
op_data->sensor_id, op_data->event_id, acid_sig_id,
timestamp) < MAX_QUERY_SIZE)
{
//LogMessage("SQL: %s\n", sql_buffer);
Insert(op_data, sql_buffer, NULL); /* XXX: Error checking */
}
/* decode the packet */
if(DecodePacket(&p, &record->log.pkth, record->pkt + 2) == 0)
{
if(p.iph)
{
/* Insert ip header information */
InsertIPData(op_data, &p);
/* store layer 4 data for non fragmented packets */
if(!(p.pkt_flags & PKT_FRAG_FLAG))
{
switch(p.iph->ip_proto)
{
case IPPROTO_ICMP:
InsertICMPData(op_data, &p);
break;
case IPPROTO_TCP:
InsertTCPData(op_data, &p);
break;
case IPPROTO_UDP:
InsertUDPData(op_data, &p);
break;
}
}
/* Insert payload data */
if(op_data->detail)
InsertPayloadData(op_data, &p);
}
}
++op_data->event_id;
return 0;
}
int OpAcidDb_Alert(void *context, void *data)
{
char timestamp[TIMEBUF_SIZE];
Sid *sid = NULL;
ClassType *class_type = NULL;
UnifiedAlertRecord *record = (UnifiedAlertRecord *)data;
OpAcidDb_Data *op_data = (OpAcidDb_Data *)context;
u_int32_t acid_sig_id;
RenderTimestamp(record->ts.tv_sec, timestamp, TIMEBUF_SIZE);
sid = GetSid(record->event.sig_generator, record->event.sig_id);
if(sid == NULL)
sid = FakeSid(record->event.sig_generator, record->event.sig_id);
if(!(class_type = GetClassType(record->event.classification))
&& record->event.classification != 0)
{
LogMessage("WARNING: No ClassType found for classification '%i'\n",
record->event.classification);
}
if((acid_sig_id = AcidDbGetSigId(op_data, sid, class_type,
record->event.priority)) == 0)
{
FatalError("op_acid_db: Failed to retrieve ACID DB sig id\n");
}
/* Insert data into the event table */
if(snprintf(sql_buffer, MAX_QUERY_SIZE,
"INSERT INTO event(sid, cid, signature, timestamp) "
"VALUES('%u', '%u', '%u', '%s')",
op_data->sensor_id, op_data->event_id, acid_sig_id,
timestamp) < MAX_QUERY_SIZE)
{
//LogMessage("SQL: %s\n", sql_buffer);
Insert(op_data, sql_buffer, NULL); /* XXX: Error checking */
}
/* insert data into the ip header table */
if(snprintf(sql_buffer, MAX_QUERY_SIZE,
"INSERT INTO iphdr(sid, cid, ip_src, ip_dst, ip_proto) "
"VALUES('%u', '%u', '%u', '%u', '%u')",
op_data->sensor_id, op_data->event_id, record->sip,
record->dip, record->protocol) < MAX_QUERY_SIZE)
{
Insert(op_data, sql_buffer, NULL); /* XXX: Error checking */
}
/* build the protocol specific header information */
switch(record->protocol)
{
case IPPROTO_TCP:
if(snprintf(sql_buffer, MAX_QUERY_SIZE,
"INSERT INTO tcphdr (sid, cid, tcp_sport, tcp_dport, "
"tcp_flags) VALUES('%u', '%u', '%u', '%u', 0)",
op_data->sensor_id, op_data->event_id, record->sp,
record->dp) < MAX_QUERY_SIZE)
{
Insert(op_data, sql_buffer, NULL); /* XXX: Error checking */
}
break;
case IPPROTO_UDP:
if(snprintf(sql_buffer, MAX_QUERY_SIZE,
"INSERT INTO udphdr (sid, cid, udp_sport, udp_dport) "
"VALUES('%u', '%u', '%u', '%u')",
op_data->sensor_id, op_data->event_id, record->sp,
record->dp) < MAX_QUERY_SIZE)
{
Insert(op_data, sql_buffer, NULL); /* XXX: Error checking */
}
break;
case IPPROTO_ICMP:
if(snprintf(sql_buffer, MAX_QUERY_SIZE,
"INSERT INTO icmphdr (sid, cid, icmp_type, icmp_code) "
"VALUES('%u', '%u', '%u', '%u')",
op_data->sensor_id, op_data->event_id, record->sp,
record->dp) < MAX_QUERY_SIZE)
{
Insert(op_data, sql_buffer, NULL); /* XXX: Error Checking */
}
break;
}
++op_data->event_id;
return 0;
}
/* output function */
static int OpAlertSyslog2(void *context, void *data)
{
UnifiedAlertRecord *record;
OpAlertSyslog2_Data *op_data;
struct tm *tm;
char src[16];
char dest[16];
ClassType *class_type = NULL;
Sid *sid = NULL;
int length;
int rval;
if(!data || !context)
return -1;
record = (UnifiedAlertRecord *)data;
op_data = (OpAlertSyslog2_Data *)context;
sid = GetSid(record->event.sig_generator, record->event.sig_id);
class_type = GetClassType(record->event.classification);
/* convert alert timestamp to struct tm using gmtime */
if(pv.localtime)
tm = localtime(&record->ts.tv_sec);
else
tm = gmtime(&record->ts.tv_sec);
memcpy(op_data->message_buffer + op_data->month_offset,
month_values[tm->tm_mon], MONTH_LENGTH);
strftime(op_data->message_buffer + op_data->timestamp_offset,
TIMESTAMP_LENGTH + 1, "%e %H:%M:%S", tm);
op_data->message_buffer[op_data->timestamp_offset + TIMESTAMP_LENGTH] = ' ';
snprintf(src, 16, "%u.%u.%u.%u", (record->sip & 0xff000000) >> 24,
(record->sip & 0x00ff0000) >> 16, (record->sip & 0x0000ff00) >> 8,
record->sip & 0x000000ff);
snprintf(dest, 16, "%u.%u.%u.%u", (record->dip & 0xff000000) >> 24,
(record->dip & 0x00ff0000) >> 16, (record->dip & 0x0000ff00) >> 8,
record->dip & 0x000000ff);
switch(record->protocol)
{
case IPPROTO_TCP:
case IPPROTO_UDP:
length = snprintf(op_data->message_buffer + op_data->header_length,
MESSAGE_LENGTH - op_data->header_length,
"[%d:%d:%d] %s [Classification: %s] "
"[Priority: %d] {%s} %s:%d -> %s:%d",
record->event.sig_generator, record->event.sig_id,
record->event.sig_rev, sid != NULL ? sid->msg : "ALERT",
class_type != NULL ? class_type->name : "Unknown",
record->event.priority, protocol_names[record->protocol],
src, record->sp, dest, record->dp);
break;
case IPPROTO_ICMP:
length = snprintf(op_data->message_buffer + op_data->header_length,
MESSAGE_LENGTH - op_data->header_length,
"[%d:%d:%d] %s [Classification: %s] "
"[Priority: %d] {%s} %s -> %s",
record->event.sig_generator, record->event.sig_id,
record->event.sig_rev, sid != NULL ? sid->msg : "ALERT",
class_type != NULL ? class_type->name : "Unknown",
record->event.priority, protocol_names[record->protocol],
src, dest);
break;
default:
length = snprintf(op_data->message_buffer + op_data->header_length,
MESSAGE_LENGTH - op_data->header_length,
"[%d:%d:%d] %s [Classification: %s] "
"[Priority: %d] {%s} %s -> %s",
record->event.sig_generator, record->event.sig_id,
record->event.sig_rev, sid != NULL ? sid->msg : "ALERT",
class_type != NULL ? class_type->name : "Unknown",
record->event.priority, protocol_names[record->protocol],
src, dest);
break;
}
if((rval = sendto(op_data->socket, op_data->message_buffer,
op_data->header_length + length, 0,
(struct sockaddr *)&op_data->sin,
sizeof(op_data->sin))) == -1)
LogMessage("%s: sendto error %u: %s\n", errno, strerror(errno));
return 0;
}
/*
* read or write I/O to a file
* buffer is allocated by the procedure. path is UTF-8
*/
BOOL FileIo(BOOL save, char* path, char** buffer, DWORD* size)
{
SECURITY_ATTRIBUTES s_attr, *ps = NULL;
SECURITY_DESCRIPTOR s_desc;
PSID sid = NULL;
HANDLE handle;
BOOL r;
BOOL ret = FALSE;
// Change the owner from admin to regular user
sid = GetSid();
if ( (sid != NULL)
&& InitializeSecurityDescriptor(&s_desc, SECURITY_DESCRIPTOR_REVISION)
&& SetSecurityDescriptorOwner(&s_desc, sid, FALSE) ) {
s_attr.nLength = sizeof(SECURITY_ATTRIBUTES);
s_attr.bInheritHandle = FALSE;
s_attr.lpSecurityDescriptor = &s_desc;
ps = &s_attr;
} else {
dprintf("could not set security descriptor: %s", WindowsErrorString());
}
if (!save) {
*buffer = NULL;
}
handle = CreateFileU(path, save?GENERIC_WRITE:GENERIC_READ, FILE_SHARE_READ,
ps, save?CREATE_ALWAYS:OPEN_EXISTING, 0, NULL);
if (handle == INVALID_HANDLE_VALUE) {
dprintf("Could not %s file '%s'", save?"create":"open", path);
goto out;
}
if (save) {
r = WriteFile(handle, *buffer, *size, size, NULL);
} else {
*size = GetFileSize(handle, NULL);
*buffer = (char*)malloc(*size);
if (*buffer == NULL) {
dprintf("Could not allocate buffer for reading file");
goto out;
}
r = ReadFile(handle, *buffer, *size, size, NULL);
}
if (!r) {
dprintf("I/O Error: %s", WindowsErrorString());
goto out;
}
dsprintf("%s '%s'", save?"Saved file as":"Opened file", path);
ret = TRUE;
out:
CloseHandle(handle);
if (!ret) {
// Only leave a buffer allocated if successful
*size = 0;
if (!save) {
safe_free(*buffer);
}
}
return ret;
}
bool AddLockMemoryPrivilege()
{
CPolicy policy;
LSA_OBJECT_ATTRIBUTES attr;
attr.Length = sizeof(attr);
attr.RootDirectory = NULL;
attr.ObjectName = NULL;
attr.Attributes = 0;
attr.SecurityDescriptor = NULL;
attr.SecurityQualityOfService = NULL;
if (policy.Open(NULL, &attr,
// GENERIC_WRITE)
POLICY_ALL_ACCESS)
// STANDARD_RIGHTS_REQUIRED,
// GENERIC_READ | GENERIC_EXECUTE | POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES)
!= 0)
return false;
LSA_UNICODE_STRING userRights;
UString s = GetUnicodeString(SE_LOCK_MEMORY_NAME);
SetLsaString((LPWSTR)(LPCWSTR)s, &userRights);
WCHAR userName[256 + 2];
DWORD size = 256;
if (!GetUserNameW(userName, &size))
return false;
PSID psid = GetSid(userName);
if (psid == NULL)
return false;
bool res = false;
/*
PLSA_UNICODE_STRING userRightsArray;
ULONG countOfRights;
NTSTATUS status = policy.EnumerateAccountRights(psid, &userRightsArray, &countOfRights);
if (status != 0)
return false;
bool finded = false;
for (ULONG i = 0; i < countOfRights; i++)
{
LSA_UNICODE_STRING &ur = userRightsArray[i];
if (ur.Length != s.Length() * sizeof(WCHAR))
continue;
if (wcsncmp(ur.Buffer, s, s.Length()) != 0)
continue;
finded = true;
res = true;
break;
}
if (!finded)
*/
{
/*
LSA_ENUMERATION_INFORMATION *enums;
ULONG countReturned;
NTSTATUS status = policy.EnumerateAccountsWithUserRight(&userRights, &enums, &countReturned);
if (status == 0)
{
for (ULONG i = 0; i < countReturned; i++)
MyLookupSids(policy, enums[i].Sid);
if (enums)
::LsaFreeMemory(enums);
res = true;
}
*/
NTSTATUS status = policy.AddAccountRights(psid, &userRights);
if (status == 0)
res = true;
// ULONG res = LsaNtStatusToWinError(status);
}
HeapFree(GetProcessHeap(), 0, psid);
return res;
}
/* sguil only uses log */
int OpSguil_Log(void *context, void *data)
{
char timestamp[TIMEBUF_SIZE];
char syslogMessage[SYSLOG_BUF];
char eventInfo[SYSLOG_BUF];
//int MAX_INSERT_LEN = 1024;
char insertColumns[MAX_QUERY_SIZE];
char insertValues[MAX_QUERY_SIZE];
char valuesTemp[MAX_QUERY_SIZE];
char ipInfo[38];
char portInfo[16];
char *esc_message;
Sid *sid = NULL;
ClassType *class_type;
UnifiedLogRecord *record = (UnifiedLogRecord *)data;
OpSguil_Data *op_data = (OpSguil_Data *)context;
Packet p;
bzero(syslogMessage, SYSLOG_BUF);
bzero(insertColumns, MAX_QUERY_SIZE);
bzero(insertValues, MAX_QUERY_SIZE);
#if 0 /* this is broken */
/* skip tagged packets, since the db does not have a mechanism to
* deal with them properly
*/
if(record->log.event.event_reference)
{
LogMessage("Skipping tagged packet %i\n", record->log.event.event_reference);
return 0;
}
#endif
RenderTimestamp(record->log.pkth.ts.tv_sec, timestamp, TIMEBUF_SIZE);
//fprintf(stdout, "Timestamp: %lu\n", GetMilliseconds());
//fflush(stdout);
sid = GetSid(record->log.event.sig_generator, record->log.event.sig_id);
if(sid == NULL)
sid = FakeSid(record->log.event.sig_generator, record->log.event.sig_id);
class_type = GetClassType(record->log.event.classification);
//sgBeginTransaction(op_data); /* XXX: Error checking */
/* Build the event insert. */
snprintf(insertColumns, MAX_QUERY_SIZE,
"INSERT INTO event (status, sid, cid, signature_id, signature_rev, signature, timestamp, priority, class");
esc_message = malloc(strlen(sid->msg)*2+1);
mysql_real_escape_string(op_data->mysql, esc_message, sid->msg, strlen(sid->msg));
if(class_type == NULL)
{
snprintf(valuesTemp, MAX_QUERY_SIZE,
"VALUES ('0', '%u', '%u', '%d', '%d', '%s', '%s', '%u', 'unknown'",
op_data->sensor_id, op_data->event_id, sid->sid, sid->rev, esc_message, timestamp,
record->log.event.priority);
snprintf(eventInfo, SYSLOG_BUF, "RTEvent |0|%u|unknown|%s|%s|%u|%u|%s",
record->log.event.priority,
pv.hostname, timestamp, op_data->sensor_id, op_data->event_id,
sid->msg);
}
else
{
snprintf(valuesTemp, MAX_QUERY_SIZE,
"VALUES ('0', '%u', '%u', '%d', '%d', '%s', '%s', '%u', '%s'",
op_data->sensor_id, op_data->event_id, sid->sid, sid->rev, esc_message, timestamp,
record->log.event.priority, class_type->type);
snprintf(eventInfo, SYSLOG_BUF, "RTEvent |0|%u|%s|%s|%s|%u|%u|%s",
record->log.event.priority, class_type->type,
pv.hostname, timestamp, op_data->sensor_id, op_data->event_id,
sid->msg);
}
free(esc_message);
insertValues[0] = '\0';
strcat(insertValues, valuesTemp);
syslogMessage[0] = '\0';
strcat(syslogMessage, eventInfo);
/* decode the packet */
if(DecodePacket(&p, &record->log.pkth, record->pkt + 2) == 0)
{
if(p.iph)
{
/* Insert ip header information */
//InsertIPData(op_data, &p);
strcat(insertColumns,
",src_ip, dst_ip, ip_proto, ip_ver, ip_hlen, ip_tos, ip_len, ip_id, ip_flags, ip_off, ip_ttl, ip_csum");
snprintf(valuesTemp, MAX_QUERY_SIZE,
",'%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u', '%u'",
ntohl(p.iph->ip_src.s_addr), ntohl(p.iph->ip_dst.s_addr), p.iph->ip_proto, IP_VER(p.iph),
IP_HLEN(p.iph), p.iph->ip_tos, ntohs(p.iph->ip_len), ntohs(p.iph->ip_id),
#if defined(WORDS_BIGENDIAN)
((p.iph->ip_off & 0xE000) >> 13),
htons(p.iph->ip_off & 0x1FFF),
#else
((p.iph->ip_off & 0x00E0) >> 5),
htons(p.iph->ip_off & 0xFF1F),
#endif
p.iph->ip_ttl,
htons(p.iph->ip_csum) < MAX_QUERY_SIZE);
strcat(insertValues, valuesTemp);
/* SYSLOG - Changed to SguilSendEvent*/
snprintf(ipInfo, 38, "|%u.%u.%u.%u|%u.%u.%u.%u|%u",
#if defined(WORDS_BIGENDIAN)
(p.iph->ip_src.s_addr & 0xff000000) >> 24,
(p.iph->ip_src.s_addr & 0x00ff0000) >> 16,
(p.iph->ip_src.s_addr & 0x0000ff00) >> 8,
(p.iph->ip_src.s_addr & 0x000000ff),
(p.iph->ip_dst.s_addr & 0xff000000) >> 24,
(p.iph->ip_dst.s_addr & 0x00ff0000) >> 16,
(p.iph->ip_dst.s_addr & 0x0000ff00) >> 8,
(p.iph->ip_dst.s_addr & 0x000000ff),
#else
(p.iph->ip_src.s_addr & 0x000000ff),
(p.iph->ip_src.s_addr & 0x0000ff00) >> 8,
(p.iph->ip_src.s_addr & 0x00ff0000) >> 16,
(p.iph->ip_src.s_addr & 0xff000000) >> 24,
(p.iph->ip_dst.s_addr & 0x000000ff),
(p.iph->ip_dst.s_addr & 0x0000ff00) >> 8,
(p.iph->ip_dst.s_addr & 0x00ff0000) >> 16,
(p.iph->ip_dst.s_addr & 0xff000000) >> 24,
#endif
p.iph->ip_proto);
strcat(syslogMessage, ipInfo);
/* store layer 4 data for non fragmented packets */
if(!(p.pkt_flags & PKT_FRAG_FLAG))
{
switch(p.iph->ip_proto)
{
case IPPROTO_ICMP:
snprintf(portInfo, 16, "|||");
if(!p.icmph)
break;
strcat(insertColumns,
", icmp_type, icmp_code)");
snprintf(valuesTemp, MAX_QUERY_SIZE,
", '%u', '%u')", p.icmph->icmp_type,
p.icmph->icmp_code);
strcat(insertValues, valuesTemp);
strcat(insertColumns, insertValues);
sgInsert(op_data, insertColumns, NULL);
sgInsertICMPData(op_data, &p);
break;
case IPPROTO_TCP:
strcat(insertColumns,
", src_port, dst_port)");
snprintf(valuesTemp, MAX_QUERY_SIZE,
", '%u', '%u')", p.sp, p.dp);
strcat(insertValues, valuesTemp);
strcat(insertColumns, insertValues);
sgInsert(op_data, insertColumns, NULL);
sgInsertTCPData(op_data, &p);
snprintf(portInfo, 16, "|%u|%u|",
p.sp, p.dp);
break;
case IPPROTO_UDP:
strcat(insertColumns,
", src_port, dst_port)");
snprintf(valuesTemp, MAX_QUERY_SIZE,
", '%u', '%u')", p.sp, p.dp);
strcat(insertValues, valuesTemp);
strcat(insertColumns, insertValues);
sgInsert(op_data, insertColumns, NULL);
sgInsertUDPData(op_data, &p);
snprintf(portInfo, 16, "|%u|%u|",
p.sp, p.dp);
break;
}
strcat(syslogMessage, portInfo);
}
else
{
strcat(syslogMessage, "|||");
}
/* Insert payload data */
sgInsertPayloadData(op_data, &p);
}
else
{
