static int event_to_impact(void *event, idmef_alert_t *alert)
{
int ret;
ClassType *cn;
prelude_string_t *str;
idmef_impact_t *impact;
idmef_assessment_t *assessment;
idmef_impact_severity_t severity;
/* store and convert once */
/*TODO: detemine required return code for event being NULL */
u_int32_t event_priority = ntohl(((Unified2EventCommon *)event)->priority_id);
ret = idmef_alert_new_assessment(alert, &assessment);
if ( ret < 0 )
return ret;
ret = idmef_assessment_new_impact(assessment, &impact);
if ( ret < 0 )
return ret;
if ( event_priority < mid_priority )
severity = IDMEF_IMPACT_SEVERITY_HIGH;
else if ( event_priority < low_priority )
severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
else if ( event_priority < info_priority )
severity = IDMEF_IMPACT_SEVERITY_LOW;
else severity = IDMEF_IMPACT_SEVERITY_INFO;
idmef_impact_set_severity(impact, severity);
cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
if ( cn != NULL ) {
ret = idmef_impact_new_description(impact, &str);
if ( ret < 0 )
return ret;
prelude_string_set_ref(str, cn->name);
}
return 0;
}
/*--------------------------------------------------------------------
* Function: LogPriorityData()
*
* Purpose: Prints out priority data associated with an alert
*
* Arguments: log => pointer to TextLog to write the data to
* doNewLine => tack a \n to the end of the line or not (bool)
*
* Returns: void function
*--------------------------------------------------------------------
*/
void LogPriorityData(TextLog* log, uint32_t cid, uint32_t priority, bool doNewLine)
{
ClassType *cn = ClassTypeLookupById(barnyard2_conf, cid);
if ( cn != NULL )
{
TextLog_Print(
log, "[Classification: %s] [Priority: %d] ",
cn->name, priority
);
}
else
{
TextLog_Print(log, "[Priority: %d] ", priority);
}
if ( doNewLine )
TextLog_NewLine(log);
}
void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
{
OpSyslog_Data *syslogContext = NULL;
Unified2EventCommon *iEvent = NULL;
SigNode *sn = NULL;
ClassType *cn = NULL;
char sip[16] = {0};
char dip[16] = {0};
if( (p == NULL) ||
(event == NULL) ||
(arg == NULL))
{
LogMessage("OpSyslog_Alert(): Invoked with Packet[0x%x] Event[0x%x] Event Type [%u] Context pointer[0x%x]\n",
p,
event,
event_type,
arg);
return;
}
if(event_type != UNIFIED2_IDS_EVENT)
{
LogMessage("OpSyslog_Alert(): Is currently unable to handle Event Type [%u] \n",
event_type);
return;
}
syslogContext = (OpSyslog_Data *)arg;
iEvent = event;
memset(syslogContext->payload,'\0',(SYSLOG_MAX_QUERY_SIZE));
memset(syslogContext->formatBuffer,'\0',(SYSLOG_MAX_QUERY_SIZE));
syslogContext->payload_current_pos = 0;
syslogContext->format_current_pos = 0;
switch(syslogContext->operation_mode)
{
case 0: /* Ze Classic (Requested) */
if(IPH_IS_VALID(p))
{
if (strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(sip)) >= sizeof(sip))
{
FatalError("[%s()], strlcpy() error , bailing \n",
__FUNCTION__);
return;
}
if (strlcpy(dip, inet_ntoa(GET_DST_ADDR(p)), sizeof(dip)) >= sizeof(dip))
{
FatalError("[%s()], strlcpy() error , bailing \n",
__FUNCTION__);
return;
}
}
sn = GetSigByGidSid(ntohl(iEvent->generator_id),
ntohl(iEvent->signature_id));
cn = ClassTypeLookupById(barnyard2_conf,
ntohl(iEvent->classification_id));
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"[%u:%u:%u] ",
ntohl(iEvent->generator_id),
ntohl(iEvent->signature_id),
ntohl(iEvent->signature_revision))) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
if(sn != NULL)
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"%s ",
sn->msg)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
else
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"ALERT ")) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
if(cn != NULL)
{
if( cn->name )
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"[Classification: %s] [Priority: %d]:",
cn->name,
ntohl(((Unified2EventCommon *)event)->priority_id))) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
else if( ntohl(((Unified2EventCommon *)event)->priority_id) != 0 )
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"[Priority: %d]:",
ntohl(((Unified2EventCommon *)event)->priority_id))) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
if( (IPH_IS_VALID(p)) &&
(((GET_IPH_PROTO(p) != IPPROTO_TCP &&
GET_IPH_PROTO(p) != IPPROTO_UDP &&
GET_IPH_PROTO(p) != IPPROTO_ICMP) ||
p->frag_flag)))
{
if(!BcAlertInterface())
{
if(protocol_names[GET_IPH_PROTO(p)])
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
" {%s} %s -> %s",
protocol_names[GET_IPH_PROTO(p)],
sip, dip)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
else
{
if(protocol_names[GET_IPH_PROTO(p)])
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
" <%s> {%s} %s -> %s",
barnyard2_conf->interface,
protocol_names[GET_IPH_PROTO(p)],
sip, dip)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
}
else
{
if(BcAlertInterface())
{
if(protocol_names[GET_IPH_PROTO(p)])
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
" <%s> {%s} %s:%i -> %s:%i",
barnyard2_conf->interface,
protocol_names[GET_IPH_PROTO(p)], sip,
p->sp, dip, p->dp)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
else
{
if(protocol_names[GET_IPH_PROTO(p)])
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
" {%s} %s:%i -> %s:%i",
protocol_names[GET_IPH_PROTO(p)], sip, p->sp,
dip, p->dp)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
break;
case 1: /* Ze verbose */
if(Syslog_FormatTrigger(syslogContext, iEvent,0) )
{
LogMessage("WARNING: Unable to append Trigger header.\n");
return;
}
/* Support for portscan ip */
if(p->iph)
{
if(Syslog_FormatIPHeaderAlert(syslogContext, p) )
{
LogMessage("WARNING: Unable to append Trigger header.\n");
return;
}
}
if(p->iph)
{
/* build the protocol specific header information */
switch(p->iph->ip_proto)
{
case IPPROTO_TCP:
Syslog_FormatTCPHeaderAlert(syslogContext, p);
break;
case IPPROTO_UDP:
Syslog_FormatUDPHeaderAlert(syslogContext, p);
break;
case IPPROTO_ICMP:
Syslog_FormatICMPHeaderAlert(syslogContext, p);
break;
}
}
/* CHECKME: -elz will update formating later on .. */
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"\n")) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("Couldn't finalize payload string ....\n");
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
break;
default:
FatalError("[%s()]: Unknown operation_mode ... bailing \n",
__FUNCTION__);
break;
}
if(NetSend(syslogContext))
{
NetClose(syslogContext);
if(syslogContext->local_logging != 1)
{
FatalError("NetSend(): call failed for host:port '%s:%u' bailing...\n", syslogContext->server, syslogContext->port);
}
}
return;
}
static int Syslog_FormatTrigger(OpSyslog_Data *syslogData, Unified2EventCommon *pEvent,int opType)
{
char tSigBuf[256] = {0};
char *timestamp_string = NULL;
SigNode *sn = NULL;
ClassType *cn = NULL;
//ReferenceNode *rn = NULL;
if( (syslogData == NULL) ||
(pEvent == NULL))
{
/* XXX */
return 1;
}
switch(opType)
{
case 0:
/* Alert */
if( (syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"[SNORTIDS[ALERT]: [%s] }", syslogData->sensor_name)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
return 1;
}
break;
case 1:
/* Log */
if( (syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"[SNORTIDS[LOG]: [%s] ]", syslogData->sensor_name)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
return 1;
}
break;
default:
/* XXX */
LogMessage("Syslog_FormatTrigger(): Unknown [%d] operation mode \n",opType);
return 1;
break;
}
if( OpSyslog_Concat(syslogData))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
if( (timestamp_string = GetTimestampByComponent(
ntohl(pEvent->event_second),
ntohl(pEvent->event_microsecond),
GetLocalTimezone())) == NULL)
{
/* XXX */
/* Something went wrong ...we create a little string? */
if( (timestamp_string = malloc(256)) == NULL)
{
/* XXX */
return 1;
}
memset(timestamp_string,'\0',256);
snprintf(timestamp_string,256,"sec:[%u] msec:[%u] Second away from UTC:[%u] ",
ntohl(pEvent->event_second),
ntohl(pEvent->event_microsecond),
GetLocalTimezone());
}
snprintf(tSigBuf,256,"Snort Alert [%u:%u:%u]",
ntohl(pEvent->generator_id),
ntohl(pEvent->signature_id),
ntohl(pEvent->signature_revision));
sn = GetSigByGidSid(ntohl(pEvent->generator_id),
ntohl(pEvent->signature_id));
cn = ClassTypeLookupById(barnyard2_conf,
ntohl(pEvent->classification_id));
if( (syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"%s%c%u%c%s",
timestamp_string,syslogData->field_separators,
ntohl(pEvent->priority_id),syslogData->field_separators,
sn != NULL ? sn->msg : tSigBuf)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
free(timestamp_string);
return 1;
}
if( OpSyslog_Concat(syslogData))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
if(cn)
{
if( (syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"%s",
cn->type)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
free(timestamp_string);
return 1;
}
}
else
{
if( ( syslogData->format_current_pos += snprintf(syslogData->formatBuffer,SYSLOG_MAX_QUERY_SIZE,"%s",
"[Unknown Classification]") >= SYSLOG_MAX_QUERY_SIZE))
{
/* XXX */
free(timestamp_string);
return 1;
}
}
if( OpSyslog_Concat(syslogData))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
/*CHECKME: -elz Need to investigate */
//Syslog_FormatReference(syslogData, sn->refs);
free(timestamp_string);
return 0;
}
