static void LogFilestoreLogCreateMetaFile(Packet *p, File *ff, char *filename, int ipver) { char metafilename[PATH_MAX] = ""; snprintf(metafilename, sizeof(metafilename), "%s.meta", filename); FILE *fp = fopen(metafilename, "w+"); if (fp != NULL) { char timebuf[64]; CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); fprintf(fp, "TIME: %s\n", timebuf); if (p->pcap_cnt > 0) { fprintf(fp, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt); } char srcip[46], dstip[46]; Port sp, dp; switch (ipver) { case AF_INET: PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); break; case AF_INET6: PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); break; default: strlcpy(srcip, "<unknown>", sizeof(srcip)); strlcpy(dstip, "<unknown>", sizeof(dstip)); break; } sp = p->sp; dp = p->dp; fprintf(fp, "SRC IP: %s\n", srcip); fprintf(fp, "DST IP: %s\n", dstip); fprintf(fp, "PROTO: %" PRIu32 "\n", p->proto); if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) { fprintf(fp, "SRC PORT: %" PRIu16 "\n", sp); fprintf(fp, "DST PORT: %" PRIu16 "\n", dp); } fprintf(fp, "HTTP URI: "); LogFilestoreMetaGetUri(fp, p, ff); fprintf(fp, "\n"); fprintf(fp, "HTTP HOST: "); LogFilestoreMetaGetHost(fp, p, ff); fprintf(fp, "\n"); fprintf(fp, "HTTP REFERER: "); LogFilestoreMetaGetReferer(fp, p, ff); fprintf(fp, "\n"); fprintf(fp, "FILENAME: "); PrintRawUriFp(fp, ff->name, ff->name_len); fprintf(fp, "\n"); fclose(fp); } }
static void LogFilestoreMetaGetUri(FILE *fp, Packet *p, File *ff) { HtpState *htp_state = (HtpState *)p->flow->alstate; if (htp_state != NULL) { htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, ff->txid); if (tx != NULL && tx->request_uri_normalized != NULL) { PrintRawUriFp(fp, (uint8_t *)bstr_ptr(tx->request_uri_normalized), bstr_len(tx->request_uri_normalized)); return; } } fprintf(fp, "<unknown>"); }
static void LogFilestoreMetaGetHost(FILE *fp, const Packet *p, const File *ff) { HtpState *htp_state = (HtpState *)p->flow->alstate; if (htp_state != NULL) { htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, ff->txid); if (tx != NULL && tx->request_hostname != NULL) { PrintRawUriFp(fp, (uint8_t *)bstr_ptr(tx->request_hostname), bstr_len(tx->request_hostname)); return; } } fprintf(fp, "<unknown>"); }
static void LogFilestoreMetaGetSmtp(FILE *fp, const Packet *p, const File *ff) { SMTPState *state = (SMTPState *) p->flow->alstate; if (state != NULL) { SMTPTransaction *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_SMTP, state, ff->txid); if (tx == NULL || tx->msg_tail == NULL) return; /* Message Id */ if (tx->msg_tail->msg_id != NULL) { fprintf(fp, "MESSAGE-ID: "); PrintRawUriFp(fp, (uint8_t *) tx->msg_tail->msg_id, tx->msg_tail->msg_id_len); fprintf(fp, "\n"); } /* Sender */ MimeDecField *field = MimeDecFindField(tx->msg_tail, "from"); if (field != NULL) { fprintf(fp, "SENDER: "); PrintRawUriFp(fp, (uint8_t *) field->value, field->value_len); fprintf(fp, "\n"); } } }
static void LogFilestoreMetaGetUri(FILE *fp, const Packet *p, const File *ff) { HtpState *htp_state = (HtpState *)p->flow->alstate; if (htp_state != NULL) { htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, ff->txid); if (tx != NULL) { HtpTxUserData *tx_ud = htp_tx_get_user_data(tx); if (tx_ud->request_uri_normalized != NULL) { PrintRawUriFp(fp, bstr_ptr(tx_ud->request_uri_normalized), bstr_len(tx_ud->request_uri_normalized)); } return; } } fprintf(fp, "<unknown>"); }
static void LogFilestoreMetaGetUserAgent(FILE *fp, const Packet *p, const File *ff) { HtpState *htp_state = (HtpState *)p->flow->alstate; if (htp_state != NULL) { htp_tx_t *tx = AppLayerParserGetTx(IPPROTO_TCP, ALPROTO_HTTP, htp_state, ff->txid); if (tx != NULL) { htp_header_t *h = NULL; h = (htp_header_t *)htp_table_get_c(tx->request_headers, "User-Agent"); if (h != NULL) { PrintRawUriFp(fp, (uint8_t *)bstr_ptr(h->value), bstr_len(h->value)); return; } } } fprintf(fp, "<unknown>"); }
static void LogFilestoreMetaGetReferer(FILE *fp, Packet *p, File *ff) { HtpState *htp_state = (HtpState *)p->flow->alstate; if (htp_state != NULL) { htp_tx_t *tx = list_get(htp_state->connp->conn->transactions, ff->txid); if (tx != NULL) { table_t *headers; headers = tx->request_headers; htp_header_t *h = NULL; table_iterator_reset(headers); while (table_iterator_next(headers, (void **)&h) != NULL) { if (bstr_len(h->name) >= 7 && SCMemcmpLowercase((uint8_t *)"referer", (uint8_t *)bstr_ptr(h->name), bstr_len(h->name)) == 0) { PrintRawUriFp(fp, (uint8_t *)bstr_ptr(h->value), bstr_len(h->value)); return; } } } } fprintf(fp, "<unknown>"); }
void EngineAnalysisFP(Signature *s, char *line) { int fast_pattern_set = 0; int fast_pattern_only_set = 0; int fast_pattern_chop_set = 0; DetectContentData *fp_cd = NULL; SigMatch *mpm_sm = s->mpm_sm; if (mpm_sm != NULL) { fp_cd = (DetectContentData *)mpm_sm->ctx; if (fp_cd->flags & DETECT_CONTENT_FAST_PATTERN) { fast_pattern_set = 1; if (fp_cd->flags & DETECT_CONTENT_FAST_PATTERN_ONLY) { fast_pattern_only_set = 1; } else if (fp_cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) { fast_pattern_chop_set = 1; } } } fprintf(fp_engine_analysis_FD, "== Sid: %u ==\n", s->id); fprintf(fp_engine_analysis_FD, "%s\n", line); fprintf(fp_engine_analysis_FD, " Fast Pattern analysis:\n"); if (fp_cd == NULL) { fprintf(fp_engine_analysis_FD, " No content present\n"); fprintf(fp_engine_analysis_FD, "\n"); return; } fprintf(fp_engine_analysis_FD, " Fast pattern matcher: "); int list_type = SigMatchListSMBelongsTo(s, mpm_sm); if (list_type == DETECT_SM_LIST_PMATCH) fprintf(fp_engine_analysis_FD, "content\n"); else if (list_type == DETECT_SM_LIST_UMATCH) fprintf(fp_engine_analysis_FD, "http uri content\n"); else if (list_type == DETECT_SM_LIST_HRUDMATCH) fprintf(fp_engine_analysis_FD, "http raw uri content\n"); else if (list_type == DETECT_SM_LIST_HHDMATCH) fprintf(fp_engine_analysis_FD, "http header content\n"); else if (list_type == DETECT_SM_LIST_HRHDMATCH) fprintf(fp_engine_analysis_FD, "http raw header content\n"); else if (list_type == DETECT_SM_LIST_HMDMATCH) fprintf(fp_engine_analysis_FD, "http method content\n"); else if (list_type == DETECT_SM_LIST_HCDMATCH) fprintf(fp_engine_analysis_FD, "http cookie content\n"); else if (list_type == DETECT_SM_LIST_HCBDMATCH) fprintf(fp_engine_analysis_FD, "http client body content\n"); else if (list_type == DETECT_SM_LIST_HSBDMATCH) fprintf(fp_engine_analysis_FD, "http server body content\n"); else if (list_type == DETECT_SM_LIST_HSCDMATCH) fprintf(fp_engine_analysis_FD, "http stat code content\n"); else if (list_type == DETECT_SM_LIST_HSMDMATCH) fprintf(fp_engine_analysis_FD, "http stat msg content\n"); else if (list_type == DETECT_SM_LIST_HUADMATCH) fprintf(fp_engine_analysis_FD, "http user agent content\n"); int flags_set = 0; fprintf(fp_engine_analysis_FD, " Flags:"); if (fp_cd->flags & DETECT_CONTENT_OFFSET) { fprintf(fp_engine_analysis_FD, " Offset"); flags_set = 1; } if (fp_cd->flags & DETECT_CONTENT_DEPTH) { fprintf(fp_engine_analysis_FD, " Depth"); flags_set = 1; } if (fp_cd->flags & DETECT_CONTENT_WITHIN) { fprintf(fp_engine_analysis_FD, " Within"); flags_set = 1; } if (fp_cd->flags & DETECT_CONTENT_DISTANCE) { fprintf(fp_engine_analysis_FD, " Distance"); flags_set = 1; } if (fp_cd->flags & DETECT_CONTENT_NOCASE) { fprintf(fp_engine_analysis_FD, " Nocase"); flags_set = 1; } if (fp_cd->flags & DETECT_CONTENT_NEGATED) { fprintf(fp_engine_analysis_FD, " Negated"); flags_set = 1; } if (flags_set == 0) fprintf(fp_engine_analysis_FD, " None"); fprintf(fp_engine_analysis_FD, "\n"); fprintf(fp_engine_analysis_FD, " Fast pattern set: %s\n", fast_pattern_set ? "yes" : "no"); fprintf(fp_engine_analysis_FD, " Fast pattern only set: %s\n", fast_pattern_only_set ? "yes" : "no"); fprintf(fp_engine_analysis_FD, " Fast pattern chop set: %s\n", fast_pattern_chop_set ? "yes" : "no"); if (fast_pattern_chop_set) { fprintf(fp_engine_analysis_FD, " Fast pattern offset, length: %u, %u\n", fp_cd->fp_chop_offset, fp_cd->fp_chop_len); } uint16_t patlen = fp_cd->content_len; uint8_t *pat = SCMalloc(fp_cd->content_len + 1); if (unlikely(pat == NULL)) { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); exit(EXIT_FAILURE); } memcpy(pat, fp_cd->content, fp_cd->content_len); pat[fp_cd->content_len] = '\0'; fprintf(fp_engine_analysis_FD, " Original content: "); PrintRawUriFp(fp_engine_analysis_FD, pat, patlen); fprintf(fp_engine_analysis_FD, "\n"); if (fast_pattern_chop_set) { SCFree(pat); patlen = fp_cd->fp_chop_len; pat = SCMalloc(fp_cd->fp_chop_len + 1); if (unlikely(pat == NULL)) { exit(EXIT_FAILURE); } memcpy(pat, fp_cd->content + fp_cd->fp_chop_offset, fp_cd->fp_chop_len); pat[fp_cd->fp_chop_len] = '\0'; fprintf(fp_engine_analysis_FD, " Final content: "); PrintRawUriFp(fp_engine_analysis_FD, pat, patlen); fprintf(fp_engine_analysis_FD, "\n"); } else { fprintf(fp_engine_analysis_FD, " Final content: "); PrintRawUriFp(fp_engine_analysis_FD, pat, patlen); fprintf(fp_engine_analysis_FD, "\n"); } SCFree(pat); fprintf(fp_engine_analysis_FD, "\n"); return; }
static void EngineAnalysisRulesPrintFP(Signature *s) { DetectContentData *fp_cd = NULL; SigMatch *mpm_sm = s->mpm_sm; if (mpm_sm != NULL) { fp_cd = (DetectContentData *)mpm_sm->ctx; } if (fp_cd == NULL) { return; } uint16_t patlen = fp_cd->content_len; uint8_t *pat = SCMalloc(fp_cd->content_len + 1); if (unlikely(pat == NULL)) { SCLogError(SC_ERR_MEM_ALLOC, "Error allocating memory"); exit(EXIT_FAILURE); } memcpy(pat, fp_cd->content, fp_cd->content_len); pat[fp_cd->content_len] = '\0'; if (fp_cd->flags & DETECT_CONTENT_FAST_PATTERN_CHOP) { SCFree(pat); patlen = fp_cd->fp_chop_len; pat = SCMalloc(fp_cd->fp_chop_len + 1); if (unlikely(pat == NULL)) { exit(EXIT_FAILURE); } memcpy(pat, fp_cd->content + fp_cd->fp_chop_offset, fp_cd->fp_chop_len); pat[fp_cd->fp_chop_len] = '\0'; fprintf(rule_engine_analysis_FD, " Fast Pattern \""); PrintRawUriFp(rule_engine_analysis_FD, pat, patlen); } else { fprintf(rule_engine_analysis_FD, " Fast Pattern \""); PrintRawUriFp(rule_engine_analysis_FD, pat, patlen); } SCFree(pat); fprintf(rule_engine_analysis_FD, "\" on \""); int list_type = SigMatchListSMBelongsTo(s, mpm_sm); if (list_type == DETECT_SM_LIST_PMATCH) { int payload = 0; int stream = 0; if (SignatureHasPacketContent(s)) payload = 1; if (SignatureHasStreamContent(s)) stream = 1; fprintf(rule_engine_analysis_FD, "%s", payload ? (stream ? "payload and reassembled stream" : "payload") : "reassembled stream"); } else if (list_type == DETECT_SM_LIST_UMATCH) fprintf(rule_engine_analysis_FD, "http uri content"); else if (list_type == DETECT_SM_LIST_HRUDMATCH) fprintf(rule_engine_analysis_FD, "http raw uri content"); else if (list_type == DETECT_SM_LIST_HHDMATCH) fprintf(rule_engine_analysis_FD, "http header content"); else if (list_type == DETECT_SM_LIST_HRHDMATCH) fprintf(rule_engine_analysis_FD, "http raw header content"); else if (list_type == DETECT_SM_LIST_HMDMATCH) fprintf(rule_engine_analysis_FD, "http method content"); else if (list_type == DETECT_SM_LIST_HCDMATCH) fprintf(rule_engine_analysis_FD, "http cookie content"); else if (list_type == DETECT_SM_LIST_HCBDMATCH) fprintf(rule_engine_analysis_FD, "http client body content"); else if (list_type == DETECT_SM_LIST_HSBDMATCH) fprintf(rule_engine_analysis_FD, "http server body content"); else if (list_type == DETECT_SM_LIST_HSCDMATCH) fprintf(rule_engine_analysis_FD, "http stat code content"); else if (list_type == DETECT_SM_LIST_HSMDMATCH) fprintf(rule_engine_analysis_FD, "http stat msg content"); else if (list_type == DETECT_SM_LIST_HUADMATCH) fprintf(rule_engine_analysis_FD, "http user agent content"); else if (list_type == DETECT_SM_LIST_DNSQUERY_MATCH) fprintf(rule_engine_analysis_FD, "dns query name content"); fprintf(rule_engine_analysis_FD, "\" buffer.\n"); return; }
static void LogFilestoreLogCreateMetaFile(const Packet *p, const File *ff, char *base_filename, int ipver) { if (!FileWriteMeta()) return; char metafilename[PATH_MAX] = ""; if (snprintf(metafilename, sizeof(metafilename), "%s.meta%s", base_filename, g_working_file_suffix) == sizeof(metafilename)) return; FILE *fp = fopen(metafilename, "w+"); if (fp != NULL) { char timebuf[64]; CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); fprintf(fp, "TIME: %s\n", timebuf); if (p->pcap_cnt > 0) { fprintf(fp, "PCAP PKT NUM: %"PRIu64"\n", p->pcap_cnt); } char srcip[46], dstip[46]; Port sp, dp; switch (ipver) { case AF_INET: PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, sizeof(srcip)); PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, sizeof(dstip)); break; case AF_INET6: PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); break; default: strlcpy(srcip, "<unknown>", sizeof(srcip)); strlcpy(dstip, "<unknown>", sizeof(dstip)); break; } sp = p->sp; dp = p->dp; fprintf(fp, "SRC IP: %s\n", srcip); fprintf(fp, "DST IP: %s\n", dstip); fprintf(fp, "PROTO: %" PRIu32 "\n", p->proto); if (PKT_IS_TCP(p) || PKT_IS_UDP(p)) { fprintf(fp, "SRC PORT: %" PRIu16 "\n", sp); fprintf(fp, "DST PORT: %" PRIu16 "\n", dp); } fprintf(fp, "APP PROTO: %s\n", AppProtoToString(p->flow->alproto)); /* Only applicable to HTTP traffic */ if (p->flow->alproto == ALPROTO_HTTP) { fprintf(fp, "HTTP URI: "); LogFilestoreMetaGetUri(fp, p, ff); fprintf(fp, "\n"); fprintf(fp, "HTTP HOST: "); LogFilestoreMetaGetHost(fp, p, ff); fprintf(fp, "\n"); fprintf(fp, "HTTP REFERER: "); LogFilestoreMetaGetReferer(fp, p, ff); fprintf(fp, "\n"); fprintf(fp, "HTTP USER AGENT: "); LogFilestoreMetaGetUserAgent(fp, p, ff); fprintf(fp, "\n"); } else if (p->flow->alproto == ALPROTO_SMTP) { /* Only applicable to SMTP */ LogFilestoreMetaGetSmtp(fp, p, ff); } fprintf(fp, "FILENAME: "); PrintRawUriFp(fp, ff->name, ff->name_len); fprintf(fp, "\n"); fclose(fp); } }