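/*
 * Append a string-typed Additional Data entry (RFC 4765 section 4.2.4.6)
 * to the alert: `meaning` labels the entry and `ptr` is its value.
 *
 * Both strings are attached by reference (idmef_data_set_char_string_ref,
 * prelude_string_set_ref), so the caller must keep them alive until the
 * IDMEF message has been sent or destroyed.
 *
 * Returns 0 on success or the negative libprelude error code of the first
 * failing call. On failure the partially built entry stays attached to
 * the alert; callers on this page respond by destroying the whole message.
 */
int add_string_additional_data(idmef_alert_t *alert, const char *meaning, const char *ptr)
{
    int ret;
    prelude_string_t *str;
    idmef_additional_data_t *ad;
    idmef_data_t *data;

    ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    idmef_additional_data_set_type(ad, IDMEF_ADDITIONAL_DATA_TYPE_STRING);

    /* Previously unchecked: on failure `data` was left uninitialised and
     * then handed to idmef_data_set_char_string_ref(). */
    ret = idmef_additional_data_new_data(ad, &data);
    if ( ret < 0 )
        return ret;

    ret = idmef_data_set_char_string_ref(data, ptr);
    if ( ret < 0 )
        return ret;

    ret = idmef_additional_data_new_meaning(ad, &str);
    if ( ret < 0 )
        return ret;

    ret = prelude_string_set_ref(str, meaning);
    if ( ret < 0 )
        return ret;

    return 0;
}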
/*
 * Append an integer Additional Data entry (RFC 4765 section 4.2.4.6) to
 * the alert, labelled with `meaning` (attached by reference, so it must
 * outlive the IDMEF message).
 *
 * Returns 0 on success. A failure to create the entry propagates the
 * libprelude error code; failures while attaching the meaning are logged
 * through ErrorMessage() and reported as -1.
 */
static int add_int_data(idmef_alert_t *alert, const char *meaning, uint32_t data)
{
    idmef_additional_data_t *entry;
    prelude_string_t *label;
    int rc = idmef_alert_new_additional_data(alert, &entry, IDMEF_LIST_APPEND);

    if ( rc < 0 )
        return rc;

    idmef_additional_data_set_integer(entry, data);

    if ( (rc = idmef_additional_data_new_meaning(entry, &label)) < 0 ) {
        ErrorMessage("%s: error creating additional-data meaning: %s.\n",
                     prelude_strsource(rc), prelude_strerror(rc));
        return -1;
    }

    if ( (rc = prelude_string_set_ref(label, meaning)) < 0 ) {
        ErrorMessage("%s: error setting integer data meaning: %s.\n",
                     prelude_strsource(rc), prelude_strerror(rc));
        return -1;
    }

    return 0;
}
/**
 * \brief Add integer data, to be stored in the Additional Data
 * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
 * The \a meaning label is attached by reference and must outlive
 * the IDMEF message.
 *
 * \return 0 if ok; the libprelude error code if the entry cannot be
 *         created; -1 (after a debug log) if the meaning cannot be set
 */
static int AddIntData(idmef_alert_t *alert, const char *meaning, uint32_t data)
{
    idmef_additional_data_t *entry;
    prelude_string_t *label;
    int rc;

    SCEnter();

    rc = idmef_alert_new_additional_data(alert, &entry, IDMEF_LIST_APPEND);
    if ( rc < 0 )
        SCReturnInt(rc);

    idmef_additional_data_set_integer(entry, data);

    if ( (rc = idmef_additional_data_new_meaning(entry, &label)) < 0 ) {
        SCLogDebug("%s: error creating additional-data meaning: %s.",
                   prelude_strsource(rc), prelude_strerror(rc));
        SCReturnInt(-1);
    }

    if ( (rc = prelude_string_set_ref(label, meaning)) < 0 ) {
        SCLogDebug("%s: error setting integer data meaning: %s.",
                   prelude_strsource(rc), prelude_strerror(rc));
        SCReturnInt(-1);
    }

    SCReturnInt(0);
}
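/**
 * \brief Create event impact description (see section
 * 4.2.6.1 of RFC 4765).
 * The impact contains the severity, completion (succeeded or failed)
 * and basic classification of the attack type.
 * Severity is derived from the signature priority (a lower number is
 * more severe) using the file-scope thresholds mid_priority,
 * low_priority and info_priority; a dropped packet is recorded as a
 * "block installed" action; the signature's class message, when present,
 * becomes the description. Completion is left at its default (unknown)
 * because it cannot be determined here.
 *
 * \param pa    alert providing the signature priority and class message
 * \param p     packet; only its action flags are read
 * \param alert IDMEF alert that receives the assessment
 *
 * \return 0 if ok, otherwise the negative libprelude error code of the
 *         failing call (the message is then left partially built)
 */
static int EventToImpact(PacketAlert *pa, Packet *p, idmef_alert_t *alert)
{
    int ret;
    prelude_string_t *str;
    idmef_impact_t *impact;
    idmef_assessment_t *assessment;
    idmef_impact_severity_t severity;

    SCEnter();

    ret = idmef_alert_new_assessment(alert, &assessment);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_assessment_new_impact(assessment, &impact);
    if ( ret < 0 )
        SCReturnInt(ret);

    /* prio is cast to unsigned for the comparison, so a negative prio
     * would compare as a very large value and map to INFO. */
    if ( (unsigned int)pa->s->prio < mid_priority )
        severity = IDMEF_IMPACT_SEVERITY_HIGH;
    else if ( (unsigned int)pa->s->prio < low_priority )
        severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
    else if ( (unsigned int)pa->s->prio < info_priority )
        severity = IDMEF_IMPACT_SEVERITY_LOW;
    else
        severity = IDMEF_IMPACT_SEVERITY_INFO;

    idmef_impact_set_severity(impact, severity);

    if (p->action & ACTION_DROP) {
        idmef_action_t *action;

        ret = idmef_action_new(&action);
        if ( ret < 0 )
            SCReturnInt(ret);

        idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED);
        /* No free of `action` here: presumably the assessment takes it
         * over, as with libprelude's other set_* calls — confirm. */
        idmef_assessment_set_action(assessment, action, 0);
    }

    if (pa->s->class_msg) {
        ret = idmef_impact_new_description(impact, &str);
        if ( ret < 0 )
            SCReturnInt(ret);

        /* Attached by reference: class_msg must outlive the IDMEF message.
         * The return value was previously ignored. */
        ret = prelude_string_set_ref(str, pa->s->class_msg);
        if ( ret < 0 )
            SCReturnInt(ret);
    }

    SCReturnInt(0);
}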
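/*
 * Fill in the alert's assessment/impact (RFC 4765 section 4.2.6.1) from a
 * unified2 event. The severity is derived from the event's priority_id (a
 * lower value is more severe) via the file-scope thresholds mid_priority,
 * low_priority and info_priority; when the classification_id resolves
 * through ClassTypeLookupById(), the class name becomes the description.
 *
 * Returns 0 on success or the negative libprelude error code of the
 * failing call. A NULL event is rejected with -1 rather than dereferenced.
 */
static int event_to_impact(void *event, idmef_alert_t *alert)
{
    int ret;
    ClassType *cn;
    prelude_string_t *str;
    idmef_impact_t *impact;
    idmef_assessment_t *assessment;
    idmef_impact_severity_t severity;
    u_int32_t event_priority;

    /* TODO: the required return code for a NULL event was never settled;
     * -1 is used so the caller sees a failure instead of a NULL
     * dereference. Confirm against how callers treat the result. */
    if ( event == NULL )
        return -1;

    /* Convert from network byte order once; the value is compared three times. */
    event_priority = ntohl(((Unified2EventCommon *)event)->priority_id);

    ret = idmef_alert_new_assessment(alert, &assessment);
    if ( ret < 0 )
        return ret;

    ret = idmef_assessment_new_impact(assessment, &impact);
    if ( ret < 0 )
        return ret;

    if ( event_priority < mid_priority )
        severity = IDMEF_IMPACT_SEVERITY_HIGH;
    else if ( event_priority < low_priority )
        severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
    else if ( event_priority < info_priority )
        severity = IDMEF_IMPACT_SEVERITY_LOW;
    else
        severity = IDMEF_IMPACT_SEVERITY_INFO;

    idmef_impact_set_severity(impact, severity);

    cn = ClassTypeLookupById(barnyard2_conf,
                             ntohl(((Unified2EventCommon *)event)->classification_id));
    if ( cn != NULL ) {
        ret = idmef_impact_new_description(impact, &str);
        if ( ret < 0 )
            return ret;

        /* Attached by reference: cn->name must outlive the IDMEF message.
         * The return value was previously ignored. */
        ret = prelude_string_set_ref(str, cn->name);
        if ( ret < 0 )
            return ret;
    }

    return 0;
}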
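/*
 * Fill in the alert's assessment/impact (RFC 4765 section 4.2.6.1) for a
 * Snort event. Severity comes from event->priority (a lower value is more
 * severe) via the file-scope thresholds mid_priority, low_priority and
 * info_priority. The description is the name of the class type reached
 * through the file-scope otn_tmp (presumably the rule that fired); when
 * otn_tmp or its class type is missing, no description is added.
 *
 * Returns 0 on success or the negative libprelude error code of the
 * failing call.
 */
static int event_to_impact(Event *event, idmef_alert_t *alert)
{
    int ret;
    ClassType *classtype;
    prelude_string_t *str;
    idmef_impact_t *impact;
    idmef_assessment_t *assessment;
    idmef_impact_severity_t severity;

    ret = idmef_alert_new_assessment(alert, &assessment);
    if ( ret < 0 )
        return ret;

    ret = idmef_assessment_new_impact(assessment, &impact);
    if ( ret < 0 )
        return ret;

    if ( event->priority < mid_priority )
        severity = IDMEF_IMPACT_SEVERITY_HIGH;
    else if ( event->priority < low_priority )
        severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
    else if ( event->priority < info_priority )
        severity = IDMEF_IMPACT_SEVERITY_LOW;
    else
        severity = IDMEF_IMPACT_SEVERITY_INFO;

    idmef_impact_set_severity(impact, severity);

    /* Severity alone is a complete impact; the description is optional. */
    if ( ! otn_tmp )
        return 0;

    classtype = otn_tmp->sigInfo.classType;
    if ( classtype ) {
        ret = idmef_impact_new_description(impact, &str);
        if ( ret < 0 )
            return ret;

        /* Attached by reference: classtype->name must outlive the IDMEF
         * message. The return value was previously ignored. */
        ret = prelude_string_set_ref(str, classtype->name);
        if ( ret < 0 )
            return ret;
    }

    return 0;
}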
/*
 * Append an integer Additional Data entry (RFC 4765 section 4.2.4.6) to
 * the alert, labelled `meaning` (attached by reference, so it must outlive
 * the IDMEF message). `data` is an int; the sibling helpers on this page
 * hand a uint32_t to the same setter, so negative values are presumably
 * converted to unsigned — confirm if that matters to callers.
 *
 * Returns 0 on success or the negative libprelude error code of the first
 * failing call.
 */
int add_int_additional_data(idmef_alert_t *alert, const char *meaning, int data)
{
    idmef_additional_data_t *entry;
    prelude_string_t *label;
    int rc;

    if ( (rc = idmef_alert_new_additional_data(alert, &entry, IDMEF_LIST_APPEND)) < 0 )
        return rc;

    idmef_additional_data_set_integer(entry, data);

    if ( (rc = idmef_additional_data_new_meaning(entry, &label)) < 0 )
        return rc;

    if ( (rc = prelude_string_set_ref(label, meaning)) < 0 )
        return rc;

    return 0;
}
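/**
 * \brief Add binary data, to be stored in the Additional Data
 * field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
 * The bytes and the \a meaning label are attached by reference and
 * must outlive the IDMEF message. A NULL or empty buffer is skipped
 * and treated as success, so optional payloads can be passed as-is.
 *
 * \return 0 if ok (or nothing to add); the libprelude error code if the
 *         additional-data entry cannot be created; -1 (after a debug log)
 *         if the bytes or the meaning cannot be attached
 */
static int AddByteData(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
{
    int ret;
    prelude_string_t *str;
    idmef_additional_data_t *ad;

    SCEnter();

    if ( ! data || ! size )
        SCReturnInt(0);

    ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
    if ( ret < 0 ) {
        /* Was SCReturnInt(0): a failed allocation was reported as success
         * and the payload silently dropped from the alert. */
        SCReturnInt(ret);
    }

    ret = idmef_additional_data_set_byte_string_ref(ad, data, size);
    if ( ret < 0 ) {
        SCLogDebug("%s: error setting byte string data: %s.",
                   prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(-1);
    }

    ret = idmef_additional_data_new_meaning(ad, &str);
    if ( ret < 0 ) {
        SCLogDebug("%s: error creating additional-data meaning: %s.",
                   prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(-1);
    }

    ret = prelude_string_set_ref(str, meaning);
    if ( ret < 0 ) {
        SCLogDebug("%s: error setting byte string data meaning: %s.",
                   prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(-1);
    }

    SCReturnInt(0);
}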
/*
 * Append a byte-string Additional Data entry (RFC 4765 section 4.2.4.6)
 * to the alert. Both the bytes and the `meaning` label are attached by
 * reference and must outlive the IDMEF message. A NULL or empty buffer
 * is skipped and reported as success.
 *
 * Returns 0 on success; the libprelude error code if the entry cannot be
 * created; -1 (after an ErrorMessage) for any later failure.
 */
static int add_byte_data(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
{
    idmef_additional_data_t *entry;
    prelude_string_t *label;
    int rc;

    if ( data == NULL || size == 0 )
        return 0;

    rc = idmef_alert_new_additional_data(alert, &entry, IDMEF_LIST_APPEND);
    if ( rc < 0 )
        return rc;

    if ( (rc = idmef_additional_data_set_byte_string_ref(entry, data, size)) < 0 ) {
        ErrorMessage("%s: error setting byte string data: %s.\n",
                     prelude_strsource(rc), prelude_strerror(rc));
        return -1;
    }

    if ( (rc = idmef_additional_data_new_meaning(entry, &label)) < 0 ) {
        ErrorMessage("%s: error creating additional-data meaning: %s.\n",
                     prelude_strsource(rc), prelude_strerror(rc));
        return -1;
    }

    if ( (rc = prelude_string_set_ref(label, meaning)) < 0 ) {
        ErrorMessage("%s: error setting byte string data meaning: %s.\n",
                     prelude_strsource(rc), prelude_strerror(rc));
        return -1;
    }

    return 0;
}
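/*
 * Add Source and Target objects (RFC 4765 sections 4.2.4.3 and 4.2.4.4)
 * to the alert from the packet's IPv4 header. Each side gets the capture
 * interface (when pv.interface is set), a service carrying the IP version,
 * IANA protocol number and, for TCP/UDP, the port, and a node holding the
 * address. Packets without an IP header are skipped (0 is returned).
 *
 * saddr/daddr are static on purpose: the address strings are attached to
 * the IDMEF message by reference (prelude_string_set_ref), so they must
 * outlive this call. The cost is that the function is not reentrant and
 * must not run concurrently. inet_ntoa() itself returns a pointer to a
 * static buffer, which is why its result is copied out immediately.
 *
 * Returns 0 on success (or when there is nothing to add), otherwise the
 * negative libprelude error code of the failing call.
 */
static int event_to_source_target(Packet *p, idmef_alert_t *alert)
{
    int ret;
    idmef_node_t *node;
    idmef_source_t *source;
    idmef_target_t *target;
    idmef_address_t *address;
    idmef_service_t *service;
    prelude_string_t *string;
    static char saddr[128], daddr[128];

    if ( !p )
        return 0;

    if ( ! p->iph )
        return 0;

    /* ---- Source ---- */
    ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    if ( pv.interface ) {
        ret = idmef_source_new_interface(source, &string);
        if ( ret < 0 )
            return ret;

        ret = prelude_string_set_ref(string, pv.interface);
        if ( ret < 0 )
            return ret;
    }

    ret = idmef_source_new_service(source, &service);
    if ( ret < 0 )
        return ret;

    if ( p->tcph || p->udph )
        idmef_service_set_port(service, p->sp);

    idmef_service_set_ip_version(service, IP_VER(p->iph));
    idmef_service_set_iana_protocol_number(service, p->iph->ip_proto);

    ret = idmef_source_new_node(source, &node);
    if ( ret < 0 )
        return ret;

    ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    ret = idmef_address_new_address(address, &string);
    if ( ret < 0 )
        return ret;

    SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(p->iph->ip_src));
    ret = prelude_string_set_ref(string, saddr);
    if ( ret < 0 )
        return ret;

    /* ---- Target ---- */
    ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    if ( pv.interface ) {
        ret = idmef_target_new_interface(target, &string);
        if ( ret < 0 )
            return ret;

        ret = prelude_string_set_ref(string, pv.interface);
        if ( ret < 0 )
            return ret;
    }

    ret = idmef_target_new_service(target, &service);
    /* Was `if ( ! ret < 0 )`, which parses as `(!ret) < 0` and can never
     * be true: a failure here went unnoticed and `service` was then used
     * uninitialised. */
    if ( ret < 0 )
        return ret;

    if ( p->tcph || p->udph )
        idmef_service_set_port(service, p->dp);

    idmef_service_set_ip_version(service, IP_VER(p->iph));
    idmef_service_set_iana_protocol_number(service, p->iph->ip_proto);

    ret = idmef_target_new_node(target, &node);
    if ( ret < 0 )
        return ret;

    ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    ret = idmef_address_new_address(address, &string);
    if ( ret < 0 )
        return ret;

    SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(p->iph->ip_dst));
    ret = prelude_string_set_ref(string, daddr);
    if ( ret < 0 )
        return ret;

    return 0;
}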
/*
 * Build and send a "Virus Found" IDMEF alert for `filename`.
 *
 * The alert names the scanned file as its target and carries Additional
 * Data entries for the virus name and hash (each only when non-NULL) and
 * the size. Strings are attached by reference, so the message is sent and
 * destroyed before this function returns. Any libprelude failure is
 * logged with logg() and the partially built message is destroyed.
 */
void prelude_logging(const char *filename, const char *virname, const char *virhash, int virsize)
{
    idmef_message_t *message = NULL;
    idmef_alert_t *alert;
    idmef_classification_t *classification;
    idmef_target_t *target;
    idmef_file_t *file;
    prelude_string_t *text;
    int rc;

    if ( (rc = idmef_message_new(&message)) < 0 )
        goto err;
    if ( (rc = idmef_message_new_alert(message, &alert)) < 0 )
        goto err;

    /* Classification: the same fixed text for every alert raised here. */
    if ( (rc = idmef_alert_new_classification(alert, &classification)) < 0 )
        goto err;
    if ( (rc = idmef_classification_new_text(classification, &text)) < 0 )
        goto err;
    prelude_string_set_constant(text, "Virus Found");

    /* Target: the scanned file, identified by its path. */
    if ( (rc = idmef_alert_new_target(alert, &target, 0)) < 0 )
        goto err;
    if ( (rc = idmef_target_new_file(target, &file, 0)) < 0 )
        goto err;
    if ( (rc = idmef_file_new_path(file, &text)) < 0 )
        goto err;
    prelude_string_set_ref(text, filename);

    /* Optional details as Additional Data. */
    if ( virname != NULL && (rc = add_string_additional_data(alert, "virname", virname)) < 0 )
        goto err;
    if ( virhash != NULL && (rc = add_string_additional_data(alert, "virhash", virhash)) < 0 )
        goto err;
    if ( (rc = add_int_additional_data(alert, "virsize", virsize)) < 0 )
        goto err;

    logg("le client : %s", prelude_client_get_config_filename(prelude_client));
    prelude_client_send_idmef(prelude_client, message);
    idmef_message_destroy(message);
    return;

err:
    if ( message != NULL )
        idmef_message_destroy(message);
    logg("%s error: %s", prelude_strsource(rc), prelude_strerror(rc));
}
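/*
 * Add Source and Target objects (RFC 4765 sections 4.2.4.3 and 4.2.4.4)
 * to the alert from the packet's IP header. Each side gets the capture
 * interface (when barnyard2_conf->interface is set), a service carrying
 * the IP version, IANA protocol number and, for TCP/UDP, the port, and a
 * node holding the address. Packets without a valid IP header are skipped
 * (0 is returned).
 *
 * saddr/daddr are static on purpose: the address strings are attached to
 * the IDMEF message by reference (prelude_string_set_ref), so they must
 * outlive this call. The cost is that the function is not reentrant and
 * must not run concurrently. inet_ntoa() itself returns a pointer to a
 * static buffer, which is why its result is copied out immediately.
 *
 * Returns 0 on success (or when there is nothing to add), otherwise the
 * negative libprelude error code of the failing call.
 */
static int event_to_source_target(Packet *p, idmef_alert_t *alert)
{
    int ret;
    idmef_node_t *node;
    idmef_source_t *source;
    idmef_target_t *target;
    idmef_address_t *address;
    idmef_service_t *service;
    prelude_string_t *string;
    static char saddr[128], daddr[128];

    if ( !p )
        return 0;

    if ( ! IPH_IS_VALID(p) )
        return 0;

    /* ---- Source ---- */
    ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    if (barnyard2_conf->interface != NULL) {
        ret = idmef_source_new_interface(source, &string);
        if ( ret < 0 )
            return ret;

        ret = prelude_string_set_ref(string, PRINT_INTERFACE(barnyard2_conf->interface));
        if ( ret < 0 )
            return ret;
    }

    ret = idmef_source_new_service(source, &service);
    if ( ret < 0 )
        return ret;

    if ( p->tcph || p->udph )
        idmef_service_set_port(service, p->sp);

    idmef_service_set_ip_version(service, GET_IPH_VER(p));
    idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));

    ret = idmef_source_new_node(source, &node);
    if ( ret < 0 )
        return ret;

    ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    ret = idmef_address_new_address(address, &string);
    if ( ret < 0 )
        return ret;

    SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(GET_SRC_ADDR(p)));
    ret = prelude_string_set_ref(string, saddr);
    if ( ret < 0 )
        return ret;

    /* ---- Target ---- */
    ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    if (barnyard2_conf->interface != NULL) {
        ret = idmef_target_new_interface(target, &string);
        if ( ret < 0 )
            return ret;

        /* NOTE(review): the source side wraps the name in PRINT_INTERFACE()
         * while this side passes it directly; the asymmetry is preserved
         * here — confirm whether both should use the same form. */
        ret = prelude_string_set_ref(string, barnyard2_conf->interface);
        if ( ret < 0 )
            return ret;
    }

    ret = idmef_target_new_service(target, &service);
    /* Was `if ( ! ret < 0 )`, which parses as `(!ret) < 0` and can never
     * be true: a failure here went unnoticed and `service` was then used
     * uninitialised. */
    if ( ret < 0 )
        return ret;

    if ( p->tcph || p->udph )
        idmef_service_set_port(service, p->dp);

    idmef_service_set_ip_version(service, GET_IPH_VER(p));
    idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));

    ret = idmef_target_new_node(target, &node);
    if ( ret < 0 )
        return ret;

    ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    ret = idmef_address_new_address(address, &string);
    if ( ret < 0 )
        return ret;

    SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(GET_DST_ADDR(p)));
    ret = prelude_string_set_ref(string, daddr);
    if ( ret < 0 )
        return ret;

    return 0;
}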
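/**
 * \brief Add Source and Target fields to the IDMEF alert.
 * These objects contain IP addresses, source and destination
 * ports (see sections 4.2.4.3 and 4.2.4.4 of RFC 4765).
 * IPv4 and IPv6 packets are handled; anything else, or a packet without
 * a valid IP header, is skipped with a 0 return.
 *
 * saddr/daddr are static on purpose: the printed addresses are attached
 * to the IDMEF message by reference (prelude_string_set_ref) and so must
 * outlive this call. As a consequence the function is not reentrant and
 * must not be invoked concurrently from several threads.
 *
 * \param p     packet providing addresses, ports and protocol
 * \param alert IDMEF alert that receives the Source and Target
 *
 * \return 0 if ok (or nothing to add), otherwise the negative libprelude
 *         error code of the failing call
 */
static int EventToSourceTarget(Packet *p, idmef_alert_t *alert)
{
    int ret;
    idmef_node_t *node;
    idmef_source_t *source;
    idmef_target_t *target;
    idmef_address_t *address;
    idmef_service_t *service;
    prelude_string_t *string;
    static char saddr[128], daddr[128];
    uint8_t ip_vers;
    uint8_t ip_proto;

    SCEnter();

    if ( !p )
        SCReturnInt(0);

    if ( ! IPH_IS_VALID(p) )
        SCReturnInt(0);

    /* Resolve version, L4 protocol and printable addresses up front so the
     * source and target sections below are identical in shape. */
    if (PKT_IS_IPV4(p)) {
        ip_vers = 4;
        ip_proto = IPV4_GET_RAW_IPPROTO(p->ip4h);
        /* NOTE(review): PrintInet()'s result is not checked; should it fail,
         * saddr/daddr would keep the previous call's contents — confirm
         * whether it can fail for a packet that passed IPH_IS_VALID. */
        PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), saddr, sizeof(saddr));
        PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), daddr, sizeof(daddr));
    } else if (PKT_IS_IPV6(p)) {
        ip_vers = 6;
        ip_proto = IPV6_GET_L4PROTO(p);
        PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), saddr, sizeof(saddr));
        PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), daddr, sizeof(daddr));
    } else {
        SCReturnInt(0);
    }

    /* ---- Source ---- */
    ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_source_new_service(source, &service);
    if ( ret < 0 )
        SCReturnInt(ret);

    if ( p->tcph || p->udph )
        idmef_service_set_port(service, p->sp);

    idmef_service_set_ip_version(service, ip_vers);
    idmef_service_set_iana_protocol_number(service, ip_proto);

    ret = idmef_source_new_node(source, &node);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_address_new_address(address, &string);
    if ( ret < 0 )
        SCReturnInt(ret);

    /* Return value was previously ignored. */
    ret = prelude_string_set_ref(string, saddr);
    if ( ret < 0 )
        SCReturnInt(ret);

    /* ---- Target ---- */
    ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_target_new_service(target, &service);
    if ( ret < 0 )
        SCReturnInt(ret);

    if ( p->tcph || p->udph )
        idmef_service_set_port(service, p->dp);

    idmef_service_set_ip_version(service, ip_vers);
    idmef_service_set_iana_protocol_number(service, ip_proto);

    ret = idmef_target_new_node(target, &node);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_address_new_address(address, &string);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = prelude_string_set_ref(string, daddr);
    if ( ret < 0 )
        SCReturnInt(ret);

    SCReturnInt(0);
}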
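/**
 * \brief Create event impact description (see section
 * 4.2.6.1 of RFC 4765).
 * The impact contains the severity, completion (succeeded or failed)
 * and basic classification of the attack type.
 * Severity is derived from the signature priority (a lower number is
 * more severe) via the file-scope thresholds mid_priority, low_priority
 * and info_priority. A drop or any reject action on the packet is
 * recorded as a "block installed" action, and the signature's class
 * message, when present, becomes the description. Completion is left at
 * its default (unknown) because it cannot be determined here.
 *
 * \param pa    alert providing the signature priority and class message
 * \param p     packet; only its action flags are tested
 * \param alert IDMEF alert that receives the assessment
 *
 * \return 0 if ok, otherwise the negative libprelude error code of the
 *         failing call
 */
static int EventToImpact(const PacketAlert *pa, const Packet *p, idmef_alert_t *alert)
{
    int ret;
    prelude_string_t *str;
    idmef_impact_t *impact;
    idmef_assessment_t *assessment;
    idmef_impact_severity_t severity;

    SCEnter();

    ret = idmef_alert_new_assessment(alert, &assessment);
    if (unlikely(ret < 0)) {
        SCLogDebug("%s: error creating assessment: %s.",
                   prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(ret);
    }

    ret = idmef_assessment_new_impact(assessment, &impact);
    if (unlikely(ret < 0)) {
        SCLogDebug("%s: error creating assessment impact: %s.",
                   prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(ret);
    }

    /* prio is cast to unsigned for the comparison, so a negative prio
     * would compare as a very large value and map to INFO. */
    if ( (unsigned int)pa->s->prio < mid_priority )
        severity = IDMEF_IMPACT_SEVERITY_HIGH;
    else if ( (unsigned int)pa->s->prio < low_priority )
        severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
    else if ( (unsigned int)pa->s->prio < info_priority )
        severity = IDMEF_IMPACT_SEVERITY_LOW;
    else
        severity = IDMEF_IMPACT_SEVERITY_INFO;

    idmef_impact_set_severity(impact, severity);

    if (PACKET_TEST_ACTION(p, ACTION_DROP) ||
        PACKET_TEST_ACTION(p, ACTION_REJECT) ||
        PACKET_TEST_ACTION(p, ACTION_REJECT_DST) ||
        PACKET_TEST_ACTION(p, ACTION_REJECT_BOTH)) {
        idmef_action_t *action;

        ret = idmef_action_new(&action);
        if (unlikely(ret < 0))
            SCReturnInt(ret);

        idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED);
        /* No free of `action` here: presumably the assessment takes it
         * over, as with libprelude's other set_* calls — confirm. */
        idmef_assessment_set_action(assessment, action, 0);
    }

    if (pa->s->class_msg) {
        ret = idmef_impact_new_description(impact, &str);
        if (unlikely(ret < 0))
            SCReturnInt(ret);

        /* Attached by reference: class_msg must outlive the IDMEF message.
         * The return value was previously ignored. */
        ret = prelude_string_set_ref(str, pa->s->class_msg);
        if (unlikely(ret < 0))
            SCReturnInt(ret);
    }

    SCReturnInt(0);
}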