int add_string_additional_data(idmef_alert_t *alert, const char *meaning, const char *ptr){
int ret;
prelude_string_t *str;
idmef_additional_data_t *ad;
idmef_data_t *data;
ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
idmef_additional_data_set_type(ad, IDMEF_ADDITIONAL_DATA_TYPE_STRING);
idmef_additional_data_new_data(ad, &data);
ret = idmef_data_set_char_string_ref(data, ptr);
if ( ret < 0)
return ret;
ret = idmef_additional_data_new_meaning(ad, &str);
if ( ret < 0)
return ret;
ret = prelude_string_set_ref(str, meaning);
if ( ret < 0 )
return ret;
return 0;
}
static int add_int_data(idmef_alert_t *alert, const char *meaning, uint32_t data)
{
int ret;
prelude_string_t *str;
idmef_additional_data_t *ad;
ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
idmef_additional_data_set_integer(ad, data);
ret = idmef_additional_data_new_meaning(ad, &str);
if ( ret < 0 ) {
ErrorMessage("%s: error creating additional-data meaning: %s.\n",
prelude_strsource(ret), prelude_strerror(ret));
return -1;
}
ret = prelude_string_set_ref(str, meaning);
if ( ret < 0 ) {
ErrorMessage("%s: error setting integer data meaning: %s.\n",
prelude_strsource(ret), prelude_strerror(ret));
return -1;
}
return 0;
}
/**
* \brief Add integer data, to be stored in the Additional Data
* field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
*
* \return 0 if ok
*/
static int AddIntData(idmef_alert_t *alert, const char *meaning, uint32_t data)
{
int ret;
prelude_string_t *str;
idmef_additional_data_t *ad;
SCEnter();
ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
idmef_additional_data_set_integer(ad, data);
ret = idmef_additional_data_new_meaning(ad, &str);
if ( ret < 0 ) {
SCLogDebug("%s: error creating additional-data meaning: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(-1);
}
ret = prelude_string_set_ref(str, meaning);
if ( ret < 0 ) {
SCLogDebug("%s: error setting integer data meaning: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(-1);
}
SCReturnInt(0);
}
/**
* \brief Create event impact description (see section
* 4.2.6.1 of RFC 4765).
* The impact contains the severity, completion (succeeded or failed)
* and basic classification of the attack type.
* Here, we don't set the completion since we don't know it (default
* is unknown).
*
* \return 0 if ok
*/
static int EventToImpact(PacketAlert *pa, Packet *p, idmef_alert_t *alert)
{
int ret;
prelude_string_t *str;
idmef_impact_t *impact;
idmef_assessment_t *assessment;
idmef_impact_severity_t severity;
SCEnter();
ret = idmef_alert_new_assessment(alert, &assessment);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_assessment_new_impact(assessment, &impact);
if ( ret < 0 )
SCReturnInt(ret);
if ( (unsigned int)pa->s->prio < mid_priority )
severity = IDMEF_IMPACT_SEVERITY_HIGH;
else if ( (unsigned int)pa->s->prio < low_priority )
severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
else if ( (unsigned int)pa->s->prio < info_priority )
severity = IDMEF_IMPACT_SEVERITY_LOW;
else
severity = IDMEF_IMPACT_SEVERITY_INFO;
idmef_impact_set_severity(impact, severity);
if (p->action & ACTION_DROP) {
idmef_action_t *action;
ret = idmef_action_new(&action);
if ( ret < 0 )
SCReturnInt(ret);
idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED);
idmef_assessment_set_action(assessment, action, 0);
}
if (pa->s->class_msg) {
ret = idmef_impact_new_description(impact, &str);
if ( ret < 0 )
SCReturnInt(ret);
prelude_string_set_ref(str, pa->s->class_msg);
}
SCReturnInt(0);
}
static int event_to_impact(void *event, idmef_alert_t *alert)
{
int ret;
ClassType *cn;
prelude_string_t *str;
idmef_impact_t *impact;
idmef_assessment_t *assessment;
idmef_impact_severity_t severity;
/* store and convert once */
/*TODO: detemine required return code for event being NULL */
u_int32_t event_priority = ntohl(((Unified2EventCommon *)event)->priority_id);
ret = idmef_alert_new_assessment(alert, &assessment);
if ( ret < 0 )
return ret;
ret = idmef_assessment_new_impact(assessment, &impact);
if ( ret < 0 )
return ret;
if ( event_priority < mid_priority )
severity = IDMEF_IMPACT_SEVERITY_HIGH;
else if ( event_priority < low_priority )
severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
else if ( event_priority < info_priority )
severity = IDMEF_IMPACT_SEVERITY_LOW;
else severity = IDMEF_IMPACT_SEVERITY_INFO;
idmef_impact_set_severity(impact, severity);
cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id));
if ( cn != NULL ) {
ret = idmef_impact_new_description(impact, &str);
if ( ret < 0 )
return ret;
prelude_string_set_ref(str, cn->name);
}
return 0;
}
static int event_to_impact(Event *event, idmef_alert_t *alert)
{
int ret;
ClassType *classtype;
prelude_string_t *str;
idmef_impact_t *impact;
idmef_assessment_t *assessment;
idmef_impact_severity_t severity;
ret = idmef_alert_new_assessment(alert, &assessment);
if ( ret < 0 )
return ret;
ret = idmef_assessment_new_impact(assessment, &impact);
if ( ret < 0 )
return ret;
if ( event->priority < mid_priority )
severity = IDMEF_IMPACT_SEVERITY_HIGH;
else if ( event->priority < low_priority )
severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
else if ( event->priority < info_priority )
severity = IDMEF_IMPACT_SEVERITY_LOW;
else severity = IDMEF_IMPACT_SEVERITY_INFO;
idmef_impact_set_severity(impact, severity);
if ( ! otn_tmp )
return 0;
classtype = otn_tmp->sigInfo.classType;
if ( classtype ) {
ret = idmef_impact_new_description(impact, &str);
if ( ret < 0 )
return ret;
prelude_string_set_ref(str, classtype->name);
}
return 0;
}
int add_int_additional_data(idmef_alert_t *alert, const char *meaning, int data){
int ret;
prelude_string_t *str;
idmef_additional_data_t *ad;
ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
idmef_additional_data_set_integer(ad, data);
ret = idmef_additional_data_new_meaning(ad, &str);
if ( ret < 0)
return ret;
ret = prelude_string_set_ref(str, meaning);
if ( ret < 0 )
return ret;
return 0;
}
/**
* \brief Add binary data, to be stored in the Additional Data
* field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
*
* \return 0 if ok
*/
static int AddByteData(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
{
int ret;
prelude_string_t *str;
idmef_additional_data_t *ad;
SCEnter();
if ( ! data || ! size )
SCReturnInt(0);
ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(0);
ret = idmef_additional_data_set_byte_string_ref(ad, data, size);
if ( ret < 0 ) {
SCLogDebug("%s: error setting byte string data: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(-1);
}
ret = idmef_additional_data_new_meaning(ad, &str);
if ( ret < 0 ) {
SCLogDebug("%s: error creating additional-data meaning: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(-1);
}
ret = prelude_string_set_ref(str, meaning);
if ( ret < 0 ) {
SCLogDebug("%s: error setting byte string data meaning: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(-1);
}
SCReturnInt(0);
}
static int add_byte_data(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
{
int ret;
prelude_string_t *str;
idmef_additional_data_t *ad;
if ( ! data || ! size )
return 0;
ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_additional_data_set_byte_string_ref(ad, data, size);
if ( ret < 0 ) {
ErrorMessage("%s: error setting byte string data: %s.\n",
prelude_strsource(ret), prelude_strerror(ret));
return -1;
}
ret = idmef_additional_data_new_meaning(ad, &str);
if ( ret < 0 ) {
ErrorMessage("%s: error creating additional-data meaning: %s.\n",
prelude_strsource(ret), prelude_strerror(ret));
return -1;
}
ret = prelude_string_set_ref(str, meaning);
if ( ret < 0 ) {
ErrorMessage("%s: error setting byte string data meaning: %s.\n",
prelude_strsource(ret), prelude_strerror(ret));
return -1;
}
return 0;
}
static int event_to_source_target(Packet *p, idmef_alert_t *alert)
{
int ret;
idmef_node_t *node;
idmef_source_t *source;
idmef_target_t *target;
idmef_address_t *address;
idmef_service_t *service;
prelude_string_t *string;
static char saddr[128], daddr[128];
if ( !p )
return 0;
if ( ! p->iph )
return 0;
ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
if ( pv.interface ) {
ret = idmef_source_new_interface(source, &string);
if ( ret < 0 )
return ret;
prelude_string_set_ref(string, pv.interface);
}
ret = idmef_source_new_service(source, &service);
if ( ret < 0 )
return ret;
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->sp);
idmef_service_set_ip_version(service, IP_VER(p->iph));
idmef_service_set_iana_protocol_number(service, p->iph->ip_proto);
ret = idmef_source_new_node(source, &node);
if ( ret < 0 )
return ret;
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
return ret;
SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(p->iph->ip_src));
prelude_string_set_ref(string, saddr);
ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
if ( pv.interface ) {
ret = idmef_target_new_interface(target, &string);
if ( ret < 0 )
return ret;
prelude_string_set_ref(string, pv.interface);
}
ret = idmef_target_new_service(target, &service);
if ( ! ret < 0 )
return ret;
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->dp);
idmef_service_set_ip_version(service, IP_VER(p->iph));
idmef_service_set_iana_protocol_number(service, p->iph->ip_proto);
ret = idmef_target_new_node(target, &node);
if ( ret < 0 )
return ret;
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
return ret;
SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(p->iph->ip_dst));
prelude_string_set_ref(string, daddr);
return 0;
}
void prelude_logging(const char *filename, const char *virname, const char *virhash, int virsize){
int ret;
idmef_message_t *idmef = NULL;
idmef_alert_t *alert;
idmef_classification_t *class;
prelude_string_t *str;
idmef_target_t *target;
idmef_file_t *file;
ret = idmef_message_new(&idmef);
if ( ret < 0 )
goto err;
ret = idmef_message_new_alert(idmef, &alert);
if ( ret < 0 )
goto err;
ret = idmef_alert_new_classification(alert, &class);
if ( ret < 0 )
goto err;
ret = idmef_classification_new_text(class, &str);
if ( ret < 0 )
goto err;
prelude_string_set_constant(str, "Virus Found");
ret = idmef_alert_new_target(alert, &target, 0);
if ( ret < 0 )
goto err;
ret = idmef_target_new_file(target, &file, 0);
if ( ret < 0 )
goto err;
ret = idmef_file_new_path(file, &str);
if ( ret < 0 )
goto err;
prelude_string_set_ref(str, filename);
if ( virname != NULL ) {
ret = add_string_additional_data(alert, "virname", virname);
if ( ret < 0 )
goto err;
}
if ( virhash != NULL){
ret = add_string_additional_data(alert, "virhash", virhash);
if ( ret < 0 )
goto err;
}
ret = add_int_additional_data(alert, "virsize", virsize);
if ( ret < 0 )
goto err;
logg("le client : %s", prelude_client_get_config_filename(prelude_client));
prelude_client_send_idmef(prelude_client, idmef);
idmef_message_destroy(idmef);
return;
err:
if (idmef != NULL)
idmef_message_destroy(idmef);
logg("%s error: %s", prelude_strsource(ret), prelude_strerror(ret));
return;
}
static int event_to_source_target(Packet *p, idmef_alert_t *alert)
{
int ret;
idmef_node_t *node;
idmef_source_t *source;
idmef_target_t *target;
idmef_address_t *address;
idmef_service_t *service;
prelude_string_t *string;
static char saddr[128], daddr[128];
if ( !p )
return 0;
if ( ! IPH_IS_VALID(p) )
return 0;
ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
if (barnyard2_conf->interface != NULL) {
ret = idmef_source_new_interface(source, &string);
if ( ret < 0 )
return ret;
prelude_string_set_ref(string, PRINT_INTERFACE(barnyard2_conf->interface));
}
ret = idmef_source_new_service(source, &service);
if ( ret < 0 )
return ret;
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->sp);
idmef_service_set_ip_version(service, GET_IPH_VER(p));
idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));
ret = idmef_source_new_node(source, &node);
if ( ret < 0 )
return ret;
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
return ret;
SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(GET_SRC_ADDR(p)));
prelude_string_set_ref(string, saddr);
ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
if (barnyard2_conf->interface != NULL) {
ret = idmef_target_new_interface(target, &string);
if ( ret < 0 )
return ret;
prelude_string_set_ref(string, barnyard2_conf->interface);
}
ret = idmef_target_new_service(target, &service);
if ( ! ret < 0 )
return ret;
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->dp);
idmef_service_set_ip_version(service, GET_IPH_VER(p));
idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));
ret = idmef_target_new_node(target, &node);
if ( ret < 0 )
return ret;
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
return ret;
SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(GET_DST_ADDR(p)));
prelude_string_set_ref(string, daddr);
return 0;
}
/**
* \brief Add Source and Target fields to the IDMEF alert.
* These objects contains IP addresses, source and destination
* ports (see sections 4.2.4.3 and 4.2.4.4 of RFC 4765).
*
* \return 0 if ok
*/
static int EventToSourceTarget(Packet *p, idmef_alert_t *alert)
{
int ret;
idmef_node_t *node;
idmef_source_t *source;
idmef_target_t *target;
idmef_address_t *address;
idmef_service_t *service;
prelude_string_t *string;
static char saddr[128], daddr[128];
uint8_t ip_vers;
uint8_t ip_proto;
SCEnter();
if ( !p )
SCReturnInt(0);
if ( ! IPH_IS_VALID(p) )
SCReturnInt(0);
if (PKT_IS_IPV4(p)) {
ip_vers = 4;
ip_proto = IPV4_GET_RAW_IPPROTO(p->ip4h);
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), saddr, sizeof(saddr));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), daddr, sizeof(daddr));
} else if (PKT_IS_IPV6(p)) {
ip_vers = 6;
ip_proto = IPV6_GET_L4PROTO(p);
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), saddr, sizeof(saddr));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), daddr, sizeof(daddr));
} else
SCReturnInt(0);
ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_source_new_service(source, &service);
if ( ret < 0 )
SCReturnInt(ret);
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->sp);
idmef_service_set_ip_version(service, ip_vers);
idmef_service_set_iana_protocol_number(service, ip_proto);
ret = idmef_source_new_node(source, &node);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
SCReturnInt(ret);
prelude_string_set_ref(string, saddr);
ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_target_new_service(target, &service);
if ( ret < 0 )
SCReturnInt(ret);
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->dp);
idmef_service_set_ip_version(service, ip_vers);
idmef_service_set_iana_protocol_number(service, ip_proto);
ret = idmef_target_new_node(target, &node);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
SCReturnInt(ret);
prelude_string_set_ref(string, daddr);
SCReturnInt(0);
}
/**
* \brief Create event impact description (see section
* 4.2.6.1 of RFC 4765).
* The impact contains the severity, completion (succeeded or failed)
* and basic classification of the attack type.
* Here, we don't set the completion since we don't know it (default
* is unknown).
*
* \return 0 if ok
*/
static int EventToImpact(const PacketAlert *pa, const Packet *p, idmef_alert_t *alert)
{
int ret;
prelude_string_t *str;
idmef_impact_t *impact;
idmef_assessment_t *assessment;
idmef_impact_severity_t severity;
SCEnter();
ret = idmef_alert_new_assessment(alert, &assessment);
if (unlikely(ret < 0)) {
SCLogDebug("%s: error creating assessment: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(ret);
}
ret = idmef_assessment_new_impact(assessment, &impact);
if (unlikely(ret < 0)) {
SCLogDebug("%s: error creating assessment impact: %s.",
prelude_strsource(ret), prelude_strerror(ret));
SCReturnInt(ret);
}
if ( (unsigned int)pa->s->prio < mid_priority )
severity = IDMEF_IMPACT_SEVERITY_HIGH;
else if ( (unsigned int)pa->s->prio < low_priority )
severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
else if ( (unsigned int)pa->s->prio < info_priority )
severity = IDMEF_IMPACT_SEVERITY_LOW;
else
severity = IDMEF_IMPACT_SEVERITY_INFO;
idmef_impact_set_severity(impact, severity);
if (PACKET_TEST_ACTION(p, ACTION_DROP) ||
PACKET_TEST_ACTION(p, ACTION_REJECT) ||
PACKET_TEST_ACTION(p, ACTION_REJECT_DST) ||
PACKET_TEST_ACTION(p, ACTION_REJECT_BOTH) ) {
idmef_action_t *action;
ret = idmef_action_new(&action);
if (unlikely(ret < 0))
SCReturnInt(ret);
idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED);
idmef_assessment_set_action(assessment, action, 0);
}
if (pa->s->class_msg) {
ret = idmef_impact_new_description(impact, &str);
if (unlikely(ret < 0))
SCReturnInt(ret);
prelude_string_set_ref(str, pa->s->class_msg);
}
SCReturnInt(0);
}
