Esempio n. 1
0
static inline int _Active_DoReset(Packet *p)
{
#ifdef ACTIVE_RESPONSE
    if ( !Active_IsEnabled() )
        return 0;

    if ( Active_PacketWouldBeDropped() )
        return 0;

    if ( !IPH_IS_VALID(p) )
        return 0;

    switch ( GET_IPH_PROTO(p) )
    {
        case IPPROTO_TCP:
            if ( Active_IsRSTCandidate(p) )
                Active_QueueReject();
            break;

        // FIXTHIS send unr to udp/icmp4/icmp6 only or for all non-tcp?
        case IPPROTO_UDP:
        case IPPROTO_ICMP:
        case IPPROTO_ICMPV6:
            if ( Active_IsUNRCandidate(p) )
                Active_QueueReject();
            break;
    }
#endif

    return 0;
}
Esempio n. 2
0
/**
**  This logic finds the index to the proto array based on the
**  portscan configuration.  We need special logic because the
**  index of the protocol changes based on the configuration.
*/
static int ps_get_proto(PS_PKT *ps_pkt, int *proto)
{
    Packet *p;

    if(!ps_pkt || !ps_pkt->pkt || !proto)
        return -1;

    p = (Packet *)ps_pkt->pkt;
    *proto = 0;

    if (portscan_eval_config->detect_scans & PS_PROTO_TCP)
    {
        if ((p->tcph != NULL)
                || ((p->icmph != NULL) && (p->icmph->type == ICMP_DEST_UNREACH)
                    && ((p->icmph->code == ICMP_PORT_UNREACH)
                        || (p->icmph->code == ICMP_PKT_FILTERED))
                    && (p->orig_tcph != NULL)))
        {
            *proto = PS_PROTO_TCP;
            return 0;
        }
    }

    if (portscan_eval_config->detect_scans & PS_PROTO_UDP)
    {
        if ((p->udph != NULL)
                || ((p->icmph != NULL) && (p->icmph->type == ICMP_DEST_UNREACH)
                    && ((p->icmph->code == ICMP_PORT_UNREACH)
                        || (p->icmph->code == ICMP_PKT_FILTERED))
                    && (p->orig_udph != NULL)))
        {
            *proto = PS_PROTO_UDP;
            return 0;
        }
    }

    if (portscan_eval_config->detect_scans & PS_PROTO_IP)
    {
        if ((IPH_IS_VALID(p) && (p->icmph == NULL))
                || ((p->icmph != NULL) && (p->icmph->type == ICMP_DEST_UNREACH)
                    && ((p->icmph->code == ICMP_PROT_UNREACH)
                        || (p->icmph->code == ICMP_PKT_FILTERED))))
        {
            *proto = PS_PROTO_IP;
            return 0;
        }
    }

    if (portscan_eval_config->detect_scans & PS_PROTO_ICMP)
    {
        if (p->icmph != NULL)
        {
            *proto = PS_PROTO_ICMP;
            return 0;
        }
    }

    return -1;
}
Esempio n. 3
0
/**
**  This function wraps the functionality in the generic HttpInspect
**  processing.  We get a Packet structure and pass this into the
**  HttpInspect module where the first stage in HttpInspect is the
**  Session Inspection stage where most of the other Snortisms are
**  taken care of.  After that, the modules should be fairly generic,
**  and that's what we're trying to do here.
**
**  @param p a Packet structure that contains Snort info about the
**  packet.
**
**  @return void
*/
static void HttpInspect(Packet *p, void *context)
{
    PROFILE_VARS;

    /*
    **  IMPORTANT:
    **  This is where we initialize any variables that can impact other
    **  aspects of detection/processing.
    **
    **  First thing that we do is reset the p->uri_count to zero, so there
    **  is no way that we would inspect a buffer that was completely bogus.
    */
    p->uri_count = 0;
    UriBufs[0].decode_flags = 0;

    /*
    **  Check for valid packet
    **  if neither header or data is good, then we just abort.
    */
    if(!IPH_IS_VALID(p) || !p->tcph || !p->data || !p->dsize)
    {
        return;
    }

    PREPROC_PROFILE_START(hiPerfStats);

    /*
    **  Pass in the configuration and the packet.
    */
    SnortHttpInspect(&GlobalConf, p);

    p->uri_count = 0;
    UriBufs[0].decode_flags = 0;

    /* XXX:
     * NOTE: this includes the HTTPInspect directly
     * calling the detection engine - 
     * to get the true HTTPInspect only stats, have another
     * var inside SnortHttpInspect that tracks the time
     * spent in Detect().
     * Subtract the ticks from this if iCallDetect == 0
     */
    PREPROC_PROFILE_END(hiPerfStats);
#ifdef PERF_PROFILING
    if (hiDetectCalled)
    {
        hiPerfStats.ticks -= hiDetectPerfStats.ticks;
        /* And Reset ticks to 0 */
        hiDetectPerfStats.ticks = 0;
        hiDetectCalled = 0;
    }
#endif

    return;
}
Esempio n. 4
0
int GetSessionCount(Packet *p)
{
    if (IPH_IS_VALID(p))
    {
        if (GET_IPH_PROTO(p) == IPPROTO_TCP)
        {
            if (sessionHashTable)
                return sessionHashTable->count;
            else
                return 0;
        }
        else
        {
            if (udpSessionHashTable)
                return udpSessionHashTable->count;
            else
                return 0;
        }
    }
    return 0;
}
Esempio n. 5
0
/**
**  Check the incoming packet to decide whether portscan detection cares
**  about this packet.  We try to ignore as many packets as possible.
*/
static int ps_filter_ignore(PS_PKT *ps_pkt)
{
    Packet  *p;
    int      reverse_pkt = 0;
    snort_ip_p scanner, scanned;

    p = (Packet *)ps_pkt->pkt;

    if(!IPH_IS_VALID(p))
        return 1;

    if(p->tcph)
    {
        if(!(portscan_eval_config->detect_scans & PS_PROTO_TCP))
            return 1;

        /*
        **  This is where we check all of snort's flags for different
        **  TCP session scenarios.  The checks cover:
        **
        **    - dropping packets in established sessions, but not the
        **      TWH packet.
        **    - dropping the SYN/ACK packet from the server on a valid
        **      connection (we'll catch the TWH later if it happens).
        */
        /*
        **  Ignore packets that are already part of an established TCP
        **  stream.
        */
        if(((p->packet_flags & (PKT_STREAM_EST | PKT_STREAM_TWH))
                == PKT_STREAM_EST) && !(p->tcph->th_flags & TH_RST))
        {
            return 1;
        }

        /*
        **  Ignore the server's initial response, unless it's to RST
        **  the connection.
        */
        /*
        if(!(p->tcph->th_flags & TH_RST) &&
           !(p->packet_flags & (PKT_STREAM_EST)) &&
            (p->packet_flags & PKT_FROM_SERVER))
        {
            return 1;
        }
        */
    }
    else if(p->udph)
    {
        if(!(portscan_eval_config->detect_scans & PS_PROTO_UDP))
            return 1;
    }
    else if(p->icmph)
    {
        if(p->icmph->type != ICMP_DEST_UNREACH &&
           !(portscan_eval_config->detect_scans & PS_PROTO_ICMP))
        {
            return 1;
        }
    }
    else
    {
        if(!(portscan_eval_config->detect_scans & PS_PROTO_IP))
            return 1;
    }

    /*
    **  Check if the packet is reversed
    */
    if((p->packet_flags & PKT_FROM_SERVER))
    {
        reverse_pkt = 1;
    }
    else if(p->icmph && p->icmph->type == ICMP_DEST_UNREACH)
    {
        reverse_pkt = 1;
    }
    else if (p->udph && p->ssnptr &&
             stream_api && stream_api->version >= STREAM_API_VERSION5)
    {
        if (stream_api->get_packet_direction(p) & PKT_FROM_SERVER)
            reverse_pkt = 1;
    }

    scanner = GET_SRC_IP(p);
    scanned = GET_DST_IP(p);

    if(reverse_pkt)
    {
        if(ps_ignore_ip(scanned, p->dp, scanner, p->sp))
            return 1;
    }
    else
    {
        if(ps_ignore_ip(scanner, p->sp, scanned, p->dp))
            return 1;
    }

    ps_pkt->reverse_pkt = reverse_pkt;

    if(portscan_eval_config->watch_ip)
    {
        if(ipset_contains(portscan_eval_config->watch_ip, scanner, &(p->sp)))
            return 0;
        if(ipset_contains(portscan_eval_config->watch_ip, scanned, &(p->dp)))
            return 0;

        return 1;
    }
    return 0;
}
/*
 * Check header option specified against packet
 *
 * Return 1 if check is true (e.g. data matches)
 * Return 0 if check is not true.
 */
ENGINE_LINKAGE int checkHdrOpt(void *p, HdrOptCheck *optData)
{
    SFSnortPacket *pkt = (SFSnortPacket *)p;
    /* Header field will be extracted from its native
     * 1 or 2 bytes, converted to host byte order,
     * and placed in a 4 byte value for easy comparison
     */
    uint32_t value = 0;

    if ((optData->hdrField & IP_HDR_OPTCHECK_MASK) && (!pkt->ip4_header))
        return RULE_NOMATCH;

    if ((optData->hdrField & TCP_HDR_OPTCHECK_MASK) &&
        (!pkt->ip4_header || !pkt->tcp_header))
        return RULE_NOMATCH;

    if ((optData->hdrField & ICMP_HDR_OPTCHECK_MASK) &&
        (!IPH_IS_VALID(pkt) || !pkt->icmp_header))
        return RULE_NOMATCH;

    switch (optData->hdrField)
    {
    /* IP Header Checks */
    case IP_HDR_ID:
        value = IS_IP6(pkt) ? ntohl(GET_IPH_ID(pkt)) : ntohs((uint16_t)GET_IPH_ID(pkt));
        break;
    case IP_HDR_PROTO:
        //value = pkt->ip4_header->proto;
        value = GET_IPH_PROTO(pkt);
        break;
    case IP_HDR_FRAGBITS:
        return checkBits(optData->value, optData->op, ((ntohs(GET_IPH_OFF(pkt)) & 0xe000) & ~optData->mask_value));
        break;
    case IP_HDR_FRAGOFFSET:
        value = ntohs(GET_IPH_OFF((pkt))) & 0x1FFF;
        break;
    case IP_HDR_TOS:
        //value = pkt->ip4_header->type_service;
        value = GET_IPH_TOS(pkt);
        break;
    case IP_HDR_TTL:
        //value = pkt->ip4_header->time_to_live;
        value = GET_IPH_TTL(pkt);
        break;
    case IP_HDR_OPTIONS:
        return checkOptions(optData->value, optData->op, pkt->ip_options, pkt->num_ip_options);
        break;

    /* TCP Header checks */
    case TCP_HDR_ACK:
        value = ntohl(pkt->tcp_header->acknowledgement);
        break;
    case TCP_HDR_SEQ:
        value = ntohl(pkt->tcp_header->sequence);
        break;
    case TCP_HDR_FLAGS:
        return checkBits(optData->value, optData->op, (pkt->tcp_header->flags & ~optData->mask_value));
        break;
    case TCP_HDR_WIN:
        value = ntohs(pkt->tcp_header->window);
        break;
    case TCP_HDR_OPTIONS:
        return checkOptions(optData->value, optData->op, pkt->tcp_options, pkt->num_tcp_options);
        break;

    /* ICMP Header checks */
    case ICMP_HDR_CODE:
        value = pkt->icmp_header->code;
        break;
    case ICMP_HDR_TYPE:
        value = pkt->icmp_header->type;
        break;
    case ICMP_HDR_ID:
        if ((pkt->icmp_header->code == ICMP_ECHO_REQUEST) ||
            (pkt->icmp_header->code == ICMP_ECHO_REPLY))
        {
            value = ntohs(pkt->icmp_header->icmp_header_union.echo.id);
        }
        else
        {
            return RULE_NOMATCH;
        }
        break;
    case ICMP_HDR_SEQ:
        if ((pkt->icmp_header->code == ICMP_ECHO_REQUEST) ||
            (pkt->icmp_header->code == ICMP_ECHO_REPLY))
        {
            value = ntohs(pkt->icmp_header->icmp_header_union.echo.seq);
        }
        else
        {
            return RULE_NOMATCH;
        }
        break;

    default:
        return RULE_NOMATCH;
        break;
    }

    return checkField(optData->op, value, optData->value);
}
Esempio n. 7
0
/* Main runtime entry point for SSH preprocessor.
 * Analyzes SSH packets for anomalies/exploits.
 *
 * PARAMETERS:
 *
 * packetp:    Pointer to current packet to process.
 * contextp:    Pointer to context block, not used.
 *
 * RETURNS:     Nothing.
 */
static void
ProcessSSH( void* ipacketp, void* contextp )
{
	SSHData* sessp = NULL;
	uint8_t source = 0;
	uint8_t dest = 0;
	uint8_t known_port = 0;
	uint8_t direction;
	SFSnortPacket* packetp;
#ifdef TARGET_BASED
    int16_t app_id = SFTARGET_UNKNOWN_PROTOCOL;
#endif
    tSfPolicyId policy_id = _dpd.getRuntimePolicy();
    PROFILE_VARS;

	packetp = (SFSnortPacket*) ipacketp;
    sfPolicyUserPolicySet (ssh_config, policy_id);

	/* Make sure this preprocessor should run. */
	if (( !packetp ) ||
	    ( !packetp->payload ) ||
	    ( !packetp->payload_size ) ||
        ( !IPH_IS_VALID(packetp) ) ||
	    ( !packetp->tcp_header ) ||
        /* check if we're waiting on stream reassembly */
        ( packetp->flags & FLAG_STREAM_INSERT))
	{
 		return;
	}

    PREPROC_PROFILE_START(sshPerfStats);

    ssh_eval_config = sfPolicyUserDataGetCurrent(ssh_config);

	/* Attempt to get a previously allocated SSH block. */
	sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_SSH);
    if (sessp != NULL)
    {
        ssh_eval_config = sfPolicyUserDataGet(sessp->config, sessp->policy_id);
        known_port = 1;
    }

    if (sessp == NULL)
    {
        /* If not doing autodetection, check the ports to make sure this is
         * running on an SSH port, otherwise no need to examine the traffic.
         */
#ifdef TARGET_BASED
        app_id = _dpd.streamAPI->get_application_protocol_id(packetp->stream_session_ptr);
        if (app_id == SFTARGET_UNKNOWN_PROTOCOL)
        {
            PREPROC_PROFILE_END(sshPerfStats);
            return;
        }

        if (app_id && (app_id != ssh_app_id))
        {
            PREPROC_PROFILE_END(sshPerfStats);
            return;
        }

        if (app_id == ssh_app_id)
        {
            known_port = 1;
        }

        if (!app_id)
        {
#endif
            source = (uint8_t)CheckSSHPort( packetp->src_port );
            dest = (uint8_t)CheckSSHPort( packetp->dst_port );

            if ( !ssh_eval_config->AutodetectEnabled && !source && !dest )
            {
                /* Not one of the ports we care about. */
                PREPROC_PROFILE_END(sshPerfStats);
                return;
            }
#ifdef TARGET_BASED
        }
#endif
        /* Check the stream session. If it does not currently
         * have our SSH data-block attached, create one.
         */
        sessp = SSHGetNewSession(packetp, policy_id);

        if ( !sessp )
        {
            /* Could not get/create the session data for this packet. */
            PREPROC_PROFILE_END(sshPerfStats);
            return;
        }

        /* See if a known server port is involved. */
        if (!known_port)
        {
            known_port = ( source || dest ? 1 : 0 );

            /* If this is a non-SSH port, but autodetect is on, we flag this
               session to reduce false positives later on. */
            if (!known_port && ssh_eval_config->AutodetectEnabled)
            {
                sessp->state_flags |= SSH_FLG_AUTODETECTED;
            }
        }
    }

    /* Don't process if we've missed packets */
    if (sessp->state_flags & SSH_FLG_MISSED_PACKETS)
        return;

    /* If we picked up mid-stream or missed any packets (midstream pick up
     * means we've already missed packets) set missed packets flag and make
     * sure we don't do any more reassembly on this session */
    if ((_dpd.streamAPI->get_session_flags(packetp->stream_session_ptr) & SSNFLAG_MIDSTREAM)
            || _dpd.streamAPI->missed_packets(packetp->stream_session_ptr, SSN_DIR_BOTH))
    {
        /* Don't turn off reassembly if autodetected since another preprocessor
         * may actually be looking at this session as well and the SSH
         * autodetect of this session may be wrong. */
        if (!(sessp->state_flags & SSH_FLG_AUTODETECTED))
        {
            _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
                    STREAM_FLPOLICY_IGNORE, SSN_DIR_BOTH,
                    STREAM_FLPOLICY_SET_ABSOLUTE);
        }

        sessp->state_flags |= SSH_FLG_MISSED_PACKETS;

        return;
    }

    /* We're interested in this session. Turn on stream reassembly. */
    if ( !(sessp->state_flags & SSH_FLG_REASSEMBLY_SET ))
    {
        _dpd.streamAPI->set_reassembly(packetp->stream_session_ptr,
                        STREAM_FLPOLICY_FOOTPRINT, SSN_DIR_BOTH, STREAM_FLPOLICY_SET_APPEND);
        sessp->state_flags |= SSH_FLG_REASSEMBLY_SET;
    }

    /* Get the direction of the packet. */
    direction = ( (packetp->flags & FLAG_FROM_SERVER ) ?
            SSH_DIR_FROM_SERVER : SSH_DIR_FROM_CLIENT );

	if ( !(sessp->state_flags & SSH_FLG_SESS_ENCRYPTED ))
	{
		/* If server and client have not performed the protocol
		 * version exchange yet, must look for version strings.
	 	 */
		if ( (sessp->state_flags & SSH_FLG_BOTH_IDSTRING_SEEN)
			!= SSH_FLG_BOTH_IDSTRING_SEEN )
		{
			if ( ProcessSSHProtocolVersionExchange( sessp,
					packetp, direction, known_port ) ==
				SSH_FAILURE )
			{
				/*Error processing protovers exchange msg */
			}

            PREPROC_PROFILE_END(sshPerfStats);
			return;
		}

		/* Expecting to see the key init exchange at this point
		 * (in SSH2) or the actual key exchange if SSH1
		 */
		if ((( sessp->state_flags & SSH_FLG_V1_KEYEXCH_DONE )
			!= SSH_FLG_V1_KEYEXCH_DONE ) &&
		     ((sessp->state_flags & SSH_FLG_V2_KEXINIT_DONE )
			!= SSH_FLG_V2_KEXINIT_DONE ))
		{
		    ProcessSSHKeyInitExchange( sessp, packetp, direction );

            PREPROC_PROFILE_END(sshPerfStats);
			return;
		}

		/* If SSH2, need to process the actual key exchange msgs.
		 * The actual key exchange type was negotiated in the
		 * key exchange init msgs. SSH1 won't arrive here.
		 */
		ProcessSSHKeyExchange( sessp, packetp, direction );
	}
	else
	{
		/* Traffic on this session is currently encrypted.
		 * Two of the major SSH exploits, SSH1 CRC-32 and
 		 * the Challenge-Response Overflow attack occur within
         * the encrypted portion of the SSH session. Therefore,
         * the only way to detect these attacks is by examining
		 * amounts of data exchanged for anomalies.
  		 */
		sessp->num_enc_pkts++;

        if ( sessp->num_enc_pkts <= ssh_eval_config->MaxEncryptedPackets )
        {
            if ( direction == SSH_DIR_FROM_CLIENT )
            {
                sessp->num_client_bytes += packetp->payload_size;

                if ( sessp->num_client_bytes >=
                     ssh_eval_config->MaxClientBytes )
                {
                    /* Probable exploit in progress.*/
                    if (sessp->version == SSH_VERSION_1)
                    {
                        if ( ssh_eval_config->EnabledAlerts & SSH_ALERT_CRC32 )
                        {
                            ALERT(SSH_EVENT_CRC32, SSH_EVENT_CRC32_STR);

                            _dpd.streamAPI->stop_inspection(
                                                            packetp->stream_session_ptr,
                                                            packetp,
                                                            SSN_DIR_BOTH, -1, 0 );
                        }
                    }
                    else
                    {
                        if (ssh_eval_config->EnabledAlerts & SSH_ALERT_RESPOVERFLOW )
                        {
                            ALERT(SSH_EVENT_RESPOVERFLOW, SSH_EVENT_RESPOVERFLOW_STR);

                            _dpd.streamAPI->stop_inspection(
                                                            packetp->stream_session_ptr,
                                                            packetp,
                                                            SSN_DIR_BOTH, -1, 0 );
                        }
                    }
                }
            }
            else
			{
				/*
				 * Have seen a server response, so
				 * this appears to be a valid exchange.
				 * Reset suspicious byte count to zero.
				 */
				sessp->num_client_bytes = 0;
			}
		}
		else
		{
			/* Have already examined more than the limit
			 * of encrypted packets. Both the Gobbles and
			 * the CRC32 attacks occur during authentication
			 * and therefore cannot be used late in an
			 * encrypted session. For performance purposes,
			 * stop examining this session.
			 */
			_dpd.streamAPI->stop_inspection(
				packetp->stream_session_ptr,
				packetp,
				SSN_DIR_BOTH, -1, 0 );

		}

	}
    PREPROC_PROFILE_END(sshPerfStats);
}
Esempio n. 8
0
void ppm_pkt_log(ppm_cfg_t *ppm_cfg, Packet* p)
{
    int filterEvent = 0;
    if (!ppm_cfg->max_pkt_ticks)
        return;

    ppm_cfg->pkt_event_cnt++;

    if (ppm_cfg->pkt_log & PPM_LOG_ALERT)
    {
        OptTreeNode* potn;
        Event ev;

        /* make sure we have an otn already in our table for this event */
        potn = OtnLookup(snort_conf->otn_map, GENERATOR_PPM, PPM_EVENT_PACKET_ABORTED);
        if (potn == NULL)
        {
            /* have to make one */
            potn = GenerateSnortEventOtn(GENERATOR_PPM, /* GID */
                                         PPM_EVENT_PACKET_ABORTED, /* SID */
                                         1, /* Rev */
                                         0, /* classification */
                                         3, /* priority (low) */
                                         PPM_EVENT_PACKET_ABORTED_STR /* msg string */);

            if (potn == NULL)
                return;

            OtnLookupAdd(snort_conf->otn_map, potn);
        }

        SetEvent(&ev,
                 potn->sigInfo.generator, /* GID */
                 potn->sigInfo.id, /* SID */
                 potn->sigInfo.rev, /* Rev */
                 potn->sigInfo.class_id, /* classification */
                 potn->sigInfo.priority, /* priority (low) */
#if !defined(FEAT_OPEN_APPID)
                 0);
#else /* defined(FEAT_OPEN_APPID) */
                 0, NULL);
#endif /* defined(FEAT_OPEN_APPID) */

        if ( IPH_IS_VALID(p) )
        {
            filterEvent = sfthreshold_test(
                        potn->event_data.sig_generator,
                        potn->event_data.sig_id,
                        GET_SRC_IP(p), GET_DST_IP(p),
                        p->pkth->ts.tv_sec);
        }
        else
        {
            snort_ip cleared;
            IP_CLEAR(cleared);

            filterEvent = sfthreshold_test(
                        potn->event_data.sig_generator,
                        potn->event_data.sig_id,
                        IP_ARG(cleared), IP_ARG(cleared),
                        p->pkth->ts.tv_sec);
        }

        if(filterEvent < 0)
            filterEvent = 0;
        else
            AlertAction(p, potn, &ev);
    }
Esempio n. 9
0
/* Main runtime entry point */
static void ProcessModbus(void *ipacketp, void *contextp)
{
    SFSnortPacket *packetp = (SFSnortPacket *)ipacketp;
    modbus_session_data_t *sessp;
    PROFILE_VARS;

    /* Sanity checks. Should this preprocessor run? */
    if (( !packetp ) ||
        ( !packetp->payload ) ||
        ( !packetp->payload_size ) ||
        ( !IPH_IS_VALID(packetp) ) ||
        ( !packetp->tcp_header ))
    {
        return;
    }

    PREPROC_PROFILE_START(modbusPerfStats);

    /* Fetch me a preprocessor config to use with this VLAN/subnet/etc.! */
    modbus_eval_config = sfPolicyUserDataGetCurrent(modbus_context_id);

    /* Look for a previously-allocated session data. */
    sessp = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_MODBUS);
    
    if (sessp == NULL)
    {
        /* No existing session. Check those ports. */
        if (ModbusPortCheck(modbus_eval_config, packetp) != MODBUS_OK)
        {
            PREPROC_PROFILE_END(modbusPerfStats);
            return;
        }
    }

    if ( !PacketHasFullPDU(packetp) )
    {
        /* If a packet is rebuilt, but not a full PDU, then it's garbage that
           got flushed at the end of a stream. */
        if ( packetp->flags & (FLAG_REBUILT_STREAM|FLAG_PDU_HEAD) )
        {
            _dpd.alertAdd(GENERATOR_SPP_MODBUS, MODBUS_BAD_LENGTH, 1, 0, 3,
                          MODBUS_BAD_LENGTH_STR, 0);
        }

        PREPROC_PROFILE_END(modbusPerfStats);
        return;
    }
    
    if (sessp == NULL)
    {
        /* Create session data and attach it to the Stream5 session */
        sessp = ModbusCreateSessionData(packetp);

        if ( !sessp )
        {
            PREPROC_PROFILE_END(modbusPerfStats);
            return;
        }
    }

    /* When pipelined Modbus PDUs appear in a single TCP segment, the
       detection engine caches the results of the rule options after
       evaluating on the first PDU. Setting this flag stops the caching. */
    packetp->flags |= FLAG_ALLOW_MULTIPLE_DETECT;

    /* Do preprocessor-specific detection stuff here */
    ModbusDecode(modbus_eval_config, packetp);

    /* That's the end! */
    PREPROC_PROFILE_END(modbusPerfStats);
}
Esempio n. 10
0
static int packet_to_data(Packet *p, void *event, idmef_alert_t *alert)
{
        int i;
        
        if ( ! p )
            return 0;

        add_int_data(alert, "snort_rule_sid", ntohl(((Unified2EventCommon *)event)->signature_id));
        add_int_data(alert, "snort_rule_rev", ntohl(((Unified2EventCommon *)event)->signature_revision));
        
        if ( IPH_IS_VALID(p) ) {
                add_int_data(alert, "ip_ver", GET_IPH_VER(p));
                add_int_data(alert, "ip_hlen", GET_IPH_HLEN(p));
                add_int_data(alert, "ip_tos", GET_IPH_TOS(p));
                add_int_data(alert, "ip_len", ntohs(GET_IPH_LEN(p)));
#ifdef SUP_IP6
// XXX-IPv6 need fragmentation ID
#else
                add_int_data(alert, "ip_id", ntohs(p->iph->ip_id));
#endif
#ifdef SUP_IP6
// XXX-IPv6 need fragmentation offset
#else
                add_int_data(alert, "ip_off", ntohs(p->iph->ip_off));
#endif
                add_int_data(alert, "ip_ttl", GET_IPH_TTL(p));
                add_int_data(alert, "ip_proto", GET_IPH_PROTO(p));
#ifdef SUP_IP6
// XXX-IPv6 need checksum
#else
                add_int_data(alert, "ip_sum", ntohs(p->iph->ip_csum));
#endif
                
                for ( i = 0; i < p->ip_option_count; i++ ) {
                        add_int_data(alert, "ip_option_code", p->ip_options[i].code);
                        add_byte_data(alert, "ip_option_data", 
                            p->ip_options[i].data, p->ip_options[i].len);        
                }
        }
        
        if ( p->tcph ) {
                add_int_data(alert, "tcp_seq", ntohl(p->tcph->th_seq));
                add_int_data(alert, "tcp_ack", ntohl(p->tcph->th_ack));
                
                add_int_data(alert, "tcp_off", TCP_OFFSET(p->tcph));
                add_int_data(alert, "tcp_res", TCP_X2(p->tcph));
                add_int_data(alert, "tcp_flags", p->tcph->th_flags);

                add_int_data(alert, "tcp_win", ntohs(p->tcph->th_win));
                add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum));
                add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp));

                
                for ( i = 0; i < p->tcp_option_count; i++ ) {
                        add_int_data(alert, "tcp_option_code", p->tcp_options[i].code);
                        add_byte_data(alert, "tcp_option_data", p->tcp_options[i].data, p->tcp_options[i].len);        
                }
        }

        else if ( p->udph ) {
                add_int_data(alert, "udp_len", ntohs(p->udph->uh_len));
                add_int_data(alert, "udp_sum", ntohs(p->udph->uh_chk));
        }

        else if ( p->icmph ) {
                add_int_data(alert, "icmp_type", p->icmph->type);
                add_int_data(alert, "icmp_code", p->icmph->code);
                add_int_data(alert, "icmp_sum", ntohs(p->icmph->csum));

                switch ( p->icmph->type ) {
                        
                case ICMP_ECHO:
                case ICMP_ECHOREPLY:
                case ICMP_INFO_REQUEST:
                case ICMP_INFO_REPLY:
                case ICMP_ADDRESS:
                case ICMP_TIMESTAMP:
                        add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
                        add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
                        break;
                        
                case ICMP_ADDRESSREPLY:
                        add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
                        add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
                        add_int_data(alert, "icmp_mask", (uint32_t) ntohl(p->icmph->s_icmp_mask));
                        break;
                
                case ICMP_REDIRECT:
#ifndef SUP_IP6
                        add_string_data(alert, "icmp_gwaddr", inet_ntoa(p->icmph->s_icmp_gwaddr));
#else
                        {
                            sfip_t gwaddr;
                            sfip_set_raw(&gwaddr, (void *)&p->icmph->s_icmp_gwaddr.s_addr, AF_INET);
                            add_string_data(alert, "icmp_gwaddr", inet_ntoa(&gwaddr));
                        }
#endif
                        break;
                
                case ICMP_ROUTER_ADVERTISE:
                        add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs);
                        add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa);
                        add_int_data(alert, "icmp_lifetime", ntohs(p->icmph->s_icmp_lifetime));
                        break;
                
                case ICMP_TIMESTAMPREPLY:
                        add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
                        add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
                        add_int_data(alert, "icmp_otime", p->icmph->s_icmp_otime);
                        add_int_data(alert, "icmp_rtime", p->icmph->s_icmp_rtime);
                        add_int_data(alert, "icmp_ttime", p->icmph->s_icmp_ttime);
                        break;
                }
        }

        add_byte_data(alert, "payload", p->data, p->dsize);
        
        return 0;
}
Esempio n. 11
0
static int event_to_source_target(Packet *p, idmef_alert_t *alert)
{
        int ret;
        idmef_node_t *node;
        idmef_source_t *source;
        idmef_target_t *target;
        idmef_address_t *address;
        idmef_service_t *service;
        prelude_string_t *string;
        static char saddr[128], daddr[128];

        if ( !p )
            return 0;

        if ( ! IPH_IS_VALID(p) )
                return 0;
        
        ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
        if ( ret < 0 )
                return ret;

        if (barnyard2_conf->interface != NULL) {
                ret = idmef_source_new_interface(source, &string);
                if ( ret < 0 )
                        return ret;
                prelude_string_set_ref(string, PRINT_INTERFACE(barnyard2_conf->interface));
        }
        
        ret = idmef_source_new_service(source, &service);
        if ( ret < 0 )
                return ret;

        if ( p->tcph || p->udph )
                idmef_service_set_port(service, p->sp);
        
        idmef_service_set_ip_version(service, GET_IPH_VER(p));
        idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));
        
        ret = idmef_source_new_node(source, &node);
        if ( ret < 0 )
                return ret;

        ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
        if ( ret < 0 )
                return ret;

        ret = idmef_address_new_address(address, &string);
        if ( ret < 0 )
                return ret;
        
        SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(GET_SRC_ADDR(p)));
        prelude_string_set_ref(string, saddr);

        ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
        if ( ret < 0 )
                return ret;

        if (barnyard2_conf->interface != NULL) {
            ret = idmef_target_new_interface(target, &string);
            if ( ret < 0 )
                return ret;
            prelude_string_set_ref(string, barnyard2_conf->interface);
        }

        ret = idmef_target_new_service(target, &service);
        if ( ! ret < 0 )
                return ret;
        
        if ( p->tcph || p->udph )                
                idmef_service_set_port(service, p->dp);
        
        idmef_service_set_ip_version(service, GET_IPH_VER(p));
        idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));
        
        ret = idmef_target_new_node(target, &node);
        if ( ret < 0 )
                return ret;
        
        ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
        if ( ret < 0 )
                return ret;
        
        ret = idmef_address_new_address(address, &string);
        if ( ret < 0 )
                return ret;
                
        SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(GET_DST_ADDR(p)));
        prelude_string_set_ref(string, daddr);
        
        return 0;
}
Esempio n. 12
0
/* Main runtime entry point */
static void ProcessDNP3(void *ipacketp, void *contextp)
{
    SFSnortPacket *packetp = (SFSnortPacket *)ipacketp;
    MemBucket *tmp_bucket = NULL;
    dnp3_session_data_t *sessp = NULL;
    PROFILE_VARS;

    /* Sanity checks. Should this preprocessor run? */
    if (( !packetp ) ||
        ( !packetp->payload ) ||
        ( !packetp->payload_size ) ||
        ( !IPH_IS_VALID(packetp) ) ||
        ( !packetp->tcp_header && !packetp->udp_header ))
    {
        return;
    }

    /* If TCP, require that PAF flushes full PDUs first. */
    if (packetp->tcp_header && !PacketHasFullPDU(packetp))
        return;

    PREPROC_PROFILE_START(dnp3PerfStats);

    /* When pipelined DNP3 PDUs appear in a single TCP segment or UDP packet,
       the detection engine caches the results of the rule options after
       evaluating on the first PDU. Setting this flag stops the caching. */
    packetp->flags |= FLAG_ALLOW_MULTIPLE_DETECT;

    /* Fetch me a preprocessor config to use with this VLAN/subnet/etc.! */
    dnp3_eval_config = sfPolicyUserDataGetCurrent(dnp3_context_id);

    /* Look for a previously-allocated session data. */
    tmp_bucket = _dpd.streamAPI->get_application_data(packetp->stream_session_ptr, PP_DNP3);

    if (tmp_bucket == NULL)
    {
        /* No existing session. Check those ports. */
        if (DNP3PortCheck(dnp3_eval_config, packetp) != DNP3_OK)
        {
            PREPROC_PROFILE_END(dnp3PerfStats);
            return;
        }

        /* Create session data and attach it to the Stream5 session */
        tmp_bucket = DNP3CreateSessionData(packetp);

        if (tmp_bucket == NULL)
        {
            /* Mempool was full, don't process this session. */
            static unsigned int times_mempool_alloc_failed = 0;

            /* Print a message, but only every 1000 times.
               Don't want to flood the log if there's a lot of DNP3 traffic. */
            if (times_mempool_alloc_failed % 1000)
            {
                _dpd.logMsg("WARNING: DNP3 memcap exceeded.\n");
            }
            times_mempool_alloc_failed++;

            PREPROC_PROFILE_END(dnp3PerfStats);
            return;
        }
    }

    sessp = (dnp3_session_data_t *) tmp_bucket->data;

    /* Set reassembly direction */
    if (packetp->flags & FLAG_FROM_CLIENT)
        sessp->direction = DNP3_CLIENT;
    else
        sessp->direction = DNP3_SERVER;

    /* Do preprocessor-specific detection stuff here */
    if (packetp->tcp_header)
    {
        /* Single PDU. PAF already split them up into separate pseudo-packets. */
        DNP3FullReassembly(dnp3_eval_config, sessp, packetp,
                           (uint8_t *)packetp->payload, packetp->payload_size);
    }
    else if (packetp->udp_header)
    {
        DNP3ProcessUDP(dnp3_eval_config, sessp, packetp);
    }

    /* That's the end! */
    PREPROC_PROFILE_END(dnp3PerfStats);
}
Esempio n. 13
0
/*--------------------------------------------------------------------
 * Function: LogIPHeader(TextLog* )
 *
 * Purpose: Dump the IP header info to the given TextLog
 *
 * Arguments: log => TextLog to print to
 *
 * Returns: void function
 *--------------------------------------------------------------------
 */
void LogIPHeader(TextLog*  log, Packet * p)
{
    if(!IPH_IS_VALID(p))
    {
        TextLog_Print(log, "IP header truncated\n");
        return;
    }

    if(p->frag_flag)
    {
        /* just print the straight IP header */
        TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p)));
        TextLog_Puts(log, " -> ");
        TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p)));
    }
    else
    {
        if(GET_IPH_PROTO(p) != IPPROTO_TCP && GET_IPH_PROTO(p) != IPPROTO_UDP)
        {
            /* just print the straight IP header */
            TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p)));
            TextLog_Puts(log, " -> ");
            TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p)));
        }
        else
        {
            if (!BcObfuscate())
            {
                /* print the header complete with port information */
                TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p)));
                TextLog_Print(log, ":%d -> ", p->sp);
                TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p)));
                TextLog_Print(log, ":%d", p->dp);
            }
            else
            {
                /* print the header complete with port information */
                if(IS_IP4(p))
                    TextLog_Print(log, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp);
                else if(IS_IP6(p))
                    TextLog_Print(log, "x:x:x:x:x:x:x:x:%d -> x:x:x:x:x:x:x:x:%d", p->sp, p->dp);
            }
        }
    }

    if(!BcOutputDataLink())
    {
        TextLog_NewLine(log);
    }
    else
    {
        TextLog_Putc(log, ' ');
    }

    TextLog_Print(log, "%s TTL:%u TOS:0x%X ID:%u IpLen:%u DgmLen:%u",
                  protocol_names[GET_IPH_PROTO(p)],
                  GET_IPH_TTL(p),
                  GET_IPH_TOS(p),
                  IS_IP6(p) ? ntohl(GET_IPH_ID(p)) : ntohs((uint16_t)GET_IPH_ID(p)),
                  GET_IPH_HLEN(p) << 2,
                  GET_IP_DGMLEN(p));

    /* print the reserved bit if it's set */
    if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x8000) >> 15) == 1)
        TextLog_Puts(log, " RB");

    /* printf more frags/don't frag bits */
    if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x4000) >> 14) == 1)
        TextLog_Puts(log, " DF");

    if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x2000) >> 13) == 1)
        TextLog_Puts(log, " MF");

    TextLog_NewLine(log);

    /* print IP options */
    if(p->ip_option_count != 0)
    {
        LogIpOptions(log, p);
    }

    /* print fragment info if necessary */
    if(p->frag_flag)
    {
        TextLog_Print(log, "Frag Offset: 0x%04X   Frag Size: 0x%04X\n",
                      (p->frag_offset & 0x1FFF),
                      GET_IP_PAYLEN(p));
    }
}
Esempio n. 14
0
/**
 * \brief Add Source and Target fields to the IDMEF alert.
 * These objects contains IP addresses, source and destination
 * ports (see sections 4.2.4.3 and 4.2.4.4 of RFC 4765).
 *
 * \return 0 if ok
 */
static int EventToSourceTarget(Packet *p, idmef_alert_t *alert)
{
    int ret;
    idmef_node_t *node;
    idmef_source_t *source;
    idmef_target_t *target;
    idmef_address_t *address;
    idmef_service_t *service;
    prelude_string_t *string;
    static char saddr[128], daddr[128];
    uint8_t ip_vers;
    uint8_t ip_proto;

    SCEnter();

    if ( !p )
        SCReturnInt(0);

    if ( ! IPH_IS_VALID(p) )
        SCReturnInt(0);

    if (PKT_IS_IPV4(p)) {
        ip_vers = 4;
        ip_proto = IPV4_GET_RAW_IPPROTO(p->ip4h);
        PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), saddr, sizeof(saddr));
        PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), daddr, sizeof(daddr));
    } else if (PKT_IS_IPV6(p)) {
        ip_vers = 6;
        ip_proto = IPV6_GET_L4PROTO(p);
        PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), saddr, sizeof(saddr));
        PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), daddr, sizeof(daddr));
    } else
        SCReturnInt(0);

    ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_source_new_service(source, &service);
    if ( ret < 0 )
        SCReturnInt(ret);

    if ( p->tcph || p->udph )
        idmef_service_set_port(service, p->sp);

    idmef_service_set_ip_version(service, ip_vers);
    idmef_service_set_iana_protocol_number(service, ip_proto);

    ret = idmef_source_new_node(source, &node);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_address_new_address(address, &string);
    if ( ret < 0 )
        SCReturnInt(ret);

    prelude_string_set_ref(string, saddr);

    ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_target_new_service(target, &service);
    if ( ret < 0 )
        SCReturnInt(ret);

    if ( p->tcph || p->udph )
        idmef_service_set_port(service, p->dp);

    idmef_service_set_ip_version(service, ip_vers);
    idmef_service_set_iana_protocol_number(service, ip_proto);

    ret = idmef_target_new_node(target, &node);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        SCReturnInt(ret);

    ret = idmef_address_new_address(address, &string);
    if ( ret < 0 )
        SCReturnInt(ret);

    prelude_string_set_ref(string, daddr);

    SCReturnInt(0);
}
Esempio n. 15
0
void  OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
{
    OpSyslog_Data *syslogContext = NULL;    
    Unified2EventCommon *iEvent = NULL;

    SigNode                         *sn = NULL;
    ClassType                       *cn = NULL;

    
    char sip[16] = {0};
    char dip[16] = {0};
    
    if( (p == NULL) ||
	(event == NULL) ||
	(arg == NULL))
    {
	LogMessage("OpSyslog_Alert(): Invoked with Packet[0x%x] Event[0x%x] Event Type [%u] Context pointer[0x%x]\n",
		   p,
		   event,
		   event_type,
		   arg);
	return;
    }
    
    if(event_type != UNIFIED2_IDS_EVENT)
    {
        LogMessage("OpSyslog_Alert(): Is currently unable to handle Event Type [%u] \n",
                   event_type);
	return;
    }
    
    
    syslogContext = (OpSyslog_Data *)arg;
    iEvent = event;
    
    memset(syslogContext->payload,'\0',(SYSLOG_MAX_QUERY_SIZE));
    memset(syslogContext->formatBuffer,'\0',(SYSLOG_MAX_QUERY_SIZE));
    syslogContext->payload_current_pos = 0;
    syslogContext->format_current_pos = 0;

    
    switch(syslogContext->operation_mode)
    {

    case 0:  /* Ze Classic (Requested) */

	if(IPH_IS_VALID(p))
	{	
	    if (strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(sip)) >= sizeof(sip))
	    {
		FatalError("[%s()], strlcpy() error , bailing \n",
			   __FUNCTION__);
		return;
	    }
	    
	    
	    if (strlcpy(dip, inet_ntoa(GET_DST_ADDR(p)), sizeof(dip)) >= sizeof(dip))
	    {
		FatalError("[%s()], strlcpy() error , bailing \n",
		       __FUNCTION__);
		return;
	    }
	}
	
	sn = GetSigByGidSid(ntohl(iEvent->generator_id),
			    ntohl(iEvent->signature_id));
	
	cn = ClassTypeLookupById(barnyard2_conf,
				 ntohl(iEvent->classification_id));
	
	if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
							"[%u:%u:%u] ",
							ntohl(iEvent->generator_id),
							ntohl(iEvent->signature_id),
							ntohl(iEvent->signature_revision))) >=  SYSLOG_MAX_QUERY_SIZE)
	{
	    /* XXX */
	    FatalError("[%s()], failed call to snprintf \n",
		       __FUNCTION__);
	}
	
	if( OpSyslog_Concat(syslogContext))
        {
            /* XXX */
            FatalError("OpSyslog_Concat(): Failed \n");
        }
	
	if(sn != NULL)
	{
	    if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
							    "%s ",
							    sn->msg)) >=  SYSLOG_MAX_QUERY_SIZE)
	    {
		/* XXX */
		FatalError("[%s()], failed call to snprintf \n",
			   __FUNCTION__);
	    }
	}
	else
	{
	    if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
							       "ALERT ")) >=  SYSLOG_MAX_QUERY_SIZE)
            {
                /* XXX */
                FatalError("[%s()], failed call to snprintf \n",
                           __FUNCTION__);
            }
	    
	}
	
	if( OpSyslog_Concat(syslogContext))
        {
            /* XXX */
            FatalError("OpSyslog_Concat(): Failed \n");
        }


	
	if(cn != NULL)
        {
            if( cn->name )
            {
                if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
								"[Classification: %s] [Priority: %d]:",
								cn->name,
								ntohl(((Unified2EventCommon *)event)->priority_id))) >= SYSLOG_MAX_QUERY_SIZE)
		{
		    /* XXX */
		    FatalError("[%s()], failed call to snprintf \n",
			       __FUNCTION__);
		}
		
            }
        }
        else if( ntohl(((Unified2EventCommon *)event)->priority_id) != 0 )
        {
	    if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
							    "[Priority: %d]:",
							    ntohl(((Unified2EventCommon *)event)->priority_id))) >= SYSLOG_MAX_QUERY_SIZE)
	    {
		/* XXX */
		FatalError("[%s()], failed call to snprintf \n",
			   __FUNCTION__);
	    }
        }
	
	if( OpSyslog_Concat(syslogContext))
        {
            /* XXX */
            FatalError("OpSyslog_Concat(): Failed \n");
        }	
	
	
	if( (IPH_IS_VALID(p)) &&	
	    (((GET_IPH_PROTO(p) != IPPROTO_TCP &&
	       GET_IPH_PROTO(p) != IPPROTO_UDP &&
	       GET_IPH_PROTO(p) != IPPROTO_ICMP) ||
	      p->frag_flag)))
	{
	    if(!BcAlertInterface())
	    {
		if(protocol_names[GET_IPH_PROTO(p)])
		{
		    if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
								       " {%s} %s -> %s",
								       protocol_names[GET_IPH_PROTO(p)],
								       sip, dip))   >= SYSLOG_MAX_QUERY_SIZE)
		    {
			/* XXX */
			FatalError("[%s()], failed call to snprintf \n",
				   __FUNCTION__);
		    }
		}
	    }
	    else
	    {
		if(protocol_names[GET_IPH_PROTO(p)])
		{
		    
		    if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
								       " <%s> {%s} %s -> %s",
								       barnyard2_conf->interface,
								       protocol_names[GET_IPH_PROTO(p)],
								       sip, dip)) >= SYSLOG_MAX_QUERY_SIZE)
		    {
			/* XXX */
			FatalError("[%s()], failed call to snprintf \n",
				   __FUNCTION__);
		    
		    }
		}
	    }
	}
	else
	{
	    if(BcAlertInterface())
	    {
		if(protocol_names[GET_IPH_PROTO(p)])
		{
		    if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
								       " <%s> {%s} %s:%i -> %s:%i",
								       barnyard2_conf->interface,
								       protocol_names[GET_IPH_PROTO(p)], sip,
								       p->sp, dip, p->dp)) >= SYSLOG_MAX_QUERY_SIZE)
		    {
			/* XXX */
			FatalError("[%s()], failed call to snprintf \n",
				   __FUNCTION__);
		    }
		}
	    }
	    else
	    {
		if(protocol_names[GET_IPH_PROTO(p)])
		{
		    if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
								       " {%s} %s:%i -> %s:%i",
								       protocol_names[GET_IPH_PROTO(p)], sip, p->sp,
								       dip, p->dp)) >= SYSLOG_MAX_QUERY_SIZE)
		    {
			/* XXX */
			FatalError("[%s()], failed call to snprintf \n",
				   __FUNCTION__);
		    }
		}
	    }
	}
	
	
	if( OpSyslog_Concat(syslogContext))
	{
	    /* XXX */
	    FatalError("OpSyslog_Concat(): Failed \n");
	}

	break;
	
    case 1: /* Ze verbose */
	
	if(Syslog_FormatTrigger(syslogContext, iEvent,0) ) 
	{
	    LogMessage("WARNING: Unable to append Trigger header.\n");
	    return;
	}
	
	/* Support for portscan ip */
	if(p->iph)
	{
	    if(Syslog_FormatIPHeaderAlert(syslogContext, p) ) 
	    {
		LogMessage("WARNING: Unable to append Trigger header.\n");
		return;
	    }
	}	
	
	if(p->iph)
	{
	    /* build the protocol specific header information */
	    switch(p->iph->ip_proto)
	    {
	    case IPPROTO_TCP:
		Syslog_FormatTCPHeaderAlert(syslogContext, p);
		break;
	    case IPPROTO_UDP:
		Syslog_FormatUDPHeaderAlert(syslogContext, p);
		break;
	    case IPPROTO_ICMP:
		Syslog_FormatICMPHeaderAlert(syslogContext, p);
		break;
	    }
	}
	
	/* CHECKME: -elz will update formating later on .. */
	if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
							   "\n")) >= SYSLOG_MAX_QUERY_SIZE)
	{
	    /* XXX */
	    FatalError("Couldn't finalize payload string ....\n");
	}
	
	if( OpSyslog_Concat(syslogContext))
	{
	    /* XXX */
	    FatalError("OpSyslog_Concat(): Failed \n");
	}
	
	break;
	
    default:
	FatalError("[%s()]: Unknown operation_mode ... bailing \n",
		   __FUNCTION__);
	break;
    }
    
    if(NetSend(syslogContext)) 
    {
	NetClose(syslogContext);
	if(syslogContext->local_logging != 1)
	{
	    FatalError("NetSend(): call failed for host:port '%s:%u' bailing...\n", syslogContext->server, syslogContext->port);
	}
    }


    return;
}