static inline int _Active_DoReset(Packet *p)
{
#ifdef ACTIVE_RESPONSE
if ( !Active_IsEnabled() )
return 0;
if ( Active_PacketWouldBeDropped() )
return 0;
if ( !IPH_IS_VALID(p) )
return 0;
switch ( GET_IPH_PROTO(p) )
{
case IPPROTO_TCP:
if ( Active_IsRSTCandidate(p) )
Active_QueueReject();
break;
// FIXTHIS send unr to udp/icmp4/icmp6 only or for all non-tcp?
case IPPROTO_UDP:
case IPPROTO_ICMP:
case IPPROTO_ICMPV6:
if ( Active_IsUNRCandidate(p) )
Active_QueueReject();
break;
}
#endif
return 0;
}
int Active_ForceDropAction(Packet *p)
{
// explicitly drop packet
Active_ForceDropPacket();
switch ( GET_IPH_PROTO(p) )
{
case IPPROTO_TCP:
case IPPROTO_UDP:
_Active_DoIgnoreSession(p);
}
return 0;
}
int Active_ForceDropAction(Packet *p)
{
if ( !IsIP(p) )
return 0;
// explicitly drop packet
Active_ForceDropPacket();
switch ( GET_IPH_PROTO(p) )
{
case IPPROTO_TCP:
case IPPROTO_UDP:
Active_DropSession();
_Active_ForceIgnoreSession(p);
}
return 0;
}
void Active_KillSession (Packet* p, EncodeFlags* pf)
{
EncodeFlags flags = pf ? *pf : ENC_FLAG_FWD;
switch ( GET_IPH_PROTO(p) )
{
case IPPROTO_TCP:
Active_SendReset(p, 0);
if ( flags & ENC_FLAG_FWD )
Active_SendReset(p, ENC_FLAG_FWD);
break;
case IPPROTO_UDP:
Active_SendUnreach(p, ENC_UNR_PORT);
break;
}
}
void Active_KillSession (Packet* p, EncodeFlags* pf)
{
EncodeFlags flags = pf ? *pf : ENC_FLAG_FWD;
switch ( GET_IPH_PROTO(p) )
{
case IPPROTO_TCP:
Active_SendReset(p, 0);
if ( flags & ENC_FLAG_FWD )
Active_SendReset(p, ENC_FLAG_FWD);
break;
default:
if ( Active_PacketForceDropped() )
Active_SendUnreach(p, ENC_UNR_FW);
else
Active_SendUnreach(p, ENC_UNR_PORT);
break;
}
}
int GetSessionCount(Packet *p)
{
if (IPH_IS_VALID(p))
{
if (GET_IPH_PROTO(p) == IPPROTO_TCP)
{
if (sessionHashTable)
return sessionHashTable->count;
else
return 0;
}
else
{
if (udpSessionHashTable)
return udpSessionHashTable->count;
else
return 0;
}
}
return 0;
}
int Active_DropAction (Packet* p)
{
Active_IgnoreSession(p);
#ifdef ACTIVE_RESPONSE
if ( !Active_IsEnabled() )
return 0;
switch ( GET_IPH_PROTO(p) )
{
case IPPROTO_TCP:
if ( Active_IsRSTCandidate(p) )
Active_QueueReject();
break;
case IPPROTO_UDP:
if ( Active_IsUNRCandidate(p) )
Active_QueueReject();
break;
}
#endif
return 0;
}
/*
* Check header option specified against packet
*
* Return 1 if check is true (e.g. data matches)
* Return 0 if check is not true.
*/
ENGINE_LINKAGE int checkHdrOpt(void *p, HdrOptCheck *optData)
{
SFSnortPacket *pkt = (SFSnortPacket *)p;
/* Header field will be extracted from its native
* 1 or 2 bytes, converted to host byte order,
* and placed in a 4 byte value for easy comparison
*/
uint32_t value = 0;
if ((optData->hdrField & IP_HDR_OPTCHECK_MASK) && (!pkt->ip4_header))
return RULE_NOMATCH;
if ((optData->hdrField & TCP_HDR_OPTCHECK_MASK) &&
(!pkt->ip4_header || !pkt->tcp_header))
return RULE_NOMATCH;
if ((optData->hdrField & ICMP_HDR_OPTCHECK_MASK) &&
(!IPH_IS_VALID(pkt) || !pkt->icmp_header))
return RULE_NOMATCH;
switch (optData->hdrField)
{
/* IP Header Checks */
case IP_HDR_ID:
value = IS_IP6(pkt) ? ntohl(GET_IPH_ID(pkt)) : ntohs((uint16_t)GET_IPH_ID(pkt));
break;
case IP_HDR_PROTO:
//value = pkt->ip4_header->proto;
value = GET_IPH_PROTO(pkt);
break;
case IP_HDR_FRAGBITS:
return checkBits(optData->value, optData->op, ((ntohs(GET_IPH_OFF(pkt)) & 0xe000) & ~optData->mask_value));
break;
case IP_HDR_FRAGOFFSET:
value = ntohs(GET_IPH_OFF((pkt))) & 0x1FFF;
break;
case IP_HDR_TOS:
//value = pkt->ip4_header->type_service;
value = GET_IPH_TOS(pkt);
break;
case IP_HDR_TTL:
//value = pkt->ip4_header->time_to_live;
value = GET_IPH_TTL(pkt);
break;
case IP_HDR_OPTIONS:
return checkOptions(optData->value, optData->op, pkt->ip_options, pkt->num_ip_options);
break;
/* TCP Header checks */
case TCP_HDR_ACK:
value = ntohl(pkt->tcp_header->acknowledgement);
break;
case TCP_HDR_SEQ:
value = ntohl(pkt->tcp_header->sequence);
break;
case TCP_HDR_FLAGS:
return checkBits(optData->value, optData->op, (pkt->tcp_header->flags & ~optData->mask_value));
break;
case TCP_HDR_WIN:
value = ntohs(pkt->tcp_header->window);
break;
case TCP_HDR_OPTIONS:
return checkOptions(optData->value, optData->op, pkt->tcp_options, pkt->num_tcp_options);
break;
/* ICMP Header checks */
case ICMP_HDR_CODE:
value = pkt->icmp_header->code;
break;
case ICMP_HDR_TYPE:
value = pkt->icmp_header->type;
break;
case ICMP_HDR_ID:
if ((pkt->icmp_header->code == ICMP_ECHO_REQUEST) ||
(pkt->icmp_header->code == ICMP_ECHO_REPLY))
{
value = ntohs(pkt->icmp_header->icmp_header_union.echo.id);
}
else
{
return RULE_NOMATCH;
}
break;
case ICMP_HDR_SEQ:
if ((pkt->icmp_header->code == ICMP_ECHO_REQUEST) ||
(pkt->icmp_header->code == ICMP_ECHO_REPLY))
{
value = ntohs(pkt->icmp_header->icmp_header_union.echo.seq);
}
else
{
return RULE_NOMATCH;
}
break;
default:
return RULE_NOMATCH;
break;
}
return checkField(optData->op, value, optData->value);
}
int GetLWSessionKey(Packet *p, SessionKey *key)
{
uint16_t sport;
uint16_t dport;
int proto;
/* Because the key is going to be used for hash lookups,
* the lower of the values of the IP address field is
* stored in the key->ip_l and the port for that ip is
* stored in key->port_l.
*/
if (!key)
return 0;
#ifdef SUP_IP6
if (IS_IP4(p))
{
uint32_t *src;
uint32_t *dst;
proto = p->ip4h->ip_proto;
switch (proto)
{
case IPPROTO_TCP:
case IPPROTO_UDP:
sport = p->sp;
dport = p->dp;
break;
case IPPROTO_ICMP:
default:
sport = dport = 0;
break;
}
src = p->ip4h->ip_src.ip32;
dst = p->ip4h->ip_dst.ip32;
/* These comparisons are done in this fashion for performance reasons */
if (*src < *dst)
{
COPY4(key->ip_l, src);
COPY4(key->ip_h, dst);
key->port_l = sport;
key->port_h = dport;
}
else if (*src == *dst)
{
COPY4(key->ip_l, src);
COPY4(key->ip_h, dst);
if (sport < dport)
{
key->port_l = sport;
key->port_h = dport;
}
else
{
key->port_l = dport;
key->port_h = sport;
}
}
else
{
COPY4(key->ip_l, dst);
key->port_l = dport;
COPY4(key->ip_h, src);
key->port_h = sport;
}
# ifdef MPLS
if (ScMplsOverlappingIp() && (p->mpls != NULL) &&
isPrivateIP(*src) && isPrivateIP(*dst))
{
key->mplsLabel = p->mplsHdr.label;
}
else
{
key->mplsLabel = 0;
}
# endif
}
else
{
/* IPv6 */
sfip_t *src;
sfip_t *dst;
proto = p->ip6h->next;
switch (proto)
{
case IPPROTO_TCP:
case IPPROTO_UDP:
sport = p->sp;
dport = p->dp;
break;
case IPPROTO_ICMP:
default:
sport = dport = 0;
break;
}
src = &p->ip6h->ip_src;
dst = &p->ip6h->ip_dst;
if (sfip_fast_lt6(src, dst))
{
COPY4(key->ip_l, src->ip32);
key->port_l = sport;
COPY4(key->ip_h, dst->ip32);
key->port_h = dport;
}
else if (sfip_fast_eq6(src, dst))
{
COPY4(key->ip_l, src->ip32);
COPY4(key->ip_h, dst->ip32);
if (sport < dport)
{
key->port_l = sport;
key->port_h = dport;
}
else
{
key->port_l = dport;
key->port_h = sport;
}
}
else
{
COPY4(key->ip_l, dst->ip32);
key->port_l = dport;
COPY4(key->ip_h, src->ip32);
key->port_h = sport;
}
# ifdef MPLS
if (ScMplsOverlappingIp() && (p->mpls != NULL))
{
key->mplsLabel = p->mplsHdr.label;
}
else
{
key->mplsLabel = 0;
}
# endif
}
#else
proto = GET_IPH_PROTO(p);
switch (proto)
{
case IPPROTO_TCP:
case IPPROTO_UDP:
sport = p->sp;
dport = p->dp;
break;
case IPPROTO_ICMP:
default:
sport = dport = 0;
break;
}
/* These comparisons are done in this fashion for performance reasons */
if (IP_LESSER(GET_SRC_IP(p), GET_DST_IP(p)))
{
IP_COPY_VALUE(key->ip_l, GET_SRC_IP(p));
key->port_l = sport;
IP_COPY_VALUE(key->ip_h, GET_DST_IP(p));
key->port_h = dport;
}
else if (IP_EQUALITY(GET_SRC_IP(p), GET_DST_IP(p)))
{
IP_COPY_VALUE(key->ip_l, GET_SRC_IP(p));
IP_COPY_VALUE(key->ip_h, GET_DST_IP(p));
if (sport < dport)
{
key->port_l = sport;
key->port_h = dport;
}
else
{
key->port_l = dport;
key->port_h = sport;
}
}
else
{
IP_COPY_VALUE(key->ip_l, GET_DST_IP(p));
key->port_l = dport;
IP_COPY_VALUE(key->ip_h, GET_SRC_IP(p));
key->port_h = sport;
}
# ifdef MPLS
if (ScMplsOverlappingIp() && (p->mpls != NULL) &&
isPrivateIP(key->ip_l) && isPrivateIP(key->ip_h))
{
key->mplsLabel = p->mplsHdr.label;
}
else
{
key->mplsLabel = 0;
}
# endif
#endif
key->protocol = proto;
if (p->vh && !ScVlanAgnostic())
key->vlan_tag = (uint16_t)VTH_VLAN(p->vh);
else
key->vlan_tag = 0;
key->pad = 0;
#ifdef MPLS
key->mplsPad = 0;
#endif
return 1;
}
void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
{
OpSyslog_Data *syslogContext = NULL;
Unified2EventCommon *iEvent = NULL;
SigNode *sn = NULL;
ClassType *cn = NULL;
char sip[16] = {0};
char dip[16] = {0};
if( (p == NULL) ||
(event == NULL) ||
(arg == NULL))
{
LogMessage("OpSyslog_Alert(): Invoked with Packet[0x%x] Event[0x%x] Event Type [%u] Context pointer[0x%x]\n",
p,
event,
event_type,
arg);
return;
}
if(event_type != UNIFIED2_IDS_EVENT)
{
LogMessage("OpSyslog_Alert(): Is currently unable to handle Event Type [%u] \n",
event_type);
return;
}
syslogContext = (OpSyslog_Data *)arg;
iEvent = event;
memset(syslogContext->payload,'\0',(SYSLOG_MAX_QUERY_SIZE));
memset(syslogContext->formatBuffer,'\0',(SYSLOG_MAX_QUERY_SIZE));
syslogContext->payload_current_pos = 0;
syslogContext->format_current_pos = 0;
switch(syslogContext->operation_mode)
{
case 0: /* Ze Classic (Requested) */
if(IPH_IS_VALID(p))
{
if (strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(sip)) >= sizeof(sip))
{
FatalError("[%s()], strlcpy() error , bailing \n",
__FUNCTION__);
return;
}
if (strlcpy(dip, inet_ntoa(GET_DST_ADDR(p)), sizeof(dip)) >= sizeof(dip))
{
FatalError("[%s()], strlcpy() error , bailing \n",
__FUNCTION__);
return;
}
}
sn = GetSigByGidSid(ntohl(iEvent->generator_id),
ntohl(iEvent->signature_id));
cn = ClassTypeLookupById(barnyard2_conf,
ntohl(iEvent->classification_id));
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"[%u:%u:%u] ",
ntohl(iEvent->generator_id),
ntohl(iEvent->signature_id),
ntohl(iEvent->signature_revision))) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
if(sn != NULL)
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"%s ",
sn->msg)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
else
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"ALERT ")) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
if(cn != NULL)
{
if( cn->name )
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"[Classification: %s] [Priority: %d]:",
cn->name,
ntohl(((Unified2EventCommon *)event)->priority_id))) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
else if( ntohl(((Unified2EventCommon *)event)->priority_id) != 0 )
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"[Priority: %d]:",
ntohl(((Unified2EventCommon *)event)->priority_id))) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
if( (IPH_IS_VALID(p)) &&
(((GET_IPH_PROTO(p) != IPPROTO_TCP &&
GET_IPH_PROTO(p) != IPPROTO_UDP &&
GET_IPH_PROTO(p) != IPPROTO_ICMP) ||
p->frag_flag)))
{
if(!BcAlertInterface())
{
if(protocol_names[GET_IPH_PROTO(p)])
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
" {%s} %s -> %s",
protocol_names[GET_IPH_PROTO(p)],
sip, dip)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
else
{
if(protocol_names[GET_IPH_PROTO(p)])
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
" <%s> {%s} %s -> %s",
barnyard2_conf->interface,
protocol_names[GET_IPH_PROTO(p)],
sip, dip)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
}
else
{
if(BcAlertInterface())
{
if(protocol_names[GET_IPH_PROTO(p)])
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
" <%s> {%s} %s:%i -> %s:%i",
barnyard2_conf->interface,
protocol_names[GET_IPH_PROTO(p)], sip,
p->sp, dip, p->dp)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
else
{
if(protocol_names[GET_IPH_PROTO(p)])
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
" {%s} %s:%i -> %s:%i",
protocol_names[GET_IPH_PROTO(p)], sip, p->sp,
dip, p->dp)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
break;
case 1: /* Ze verbose */
if(Syslog_FormatTrigger(syslogContext, iEvent,0) )
{
LogMessage("WARNING: Unable to append Trigger header.\n");
return;
}
/* Support for portscan ip */
if(p->iph)
{
if(Syslog_FormatIPHeaderAlert(syslogContext, p) )
{
LogMessage("WARNING: Unable to append Trigger header.\n");
return;
}
}
if(p->iph)
{
/* build the protocol specific header information */
switch(p->iph->ip_proto)
{
case IPPROTO_TCP:
Syslog_FormatTCPHeaderAlert(syslogContext, p);
break;
case IPPROTO_UDP:
Syslog_FormatUDPHeaderAlert(syslogContext, p);
break;
case IPPROTO_ICMP:
Syslog_FormatICMPHeaderAlert(syslogContext, p);
break;
}
}
/* CHECKME: -elz will update formating later on .. */
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"\n")) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("Couldn't finalize payload string ....\n");
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
break;
default:
FatalError("[%s()]: Unknown operation_mode ... bailing \n",
__FUNCTION__);
break;
}
if(NetSend(syslogContext))
{
NetClose(syslogContext);
if(syslogContext->local_logging != 1)
{
FatalError("NetSend(): call failed for host:port '%s:%u' bailing...\n", syslogContext->server, syslogContext->port);
}
}
return;
}
static int event_to_source_target(Packet *p, idmef_alert_t *alert)
{
int ret;
idmef_node_t *node;
idmef_source_t *source;
idmef_target_t *target;
idmef_address_t *address;
idmef_service_t *service;
prelude_string_t *string;
static char saddr[128], daddr[128];
if ( !p )
return 0;
if ( ! IPH_IS_VALID(p) )
return 0;
ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
if (barnyard2_conf->interface != NULL) {
ret = idmef_source_new_interface(source, &string);
if ( ret < 0 )
return ret;
prelude_string_set_ref(string, PRINT_INTERFACE(barnyard2_conf->interface));
}
ret = idmef_source_new_service(source, &service);
if ( ret < 0 )
return ret;
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->sp);
idmef_service_set_ip_version(service, GET_IPH_VER(p));
idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));
ret = idmef_source_new_node(source, &node);
if ( ret < 0 )
return ret;
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
return ret;
SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(GET_SRC_ADDR(p)));
prelude_string_set_ref(string, saddr);
ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
if (barnyard2_conf->interface != NULL) {
ret = idmef_target_new_interface(target, &string);
if ( ret < 0 )
return ret;
prelude_string_set_ref(string, barnyard2_conf->interface);
}
ret = idmef_target_new_service(target, &service);
if ( ! ret < 0 )
return ret;
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->dp);
idmef_service_set_ip_version(service, GET_IPH_VER(p));
idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));
ret = idmef_target_new_node(target, &node);
if ( ret < 0 )
return ret;
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
return ret;
SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(GET_DST_ADDR(p)));
prelude_string_set_ref(string, daddr);
return 0;
}
/*--------------------------------------------------------------------
* Function: LogICMPEmbeddedIP(TextLog* , Packet *)
*
* Purpose: Prints the original/encapsulated IP header + 64 bits of the
* original IP payload in an ICMP packet
*
* Arguments: log => pointer to TextLog
* p => packet struct
*
* Returns: void function
*--------------------------------------------------------------------
*/
static void LogICMPEmbeddedIP(TextLog* log, Packet *p)
{
Packet op;
Packet *orig_p;
uint32_t orig_ip_hlen;
if (log == NULL || p == NULL)
return;
memset((char*)&op, 0, sizeof(op));
orig_p = &op;
orig_p->iph = p->orig_iph;
orig_p->tcph = p->orig_tcph;
orig_p->udph = p->orig_udph;
orig_p->sp = p->orig_sp;
orig_p->dp = p->orig_dp;
orig_p->icmph = p->orig_icmph;
#ifdef SUP_IP6
orig_p->iph_api = p->orig_iph_api;
orig_p->ip4h = p->orig_ip4h;
orig_p->ip6h = p->orig_ip6h;
orig_p->family = p->orig_family;
#endif
if(orig_p->iph != NULL)
{
TextLog_Print(log, "\n** ORIGINAL DATAGRAM DUMP:\n");
LogIPHeader(log, orig_p);
orig_ip_hlen = IP_HLEN(p->orig_iph) << 2;
switch(GET_IPH_PROTO(orig_p))
{
case IPPROTO_TCP:
if(orig_p->tcph != NULL)
TextLog_Print(log, "Seq: 0x%lX\n",
(u_long)ntohl(orig_p->tcph->th_seq));
break;
case IPPROTO_UDP:
if(orig_p->udph != NULL)
TextLog_Print(log, "Len: %d Csum: %d\n",
ntohs(orig_p->udph->uh_len) - UDP_HEADER_LEN,
ntohs(orig_p->udph->uh_chk));
break;
case IPPROTO_ICMP:
if(orig_p->icmph != NULL)
LogEmbeddedICMPHeader(log, orig_p->icmph);
break;
default:
TextLog_Print(log, "Protocol: 0x%X (unknown or "
"header truncated)", GET_IPH_PROTO(orig_p));
break;
} /* switch */
/* if more than 8 bytes of original IP payload sent */
if (p->dsize - orig_ip_hlen > 8)
{
TextLog_Print(log, "(%d more bytes of original packet)\n",
p->dsize - orig_ip_hlen - 8);
}
TextLog_Puts(log, "** END OF DUMP");
}
else
{
TextLog_Puts(log, "\nORIGINAL DATAGRAM TRUNCATED");
}
}
/*--------------------------------------------------------------------
* Function: LogIPHeader(TextLog* )
*
* Purpose: Dump the IP header info to the given TextLog
*
* Arguments: log => TextLog to print to
*
* Returns: void function
*--------------------------------------------------------------------
*/
void LogIPHeader(TextLog* log, Packet * p)
{
if(!IPH_IS_VALID(p))
{
TextLog_Print(log, "IP header truncated\n");
return;
}
if(p->frag_flag)
{
/* just print the straight IP header */
TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p)));
TextLog_Puts(log, " -> ");
TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p)));
}
else
{
if(GET_IPH_PROTO(p) != IPPROTO_TCP && GET_IPH_PROTO(p) != IPPROTO_UDP)
{
/* just print the straight IP header */
TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p)));
TextLog_Puts(log, " -> ");
TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p)));
}
else
{
if (!BcObfuscate())
{
/* print the header complete with port information */
TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p)));
TextLog_Print(log, ":%d -> ", p->sp);
TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p)));
TextLog_Print(log, ":%d", p->dp);
}
else
{
/* print the header complete with port information */
if(IS_IP4(p))
TextLog_Print(log, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp);
else if(IS_IP6(p))
TextLog_Print(log, "x:x:x:x:x:x:x:x:%d -> x:x:x:x:x:x:x:x:%d", p->sp, p->dp);
}
}
}
if(!BcOutputDataLink())
{
TextLog_NewLine(log);
}
else
{
TextLog_Putc(log, ' ');
}
TextLog_Print(log, "%s TTL:%u TOS:0x%X ID:%u IpLen:%u DgmLen:%u",
protocol_names[GET_IPH_PROTO(p)],
GET_IPH_TTL(p),
GET_IPH_TOS(p),
IS_IP6(p) ? ntohl(GET_IPH_ID(p)) : ntohs((uint16_t)GET_IPH_ID(p)),
GET_IPH_HLEN(p) << 2,
GET_IP_DGMLEN(p));
/* print the reserved bit if it's set */
if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x8000) >> 15) == 1)
TextLog_Puts(log, " RB");
/* printf more frags/don't frag bits */
if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x4000) >> 14) == 1)
TextLog_Puts(log, " DF");
if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x2000) >> 13) == 1)
TextLog_Puts(log, " MF");
TextLog_NewLine(log);
/* print IP options */
if(p->ip_option_count != 0)
{
LogIpOptions(log, p);
}
/* print fragment info if necessary */
if(p->frag_flag)
{
TextLog_Print(log, "Frag Offset: 0x%04X Frag Size: 0x%04X\n",
(p->frag_offset & 0x1FFF),
GET_IP_PAYLEN(p));
}
}
const char *GetProtocolName(void* p)
{
Packet *packet = (Packet *)p;
return (protocol_names[GET_IPH_PROTO(packet)]);
}
static int packet_to_data(Packet *p, void *event, idmef_alert_t *alert)
{
int i;
if ( ! p )
return 0;
add_int_data(alert, "snort_rule_sid", ntohl(((Unified2EventCommon *)event)->signature_id));
add_int_data(alert, "snort_rule_rev", ntohl(((Unified2EventCommon *)event)->signature_revision));
if ( IPH_IS_VALID(p) ) {
add_int_data(alert, "ip_ver", GET_IPH_VER(p));
add_int_data(alert, "ip_hlen", GET_IPH_HLEN(p));
add_int_data(alert, "ip_tos", GET_IPH_TOS(p));
add_int_data(alert, "ip_len", ntohs(GET_IPH_LEN(p)));
#ifdef SUP_IP6
// XXX-IPv6 need fragmentation ID
#else
add_int_data(alert, "ip_id", ntohs(p->iph->ip_id));
#endif
#ifdef SUP_IP6
// XXX-IPv6 need fragmentation offset
#else
add_int_data(alert, "ip_off", ntohs(p->iph->ip_off));
#endif
add_int_data(alert, "ip_ttl", GET_IPH_TTL(p));
add_int_data(alert, "ip_proto", GET_IPH_PROTO(p));
#ifdef SUP_IP6
// XXX-IPv6 need checksum
#else
add_int_data(alert, "ip_sum", ntohs(p->iph->ip_csum));
#endif
for ( i = 0; i < p->ip_option_count; i++ ) {
add_int_data(alert, "ip_option_code", p->ip_options[i].code);
add_byte_data(alert, "ip_option_data",
p->ip_options[i].data, p->ip_options[i].len);
}
}
if ( p->tcph ) {
add_int_data(alert, "tcp_seq", ntohl(p->tcph->th_seq));
add_int_data(alert, "tcp_ack", ntohl(p->tcph->th_ack));
add_int_data(alert, "tcp_off", TCP_OFFSET(p->tcph));
add_int_data(alert, "tcp_res", TCP_X2(p->tcph));
add_int_data(alert, "tcp_flags", p->tcph->th_flags);
add_int_data(alert, "tcp_win", ntohs(p->tcph->th_win));
add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum));
add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp));
for ( i = 0; i < p->tcp_option_count; i++ ) {
add_int_data(alert, "tcp_option_code", p->tcp_options[i].code);
add_byte_data(alert, "tcp_option_data", p->tcp_options[i].data, p->tcp_options[i].len);
}
}
else if ( p->udph ) {
add_int_data(alert, "udp_len", ntohs(p->udph->uh_len));
add_int_data(alert, "udp_sum", ntohs(p->udph->uh_chk));
}
else if ( p->icmph ) {
add_int_data(alert, "icmp_type", p->icmph->type);
add_int_data(alert, "icmp_code", p->icmph->code);
add_int_data(alert, "icmp_sum", ntohs(p->icmph->csum));
switch ( p->icmph->type ) {
case ICMP_ECHO:
case ICMP_ECHOREPLY:
case ICMP_INFO_REQUEST:
case ICMP_INFO_REPLY:
case ICMP_ADDRESS:
case ICMP_TIMESTAMP:
add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
break;
case ICMP_ADDRESSREPLY:
add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
add_int_data(alert, "icmp_mask", (uint32_t) ntohl(p->icmph->s_icmp_mask));
break;
case ICMP_REDIRECT:
#ifndef SUP_IP6
add_string_data(alert, "icmp_gwaddr", inet_ntoa(p->icmph->s_icmp_gwaddr));
#else
{
sfip_t gwaddr;
sfip_set_raw(&gwaddr, (void *)&p->icmph->s_icmp_gwaddr.s_addr, AF_INET);
add_string_data(alert, "icmp_gwaddr", inet_ntoa(&gwaddr));
}
#endif
break;
case ICMP_ROUTER_ADVERTISE:
add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs);
add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa);
add_int_data(alert, "icmp_lifetime", ntohs(p->icmph->s_icmp_lifetime));
break;
case ICMP_TIMESTAMPREPLY:
add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
add_int_data(alert, "icmp_otime", p->icmph->s_icmp_otime);
add_int_data(alert, "icmp_rtime", p->icmph->s_icmp_rtime);
add_int_data(alert, "icmp_ttime", p->icmph->s_icmp_ttime);
break;
}
}
add_byte_data(alert, "payload", p->data, p->dsize);
return 0;
}
int GetSessionKey(Packet *p, SessionHashKey *key)
{
ip_p srcIp, dstIp;
u_int16_t srcPort, dstPort;
if (!key)
return 0;
memset(key, 0, sizeof(SessionHashKey));
srcIp = GET_SRC_IP(p);
dstIp = GET_DST_IP(p);
if (p->tcph)
{
srcPort = p->tcph->th_sport;
dstPort = p->tcph->th_dport;
}
#ifdef STREAM4_UDP
else if (p->udph)
{
srcPort = p->udph->uh_sport;
dstPort = p->udph->uh_dport;
}
#endif
else
{
srcPort = 0;
dstPort = 0;
}
if (IP_LESSER(srcIp, dstIp))
{
IP_COPY_VALUE(key->lowIP, srcIp);
key->port = srcPort;
IP_COPY_VALUE(key->highIP, dstIp);
key->port2 = dstPort;
}
else if (IP_EQUALITY(srcIp, dstIp))
{
IP_COPY_VALUE(key->lowIP, srcIp);
IP_COPY_VALUE(key->highIP, dstIp);
if (srcPort < dstPort)
{
key->port = srcPort;
key->port2 = dstPort;
}
else
{
key->port2 = srcPort;
key->port = dstPort;
}
}
else
{
IP_COPY_VALUE(key->lowIP, dstIp);
key->port = dstPort;
IP_COPY_VALUE(key->highIP, srcIp);
key->port2 = srcPort;
}
key->proto = GET_IPH_PROTO(p);
#ifdef _LP64
key->pad1 = key->pad2 = 0;
#endif
return 1;
}
/** *
* @param sip - source IP address
* @param dip - destination IP address
* @param sport - server sport number
* @param file_sig - file signature
* @param expiry - session expiry in seconds.
*/
int file_resume_block_add_file(void *pkt, uint32_t file_sig, uint32_t timeout,
File_Verdict verdict, uint32_t file_type_id, uint8_t *signature)
{
FileHashKey hashKey;
SFXHASH_NODE *hash_node = NULL;
FileNode *node;
FileNode new_node;
sfaddr_t* srcIP;
sfaddr_t* dstIP;
Packet *p = (Packet*)pkt;
time_t now = p->pkth->ts.tv_sec;
srcIP = GET_SRC_IP(p);
dstIP = GET_DST_IP(p);
sfaddr_copy_to_raw(&hashKey.dip, dstIP);
sfaddr_copy_to_raw(&hashKey.sip, srcIP);
hashKey.file_sig = file_sig;
#ifdef HAVE_DAQ_DP_ADD_DC
{
DAQ_DC_Params params;
memset(¶ms, 0, sizeof(params));
params.flags = DAQ_DC_ALLOW_MULTIPLE | DAQ_DC_PERSIST;
params.timeout_ms = 5 * 60 * 1000; /* 5 minutes */
if (p->packet_flags & PKT_FROM_CLIENT)
DAQ_Add_Dynamic_Protocol_Channel(p, srcIP, 0, dstIP, p->dp, GET_IPH_PROTO(p),
¶ms);
else if (p->packet_flags & PKT_FROM_SERVER)
DAQ_Add_Dynamic_Protocol_Channel(p, dstIP, 0, srcIP, p->sp, GET_IPH_PROTO(p),
¶ms);
}
#endif
hash_node = sfxhash_find_node(fileHash, &hashKey);
if (hash_node)
{
if (!(node = hash_node->data))
sfxhash_free_node(fileHash, hash_node);
}
else
node = NULL;
if (node)
{
node->expires = now + timeout;
updateFileNode(node, verdict, file_type_id, signature);
}
else
{
DEBUG_WRAP(DebugMessage(DEBUG_FILE, "Adding file node\n"););
updateFileNode(&new_node, verdict, file_type_id, signature);
/*
* use the time that we keep files around
* since this info would effectively be invalid
* after that anyway because the file that
* caused this will be gone.
*/
new_node.expires = now + timeout;
/* Add it to the table */
if (sfxhash_add(fileHash, &hashKey, &new_node) != SFXHASH_OK)
{
/* Uh, shouldn't get here...
* There is already a node or couldn't alloc space
* for key. This means bigger problems, but fail
* gracefully.
*/
DEBUG_WRAP(DebugMessage(DEBUG_FILE,
"Failed to add file node to hash table\n"););