static int LogPortscanAlert(Packet *p, char *msg, uint32_t event_id, uint32_t event_ref, uint32_t gen_id, uint32_t sig_id) { char timebuf[TIMEBUF_SIZE]; snort_ip_p src_addr; snort_ip_p dst_addr; if(!p->iph_api) return -1; /* Do not log if being suppressed */ src_addr = GET_SRC_IP(p); dst_addr = GET_DST_IP(p); if( sfthreshold_test(gen_id, sig_id, src_addr, dst_addr, p->pkth->ts.tv_sec) ) { return 0; } ts_print((struct timeval *)&p->pkth->ts, timebuf); fprintf(g_logfile, "Time: %s\n", timebuf); if(event_id) fprintf(g_logfile, "event_id: %u\n", event_id); else fprintf(g_logfile, "event_ref: %u\n", event_ref); fprintf(g_logfile, "%s ", inet_ntoa(GET_SRC_ADDR(p))); fprintf(g_logfile, "-> %s %s\n", inet_ntoa(GET_DST_ADDR(p)), msg); fprintf(g_logfile, "%.*s\n", p->dsize, p->data); fflush(g_logfile); return 0; }
/*-------------------------------------------------------------------- * Function: LogIPHeader(TextLog* ) * * Purpose: Dump the IP header info to the given TextLog * * Arguments: log => TextLog to print to * * Returns: void function *-------------------------------------------------------------------- */ void LogIPHeader(TextLog* log, Packet * p) { if(!IPH_IS_VALID(p)) { TextLog_Print(log, "IP header truncated\n"); return; } if(p->frag_flag) { /* just print the straight IP header */ TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p))); TextLog_Puts(log, " -> "); TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); } else { if(GET_IPH_PROTO(p) != IPPROTO_TCP && GET_IPH_PROTO(p) != IPPROTO_UDP) { /* just print the straight IP header */ TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p))); TextLog_Puts(log, " -> "); TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); } else { if (!BcObfuscate()) { /* print the header complete with port information */ TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p))); TextLog_Print(log, ":%d -> ", p->sp); TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p))); TextLog_Print(log, ":%d", p->dp); } else { /* print the header complete with port information */ if(IS_IP4(p)) TextLog_Print(log, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp); else if(IS_IP6(p)) TextLog_Print(log, "x:x:x:x:x:x:x:x:%d -> x:x:x:x:x:x:x:x:%d", p->sp, p->dp); } } } if(!BcOutputDataLink()) { TextLog_NewLine(log); } else { TextLog_Putc(log, ' '); } TextLog_Print(log, "%s TTL:%u TOS:0x%X ID:%u IpLen:%u DgmLen:%u", protocol_names[GET_IPH_PROTO(p)], GET_IPH_TTL(p), GET_IPH_TOS(p), IS_IP6(p) ? ntohl(GET_IPH_ID(p)) : ntohs((uint16_t)GET_IPH_ID(p)), GET_IPH_HLEN(p) << 2, GET_IP_DGMLEN(p)); /* print the reserved bit if it's set */ if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x8000) >> 15) == 1) TextLog_Puts(log, " RB"); /* printf more frags/don't frag bits */ if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x4000) >> 14) == 1) TextLog_Puts(log, " DF"); if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x2000) >> 13) == 1) TextLog_Puts(log, " MF"); TextLog_NewLine(log); /* print IP options */ if(p->ip_option_count != 0) { LogIpOptions(log, p); } /* print fragment info if necessary */ if(p->frag_flag) { TextLog_Print(log, "Frag Offset: 0x%04X Frag Size: 0x%04X\n", (p->frag_offset & 0x1FFF), GET_IP_PAYLEN(p)); } }
static int event_to_source_target(Packet *p, idmef_alert_t *alert) { int ret; idmef_node_t *node; idmef_source_t *source; idmef_target_t *target; idmef_address_t *address; idmef_service_t *service; prelude_string_t *string; static char saddr[128], daddr[128]; if ( !p ) return 0; if ( ! IPH_IS_VALID(p) ) return 0; ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; if (barnyard2_conf->interface != NULL) { ret = idmef_source_new_interface(source, &string); if ( ret < 0 ) return ret; prelude_string_set_ref(string, PRINT_INTERFACE(barnyard2_conf->interface)); } ret = idmef_source_new_service(source, &service); if ( ret < 0 ) return ret; if ( p->tcph || p->udph ) idmef_service_set_port(service, p->sp); idmef_service_set_ip_version(service, GET_IPH_VER(p)); idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p)); ret = idmef_source_new_node(source, &node); if ( ret < 0 ) return ret; ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; ret = idmef_address_new_address(address, &string); if ( ret < 0 ) return ret; SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(GET_SRC_ADDR(p))); prelude_string_set_ref(string, saddr); ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; if (barnyard2_conf->interface != NULL) { ret = idmef_target_new_interface(target, &string); if ( ret < 0 ) return ret; prelude_string_set_ref(string, barnyard2_conf->interface); } ret = idmef_target_new_service(target, &service); if ( ! ret < 0 ) return ret; if ( p->tcph || p->udph ) idmef_service_set_port(service, p->dp); idmef_service_set_ip_version(service, GET_IPH_VER(p)); idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p)); ret = idmef_target_new_node(target, &node); if ( ret < 0 ) return ret; ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; ret = idmef_address_new_address(address, &string); if ( ret < 0 ) return ret; SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(GET_DST_ADDR(p))); prelude_string_set_ref(string, daddr); return 0; }
void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg) { OpSyslog_Data *syslogContext = NULL; Unified2EventCommon *iEvent = NULL; SigNode *sn = NULL; ClassType *cn = NULL; char sip[16] = {0}; char dip[16] = {0}; if( (p == NULL) || (event == NULL) || (arg == NULL)) { LogMessage("OpSyslog_Alert(): Invoked with Packet[0x%x] Event[0x%x] Event Type [%u] Context pointer[0x%x]\n", p, event, event_type, arg); return; } if(event_type != UNIFIED2_IDS_EVENT) { LogMessage("OpSyslog_Alert(): Is currently unable to handle Event Type [%u] \n", event_type); return; } syslogContext = (OpSyslog_Data *)arg; iEvent = event; memset(syslogContext->payload,'\0',(SYSLOG_MAX_QUERY_SIZE)); memset(syslogContext->formatBuffer,'\0',(SYSLOG_MAX_QUERY_SIZE)); syslogContext->payload_current_pos = 0; syslogContext->format_current_pos = 0; switch(syslogContext->operation_mode) { case 0: /* Ze Classic (Requested) */ if(IPH_IS_VALID(p)) { if (strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(sip)) >= sizeof(sip)) { FatalError("[%s()], strlcpy() error , bailing \n", __FUNCTION__); return; } if (strlcpy(dip, inet_ntoa(GET_DST_ADDR(p)), sizeof(dip)) >= sizeof(dip)) { FatalError("[%s()], strlcpy() error , bailing \n", __FUNCTION__); return; } } sn = GetSigByGidSid(ntohl(iEvent->generator_id), ntohl(iEvent->signature_id)); cn = ClassTypeLookupById(barnyard2_conf, ntohl(iEvent->classification_id)); if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE, "[%u:%u:%u] ", ntohl(iEvent->generator_id), ntohl(iEvent->signature_id), ntohl(iEvent->signature_revision))) >= SYSLOG_MAX_QUERY_SIZE) { /* XXX */ FatalError("[%s()], failed call to snprintf \n", __FUNCTION__); } if( OpSyslog_Concat(syslogContext)) { /* XXX */ FatalError("OpSyslog_Concat(): Failed \n"); } if(sn != NULL) { if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE, "%s ", sn->msg)) >= SYSLOG_MAX_QUERY_SIZE) { /* XXX */ FatalError("[%s()], failed call to snprintf \n", __FUNCTION__); } } else { if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE, "ALERT ")) >= SYSLOG_MAX_QUERY_SIZE) { /* XXX */ FatalError("[%s()], failed call to snprintf \n", __FUNCTION__); } } if( OpSyslog_Concat(syslogContext)) { /* XXX */ FatalError("OpSyslog_Concat(): Failed \n"); } if(cn != NULL) { if( cn->name ) { if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE, "[Classification: %s] [Priority: %d]:", cn->name, ntohl(((Unified2EventCommon *)event)->priority_id))) >= SYSLOG_MAX_QUERY_SIZE) { /* XXX */ FatalError("[%s()], failed call to snprintf \n", __FUNCTION__); } } } else if( ntohl(((Unified2EventCommon *)event)->priority_id) != 0 ) { if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE, "[Priority: %d]:", ntohl(((Unified2EventCommon *)event)->priority_id))) >= SYSLOG_MAX_QUERY_SIZE) { /* XXX */ FatalError("[%s()], failed call to snprintf \n", __FUNCTION__); } } if( OpSyslog_Concat(syslogContext)) { /* XXX */ FatalError("OpSyslog_Concat(): Failed \n"); } if( (IPH_IS_VALID(p)) && (((GET_IPH_PROTO(p) != IPPROTO_TCP && GET_IPH_PROTO(p) != IPPROTO_UDP && GET_IPH_PROTO(p) != IPPROTO_ICMP) || p->frag_flag))) { if(!BcAlertInterface()) { if(protocol_names[GET_IPH_PROTO(p)]) { if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE, " {%s} %s -> %s", protocol_names[GET_IPH_PROTO(p)], sip, dip)) >= SYSLOG_MAX_QUERY_SIZE) { /* XXX */ FatalError("[%s()], failed call to snprintf \n", __FUNCTION__); } } } else { if(protocol_names[GET_IPH_PROTO(p)]) { if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE, " <%s> {%s} %s -> %s", barnyard2_conf->interface, protocol_names[GET_IPH_PROTO(p)], sip, dip)) >= SYSLOG_MAX_QUERY_SIZE) { /* XXX */ FatalError("[%s()], failed call to snprintf \n", __FUNCTION__); } } } } else { if(BcAlertInterface()) { if(protocol_names[GET_IPH_PROTO(p)]) { if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE, " <%s> {%s} %s:%i -> %s:%i", barnyard2_conf->interface, protocol_names[GET_IPH_PROTO(p)], sip, p->sp, dip, p->dp)) >= SYSLOG_MAX_QUERY_SIZE) { /* XXX */ FatalError("[%s()], failed call to snprintf \n", __FUNCTION__); } } } else { if(protocol_names[GET_IPH_PROTO(p)]) { if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE, " {%s} %s:%i -> %s:%i", protocol_names[GET_IPH_PROTO(p)], sip, p->sp, dip, p->dp)) >= SYSLOG_MAX_QUERY_SIZE) { /* XXX */ FatalError("[%s()], failed call to snprintf \n", __FUNCTION__); } } } } if( OpSyslog_Concat(syslogContext)) { /* XXX */ FatalError("OpSyslog_Concat(): Failed \n"); } break; case 1: /* Ze verbose */ if(Syslog_FormatTrigger(syslogContext, iEvent,0) ) { LogMessage("WARNING: Unable to append Trigger header.\n"); return; } /* Support for portscan ip */ if(p->iph) { if(Syslog_FormatIPHeaderAlert(syslogContext, p) ) { LogMessage("WARNING: Unable to append Trigger header.\n"); return; } } if(p->iph) { /* build the protocol specific header information */ switch(p->iph->ip_proto) { case IPPROTO_TCP: Syslog_FormatTCPHeaderAlert(syslogContext, p); break; case IPPROTO_UDP: Syslog_FormatUDPHeaderAlert(syslogContext, p); break; case IPPROTO_ICMP: Syslog_FormatICMPHeaderAlert(syslogContext, p); break; } } /* CHECKME: -elz will update formating later on .. */ if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE, "\n")) >= SYSLOG_MAX_QUERY_SIZE) { /* XXX */ FatalError("Couldn't finalize payload string ....\n"); } if( OpSyslog_Concat(syslogContext)) { /* XXX */ FatalError("OpSyslog_Concat(): Failed \n"); } break; default: FatalError("[%s()]: Unknown operation_mode ... bailing \n", __FUNCTION__); break; } if(NetSend(syslogContext)) { NetClose(syslogContext); if(syslogContext->local_logging != 1) { FatalError("NetSend(): call failed for host:port '%s:%u' bailing...\n", syslogContext->server, syslogContext->port); } } return; }