static int LogPortscanAlert(Packet *p, char *msg, uint32_t event_id,
uint32_t event_ref, uint32_t gen_id, uint32_t sig_id)
{
char timebuf[TIMEBUF_SIZE];
snort_ip_p src_addr;
snort_ip_p dst_addr;
if(!p->iph_api)
return -1;
/* Do not log if being suppressed */
src_addr = GET_SRC_IP(p);
dst_addr = GET_DST_IP(p);
if( sfthreshold_test(gen_id, sig_id, src_addr, dst_addr, p->pkth->ts.tv_sec) )
{
return 0;
}
ts_print((struct timeval *)&p->pkth->ts, timebuf);
fprintf(g_logfile, "Time: %s\n", timebuf);
if(event_id)
fprintf(g_logfile, "event_id: %u\n", event_id);
else
fprintf(g_logfile, "event_ref: %u\n", event_ref);
fprintf(g_logfile, "%s ", inet_ntoa(GET_SRC_ADDR(p)));
fprintf(g_logfile, "-> %s %s\n", inet_ntoa(GET_DST_ADDR(p)), msg);
fprintf(g_logfile, "%.*s\n", p->dsize, p->data);
fflush(g_logfile);
return 0;
}
/*--------------------------------------------------------------------
* Function: LogIPHeader(TextLog* )
*
* Purpose: Dump the IP header info to the given TextLog
*
* Arguments: log => TextLog to print to
*
* Returns: void function
*--------------------------------------------------------------------
*/
void LogIPHeader(TextLog* log, Packet * p)
{
if(!IPH_IS_VALID(p))
{
TextLog_Print(log, "IP header truncated\n");
return;
}
if(p->frag_flag)
{
/* just print the straight IP header */
TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p)));
TextLog_Puts(log, " -> ");
TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p)));
}
else
{
if(GET_IPH_PROTO(p) != IPPROTO_TCP && GET_IPH_PROTO(p) != IPPROTO_UDP)
{
/* just print the straight IP header */
TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p)));
TextLog_Puts(log, " -> ");
TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p)));
}
else
{
if (!BcObfuscate())
{
/* print the header complete with port information */
TextLog_Puts(log, inet_ntoa(GET_SRC_ADDR(p)));
TextLog_Print(log, ":%d -> ", p->sp);
TextLog_Puts(log, inet_ntoa(GET_DST_ADDR(p)));
TextLog_Print(log, ":%d", p->dp);
}
else
{
/* print the header complete with port information */
if(IS_IP4(p))
TextLog_Print(log, "xxx.xxx.xxx.xxx:%d -> xxx.xxx.xxx.xxx:%d", p->sp, p->dp);
else if(IS_IP6(p))
TextLog_Print(log, "x:x:x:x:x:x:x:x:%d -> x:x:x:x:x:x:x:x:%d", p->sp, p->dp);
}
}
}
if(!BcOutputDataLink())
{
TextLog_NewLine(log);
}
else
{
TextLog_Putc(log, ' ');
}
TextLog_Print(log, "%s TTL:%u TOS:0x%X ID:%u IpLen:%u DgmLen:%u",
protocol_names[GET_IPH_PROTO(p)],
GET_IPH_TTL(p),
GET_IPH_TOS(p),
IS_IP6(p) ? ntohl(GET_IPH_ID(p)) : ntohs((uint16_t)GET_IPH_ID(p)),
GET_IPH_HLEN(p) << 2,
GET_IP_DGMLEN(p));
/* print the reserved bit if it's set */
if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x8000) >> 15) == 1)
TextLog_Puts(log, " RB");
/* printf more frags/don't frag bits */
if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x4000) >> 14) == 1)
TextLog_Puts(log, " DF");
if((uint8_t)((ntohs(GET_IPH_OFF(p)) & 0x2000) >> 13) == 1)
TextLog_Puts(log, " MF");
TextLog_NewLine(log);
/* print IP options */
if(p->ip_option_count != 0)
{
LogIpOptions(log, p);
}
/* print fragment info if necessary */
if(p->frag_flag)
{
TextLog_Print(log, "Frag Offset: 0x%04X Frag Size: 0x%04X\n",
(p->frag_offset & 0x1FFF),
GET_IP_PAYLEN(p));
}
}
static int event_to_source_target(Packet *p, idmef_alert_t *alert)
{
int ret;
idmef_node_t *node;
idmef_source_t *source;
idmef_target_t *target;
idmef_address_t *address;
idmef_service_t *service;
prelude_string_t *string;
static char saddr[128], daddr[128];
if ( !p )
return 0;
if ( ! IPH_IS_VALID(p) )
return 0;
ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
if (barnyard2_conf->interface != NULL) {
ret = idmef_source_new_interface(source, &string);
if ( ret < 0 )
return ret;
prelude_string_set_ref(string, PRINT_INTERFACE(barnyard2_conf->interface));
}
ret = idmef_source_new_service(source, &service);
if ( ret < 0 )
return ret;
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->sp);
idmef_service_set_ip_version(service, GET_IPH_VER(p));
idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));
ret = idmef_source_new_node(source, &node);
if ( ret < 0 )
return ret;
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
return ret;
SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(GET_SRC_ADDR(p)));
prelude_string_set_ref(string, saddr);
ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
if (barnyard2_conf->interface != NULL) {
ret = idmef_target_new_interface(target, &string);
if ( ret < 0 )
return ret;
prelude_string_set_ref(string, barnyard2_conf->interface);
}
ret = idmef_target_new_service(target, &service);
if ( ! ret < 0 )
return ret;
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->dp);
idmef_service_set_ip_version(service, GET_IPH_VER(p));
idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));
ret = idmef_target_new_node(target, &node);
if ( ret < 0 )
return ret;
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
return ret;
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
return ret;
SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(GET_DST_ADDR(p)));
prelude_string_set_ref(string, daddr);
return 0;
}
void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
{
OpSyslog_Data *syslogContext = NULL;
Unified2EventCommon *iEvent = NULL;
SigNode *sn = NULL;
ClassType *cn = NULL;
char sip[16] = {0};
char dip[16] = {0};
if( (p == NULL) ||
(event == NULL) ||
(arg == NULL))
{
LogMessage("OpSyslog_Alert(): Invoked with Packet[0x%x] Event[0x%x] Event Type [%u] Context pointer[0x%x]\n",
p,
event,
event_type,
arg);
return;
}
if(event_type != UNIFIED2_IDS_EVENT)
{
LogMessage("OpSyslog_Alert(): Is currently unable to handle Event Type [%u] \n",
event_type);
return;
}
syslogContext = (OpSyslog_Data *)arg;
iEvent = event;
memset(syslogContext->payload,'\0',(SYSLOG_MAX_QUERY_SIZE));
memset(syslogContext->formatBuffer,'\0',(SYSLOG_MAX_QUERY_SIZE));
syslogContext->payload_current_pos = 0;
syslogContext->format_current_pos = 0;
switch(syslogContext->operation_mode)
{
case 0: /* Ze Classic (Requested) */
if(IPH_IS_VALID(p))
{
if (strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(sip)) >= sizeof(sip))
{
FatalError("[%s()], strlcpy() error , bailing \n",
__FUNCTION__);
return;
}
if (strlcpy(dip, inet_ntoa(GET_DST_ADDR(p)), sizeof(dip)) >= sizeof(dip))
{
FatalError("[%s()], strlcpy() error , bailing \n",
__FUNCTION__);
return;
}
}
sn = GetSigByGidSid(ntohl(iEvent->generator_id),
ntohl(iEvent->signature_id));
cn = ClassTypeLookupById(barnyard2_conf,
ntohl(iEvent->classification_id));
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"[%u:%u:%u] ",
ntohl(iEvent->generator_id),
ntohl(iEvent->signature_id),
ntohl(iEvent->signature_revision))) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
if(sn != NULL)
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"%s ",
sn->msg)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
else
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"ALERT ")) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
if(cn != NULL)
{
if( cn->name )
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"[Classification: %s] [Priority: %d]:",
cn->name,
ntohl(((Unified2EventCommon *)event)->priority_id))) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
else if( ntohl(((Unified2EventCommon *)event)->priority_id) != 0 )
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"[Priority: %d]:",
ntohl(((Unified2EventCommon *)event)->priority_id))) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
if( (IPH_IS_VALID(p)) &&
(((GET_IPH_PROTO(p) != IPPROTO_TCP &&
GET_IPH_PROTO(p) != IPPROTO_UDP &&
GET_IPH_PROTO(p) != IPPROTO_ICMP) ||
p->frag_flag)))
{
if(!BcAlertInterface())
{
if(protocol_names[GET_IPH_PROTO(p)])
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
" {%s} %s -> %s",
protocol_names[GET_IPH_PROTO(p)],
sip, dip)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
else
{
if(protocol_names[GET_IPH_PROTO(p)])
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
" <%s> {%s} %s -> %s",
barnyard2_conf->interface,
protocol_names[GET_IPH_PROTO(p)],
sip, dip)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
}
else
{
if(BcAlertInterface())
{
if(protocol_names[GET_IPH_PROTO(p)])
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
" <%s> {%s} %s:%i -> %s:%i",
barnyard2_conf->interface,
protocol_names[GET_IPH_PROTO(p)], sip,
p->sp, dip, p->dp)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
else
{
if(protocol_names[GET_IPH_PROTO(p)])
{
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
" {%s} %s:%i -> %s:%i",
protocol_names[GET_IPH_PROTO(p)], sip, p->sp,
dip, p->dp)) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("[%s()], failed call to snprintf \n",
__FUNCTION__);
}
}
}
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
break;
case 1: /* Ze verbose */
if(Syslog_FormatTrigger(syslogContext, iEvent,0) )
{
LogMessage("WARNING: Unable to append Trigger header.\n");
return;
}
/* Support for portscan ip */
if(p->iph)
{
if(Syslog_FormatIPHeaderAlert(syslogContext, p) )
{
LogMessage("WARNING: Unable to append Trigger header.\n");
return;
}
}
if(p->iph)
{
/* build the protocol specific header information */
switch(p->iph->ip_proto)
{
case IPPROTO_TCP:
Syslog_FormatTCPHeaderAlert(syslogContext, p);
break;
case IPPROTO_UDP:
Syslog_FormatUDPHeaderAlert(syslogContext, p);
break;
case IPPROTO_ICMP:
Syslog_FormatICMPHeaderAlert(syslogContext, p);
break;
}
}
/* CHECKME: -elz will update formating later on .. */
if( (syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer,SYSLOG_MAX_QUERY_SIZE,
"\n")) >= SYSLOG_MAX_QUERY_SIZE)
{
/* XXX */
FatalError("Couldn't finalize payload string ....\n");
}
if( OpSyslog_Concat(syslogContext))
{
/* XXX */
FatalError("OpSyslog_Concat(): Failed \n");
}
break;
default:
FatalError("[%s()]: Unknown operation_mode ... bailing \n",
__FUNCTION__);
break;
}
if(NetSend(syslogContext))
{
NetClose(syslogContext);
if(syslogContext->local_logging != 1)
{
FatalError("NetSend(): call failed for host:port '%s:%u' bailing...\n", syslogContext->server, syslogContext->port);
}
}
return;
}
