static int DecideHighEntropyFlow(FlowRecord * flow_record) { int i = 0; int j = 0; int SEQSys = 0; int SkipPacket = 0; int repeat_packet = 0; int TotalPktNumber = 0; int TotalEncrypt = 0; int TotalNonEncrypt = 0; int SequentEncrypt = 0; int EncryptPktAfterSeq = 0; int NonEncryptPktAfterSeq = 0; int TotalZeroPayload = 0; int ZeroPayloadAfterSeq = 0; //printf("DecideHighEntropyFlow\n"); if(flow_record->have_payload != 1) { return 0; } //the flow record has been labeled if(flow_record->labeled != -1) { return 0; } for(i=0; i < flow_record->packet_count; i++) { if(i >= PktsLimit) { break; } repeat_packet = 0; TotalPktNumber++; /*check whether packet has high entropy*/ if(flow_record->pkt_entropy[i] == 1) { TotalEncrypt++; SequentEncrypt++; /*the first encrypted packet*/ if(SequentEncrypt == 1) { EncryptPktAfterSeq++; ZeroPayloadAfterSeq = 0; } else if(SequentEncrypt < SEQ_HIGH_ENTROPY) { EncryptPktAfterSeq++; } else if(SequentEncrypt == SEQ_HIGH_ENTROPY) { /*set the flow as have N sequential high entropy packets*/ SEQSys = 1; SkipPacket = TotalPktNumber - SEQ_HIGH_ENTROPY - ZeroPayloadAfterSeq; EncryptPktAfterSeq = SequentEncrypt; } else if(SequentEncrypt > SEQ_HIGH_ENTROPY) { EncryptPktAfterSeq++; } } /*the packet has low entropy*/ else if( flow_record->pkt_entropy[i] == -1 ) { TotalNonEncrypt++; /*the flow doesn't have N sequential high entropy packets*/ if(SequentEncrypt < SEQ_HIGH_ENTROPY) { EncryptPktAfterSeq = 0; NonEncryptPktAfterSeq = 0; ZeroPayloadAfterSeq = 0; SequentEncrypt = 0; } /*the flow has N sequential high entropy packets*/ else if(SequentEncrypt >= SEQ_HIGH_ENTROPY) { NonEncryptPktAfterSeq++; } } else if(flow_record->pkt_entropy[i] == 0) { TotalZeroPayload++; ZeroPayloadAfterSeq++; } } if((SEQSys == 1) && ( EncryptPktAfterSeq * 100 > ( EncryptPktAfterSeq + NonEncryptPktAfterSeq) * HEPercent)) { flow_record->labeled = 1; OptTreeNode * otn = OtnLookup(snort_conf->otn_map, GENERATOR_SPP_ENTROPY, HE_TRAFFIC_DETECT); char log_timestamp[TIMEBUF_SIZE]; struct timeval log_timeval; char proto[16]; log_timeval.tv_sec = flow_record->first_sec; log_timeval.tv_usec = flow_record->first_usec; ts_print(&log_timeval, log_timestamp); if(flow_record->proto == 6) { strcpy(proto, "TCP"); } else if(flow_record->proto == 17) { strcpy(proto, "UDP"); } fprintf(LOG_FILE_DESCRIPTOR, "\n[**] [%d:%d:%d] %s [**]\n[Classification: %s] [Priority: %d]\n %s %s %s:%d <-> %s:%d\n", otn->sigInfo.generator, otn->sigInfo.id, otn->sigInfo.rev, otn->sigInfo.message, otn->sigInfo.classType->name, otn->sigInfo.priority, log_timestamp, proto, flow_record->src_ip, flow_record->src_port, flow_record->dst_ip, flow_record->dst_port); TotalEncryptFlows++; return 1; } else { flow_record->labeled = 0; TotalNonEncryptFlows++; return -1; } return 0; }
/* * Changed so events are inserted in action config order 'drop alert ...', * and sub sorted in each action group by priority or content length. * The sub sorting is done in fpFinalSelect inf fpdetect.c. Once the * events are inserted they can all be logged, as we only insert * g_event_queue.log_events into the queue. * ... Jan '06 */ int SnortEventqAdd(unsigned int gid, unsigned int sid, unsigned int rev, unsigned int classification, unsigned int pri, char *msg, void *rule_info) { EventNode *en; en = (EventNode *)sfeventq_event_alloc(snort_conf->event_queue); if(!en) return -1; en->gid = gid; en->sid = sid; en->rev = rev; en->classification = classification; en->priority = pri; en->msg = msg; en->rule_info = rule_info; /* * Check if we have a preprocessor or decoder event * Preprocessors and decoders may be configured to inspect * and alert in their principle configuration (legacy code) * this test than checks if the rule otn says they should * be enabled or not. The rule itself will decide if it should * be an alert or a drop (sdrop) condition. */ #ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS { struct _OptTreeNode * potn; /* every event should have a rule/otn */ potn = OtnLookup(snort_conf->otn_map, gid, sid); /* * if no rule otn exists for this event, than it was * not enabled via rules */ if (potn == NULL) { if (ScAutoGenPreprocDecoderOtns()) { /* Generate an OTN if configured to do so.... */ potn = GenerateSnortEventOtn(en->gid, en->sid, en->rev, en->classification, en->priority, en->msg); if (potn != NULL) OtnLookupAdd(snort_conf->otn_map, potn); } } if (potn == NULL) { /* no otn found/created - do not add it to the queue */ return 0; } } #endif if (sfeventq_add(snort_conf->event_queue, (void *)en)) { return -1; } return 0; }
void ppm_pkt_log(ppm_cfg_t *ppm_cfg, Packet* p) { int filterEvent = 0; if (!ppm_cfg->max_pkt_ticks) return; ppm_cfg->pkt_event_cnt++; if (ppm_cfg->pkt_log & PPM_LOG_ALERT) { OptTreeNode* potn; Event ev; /* make sure we have an otn already in our table for this event */ potn = OtnLookup(snort_conf->otn_map, GENERATOR_PPM, PPM_EVENT_PACKET_ABORTED); if (potn == NULL) { /* have to make one */ potn = GenerateSnortEventOtn(GENERATOR_PPM, /* GID */ PPM_EVENT_PACKET_ABORTED, /* SID */ 1, /* Rev */ 0, /* classification */ 3, /* priority (low) */ PPM_EVENT_PACKET_ABORTED_STR /* msg string */); if (potn == NULL) return; OtnLookupAdd(snort_conf->otn_map, potn); } SetEvent(&ev, potn->sigInfo.generator, /* GID */ potn->sigInfo.id, /* SID */ potn->sigInfo.rev, /* Rev */ potn->sigInfo.class_id, /* classification */ potn->sigInfo.priority, /* priority (low) */ #if !defined(FEAT_OPEN_APPID) 0); #else /* defined(FEAT_OPEN_APPID) */ 0, NULL); #endif /* defined(FEAT_OPEN_APPID) */ if ( IPH_IS_VALID(p) ) { filterEvent = sfthreshold_test( potn->event_data.sig_generator, potn->event_data.sig_id, GET_SRC_IP(p), GET_DST_IP(p), p->pkth->ts.tv_sec); } else { snort_ip cleared; IP_CLEAR(cleared); filterEvent = sfthreshold_test( potn->event_data.sig_generator, potn->event_data.sig_id, IP_ARG(cleared), IP_ARG(cleared), p->pkth->ts.tv_sec); } if(filterEvent < 0) filterEvent = 0; else AlertAction(p, potn, &ev); }
static int LogSnortEvents(void *event, void *user) { Packet *p; EventNode *en; OTNX *otnx; struct _OptTreeNode * potn; SNORT_EVENTQ_USER *snort_user; if(!event || !user) return 0; en = (EventNode *)event; snort_user = (SNORT_EVENTQ_USER *)user; p = (Packet *)snort_user->pkt; /* ** Log rule events differently because we have to. */ if(en->rule_info) { otnx = (OTNX *)en->rule_info; if(!otnx->otn || !getRuntimeRtnFromOtn(otnx->otn)) return 0; snort_user->rule_alert = otnx->otn->sigInfo.rule_flushing; fpLogEvent(getRuntimeRtnFromOtn(otnx->otn), otnx->otn, p); } else { /* Look up possible decoder and preprocessor event otn */ potn = OtnLookup(snort_conf->otn_map, en->gid, en->sid); if (potn == NULL) { #ifdef PREPROCESSOR_AND_DECODER_RULE_EVENTS if (ScAutoGenPreprocDecoderOtns()) { /* Generate an OTN if configured to do so.... */ potn = GenerateSnortEventOtn(en->gid, en->sid, en->rev, en->classification, en->priority, en->msg); } #else /* Always generate an OTN.... */ potn = GenerateSnortEventOtn(en->gid, en->sid, en->rev, en->classification, en->priority, en->msg); #endif if (potn != NULL) { OtnLookupAdd(snort_conf->otn_map, potn); } } if( potn ) { char *tmp = potn->sigInfo.message; snort_user->rule_alert = potn->sigInfo.rule_flushing; potn->sigInfo.message = en->msg; fpLogEvent( getRuntimeRtnFromOtn(potn), potn, p ); potn->sigInfo.message = tmp; } } sfthreshold_reset(); return 0; }