void IpAddrSetPrint(char *prefix, IpAddrSet *ipAddrSet)
{
struct in_addr in;
int ret;
while(ipAddrSet)
{
buffer[0] = '\0';
if(ipAddrSet->addr_flags & EXCEPT_IP)
{
ret = SnortSnprintfAppend(&buffer[0], sizeof(buffer), "NOT ");
if (ret != SNORT_SNPRINTF_SUCCESS)
return;
}
in.s_addr = ipAddrSet->ip_addr;
ret = SnortSnprintfAppend(&buffer[0], sizeof(buffer), "%s/", inet_ntoa(in));
if (ret != SNORT_SNPRINTF_SUCCESS)
return;
in.s_addr = ipAddrSet->netmask;
ret = SnortSnprintfAppend(&buffer[0], sizeof(buffer), "%s", inet_ntoa(in));
if (ret != SNORT_SNPRINTF_SUCCESS)
return;
if (prefix)
LogMessage("%s%s\n", prefix, buffer);
else
LogMessage("%s%s\n", buffer);
ipAddrSet = ipAddrSet->next;
}
}
void IpAddrSetPrint(char *prefix, IpAddrSet *ipAddrSet)
{
IpAddrNode *iplist, *neglist;
struct in_addr in;
int ret;
if(!ipAddrSet) return;
iplist = ipAddrSet->iplist;
neglist = ipAddrSet->neg_iplist;
while(iplist)
{
buffer[0] = '\0';
in.s_addr = iplist->ip_addr;
ret = SnortSnprintfAppend(buffer, sizeof(buffer), "%s/", inet_ntoa(in));
if (ret != SNORT_SNPRINTF_SUCCESS)
return;
in.s_addr = iplist->netmask;
ret = SnortSnprintfAppend(buffer, sizeof(buffer), "%s", inet_ntoa(in));
if (ret != SNORT_SNPRINTF_SUCCESS)
return;
if (prefix)
LogMessage("%s%s\n", prefix, buffer);
else
LogMessage("%s\n", buffer);
iplist = iplist->next;
}
while(neglist)
{
buffer[0] = '\0';
in.s_addr = neglist->ip_addr;
ret = SnortSnprintfAppend(buffer, sizeof(buffer), "NOT %s/", inet_ntoa(in));
if (ret != SNORT_SNPRINTF_SUCCESS)
return;
in.s_addr = neglist->netmask;
ret = SnortSnprintfAppend(buffer, sizeof(buffer), "%s", inet_ntoa(in));
if (ret != SNORT_SNPRINTF_SUCCESS)
return;
if (prefix)
LogMessage("%s%s\n", prefix, buffer);
else
LogMessage("%s\n", buffer);
neglist = neglist->next;
}
}
/**print the ignored rule list.
*/
static void printIgnoredRules(
IgnoredRuleList *pIgnoredRuleList,
int any_any_flow
)
{
char six_sids = 0;
int sids_ignored = 0;
char buf[STD_BUF];
IgnoredRuleList *ignored_rule;
IgnoredRuleList *next_ignored_rule;
buf[0] = '\0';
for (ignored_rule = pIgnoredRuleList; ignored_rule != NULL; )
{
if (any_any_flow == 0)
{
if (six_sids == 1)
{
SnortSnprintfAppend(buf, STD_BUF-1, "\n");
LogMessage("%s", buf);
six_sids = 0;
}
if (sids_ignored == 0)
{
SnortSnprintf(buf, STD_BUF-1, " %d:%d",
ignored_rule->otn->sigInfo.generator,
ignored_rule->otn->sigInfo.id);
}
else
{
SnortSnprintfAppend(buf, STD_BUF-1, ", %d:%d",
ignored_rule->otn->sigInfo.generator,
ignored_rule->otn->sigInfo.id);
}
sids_ignored++;
if (sids_ignored %6 == 0)
{
/* Have it print next time through */
six_sids = 1;
sids_ignored = 0;
}
}
next_ignored_rule = ignored_rule->next;
free(ignored_rule);
ignored_rule = next_ignored_rule;
}
if (sids_ignored || six_sids)
{
SnortSnprintfAppend(buf, STD_BUF-1, "\n");
LogMessage("%s", buf);
}
}
/**
** This routine makes the portscan payload for the events. The listed
** info is:
** - priority count (number of error transmissions RST/ICMP UNREACH)
** - connection count (number of protocol connections SYN)
** - ip count (number of IPs that communicated with host)
** - ip range (low to high range of IPs)
** - port count (number of port changes that occurred on host)
** - port range (low to high range of ports connected too)
**
** @return integer
**
** @retval -1 buffer not large enough
** @retval 0 successful
*/
static int MakeProtoInfo(PS_PROTO *proto, u_char *buffer, u_int *total_size)
{
int dsize;
sfip_t *ip1, *ip2;
if(!total_size || !buffer)
return -1;
dsize = (g_tmp_pkt->max_dsize - *total_size);
if(dsize < PROTO_BUFFER_SIZE)
return -1;
ip1 = &proto->low_ip;
ip2 = &proto->high_ip;
if(proto->alerts == PS_ALERT_PORTSWEEP ||
proto->alerts == PS_ALERT_PORTSWEEP_FILTERED)
{
SnortSnprintf((char *)buffer, PROTO_BUFFER_SIZE,
"Priority Count: %d\n"
"Connection Count: %d\n"
"IP Count: %d\n"
"Scanned IP Range: %s:",
proto->priority_count,
proto->connection_count,
proto->u_ip_count,
inet_ntoa(ip1));
/* Now print the high ip into the buffer. This saves us
* from having to copy the results of inet_ntoa (which is
* a static buffer) to avoid the reuse of that buffer when
* more than one use of inet_ntoa is within the same printf.
*/
SnortSnprintfAppend((char *)buffer, PROTO_BUFFER_SIZE,
"%s\n"
"Port/Proto Count: %d\n"
"Port/Proto Range: %d:%d\n",
inet_ntoa(ip2),
proto->u_port_count,
proto->low_p,
proto->high_p);
}
else
{
SnortSnprintf((char *)buffer, PROTO_BUFFER_SIZE,
"Priority Count: %d\n"
"Connection Count: %d\n"
"IP Count: %d\n"
"Scanner IP Range: %s:",
proto->priority_count,
proto->connection_count,
proto->u_ip_count,
inet_ntoa(ip1)
);
/* Now print the high ip into the buffer. This saves us
* from having to copy the results of inet_ntoa (which is
* a static buffer) to avoid the reuse of that buffer when
* more than one use of inet_ntoa is within the same printf.
*/
SnortSnprintfAppend((char *)buffer, PROTO_BUFFER_SIZE,
"%s\n"
"Port/Proto Count: %d\n"
"Port/Proto Range: %d:%d\n",
inet_ntoa(ip2),
proto->u_port_count,
proto->low_p,
proto->high_p);
}
dsize = SnortStrnlen((const char *)buffer, PROTO_BUFFER_SIZE);
*total_size += dsize;
/*
** Set the payload size. This is protocol independent.
*/
g_tmp_pkt->dsize = dsize;
return 0;
}
// prnMode = 0: init output format
// prnMode = 1: term output format (with header and count of filtered events)
// prnMode = 2: term output format (count only)
static int print_thd_node( THD_NODE *p , PrintFormat type, unsigned* prnMode )
{
char buf[STD_BUF+1];
memset(buf, 0, STD_BUF+1);
switch( type )
{
case PRINT_GLOBAL:
if(p->type == THD_TYPE_SUPPRESS ) return 0;
if(p->sig_id != 0 ) return 0;
break;
case PRINT_LOCAL:
if(p->type == THD_TYPE_SUPPRESS ) return 0;
if(p->sig_id == 0 || p->gen_id == 0 ) return 0;
break;
case PRINT_SUPPRESS:
if(p->type != THD_TYPE_SUPPRESS ) return 0;
break;
}
/* SnortSnprintfAppend(buf, STD_BUF, "| thd-id=%d", p->thd_id ); */
if ( *prnMode && !p->filtered )
return 1;
if( p->gen_id == 0 )
{
SnortSnprintfAppend(buf, STD_BUF, "| gen-id=global");
}
else
{
SnortSnprintfAppend(buf, STD_BUF, "| gen-id=%-6d", p->gen_id );
}
if( p->sig_id == 0 )
{
SnortSnprintfAppend(buf, STD_BUF, " sig-id=global" );
}
else
{
SnortSnprintfAppend(buf, STD_BUF, " sig-id=%-10d", p->sig_id );
}
switch ( p->type )
{
case THD_TYPE_LIMIT:
SnortSnprintfAppend(buf, STD_BUF, " type=Limit ");
break;
case THD_TYPE_THRESHOLD:
SnortSnprintfAppend(buf, STD_BUF, " type=Threshold");
break;
case THD_TYPE_BOTH:
SnortSnprintfAppend(buf, STD_BUF, " type=Both ");
break;
case THD_TYPE_SUPPRESS:
if ( *prnMode )
SnortSnprintfAppend(buf, STD_BUF, " type=Suppress ");
break;
}
switch ( p->tracking )
{
case THD_TRK_NONE:
SnortSnprintfAppend(buf, STD_BUF, " tracking=none");
break;
case THD_TRK_SRC:
SnortSnprintfAppend(buf, STD_BUF, " tracking=src");
break;
case THD_TRK_DST:
SnortSnprintfAppend(buf, STD_BUF, " tracking=dst");
break;
}
if( p->type == THD_TYPE_SUPPRESS )
{
if ( p->tracking != THD_TRK_NONE )
{
// TBD output suppress node ip addr set
SnortSnprintfAppend(buf, STD_BUF, "-ip=%-16s", "<list>");
}
}
else
{
SnortSnprintfAppend(buf, STD_BUF, " count=%-3d", p->count);
SnortSnprintfAppend(buf, STD_BUF, " seconds=%-3d", p->seconds);
}
if ( *prnMode )
{
if ( *prnMode == 1 )
{
LogMessage("+-----------------------[filtered events]--------------------------------------\n");
*prnMode = 2;
}
SnortSnprintfAppend(buf, STD_BUF, " filtered=" STDu64, p->filtered);
}
LogMessage("%s\n", buf);
return 1;
}
