void IpAddrSetPrint(char *prefix, IpAddrSet *ipAddrSet) { struct in_addr in; int ret; while(ipAddrSet) { buffer[0] = '\0'; if(ipAddrSet->addr_flags & EXCEPT_IP) { ret = SnortSnprintfAppend(&buffer[0], sizeof(buffer), "NOT "); if (ret != SNORT_SNPRINTF_SUCCESS) return; } in.s_addr = ipAddrSet->ip_addr; ret = SnortSnprintfAppend(&buffer[0], sizeof(buffer), "%s/", inet_ntoa(in)); if (ret != SNORT_SNPRINTF_SUCCESS) return; in.s_addr = ipAddrSet->netmask; ret = SnortSnprintfAppend(&buffer[0], sizeof(buffer), "%s", inet_ntoa(in)); if (ret != SNORT_SNPRINTF_SUCCESS) return; if (prefix) LogMessage("%s%s\n", prefix, buffer); else LogMessage("%s%s\n", buffer); ipAddrSet = ipAddrSet->next; } }
void IpAddrSetPrint(char *prefix, IpAddrSet *ipAddrSet) { IpAddrNode *iplist, *neglist; struct in_addr in; int ret; if(!ipAddrSet) return; iplist = ipAddrSet->iplist; neglist = ipAddrSet->neg_iplist; while(iplist) { buffer[0] = '\0'; in.s_addr = iplist->ip_addr; ret = SnortSnprintfAppend(buffer, sizeof(buffer), "%s/", inet_ntoa(in)); if (ret != SNORT_SNPRINTF_SUCCESS) return; in.s_addr = iplist->netmask; ret = SnortSnprintfAppend(buffer, sizeof(buffer), "%s", inet_ntoa(in)); if (ret != SNORT_SNPRINTF_SUCCESS) return; if (prefix) LogMessage("%s%s\n", prefix, buffer); else LogMessage("%s\n", buffer); iplist = iplist->next; } while(neglist) { buffer[0] = '\0'; in.s_addr = neglist->ip_addr; ret = SnortSnprintfAppend(buffer, sizeof(buffer), "NOT %s/", inet_ntoa(in)); if (ret != SNORT_SNPRINTF_SUCCESS) return; in.s_addr = neglist->netmask; ret = SnortSnprintfAppend(buffer, sizeof(buffer), "%s", inet_ntoa(in)); if (ret != SNORT_SNPRINTF_SUCCESS) return; if (prefix) LogMessage("%s%s\n", prefix, buffer); else LogMessage("%s\n", buffer); neglist = neglist->next; } }
/**print the ignored rule list. */ static void printIgnoredRules( IgnoredRuleList *pIgnoredRuleList, int any_any_flow ) { char six_sids = 0; int sids_ignored = 0; char buf[STD_BUF]; IgnoredRuleList *ignored_rule; IgnoredRuleList *next_ignored_rule; buf[0] = '\0'; for (ignored_rule = pIgnoredRuleList; ignored_rule != NULL; ) { if (any_any_flow == 0) { if (six_sids == 1) { SnortSnprintfAppend(buf, STD_BUF-1, "\n"); LogMessage("%s", buf); six_sids = 0; } if (sids_ignored == 0) { SnortSnprintf(buf, STD_BUF-1, " %d:%d", ignored_rule->otn->sigInfo.generator, ignored_rule->otn->sigInfo.id); } else { SnortSnprintfAppend(buf, STD_BUF-1, ", %d:%d", ignored_rule->otn->sigInfo.generator, ignored_rule->otn->sigInfo.id); } sids_ignored++; if (sids_ignored %6 == 0) { /* Have it print next time through */ six_sids = 1; sids_ignored = 0; } } next_ignored_rule = ignored_rule->next; free(ignored_rule); ignored_rule = next_ignored_rule; } if (sids_ignored || six_sids) { SnortSnprintfAppend(buf, STD_BUF-1, "\n"); LogMessage("%s", buf); } }
/** ** This routine makes the portscan payload for the events. The listed ** info is: ** - priority count (number of error transmissions RST/ICMP UNREACH) ** - connection count (number of protocol connections SYN) ** - ip count (number of IPs that communicated with host) ** - ip range (low to high range of IPs) ** - port count (number of port changes that occurred on host) ** - port range (low to high range of ports connected too) ** ** @return integer ** ** @retval -1 buffer not large enough ** @retval 0 successful */ static int MakeProtoInfo(PS_PROTO *proto, u_char *buffer, u_int *total_size) { int dsize; sfip_t *ip1, *ip2; if(!total_size || !buffer) return -1; dsize = (g_tmp_pkt->max_dsize - *total_size); if(dsize < PROTO_BUFFER_SIZE) return -1; ip1 = &proto->low_ip; ip2 = &proto->high_ip; if(proto->alerts == PS_ALERT_PORTSWEEP || proto->alerts == PS_ALERT_PORTSWEEP_FILTERED) { SnortSnprintf((char *)buffer, PROTO_BUFFER_SIZE, "Priority Count: %d\n" "Connection Count: %d\n" "IP Count: %d\n" "Scanned IP Range: %s:", proto->priority_count, proto->connection_count, proto->u_ip_count, inet_ntoa(ip1)); /* Now print the high ip into the buffer. This saves us * from having to copy the results of inet_ntoa (which is * a static buffer) to avoid the reuse of that buffer when * more than one use of inet_ntoa is within the same printf. */ SnortSnprintfAppend((char *)buffer, PROTO_BUFFER_SIZE, "%s\n" "Port/Proto Count: %d\n" "Port/Proto Range: %d:%d\n", inet_ntoa(ip2), proto->u_port_count, proto->low_p, proto->high_p); } else { SnortSnprintf((char *)buffer, PROTO_BUFFER_SIZE, "Priority Count: %d\n" "Connection Count: %d\n" "IP Count: %d\n" "Scanner IP Range: %s:", proto->priority_count, proto->connection_count, proto->u_ip_count, inet_ntoa(ip1) ); /* Now print the high ip into the buffer. This saves us * from having to copy the results of inet_ntoa (which is * a static buffer) to avoid the reuse of that buffer when * more than one use of inet_ntoa is within the same printf. */ SnortSnprintfAppend((char *)buffer, PROTO_BUFFER_SIZE, "%s\n" "Port/Proto Count: %d\n" "Port/Proto Range: %d:%d\n", inet_ntoa(ip2), proto->u_port_count, proto->low_p, proto->high_p); } dsize = SnortStrnlen((const char *)buffer, PROTO_BUFFER_SIZE); *total_size += dsize; /* ** Set the payload size. This is protocol independent. */ g_tmp_pkt->dsize = dsize; return 0; }
// prnMode = 0: init output format // prnMode = 1: term output format (with header and count of filtered events) // prnMode = 2: term output format (count only) static int print_thd_node( THD_NODE *p , PrintFormat type, unsigned* prnMode ) { char buf[STD_BUF+1]; memset(buf, 0, STD_BUF+1); switch( type ) { case PRINT_GLOBAL: if(p->type == THD_TYPE_SUPPRESS ) return 0; if(p->sig_id != 0 ) return 0; break; case PRINT_LOCAL: if(p->type == THD_TYPE_SUPPRESS ) return 0; if(p->sig_id == 0 || p->gen_id == 0 ) return 0; break; case PRINT_SUPPRESS: if(p->type != THD_TYPE_SUPPRESS ) return 0; break; } /* SnortSnprintfAppend(buf, STD_BUF, "| thd-id=%d", p->thd_id ); */ if ( *prnMode && !p->filtered ) return 1; if( p->gen_id == 0 ) { SnortSnprintfAppend(buf, STD_BUF, "| gen-id=global"); } else { SnortSnprintfAppend(buf, STD_BUF, "| gen-id=%-6d", p->gen_id ); } if( p->sig_id == 0 ) { SnortSnprintfAppend(buf, STD_BUF, " sig-id=global" ); } else { SnortSnprintfAppend(buf, STD_BUF, " sig-id=%-10d", p->sig_id ); } switch ( p->type ) { case THD_TYPE_LIMIT: SnortSnprintfAppend(buf, STD_BUF, " type=Limit "); break; case THD_TYPE_THRESHOLD: SnortSnprintfAppend(buf, STD_BUF, " type=Threshold"); break; case THD_TYPE_BOTH: SnortSnprintfAppend(buf, STD_BUF, " type=Both "); break; case THD_TYPE_SUPPRESS: if ( *prnMode ) SnortSnprintfAppend(buf, STD_BUF, " type=Suppress "); break; } switch ( p->tracking ) { case THD_TRK_NONE: SnortSnprintfAppend(buf, STD_BUF, " tracking=none"); break; case THD_TRK_SRC: SnortSnprintfAppend(buf, STD_BUF, " tracking=src"); break; case THD_TRK_DST: SnortSnprintfAppend(buf, STD_BUF, " tracking=dst"); break; } if( p->type == THD_TYPE_SUPPRESS ) { if ( p->tracking != THD_TRK_NONE ) { // TBD output suppress node ip addr set SnortSnprintfAppend(buf, STD_BUF, "-ip=%-16s", "<list>"); } } else { SnortSnprintfAppend(buf, STD_BUF, " count=%-3d", p->count); SnortSnprintfAppend(buf, STD_BUF, " seconds=%-3d", p->seconds); } if ( *prnMode ) { if ( *prnMode == 1 ) { LogMessage("+-----------------------[filtered events]--------------------------------------\n"); *prnMode = 2; } SnortSnprintfAppend(buf, STD_BUF, " filtered=" STDu64, p->filtered); } LogMessage("%s\n", buf); return 1; }