/** * \brief Create event impact description (see section * 4.2.6.1 of RFC 4765). * The impact contains the severity, completion (succeeded or failed) * and basic classification of the attack type. * Here, we don't set the completion since we don't know it (default * is unknown). * * \return 0 if ok */ static int EventToImpact(PacketAlert *pa, Packet *p, idmef_alert_t *alert) { int ret; prelude_string_t *str; idmef_impact_t *impact; idmef_assessment_t *assessment; idmef_impact_severity_t severity; SCEnter(); ret = idmef_alert_new_assessment(alert, &assessment); if ( ret < 0 ) SCReturnInt(ret); ret = idmef_assessment_new_impact(assessment, &impact); if ( ret < 0 ) SCReturnInt(ret); if ( (unsigned int)pa->s->prio < mid_priority ) severity = IDMEF_IMPACT_SEVERITY_HIGH; else if ( (unsigned int)pa->s->prio < low_priority ) severity = IDMEF_IMPACT_SEVERITY_MEDIUM; else if ( (unsigned int)pa->s->prio < info_priority ) severity = IDMEF_IMPACT_SEVERITY_LOW; else severity = IDMEF_IMPACT_SEVERITY_INFO; idmef_impact_set_severity(impact, severity); if (p->action & ACTION_DROP) { idmef_action_t *action; ret = idmef_action_new(&action); if ( ret < 0 ) SCReturnInt(ret); idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED); idmef_assessment_set_action(assessment, action, 0); } if (pa->s->class_msg) { ret = idmef_impact_new_description(impact, &str); if ( ret < 0 ) SCReturnInt(ret); prelude_string_set_ref(str, pa->s->class_msg); } SCReturnInt(0); }
static int event_to_impact(void *event, idmef_alert_t *alert) { int ret; ClassType *cn; prelude_string_t *str; idmef_impact_t *impact; idmef_assessment_t *assessment; idmef_impact_severity_t severity; /* store and convert once */ /*TODO: detemine required return code for event being NULL */ u_int32_t event_priority = ntohl(((Unified2EventCommon *)event)->priority_id); ret = idmef_alert_new_assessment(alert, &assessment); if ( ret < 0 ) return ret; ret = idmef_assessment_new_impact(assessment, &impact); if ( ret < 0 ) return ret; if ( event_priority < mid_priority ) severity = IDMEF_IMPACT_SEVERITY_HIGH; else if ( event_priority < low_priority ) severity = IDMEF_IMPACT_SEVERITY_MEDIUM; else if ( event_priority < info_priority ) severity = IDMEF_IMPACT_SEVERITY_LOW; else severity = IDMEF_IMPACT_SEVERITY_INFO; idmef_impact_set_severity(impact, severity); cn = ClassTypeLookupById(barnyard2_conf, ntohl(((Unified2EventCommon *)event)->classification_id)); if ( cn != NULL ) { ret = idmef_impact_new_description(impact, &str); if ( ret < 0 ) return ret; prelude_string_set_ref(str, cn->name); } return 0; }
static int event_to_impact(Event *event, idmef_alert_t *alert) { int ret; ClassType *classtype; prelude_string_t *str; idmef_impact_t *impact; idmef_assessment_t *assessment; idmef_impact_severity_t severity; ret = idmef_alert_new_assessment(alert, &assessment); if ( ret < 0 ) return ret; ret = idmef_assessment_new_impact(assessment, &impact); if ( ret < 0 ) return ret; if ( event->priority < mid_priority ) severity = IDMEF_IMPACT_SEVERITY_HIGH; else if ( event->priority < low_priority ) severity = IDMEF_IMPACT_SEVERITY_MEDIUM; else if ( event->priority < info_priority ) severity = IDMEF_IMPACT_SEVERITY_LOW; else severity = IDMEF_IMPACT_SEVERITY_INFO; idmef_impact_set_severity(impact, severity); if ( ! otn_tmp ) return 0; classtype = otn_tmp->sigInfo.classType; if ( classtype ) { ret = idmef_impact_new_description(impact, &str); if ( ret < 0 ) return ret; prelude_string_set_ref(str, classtype->name); } return 0; }
/** * \brief Create event impact description (see section * 4.2.6.1 of RFC 4765). * The impact contains the severity, completion (succeeded or failed) * and basic classification of the attack type. * Here, we don't set the completion since we don't know it (default * is unknown). * * \return 0 if ok */ static int EventToImpact(const PacketAlert *pa, const Packet *p, idmef_alert_t *alert) { int ret; prelude_string_t *str; idmef_impact_t *impact; idmef_assessment_t *assessment; idmef_impact_severity_t severity; SCEnter(); ret = idmef_alert_new_assessment(alert, &assessment); if (unlikely(ret < 0)) { SCLogDebug("%s: error creating assessment: %s.", prelude_strsource(ret), prelude_strerror(ret)); SCReturnInt(ret); } ret = idmef_assessment_new_impact(assessment, &impact); if (unlikely(ret < 0)) { SCLogDebug("%s: error creating assessment impact: %s.", prelude_strsource(ret), prelude_strerror(ret)); SCReturnInt(ret); } if ( (unsigned int)pa->s->prio < mid_priority ) severity = IDMEF_IMPACT_SEVERITY_HIGH; else if ( (unsigned int)pa->s->prio < low_priority ) severity = IDMEF_IMPACT_SEVERITY_MEDIUM; else if ( (unsigned int)pa->s->prio < info_priority ) severity = IDMEF_IMPACT_SEVERITY_LOW; else severity = IDMEF_IMPACT_SEVERITY_INFO; idmef_impact_set_severity(impact, severity); if (PACKET_TEST_ACTION(p, ACTION_DROP) || PACKET_TEST_ACTION(p, ACTION_REJECT) || PACKET_TEST_ACTION(p, ACTION_REJECT_DST) || PACKET_TEST_ACTION(p, ACTION_REJECT_BOTH) ) { idmef_action_t *action; ret = idmef_action_new(&action); if (unlikely(ret < 0)) SCReturnInt(ret); idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED); idmef_assessment_set_action(assessment, action, 0); } if (pa->s->class_msg) { ret = idmef_impact_new_description(impact, &str); if (unlikely(ret < 0)) SCReturnInt(ret); prelude_string_set_ref(str, pa->s->class_msg); } SCReturnInt(0); }