char *inet_ntoax(sfip_t *ip) #endif { static char ip_buf1[INET6_ADDRSTRLEN]; static char ip_buf2[INET6_ADDRSTRLEN]; static int buf_num = 0; int buf_size = INET6_ADDRSTRLEN; char *ip_buf; #ifndef SUP_IP6 uint32_t ip = ip_addr.s_addr; #endif if (buf_num) ip_buf = ip_buf2; else ip_buf = ip_buf1; buf_num ^= 1; ip_buf[0] = 0; #ifndef SUP_IP6 SnortSnprintf(ip_buf, buf_size, "%s", inet_ntoa(*((struct in_addr *)&ip))); #else SnortSnprintf(ip_buf, buf_size, "%s", inet_ntoa(ip)); #endif return ip_buf; }
int main( int argc, char ** argv ) { int i,n=10; KMAP * km; char * p; char str[80]; printf("usage: kmap nkeys (default=10)\n\n"); km = KMapNew( free ); /* use 'free' to free 'userdata' */ KMapSetNoCase(km,1); //need to add xlat.... if( argc > 1 ) { n = atoi(argv[1]); } for(i=1;i<=n;i++) { SnortSnprintf(str, sizeof(str), "KeyWord%d",i); KMapAdd( km, str, 0 /* strlen(str) */, strupr(strdup(str)) ); printf("Adding Key=%s\n",str); } printf("xmem: %u bytes, %d chars\n",xmalloc_bytes(),km->nchars); printf("\nKey Find test...\n"); for(i=1;i<=n;i++) { SnortSnprintf(str, sizeof(str), "KeyWord%d",i); p = (char*) KMapFind( km, str, 0 /*strlen(str) */ ); if(p)printf("key=%s, data=%*s\n",str,strlen(str),p); else printf("'%s' NOT found.\n",str); } KMapSetNoCase(km,0); // this should fail all key searches printf("\nKey Find test2...\n"); for(i=1;i<=n;i++) { SnortSnprintf(str, sizeof(str), "KeyWord%d",i); p = (char*) KMapFind( km, str, 0 /*strlen(str) */ ); if(p)printf("key=%s, data=%*s\n",str,strlen(str),p); else printf("'%s' NOT found.\n",str); } printf("\nKey FindFirst/Next test...\n"); for(p = (char*) KMapFindFirst(km); p; p=(char*)KMapFindNext(km) ) printf("data=%s\n",p); printf("\nKey FindFirst/Next test done.\n"); KMapDelete( km ); printf("xmem: %u bytes\n",xmalloc_bytes()); printf("normal pgm finish.\n"); return 0; }
char *print_interface(char *szInterface) { static char device[128]; if (szInterface == NULL) return("NULL"); /* Device always ends with a double \0, so this way to determine its length should be always valid */ if(IsTextUnicode(szInterface, wcslen((wchar_t *)szInterface), NULL)) SnortSnprintf(device, 128, "%S", (wchar_t *)szInterface); else SnortSnprintf(device, 128, "%s", szInterface); return(device); }
int ipset_print( IPSET * ipc ) { char ip_str[80]; PORTRANGE * pr; if( !ipc ) return 0; { IP_PORT * p; printf("IPSET\n"); for( p =(IP_PORT*)sflist_first( &ipc->ip_list ); p!=0; p =(IP_PORT*)sflist_next( &ipc->ip_list ) ) { SnortSnprintf(ip_str, 80, "%s", sfip_to_str(&p->ip)); printf("CIDR BLOCK: %c%s", p->notflag ? '!' : ' ', ip_str); for( pr=(PORTRANGE*)sflist_first(&p->portset.port_list); pr != 0; pr=(PORTRANGE*)sflist_next(&p->portset.port_list) ) { printf(" %d", pr->port_lo); if ( pr->port_hi != pr->port_lo ) printf("-%d", pr->port_hi); } printf("\n"); } } return 0; }
/**print the ignored rule list. */ static void printIgnoredRules( IgnoredRuleList *pIgnoredRuleList, int any_any_flow ) { char six_sids = 0; int sids_ignored = 0; char buf[STD_BUF]; IgnoredRuleList *ignored_rule; IgnoredRuleList *next_ignored_rule; buf[0] = '\0'; for (ignored_rule = pIgnoredRuleList; ignored_rule != NULL; ) { if (any_any_flow == 0) { if (six_sids == 1) { SnortSnprintfAppend(buf, STD_BUF-1, "\n"); LogMessage("%s", buf); six_sids = 0; } if (sids_ignored == 0) { SnortSnprintf(buf, STD_BUF-1, " %d:%d", ignored_rule->otn->sigInfo.generator, ignored_rule->otn->sigInfo.id); } else { SnortSnprintfAppend(buf, STD_BUF-1, ", %d:%d", ignored_rule->otn->sigInfo.generator, ignored_rule->otn->sigInfo.id); } sids_ignored++; if (sids_ignored %6 == 0) { /* Have it print next time through */ six_sids = 1; sids_ignored = 0; } } next_ignored_rule = ignored_rule->next; free(ignored_rule); ignored_rule = next_ignored_rule; } if (sids_ignored || six_sids) { SnortSnprintfAppend(buf, STD_BUF-1, "\n"); LogMessage("%s", buf); } }
int ip4_sprintx( char * s, int slen, void * ip4 ) { int rc; unsigned char * ip = (unsigned char *) ip4; rc = SnortSnprintf(s, slen, "%d.%d.%d.%d", ip[3], ip[2], ip[1], ip[0]); if( rc != SNORT_SNPRINTF_SUCCESS ) return -1; return 0; }
int ip6_sprintx( char * s, int slen, void * ip6 ) { int rc; unsigned short * ps = (unsigned short *) ip6; rc = SnortSnprintf(s, slen, "%.1x:%.1x:%.1x:%.1x:%.1x:%.1x:%.1x:%.1x", ps[7], ps[6], ps[5], ps[4], ps[3], ps[2], ps[1], ps[0]); if( rc != SNORT_SNPRINTF_SUCCESS ) return -1; return 0; }
// XXX this implementation is just used to support // Snort's underlying implementation better SFIP_RET sfvt_define(vartable_t *table, char *name, char *value) { char *buf; int len; sfip_var_t *ipret = NULL; SFIP_RET ret; if(!name || !value) return SFIP_ARG_ERR; len = strlen(name) + strlen(value) + 2; if((buf = (char*)malloc(len)) == NULL) { return SFIP_FAILURE; } SnortSnprintf(buf, len, "%s %s", name, value); ret = sfvt_add_str(table, buf, &ipret); if ((ret == SFIP_SUCCESS) || (ret == SFIP_DUPLICATE)) ipret->value = sfvt_expand_value(table, value); free(buf); return ret; }
/** ** This routine makes the portscan payload for the events. The listed ** info is: ** - priority count (number of error transmissions RST/ICMP UNREACH) ** - connection count (number of protocol connections SYN) ** - ip count (number of IPs that communicated with host) ** - ip range (low to high range of IPs) ** - port count (number of port changes that occurred on host) ** - port range (low to high range of ports connected too) ** ** @return integer ** ** @retval -1 buffer not large enough ** @retval 0 successful */ static int MakeProtoInfo(PS_PROTO *proto, u_char *buffer, u_int *total_size) { int dsize; sfip_t *ip1, *ip2; if(!total_size || !buffer) return -1; dsize = (g_tmp_pkt->max_dsize - *total_size); if(dsize < PROTO_BUFFER_SIZE) return -1; ip1 = &proto->low_ip; ip2 = &proto->high_ip; if(proto->alerts == PS_ALERT_PORTSWEEP || proto->alerts == PS_ALERT_PORTSWEEP_FILTERED) { SnortSnprintf((char *)buffer, PROTO_BUFFER_SIZE, "Priority Count: %d\n" "Connection Count: %d\n" "IP Count: %d\n" "Scanned IP Range: %s:", proto->priority_count, proto->connection_count, proto->u_ip_count, inet_ntoa(ip1)); /* Now print the high ip into the buffer. This saves us * from having to copy the results of inet_ntoa (which is * a static buffer) to avoid the reuse of that buffer when * more than one use of inet_ntoa is within the same printf. */ SnortSnprintfAppend((char *)buffer, PROTO_BUFFER_SIZE, "%s\n" "Port/Proto Count: %d\n" "Port/Proto Range: %d:%d\n", inet_ntoa(ip2), proto->u_port_count, proto->low_p, proto->high_p); } else { SnortSnprintf((char *)buffer, PROTO_BUFFER_SIZE, "Priority Count: %d\n" "Connection Count: %d\n" "IP Count: %d\n" "Scanner IP Range: %s:", proto->priority_count, proto->connection_count, proto->u_ip_count, inet_ntoa(ip1) ); /* Now print the high ip into the buffer. This saves us * from having to copy the results of inet_ntoa (which is * a static buffer) to avoid the reuse of that buffer when * more than one use of inet_ntoa is within the same printf. */ SnortSnprintfAppend((char *)buffer, PROTO_BUFFER_SIZE, "%s\n" "Port/Proto Count: %d\n" "Port/Proto Range: %d:%d\n", inet_ntoa(ip2), proto->u_port_count, proto->low_p, proto->high_p); } dsize = SnortStrnlen((const char *)buffer, PROTO_BUFFER_SIZE); *total_size += dsize; /* ** Set the payload size. This is protocol independent. */ g_tmp_pkt->dsize = dsize; return 0; }
static int event_to_source_target(Packet *p, idmef_alert_t *alert) { int ret; idmef_node_t *node; idmef_source_t *source; idmef_target_t *target; idmef_address_t *address; idmef_service_t *service; prelude_string_t *string; static char saddr[128], daddr[128]; if ( !p ) return 0; if ( ! p->iph ) return 0; ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; if ( pv.interface ) { ret = idmef_source_new_interface(source, &string); if ( ret < 0 ) return ret; prelude_string_set_ref(string, pv.interface); } ret = idmef_source_new_service(source, &service); if ( ret < 0 ) return ret; if ( p->tcph || p->udph ) idmef_service_set_port(service, p->sp); idmef_service_set_ip_version(service, IP_VER(p->iph)); idmef_service_set_iana_protocol_number(service, p->iph->ip_proto); ret = idmef_source_new_node(source, &node); if ( ret < 0 ) return ret; ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; ret = idmef_address_new_address(address, &string); if ( ret < 0 ) return ret; SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(p->iph->ip_src)); prelude_string_set_ref(string, saddr); ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; if ( pv.interface ) { ret = idmef_target_new_interface(target, &string); if ( ret < 0 ) return ret; prelude_string_set_ref(string, pv.interface); } ret = idmef_target_new_service(target, &service); if ( ! ret < 0 ) return ret; if ( p->tcph || p->udph ) idmef_service_set_port(service, p->dp); idmef_service_set_ip_version(service, IP_VER(p->iph)); idmef_service_set_iana_protocol_number(service, p->iph->ip_proto); ret = idmef_target_new_node(target, &node); if ( ret < 0 ) return ret; ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; ret = idmef_address_new_address(address, &string); if ( ret < 0 ) return ret; SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(p->iph->ip_dst)); prelude_string_set_ref(string, daddr); return 0; }
static int event_to_source_target(Packet *p, idmef_alert_t *alert) { int ret; idmef_node_t *node; idmef_source_t *source; idmef_target_t *target; idmef_address_t *address; idmef_service_t *service; prelude_string_t *string; static char saddr[128], daddr[128]; if ( !p ) return 0; if ( ! IPH_IS_VALID(p) ) return 0; ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; if (barnyard2_conf->interface != NULL) { ret = idmef_source_new_interface(source, &string); if ( ret < 0 ) return ret; prelude_string_set_ref(string, PRINT_INTERFACE(barnyard2_conf->interface)); } ret = idmef_source_new_service(source, &service); if ( ret < 0 ) return ret; if ( p->tcph || p->udph ) idmef_service_set_port(service, p->sp); idmef_service_set_ip_version(service, GET_IPH_VER(p)); idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p)); ret = idmef_source_new_node(source, &node); if ( ret < 0 ) return ret; ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; ret = idmef_address_new_address(address, &string); if ( ret < 0 ) return ret; SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(GET_SRC_ADDR(p))); prelude_string_set_ref(string, saddr); ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; if (barnyard2_conf->interface != NULL) { ret = idmef_target_new_interface(target, &string); if ( ret < 0 ) return ret; prelude_string_set_ref(string, barnyard2_conf->interface); } ret = idmef_target_new_service(target, &service); if ( ! ret < 0 ) return ret; if ( p->tcph || p->udph ) idmef_service_set_port(service, p->dp); idmef_service_set_ip_version(service, GET_IPH_VER(p)); idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p)); ret = idmef_target_new_node(target, &node); if ( ret < 0 ) return ret; ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND); if ( ret < 0 ) return ret; ret = idmef_address_new_address(address, &string); if ( ret < 0 ) return ret; SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(GET_DST_ADDR(p))); prelude_string_set_ref(string, daddr); return 0; }