/**
 * \brief Fill in the IDMEF assessment/impact for an alert (RFC 4765,
 * section 4.2.6.1): a severity derived from the signature priority, a
 * "block installed" action when the packet was dropped, and the
 * signature's class message as the impact description.
 * Completion is left at its default (unknown) because it is not known here.
 *
 * \param pa    alert being reported; only pa->s->prio and pa->s->class_msg are read
 * \param p     packet that raised the alert; p->action is tested for ACTION_DROP
 * \param alert IDMEF alert the new assessment is attached to
 *
 * \return 0 on success, otherwise the negative error code returned by the
 *         failing idmef_* call
 */
static int EventToImpact(PacketAlert *pa, Packet *p, idmef_alert_t *alert)
{
    idmef_assessment_t *assessment = NULL;
    idmef_impact_t *impact = NULL;
    idmef_impact_severity_t severity = IDMEF_IMPACT_SEVERITY_INFO;
    unsigned int prio;
    int ret;

    SCEnter();

    ret = idmef_alert_new_assessment(alert, &assessment);
    if (ret < 0) {
        SCReturnInt(ret);
    }

    ret = idmef_assessment_new_impact(assessment, &impact);
    if (ret < 0) {
        SCReturnInt(ret);
    }

    /* A smaller priority number is more urgent: compare against the
     * ascending thresholds and fall back to INFO past the last one. */
    prio = (unsigned int)pa->s->prio;
    if (prio < mid_priority) {
        severity = IDMEF_IMPACT_SEVERITY_HIGH;
    } else if (prio < low_priority) {
        severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
    } else if (prio < info_priority) {
        severity = IDMEF_IMPACT_SEVERITY_LOW;
    }
    idmef_impact_set_severity(impact, severity);

    /* Report that the packet was blocked, so the receiver knows no further
     * response is needed. */
    if (p->action & ACTION_DROP) {
        idmef_action_t *action = NULL;

        ret = idmef_action_new(&action);
        if (ret < 0) {
            SCReturnInt(ret);
        }
        idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED);
        idmef_assessment_set_action(assessment, action, 0);
    }

    /* NOTE(review): set_ref presumably stores a reference to class_msg
     * rather than a copy, so the signature must outlive the alert — confirm. */
    if (pa->s->class_msg) {
        prelude_string_t *description = NULL;

        ret = idmef_impact_new_description(impact, &description);
        if (ret < 0) {
            SCReturnInt(ret);
        }
        prelude_string_set_ref(description, pa->s->class_msg);
    }

    SCReturnInt(0);
}
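/**
 * \brief Build the IDMEF assessment/impact for a unified2 event
 * (RFC 4765, section 4.2.6.1): the severity is derived from the record's
 * priority_id, and when classification_id resolves to a known class type
 * its name becomes the impact description.
 *
 * \param event  unified2 record with a Unified2EventCommon header; the
 *               priority_id and classification_id fields are read (they are
 *               stored in network byte order)
 * \param alert  IDMEF alert the new assessment is attached to
 *
 * \return 0 on success, -1 if event is NULL, otherwise the negative error
 *         code returned by the failing idmef_* call
 */
static int event_to_impact(void *event, idmef_alert_t *alert)
{
        int ret;
        ClassType *cn;
        prelude_string_t *str;
        idmef_impact_t *impact;
        idmef_assessment_t *assessment;
        idmef_impact_severity_t severity;
        const Unified2EventCommon *common;
        u_int32_t event_priority;
        u_int32_t classification_id;

        /* The record is dereferenced below; a NULL event used to crash here.
         * Report it with the same negative-return convention the idmef_*
         * calls use so existing `ret < 0` checks in callers handle it. */
        if (event == NULL)
                return -1;

        /* Convert the network-order header fields once, up front. */
        common = (const Unified2EventCommon *)event;
        event_priority = ntohl(common->priority_id);
        classification_id = ntohl(common->classification_id);

        ret = idmef_alert_new_assessment(alert, &assessment);
        if ( ret < 0 )
                return ret;

        ret = idmef_assessment_new_impact(assessment, &impact);
        if ( ret < 0 )
                return ret;

        /* A smaller priority number is more urgent; anything past the last
         * threshold is informational. */
        if ( event_priority < mid_priority )
                severity = IDMEF_IMPACT_SEVERITY_HIGH;
        else if ( event_priority < low_priority )
                severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
        else if ( event_priority < info_priority )
                severity = IDMEF_IMPACT_SEVERITY_LOW;
        else
                severity = IDMEF_IMPACT_SEVERITY_INFO;

        idmef_impact_set_severity(impact, severity);

        /* An unknown classification id yields NULL; the impact then carries
         * only the severity. */
        cn = ClassTypeLookupById(barnyard2_conf, classification_id);
        if ( cn != NULL ) {
                ret = idmef_impact_new_description(impact, &str);
                if ( ret < 0 )
                        return ret;

                /* NOTE(review): set_ref presumably references cn->name rather
                 * than copying it, so the class table must outlive the alert. */
                prelude_string_set_ref(str, cn->name);
        }

        return 0;
}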
/*
 * Populate the IDMEF assessment for an event (RFC 4765, section 4.2.6.1).
 * The severity is derived from event->priority; when a rule context is
 * available through otn_tmp (defined outside this block, presumably the
 * matching rule's option tree node) and it carries a class type, the class
 * name becomes the impact description.
 *
 * Returns 0 on success, otherwise the negative error code returned by the
 * failing idmef_* call.
 */
static int event_to_impact(Event *event, idmef_alert_t *alert)
{
        idmef_assessment_t *assessment = NULL;
        idmef_impact_t *impact = NULL;
        idmef_impact_severity_t severity = IDMEF_IMPACT_SEVERITY_INFO;
        prelude_string_t *description = NULL;
        ClassType *rule_class = NULL;
        int ret;

        ret = idmef_alert_new_assessment(alert, &assessment);
        if ( ret < 0 )
                return ret;

        ret = idmef_assessment_new_impact(assessment, &impact);
        if ( ret < 0 )
                return ret;

        /* A smaller priority number is more urgent; past the last
         * threshold the default (INFO) stands. */
        if ( event->priority < mid_priority )
                severity = IDMEF_IMPACT_SEVERITY_HIGH;
        else if ( event->priority < low_priority )
                severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
        else if ( event->priority < info_priority )
                severity = IDMEF_IMPACT_SEVERITY_LOW;

        idmef_impact_set_severity(impact, severity);

        /* Without a rule context, or with a rule that has no class type,
         * the impact carries only the severity. */
        if ( otn_tmp == NULL )
                return 0;

        rule_class = otn_tmp->sigInfo.classType;
        if ( rule_class == NULL )
                return 0;

        ret = idmef_impact_new_description(impact, &description);
        if ( ret < 0 )
                return ret;

        /* NOTE(review): set_ref presumably references the class name rather
         * than copying it, so the rule tables must outlive the alert. */
        prelude_string_set_ref(description, rule_class->name);

        return 0;
}
/**
 * \brief Fill in the IDMEF assessment/impact for an alert (RFC 4765,
 * section 4.2.6.1): a severity derived from the signature priority, a
 * "block installed" action when the packet was dropped or rejected, and
 * the signature's class message as the impact description.
 * Completion is left at its default (unknown) because it is not known here.
 *
 * \param pa    alert being reported; only pa->s->prio and pa->s->class_msg are read
 * \param p     packet that raised the alert; its action flags are tested for
 *              ACTION_DROP and the ACTION_REJECT* variants
 * \param alert IDMEF alert the new assessment is attached to
 *
 * \return 0 on success, otherwise the negative error code returned by the
 *         failing idmef_* call (logged at debug level for the first two)
 */
static int EventToImpact(const PacketAlert *pa, const Packet *p, idmef_alert_t *alert)
{
    idmef_assessment_t *assessment = NULL;
    idmef_impact_t *impact = NULL;
    idmef_impact_severity_t severity = IDMEF_IMPACT_SEVERITY_INFO;
    unsigned int prio;
    int ret;

    SCEnter();

    ret = idmef_alert_new_assessment(alert, &assessment);
    if (unlikely(ret < 0)) {
        SCLogDebug("%s: error creating assessment: %s.",
                prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(ret);
    }

    ret = idmef_assessment_new_impact(assessment, &impact);
    if (unlikely(ret < 0)) {
        SCLogDebug("%s: error creating assessment impact: %s.",
                prelude_strsource(ret), prelude_strerror(ret));
        SCReturnInt(ret);
    }

    /* A smaller priority number is more urgent: compare against the
     * ascending thresholds and fall back to INFO past the last one. */
    prio = (unsigned int)pa->s->prio;
    if (prio < mid_priority) {
        severity = IDMEF_IMPACT_SEVERITY_HIGH;
    } else if (prio < low_priority) {
        severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
    } else if (prio < info_priority) {
        severity = IDMEF_IMPACT_SEVERITY_LOW;
    }
    idmef_impact_set_severity(impact, severity);

    /* Any blocking verdict (drop or one of the reject variants) is reported
     * as an installed block, so the receiver knows no further response is
     * needed. */
    if (PACKET_TEST_ACTION(p, ACTION_DROP)
            || PACKET_TEST_ACTION(p, ACTION_REJECT)
            || PACKET_TEST_ACTION(p, ACTION_REJECT_DST)
            || PACKET_TEST_ACTION(p, ACTION_REJECT_BOTH)) {
        idmef_action_t *action = NULL;

        ret = idmef_action_new(&action);
        if (unlikely(ret < 0)) {
            SCReturnInt(ret);
        }
        idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED);
        idmef_assessment_set_action(assessment, action, 0);
    }

    /* NOTE(review): set_ref presumably stores a reference to class_msg
     * rather than a copy, so the signature must outlive the alert — confirm. */
    if (pa->s->class_msg) {
        prelude_string_t *description = NULL;

        ret = idmef_impact_new_description(impact, &description);
        if (unlikely(ret < 0)) {
            SCReturnInt(ret);
        }
        prelude_string_set_ref(description, pa->s->class_msg);
    }

    SCReturnInt(0);
}