/**
* \brief Add IPv4 header data, to be stored in the Additional Data
* field of the IDMEF alert (see section 4.2.4.6 of RFC 4765).
*
* \return 0 if ok
*/
static int PacketToDataV4(Packet *p, PacketAlert *pa, idmef_alert_t *alert)
{
SCEnter();
AddIntData(alert, "ip_ver", IPV4_GET_RAW_VER(p->ip4h));
AddIntData(alert, "ip_hlen", IPV4_GET_RAW_HLEN(p->ip4h));
AddIntData(alert, "ip_tos", IPV4_GET_RAW_IPTOS(p->ip4h));
AddIntData(alert, "ip_len", ntohs(IPV4_GET_RAW_IPLEN(p->ip4h)));
AddIntData(alert, "ip_id", ntohs(IPV4_GET_RAW_IPID(p->ip4h)));
AddIntData(alert, "ip_off", ntohs(IPV4_GET_RAW_IPOFFSET(p->ip4h)));
AddIntData(alert, "ip_ttl", IPV4_GET_RAW_IPTTL(p->ip4h));
AddIntData(alert, "ip_proto", IPV4_GET_RAW_IPPROTO(p->ip4h));
AddIntData(alert, "ip_sum", ntohs(p->ip4h->ip_csum));
SCReturnInt(0);
}
int Unified2IPv4TypeAlert (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq)
{
Unified2AlertThread *aun = (Unified2AlertThread *)data;
Unified2AlertFileHeader hdr;
AlertIPv4Unified2 *phdr = (AlertIPv4Unified2 *)(aun->data +
sizeof(Unified2AlertFileHeader));
AlertIPv4Unified2 gphdr;
PacketAlert *pa;
int offset, length;
int ret;
unsigned int event_id;
if (p->alerts.cnt == 0)
return 0;
length = (sizeof(Unified2AlertFileHeader) + sizeof(AlertIPv4Unified2));
offset = length;
memset(aun->data, 0, aun->datalen);
hdr.type = htonl(UNIFIED2_IDS_EVENT_TYPE);
hdr.length = htonl(sizeof(AlertIPv4Unified2));
/* fill the gphdr structure with the data of the packet */
memset(&gphdr, 0, sizeof(gphdr));
gphdr.sensor_id = htonl(sensor_id);
gphdr.event_id = 0;
gphdr.event_second = htonl(p->ts.tv_sec);
gphdr.event_microsecond = htonl(p->ts.tv_usec);
gphdr.src_ip = p->ip4h->s_ip_src.s_addr;
gphdr.dst_ip = p->ip4h->s_ip_dst.s_addr;
gphdr.protocol = IPV4_GET_RAW_IPPROTO(p->ip4h);
if(p->action & ACTION_DROP)
gphdr.packet_action = UNIFIED2_BLOCKED_FLAG;
else
gphdr.packet_action = 0;
/* TODO inverse order if needed, this should be done on a
* alert basis */
switch(gphdr.protocol) {
case IPPROTO_ICMP:
if(p->icmpv4h) {
gphdr.sp = htons(p->icmpv4h->type);
gphdr.dp = htons(p->icmpv4h->code);
}
break;
case IPPROTO_UDP:
case IPPROTO_TCP:
case IPPROTO_SCTP:
gphdr.sp = htons(p->sp);
gphdr.dp = htons(p->dp);
break;
default:
gphdr.sp = 0;
gphdr.dp = 0;
break;
}
uint16_t i = 0;
for (; i < p->alerts.cnt + 1; i++) {
if (i < p->alerts.cnt)
pa = &p->alerts.alerts[i];
else {
if (!(p->flags & PKT_HAS_TAG))
break;
pa = PacketAlertGetTag();
}
if (unlikely(pa->s == NULL))
continue;
/* reset length and offset */
aun->offset = offset;
aun->length = length;
memset(aun->data + aun->offset, 0, aun->datalen - aun->offset);
/* copy the part common to all alerts */
memcpy(aun->data, &hdr, sizeof(hdr));
memcpy(phdr, &gphdr, sizeof(gphdr));
/* fill the hdr structure with the alert data */
event_id = htonl(SC_ATOMIC_ADD(unified2_event_id, 1));
phdr->event_id = event_id;
phdr->generator_id = htonl(pa->s->gid);
phdr->signature_id = htonl(pa->s->id);
phdr->signature_revision = htonl(pa->s->rev);
phdr->classification_id = htonl(pa->s->class);
phdr->priority_id = htonl(pa->s->prio);
/* check and enforce the filesize limit */
SCMutexLock(&aun->file_ctx->fp_mutex);
if ((aun->file_ctx->size_current + length) > aun->file_ctx->size_limit) {
if (Unified2AlertRotateFile(tv,aun) < 0) {
aun->file_ctx->alerts += i;
SCMutexUnlock(&aun->file_ctx->fp_mutex);
return -1;
}
}
if (Unified2Write(aun) != 1) {
aun->file_ctx->alerts += i;
SCMutexUnlock(&aun->file_ctx->fp_mutex);
return -1;
}
memset(aun->data, 0, aun->length);
aun->length = 0;
aun->offset = 0;
/* Write the alert (it doesn't lock inside, since we
* already locked here for rotation check)
*/
int stream = (gphdr.protocol == IPPROTO_TCP) ?
(pa->flags & (PACKET_ALERT_FLAG_STATE_MATCH|PACKET_ALERT_FLAG_STREAM_MATCH) ? 1 : 0) : 0;
ret = Unified2PacketTypeAlert(aun, p, event_id, stream);
if (ret != 1) {
aun->file_ctx->alerts += i;
SCMutexUnlock(&aun->file_ctx->fp_mutex);
return -1;
}
fflush(aun->file_ctx->fp);
aun->file_ctx->alerts++;
SCMutexUnlock(&aun->file_ctx->fp_mutex);
}
return 0;
}
/**
* Note, this is the IP header, plus a bit of the original packet, not the whole thing!
*/
int DecodePartialIPV4( Packet* p, uint8_t* partial_packet, uint16_t len )
{
/** Check the sizes, the header must fit at least */
if (len < IPV4_HEADER_LEN) {
SCLogDebug("DecodePartialIPV4: ICMPV4_IPV4_TRUNC_PKT");
ENGINE_SET_INVALID_EVENT(p, ICMPV4_IPV4_TRUNC_PKT);
return -1;
}
IPV4Hdr *icmp4_ip4h = (IPV4Hdr*)partial_packet;
/** Check the embedded version */
if (IPV4_GET_RAW_VER(icmp4_ip4h) != 4) {
/** Check the embedded version */
SCLogDebug("DecodePartialIPV4: ICMPv4 contains Unknown IPV4 version "
"ICMPV4_IPV4_UNKNOWN_VER");
ENGINE_SET_INVALID_EVENT(p, ICMPV4_IPV4_UNKNOWN_VER);
return -1;
}
/** We need to fill icmpv4vars */
p->icmpv4vars.emb_ipv4h = icmp4_ip4h;
/** Get the IP address from the contained packet */
p->icmpv4vars.emb_ip4_src = IPV4_GET_RAW_IPSRC(icmp4_ip4h);
p->icmpv4vars.emb_ip4_dst = IPV4_GET_RAW_IPDST(icmp4_ip4h);
p->icmpv4vars.emb_ip4_hlen=IPV4_GET_RAW_HLEN(icmp4_ip4h) << 2;
switch (IPV4_GET_RAW_IPPROTO(icmp4_ip4h)) {
case IPPROTO_TCP:
if (len >= IPV4_HEADER_LEN + TCP_HEADER_LEN ) {
p->icmpv4vars.emb_tcph = (TCPHdr*)(partial_packet + IPV4_HEADER_LEN);
p->icmpv4vars.emb_sport = ntohs(p->icmpv4vars.emb_tcph->th_sport);
p->icmpv4vars.emb_dport = ntohs(p->icmpv4vars.emb_tcph->th_dport);
p->icmpv4vars.emb_ip4_proto = IPPROTO_TCP;
SCLogDebug("DecodePartialIPV4: ICMPV4->IPV4->TCP header sport: "
"%"PRIu8" dport %"PRIu8"", p->icmpv4vars.emb_sport,
p->icmpv4vars.emb_dport);
} else if (len >= IPV4_HEADER_LEN + 4) {
/* only access th_sport and th_dport */
TCPHdr *emb_tcph = (TCPHdr*)(partial_packet + IPV4_HEADER_LEN);
p->icmpv4vars.emb_tcph = NULL;
p->icmpv4vars.emb_sport = ntohs(emb_tcph->th_sport);
p->icmpv4vars.emb_dport = ntohs(emb_tcph->th_dport);
p->icmpv4vars.emb_ip4_proto = IPPROTO_TCP;
SCLogDebug("DecodePartialIPV4: ICMPV4->IPV4->TCP partial header sport: "
"%"PRIu8" dport %"PRIu8"", p->icmpv4vars.emb_sport,
p->icmpv4vars.emb_dport);
} else {
SCLogDebug("DecodePartialIPV4: Warning, ICMPV4->IPV4->TCP "
"header Didn't fit in the packet!");
p->icmpv4vars.emb_sport = 0;
p->icmpv4vars.emb_dport = 0;
}
break;
case IPPROTO_UDP:
if (len >= IPV4_HEADER_LEN + UDP_HEADER_LEN ) {
p->icmpv4vars.emb_udph = (UDPHdr*)(partial_packet + IPV4_HEADER_LEN);
p->icmpv4vars.emb_sport = ntohs(p->icmpv4vars.emb_udph->uh_sport);
p->icmpv4vars.emb_dport = ntohs(p->icmpv4vars.emb_udph->uh_dport);
p->icmpv4vars.emb_ip4_proto = IPPROTO_UDP;
SCLogDebug("DecodePartialIPV4: ICMPV4->IPV4->UDP header sport: "
"%"PRIu8" dport %"PRIu8"", p->icmpv4vars.emb_sport,
p->icmpv4vars.emb_dport);
} else {
SCLogDebug("DecodePartialIPV4: Warning, ICMPV4->IPV4->UDP "
"header Didn't fit in the packet!");
p->icmpv4vars.emb_sport = 0;
p->icmpv4vars.emb_dport = 0;
}
break;
case IPPROTO_ICMP:
if (len >= IPV4_HEADER_LEN + ICMPV4_HEADER_LEN ) {
p->icmpv4vars.emb_icmpv4h = (ICMPV4Hdr*)(partial_packet + IPV4_HEADER_LEN);
p->icmpv4vars.emb_sport = 0;
p->icmpv4vars.emb_dport = 0;
p->icmpv4vars.emb_ip4_proto = IPPROTO_ICMP;
SCLogDebug("DecodePartialIPV4: ICMPV4->IPV4->ICMP header");
}
break;
}
/* debug print */
#ifdef DEBUG
char s[16], d[16];
PrintInet(AF_INET, &(p->icmpv4vars.emb_ip4_src), s, sizeof(s));
PrintInet(AF_INET, &(p->icmpv4vars.emb_ip4_dst), d, sizeof(d));
SCLogDebug("ICMPv4 embedding IPV4 %s->%s - PROTO: %" PRIu32 " ID: %" PRIu32 "", s,d,
IPV4_GET_RAW_IPPROTO(icmp4_ip4h), IPV4_GET_RAW_IPID(icmp4_ip4h));
#endif
return 0;
}
TmEcode AlertUnifiedAlert (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
{
AlertUnifiedAlertThread *aun = (AlertUnifiedAlertThread *)data;
AlertUnifiedAlertPacketHeader hdr;
int ret;
uint8_t ethh_offset = 0;
/* the unified1 format only supports IPv4. */
if (p->alerts.cnt == 0 || !PKT_IS_IPV4(p))
return TM_ECODE_OK;
/* if we have no ethernet header (e.g. when using nfq), we have to create
* one ourselves. */
if (p->ethh == NULL) {
ethh_offset = sizeof(EthernetHdr);
}
/* fill the hdr structure with the data of the packet */
hdr.pad1 = 0;
hdr.pad2 = 0;
hdr.ts.tv_sec = hdr.ref_ts.tv_sec = p->ts.tv_sec;
hdr.ts.tv_usec = hdr.ref_ts.tv_usec = p->ts.tv_sec;
hdr.src_ip = ntohl(GET_IPV4_SRC_ADDR_U32(p)); /* addr is host order */
hdr.dst_ip = ntohl(GET_IPV4_DST_ADDR_U32(p)); /* addr is host order */
hdr.sp = p->sp;
hdr.dp = p->dp;
hdr.protocol = IPV4_GET_RAW_IPPROTO(p->ip4h);
hdr.flags = 0;
uint16_t i = 0;
for (; i < p->alerts.cnt; i++) {
PacketAlert *pa = &p->alerts.alerts[i];
/* fill the rest of the hdr structure with the data of the alert */
hdr.sig_gen = pa->gid;
hdr.sig_sid = pa->sid;
hdr.sig_rev = pa->rev;
hdr.sig_class = pa->class;
hdr.sig_prio = pa->prio;
SCMutexLock(&aun->file_ctx->fp_mutex);
/** check and enforce the filesize limit, thread safe */
if ((aun->file_ctx->size_current + sizeof(hdr)) > aun->file_ctx->size_limit) {
if (AlertUnifiedAlertRotateFile(tv,aun) < 0) {
SCMutexUnlock(&aun->file_ctx->fp_mutex);
aun->file_ctx->alerts += i;
return TM_ECODE_FAILED;
}
}
/* Then the unified header */
ret = fwrite(&hdr, sizeof(AlertUnifiedAlertPacketHeader), 1, aun->file_ctx->fp);
if (ret != 1) {
SCLogError(SC_ERR_FWRITE, "Error: fwrite failed: %s", strerror(errno));
SCMutexUnlock(&aun->file_ctx->fp_mutex);
aun->file_ctx->alerts += i;
return TM_ECODE_FAILED;
}
/* force writing to disk so barnyard will not read half
* written records and choke. */
fflush(aun->file_ctx->fp);
aun->file_ctx->size_current += sizeof(hdr);
aun->file_ctx->alerts++;
SCMutexUnlock(&aun->file_ctx->fp_mutex);
}
return TM_ECODE_OK;
}
/**
* \brief Add Source and Target fields to the IDMEF alert.
* These objects contains IP addresses, source and destination
* ports (see sections 4.2.4.3 and 4.2.4.4 of RFC 4765).
*
* \return 0 if ok
*/
static int EventToSourceTarget(Packet *p, idmef_alert_t *alert)
{
int ret;
idmef_node_t *node;
idmef_source_t *source;
idmef_target_t *target;
idmef_address_t *address;
idmef_service_t *service;
prelude_string_t *string;
static char saddr[128], daddr[128];
uint8_t ip_vers;
uint8_t ip_proto;
SCEnter();
if ( !p )
SCReturnInt(0);
if ( ! IPH_IS_VALID(p) )
SCReturnInt(0);
if (PKT_IS_IPV4(p)) {
ip_vers = 4;
ip_proto = IPV4_GET_RAW_IPPROTO(p->ip4h);
PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), saddr, sizeof(saddr));
PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), daddr, sizeof(daddr));
} else if (PKT_IS_IPV6(p)) {
ip_vers = 6;
ip_proto = IPV6_GET_L4PROTO(p);
PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), saddr, sizeof(saddr));
PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), daddr, sizeof(daddr));
} else
SCReturnInt(0);
ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_source_new_service(source, &service);
if ( ret < 0 )
SCReturnInt(ret);
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->sp);
idmef_service_set_ip_version(service, ip_vers);
idmef_service_set_iana_protocol_number(service, ip_proto);
ret = idmef_source_new_node(source, &node);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
SCReturnInt(ret);
prelude_string_set_ref(string, saddr);
ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_target_new_service(target, &service);
if ( ret < 0 )
SCReturnInt(ret);
if ( p->tcph || p->udph )
idmef_service_set_port(service, p->dp);
idmef_service_set_ip_version(service, ip_vers);
idmef_service_set_iana_protocol_number(service, ip_proto);
ret = idmef_target_new_node(target, &node);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
if ( ret < 0 )
SCReturnInt(ret);
ret = idmef_address_new_address(address, &string);
if ( ret < 0 )
SCReturnInt(ret);
prelude_string_set_ref(string, daddr);
SCReturnInt(0);
}
