static int Syslog_FormatTCPHeaderLog(OpSyslog_Data *data, Packet *p) { unsigned int th_win, th_sum, th_flags, th_ack, th_seq, th_urp, th_off, th_x2; th_win=th_sum=th_flags=th_ack=th_seq=th_urp=th_off=th_x2=0; if( (data == NULL) || (p == NULL) || (p->tcph == NULL)) { /* XXX */ return 1; } if(p->tcph) { if(p->tcph->th_seq) th_seq = ntohl(p->tcph->th_seq); if(p->tcph->th_ack) th_ack = ntohl(p->tcph->th_ack); if(TCP_OFFSET(p->tcph)) th_off = TCP_OFFSET(p->tcph); if(TCP_X2(p->tcph)) th_x2 = TCP_X2(p->tcph); if(p->tcph->th_flags) th_flags = p->tcph->th_flags; if(p->tcph->th_win) th_win = ntohs(p->tcph->th_win); if(p->tcph->th_sum) th_sum = ntohs(p->tcph->th_sum); if(p->tcph->th_urp) th_urp = ntohs(p->tcph->th_urp); } if( (data->format_current_pos += snprintf(data->formatBuffer,SYSLOG_MAX_QUERY_SIZE, "%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u%c%u", p->sp,data->field_separators, p->dp, data->field_separators, th_seq, data->field_separators, th_ack, data->field_separators, th_off, data->field_separators, th_x2, data->field_separators, th_flags, data->field_separators, th_win, data->field_separators, th_sum, data->field_separators, th_urp)) > SYSLOG_MAX_QUERY_SIZE) { /* XXX */ return 1; } return OpSyslog_Concat(data); }
static int packet_to_data(Packet *p, Event *event, idmef_alert_t *alert) { int i; if ( ! p ) return 0; add_int_data(alert, "snort_rule_sid", event->sig_id); add_int_data(alert, "snort_rule_rev", event->sig_rev); if ( p->iph ) { add_int_data(alert, "ip_ver", IP_VER(p->iph)); add_int_data(alert, "ip_hlen", IP_HLEN(p->iph)); add_int_data(alert, "ip_tos", p->iph->ip_tos); add_int_data(alert, "ip_len", ntohs(p->iph->ip_len)); add_int_data(alert, "ip_id", ntohs(p->iph->ip_id)); add_int_data(alert, "ip_off", ntohs(p->iph->ip_off)); add_int_data(alert, "ip_ttl", p->iph->ip_ttl); add_int_data(alert, "ip_proto", p->iph->ip_proto); add_int_data(alert, "ip_sum", ntohs(p->iph->ip_csum)); for ( i = 0; i < p->ip_option_count; i++ ) { add_int_data(alert, "ip_option_code", p->ip_options[i].code); add_byte_data(alert, "ip_option_data", p->ip_options[i].data, p->ip_options[i].len); } } if ( p->tcph ) { add_int_data(alert, "tcp_seq", ntohl(p->tcph->th_seq)); add_int_data(alert, "tcp_ack", ntohl(p->tcph->th_ack)); add_int_data(alert, "tcp_off", TCP_OFFSET(p->tcph)); add_int_data(alert, "tcp_res", TCP_X2(p->tcph)); add_int_data(alert, "tcp_flags", p->tcph->th_flags); add_int_data(alert, "tcp_win", ntohs(p->tcph->th_win)); add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum)); add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp)); for ( i = 0; i < p->tcp_option_count; i++ ) { add_int_data(alert, "tcp_option_code", p->tcp_options[i].code); add_byte_data(alert, "tcp_option_data", p->tcp_options[i].data, p->tcp_options[i].len); } } else if ( p->udph ) { add_int_data(alert, "udp_len", ntohs(p->udph->uh_len)); add_int_data(alert, "udp_sum", ntohs(p->udph->uh_chk)); } else if ( p->icmph ) { add_int_data(alert, "icmp_type", p->icmph->type); add_int_data(alert, "icmp_code", p->icmph->code); add_int_data(alert, "icmp_sum", ntohs(p->icmph->csum)); switch ( p->icmph->type ) { case ICMP_ECHO: case ICMP_ECHOREPLY: case ICMP_INFO_REQUEST: case ICMP_INFO_REPLY: case ICMP_ADDRESS: case ICMP_TIMESTAMP: add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq)); break; case ICMP_ADDRESSREPLY: add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq)); add_int_data(alert, "icmp_mask", (uint32_t) ntohl(p->icmph->s_icmp_mask)); break; case ICMP_REDIRECT: add_string_data(alert, "icmp_gwaddr", inet_ntoa(p->icmph->s_icmp_gwaddr)); break; case ICMP_ROUTER_ADVERTISE: add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs); add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa); add_int_data(alert, "icmp_lifetime", ntohs(p->icmph->s_icmp_lifetime)); break; case ICMP_TIMESTAMPREPLY: add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq)); add_int_data(alert, "icmp_otime", p->icmph->s_icmp_otime); add_int_data(alert, "icmp_rtime", p->icmph->s_icmp_rtime); add_int_data(alert, "icmp_ttime", p->icmph->s_icmp_ttime); break; } } add_byte_data(alert, "payload", p->data, p->dsize); return 0; }
static int packet_to_data(Packet *p, void *event, idmef_alert_t *alert) { int i; if ( ! p ) return 0; add_int_data(alert, "snort_rule_sid", ntohl(((Unified2EventCommon *)event)->signature_id)); add_int_data(alert, "snort_rule_rev", ntohl(((Unified2EventCommon *)event)->signature_revision)); if ( IPH_IS_VALID(p) ) { add_int_data(alert, "ip_ver", GET_IPH_VER(p)); add_int_data(alert, "ip_hlen", GET_IPH_HLEN(p)); add_int_data(alert, "ip_tos", GET_IPH_TOS(p)); add_int_data(alert, "ip_len", ntohs(GET_IPH_LEN(p))); #ifdef SUP_IP6 // XXX-IPv6 need fragmentation ID #else add_int_data(alert, "ip_id", ntohs(p->iph->ip_id)); #endif #ifdef SUP_IP6 // XXX-IPv6 need fragmentation offset #else add_int_data(alert, "ip_off", ntohs(p->iph->ip_off)); #endif add_int_data(alert, "ip_ttl", GET_IPH_TTL(p)); add_int_data(alert, "ip_proto", GET_IPH_PROTO(p)); #ifdef SUP_IP6 // XXX-IPv6 need checksum #else add_int_data(alert, "ip_sum", ntohs(p->iph->ip_csum)); #endif for ( i = 0; i < p->ip_option_count; i++ ) { add_int_data(alert, "ip_option_code", p->ip_options[i].code); add_byte_data(alert, "ip_option_data", p->ip_options[i].data, p->ip_options[i].len); } } if ( p->tcph ) { add_int_data(alert, "tcp_seq", ntohl(p->tcph->th_seq)); add_int_data(alert, "tcp_ack", ntohl(p->tcph->th_ack)); add_int_data(alert, "tcp_off", TCP_OFFSET(p->tcph)); add_int_data(alert, "tcp_res", TCP_X2(p->tcph)); add_int_data(alert, "tcp_flags", p->tcph->th_flags); add_int_data(alert, "tcp_win", ntohs(p->tcph->th_win)); add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum)); add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp)); for ( i = 0; i < p->tcp_option_count; i++ ) { add_int_data(alert, "tcp_option_code", p->tcp_options[i].code); add_byte_data(alert, "tcp_option_data", p->tcp_options[i].data, p->tcp_options[i].len); } } else if ( p->udph ) { add_int_data(alert, "udp_len", ntohs(p->udph->uh_len)); add_int_data(alert, "udp_sum", ntohs(p->udph->uh_chk)); } else if ( p->icmph ) { add_int_data(alert, "icmp_type", p->icmph->type); add_int_data(alert, "icmp_code", p->icmph->code); add_int_data(alert, "icmp_sum", ntohs(p->icmph->csum)); switch ( p->icmph->type ) { case ICMP_ECHO: case ICMP_ECHOREPLY: case ICMP_INFO_REQUEST: case ICMP_INFO_REPLY: case ICMP_ADDRESS: case ICMP_TIMESTAMP: add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq)); break; case ICMP_ADDRESSREPLY: add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq)); add_int_data(alert, "icmp_mask", (uint32_t) ntohl(p->icmph->s_icmp_mask)); break; case ICMP_REDIRECT: #ifndef SUP_IP6 add_string_data(alert, "icmp_gwaddr", inet_ntoa(p->icmph->s_icmp_gwaddr)); #else { sfip_t gwaddr; sfip_set_raw(&gwaddr, (void *)&p->icmph->s_icmp_gwaddr.s_addr, AF_INET); add_string_data(alert, "icmp_gwaddr", inet_ntoa(&gwaddr)); } #endif break; case ICMP_ROUTER_ADVERTISE: add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs); add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa); add_int_data(alert, "icmp_lifetime", ntohs(p->icmph->s_icmp_lifetime)); break; case ICMP_TIMESTAMPREPLY: add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq)); add_int_data(alert, "icmp_otime", p->icmph->s_icmp_otime); add_int_data(alert, "icmp_rtime", p->icmph->s_icmp_rtime); add_int_data(alert, "icmp_ttime", p->icmph->s_icmp_ttime); break; } } add_byte_data(alert, "payload", p->data, p->dsize); return 0; }