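/*--------------------------------------------------------------------
 * Function: event_to_impact()
 *
 * Purpose: Fills the IDMEF assessment/impact of an alert from a unified2
 *          event. The event priority is mapped onto an IDMEF severity
 *          band and, when the classification id is known, the
 *          classification name becomes the impact description.
 *
 * Arguments: event => Unified2EventCommon for the event (passed as void *)
 *            alert => IDMEF alert the assessment is attached to
 *
 * Returns: 0 on success, -1 if event or alert is NULL, otherwise the
 *          negative error code returned by the failing idmef_*() call.
 *--------------------------------------------------------------------
 */
static int event_to_impact(void *event, idmef_alert_t *alert)
{
    int ret;
    ClassType *cn;
    prelude_string_t *str;
    idmef_impact_t *impact;
    idmef_assessment_t *assessment;
    idmef_impact_severity_t severity;
    const Unified2EventCommon *common = event;
    u_int32_t event_priority;

    /* Refuse NULL input instead of dereferencing it; -1 keeps the
     * "negative means failure" convention of the idmef_*() calls below. */
    if (common == NULL || alert == NULL) {
        return -1;
    }

    /* store and convert once: the unified2 fields are in network byte order */
    event_priority = ntohl(common->priority_id);

    ret = idmef_alert_new_assessment(alert, &assessment);
    if (ret < 0) {
        return ret;
    }

    ret = idmef_assessment_new_impact(assessment, &impact);
    if (ret < 0) {
        return ret;
    }

    /* A lower priority number means a more severe event; mid_priority,
     * low_priority and info_priority (defined elsewhere in this file) are
     * the upper bounds of the HIGH, MEDIUM and LOW bands. */
    if (event_priority < mid_priority) {
        severity = IDMEF_IMPACT_SEVERITY_HIGH;
    } else if (event_priority < low_priority) {
        severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
    } else if (event_priority < info_priority) {
        severity = IDMEF_IMPACT_SEVERITY_LOW;
    } else {
        severity = IDMEF_IMPACT_SEVERITY_INFO;
    }
    idmef_impact_set_severity(impact, severity);

    cn = ClassTypeLookupById(barnyard2_conf, ntohl(common->classification_id));
    if (cn != NULL) {
        ret = idmef_impact_new_description(impact, &str);
        if (ret < 0) {
            return ret;
        }
        /* set_ref stores a pointer to cn->name rather than a copy, so the
         * ClassType table must stay alive while the alert is used —
         * TODO confirm against the caller's lifetime handling. */
        prelude_string_set_ref(str, cn->name);
    }

    return 0;
}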
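/*--------------------------------------------------------------------
 * Function: LogPriorityData()
 *
 * Purpose: Prints out priority data associated with an alert
 *
 * Arguments: log => pointer to TextLog to write the data to
 *            cid => classification id of the alert; resolved through
 *                   barnyard2_conf and printed by name when known
 *            priority => priority of the alert
 *            doNewLine => tack a \n to the end of the line or not (bool)
 *
 * Returns: void function
 *--------------------------------------------------------------------
 */
void LogPriorityData(TextLog* log, uint32_t cid, uint32_t priority, bool doNewLine)
{
    ClassType *cn = ClassTypeLookupById(barnyard2_conf, cid);

    /* priority is unsigned: %u with an explicit cast keeps the format and
     * argument types matched (%d would misprint values above INT_MAX). */
    if (cn != NULL) {
        TextLog_Print(log, "[Classification: %s] [Priority: %u] ",
                      cn->name, (unsigned int)priority);
    } else {
        TextLog_Print(log, "[Priority: %u] ", (unsigned int)priority);
    }

    if (doNewLine) {
        TextLog_NewLine(log);
    }
}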
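/*--------------------------------------------------------------------
 * Function: OpSyslog_Alert()
 *
 * Purpose: Formats one unified2 IDS event and its packet into the syslog
 *          payload of the plugin context and hands it to NetSend().
 *          syslogContext->operation_mode selects the layout:
 *            0 => classic one-line
 *                 "[gid:sid:rev] msg [Classification] [Priority] {proto} src -> dst"
 *            1 => verbose record built by the Syslog_Format*() helpers
 *
 * Arguments: p          => decoded packet the event refers to
 *            event      => Unified2EventCommon for the event
 *            event_type => unified2 record type; only UNIFIED2_IDS_EVENT
 *                          is handled, anything else is logged and dropped
 *            arg        => OpSyslog_Data plugin context
 *
 * Returns: void function. NULL arguments and unsupported event types are
 *          logged and ignored; formatting and transport failures go
 *          through FatalError().
 *--------------------------------------------------------------------
 */
void OpSyslog_Alert(Packet *p, void *event, uint32_t event_type, void *arg)
{
    OpSyslog_Data *syslogContext = NULL;
    Unified2EventCommon *iEvent = NULL;
    SigNode *sn = NULL;
    ClassType *cn = NULL;
    uint32_t priority = 0;
    /* 16 bytes holds a dotted-quad IPv4 address plus the terminator;
     * inet_ntoa() below is IPv4-only. */
    char sip[16] = {0};
    char dip[16] = {0};

    if ((p == NULL) || (event == NULL) || (arg == NULL)) {
        /* The arguments are pointers: %p is the only portable way to print
         * them (%x would truncate them on 64-bit targets). */
        LogMessage("OpSyslog_Alert(): Invoked with Packet[%p] Event[%p] Event Type [%u] Context pointer[%p]\n",
                   (void *)p, event, event_type, arg);
        return;
    }

    if (event_type != UNIFIED2_IDS_EVENT) {
        LogMessage("OpSyslog_Alert(): Is currently unable to handle Event Type [%u] \n", event_type);
        return;
    }

    syslogContext = (OpSyslog_Data *)arg;
    iEvent = (Unified2EventCommon *)event;
    priority = ntohl(iEvent->priority_id);

    /* Both buffers are rebuilt from scratch for every event. */
    memset(syslogContext->payload, '\0', SYSLOG_MAX_QUERY_SIZE);
    memset(syslogContext->formatBuffer, '\0', SYSLOG_MAX_QUERY_SIZE);
    syslogContext->payload_current_pos = 0;
    syslogContext->format_current_pos = 0;

    switch (syslogContext->operation_mode) {
    case 0: /* Ze Classic (Requested) */
        if (IPH_IS_VALID(p)) {
            if (strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof(sip)) >= sizeof(sip)) {
                FatalError("[%s()], strlcpy() error , bailing \n", __FUNCTION__);
                return;
            }
            if (strlcpy(dip, inet_ntoa(GET_DST_ADDR(p)), sizeof(dip)) >= sizeof(dip)) {
                FatalError("[%s()], strlcpy() error , bailing \n", __FUNCTION__);
                return;
            }
        }

        sn = GetSigByGidSid(ntohl(iEvent->generator_id), ntohl(iEvent->signature_id));
        cn = ClassTypeLookupById(barnyard2_conf, ntohl(iEvent->classification_id));

        /* Every fragment is rendered into formatBuffer and then moved into
         * payload by OpSyslog_Concat(). The position is checked after each
         * snprintf() so a truncated fragment aborts instead of being sent. */
        if ((syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                           "[%u:%u:%u] ",
                                                           ntohl(iEvent->generator_id),
                                                           ntohl(iEvent->signature_id),
                                                           ntohl(iEvent->signature_revision))) >= SYSLOG_MAX_QUERY_SIZE) {
            FatalError("[%s()], failed call to snprintf \n", __FUNCTION__);
        }
        if (OpSyslog_Concat(syslogContext)) {
            FatalError("OpSyslog_Concat(): Failed \n");
        }

        /* Signature message, or a generic "ALERT" marker when the gid/sid
         * is not in the signature map. */
        if (sn != NULL) {
            if ((syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                               "%s ", sn->msg)) >= SYSLOG_MAX_QUERY_SIZE) {
                FatalError("[%s()], failed call to snprintf \n", __FUNCTION__);
            }
        } else {
            if ((syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                               "ALERT ")) >= SYSLOG_MAX_QUERY_SIZE) {
                FatalError("[%s()], failed call to snprintf \n", __FUNCTION__);
            }
        }
        if (OpSyslog_Concat(syslogContext)) {
            FatalError("OpSyslog_Concat(): Failed \n");
        }

        /* Classification and priority. A known classification without a
         * name prints nothing; an unknown one prints the priority alone
         * unless it is zero. priority is uint32_t, hence %u. */
        if (cn != NULL) {
            if (cn->name) {
                if ((syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                                   "[Classification: %s] [Priority: %u]:",
                                                                   cn->name, priority)) >= SYSLOG_MAX_QUERY_SIZE) {
                    FatalError("[%s()], failed call to snprintf \n", __FUNCTION__);
                }
            }
        } else if (priority != 0) {
            if ((syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                               "[Priority: %u]:", priority)) >= SYSLOG_MAX_QUERY_SIZE) {
                FatalError("[%s()], failed call to snprintf \n", __FUNCTION__);
            }
        }
        if (OpSyslog_Concat(syslogContext)) {
            FatalError("OpSyslog_Concat(): Failed \n");
        }

        /* Address block. The IP header accessors (GET_IPH_PROTO, p->sp,
         * p->dp) are only meaningful when IPH_IS_VALID(p), so nothing is
         * read from the header for packets without one; the Concat below
         * still runs so the payload sequence stays the same. */
        if (IPH_IS_VALID(p)) {
            const char *proto_name = protocol_names[GET_IPH_PROTO(p)];
            /* Ports are only shown for non-fragmented TCP/UDP/ICMP. */
            int without_ports = (GET_IPH_PROTO(p) != IPPROTO_TCP &&
                                 GET_IPH_PROTO(p) != IPPROTO_UDP &&
                                 GET_IPH_PROTO(p) != IPPROTO_ICMP) || p->frag_flag;

            if (proto_name != NULL) {
                if (without_ports) {
                    if (BcAlertInterface()) {
                        if ((syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                                           " <%s> {%s} %s -> %s",
                                                                           barnyard2_conf->interface, proto_name,
                                                                           sip, dip)) >= SYSLOG_MAX_QUERY_SIZE) {
                            FatalError("[%s()], failed call to snprintf \n", __FUNCTION__);
                        }
                    } else {
                        if ((syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                                           " {%s} %s -> %s",
                                                                           proto_name, sip, dip)) >= SYSLOG_MAX_QUERY_SIZE) {
                            FatalError("[%s()], failed call to snprintf \n", __FUNCTION__);
                        }
                    }
                } else {
                    if (BcAlertInterface()) {
                        if ((syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                                           " <%s> {%s} %s:%i -> %s:%i",
                                                                           barnyard2_conf->interface, proto_name,
                                                                           sip, p->sp, dip, p->dp)) >= SYSLOG_MAX_QUERY_SIZE) {
                            FatalError("[%s()], failed call to snprintf \n", __FUNCTION__);
                        }
                    } else {
                        if ((syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                                           " {%s} %s:%i -> %s:%i",
                                                                           proto_name, sip, p->sp, dip, p->dp)) >= SYSLOG_MAX_QUERY_SIZE) {
                            FatalError("[%s()], failed call to snprintf \n", __FUNCTION__);
                        }
                    }
                }
            }
        }
        if (OpSyslog_Concat(syslogContext)) {
            FatalError("OpSyslog_Concat(): Failed \n");
        }
        break;

    case 1: /* Ze verbose */
        if (Syslog_FormatTrigger(syslogContext, iEvent, 0)) {
            LogMessage("WARNING: Unable to append Trigger header.\n");
            return;
        }

        /* Support for portscan ip: those events carry no IP header, so the
         * header sections are optional. */
        if (p->iph) {
            if (Syslog_FormatIPHeaderAlert(syslogContext, p)) {
                LogMessage("WARNING: Unable to append IP header.\n");
                return;
            }

            /* build the protocol specific header information */
            switch (p->iph->ip_proto) {
            case IPPROTO_TCP:
                Syslog_FormatTCPHeaderAlert(syslogContext, p);
                break;
            case IPPROTO_UDP:
                Syslog_FormatUDPHeaderAlert(syslogContext, p);
                break;
            case IPPROTO_ICMP:
                Syslog_FormatICMPHeaderAlert(syslogContext, p);
                break;
            default:
                /* other protocols have no transport header section */
                break;
            }
        }

        /* CHECKME: -elz will update formating later on .. */
        if ((syslogContext->format_current_pos += snprintf(syslogContext->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                           "\n")) >= SYSLOG_MAX_QUERY_SIZE) {
            FatalError("Couldn't finalize payload string ....\n");
        }
        if (OpSyslog_Concat(syslogContext)) {
            FatalError("OpSyslog_Concat(): Failed \n");
        }
        break;

    default:
        FatalError("[%s()]: Unknown operation_mode ... bailing \n", __FUNCTION__);
        break;
    }

    if (NetSend(syslogContext)) {
        NetClose(syslogContext);
        /* A failed remote send is fatal unless local logging is in use. */
        if (syslogContext->local_logging != 1) {
            FatalError("NetSend(): call failed for host:port '%s:%u' bailing...\n",
                       syslogContext->server, syslogContext->port);
        }
    }
}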
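/*--------------------------------------------------------------------
 * Function: Syslog_FormatTrigger()
 *
 * Purpose: Appends the verbose-mode record header to the syslog payload:
 *          the "[SNORTIDS[ALERT|LOG]: [sensor] ..." tag, then
 *          "<timestamp><sep><priority><sep><message>", then the
 *          classification type (or "[Unknown Classification]").
 *
 * Arguments: syslogData => plugin context holding formatBuffer/payload
 *            pEvent     => unified2 event whose fields are rendered
 *            opType     => 0 for an alert header, 1 for a log header
 *
 * Returns: 0 on success; 1 on NULL argument, unknown opType, allocation
 *          failure or a fragment that does not fit formatBuffer.
 *          OpSyslog_Concat() failures abort through FatalError().
 *--------------------------------------------------------------------
 */
static int Syslog_FormatTrigger(OpSyslog_Data *syslogData, Unified2EventCommon *pEvent, int opType)
{
    /* Size of the fallback timestamp text when GetTimestampByComponent()
     * fails; it is heap-allocated so the single free() below covers both. */
    enum { TS_FALLBACK_LEN = 256 };
    char tSigBuf[256] = {0};
    char *timestamp_string = NULL;
    SigNode *sn = NULL;
    ClassType *cn = NULL;
    const char *classification = NULL;

    if ((syslogData == NULL) || (pEvent == NULL)) {
        return 1;
    }

    switch (opType) {
    case 0: /* Alert */
        /* NOTE(review): this tag closes with '}' while the LOG tag closes
         * with ']'; it looks like a typo, but consumers may parse the
         * exact text, so it is left unchanged. */
        if ((syslogData->format_current_pos += snprintf(syslogData->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                        "[SNORTIDS[ALERT]: [%s] }",
                                                        syslogData->sensor_name)) >= SYSLOG_MAX_QUERY_SIZE) {
            return 1;
        }
        break;

    case 1: /* Log */
        if ((syslogData->format_current_pos += snprintf(syslogData->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                        "[SNORTIDS[LOG]: [%s] ]",
                                                        syslogData->sensor_name)) >= SYSLOG_MAX_QUERY_SIZE) {
            return 1;
        }
        break;

    default:
        LogMessage("Syslog_FormatTrigger(): Unknown [%d] operation mode \n", opType);
        return 1;
    }

    if (OpSyslog_Concat(syslogData)) {
        FatalError("OpSyslog_Concat(): Failed \n");
    }

    timestamp_string = GetTimestampByComponent(ntohl(pEvent->event_second),
                                               ntohl(pEvent->event_microsecond),
                                               GetLocalTimezone());
    if (timestamp_string == NULL) {
        /* Fall back to the raw components so the record is still emitted. */
        timestamp_string = calloc(1, TS_FALLBACK_LEN);
        if (timestamp_string == NULL) {
            return 1;
        }
        snprintf(timestamp_string, TS_FALLBACK_LEN,
                 "sec:[%u] msec:[%u] Second away from UTC:[%u] ",
                 ntohl(pEvent->event_second),
                 ntohl(pEvent->event_microsecond),
                 GetLocalTimezone());
    }

    /* Generic message used when the gid/sid has no entry in the sid map. */
    snprintf(tSigBuf, sizeof(tSigBuf), "Snort Alert [%u:%u:%u]",
             ntohl(pEvent->generator_id),
             ntohl(pEvent->signature_id),
             ntohl(pEvent->signature_revision));

    sn = GetSigByGidSid(ntohl(pEvent->generator_id), ntohl(pEvent->signature_id));
    cn = ClassTypeLookupById(barnyard2_conf, ntohl(pEvent->classification_id));

    if ((syslogData->format_current_pos += snprintf(syslogData->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                    "%s%c%u%c%s",
                                                    timestamp_string, syslogData->field_separators,
                                                    ntohl(pEvent->priority_id), syslogData->field_separators,
                                                    sn != NULL ? sn->msg : tSigBuf)) >= SYSLOG_MAX_QUERY_SIZE) {
        goto fail;
    }
    if (OpSyslog_Concat(syslogData)) {
        FatalError("OpSyslog_Concat(): Failed \n");
    }

    /* The overflow check must wrap the whole "pos += snprintf()" expression:
     * "pos += snprintf() >= MAX" would add only 0 or 1 to the position and
     * never detect truncation. */
    classification = (cn != NULL) ? cn->type : "[Unknown Classification]";
    if ((syslogData->format_current_pos += snprintf(syslogData->formatBuffer, SYSLOG_MAX_QUERY_SIZE,
                                                    "%s", classification)) >= SYSLOG_MAX_QUERY_SIZE) {
        goto fail;
    }
    if (OpSyslog_Concat(syslogData)) {
        FatalError("OpSyslog_Concat(): Failed \n");
    }

    /*CHECKME: -elz Need to investigate */
    //Syslog_FormatReference(syslogData, sn->refs);

    free(timestamp_string);
    return 0;

fail:
    free(timestamp_string);
    return 1;
}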