void CaptureStatsUpdate(ThreadVars *tv, CaptureStats *s, const Packet *p) { if (unlikely(PACKET_TEST_ACTION(p, (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)))) { StatsIncr(tv, s->counter_ips_rejected); } else if (unlikely(PACKET_TEST_ACTION(p, ACTION_DROP))) { StatsIncr(tv, s->counter_ips_blocked); } else if (unlikely(p->flags & PKT_STREAM_MODIFIED)) { StatsIncr(tv, s->counter_ips_replaced); } else { StatsIncr(tv, s->counter_ips_accepted); } }
int RejectSendIPv4TCP(ThreadVars *tv, Packet *p, void *data) { if (PACKET_TEST_ACTION(p, ACTION_REJECT)) { return RejectSendLibnet11L3IPv4TCP(tv, p, data, REJECT_DIR_SRC); } else if (PACKET_TEST_ACTION(p, ACTION_REJECT_DST)) { return RejectSendLibnet11L3IPv4TCP(tv, p, data, REJECT_DIR_DST); } else if(PACKET_TEST_ACTION(p, ACTION_REJECT_BOTH)) { if (RejectSendLibnet11L3IPv4TCP(tv, p, data, REJECT_DIR_SRC) == 0 && RejectSendLibnet11L3IPv4TCP(tv, p, data, REJECT_DIR_DST) == 0) { return 0; } else { return 1; } } return 0; }
/** * \brief Check if we need to drop-log this packet * * \param tv Pointer the current thread variables * \param p Pointer the packet which is tested * * \retval bool TRUE or FALSE */ static int LogDropCondition(ThreadVars *tv, const Packet *p) { if (!EngineModeIsIPS()) { SCLogDebug("engine is not running in inline mode, so returning"); return FALSE; } if (PKT_IS_PSEUDOPKT(p)) { SCLogDebug("drop log doesn't log pseudo packets"); return FALSE; } if (p->flow != NULL) { int ret = FALSE; FLOWLOCK_RDLOCK(p->flow); if (p->flow->flags & FLOW_ACTION_DROP) { if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED)) ret = TRUE; else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED)) ret = TRUE; } FLOWLOCK_UNLOCK(p->flow); return ret; } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) { return TRUE; } return FALSE; }
/** * \brief Check if we need to drop-log this packet * * \param tv Pointer the current thread variables * \param p Pointer the packet which is tested * * \retval bool TRUE or FALSE */ static int JsonDropLogCondition(ThreadVars *tv, const Packet *p) { if (!EngineModeIsIPS()) { SCLogDebug("engine is not running in inline mode, so returning"); return FALSE; } if (PKT_IS_PSEUDOPKT(p)) { SCLogDebug("drop log doesn't log pseudo packets"); return FALSE; } if (g_droplog_flows_start && p->flow != NULL) { int ret = FALSE; /* for a flow that will be dropped fully, log just once per direction */ if (p->flow->flags & FLOW_ACTION_DROP) { if (PKT_IS_TOSERVER(p) && !(p->flow->flags & FLOW_TOSERVER_DROP_LOGGED)) ret = TRUE; else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED)) ret = TRUE; } /* if drop is caused by signature, log anyway */ if (p->alerts.drop.action != 0) ret = TRUE; return ret; } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) { return TRUE; } return FALSE; }
TmEcode RespondRejectFunc(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq) { int ret = 0; /* ACTION_REJECT defaults to rejecting the SRC */ if (!(PACKET_TEST_ACTION(p, ACTION_REJECT)) && !(PACKET_TEST_ACTION(p, ACTION_REJECT_DST)) && !(PACKET_TEST_ACTION(p, ACTION_REJECT_BOTH))) { return TM_ECODE_OK; } if (PKT_IS_IPV4(p)) { if (PKT_IS_TCP(p)) { ret = RejectSendIPv4TCP(tv, p, data); } else if(PKT_IS_UDP(p)) { ret = RejectSendIPv4ICMP(tv, p, data); } else { return TM_ECODE_OK; } } else if (PKT_IS_IPV6(p)) { if (PKT_IS_TCP(p)) { ret = RejectSendIPv6TCP(tv, p, data); } else if(PKT_IS_UDP(p)){ ret = RejectSendIPv6ICMP(tv, p, data); } else { return TM_ECODE_OK; } } else { /* we're only supporting IPv4 and IPv6 */ return TM_ECODE_OK; } if (ret) return TM_ECODE_FAILED; else return TM_ECODE_OK; }
void AlertJsonHeader(const Packet *p, const PacketAlert *pa, json_t *js) { char *action = "allowed"; /* use packet action if rate_filter modified the action */ if (unlikely(pa->flags & PACKET_ALERT_RATE_FILTER_MODIFIED)) { if (PACKET_TEST_ACTION(p, (ACTION_DROP|ACTION_REJECT| ACTION_REJECT_DST|ACTION_REJECT_BOTH))) { action = "blocked"; } } else { if (pa->action & (ACTION_REJECT|ACTION_REJECT_DST|ACTION_REJECT_BOTH)) { action = "blocked"; } else if ((pa->action & ACTION_DROP) && EngineModeIsIPS()) { action = "blocked"; } } /* Add tx_id to root element for correlation with other events. */ json_object_del(js, "tx_id"); if (pa->flags & PACKET_ALERT_FLAG_TX) json_object_set_new(js, "tx_id", json_integer(pa->tx_id)); json_t *ajs = json_object(); if (ajs == NULL) { json_decref(js); return; } json_object_set_new(ajs, "action", json_string(action)); json_object_set_new(ajs, "gid", json_integer(pa->s->gid)); json_object_set_new(ajs, "signature_id", json_integer(pa->s->id)); json_object_set_new(ajs, "rev", json_integer(pa->s->rev)); json_object_set_new(ajs, "signature", json_string((pa->s->msg) ? pa->s->msg : "")); json_object_set_new(ajs, "category", json_string((pa->s->class_msg) ? pa->s->class_msg : "")); json_object_set_new(ajs, "severity", json_integer(pa->s->prio)); if (p->tenant_id > 0) json_object_set_new(ajs, "tenant_id", json_integer(p->tenant_id)); /* alert */ json_object_set_new(js, "alert", ajs); }
/** * \brief NFQ verdict function */ TmEcode NFQSetVerdict(Packet *p) { int iter = 0; int ret = 0; uint32_t verdict = NF_ACCEPT; /* we could also have a direct pointer but we need to have a ref counf in this case */ NFQQueueVars *t = g_nfq_q + p->nfq_v.nfq_index; /** \todo add a test on validity of the entry NFQQueueVars could have been * wipeout */ p->nfq_v.verdicted = 1; /* can't verdict a "fake" packet */ if (PKT_IS_PSEUDOPKT(p)) { return TM_ECODE_OK; } //printf("%p verdicting on queue %" PRIu32 "\n", t, t->queue_num); NFQMutexLock(t); if (t->qh == NULL) { /* Somebody has started a clean-up, we leave */ NFQMutexUnlock(t); return TM_ECODE_OK; } if (PACKET_TEST_ACTION(p, ACTION_DROP)) { verdict = NF_DROP; #ifdef COUNTERS t->dropped++; #endif /* COUNTERS */ } else { switch (nfq_config.mode) { default: case NFQ_ACCEPT_MODE: verdict = NF_ACCEPT; break; case NFQ_REPEAT_MODE: verdict = NF_REPEAT; break; case NFQ_ROUTE_MODE: verdict = ((uint32_t) NF_QUEUE) | nfq_config.next_queue; break; } if (p->flags & PKT_STREAM_MODIFIED) { #ifdef COUNTERS t->replaced++; #endif /* COUNTERS */ } #ifdef COUNTERS t->accepted++; #endif /* COUNTERS */ } ret = NFQVerdictCacheAdd(t, p, verdict); if (ret == 0) { NFQMutexUnlock(t); return TM_ECODE_OK; } do { switch (nfq_config.mode) { default: case NFQ_ACCEPT_MODE: case NFQ_ROUTE_MODE: if (p->flags & PKT_MARK_MODIFIED) { #ifdef HAVE_NFQ_SET_VERDICT2 if (p->flags & PKT_STREAM_MODIFIED) { ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict, p->nfq_v.mark, GET_PKT_LEN(p), GET_PKT_DATA(p)); } else { ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict, p->nfq_v.mark, 0, NULL); } #else /* fall back to old function */ if (p->flags & PKT_STREAM_MODIFIED) { ret = nfq_set_verdict_mark(t->qh, p->nfq_v.id, verdict, htonl(p->nfq_v.mark), GET_PKT_LEN(p), GET_PKT_DATA(p)); } else { ret = nfq_set_verdict_mark(t->qh, p->nfq_v.id, verdict, htonl(p->nfq_v.mark), 0, NULL); } #endif /* HAVE_NFQ_SET_VERDICT2 */ } else { if (p->flags & PKT_STREAM_MODIFIED) { ret = nfq_set_verdict(t->qh, p->nfq_v.id, verdict, GET_PKT_LEN(p), GET_PKT_DATA(p)); } else { ret = nfq_set_verdict(t->qh, p->nfq_v.id, verdict, 0, NULL); } } break; case NFQ_REPEAT_MODE: #ifdef HAVE_NFQ_SET_VERDICT2 if (p->flags & PKT_STREAM_MODIFIED) { ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict, (nfq_config.mark & nfq_config.mask) | (p->nfq_v.mark & ~nfq_config.mask), GET_PKT_LEN(p), GET_PKT_DATA(p)); } else { ret = nfq_set_verdict2(t->qh, p->nfq_v.id, verdict, (nfq_config.mark & nfq_config.mask) | (p->nfq_v.mark & ~nfq_config.mask), 0, NULL); } #else /* fall back to old function */ if (p->flags & PKT_STREAM_MODIFIED) { ret = nfq_set_verdict_mark(t->qh, p->nfq_v.id, verdict, htonl((nfq_config.mark & nfq_config.mask) | (p->nfq_v.mark & ~nfq_config.mask)), GET_PKT_LEN(p), GET_PKT_DATA(p)); } else { ret = nfq_set_verdict_mark(t->qh, p->nfq_v.id, verdict, htonl((nfq_config.mark & nfq_config.mask) | (p->nfq_v.mark & ~nfq_config.mask)), 0, NULL); } #endif /* HAVE_NFQ_SET_VERDICT2 */ break; } } while ((ret < 0) && (iter++ < NFQ_VERDICT_RETRY_TIME)); NFQMutexUnlock(t); if (ret < 0) { SCLogWarning(SC_ERR_NFQ_SET_VERDICT, "nfq_set_verdict of %p failed %" PRId32 ": %s", p, ret, strerror(errno)); return TM_ECODE_FAILED; } return TM_ECODE_OK; }
/** \brief test if the action is drop then packet should be logged */ int LogDropLogTest01() { int result = 0; EngineModeSetIPS(); uint8_t *buf = (uint8_t *) "GET /one/ HTTP/1.1\r\n" "Host: one.example.org\r\n"; uint16_t buflen = strlen((char *)buf); Packet *p = NULL; ThreadVars th_v; DetectEngineThreadCtx *det_ctx; LogDropLogThread dlt; LogFileCtx *logfile_ctx = LogFileNewCtx(); if (logfile_ctx == NULL) { printf("Could not create new LogFileCtx\n"); return 0; } memset (&dlt, 0, sizeof(LogDropLogThread)); dlt.file_ctx = logfile_ctx; dlt.file_ctx->fp = stdout; memset(&th_v, 0, sizeof(th_v)); p = UTHBuildPacket(buf, buflen, IPPROTO_TCP); DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { return result; } de_ctx->flags |= DE_QUIET; FILE *fd = SCClassConfGenerateValidDummyClassConfigFD01(); SCClassConfLoadClassficationConfigFile(de_ctx, fd); de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any any " "(msg:\"LogDropLog test\"; content:\"GET\"; Classtype:unknown; sid:1;)"); SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); SigMatchSignatures(&th_v, de_ctx, det_ctx, p); if (p->alerts.cnt == 1 && (PACKET_TEST_ACTION(p, ACTION_DROP))) result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0); if (LogDropCondition(NULL, p) == TRUE) LogDropLogger(NULL, &dlt, p); if (dlt.drop_cnt == 0) { printf("Packet should be logged but its not\n"); result = 0; } SigGroupCleanup(de_ctx); SigCleanSignatures(de_ctx); DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); DetectEngineCtxFree(de_ctx); UTHFreePackets(&p, 1); EngineModeSetIDS(); return result; }
/** * \brief This function sets the Verdict and processes the packet * * * \param tv pointer to ThreadVars * \param p pointer to the Packet */ TmEcode IPFWSetVerdict(ThreadVars *tv, IPFWThreadVars *ptv, Packet *p) { uint32_t verdict; struct pollfd IPFWpoll; IPFWQueueVars *nq = NULL; SCEnter(); if (p == NULL) { SCLogWarning(SC_ERR_INVALID_ARGUMENT, "Packet is NULL"); SCReturnInt(TM_ECODE_FAILED); } nq = IPFWGetQueue(p->ipfw_v.ipfw_index); if (nq == NULL) { SCLogWarning(SC_ERR_INVALID_ARGUMENT, "No thread found"); SCReturnInt(TM_ECODE_FAILED); } IPFWpoll.fd = nq->fd; IPFWpoll.events = POLLWRNORM; if (PACKET_TEST_ACTION(p, ACTION_DROP)) { verdict = IPFW_DROP; } else { verdict = IPFW_ACCEPT; } if (verdict == IPFW_ACCEPT) { SCLogDebug("IPFW Verdict is to Accept"); ptv->accepted++; /* For divert sockets, accepting means writing the * packet back to the socket for ipfw to pick up */ SCLogDebug("IPFWSetVerdict writing to socket %d, %p, %u", nq->fd, GET_PKT_DATA(p),GET_PKT_LEN(p)); #if 0 while ((poll(&IPFWpoll,1,IPFW_SOCKET_POLL_MSEC)) < 1) { /* Did we receive a signal to shutdown */ if (TmThreadsCheckFlag(tv, THV_KILL) || TmThreadsCheckFlag(tv, THV_PAUSE)) { SCLogInfo("Received ThreadShutdown: IPFW divert socket writing interrupted"); SCReturnInt(TM_ECODE_OK); } } #endif IPFWMutexLock(nq); if (sendto(nq->fd, GET_PKT_DATA(p), GET_PKT_LEN(p), 0,(struct sockaddr *)&nq->ipfw_sin, nq->ipfw_sinlen) == -1) { int r = errno; switch (r) { default: SCLogWarning(SC_WARN_IPFW_XMIT,"Write to ipfw divert socket failed: %s",strerror(r)); IPFWMutexUnlock(nq); SCReturnInt(TM_ECODE_FAILED); case EHOSTDOWN: case ENETDOWN: break; } } IPFWMutexUnlock(nq); SCLogDebug("Sent Packet back into IPFW Len: %d",GET_PKT_LEN(p)); } /* end IPFW_ACCEPT */ if (verdict == IPFW_DROP) { SCLogDebug("IPFW SetVerdict is to DROP"); ptv->dropped++; /** \todo For divert sockets, dropping means not writing the packet back to the socket. * Need to see if there is some better way to free the packet from the queue */ } /* end IPFW_DROP */ SCReturnInt(TM_ECODE_OK); }
/** * \test drops */ static int DetectDetectionFilterTestSig3(void) { Packet *p = NULL; Signature *s = NULL; ThreadVars th_v; DetectEngineThreadCtx *det_ctx; int result = 0; int alerts = 0; int drops = 0; struct timeval ts; HostInitConfig(HOST_QUIET); memset (&ts, 0, sizeof(struct timeval)); TimeGet(&ts); memset(&th_v, 0, sizeof(th_v)); p = UTHBuildPacketReal(NULL, 0, IPPROTO_TCP, "1.1.1.1", "2.2.2.2", 1024, 80); DetectEngineCtx *de_ctx = DetectEngineCtxInit(); if (de_ctx == NULL) { goto end; } de_ctx->flags |= DE_QUIET; s = de_ctx->sig_list = SigInit(de_ctx,"drop tcp any any -> any 80 (msg:\"detection_filter Test 2\"; detection_filter: track by_dst, count 2, seconds 60; sid:10;)"); if (s == NULL) { goto end; } SigGroupBuild(de_ctx); DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx); TimeGet(&p->ts); SigMatchSignatures(&th_v, de_ctx, det_ctx, p); alerts = PacketAlertCheck(p, 10); drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0); p->action = 0; SigMatchSignatures(&th_v, de_ctx, det_ctx, p); alerts += PacketAlertCheck(p, 10); drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0); p->action = 0; SigMatchSignatures(&th_v, de_ctx, det_ctx, p); alerts += PacketAlertCheck(p, 10); drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0); p->action = 0; TimeSetIncrementTime(200); TimeGet(&p->ts); SigMatchSignatures(&th_v, de_ctx, det_ctx, p); alerts += PacketAlertCheck(p, 10); drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0); p->action = 0; SigMatchSignatures(&th_v, de_ctx, det_ctx, p); alerts += PacketAlertCheck(p, 10); drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0); p->action = 0; SigMatchSignatures(&th_v, de_ctx, det_ctx, p); alerts += PacketAlertCheck(p, 10); drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0); p->action = 0; SigMatchSignatures(&th_v, de_ctx, det_ctx, p); alerts += PacketAlertCheck(p, 10); drops += ((PACKET_TEST_ACTION(p, ACTION_DROP))?1:0); p->action = 0; if (alerts == 3 && drops == 3) result = 1; else { if (alerts != 3) printf("alerts: %d != 3: ", alerts); if (drops != 3) printf("drops: %d != 3: ", drops); } SigGroupCleanup(de_ctx); SigCleanSignatures(de_ctx); DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx); DetectEngineCtxFree(de_ctx); end: UTHFreePackets(&p, 1); HostShutdown(); return result; }
/** * \brief Log the dropped packets in netfilter format when engine is running * in inline mode * * \param tv Pointer the current thread variables * \param p Pointer the packet which is being logged * \param data Pointer to the droplog struct * \param pq Pointer the packet queue * \param postpq Pointer the packet queue where this packet will be sent * * \return return TM_EODE_OK on success */ TmEcode LogDropLogNetFilter (ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq) { LogDropLogThread *dlt = (LogDropLogThread *)data; uint16_t proto = 0; char timebuf[64]; if (!(PACKET_TEST_ACTION(p, ACTION_DROP)) || PKT_IS_PSEUDOPKT(p)) { return TM_ECODE_OK; } CreateTimeString(&p->ts, timebuf, sizeof(timebuf)); SCMutexLock(&dlt->file_ctx->fp_mutex); char srcip[46] = ""; char dstip[46] = ""; if (PKT_IS_IPV4(p)) { PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, 16); PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, 16); fprintf(dlt->file_ctx->fp, "%s: IN= OUT= SRC=%s DST=%s LEN=%"PRIu16" " "TOS=0x%02"PRIu8" TTL=%"PRIu8" ID=%"PRIu16"", timebuf, srcip, dstip, IPV4_GET_IPLEN(p), IPV4_GET_IPTOS(p), IPV4_GET_IPTTL(p), IPV4_GET_IPID(p)); proto = IPV4_GET_IPPROTO(p); } else if (PKT_IS_IPV6(p)) { PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip)); PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip)); fprintf(dlt->file_ctx->fp, "%s: IN= OUT= SRC=%s DST=%s LEN=%"PRIu16"" " TC=%"PRIu32" HOPLIMIT=%"PRIu8" FLOWLBL=%"PRIu32"", timebuf, srcip, dstip, IPV6_GET_PLEN(p), IPV6_GET_CLASS(p), IPV6_GET_HLIM(p), IPV6_GET_FLOW(p)); proto = IPV6_GET_L4PROTO(p); } if (SCProtoNameValid(proto) == TRUE) { fprintf(dlt->file_ctx->fp, " PROTO=%s",known_proto[proto]); } else { fprintf(dlt->file_ctx->fp, " PROTO=%03"PRIu16"",proto); } switch (proto) { case IPPROTO_TCP: fprintf(dlt->file_ctx->fp, " SPT=%"PRIu16" DPT=%"PRIu16" " "SEQ=%"PRIu32" ACK=%"PRIu32" WINDOW=%"PRIu32"", GET_TCP_SRC_PORT(p), GET_TCP_DST_PORT(p), TCP_GET_SEQ(p), TCP_GET_ACK(p), TCP_GET_WINDOW(p)); fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_SYN(p) ? " SYN" : ""); fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_ACK(p) ? " ACK" : ""); fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_PUSH(p) ? " PSH" : ""); fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_RST(p) ? " RST" : ""); fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_URG(p) ? " URG" : ""); fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_FIN(p) ? " FIN" : ""); fprintf(dlt->file_ctx->fp, " RES=0x%02"PRIu8" URGP=%"PRIu16"", TCP_GET_RAW_X2(p->tcph), TCP_GET_URG_POINTER(p)); break; case IPPROTO_UDP: fprintf(dlt->file_ctx->fp, " SPT=%"PRIu16" DPT=%"PRIu16"" " LEN=%"PRIu16"", UDP_GET_SRC_PORT(p), UDP_GET_DST_PORT(p), UDP_GET_LEN(p)); break; case IPPROTO_ICMP: if (PKT_IS_ICMPV4(p)) { fprintf(dlt->file_ctx->fp, " TYPE=%"PRIu16" CODE=%"PRIu16"" " ID=%"PRIu16" SEQ=%"PRIu16"", ICMPV4_GET_TYPE(p), ICMPV4_GET_CODE(p), ICMPV4_GET_ID(p), ICMPV4_GET_SEQ(p)); } else if(PKT_IS_ICMPV6(p)) { fprintf(dlt->file_ctx->fp, " TYPE=%"PRIu16" CODE=%"PRIu16"" " ID=%"PRIu16" SEQ=%"PRIu16"", ICMPV6_GET_TYPE(p), ICMPV6_GET_CODE(p), ICMPV6_GET_ID(p), ICMPV6_GET_SEQ(p)); } break; default: fprintf(dlt->file_ctx->fp," Unknown protocol"); } fprintf(dlt->file_ctx->fp,"\n"); fflush(dlt->file_ctx->fp); dlt->drop_cnt++; SCMutexUnlock(&dlt->file_ctx->fp_mutex); return TM_ECODE_OK; }
/** * \brief Create event impact description (see section * 4.2.6.1 of RFC 4765). * The impact contains the severity, completion (succeeded or failed) * and basic classification of the attack type. * Here, we don't set the completion since we don't know it (default * is unknown). * * \return 0 if ok */ static int EventToImpact(const PacketAlert *pa, const Packet *p, idmef_alert_t *alert) { int ret; prelude_string_t *str; idmef_impact_t *impact; idmef_assessment_t *assessment; idmef_impact_severity_t severity; SCEnter(); ret = idmef_alert_new_assessment(alert, &assessment); if (unlikely(ret < 0)) { SCLogDebug("%s: error creating assessment: %s.", prelude_strsource(ret), prelude_strerror(ret)); SCReturnInt(ret); } ret = idmef_assessment_new_impact(assessment, &impact); if (unlikely(ret < 0)) { SCLogDebug("%s: error creating assessment impact: %s.", prelude_strsource(ret), prelude_strerror(ret)); SCReturnInt(ret); } if ( (unsigned int)pa->s->prio < mid_priority ) severity = IDMEF_IMPACT_SEVERITY_HIGH; else if ( (unsigned int)pa->s->prio < low_priority ) severity = IDMEF_IMPACT_SEVERITY_MEDIUM; else if ( (unsigned int)pa->s->prio < info_priority ) severity = IDMEF_IMPACT_SEVERITY_LOW; else severity = IDMEF_IMPACT_SEVERITY_INFO; idmef_impact_set_severity(impact, severity); if (PACKET_TEST_ACTION(p, ACTION_DROP) || PACKET_TEST_ACTION(p, ACTION_REJECT) || PACKET_TEST_ACTION(p, ACTION_REJECT_DST) || PACKET_TEST_ACTION(p, ACTION_REJECT_BOTH) ) { idmef_action_t *action; ret = idmef_action_new(&action); if (unlikely(ret < 0)) SCReturnInt(ret); idmef_action_set_category(action, IDMEF_ACTION_CATEGORY_BLOCK_INSTALLED); idmef_assessment_set_action(assessment, action, 0); } if (pa->s->class_msg) { ret = idmef_impact_new_description(impact, &str); if (unlikely(ret < 0)) SCReturnInt(ret); prelude_string_set_ref(str, pa->s->class_msg); } SCReturnInt(0); }