📄 log.c
字号:
break;
default:
break;
}
}
/* dump the application layer data */
if (pv.data_flag && !pv.verbose_bytedump_flag)
{
if (pv.char_data_flag)
PrintCharData(fp, p->data, p->dsize);
else
PrintNetData(fp, p->data, p->dsize);
}
else if(pv.verbose_bytedump_flag)
{
PrintNetData(fp, p->pkt, p->pkth->caplen);
}
fprintf(fp, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n\n");
}
/***************************************************************************
* Function: OpenAlertSock
* Purpose: Connect to linux socket for alert logging..
* Arguments: none..
*
**************************************************************************/
void OpenAlertSock()
{
char *srv=UNSOCK_FILE;
if (access(srv,W_OK))
ErrorMessage("WARNING: %s file doesn't exist or isn't writable!\n",srv);
bzero((char *)&alertaddr,sizeof(alertaddr));
bcopy((const void *)srv,(void *)alertaddr.sun_path,strlen(srv)); /* we trust what we define */
alertaddr.sun_family=AF_UNIX;
if ((alertsd=socket(AF_UNIX,SOCK_DGRAM,0))<0)
{
FatalError("socket() call failed: %s", strerror(errno));
}
}
/****************************************************************************
*
* Function: OpenAlertFile(char *)
*
* Purpose: Set up the file pointer/file for alerting
*
* Arguments: filearg => the filename to open
*
* Returns: file handle
*
***************************************************************************/
FILE *OpenAlertFile(char *filearg)
{
char filename[STD_BUF];
FILE *file;
if(filearg == NULL)
{
if(!pv.daemon_flag)
{
sprintf(filename, "%s/alert", pv.log_dir);
}
else
{
sprintf(filename, "%s/%s", pv.log_dir, DEFAULT_DAEMON_ALERT_FILE);
}
}
else
{
strncpy(filename, filearg, STD_BUF-1);
}
#ifdef DEBUG
printf("Opening alert file: %s\n", filename);
#endif
if ((file = fopen(filename, "a")) == NULL)
{
FatalError("ERROR in OpenAlertFile() => fopen() alert file: %s\n",
strerror(errno));
}
setvbuf(file,(char *)NULL,_IOLBF,(size_t)0);
return file;
}
/****************************************************************************
*
* Function: ClearDumpBuf()
*
* Purpose: Clear out the buffer that PrintNetData() generates
*
* Arguments: None.
*
* Returns: void function
*
***************************************************************************/
void ClearDumpBuf()
{
if (data_dump_buffer != NULL && dump_ready)
free(data_dump_buffer);
data_dump_buffer = NULL;
dump_ready = 0;
}
void FullAlert(Packet *p, char *msg, void *arg)
{
AlertFull(p, msg, alert);
return;
}
/****************************************************************************
*
* Function: FullAlert(char *)
*
* Purpose: Write a full and informative alert message
*
* Arguments: p => packet. (could be NULL)
* msg => the message to send
*
* Returns: void function
*
***************************************************************************/
void AlertFull(Packet *p, char *msg, FILE *file)
{
char timestamp[23];
if (msg != NULL)
{
fwrite("[**] ", 5, 1, file);
fwrite(msg, strlen(msg), 1, file);
fwrite(" [**]\n", 6, 1, file);
}
else
{
fwrite("[**] Snort Alert! [**]", 22, 1, file);
}
#ifdef DEBUG
printf("Logging Alert data!\n");
#endif
bzero((char *)timestamp, 23);
ts_print((struct timeval*)(p==NULL?NULL:&p->pkth->ts), timestamp);
/* dump the timestamp */
fwrite(timestamp, 22, 1, file);
if (p)
{
/* print the packet header to the alert file */
if (pv.show2hdr_flag)
{
Print2ndHeader(file, p);
}
PrintIPHeader(file, p);
/*if this isn't a fragment, print the other header info */
if (!p->frag_flag)
{
switch (p->iph->ip_proto)
{
case IPPROTO_TCP:
PrintTCPHeader(file, p);
break;
case IPPROTO_UDP:
PrintUDPHeader(file, p);
break;
case IPPROTO_ICMP:
PrintICMPHeader(file, p);
break;
default: break;
}
}
} /* End of if(p) */
fputc('\n', file);
return;
}
void FastAlert(Packet *p, char *msg, void *arg)
{
AlertFast(p, msg, alert);
return;
}
/****************************************************************************
*
* Function: FastAlert(Packet *, char *)
*
* Purpose: Write a minimal alert message to the alert file
*
* Arguments: p => pointer to the packet data struct (could be NULL)
* msg => the message to print in the alert
*
* Returns: void function
*
***************************************************************************/
void AlertFast(Packet *p, char *msg, FILE *file)
{
char timestamp[23];
bzero((char *)timestamp, 23);
ts_print((struct timeval*)(p==NULL?NULL:&p->pkth->ts), timestamp);
/* dump the timestamp */
fwrite(timestamp, 22, 1, file);
if (msg != NULL)
{
fwrite(" [**] ", 6, 1, file);
fwrite(msg, strlen(msg), 1, file);
fwrite(" [**] ", 6, 1, file);
}
/* print the packet header to the alert file */
if (p)
{
if (p->frag_flag)
{
/* just print the straight IP header */
fputs(inet_ntoa(p->iph->ip_src), file);
fwrite(" -> ", 4, 1, file);
fputs(inet_ntoa(p->iph->ip_dst), file);
}
else
{
switch (p->iph->ip_proto)
{
case IPPROTO_UDP:
case IPPROTO_TCP:
/* print the header complete with port information */
fputs(inet_ntoa(p->iph->ip_src), file);
fprintf(file, ":%d -> ", p->sp);
fputs(inet_ntoa(p->iph->ip_dst), file);
fprintf(file, ":%d", p->dp);
break;
case IPPROTO_ICMP:
default:
/* just print the straight IP header */
fputs(inet_ntoa(p->iph->ip_src), file);
fwrite(" -> ", 4, 1, file);
fputs(inet_ntoa(p->iph->ip_dst), file);
}
}
} /* end of if (p) */
fputc('\n', file);
return;
}
/****************************************************************************
*
* Function: SyslogAlert(Packet *, char *)
*
* Purpose: Send the current alert to syslog
*
* Arguments: p => pointer to the packet data struct
* msg => the message to print in the alert
*
* Returns: void function
*
***************************************************************************/
void SyslogAlert(Packet *p, char *msg, void *arg)
{
char sip[16];
char dip[16];
/* have to do this since inet_ntoa is fucked up and writes to
a static memory location */
if (p)
{
strncpy(sip, inet_ntoa(p->iph->ip_src), 16);
strncpy(dip, inet_ntoa(p->iph->ip_dst), 16);
if ((p->iph->ip_proto != IPPROTO_TCP &&
p->iph->ip_proto != IPPROTO_UDP) || p->frag_flag)
{
if (msg != NULL)
{
/* ICMP packets don't get port info... */
syslog(LOG_AUTHPRIV|LOG_ALERT, "%s: %s -> %s", msg,
sip, dip);
}
else
{
/* ICMP packets don't get port info... */
syslog(LOG_AUTHPRIV|LOG_ALERT, "ALERT: %s -> %s",
sip, dip);
}
}
else
{
if (msg != NULL)
{
syslog(LOG_AUTHPRIV|LOG_ALERT, "%s: %s:%i -> %s:%i", msg,
sip, p->sp, dip, p->dp);
}
else
{
syslog(LOG_AUTHPRIV|LOG_ALERT, "ALERT: %s:%i -> %s:%i",
sip, p->sp, dip, p->dp);
}
}
}
else /* p == NULL */
syslog(LOG_AUTHPRIV|LOG_ALERT,"%s",msg==NULL?"ALERT!":msg);
return;
}
/****************************************************************************
*
* Function: SmbAlert(Packet *, char *)
*
* Purpose: Send the current alert to a waiting WinPopup client
*
* Arguments: p => pointer to the packet data struct
* msg => the message to print in the alert
*
* Returns: void function
*
***************************************************************************/
#ifdef ENABLE_SMB_ALERTS
void SmbAlert(Packet *p, char *msg, void *args)
{
char command_line[2048];
FILE *output;
FILE *workstations;
char *tempmsg;
char workfile[STD_BUF];
char tempwork[STD_BUF];
char timestamp[23];
int msg_str_size;
int str_size;
bzero((char *)timestamp, 23);
ts_print((struct timeval *)(p==NULL?NULL:&p->pkth->ts), timestamp);
#ifdef DEBUG
printf("Generating SMB alert!\n");
#endif
/* set the workstation name filename */
sprintf(workfile, "%s", pv.smbmsg_dir);
/* message size + IP addrs + ports + pad space */
msg_str_size = strlen(msg) + 32 + 10 + 150;
if((tempmsg = (char *) calloc(msg_str_size, sizeof(char))) == NULL)
{
FatalError("[!] ERROR: SmbAlert() unable to allocate space for tempmsg: %s\n", strerror(errno));
}
/* open the message file and the workstation names file */
if((workstations = fopen(workfile,"r")) != NULL)
{
/* clear the read buffers */
bzero((char *)workfile, STD_BUF);
if(p != NULL)
{
if(p->frag_flag || (p->iph->ip_proto != IPPROTO_TCP
&& p->iph->ip_proto != IPPROTO_UDP))
{
/* write the alert message into the buffer */
sprintf(tempmsg, "SNORT ALERT - Possible Network Attack or Probe:\n [**] %s [**]\n%s %s->", msg, timestamp, inet_ntoa(p->iph->ip_src));
str_size = strlen(tempmsg);
sprintf(tempmsg+str_size, "%s", inet_ntoa(p->iph->ip_dst));
}
else
{
/* write the alert message into the buffer */
sprintf(tempmsg, "SNORT ALERT - Possible Network Attack or Probe:\n [**] %s [**]\n%s:%d -> ", msg, timestamp, inet_ntoa(p->iph->ip_src), p->sp);
str_size = strlen(tempmsg);
sprintf(tempmsg+str_size, "%s:%d", inet_ntoa(p->iph->ip_dst), p->dp);
}
}
else
{
/* write the alert message into the buffer - this part is for alerts with NULL packets (like portscans)*/
sprintf(tempmsg, "SNORT ALERT - Possible Network Attack or Probe:\n [**] %s [**]\n", msg);
}
bzero((char *)tempwork, STD_BUF);
bzero((char *)command_line, 2048);
/* read in the name of each workstation to send the message to */
while ((fgets(tempwork, STD_BUF-1, workstations)) != NULL)
{
/* if the line isn't blank */
if (tempwork[0] != 0x0A)
{
/* chop the <CR> */
strip(tempwork);
if(strlen(tempmsg) + strlen(tempwork) + 50 < 2048)
{
/* build the command line */
sprintf(command_line, "echo \"%s\" | smbclient -U Snort -M %s", tempmsg, tempwork);
/* run the command */
output = popen(command_line,"r");
pclose(output);
}
else
{
ErrorMessage("[!] WARNING: Unable to send alert to %s, command buffer size exceeded!\n", tempwork);
}
#ifdef DEBUG
printf("Sending WinPopup alert to: %s\n", tempwork);
printf("Command Line: %s\n", command_line);
#endif
bzero((char *)tempwork, STD_BUF);
bzero((char *)command_line, 2048);
}
}
fclose(workstations);
}
free(tempmsg);
}
#endif
/****************************************************************************
*
* Function: UnixSockAlert(char *)
*
* Purpose: pack all the alert,related data into struct and send it
* out to monitoring program. (note if no monitoring program is running
* alert will very likely be lost.
*
* Arguments: msg => the message to send (do we still need it?)
*
* Returns: void function
*
***************************************************************************/
void UnixSockAlert(Packet *p, char *msg, void *arg)
{
static Alertpkt alertpkt;
#ifdef DEBUG
printf("Logging Alert data!\n");
#endif
bzero((char *)&alertpkt,sizeof(alertpkt));
if (p)
{
bcopy((const void *)p->pkth,(void *)&alertpkt.pkth,sizeof(struct pcap_pkthdr));
bcopy((const void *)p->pkt,alertpkt.pkt,
alertpkt.pkth.caplen > SNAPLEN? SNAPLEN : alertpkt.pkth.caplen);
}
else
alertpkt.val|=NOPACKET_STRUCT;
bcopy((const void *)msg,(void *)alertpkt.alertmsg,strlen(msg) > 255 ? 256: strlen(msg)+1);
/* some data which will help monitoring utility to dissect packet */
if (!(alertpkt.val & NOPACKET_STRUCT))
{
alertpkt.dlthdr=(char *)p->eh-(char *)p->pkt;
/* we don't log any headers besides eth yet */
alertpkt.nethdr=(char *)p->iph-(char *)p->pkt;
switch (p->iph->ip_proto)
{
case IPPROTO_TCP:
alertpkt.transhdr=(char *)p->tcph-(char *)p->pkt;
break;
case IPPROTO_UDP:
alertpkt.transhdr=(char *)p->udph-(char *)p->pkt;
break;
case IPPROTO_ICMP:
alertpkt.transhdr=(char *)p->icmph-(char *)p->pkt;
break;
default:
/* alertpkt.transhdr is null due to initial bzero */
alertpkt.val|=NO_TRANSHDR;
}
alertpkt.data=p->data - p->pkt;
}
if (sendto(alertsd,(const void *)&alertpkt,sizeof(Alertpkt),
0,(struct sockaddr *)&alertaddr,sizeof(alertaddr))==-1)
{
/* whatever we do to sign that some alerts could be missed */
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -