📄 spo_xml.c
字号:
void flush_data(XmlData *d)
{
if((d->host == NULL) && (!d->port) && (d->protocol != NULL))
fflush(d->fptr);
d->count = 0;
if(d->root) freetag(d->root);
if((d->host == NULL) && (!d->port) && (d->protocol == NULL))
d->root = NULL;
else
d->root = newtag("report");
}
void freetag(Tag * root)
{
int x;
for(x=0; x < root->tags ; x++)
{
#ifdef DEBUG
printf(XMLMOD": Freeing tag (%s) %p\n", root->tag[x]->name, root->tag[x]);
#endif
freetag(root->tag[x]);
}
free(root->name);
free(root->value);
free(root->tag);
for(x=0; x < root->opts ; x++)
{
#ifdef DEBUG
printf(XMLMOD": Freeing opt (%s) %p\n", root->opt[x]->name, root->opt[x]);
#endif
if(root->opt[x]->value) free(root->opt[x]->value);
if(root->opt[x]->name) free(root->opt[x]->name);
free(root->opt[x]);
}
free(root->opt);
free(root);
}
char *tag2string(char *buf, int size, Tag * ptr, int depth)
{
int x;
char *start;
start = buf;
buf[0] = '\n'; buf++;
for(x=0; x < (depth); x++)
{
buf[0] = ' '; buf++;
}
snprintf(buf, MAX_LEFT, "<%s", ptr->name);
buf += strlen(buf);
for(x=0; x < ptr->opts; x++)
{
if(ptr->opt[x]->value[0] == '\0')
snprintf(buf, MAX_LEFT, " %s=\"%d\"", ptr->opt[x]->name, 0);
else
snprintf(buf, MAX_LEFT, " %s=\"%s\"", ptr->opt[x]->name, ptr->opt[x]->value);
buf += strlen(buf);
}
if((ptr->value) || (ptr->tag))
{
strncpy(buf, ">", MAX_LEFT);
buf += strlen(buf);
if(ptr->tag)
for(x=0; x < ptr->tags; x++)
{
if(ptr->tag[x])
{
strncpy(buf, tag2string(buf, MAX_LEFT, ptr->tag[x], depth + INDENT), MAX_LEFT);
buf += strlen(buf);
}
}
if(ptr->value)
{
snprintf(buf, MAX_LEFT, "%s", ptr->value);
buf += strlen(buf);
}
if(ptr->tag)
{
buf[0] = '\n'; buf++;
for(x=0;x < (depth); x++)
{
buf[0] = ' '; buf++;
}
snprintf(buf, MAX_LEFT, "</%s>", ptr->name);
buf += strlen(buf);
}
else
snprintf(buf, MAX_LEFT, "</%s>", ptr->name);
buf += strlen(buf);
}
else
{
strncpy(buf, "/>", MAX_LEFT);
buf += strlen(buf);
}
return start;
}
Tag * addtag(Tag *parent, Tag *child)
{
if(!parent->tag)
{
parent->tag = (Tag **)malloc(sizeof(Tag*));
}
parent->tag = (Tag **)realloc(parent->tag, sizeof(Tag*) * (parent->tags + 1));
parent->tag[parent->tags] = child;
parent->tags++;
return parent;
}
Tag * newtag(char * name)
{
Tag * ptr;
ptr = (Tag *)malloc(sizeof(Tag));
ptr->name = (char *)malloc(strlen(name) + 1);
strncpy(ptr->name, name, strlen(name) + 1);
ptr->value = NULL;
ptr->tag = NULL;
ptr->opt = NULL;
ptr->tags = 0;
ptr->opts = 0;
return ptr;
}
Tag * addopt(Tag * tag, char * name, char * value)
{
if(!tag->opt)
{
tag->opt = (Attribute **)malloc(sizeof(Attribute *));
}
tag->opt = (Attribute **) realloc(tag->opt, sizeof(Attribute*) * (tag->opts + 1));
tag->opt[tag->opts] = (Attribute *)malloc(sizeof(Attribute));
tag->opt[tag->opts]->name = name;
tag->opt[tag->opts]->value = value;
tag->opts++;
return tag;
}
Tag * addvalue(Tag * tag, char * val)
{
if(tag->value)
{
free(tag->value);
}
if(val)
{
tag->value = val;
strcpy(tag->value, val);
}
return tag;
}
Tag *snml(XmlData *d, Packet *p, char *msg)
{
Tag *root, *sensor, *packet, *iphdr, *tmp, *option;
int i;
int sanitized_src;
int sanitized_dst;
sanitized_src = srcSanitized(d,p);
sanitized_dst = dstSanitized(d,p);
tmp = NULL;
root = newtag("event");
addopt(root, str2s("version"), str2s("1.0"));
sensor = newtag("sensor");
switch(d->encoding)
{
case ENCODING_HEX:
addopt(sensor, str2s("encoding"), str2s("hex")); break;
case ENCODING_BASE64:
addopt(sensor, str2s("encoding"), str2s("base64")); break;
case ENCODING_ASCII:
addopt(sensor, str2s("encoding"), str2s("ascii")); break;
}
switch(d->detail)
{
case DETAIL_FAST:
addopt(sensor, str2s("detail"), str2s("fast")); break;
case DETAIL_FULL:
addopt(sensor, str2s("detail"), str2s("full")); break;
}
if(pv.readmode_flag)
{
tmp = newtag("file");
addvalue(tmp, str2s(pv.readfile));
}
else
{
tmp = newtag("ipaddr");
addvalue(tmp, str2s(d->sensor_ip));
addopt(tmp, str2s("version"), int2s(4));
if(pv.interface)
{
addtag(sensor, addvalue(newtag("interface"), str2s(pv.interface)));
}
}
addtag(sensor, tmp);
addtag(sensor, addvalue(newtag("hostname"), str2s(d->sensor_hostname)));
if(pv.pcap_cmd) addtag(sensor, addvalue(newtag("filter"), str2s(pv.pcap_cmd)));
addtag(root, sensor);
addtag(root, addvalue(newtag("signature"), str2s(msg)));
if(p)
{
addtag(root, addvalue(newtag("timestamp"), GetTimestamp((time_t *)&p->pkth->ts.tv_sec, d->tz)));
packet = newtag("packet");
iphdr = newtag("iphdr");
if(p->iph->ip_proto == IPPROTO_ICMP)
{
tmp = newtag("icmphdr");
addopt(tmp, str2s("type"), int2s(p->icmph->type));
addopt(tmp, str2s("code"), int2s(p->icmph->code));
if(d->detail == DETAIL_FULL)
{
addopt(tmp, str2s("csum"), int2s(p->icmph->csum));
if(p->ext)
{
if(p->ext->id)
addopt(tmp, str2s("id"), int2s(ntohs(p->ext->id)));
if(p->ext->seqno)
addopt(tmp, str2s("seq"), int2s(ntohs(p->ext->seqno)));
}
}
}
else if(p->iph->ip_proto == IPPROTO_TCP)
{
tmp = newtag("tcphdr");
addopt(tmp, str2s("sport"), int2s(ntohs(p->tcph->th_sport)));
addopt(tmp, str2s("dport"), int2s(ntohs(p->tcph->th_dport)));
addopt(tmp, str2s("flags"), int2s(p->tcph->th_flags));
if(d->detail == DETAIL_FULL)
{
addopt(tmp, str2s("seq"), int2s(ntohl(p->tcph->th_seq)));
addopt(tmp, str2s("ack"), int2s(ntohl(p->tcph->th_ack)));
if(p->tcph->th_off) addopt(tmp, str2s("off"), int2s(p->tcph->th_off));
if(p->tcph->th_x2) addopt(tmp, str2s("res"), int2s(p->tcph->th_x2));
addopt(tmp, str2s("win"), int2s(ntohs(p->tcph->th_win)));
addopt(tmp, str2s("csum"), int2s(ntohs(p->tcph->th_sum)));
if(ntohs(p->tcph->th_urp)) addopt(tmp, str2s("urp"), int2s(ntohs(p->tcph->th_urp)));
for(i=0 ; i < (int)p->tcp_option_count; i++)
{
option = newtag("option");
addopt(option, str2s("code"), int2s(p->tcp_options[i].code));
if(p->tcp_options[i].len)
{
addopt(option, str2s("len"), int2s(p->tcp_options[i].len));
if((d->encoding == ENCODING_HEX) || (d->encoding == ENCODING_ASCII))
addvalue(option, hex(p->tcp_options[i].data, p->tcp_options[i].len));
else
addvalue(option, base64(p->tcp_options[i].data, p->tcp_options[i].len));
}
addtag(tmp, option);
}
}
}
else if(p->iph->ip_proto == IPPROTO_UDP)
{
tmp = newtag("udphdr");
addopt(tmp, str2s("sport"), int2s(ntohs(p->udph->uh_sport)));
addopt(tmp, str2s("dport"), int2s(ntohs(p->udph->uh_dport)));
if(d->detail == DETAIL_FULL)
{
addopt(tmp, str2s("len"), int2s(ntohs(p->udph->uh_len)));
addopt(tmp, str2s("csum"), int2s(ntohs(p->udph->uh_chk)));
}
}
if(d->detail == DETAIL_FULL)
{
if(!(sanitized_src || sanitized_dst))
{
if(p->dsize)
{
switch(d->encoding)
{
case ENCODING_ASCII:
addtag(tmp, addvalue(newtag("data"), ascii(p->data, p->dsize))); break;
case ENCODING_HEX:
addtag(tmp, addvalue(newtag("data"), hex(p->data, p->dsize))); break;
case ENCODING_BASE64:
addtag(tmp, addvalue(newtag("data"), base64(p->data, p->dsize))); break;
}
}
}
}
addtag(iphdr, tmp);
if(d->detail == DETAIL_FULL)
{
for(i=0 ; i < (int)p->ip_option_count; i++)
{
option = newtag("option");
addopt(option, str2s("code"), int2s(p->ip_options[i].code));
if(p->ip_options[i].len)
{
addopt(option, str2s("len"), int2s(p->ip_options[i].len));
if((d->encoding == ENCODING_HEX) || (d->encoding == ENCODING_ASCII))
addvalue(option, hex(p->ip_options[i].data, p->ip_options[i].len));
else
addvalue(option, base64(p->ip_options[i].data, p->ip_options[i].len));
}
addtag(iphdr, option);
}
}
if(sanitized_src)
addopt(iphdr, str2s("saddr"), str2s("xxx.xxx.xxx.xxx"));
else
addopt(iphdr, str2s("saddr"), str2s(inet_ntoa(p->iph->ip_src)));
if(sanitized_dst)
addopt(iphdr, str2s("daddr"), str2s("xxx.xxx.xxx.xxx"));
else
addopt(iphdr, str2s("daddr"), str2s(inet_ntoa(p->iph->ip_dst)));
if(p->iph->ip_proto) addopt(iphdr, str2s("proto"), int2s(p->iph->ip_proto));
if(d->detail == DETAIL_FULL)
{
if(p->iph->ip_ver) addopt(iphdr, str2s("ver"), int2s(p->iph->ip_ver));
if(p->iph->ip_hlen) addopt(iphdr, str2s("hlen"), int2s(p->iph->ip_hlen));
if(p->iph->ip_tos) addopt(iphdr, str2s("tos"), int2s(p->iph->ip_tos));
if(p->iph->ip_len) addopt(iphdr, str2s("len"), int2s(ntohs(p->iph->ip_len)));
if(p->iph->ip_id) addopt(iphdr, str2s("id"), int2s(ntohs(p->iph->ip_id)));
if(p->frag_flag) addopt(iphdr, str2s("flags"), int2s(p->frag_flag));
if(p->frag_offset) addopt(iphdr, str2s("off"), int2s(ntohs(p->frag_offset)));
if(p->iph->ip_ttl) addopt(iphdr, str2s("ttl"), int2s(p->iph->ip_ttl));
if(p->iph->ip_csum) addopt(iphdr, str2s("csum"), int2s(ntohs(p->iph->ip_csum)));
}
addtag(packet, iphdr);
addtag(root, packet);
}
else
{
addtag(root, addvalue(newtag("timestamp"), GetCurrentTimestamp()));
}
return root;
}
void XmlExit(int signal, void *arg)
{
XmlData *d = (XmlData *)arg;
#ifdef DEBUG
printf(XMLMOD":LogXmlExit\n");
#endif
send_data(d);
flush_data(d);
if((d->host == NULL) || (!d->port) || (d->protocol == NULL))
{
fprintf(d->fptr, "%s", SNORTML_FILE_END);
fclose(d->fptr);
}
#ifdef ENABLE_SSL
X509_free(d->issuer_cert);
free(d->collector_name);
if(d->ssl_trace > 0)
fclose (d->ssl_trace);
#ifdef ENABLE_SESSION_RESUME
SSL_CTX_free (d->ctx);
#endif
#endif
#ifdef ENABLE_SNORT_TIMING
SNORT_TIME_END();
#endif
}
void XmlRestart(int signal, void *arg)
{
XmlData *d = (XmlData *)arg;
#ifdef DEBUG
printf(XMLMOD":LogXmlRestart\n");
#endif
send_data(d);
flush_data(d);
if((d->host == NULL) || (!d->port) || (d->protocol == NULL))
{
fprintf(d->fptr, "%s", SNORTML_FILE_END);
fclose(d->fptr);
}
#ifdef ENABLE_SSL
if(d->ssl_trace > 0)
fclose (d->ssl_trace);
X509_free(d->issuer_cert);
free(d->collector_name);
#ifdef ENABLE_SESSION_RESUME
SSL_CTX_free (d->ctx);
#endif
#endif
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -