spo_alert_syslog.c

Linux snort-2.4.4源代码

        {
            data->options |= LOG_PERROR;
        }
        else
#endif
#ifdef LOG_PID 
        if(!strcasecmp("LOG_PID", tmp))
        {
            data->options |= LOG_PID;
        }
        else
#endif
#ifdef LOG_NOWAIT
        if(!strcasecmp("LOG_NOWAIT", tmp))
        {
            data->options |= LOG_NOWAIT;
        }
        else
#endif
        /* possible openlog facilities */

#ifdef LOG_AUTHPRIV 
        if(!strcasecmp("LOG_AUTHPRIV", tmp))
        {
            data->facility = LOG_AUTHPRIV;
        }
        else
#endif
#ifdef LOG_AUTH 
        if(!strcasecmp("LOG_AUTH", tmp))
        {
            data->facility = LOG_AUTH;
        }
        else
#endif
#ifdef LOG_DAEMON 
        if(!strcasecmp("LOG_DAEMON", tmp))
        {
            data->facility = LOG_DAEMON;
        }
        else
#endif
#ifdef LOG_LOCAL0 
        if(!strcasecmp("LOG_LOCAL0", tmp))
        {
            data->facility = LOG_LOCAL0;
        }
        else
#endif
#ifdef LOG_LOCAL1 
        if(!strcasecmp("LOG_LOCAL1", tmp))
        {
            data->facility = LOG_LOCAL1;
        }
        else
#endif
#ifdef LOG_LOCAL2 
        if(!strcasecmp("LOG_LOCAL2", tmp))
        {
            data->facility = LOG_LOCAL2;
        }
        else
#endif
#ifdef LOG_LOCAL3 
        if(!strcasecmp("LOG_LOCAL3", tmp))
        {
            data->facility = LOG_LOCAL3;
        }
        else
#endif
#ifdef LOG_LOCAL4 
        if(!strcasecmp("LOG_LOCAL4", tmp))
        {
            data->facility = LOG_LOCAL4;
        }
        else
#endif
#ifdef LOG_LOCAL5 
        if(!strcasecmp("LOG_LOCAL5", tmp))
        {
            data->facility = LOG_LOCAL5;
        }
        else
#endif
#ifdef LOG_LOCAL6 
        if(!strcasecmp("LOG_LOCAL6", tmp))
        {
            data->facility = LOG_LOCAL6;
        }
        else
#endif
#ifdef LOG_LOCAL7 
        if(!strcasecmp("LOG_LOCAL7", tmp))
        {
            data->facility = LOG_LOCAL7;
        }
        else
#endif
#ifdef LOG_USER 
        if(!strcasecmp("LOG_USER", tmp))
        {
            data->facility = LOG_USER;
        }
        else
#endif

        /* possible syslog priorities */

#ifdef LOG_EMERG 
        if(!strcasecmp("LOG_EMERG", tmp))
        {
            data->priority = LOG_EMERG;
        }
        else
#endif
#ifdef LOG_ALERT 
        if(!strcasecmp("LOG_ALERT", tmp))
        {
            data->priority = LOG_ALERT;
        }
        else
#endif
#ifdef LOG_CRIT 
        if(!strcasecmp("LOG_CRIT", tmp))
        {
            data->priority = LOG_CRIT;
        }
        else
#endif
#ifdef LOG_ERR 
        if(!strcasecmp("LOG_ERR", tmp))
        {
            data->priority = LOG_ERR;
        }
        else
#endif
#ifdef LOG_WARNING 
        if(!strcasecmp("LOG_WARNING", tmp))
        {
            data->priority = LOG_WARNING;
        }
        else
#endif
#ifdef LOG_NOTICE 
        if(!strcasecmp("LOG_NOTICE", tmp))
        {
            data->priority = LOG_NOTICE;
        }
        else
#endif
#ifdef LOG_INFO 
        if(!strcasecmp("LOG_INFO", tmp))
        {
            data->priority = LOG_INFO;
        }
        else
#endif
#ifdef LOG_DEBUG 
        if(!strcasecmp("LOG_DEBUG", tmp))
        {
            data->priority = LOG_DEBUG;
        }
        else
#endif
        {
            LogMessage("WARNING %s (%d) => Unrecognized syslog "
                    "facility/priority: %s\n",
                    file_name, file_line, tmp);
        }
    }
    mSplitFree(&facility_toks, num_facility_toks);

    return data;
}


/*
 * Function: PreprocFunction(Packet *)
 *
 * Purpose: Perform the preprocessor's intended function.  This can be
 *          simple (statistics collection) or complex (IP defragmentation)
 *          as you like.  Try not to destroy the performance of the whole
 *          system by trying to do too much....
 *
 * Arguments: p => pointer to the current packet data struct 
 *
 * Returns: void function
 *
 */
extern OptTreeNode *otn_tmp;
void AlertSyslog(Packet *p, char *msg, void *arg, Event *event)
{
    char sip[16];
    char dip[16];
    char pri_data[STD_BUF];
    char ip_data[STD_BUF];
    char event_data[STD_BUF];
#define SYSLOG_BUF  1024
    char event_string[SYSLOG_BUF];
    SyslogData *data = (SyslogData *)arg;


    bzero(event_string, SYSLOG_BUF);

    if(p && p->iph)
    {
        /*
         * have to do this since inet_ntoa is fucked up and writes to a static
         * memory location
         */
        strlcpy(sip, inet_ntoa(p->iph->ip_src), 16);
        strlcpy(dip, inet_ntoa(p->iph->ip_dst), 16);

        if(event != NULL)
        {
            snprintf(event_data, STD_BUF-1, "[%lu:%lu:%lu] ", 
                    (unsigned long) event->sig_generator,
                    (unsigned long) event->sig_id, 
                    (unsigned long) event->sig_rev);
            strlcat(event_string, event_data, SYSLOG_BUF);
        }

        if(msg != NULL)
        {
            strlcat(event_string, msg, SYSLOG_BUF);
        }
        else
        {
            strlcat(event_string, "ALERT", SYSLOG_BUF);
        }

        if(otn_tmp != NULL)
        {
            if(otn_tmp->sigInfo.classType)
            {
                snprintf(pri_data, STD_BUF-1, " [Classification: %s] "
                        "[Priority: %d]:", otn_tmp->sigInfo.classType->name,
                        otn_tmp->sigInfo.priority); 
                strlcat(event_string, pri_data, SYSLOG_BUF);
            }
            else if(otn_tmp->sigInfo.priority != 0)
            {
                snprintf(pri_data, STD_BUF-1, "[Priority: %d]:", 
                        otn_tmp->sigInfo.priority); 
                strlcat(event_string, pri_data, SYSLOG_BUF);
            }
        }

        if((p->iph->ip_proto != IPPROTO_TCP &&
                    p->iph->ip_proto != IPPROTO_UDP) || 
                p->frag_flag)
        {
            if(!pv.alert_interface_flag)
            {
                snprintf(ip_data, STD_BUF-1, " {%s} %s -> %s",  
                        protocol_names[p->iph->ip_proto], sip, dip);
            }
            else
            {
                snprintf(ip_data, STD_BUF-1, " <%s> {%s} %s -> %s",  
                        PRINT_INTERFACE(pv.interface), 
                        protocol_names[p->iph->ip_proto], 
                        sip, dip);
            }
        }
        else
        {
            if(pv.alert_interface_flag)
            {
                snprintf(ip_data, STD_BUF-1, " <%s> {%s} %s:%i -> %s:%i",
                        PRINT_INTERFACE(pv.interface), 
                        protocol_names[p->iph->ip_proto], sip,
                        p->sp, dip, p->dp);
            }
            else
            {
                snprintf(ip_data, STD_BUF-1, " {%s} %s:%i -> %s:%i",
                        protocol_names[p->iph->ip_proto], sip, p->sp, 
                        dip, p->dp);
            }
        }

        strlcat(event_string, ip_data, SYSLOG_BUF);

        syslog(data->priority, "%s", event_string);

    }
    else  
    {
        syslog(data->priority, "%s", msg == NULL ? "ALERT!" : msg);
    }

    return;

}


void AlertSyslogCleanExit(int signal, void *arg)
{
    SyslogData *data = (SyslogData *)arg;
    DEBUG_WRAP(DebugMessage(DEBUG_LOG, "AlertSyslogCleanExit\n"););
    /* free memory from SyslogData */
    free(data);
}

void AlertSyslogRestart(int signal, void *arg)
{
    SyslogData *data = (SyslogData *)arg;
    DEBUG_WRAP(DebugMessage(DEBUG_LOG, "AlertSyslogRestartFunc\n"););
    /* free memory from SyslogData */
    free(data);
}