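/*
** Copyright (C) 2005 PreludeIDS Technologies. All Rights Reserved.
** Author: Yoann Vandoorselaere <yoann.v@prelude-ids.com>
**
** This file is part of the Snort program.
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2, or (at your option)
** any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; see the file COPYING. If not, write to
** the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
*/

/*
 * spo_alert_prelude.c - Snort output plugin that converts Snort events into
 * IDMEF alerts and hands them to libprelude.
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#ifdef HAVE_LIBPRELUDE

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <libprelude/prelude.h>

#include "event.h"
#include "decode.h"
#include "plugbase.h"
#include "spo_plugbase.h"
#include "parser.h"
#include "debug.h"
#include "util.h"
#include "mstring.h"
#include "snort.h"

/* Constant strings describing this analyzer in the IDMEF Analyzer node. */
#define ANALYZER_CLASS         "NIDS"
#define ANALYZER_MODEL         "Snort"
#define ANALYZER_MANUFACTURER  "http://www.snort.org"
#define DEFAULT_ANALYZER_NAME  "snort"

extern PV pv;
extern OptTreeNode *otn_tmp;

/* Plugin arguments; presumably filled in by the init hook later in this file. */
static char *init_args = NULL;

/*
 * Severity thresholds. They are consumed further down the file (not visible
 * here); presumably they are compared against the Snort event priority.
 */
static unsigned int info_priority = 4;
static unsigned int low_priority = 3;
static unsigned int mid_priority = 2;

/* Set once the prelude client has been brought up. */
static prelude_bool_t initialized = FALSE;

/* Signature shared by the idmef_analyzer_new_<field>() constructors. */
typedef int (*analyzer_string_new_fn)(idmef_analyzer_t *analyzer, prelude_string_t **out);

/*
 * Create one string field of @analyzer through @new_string and fill it with
 * the constant @value.
 *
 * @return 0 on success, the negative libprelude error code otherwise.
 */
static int set_analyzer_constant(idmef_analyzer_t *analyzer, analyzer_string_new_fn new_string, const char *value)
{
        prelude_string_t *string = NULL;
        int ret = new_string(analyzer, &string);

        if ( ret < 0 )
                return ret;

        /* The value is a literal, so a constant reference is enough (no copy). */
        return prelude_string_set_constant(string, value);
}

/*
 * Describe this Snort instance in the IDMEF Analyzer node: model, class,
 * manufacturer and version.
 *
 * @param analyzer  analyzer object to populate.
 * @return 0 on success, the negative libprelude error code otherwise.
 */
static int setup_analyzer(idmef_analyzer_t *analyzer)
{
        int ret;

        ret = set_analyzer_constant(analyzer, idmef_analyzer_new_model, ANALYZER_MODEL);
        if ( ret < 0 )
                return ret;

        ret = set_analyzer_constant(analyzer, idmef_analyzer_new_class, ANALYZER_CLASS);
        if ( ret < 0 )
                return ret;

        ret = set_analyzer_constant(analyzer, idmef_analyzer_new_manufacturer, ANALYZER_MANUFACTURER);
        if ( ret < 0 )
                return ret;

        /* VERSION comes from config.h. */
        return set_analyzer_constant(analyzer, idmef_analyzer_new_version, VERSION);
}

/*
 * Map a Snort rule reference system name ("cve", "bugtraq", "osvdb") to the
 * matching IDMEF reference origin.
 *
 * @param name  reference system name as written in the rule; may be NULL.
 * @return the IDMEF origin, or IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC for
 *         anything not in the table (including NULL).
 */
static idmef_reference_origin_t reference_to_origin(const char *name)
{
        static const struct {
                const char *name;
                idmef_reference_origin_t origin;
        } tbl[] = {
                { "cve",     IDMEF_REFERENCE_ORIGIN_CVE       },
                { "bugtraq", IDMEF_REFERENCE_ORIGIN_BUGTRAQID },
                { "osvdb",   IDMEF_REFERENCE_ORIGIN_OSVDB     },
        };
        size_t i;

        /* strcmp() on NULL is undefined behaviour; treat it as "unknown". */
        if ( ! name )
                return IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC;

        for ( i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++ ) {
                if ( strcmp(tbl[i].name, name) == 0 )
                        return tbl[i].origin;
        }

        return IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC;
}

/*
 * Fill an IDMEF Service node from the packet: port (only when there is a
 * TCP or UDP header), IP version and IANA protocol number.
 *
 * @param service  service node to fill.
 * @param p        decoded packet; p->iph must be non-NULL.
 * @param port     source or destination port, depending on the endpoint.
 */
static void fill_service(idmef_service_t *service, Packet *p, uint16_t port)
{
        /* Only transport protocols with ports get a port number. */
        if ( p->tcph || p->udph )
                idmef_service_set_port(service, port);

        idmef_service_set_ip_version(service, IP_VER(p->iph));
        idmef_service_set_iana_protocol_number(service, p->iph->ip_proto);
}

/*
 * Attach one textual address to an IDMEF Node.
 *
 * The address text is copied into @buf because prelude_string_set_ref() keeps
 * a reference to the buffer rather than copying it; @buf therefore has to
 * outlive the alert (the callers use static storage).
 *
 * @param node     node receiving the address.
 * @param buf      caller-owned buffer that stays valid after the call.
 * @param bufsize  size of @buf in bytes.
 * @param text     address text to store (e.g. the result of inet_ntoa()).
 * @return 0 on success, the negative libprelude error code otherwise.
 */
static int fill_node_address(idmef_node_t *node, char *buf, size_t bufsize, const char *text)
{
        int ret;
        idmef_address_t *address;
        prelude_string_t *string;

        ret = idmef_node_new_address(node, &address, -1);
        if ( ret < 0 )
                return ret;

        ret = idmef_address_new_address(address, &string);
        if ( ret < 0 )
                return ret;

        snprintf(buf, bufsize, "%s", text);
        return prelude_string_set_ref(string, buf);
}

/*
 * Describe the packet endpoints as IDMEF Source (ip_src / sp) and Target
 * (ip_dst / dp) nodes of @alert.
 *
 * @param p      decoded packet; nothing is added when it or its IP header is NULL.
 * @param alert  alert receiving the source and target.
 * @return 0 on success (including "nothing to do"), the negative libprelude
 *         error code otherwise.
 */
static int event_to_source_target(Packet *p, idmef_alert_t *alert)
{
        int ret;
        idmef_node_t *node;
        idmef_source_t *source;
        idmef_target_t *target;
        idmef_service_t *service;
        /*
         * Two separate static buffers: the IDMEF strings only reference them,
         * and inet_ntoa() hands back a single static buffer that the second
         * call would overwrite.
         */
        static char saddr[128], daddr[128];

        if ( ! p || ! p->iph )
                return 0;

        /* Source side. */
        ret = idmef_alert_new_source(alert, &source, -1);
        if ( ret < 0 )
                return ret;

        ret = idmef_source_new_service(source, &service);
        if ( ret < 0 )
                return ret;

        fill_service(service, p, p->sp);

        ret = idmef_source_new_node(source, &node);
        if ( ret < 0 )
                return ret;

        ret = fill_node_address(node, saddr, sizeof(saddr), inet_ntoa(p->iph->ip_src));
        if ( ret < 0 )
                return ret;

        /* Target side. */
        ret = idmef_alert_new_target(alert, &target, -1);
        if ( ret < 0 )
                return ret;

        ret = idmef_target_new_service(target, &service);
        /*
         * The original test was "! ret < 0", which parses as "(!ret) < 0" and
         * can never be true, so a failed service allocation went unnoticed and
         * the stale source service pointer was written to instead.
         */
        if ( ret < 0 )
                return ret;

        fill_service(service, p, p->dp);

        ret = idmef_target_new_node(target, &node);
        if ( ret < 0 )
                return ret;

        return fill_node_address(node, daddr, sizeof(daddr), inet_ntoa(p->iph->ip_dst));
}

/*
 * Attach a byte-string AdditionalData entry to @alert.
 *
 * Both @data and @meaning are referenced, not copied: they must stay valid
 * until the alert has been sent.
 *
 * @param alert    alert receiving the entry.
 * @param meaning  label of the entry (e.g. "payload").
 * @param data     bytes to attach; NULL or empty data adds nothing.
 * @param size     number of bytes in @data.
 * @return 0 on success or when there is nothing to add, -1 on libprelude error
 *         (the error is also logged with ErrorMessage()).
 */
static int add_byte_data(idmef_alert_t *alert, const char *meaning, const unsigned char *data, size_t size)
{
        int ret;
        prelude_string_t *str;
        idmef_additional_data_t *ad;

        if ( ! data || ! size )
                return 0;

        ret = idmef_alert_new_additional_data(alert, &ad, -1);
        if ( ret < 0 )
                return ret;

        ret = idmef_additional_data_set_byte_string_ref(ad, data, size);
        if ( ret < 0 ) {
                ErrorMessage("%s: error setting byte string data: %s.\n", prelude_strsource(ret), prelude_strerror(ret));
                return -1;
        }

        ret = idmef_additional_data_new_meaning(ad, &str);
        if ( ret < 0 ) {
                ErrorMessage("%s: error creating additional-data meaning: %s.\n", prelude_strsource(ret), prelude_strerror(ret));
                return -1;
        }

        ret = prelude_string_set_ref(str, meaning);
        if ( ret < 0 ) {
                ErrorMessage("%s: error setting byte string data meaning: %s.\n", prelude_strsource(ret), prelude_strerror(ret));
                return -1;
        }

        /* The original returned -1 unconditionally here, reporting success as failure. */
        return 0;
}

/*
 * Attach an integer AdditionalData entry to @alert.
 *
 * @param alert    alert receiving the entry.
 * @param meaning  label of the entry; referenced, not copied.
 * @param data     value to store.
 * @return 0 on success, the negative libprelude error code if the entry could
 *         not be created, -1 (logged) if its meaning could not be set.
 */
static int add_int_data(idmef_alert_t *alert, const char *meaning, uint32_t data)
{
        int ret;
        prelude_string_t *str;
        idmef_additional_data_t *ad;

        ret = idmef_alert_new_additional_data(alert, &ad, -1);
        if ( ret < 0 )
                return ret;

        idmef_additional_data_set_integer(ad, data);

        ret = idmef_additional_data_new_meaning(ad, &str);
        if ( ret < 0 ) {
                ErrorMessage("%s: error creating additional-data meaning: %s.\n", prelude_strsource(ret), prelude_strerror(ret));
                return -1;
        }

        ret = prelude_string_set_ref(str, meaning);
        if ( ret < 0 ) {
                ErrorMessage("%s: error setting integer data meaning: %s.\n", prelude_strsource(ret), prelude_strerror(ret));
                return -1;
        }

        return 0;
}

/*
 * Attach the packet's header fields and payload to @alert as AdditionalData.
 *
 * Attachment is best effort: each add_*_data() call reports its own failure,
 * and a missing field should not prevent the alert from being emitted, so
 * their return values are deliberately not propagated.
 *
 * @param p      decoded packet; nothing is added when it or @event is NULL.
 * @param event  Snort event whose signature id is attached as "sid".
 * @param alert  alert receiving the data.
 * @return always 0.
 */
static int packet_to_data(Packet *p, Event *event, idmef_alert_t *alert)
{
        if ( ! p || ! event )
                return 0;

        add_int_data(alert, "sid", event->sig_id);

        if ( p->iph ) {
                add_int_data(alert, "ip_mf", p->mf);
                add_int_data(alert, "ip_df", p->df);
                add_int_data(alert, "ip_rf", p->rf);
                /*
                 * frag_offset is the decoder's value, not a raw wire field, so
                 * it is stored as is. The original also emitted a second "ip_off"
                 * entry with ntohs(p->frag_offset); that duplicate is dropped.
                 */
                add_int_data(alert, "ip_off", p->frag_offset);
                add_int_data(alert, "ip_hlen", IP_HLEN(p->iph));
                add_int_data(alert, "ip_tos", p->iph->ip_tos);
                add_int_data(alert, "ip_len", ntohs(p->iph->ip_len));
                add_int_data(alert, "ip_id", ntohs(p->iph->ip_id));
                add_int_data(alert, "ip_flags", p->frag_flag);
                add_int_data(alert, "ip_ttl", p->iph->ip_ttl);
                add_int_data(alert, "ip_proto", p->iph->ip_proto);
                add_int_data(alert, "ip_csum", ntohs(p->iph->ip_csum));
        }

        if ( p->tcph ) {
                add_int_data(alert, "th_seq", ntohl(p->tcph->th_seq));
                add_int_data(alert, "th_ack", ntohl(p->tcph->th_ack));
                add_int_data(alert, "tcp_off", TCP_OFFSET(p->tcph));
                add_int_data(alert, "tcp_res", TCP_X2(p->tcph));
                add_int_data(alert, "tcp_flags", p->tcph->th_flags);
                add_int_data(alert, "tcp_win", ntohs(p->tcph->th_win));
                add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum));
                add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp));
        }
        else if ( p->udph ) {
                /*
                 * UDP length and checksum are 16-bit wire fields; the original
                 * used ntohl() here, which swaps the wrong bytes once the value
                 * is promoted to 32 bits.
                 */
                add_int_data(alert, "udp_len", ntohs(p->udph->uh_len));
                add_int_data(alert, "udp_chk", ntohs(p->udph->uh_chk));
        }

        /* The payload is referenced, not copied: p must outlive the alert. */
        add_byte_data(alert, "payload", p->data, p->dsize);

        return 0;
}

static int event_to_impact(Event *event, idmef_alert_t *alert)
{
        int ret;
        ClassType *classtype;
        prelude_string_t *str;
        idmef_impact_t *impact;
        idmef_assessment_t *assessment;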