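/* Tail of the impact/severity builder (apparently event_to_impact(); its
 * signature and the declarations of ret/assessment/impact/str/classtype
 * precede this point). */
    idmef_impact_severity_t severity;

    ret = idmef_alert_new_assessment(alert, &assessment);
    if ( ret < 0 )
        return ret;

    ret = idmef_assessment_new_impact(assessment, &impact);
    if ( ret < 0 )
        return ret;

    /*
     * Snort priorities are ordered with the lowest number being the most
     * urgent, so the configured thresholds are tested in ascending order:
     * below "medium" is HIGH, below "low" is MEDIUM, below "info" is LOW.
     */
    if ( event->priority < mid_priority )
        severity = IDMEF_IMPACT_SEVERITY_HIGH;
    else if ( event->priority < low_priority )
        severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
    else if ( event->priority < info_priority )
        severity = IDMEF_IMPACT_SEVERITY_LOW;
    else
        severity = IDMEF_IMPACT_SEVERITY_INFO;

    idmef_impact_set_severity(impact, severity);

    /* Without rule information there is no classtype to describe. */
    if ( ! otn_tmp )
        return 0;

    classtype = otn_tmp->sigInfo.classType;
    if ( classtype ) {
        ret = idmef_impact_new_description(impact, &str);
        if ( ret < 0 )
            return ret;

        /*
         * set_ref does not copy: the description points at the rule's
         * classtype name, which is presumed to outlive the message.
         */
        prelude_string_set_ref(str, classtype->name);
    }

    return 0;
}

/*
 * Fill the classification with the rule identifier (sig_id) and one IDMEF
 * reference per "reference:" entry of the rule that fired.
 *
 * Returns 0 on success, or the negative libprelude error code of the first
 * failing call; the message is left partially filled in that case and the
 * caller is expected to discard it.
 */
static int event_to_reference(Event *event, idmef_classification_t *class)
{
    int ret;
    ReferenceNode *refs;
    prelude_string_t *str;
    idmef_reference_t *ref;
    ReferenceSystemNode *system;

    ret = idmef_classification_new_ident(class, &str);
    if ( ret < 0 )
        return ret;

    ret = prelude_string_sprintf(str, "%u", event->sig_id);
    if ( ret < 0 )
        return ret;

    /*
     * return if we have no information about the rule.
     */
    if ( ! otn_tmp )
        return 0;

    for ( refs = otn_tmp->sigInfo.refs; refs != NULL; refs = refs->next ) {
        system = refs->system;
        if ( ! system )
            continue;

        ret = idmef_classification_new_reference(class, &ref, -1);
        if ( ret < 0 )
            return ret;

        ret = idmef_reference_new_name(ref, &str);
        if ( ret < 0 )
            return ret;

        idmef_reference_set_origin(ref, reference_to_origin(system->name));

        /*
         * Known reference systems are named after the reference id itself;
         * vendor specific ones get the generic name "url", the id only
         * appearing in the URL built below.
         */
        if ( idmef_reference_get_origin(ref) != IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC )
            prelude_string_set_ref(str, refs->id);
        else
            prelude_string_set_constant(str, "url");

        ret = idmef_reference_new_url(ref, &str);
        if ( ret < 0 )
            return ret;

        /*
         * This sprintf result used to be ignored, so an allocation failure
         * here silently produced a reference with an empty URL. Treat it
         * like every other libprelude failure in this function.
         */
        ret = prelude_string_sprintf(str, "%s%s", system->url, refs->id);
        if ( ret < 0 )
            return ret;
    }

    return 0;
}

/*
 * Output plugin callback: build an IDMEF alert describing 'event' (and the
 * packet that triggered it) and hand it to the prelude client that was
 * registered as 'data' by AlertPreludeSetupAfterSetuid().
 *
 * Every failure path jumps to 'err' so the partially built message is
 * destroyed. An alert that cannot be built is dropped without a log entry;
 * that is the original behaviour and is kept here.
 */
void snort_alert_prelude(Packet *p, char *msg, void *data, Event *event)
{
    int ret;
    idmef_time_t *time;
    idmef_alert_t *alert;
    prelude_string_t *str;
    idmef_message_t *idmef;
    idmef_classification_t *class;
    prelude_client_t *client = data;

    /*
     * 'event' is dereferenced unconditionally by event_to_impact() and
     * event_to_reference(), so a missing event is rejected up front just
     * like a missing packet.
     */
    if ( ! p || ! event )
        return;

    ret = idmef_message_new(&idmef);
    if ( ret < 0 )
        return;

    ret = idmef_message_new_alert(idmef, &alert);
    if ( ret < 0 )
        goto err;

    ret = idmef_alert_new_classification(alert, &class);
    if ( ret < 0 )
        goto err;

    ret = idmef_classification_new_text(class, &str);
    if ( ret < 0 )
        goto err;

    /* set_ref: the rule message is referenced, not copied. */
    prelude_string_set_ref(str, msg);

    ret = event_to_impact(event, alert);
    if ( ret < 0 )
        goto err;

    ret = event_to_reference(event, class);
    if ( ret < 0 )
        goto err;

    ret = event_to_source_target(p, alert);
    if ( ret < 0 )
        goto err;

    ret = packet_to_data(p, event, alert);
    if ( ret < 0 )
        goto err;

    /* Detect time is the packet capture timestamp ... */
    ret = idmef_alert_new_detect_time(alert, &time);
    if ( ret < 0 )
        goto err;
    idmef_time_set_from_timeval(time, &p->pkth->ts);

    /* ... while create time is "now". */
    ret = idmef_time_new_from_gettimeofday(&time);
    if ( ret < 0 )
        goto err;
    idmef_alert_set_create_time(alert, time);

    idmef_alert_set_analyzer(alert, idmef_analyzer_ref(prelude_client_get_analyzer(client)), 0);

    prelude_client_send_idmef(client, idmef);

err:
    /*
     * Reached on success as well: the message is destroyed right after
     * being handed to the client (send is presumed not to keep the pointer
     * — confirm against the libprelude version in use).
     */
    idmef_message_destroy(idmef);
}

/* Intentionally empty; see the note in AlertPreludeSetupAfterSetuid(). */
void snort_alert_prelude_clean_exit(int signal, void *data)
{
}

void snort_alert_prelude_restart(int signal, void *data)
{
    /*
     * This function might be called from a signal handler, and there is
     * no way to know about it since signal is always SIGQUIT.
     *
     * As calling a function from a signal handler is not secure
     * we won't do it.
     */
}

/*
 * Parse one severity threshold argument ("info", "low" or "medium").
 *
 * Unlike atoi(), a malformed value is a fatal configuration error instead
 * of silently becoming 0 — with all thresholds at 0 no priority compares
 * below them and every alert would have been reported as INFO severity.
 *
 * Returns the threshold as a non-negative int; never returns on error.
 */
static int parse_priority(const char *key, const char *value)
{
    char *end;
    long v;

    v = strtol(value, &end, 10);

    /*
     * Reject empty input, trailing garbage, negatives and anything that does
     * not round-trip through int (on platforms where long is wider than int
     * this also catches the LONG_MAX that strtol returns on overflow).
     */
    if ( end == value || *end != '\0' || v < 0 || v != (long) (int) v )
        FatalError("spo_alert_prelude: invalid value '%s' for keyword '%s'.\n", value, key);

    return (int) v;
}

/*
 * Parse the plugin arguments ("profile=NAME info=N low=N medium=N").
 *
 * 'args' is modified in place by mSplit/strtok. On success *profile holds
 * a malloc'ed copy of the profile name (or is left untouched when none was
 * given) and the three priority thresholds are updated. Any unknown
 * keyword, missing value or malformed number is fatal.
 */
static void parse_args(char *args, char **profile)
{
    int i, tokens, ret;
    char **args_table, *value, *key;

    args_table = mSplit(args, " ", 4, &tokens, '\\');

    for ( i = 0; i < tokens; i++ ) {
        key = args_table[i];

        /*
         * strtok terminates the key at the first '='; the second call
         * returns the remainder of the token as the value. This runs at
         * configuration time, so strtok's static state is not a concern.
         */
        strtok(key, "=");
        value = strtok(NULL, "");
        if ( ! value )
            FatalError("spo_alert_prelude: missing value for keyword '%s'.\n", key);

        ret = strcasecmp("profile", key);
        if ( ret == 0 ) {
            /* A repeated keyword replaces the previous profile name. */
            if ( *profile )
                free(*profile);

            *profile = strdup(value);
            if ( ! *profile )
                FatalError("spo_alert_prelude: out of memory while parsing keyword '%s'.\n", key);
            continue;
        }

        ret = strcasecmp("info", key);
        if ( ret == 0 ) {
            info_priority = parse_priority(key, value);
            continue;
        }

        ret = strcasecmp("low", key);
        if ( ret == 0 ) {
            low_priority = parse_priority(key, value);
            continue;
        }

        ret = strcasecmp("medium", key);
        if ( ret == 0 ) {
            mid_priority = parse_priority(key, value);
            continue;
        }

        FatalError("spo_alert_prelude: Invalid parameter found: '%s'.\n", key);
    }

    mSplitFree(&args_table, tokens);
}

/*
 * Second-stage initialisation, run after Snort has dropped privileges:
 * parse the arguments saved by snort_alert_prelude_init(), bring up the
 * Prelude library and client, and register the alert callback.
 *
 * Every failure is fatal; the client is deliberately created only after
 * setuid so that its profile files end up owned by the unprivileged user.
 */
void AlertPreludeSetupAfterSetuid(void)
{
    int ret;
    char *profile = NULL;
    prelude_client_t *client;
    prelude_client_flags_t flags;

    if ( ! initialized )
        return;

    /*
     * init_args is only set when the plugin was given arguments (and is
     * assumed to be NULL-initialised otherwise); do not hand a NULL string
     * to the tokenizer.
     */
    if ( init_args ) {
        parse_args(init_args, &profile);
        free(init_args);
        init_args = NULL;
    }

    ret = prelude_thread_init(NULL);
    if ( ret < 0 )
        FatalError("%s: Unable to initialize the Prelude thread subsystem: %s.\n",
                   prelude_strsource(ret), prelude_strerror(ret));

    ret = prelude_init(NULL, NULL);
    if ( ret < 0 )
        FatalError("%s: Unable to initialize the Prelude library: %s.\n",
                   prelude_strsource(ret), prelude_strerror(ret));

    ret = prelude_client_new(&client, profile ? profile : DEFAULT_ANALYZER_NAME);

    /* The name has been consumed by prelude_client_new (copied or failed). */
    if ( profile )
        free(profile);

    if ( ret < 0 )
        FatalError("%s: Unable to create a prelude client object: %s.\n",
                   prelude_strsource(ret), prelude_strerror(ret));

    /* Alerts are queued and sent from a dedicated thread, not inline. */
    flags = PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER;
    ret = prelude_client_set_flags(client, prelude_client_get_flags(client) | flags);
    if ( ret < 0 )
        FatalError("%s: Unable to set asynchronous send and timer: %s.\n",
                   prelude_strsource(ret), prelude_strerror(ret));

    setup_analyzer(prelude_client_get_analyzer(client));

    ret = prelude_client_start(client);
    if ( ret < 0 ) {
        /* Point the operator at prelude-admin when the profile is missing. */
        if ( prelude_client_is_setup_needed(ret) )
            prelude_client_print_setup_error(client);

        FatalError("%s: Unable to initialize prelude client: %s.\n",
                   prelude_strsource(ret), prelude_strerror(ret));
    }

    AddFuncToOutputList(snort_alert_prelude, NT_OUTPUT_ALERT, client);

    /*
     * The CleanExit and Restart callback functions are not registered
     * since these might be called from a signal handler, and there
     * is no way to know about it since their signal argument is set to an
     * insignificant value.
     *
     * As calling functions other than the very restricted set of functions
     * guaranteed to be reentrant defined in POSIX.1 from a signal handler
     * is not safe, we can't do it.
     *
     * Snort should really check for the signal to be set from the main program
     * loop and call the signal handling function from there, rather than doing
     * it in the signal handler itself, which could easily lead to a crash since
     * most of the preprocessor functions use non reentrant functions from the
     * callback in question.
     */
}

/*
 * First-stage initialisation, called while Snort may still be privileged.
 * Only the argument string is saved (copied, since the caller owns 'args');
 * the real work happens in AlertPreludeSetupAfterSetuid().
 */
void snort_alert_prelude_init(unsigned char *args)
{
    /*
     * Do nothing here. Wait until AlertPreludeSetupAfterSetuid is called.
     */
    if ( args ) {
        init_args = strdup((char *) args);
        if ( ! init_args )
            FatalError("spo_alert_prelude: out of memory while saving plugin arguments.\n");
    }

    initialized = TRUE;
}

/* Register the "alert_prelude" output plugin with Snort. */
void AlertPreludeSetup(void)
{
    RegisterOutputPlugin("alert_prelude", NT_OUTPUT_ALERT, snort_alert_prelude_init);
}

#endif /* HAVE_LIBPRELUDE */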