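/* NOTE(review): the lines below are the tail of a function whose opening is
 * outside this chunk; they are only reformatted and commented, not changed. */
            /* get the first segment... */
            spd = (StreamPacketData *) ubi_btFirst((ubi_btNodePtr)&s->data);

            /* the first segment's timestamp becomes the alert timestamp;
             * an empty stream leaves alertdata.ts as it was */
            if(spd != NULL )
            {
                alertdata.ts.tv_sec = spd->pkth.ts.tv_sec;
                alertdata.ts.tv_usec = spd->pkth.ts.tv_usec;
            }
        }

        if(p->iph != NULL)
        {
            /* everything needs to be written in host order */
            alertdata.sip = ntohl(p->iph->ip_src.s_addr);
            alertdata.dip = ntohl(p->iph->ip_dst.s_addr);

            if(p->iph->ip_proto == IPPROTO_ICMP)
            {
                /* for ICMP the port fields carry type and code instead */
                if(p->icmph != NULL)
                {
                    alertdata.sp = p->icmph->type;
                    alertdata.dp = p->icmph->code;
                }
            }
            else
            {
                alertdata.sp = p->sp;
                alertdata.dp = p->dp;
            }

            alertdata.protocol = p->iph->ip_proto;
            alertdata.flags = p->packet_flags;
        }
    }

    /* backward compatibility stuff: a NULL dHdr means the old single-type
     * alert file, which has its own rotation routine.
     * NOTE(review): unlike RealUnifiedLogPacketAlert, the dHdr branch does not
     * add sizeof(DataHeader) to the rotation check, so the file may exceed
     * data->limit by one header -- confirm that is intended. */
    if(dHdr == NULL)
    {
        if((data->current + sizeof(UnifiedAlert)) > data->limit)
            UnifiedAlertRotateFile(data);
    }
    else
    {
        if((data->current + sizeof(UnifiedAlert)) > data->limit)
            UnifiedRotateFile(data);
    }

    if(dHdr)
    {
        if(fwrite((char *)dHdr, sizeof(DataHeader), 1, data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));
        data->current += sizeof(DataHeader);
    }

    if(fwrite((char *)&alertdata, sizeof(UnifiedAlert), 1, data->stream) != 1)
        FatalError("SpoUnified: write failed: %s\n", strerror(errno));

    fflush(data->stream);
    data->current += sizeof(UnifiedAlert);
}

/*
 * Function: UnifiedLogPacketAlert(Packet *, char *, void *, Event *)
 *
 * Purpose: Entry point for logging a packet in the combined unified format.
 *          Builds the DataHeader that announces a packet record and then
 *          dispatches to the stream writer (for packets rebuilt by the
 *          stream reassembler) or to the single-packet writer.
 *
 * Arguments: p     => packet to log; may be NULL, in which case an empty
 *                     record is written by RealUnifiedLogPacketAlert
 *            msg   => alert message (passed through to the writers)
 *            arg   => UnifiedConfig * for this output plugin
 *            event => triggering event; may be NULL
 *
 * Returns: void function
 */
void UnifiedLogPacketAlert(Packet *p, char *msg, void *arg, Event *event)
{
    DataHeader dHdr;

    dHdr.type = UNIFIED_TYPE_PACKET_ALERT;
    dHdr.length = sizeof(UnifiedLog);

    /* a NULL packet cannot be a rebuilt stream; route it to the
     * single-packet writer, which handles p == NULL explicitly */
    if(p != NULL && (p->packet_flags & PKT_REBUILT_STREAM))
    {
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "[*] Reassembled packet, dumping stream packets\n"););
        RealUnifiedLogStreamAlert(p, msg, arg, event, &dHdr);
    }
    else
    {
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "[*] Logging unified packets...\n"););
        RealUnifiedLogPacketAlert(p, msg, arg, event, &dHdr);
    }
}

/*
 * Function: RealUnifiedLogPacketAlert(Packet *, char *, void *, Event *, DataHeader *)
 *
 * Purpose: Write one packet record to the unified log: an optional
 *          DataHeader, the UnifiedLog header, then the raw packet bytes.
 *          The file is rotated first if the record would push it past
 *          data->limit.
 *
 * Arguments: p     => packet to log; NULL writes a header with zeroed
 *                     capture fields and no packet bytes
 *            msg   => alert message (unused here)
 *            arg   => UnifiedConfig * for this output plugin
 *            event => triggering event; NULL leaves the event fields zero
 *            dHdr  => DataHeader to emit first, or NULL for the old
 *                     single-type log file format
 *
 * Returns: void function; a failed fwrite() is fatal.
 */
void RealUnifiedLogPacketAlert(Packet *p, char *msg, void *arg, Event *event, DataHeader *dHdr)
{
    UnifiedLog logheader;
    UnifiedConfig *data = (UnifiedConfig *)arg;

    /* the whole struct goes to disk, including padding and the event
     * fields that stay unset when event == NULL; zero it so no stack
     * contents ever end up in the log file */
    memset(&logheader, 0, sizeof(logheader));

    if(event != NULL)
    {
        logheader.event.sig_generator = event->sig_generator;
        logheader.event.sig_id = event->sig_id;
        logheader.event.sig_rev = event->sig_rev;
        logheader.event.classification = event->classification;
        logheader.event.priority = event->priority;
        logheader.event.event_id = event->event_id;
        logheader.event.event_reference = event->event_reference;
        logheader.event.ref_time.tv_sec = event->ref_time.tv_sec;
        logheader.event.ref_time.tv_usec = event->ref_time.tv_usec;

        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "------------\n");
                   DebugMessage(DEBUG_LOG, "gen: %u\n", logheader.event.sig_generator);
                   DebugMessage(DEBUG_LOG, "sid: %u\n", logheader.event.sig_id);
                   DebugMessage(DEBUG_LOG, "rev: %u\n", logheader.event.sig_rev);
                   DebugMessage(DEBUG_LOG, "cls: %u\n", logheader.event.classification);
                   DebugMessage(DEBUG_LOG, "pri: %u\n", logheader.event.priority);
                   DebugMessage(DEBUG_LOG, "eid: %u\n", logheader.event.event_id);
                   DebugMessage(DEBUG_LOG, "erf: %u\n", logheader.event.event_reference);
                   DebugMessage(DEBUG_LOG, "sec: %lu\n", logheader.event.ref_time.tv_sec);
                   DebugMessage(DEBUG_LOG, "usc: %lu\n", logheader.event.ref_time.tv_usec););
    }

    if(p)
    {
        logheader.flags = p->packet_flags;

        /*
         * this will have to be fixed when we transition to the pa_engine
         * code (p->pkth is libpcap specific)
         */
        memcpy(&logheader.pkth, p->pkth, sizeof(SnortPktHeader));
    }
    else
    {
        /* explicit for readability; memset above already zeroed these */
        logheader.flags = 0;
        logheader.pkth.ts.tv_sec = 0;
        logheader.pkth.ts.tv_usec = 0;
        logheader.pkth.caplen = 0;
        logheader.pkth.pktlen = 0;
    }

    /* backward compatibility stuff: the old format has no DataHeader
     * and its own rotation routine */
    if(dHdr == NULL)
    {
        if((data->current + sizeof(UnifiedLog) + logheader.pkth.caplen) > data->limit)
            UnifiedLogRotateFile(data);
    }
    else
    {
        if((data->current + sizeof(UnifiedLog) + sizeof(DataHeader) + logheader.pkth.caplen) > data->limit)
            UnifiedRotateFile(data);
    }

    if(dHdr)
    {
        if(fwrite((char *)dHdr, sizeof(DataHeader), 1, data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));
        data->current += sizeof(DataHeader);
    }

    if(fwrite((char*)&logheader, sizeof(UnifiedLog), 1, data->stream) != 1)
        FatalError("SpoUnified: write failed: %s\n", strerror(errno));
    data->current += sizeof(UnifiedLog);

    if(p)
    {
        /* the header written above promises caplen bytes of packet data */
        if(fwrite((char*)p->pkt, p->pkth->caplen, 1, data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));
        data->current += p->pkth->caplen;
    }

    fflush(data->stream);
}

/**
 * Log a set of packets stored in the stream reassembler
 *
 * Every segment of p->streamptr that is marked as assembled
 * (spd->chuck != SEG_UNASSEMBLED) is written as its own packet record.
 * The first record carries the triggering event's identifiers; every
 * record after it is re-tagged as a GENERATOR_TAG / TAG_LOG_PKT event.
 *
 * @param p     packet whose stream is logged; NULL logs nothing
 * @param msg   alert message (unused here)
 * @param arg   UnifiedConfig * for this output plugin
 * @param event triggering event; NULL leaves the event fields zero
 * @param dHdr  DataHeader to emit before each record, or NULL for the
 *              old single-type log file format
 */
void RealUnifiedLogStreamAlert(Packet *p, char *msg, void *arg, Event *event, DataHeader *dHdr)
{
    Stream *s = NULL;
    StreamPacketData *spd = NULL;
    UnifiedLog logheader;
    UnifiedConfig *data = (UnifiedConfig *)arg;
    int once = 0;

    /* zero the record up front: logheader.flags is never assigned in this
     * function and the event fields stay unset when event == NULL, so
     * without this, stack contents would be written to the log file */
    memset(&logheader, 0, sizeof(logheader));

    /* setup the event header */
    if(event != NULL)
    {
        logheader.event.sig_generator = event->sig_generator;
        logheader.event.sig_id = event->sig_id;
        logheader.event.sig_rev = event->sig_rev;
        logheader.event.classification = event->classification;
        logheader.event.priority = event->priority;
        logheader.event.event_id = event->event_id;
        logheader.event.event_reference = event->event_reference;

        /* Note that ref_time is probably incorrect.
         * See OldUnifiedLogPacketAlert() for details. */
        logheader.event.ref_time.tv_sec = event->ref_time.tv_sec;
        logheader.event.ref_time.tv_usec = event->ref_time.tv_usec;

        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "------------\n");
                   DebugMessage(DEBUG_LOG, "gen: %u\n", logheader.event.sig_generator);
                   DebugMessage(DEBUG_LOG, "sid: %u\n", logheader.event.sig_id);
                   DebugMessage(DEBUG_LOG, "rev: %u\n", logheader.event.sig_rev);
                   DebugMessage(DEBUG_LOG, "cls: %u\n", logheader.event.classification);
                   DebugMessage(DEBUG_LOG, "pri: %u\n", logheader.event.priority);
                   DebugMessage(DEBUG_LOG, "eid: %u\n", logheader.event.event_id);
                   DebugMessage(DEBUG_LOG, "erf: %u\n", logheader.event.event_reference);
                   DebugMessage(DEBUG_LOG, "sec: %lu\n", logheader.event.ref_time.tv_sec);
                   DebugMessage(DEBUG_LOG, "usc: %lu\n", logheader.event.ref_time.tv_usec););
    }

    /* queue up the stream for logging */
    if(p)
    {
        s = (Stream *) p->streamptr;

        /* a packet flagged as rebuilt should carry its stream, but guard it
         * anyway rather than dereference a NULL stream pointer */
        if(s != NULL)
            spd = (StreamPacketData *) ubi_btFirst((ubi_btNodePtr)&s->data);

        /* loop thru all the packets in the stream; an empty tree yields
         * NULL straight away, so the loop must test before dereferencing */
        for( ; spd != NULL; spd = (StreamPacketData*)ubi_btNext((ubi_btNodePtr)spd))
        {
            /* packets that are part of the currently reassembled stream
             * should be marked with the chuck flag */
            if(spd->chuck == SEG_UNASSEMBLED)
                continue;

            /* copy it's pktheader data into the logheader */
            memcpy(&logheader.pkth, &spd->pkth, sizeof(SnortPktHeader));

            /* backward compatibility stuff */
            if(dHdr == NULL)
            {
                if((data->current + sizeof(UnifiedLog)+ logheader.pkth.caplen) > data->limit)
                {
                    UnifiedLogRotateFile(data);
                }
            }
            else
            {
                if((data->current + sizeof(UnifiedLog) + sizeof(DataHeader) + logheader.pkth.caplen) > data->limit)
                    UnifiedRotateFile(data);
            }

            if(dHdr)
            {
                if(fwrite((char*)dHdr,sizeof(DataHeader),1,data->stream) != 1)
                    FatalError("SpoUnified: write failed: %s\n", strerror(errno));
                data->current += sizeof(DataHeader);
            }

            if(fwrite((char*)&logheader,sizeof(UnifiedLog),1,data->stream) != 1)
                FatalError("SpoUnified: write failed: %s\n", strerror(errno));
            data->current += sizeof(UnifiedLog);

            if(spd->pkt)
            {
                if(fwrite((char*)spd->pkt,logheader.pkth.caplen,1 ,data->stream) != 1)
                    FatalError("SpoUnified: write failed: %s\n", strerror(errno));
                data->current += logheader.pkth.caplen;
            }

            /* after the first logged packet modify the event headers;
             * priority keeps the value set from the event above (or 0
             * when event == NULL), so event is not touched here */
            if(!once++)
            {
                logheader.event.sig_generator = GENERATOR_TAG;
                logheader.event.sig_id = TAG_LOG_PKT;
                logheader.event.sig_rev = 1;
                logheader.event.classification = 0;
                /* Note that event_id is now incorrect.
                 * See OldUnifiedLogPacketAlert() for details. */
            }
        }
    }

    fflush(data->stream);
}

/*
 * Function: UnifiedParseArgs(char *)
 *
 * Purpose: Process the preprocessor arguments from the rules file and
 *          initialize the preprocessor's data struct. This function doesn't
 *          have to exist if it makes sense to parse the args in the init
 *          function.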
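 *
 * Arguments: args             => argument list ("filename <name>" and/or
 *                                "limit <MB>", comma separated)
 *            default_filename => used when no "filename" argument is given
 *
 * Returns: newly allocated UnifiedConfig, owned by the caller.  Allocation
 *          failure is fatal.  The limit is clamped to 1..512 MB and stored
 *          in bytes.
 *
 */
UnifiedConfig *UnifiedParseArgs(char *args, char *default_filename)
{
    UnifiedConfig *tmp;
    int limit = 0;

    tmp = calloc(1, sizeof *tmp);

    if(tmp == NULL)
    {
        FatalError("Unable to allocate Unified Data struct!\n");
    }

    DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Args: %s\n", args););

    if(args != NULL)
    {
        char **toks;
        int num_toks = 0;
        int i;

        toks = mSplit(args, ",", 31, &num_toks, '\\');

        for(i = 0; toks != NULL && i < num_toks; ++i)
        {
            char **stoks;
            int num_stoks = 0;
            int j;
            char *index = toks[i];

            /* <ctype.h> takes unsigned char values, not possibly-negative char */
            while(isspace((unsigned char)*index))
                ++index;

            stoks = mSplit(index, " ", 2, &num_stoks, 0);

            /* an empty token (e.g. a trailing comma) may yield no sub-tokens;
             * never touch stoks[0] in that case */
            if(stoks != NULL && num_stoks > 0)
            {
                if(strcasecmp("filename", stoks[0]) == 0)
                {
                    /* only the first "filename" is honoured */
                    if(num_stoks > 1 && tmp->filename == NULL)
                    {
                        tmp->filename = strdup(stoks[1]);
                        if(tmp->filename == NULL)
                            FatalError("Unable to allocate Unified filename!\n");
                    }
                    else
                    {
                        LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index);
                    }
                }
                else if(strcasecmp("limit", stoks[0]) == 0)
                {
                    /* only the first "limit" is honoured */
                    if(num_stoks > 1 && limit == 0)
                    {
                        char *end = NULL;
                        long lval = strtol(stoks[1], &end, 10);

                        if(end == stoks[1])
                        {
                            /* no digits at all: report it instead of silently
                             * falling back to the default below */
                            LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index);
                        }
                        else if(lval > INT_MAX)
                        {
                            limit = INT_MAX;   /* clamped again to 512 below */
                        }
                        else if(lval < INT_MIN)
                        {
                            limit = INT_MIN;   /* treated as "use default" below */
                        }
                        else
                        {
                            limit = (int)lval;
                        }
                    }
                    else
                    {
                        LogMessage("Argument Error in %s(%i): %s\n", file_name, file_line, index);
                    }
                }
            }

            /* counted loops: the original do/while underflowed on a zero count.
             * NOTE(review): only the strings are released, as before; whether
             * the token array itself must be freed depends on mSplit -- verify */
            for(j = 0; stoks != NULL && j < num_stoks; ++j)
                free(stoks[j]);
        }

        for(i = 0; toks != NULL && i < num_toks; ++i)
            free(toks[i]);
    }

    if(tmp->filename == NULL)
    {
        tmp->filename = strdup(default_filename);
        if(tmp->filename == NULL)
            FatalError("Unable to allocate Unified filename!\n");
    }

    /* an absent, zero, negative or unparsable limit means the default */
    if(limit <= 0)
    {
        limit = 128;
    }
    if(limit > 512)
    {
        LogMessage("spo_unified %s(%d)=> Lowering limit of %iMB to 512MB\n", file_name, file_line, limit);
        limit = 512;
    }

    /* convert the limit from MB to bytes; 512 << 20 still fits an int */
    tmp->limit = limit << 20;

    return tmp;
}

/*
 * Function: UnifiedCleanExitFunc()
 *
 * Purpose: Cleanup at exit time: close the log stream and release the
 *          plugin's config.  A NULL config or stream is tolerated so that
 *          a failure during initialisation cannot crash the exit path.
 *
 * Arguments: signal => signal that caused this event
 *            arg => data ptr to reference this plugin's data
 *
 * Returns: void function
 */
static void UnifiedCleanExit(int signal, void *arg)
{
    /* cast the arg pointer to the proper type */
    UnifiedConfig *data = (UnifiedConfig *)arg;

    DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified: CleanExit\n"););

    if(data == NULL)
        return;

    /* fclose() also flushes; a failure here means buffered log records
     * were lost, which is worth a message rather than silence */
    if(data->stream != NULL)
    {
        if(fclose(data->stream) != 0)
            LogMessage("SpoUnified: close failed: %s\n", strerror(errno));
        data->stream = NULL;
    }

    /* free up initialized memory */
    free(data->filename);
    free(data);
}

/*
 * Function: Restart()
 *
 * Purpose: For restarts (SIGHUP usually) clean up structs that need it
 *
 * Arguments: signal => signal that caused this event
 *            arg => data ptr to reference this plugin's data
 *
 * Returns: void function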