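*/
static void UnifiedRestart(int signal, void *arg)
{
    UnifiedConfig *data = (UnifiedConfig *)arg;

    DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified: Restart\n"););

    /* Restart callback registered by UnifiedAlertInit()/UnifiedLogInit():
     * close the unified file and release the plugin context.  `signal` is
     * part of the restart-callback signature and is not used here. */
    fclose(data->stream);
    free(data->filename);
    free(data);
}

/* Unified Alert functions (deprecated) */

/*
 * Function: UnifiedAlertInit()
 *
 * Purpose: Register the (deprecated) unified alert output plugin: parse the
 *          rules-file arguments, open the alert file and hook the
 *          output / clean-exit / restart callbacks.
 *
 * Arguments: args => argument string from the rules file
 *
 * Returns: void function
 */
void UnifiedAlertInit(u_char *args)
{
    UnifiedConfig *data;

    DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Unified Alert Initialized\n"););

    pv.alert_plugin_active = 1;

    /* parse the argument list from the rules file */
    data = UnifiedParseArgs(args, "snort-unified.alert");

    UnifiedInitAlertFile(data);

    /* Set the preprocessor function into the function list */
    AddFuncToOutputList(OldUnifiedLogAlert, NT_OUTPUT_ALERT, data);
    AddFuncToCleanExitList(UnifiedCleanExit, data);
    AddFuncToRestartList(UnifiedRestart, data);
}

/*
 * Function: UnifiedInitAlertFile()
 *
 * Purpose: Initialize the unified log alert file: build the timestamped
 *          path, open it and write the UnifiedAlertFileHeader.
 *
 * Arguments: data => pointer to the plugin's reference data struct
 *
 * Returns: void function; any failure is reported via FatalError()
 */
void UnifiedInitAlertFile(UnifiedConfig *data)
{
    time_t curr_time;      /* place to stick the clock data */
    char logdir[STD_BUF];
    int value;
    UnifiedAlertFileHeader hdr;

    memset(logdir, 0, STD_BUF);
    curr_time = time(NULL);

    /* An absolute filename is used as-is; anything else goes under the
     * configured log directory. */
    if (data->filename[0] == '/')
        value = snprintf(logdir, STD_BUF, "%s.%lu",
                         data->filename, (unsigned long)curr_time);
    else
        value = snprintf(logdir, STD_BUF, "%s/%s.%lu",
                         pv.log_dir, data->filename, (unsigned long)curr_time);

    /* snprintf() signals truncation by returning the length it wanted to
     * write (>= STD_BUF), not -1.  A truncated path would silently open a
     * file somewhere other than the configured location, so treat it as
     * fatal too. */
    if (value < 0 || value >= STD_BUF)
    {
        FatalError("unified log file logging path and file name are "
                   "too long, aborting!\n");
    }

    DEBUG_WRAP(DebugMessage(DEBUG_LOG, "Opening %s\n", logdir););

    if ((data->stream = fopen(logdir, "wb+")) == NULL)
    {
        FatalError("UnifiedInitAlertFile(%s): %s\n", logdir, strerror(errno));
    }

    /* Zero the header first so struct padding written to disk carries
     * zeros rather than leftover stack contents. */
    memset(&hdr, 0, sizeof(hdr));
    hdr.magic = ALERT_MAGIC;
    hdr.version_major = 1;
    hdr.version_minor = 81;
    hdr.timezone = thiszone;

    if (fwrite((char *)&hdr, sizeof(hdr), 1, data->stream) != 1)
    {
        FatalError("UnifiedAlertInit(): %s\n", strerror(errno));
    }

    fflush(data->stream);
    return;
}

void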
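OldUnifiedLogAlert(Packet *p, char *msg, void *arg, Event *event)
{
    /* Alert output callback for the deprecated unified alert plugin: a thin
     * wrapper that forwards to RealUnifiedLogAlert() with no log stream. */
    RealUnifiedLogAlert(p, msg, arg, event, NULL);
}

/*
 * Function: UnifiedAlertRotateFile()
 *
 * Purpose: Close the current unified alert file and open a fresh one.
 *
 * Arguments: data => pointer to the plugin's reference data struct
 *
 * Returns: void function; a failed close is fatal because buffered alert
 *          records would otherwise be lost silently.
 */
void UnifiedAlertRotateFile(UnifiedConfig *data)
{
    if (fclose(data->stream) != 0)
        FatalError("UnifiedAlertRotateFile(): %s\n", strerror(errno));
    data->current = 0;
    UnifiedInitAlertFile(data);
}

/* Unified Packet Log functions (deprecated) */

/*
 * Function: UnifiedLogInit()
 *
 * Purpose: Register the (deprecated) unified packet log output plugin:
 *          parse the rules-file arguments, open the log file and hook the
 *          output / clean-exit / restart callbacks.
 *
 * Arguments: args => argument string from the rules file
 *
 * Returns: void function
 */
void UnifiedLogInit(u_char *args)
{
    UnifiedConfig *UnifiedInfo;

    DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Unified Log Initialized\n"););

    /* tell command line loggers to go away */
    pv.log_plugin_active = 1;

    /* parse the argument list from the rules file */
    UnifiedInfo = UnifiedParseArgs(args, "snort-unified.log");

    UnifiedInitLogFile(UnifiedInfo);

    pv.log_bitmap |= LOG_UNIFIED;

    /* Set the preprocessor function into the function list */
    AddFuncToOutputList(OldUnifiedLogPacketAlert, NT_OUTPUT_LOG, UnifiedInfo);
    AddFuncToCleanExitList(UnifiedCleanExit, UnifiedInfo);
    AddFuncToRestartList(UnifiedRestart, UnifiedInfo);
}

/*
 * Function: UnifiedInitLogFile()
 *
 * Purpose: Initialize the unified log file: build the timestamped path,
 *          open it and write the UnifiedLogFileHeader.
 *
 * Arguments: data => pointer to the plugin's reference data struct
 *
 * Returns: void function; any failure is reported via FatalError()
 */
void UnifiedInitLogFile(UnifiedConfig *data)
{
    time_t curr_time;      /* place to stick the clock data */
    char logdir[STD_BUF];
    int value;
    UnifiedLogFileHeader hdr;

    if (data == NULL)
    {
        FatalError("Can't get unified plugin context, that's bad\n");
    }

    memset(logdir, 0, STD_BUF);
    curr_time = time(NULL);

    /* An absolute filename is used as-is; anything else goes under the
     * configured log directory. */
    if (*(data->filename) == '/')
        value = snprintf(logdir, STD_BUF, "%s.%lu",
                         data->filename, (unsigned long)curr_time);
    else
        value = snprintf(logdir, STD_BUF, "%s/%s.%lu",
                         pv.log_dir, data->filename, (unsigned long)curr_time);

    /* snprintf() signals truncation by returning the length it wanted to
     * write (>= STD_BUF), not -1.  A truncated path would silently open a
     * file somewhere other than the configured location, so treat it as
     * fatal too. */
    if (value < 0 || value >= STD_BUF)
    {
        FatalError("unified log file logging path and file name are "
                   "too long, aborting!\n");
    }

    if ((data->stream = fopen(logdir, "wb")) == NULL)
    {
        FatalError("UnifiedInitLogFile(%s): %s\n", logdir, strerror(errno));
    }

    /* write the log file header; zero it first so struct padding written
     * to disk carries zeros rather than leftover stack contents. */
    memset(&hdr, 0, sizeof(hdr));
    hdr.magic = LOG_MAGIC;
    hdr.version_major = SNORT_VERSION_MAJOR;
    hdr.version_minor = SNORT_VERSION_MINOR;
    hdr.timezone = thiszone;
    hdr.snaplen = snaplen;
    hdr.sigfigs = 0;
    hdr.linktype = datalink;
#ifdef GIDS
    hdr.linktype = DLT_EN10MB;
#endif

    if (fwrite((char *)&hdr, sizeof(hdr), 1, data->stream) != 1)
    {
        FatalError("UnifiedLogInit(): %s", strerror(errno));
    }

    fflush(data->stream);
    return;
}

/*
 * Function: OldUnifiedLogPacketAlert(Packet *, char *msg, void *arg, Event *)
 *
 * Purpose: Packet log callback for the deprecated unified log plugin.
 *          Writes one UnifiedLog record (event header + packet header)
 *          followed by the packet bytes.  For a rebuilt stream every
 *          assembled segment is written as its own record; the first one
 *          carries the triggering event, later ones are tagged
 *          GENERATOR_TAG/TAG_LOG_PKT with fresh event ids.
 *
 * Arguments: p     => pointer to the current packet data struct (may be NULL)
 *            msg   => alert message (unused here, part of the callback API)
 *            arg   => UnifiedConfig for this output instance
 *            event => triggering event (may be NULL)
 *
 * Returns: void function; write failures are fatal
 */
void OldUnifiedLogPacketAlert(Packet *p, char *msg, void *arg, Event *event)
{
    Stream *s = NULL;
    StreamPacketData *spd = NULL;
    int first_time = 1;
    UnifiedLog logheader;
    UnifiedConfig *data = (UnifiedConfig *)arg;

    /* Zero the record up front: with event == NULL the event fields were
     * previously left indeterminate and written to disk as-is, and struct
     * padding would otherwise carry stack contents into the log file. */
    memset(&logheader, 0, sizeof(logheader));

    if (event != NULL)
    {
        logheader.event.sig_generator = event->sig_generator;
        logheader.event.sig_id = event->sig_id;
        logheader.event.sig_rev = event->sig_rev;
        logheader.event.classification = event->classification;
        logheader.event.priority = event->priority;
        logheader.event.event_id = event->event_id;
        logheader.event.event_reference = event->event_reference;
        logheader.event.ref_time.tv_sec = event->ref_time.tv_sec;
        logheader.event.ref_time.tv_usec = event->ref_time.tv_usec;

        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "------------\n"););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "gen: %u\n", logheader.event.sig_generator););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sid: %u\n", logheader.event.sig_id););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "rev: %u\n", logheader.event.sig_rev););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "cls: %u\n", logheader.event.classification););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "pri: %u\n", logheader.event.priority););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "eid: %u\n", logheader.event.event_id););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "erf: %u\n", logheader.event.event_reference););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sec: %lu\n", logheader.event.ref_time.tv_sec););
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "usc: %lu\n", logheader.event.ref_time.tv_usec););
    }

    /* p may legitimately be NULL (the else branch below handles it), so
     * it must be tested before packet_flags is read. */
    if (p != NULL && (p->packet_flags & PKT_REBUILT_STREAM))
    {
        s = (Stream *) p->streamptr;

        /* get the first segment... */
        spd = (StreamPacketData *) ubi_btFirst((ubi_btNodePtr)&s->data);

        /* loop thru all the packets in the stream */
        while (spd != NULL)
        {
            /* packets that are part of the currently reassembled stream
             * should be marked with the chuck flag */
            if (spd->chuck != SEG_UNASSEMBLED)
            {
                logheader.flags = p->packet_flags;

                /* copy it's pktheader data into the logheader */
                memcpy(&logheader.pkth, &spd->pkth, sizeof(SnortPktHeader));
#ifdef GIDS
                /*
                ** Add the ethernet header size to the total pktlen.
                ** If the ethernet hdr is already set, then this means
                ** that it's a portscan packet and we don't add the
                ** ethernet header.
                */
                if (!p->eh)
                {
                    logheader.pkth.caplen += sizeof(EtherHdr);
                    logheader.pkth.pktlen += sizeof(EtherHdr);
                }
#endif
                /* Set reference time equal to log time for the first packet */
                if (first_time)
                {
                    logheader.event.ref_time.tv_sec = logheader.pkth.ts.tv_sec;
                    logheader.event.ref_time.tv_usec = logheader.pkth.ts.tv_usec;
                    DEBUG_WRAP(DebugMessage(DEBUG_LOG, "sec: %lu\n", logheader.event.ref_time.tv_sec););
                    DEBUG_WRAP(DebugMessage(DEBUG_LOG, "usc: %lu\n", logheader.event.ref_time.tv_usec););
                }

                if (fwrite((char *)&logheader, sizeof(UnifiedLog), 1, data->stream) != 1)
                    FatalError("SpoUnified: write failed: %s\n", strerror(errno));
                data->current += sizeof(UnifiedLog);

                if (spd->pkt)
                {
#ifdef GIDS
                    if (!p->eh)
                    {
#ifndef IPFW
                        memcpy((u_char *)g_ethernet.ether_src, g_m->hw_addr, 6);
                        memset((u_char *)g_ethernet.ether_dst, 0x00, 6);
#else
                        memset(g_ethernet.ether_dst, 0x00, 6);
                        memset(g_ethernet.ether_src, 0x00, 6);
#endif
                        g_ethernet.ether_type = htons(0x0800);
                        if (fwrite((char *)&g_ethernet, sizeof(EtherHdr), 1, data->stream) != 1)
                            FatalError("SpoUnified: write failed: %s\n", strerror(errno));
                        data->current += sizeof(EtherHdr);
                    }
#endif
                    if (fwrite((char *)spd->pkt, spd->pkth.caplen, 1, data->stream) != 1)
                        FatalError("SpoUnified: write failed: %s\n", strerror(errno));
                    data->current += spd->pkth.caplen;
                }

                /* after the first logged packet modify the event headers */
                if (first_time)
                {
                    logheader.event.sig_generator = GENERATOR_TAG;
                    logheader.event.sig_id = TAG_LOG_PKT;
                    logheader.event.sig_rev = 1;
                    logheader.event.classification = 0;
                    /* event was only guaranteed non-NULL inside the block
                     * at the top; don't dereference it unconditionally. */
                    logheader.event.priority = (event != NULL) ? event->priority : 0;
                    first_time = 0;
                }

                /* Update event ID for subsequent logged packets */
                logheader.event.event_id = ++event_id | pv.event_log_id;
            }

            spd = (StreamPacketData *) ubi_btNext((ubi_btNodePtr)spd);
        }
    }
    else
    {
        if (p)
        {
            logheader.flags = p->packet_flags;
            memcpy(&logheader.pkth, p->pkth, sizeof(SnortPktHeader));
#ifdef GIDS
            /*
            ** Add the ethernet header size to the total pktlen.
            ** If the ethernet hdr is already set, then this means
            ** that it's a portscan packet and we don't add the
            ** ethernet header.
            */
            if (!p->eh)
            {
                logheader.pkth.caplen += sizeof(EtherHdr);
                logheader.pkth.pktlen += sizeof(EtherHdr);
            }
#endif
        }
        else
        {
            logheader.flags = 0;
            logheader.pkth.ts.tv_sec = 0;
            logheader.pkth.ts.tv_usec = 0;
            logheader.pkth.caplen = 0;
            logheader.pkth.pktlen = 0;
        }

        if ((data->current + sizeof(UnifiedLog) + logheader.pkth.caplen) > data->limit)
            UnifiedLogRotateFile(data);

        /* Check these writes like the rebuilt-stream path does; a short
         * write here would leave a truncated record in the log. */
        if (fwrite((char *)&logheader, sizeof(UnifiedLog), 1, data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));

        if (p)
        {
#ifdef GIDS
            if (!p->eh)
            {
#ifndef IPFW
                memcpy((u_char *)g_ethernet.ether_src, g_m->hw_addr, 6);
                memset((u_char *)g_ethernet.ether_dst, 0x00, 6);
#else
                memset(g_ethernet.ether_dst, 0x00, 6);
                memset(g_ethernet.ether_src, 0x00, 6);
#endif
                g_ethernet.ether_type = htons(0x0800);
                if (fwrite((char *)&g_ethernet, sizeof(EtherHdr), 1, data->stream) != 1)
                    FatalError("SpoUnified: write failed: %s\n", strerror(errno));
                data->current += sizeof(EtherHdr);
            }
#endif
            /* fwrite() with a zero size returns 0, so only a non-empty
             * capture counts as a failed write. */
            if (p->pkth->caplen > 0 &&
                fwrite((char *)p->pkt, p->pkth->caplen, 1, data->stream) != 1)
                FatalError("SpoUnified: write failed: %s\n", strerror(errno));
        }

        /* Account for the record just written.  This used to run after the
         * if/else for both paths, which dereferenced p when it was NULL and
         * counted the rebuilt-stream records twice (they already update
         * data->current per segment above). */
        data->current += sizeof(UnifiedLog) + ((p != NULL) ? p->pkth->caplen : 0);
    }

    fflush(data->stream);
}

void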
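UnifiedLogRotateFile(UnifiedConfig *data)
{
    /* Close the current unified log file and open a fresh one.
     * fclose() flushes the buffered records; a failure here means log
     * data was lost, which this plugin already treats as fatal for
     * writes, so do the same on close. */
    if (fclose(data->stream) != 0)
        FatalError("UnifiedLogRotateFile(): %s\n", strerror(errno));
    data->current = 0;
    UnifiedInitLogFile(data);
}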