op_alert_csv.c

知名的开源IDS的日志工具

/* $Id: op_alert_csv.c,v 1.9 2004/03/16 04:18:20 andrewbaker Exp $ */
/*
** Copyright (C) 2001-2002 Andrew R. Baker <andrewb@snort.org>
**
** This program is distributed under the terms of version 1.0 of the 
** Q Public License.  See LICENSE.QPL for further details.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
**
*/

/* 
 * BUGS:
 *
 *   Strings are not properly escaped.  (embedded '"' will cause bad things)
 * 
 * TODO:
 *
 * Allow multiple timestamp printing formats
 *
 * Suggestions?
 *
 *
 * Keyword list:
 *  sig_gen         - signature generator
 *  sig_id          - signature id
 *  sig_rev         - signatrue revision
 *  sid             - SID triplet
 *  class           - class id
 *  classname       - textual name of class
 *  priority        - priority id
 *  event_id        - event id
 *  event_reference - event reference
 *  ref_tv_sec      - reference seconds
 *  ref_tv_usec     - reference microseconds
 *  tv_sec          - event seconds
 *  tv_usec         - event microseconds
 *  timestamp       - prettified timestamp (2001-01-01 01:02:03) in UTC
 *  src             - src address as a u_int32_t
 *  srcip           - src address as a dotted quad
 *  dst             - dst address as a u_int32_t
 *  dstip           - dst address as a dotted quad
 *  sport_itype     - source port or ICMP type (or 0)
 *  sport           - source port (if UDP or TCP)
 *  itype           - ICMP type (if ICMP)
 *  dport_icode     - dest port or ICMP code (or 0)
 *  dport           - dest port
 *  icode           - ICMP code (if ICMP)
 *  proto           - protocol number
 *  protoname       - protocol name
 *  flags           - flags from UnifiedAlertRecord
 *  msg             - message text
 *  hostname        - hostname (from barnyard.conf)
 *  interface       - interface (from barnyard.conf)
 */ 
 

/*  I N C L U D E S  *****************************************************/
#include <sys/types.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <syslog.h>
#include <errno.h>

#include "strlcpyu.h"
#include "ConfigFile.h"
#include "plugbase.h"
#include "op_plugbase.h"
#include "mstring.h"
#include "util.h"
#include "sid.h"
#include "classification.h"
#include "input-plugins/dp_alert.h"
#include "barnyard.h"


/* KEYWORD DEFINES */
#define CSV_SIG_GEN          1 
#define CSV_SIG_ID           2 
#define CSV_SIG_REV          3 
#define CSV_SID              4 
#define CSV_CLASS            5
#define CSV_CLASSNAME        6 
#define CSV_PRIORITY         7 
#define CSV_NONE             8
#define CSV_EVENT_ID         9 
#define CSV_EVENT_REFERENCE 10 
#define CSV_REF_TV_SEC      11 
#define CSV_REF_TV_USEC     12 
#define CSV_TV_SEC          13 
#define CSV_TV_USEC         14 
#define CSV_TIMESTAMP       15 
#define CSV_SRC             16 
#define CSV_SRCIP           17 
#define CSV_DST             18 
#define CSV_DSTIP           19 
#define CSV_SPORT_ITYPE     20 
#define CSV_SPORT           21 
#define CSV_ITYPE           22 
#define CSV_DPORT_ICODE     23 
#define CSV_DPORT           24 
#define CSV_ICODE           25 
#define CSV_PROTO           26 
#define CSV_PROTONAME       27 
#define CSV_FLAGS           28
#define CSV_MSG             29
#define CSV_HOSTNAME        30
#define CSV_INTERFACE       31
        
#define MAX_KEY_VALUE 31

struct keyword_value
{
    char *keyword;
    int value;
};

struct keyword_value format_keys[] =
{
    { "", 0 },
    { "sig_gen", CSV_SIG_GEN },
    { "sig_id", CSV_SIG_ID },
    { "sig_rev", CSV_SIG_REV },
    { "sid", CSV_SID },
    { "class", CSV_CLASS },
    { "classname", CSV_CLASSNAME },
    { "priority", CSV_PRIORITY },
    { "",        CSV_NONE },
    { "event_id",CSV_EVENT_ID },
    { "event_reference", CSV_EVENT_REFERENCE },
    { "ref_tv_sec", CSV_REF_TV_SEC },
    { "ref_tv_usec", CSV_REF_TV_USEC },
    { "tv_sec", CSV_TV_SEC },
    { "tv_usec", CSV_TV_USEC },
    { "timestamp", CSV_TIMESTAMP },
    { "src", CSV_SRC },
    { "srcip", CSV_SRCIP },
    { "dst", CSV_DST },
    { "dstip", CSV_DSTIP },
    { "sport_itype", CSV_SPORT_ITYPE },
    { "sport", CSV_SPORT },
    { "itype", CSV_ITYPE },
    { "dport_icode", CSV_DPORT_ICODE },
    { "dport", CSV_DPORT },
    { "icode", CSV_ICODE },
    { "proto", CSV_PROTO },
    { "protoname", CSV_PROTONAME },
    { "flags", CSV_FLAGS },
    { "msg", CSV_MSG },
    { "hostname", CSV_HOSTNAME },
    { "interface", CSV_INTERFACE },
    { NULL, -1 },
};

/*  D A T A   S T R U C T U R E S  **************************************/
typedef struct _OpAlertCSV_Data 
{
    char *filepath;
    FILE *file;
    int num_entries;
    u_int32_t *entry_defs;
} OpAlertCSV_Data;


/* Output Plugin API */
static int OpAlertCSV_Setup(OutputPlugin *, char *args);
static int OpAlertCSV_Exit(OutputPlugin *);
static int OpAlertCSV_Start(OutputPlugin *, void *);
static int OpAlertCSV_Stop(OutputPlugin *);
static int OpAlertCSV(void *, void *);
static int OpAlertCSV_LogConfig(OutputPlugin *);

static OpAlertCSV_Data *OpAlertCSV_ParseArgs(char *);
static void OpAlertCSV_ParseCustomFormat(OpAlertCSV_Data *data, char *format);
static char *CSVEscape(char *);

/* init routine makes this processor available for dataprocessor directives */
void OpAlertCSV_Init()
{
    OutputPlugin *outputPlugin;
    
    outputPlugin = RegisterOutputPlugin("alert_csv", "alert");

    outputPlugin->setupFunc = OpAlertCSV_Setup;
    outputPlugin->exitFunc = OpAlertCSV_Exit;
    outputPlugin->startFunc = OpAlertCSV_Start;
    outputPlugin->stopFunc = OpAlertCSV_Stop;
    outputPlugin->outputFunc = OpAlertCSV;
    outputPlugin->logConfigFunc = OpAlertCSV_LogConfig;
}
    

static char csv_format_string[8192];

static char *CreateFormatString(OpAlertCSV_Data *data)
{
    int i = 0;
    char *offset = csv_format_string;
    int space_left = 8192;
    char *format_string;
    int used = 0;

    if(!data)
        return NULL;

    if(data->num_entries == 0)
    {
        return "sig_gen,sig_id,sig_rev,class,priority,event_id,tv_sec,"
            "tv_usec,src,dst,sport_itype,dport_icode,protocol";
    }

    memset(csv_format_string, 0, 8192);

    /* Create the format string */
    for(i = 0; i < data->num_entries; i++)
    {
        if(i > 0)
        {
            format_string = ", %s";
        }
        else
        {
            format_string = "%s";
        }
        if(data->entry_defs[i] <= 0 || data->entry_defs[i] >= MAX_KEY_VALUE)
        {
            used = snprintf(offset, space_left, "NULL");
        }
        else
        {
            used = snprintf(offset, space_left, format_string, 
                    format_keys[data->entry_defs[i]]);
        }
        if(used >= space_left)
            return csv_format_string;

        space_left -= used;
        offset += used;
    }
    return csv_format_string;
}

static int OpAlertCSV_LogConfig(OutputPlugin *outputPlugin)
{
    OpAlertCSV_Data *data = NULL;

    if(!outputPlugin || !outputPlugin->data)
        return -1;

    data = (OpAlertCSV_Data *)outputPlugin->data;

    LogMessage("OpAlertCSV configured\n");
    LogMessage("  Filepath: %s\n", data->filepath);
    LogMessage("  Format: %s\n", CreateFormatString(data));
    
    return 0;
}


/* Setup the output plugin, process any arguments, link the functions to
 * the output functional node
 */
static int OpAlertCSV_Setup(OutputPlugin *outputPlugin, char *args)
{
    /* setup the run time context for this output plugin */
    outputPlugin->data = OpAlertCSV_ParseArgs(args);

    return 0;
}

/* Inverse of the setup function, free memory allocated in Setup 
 * can't free the outputPlugin since it is also the list node itself
 */
static int OpAlertCSV_Exit(OutputPlugin *outputPlugin)
{
    OpAlertCSV_Data *data = (OpAlertCSV_Data *)outputPlugin->data;
    
    if(data != NULL)
    {
        if(data->filepath != NULL)
            free(data->filepath);
        if(data->entry_defs != NULL)
            free(data->entry_defs);
    }
    
    return 0;
}

/* 
 * this function gets called at start time, you should open any output files
 * or establish DB connections, etc, here
 */
static int OpAlertCSV_Start(OutputPlugin *outputPlugin, void *spool_header)
{
    OpAlertCSV_Data *data = (OpAlertCSV_Data *)outputPlugin->data;

    if(data == NULL)
        FatalError("ERROR: Unable to find context for AlertCSV startup!\n");

    if(pv.verbose >= 2)
        OpAlertCSV_LogConfig(outputPlugin);
    
    /* Open file */
    if((data->file = fopen(data->filepath, "a")) == NULL)
    {
        FatalError("ERROR: Unable to open '%s' (%s)\n", data->filepath, 
                strerror(errno));
    }
    
    return 0;
}

static int OpAlertCSV_Stop(OutputPlugin *outputPlugin)
{
    OpAlertCSV_Data *data = (OpAlertCSV_Data *)outputPlugin->data;

    if(data == NULL)
        FatalError("ERROR: Unable to find context for AlertCSV startup!\n");
    
    /* close file */
    fclose(data->file);

    return 0;
}

/* 
 * this is the primary output function for the plugin, this is what gets called
 * for every record read 
 */
static int OpAlertCSV(void *context, void *data)
{
    int i = 0;
    Sid *sid = NULL;
    ClassType *class_type = NULL;
    char timestamp[TIMEBUF_SIZE];
    UnifiedAlertRecord *record = (UnifiedAlertRecord *)data;
    OpAlertCSV_Data *op_data = (OpAlertCSV_Data *)context;
    FILE *file = op_data->file;
    char *escaped_string;

    if(op_data->num_entries == 0)
    {    
        /* default output mode */
        fprintf(op_data->file, "%u,%u,%u,%u,%u,%u,%lu,%lu,%u,%u,%u,%u,%u,%u\n", 
                record->event.sig_generator,
                record->event.sig_id, record->event.sig_rev, 
                record->event.classification, record->event.priority,