📄 op_alert_csv.c

📁 知名的开源IDS的日志工具
                record->event.event_id, record->ts.tv_sec, record->ts.tv_usec,                record->sip, record->dip, record->sp, record->sp, record->dp,                record->protocol);    }    for(i = 0; i < op_data->num_entries; ++i)    {        switch(op_data->entry_defs[i])        {            case CSV_SIG_GEN:                fprintf(file, "%u", record->event.sig_generator);                break;            case CSV_SIG_ID:                fprintf(file, "%u", record->event.sig_id);                break;            case CSV_SIG_REV:                fprintf(file, "%u", record->event.sig_rev);                break;            case CSV_SID:                fprintf(file, "%u:%u:%u", record->event.sig_generator,                         record->event.sig_id, record->event.sig_rev);                break;            case CSV_CLASS:                fprintf(file, "%u", record->event.classification);                break;            case CSV_CLASSNAME:                class_type = GetClassType(record->event.classification);                fprintf(file, "\"%s\"",                         class_type != NULL ? 
class_type->name : "Unknown");                break;            case CSV_PRIORITY:                fprintf(file, "%u", record->event.priority);                break;            case CSV_EVENT_ID:                fprintf(file, "%u", record->event.event_id);                break;            case CSV_EVENT_REFERENCE:                fprintf(file, "%u", record->event.event_reference);                break;            case CSV_REF_TV_SEC:                fprintf(file, "%lu", record->event.ref_time.tv_sec);                break;            case CSV_REF_TV_USEC:                fprintf(file, "%lu", record->event.ref_time.tv_usec);                break;            case CSV_TV_SEC:                fprintf(file, "%lu", record->ts.tv_sec);                break;            case CSV_TV_USEC:                fprintf(file, "%lu", record->ts.tv_usec);                break;            case CSV_TIMESTAMP:                RenderTimestamp(record->ts.tv_sec, timestamp, TIMEBUF_SIZE);                fprintf(file, "\"%s\"", timestamp);                break;            case CSV_SRC:                fprintf(file, "%u", record->sip);                break;            case CSV_SRCIP:                fprintf(file, "%u.%u.%u.%u",                         (record->sip & 0xff000000) >> 24,                        (record->sip & 0x00ff0000) >> 16,                        (record->sip & 0x0000ff00) >> 8,                        record->sip & 0x000000ff);                break;            case CSV_DST:                fprintf(file, "%u", record->dip);                break;            case CSV_DSTIP:                fprintf(file, "%u.%u.%u.%u",                         (record->dip & 0xff000000) >> 24,                        (record->dip & 0x00ff0000) >> 16,                        (record->dip & 0x0000ff00) >> 8,                        record->dip & 0x000000ff);                break;            case CSV_SPORT_ITYPE:                fprintf(file, "%u", record->sp);                break;            case CSV_SPORT:        
        if((record->protocol == 6) || (record->protocol == 17))                    fprintf(file, "%u", record->sp);                break;            case CSV_ITYPE:                if(record->protocol == 1)                    fprintf(file, "%u", record->sp);                break;            case CSV_DPORT_ICODE:                fprintf(file, "%u", record->dp);                break;            case CSV_DPORT:                if((record->protocol == 6) || (record->protocol == 17))                    fprintf(file, "%u", record->dp);                break;            case CSV_ICODE:                if(record->protocol == 1)                    fprintf(file, "%u", record->dp);                break;            case CSV_PROTO:                fprintf(file, "%u", record->protocol);                break;            case CSV_PROTONAME:                fprintf(file, "\"%s\"", protocol_names[record->protocol]);                break;            case CSV_FLAGS:                fprintf(file, "%u", record->flags);                break;            case CSV_MSG:                sid = GetSid(record->event.sig_generator, record->event.sig_id);                if(sid != NULL && sid->CSVmsg == NULL)                    sid->CSVmsg = CSVEscape(sid->msg);                fprintf(file, "%s", sid != NULL ? sid->CSVmsg : "Snort Alert");                break;            case CSV_HOSTNAME:                escaped_string = CSVEscape(pv.hostname);                fprintf(file, "%s", pv.hostname != NULL ? escaped_string : "");                free(escaped_string);                break;            case CSV_INTERFACE:                escaped_string = CSVEscape(pv.interface);                fprintf(file, "%s", pv.interface != NULL ? 
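escaped_string : "");
                free(escaped_string);
                break;
        }

        if(i < op_data->num_entries - 1)
            fprintf(file, ",");
        else
            fprintf(file, "\n");
    }

    fflush(file);

    return 0;
}

/*
 * strdup() that follows this plugin's allocation policy: running out of
 * memory is reported through FatalError() instead of handing a NULL path
 * to a later fopen().
 */
static char *alertcsv_strdup(const char *s)
{
    char *copy = strdup(s);

    if(copy == NULL)
        FatalError("ERROR %s (%d) => Unable to allocate memory for AlertCSV "
                "plugin\n", file_name, file_line);

    return copy;
}

/*
 * Initialize the output processor for this particular instantiation.
 *
 * args is the raw option string from the configuration and is split on
 * blanks into at most two tokens: "<filepath> [<comma-separated field list>]".
 * With no arguments at all (NULL, or an empty string) the output file
 * defaults to "csv.out" and the default record layout is used, i.e.
 * num_entries stays 0 and entry_defs stays NULL.
 *
 * Returns a newly allocated OpAlertCSV_Data owned by the caller.  Allocation
 * failure and a malformed option string are fatal (FatalError).
 */
OpAlertCSV_Data *OpAlertCSV_ParseArgs(char *args)
{
    OpAlertCSV_Data *data;

    data = (OpAlertCSV_Data *)SafeAlloc(sizeof *data);

    /* explicit defaults instead of relying on the allocator zeroing memory */
    data->num_entries = 0;
    data->entry_defs = NULL;
    data->filepath = NULL;

    if(args != NULL)
    {
        char **toks;
        int num_toks;

        /* at most two tokens: the file path and the optional format list */
        toks = mSplit(args, " ", 2, &num_toks, 0);

        switch(num_toks)
        {
            case 2:
                OpAlertCSV_ParseCustomFormat(data, toks[1]);
                /* fallthrough: the file path is toks[0] in both cases */
            case 1:
                data->filepath = alertcsv_strdup(toks[0]);
                break;
            case 0:
                data->filepath = alertcsv_strdup("csv.out");
                break;
            default:
                FatalError("ERROR %s (%d) => Invalid arguments for AlertCSV "
                        "plugin: %s\n", file_name, file_line, args);
                break;
        }

        /* free your mSplit tokens */
        FreeToks(toks, num_toks);
    }
    else
    {
        data->filepath = alertcsv_strdup("csv.out");
    }

    return data;
}

/* keyword -> column selector mapping for the custom format argument */
struct csv_field_keyword
{
    const char *keyword;
    u_int32_t def;
};

static const struct csv_field_keyword csv_field_keywords[] =
{
    { "sig_gen",         CSV_SIG_GEN },
    { "sig_id",          CSV_SIG_ID },
    { "sig_rev",         CSV_SIG_REV },
    { "sid",             CSV_SID },
    { "class",           CSV_CLASS },
    { "classname",       CSV_CLASSNAME },
    { "priority",        CSV_PRIORITY },
    { "event_id",        CSV_EVENT_ID },
    { "event_reference", CSV_EVENT_REFERENCE },
    { "ref_tv_sec",      CSV_REF_TV_SEC },
    { "ref_tv_usec",     CSV_REF_TV_USEC },
    { "tv_sec",          CSV_TV_SEC },
    { "tv_usec",         CSV_TV_USEC },
    { "timestamp",       CSV_TIMESTAMP },
    { "src",             CSV_SRC },
    { "srcip",           CSV_SRCIP },
    { "dst",             CSV_DST },
    { "dstip",           CSV_DSTIP },
    { "sport_itype",     CSV_SPORT_ITYPE },
    { "sport",           CSV_SPORT },
    { "itype",           CSV_ITYPE },
    { "dport_icode",     CSV_DPORT_ICODE },
    { "dport",           CSV_DPORT },
    { "icode",           CSV_ICODE },
    { "proto",           CSV_PROTO },
    { "protoname",       CSV_PROTONAME },
    { "flags",           CSV_FLAGS },
    { "msg",             CSV_MSG },
    { "hostname",        CSV_HOSTNAME },
    { "interface",       CSV_INTERFACE }
};

/*
 * Parse the comma-separated list of field names in format (case-insensitive)
 * into data->entry_defs / data->num_entries, in the order given.
 *
 * 128 is the token limit passed to mSplit, as before.  A keyword that is not
 * in csv_field_keywords is reported on stderr and its entry is left at 0 from
 * calloc — presumably no CSV_* selector has the value 0, so the record
 * writer's switch emits an empty field for it; confirm against the enum.
 * Allocation failure is fatal (FatalError), matching OpAlertCSV_ParseArgs.
 */
void OpAlertCSV_ParseCustomFormat(OpAlertCSV_Data *data, char *format)
{
    char **toks;
    int num_toks;
    int i;

    toks = mSplit(format, ",", 128, &num_toks, 0);

    data->num_entries = num_toks;
    data->entry_defs = calloc((size_t)num_toks, sizeof *data->entry_defs);

    /* calloc(0, ...) may legitimately return NULL, so only fail on a real request */
    if(data->entry_defs == NULL && num_toks > 0)
        FatalError("ERROR %s (%d) => Unable to allocate memory for AlertCSV "
                "format\n", file_name, file_line);

    for(i = 0; i < num_toks; ++i)
    {
        size_t k;
        int matched = 0;

        for(k = 0; k < sizeof csv_field_keywords / sizeof csv_field_keywords[0]; ++k)
        {
            if(strcasecmp(csv_field_keywords[k].keyword, toks[i]) == 0)
            {
                data->entry_defs[i] = csv_field_keywords[k].def;
                matched = 1;
                break;
            }
        }

        if(!matched)
        {
            /* %d for file_line matches the FatalError() calls above — confirm
             * against file_line's declaration */
            fprintf(stderr, "WARNING %s (%d) => Unrecognized keyword in "
                    "AlertCSV: %s\n", file_name, file_line, toks[i]);
        }
    }

    FreeToks(toks, num_toks);
}

/*
 * Return a newly allocated copy of input suitable for use as one CSV field.
 *
 * If input contains neither ',' nor '"' it is copied verbatim, without
 * quotes.  Otherwise the copy is wrapped in double quotes and every '"' and
 * '\\' inside it is prefixed with a backslash.  Note that this is backslash
 * escaping, not the RFC 4180 convention of doubling the quote character,
 * and that a string containing backslashes but no ',' or '"' comes back
 * unquoted and unescaped; both behaviours are kept because they define the
 * file format existing consumers parse.
 *
 * input may be NULL, in which case NULL is returned: the record writer in
 * this file calls CSVEscape(pv.hostname) / CSVEscape(pv.interface) before
 * checking those for NULL, and free(NULL) is harmless.  The caller owns the
 * returned buffer and must free() it.  Allocation goes through SafeAlloc
 * (presumably fatal on failure, as elsewhere in this plugin).
 */
char *CSVEscape(char *input)
{
    const char *src;
    char *buffer;
    char *dst;
    size_t len;

    if(input == NULL)
        return NULL;

    len = strlen(input);

    if((strchr(input, ',') == NULL) && (strchr(input, '"') == NULL))
    {
        /* plain copy; SafeAlloc instead of strdup so OOM policy is uniform */
        buffer = (char *)SafeAlloc(len + 1);
        memcpy(buffer, input, len + 1);
        return buffer;
    }

    /* worst case: every byte escaped (2*len) + opening quote + closing quote + NUL */
    buffer = (char *)SafeAlloc((len * 2) + 3);
    dst = buffer;

    *dst++ = '"';
    for(src = input; *src != '\0'; ++src)
    {
        if(*src == '"' || *src == '\\')
            *dst++ = '\\';
        *dst++ = *src;
    }
    *dst++ = '"';
    /* terminate explicitly rather than depending on the allocator zero-filling */
    *dst = '\0';

    return buffer;
}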
