📄 op_alert_syslog2.c
字号:
/*** Copyright (C) 2003 Sourcefire, Inc. (www.sourcefire.com)** Copyright (C) 2001-2002 Andrew R. Baker <andrewb@snort.org>** ** This program is distributed under the terms of version 1.0 of the ** Q Public License. See LICENSE.QPL for further details.**** This program is distributed in the hope that it will be useful,** but WITHOUT ANY WARRANTY; without even the implied warranty of** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.**** Author(s): Andrew R. Baker <andrewb@sourcefire.com>**** Based on op_alert_syslog.c*/#ifdef HAVE_CONFIG_H#include "config.h"#endif#include <sys/types.h>#include <string.h>#include <stdlib.h>#include <unistd.h>#include <ctype.h>#include <time.h>#include <netinet/in.h>#include <errno.h>#include <netdb.h>extern int h_errno;#include <sys/socket.h>#include <arpa/inet.h>#include "output-plugins/op_plugbase.h"#include "util.h"#include "barnyard.h"#include "input-plugins/dp_alert.h"#include "mstring.h"#include "classification.h"#include "sid.h"#define MODULE_NAME "alert_syslog2"typedef struct _OpAlertSyslog2_Data { /* Runtime configuration */ char *message_buffer; int header_length; int month_offset; int timestamp_offset; int socket; struct sockaddr_in sin; u_int8_t priority; /* Configuration arguments */ char *tag; char *hostname; char *syslog_host; int facility; int severity; int syslog_port; u_int8_t pid_flag;} OpAlertSyslog2_Data;#define MESSAGE_LENGTH 1024#define MONTH_LENGTH 3#define TIMESTAMP_LENGTH 11/* Message Template: * * <PRI>xxx xx xx:xx:xx xxxxxxxx xxxxx[xxxxx]: * * template len - the length of the template * month offset - the offset where the month begins * month length - the length of bytes for the month * timestamp offset - the offset where the timestamp begins * timestamp length - the length of bytes for the timestamp * msg offset *//* Values to use for the month portion of the message. We cannot use * strftime for this */char *month_values[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};/* Plugin entry functions */static int OpAlertSyslog2_Setup(OutputPlugin *, char *args);static int OpAlertSyslog2_Exit(OutputPlugin *);static int OpAlertSyslog2_Start(OutputPlugin *, void *);static int OpAlertSyslog2_Stop(OutputPlugin *);static int OpAlertSyslog2(void *, void *);static int OpAlertSyslog2_LogConfig(OutputPlugin *);static OpAlertSyslog2_Data *OpAlertSyslog2_ParseArgs(char *args);static int IsValidHostname(char *hostname);static int IsValidSyslogTag(char *syslog_tag);struct keyword_value{ char *keyword; int value;};struct keyword_value facility_map[] = { { "KERN", 0 }, { "USER", 1 }, { "MAIL", 2 }, { "DAEMON", 3 }, { "AUTH", 4 }, { "SYSLOG", 5 }, { "LPR", 6 }, { "NEWS", 7 }, { "UUCP", 8 }, { "CRON", 9 }, { "AUTHPRIV", 10 }, { "FTP", 11 }, { "NTP", 12 }, { "AUDIT", 13 }, { "ALERT", 14 }, { "CLOCK", 15 }, { "LOCAL0", 16 }, { "LOCAL1", 17 }, { "LOCAL2", 18 }, { "LOCAL3", 19 }, { "LOCAL4", 20 }, { "LOCAL5", 21 }, { "LOCAL6", 22 }, { "LOCAL7", 23 }, { NULL, -1 }};#define DEFAULT_FACILITY 23#define MAX_FACILITY 23struct keyword_value severity_map[] = { { "EMERG", 0 }, { "ALERT", 1 }, { "CRIT", 2 }, { "ERROR", 3 }, { "WARN", 4 }, { "NOTICE", 5 }, { "INFO", 6 }, { "DEBUG", 7 }, { NULL, -1 }};#define DEFAULT_SEVERITY 5#define MAX_SEVERITY 7#define DEFAULT_SYSLOG_PORT 514#define DEFAULT_SYSLOG_HOST "localhost"/* init routine makes this processor available for dataprocessor directives */void OpAlertSyslog2_Init(){ OutputPlugin *outputPlugin; /* Register the output plugin */ outputPlugin = RegisterOutputPlugin(MODULE_NAME, "alert"); /* Set the functions */ outputPlugin->setupFunc = OpAlertSyslog2_Setup; outputPlugin->exitFunc = OpAlertSyslog2_Exit; outputPlugin->startFunc = OpAlertSyslog2_Start; outputPlugin->stopFunc = OpAlertSyslog2_Stop; outputPlugin->outputFunc = OpAlertSyslog2; outputPlugin->logConfigFunc = OpAlertSyslog2_LogConfig;}static int OpAlertSyslog2_LogConfig(OutputPlugin *outputPlugin){ OpAlertSyslog2_Data *data = NULL; if(!outputPlugin || !outputPlugin->data) return -1; data = (OpAlertSyslog2_Data *)outputPlugin->data; LogMessage("OpAlertSyslog2 configured\n"); LogMessage(" Syslog Host/Port: %s:%u/udp\n", data->syslog_host, data->syslog_port); LogMessage(" Syslog Facility: %s(%i)\n", facility_map[data->facility], data->facility); LogMessage(" Syslog Severity: %s(%i)\n", severity_map[data->severity], data->severity); LogMessage(" Hostname: %s\n", data->hostname); if(data->pid_flag) LogMessage(" Tag: %s[%u]\n", data->tag, getpid()); else LogMessage(" Tag: %s\n", data->tag); return 0;}/* Instantiate the output plugin */static int OpAlertSyslog2_Setup(OutputPlugin *outputPlugin, char *args){ /* setup the run time context for this output plugin */ if(!(outputPlugin->data = OpAlertSyslog2_ParseArgs(args))) { FatalError("Failed to setup %s output plugin\n", MODULE_NAME); return -1; /* XXX Eventually we will look at these result codes */ } return 0;}/* Destructor function */static int OpAlertSyslog2_Exit(OutputPlugin *outputPlugin){ OpAlertSyslog2_Data *data = (OpAlertSyslog2_Data *)outputPlugin->data; /* free that context data */ if(data) { if(data->message_buffer) free(data->message_buffer); data->message_buffer = NULL; if(data->tag) free(data->tag); data->tag = NULL; if(data->hostname) free(data->hostname); data->hostname = NULL; if(data->syslog_host) free(data->syslog_host); data->syslog_host = NULL; free(data); } data = NULL; outputPlugin->data = NULL; return 0;}/* Start function */static int OpAlertSyslog2_Start(OutputPlugin *outputPlugin, void *spool_header){ OpAlertSyslog2_Data *data = (OpAlertSyslog2_Data *)outputPlugin->data; struct hostent *host_entry = NULL; if(data == NULL) FatalError("ERROR: Unable to find context for %s\n", MODULE_NAME); if(pv.verbose >= 2) OpAlertSyslog2_LogConfig(outputPlugin); /* Lookup the remote host */ if(inet_aton(data->syslog_host, &data->sin.sin_addr) == 0) { if(!(host_entry = gethostbyname(data->syslog_host))) FatalError("%s: Unable to lookup remote host '%s': %s\n", MODULE_NAME, data->syslog_host, hstrerror(h_errno)); memcpy(&data->sin.sin_addr, host_entry->h_addr, sizeof(data->sin.sin_addr)); } data->sin.sin_family = AF_INET; data->sin.sin_port = htons(data->syslog_port); /* open a socket to the remote syslog host */ if((data->socket = socket(PF_INET, SOCK_DGRAM, 0)) == -1) FatalError("%s: Unable to create socket: %s\n", MODULE_NAME, strerror(errno)); return 0;}/* Stop function */static int OpAlertSyslog2_Stop(OutputPlugin *outputPlugin){ OpAlertSyslog2_Data *data = (OpAlertSyslog2_Data *)outputPlugin->data; if(data == NULL) FatalError("ERROR: Unable to find context for %s\n", MODULE_NAME); /* close the socket */ if(data->socket != -1) close(data->socket); data->socket = -1; return 0;}/* output function */static int OpAlertSyslog2(void *context, void *data){ UnifiedAlertRecord *record; OpAlertSyslog2_Data *op_data; struct tm *tm; char src[16]; char dest[16]; ClassType *class_type = NULL; Sid *sid = NULL; int length; int rval; if(!data || !context) return -1; record = (UnifiedAlertRecord *)data; op_data = (OpAlertSyslog2_Data *)context; sid = GetSid(record->event.sig_generator, record->event.sig_id); class_type = GetClassType(record->event.classification); /* convert alert timestamp to struct tm using gmtime */ if(pv.localtime) tm = localtime(&record->ts.tv_sec); else tm = gmtime(&record->ts.tv_sec); memcpy(op_data->message_buffer + op_data->month_offset, month_values[tm->tm_mon], MONTH_LENGTH); strftime(op_data->message_buffer + op_data->timestamp_offset, TIMESTAMP_LENGTH + 1, "%e %H:%M:%S", tm); op_data->message_buffer[op_data->timestamp_offset + TIMESTAMP_LENGTH] = ' '; snprintf(src, 16, "%u.%u.%u.%u", (record->sip & 0xff000000) >> 24, (record->sip & 0x00ff0000) >> 16, (record->sip & 0x0000ff00) >> 8, record->sip & 0x000000ff); snprintf(dest, 16, "%u.%u.%u.%u", (record->dip & 0xff000000) >> 24, (record->dip & 0x00ff0000) >> 16, (record->dip & 0x0000ff00) >> 8, record->dip & 0x000000ff); switch(record->protocol) { case IPPROTO_TCP: case IPPROTO_UDP: length = snprintf(op_data->message_buffer + op_data->header_length, MESSAGE_LENGTH - op_data->header_length, "[%d:%d:%d] %s [Classification: %s] " "[Priority: %d] {%s} %s:%d -> %s:%d", record->event.sig_generator, record->event.sig_id, record->event.sig_rev, sid != NULL ? sid->msg : "ALERT", class_type != NULL ? class_type->name : "Unknown", record->event.priority, protocol_names[record->protocol], src, record->sp, dest, record->dp); break; case IPPROTO_ICMP: length = snprintf(op_data->message_buffer + op_data->header_length, MESSAGE_LENGTH - op_data->header_length, "[%d:%d:%d] %s [Classification: %s] " "[Priority: %d] {%s} %s -> %s", record->event.sig_generator, record->event.sig_id, record->event.sig_rev, sid != NULL ? sid->msg : "ALERT", class_type != NULL ? class_type->name : "Unknown", record->event.priority, protocol_names[record->protocol], src, dest); break;⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -