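/* $Id: op_logdump.c,v 1.11 2004/04/03 19:57:32 andrewbaker Exp $ */
/*
** Copyright (C) 2001-2002 Andrew R. Baker <andrewb@snort.org>
** Copyright (C) 2001 Martin Roesch <roesch@sourcefire.com>
**
** This program is distributed under the terms of version 1.0 of the
** Q Public License. See LICENSE.QPL for further details.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
**
*/

#include "config.h"

#include <stdio.h>
#include <string.h>
#ifdef SOLARIS
#include <strings.h>
#endif
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#include "barnyard.h"
#include "plugbase.h"
#include "op_plugbase.h"
#include "util.h"
#include "mstring.h"
#include "sid.h"
#include "classification.h"
#include "op_decode.h"
#include "input-plugins/dp_log.h"

/*
 * Per-instance state of the log_dump output plug-in.  One of these is
 * allocated by ParseLogDumpArgs() and hung off OutputPlugin->data; it is
 * released again by OpLogDump_Exit().
 */
typedef struct _LogDumpData
{
    char *filename;   /* name from the config line (or "dump.log"); owned, freed in Exit */
    char *filepath;   /* result of ProcessFileOption(); owned, NULL outside Start..Stop */
    FILE *file;       /* open dump stream between Start and Stop, NULL otherwise */
} LogDumpData;

/* Output plug-in API functions */
static int OpLogDump_Setup(OutputPlugin *, char *);
static int OpLogDump_Exit(OutputPlugin *);
static int OpLogDump_Start(OutputPlugin *, void *);
static int OpLogDump_Stop(OutputPlugin *);
static int OpLogDump(void *, void *);
static int OpLogDump_LogConfig(OutputPlugin *);

/* Internal functions */
static void ParseLogDumpArgs(char *, OutputPlugin *);
static FILE *OpenLogFile(char *);
static int PrintIPHeader(FILE *, Packet *);
static void PrintAddrPair(FILE *, Packet *, int);
static void PrintTCPHeader(FILE *, Packet *);
static void PrintUDPHeader(FILE *, Packet *);
static void PrintICMPHeader(FILE *, Packet *);
static void PrintTcpOptions(FILE *, Packet *);
static void PrintIpOptions(FILE *, Packet *);

/*
 * init routine makes this processor available for dataprocessor directives
 *
 * Registers "log_dump" as a "log" output plug-in and wires up the API
 * callbacks.  Aborts via FatalError() if registration yields no plug-in
 * node, since every callback assignment below dereferences it.
 */
void OpLogDump_Init(void)
{
    OutputPlugin *outputPlugin = RegisterOutputPlugin("log_dump", "log");

    if(outputPlugin == NULL)
        FatalError("ERROR: Unable to register output plugin log_dump\n");

    outputPlugin->setupFunc = OpLogDump_Setup;
    outputPlugin->exitFunc = OpLogDump_Exit;
    outputPlugin->startFunc = OpLogDump_Start;
    outputPlugin->stopFunc = OpLogDump_Stop;
    outputPlugin->outputFunc = OpLogDump;
    outputPlugin->logConfigFunc = OpLogDump_LogConfig;
}

/*
 * Log the effective configuration of this instance.
 * Returns 0, or -1 when the plug-in has no context attached.
 */
static int OpLogDump_LogConfig(OutputPlugin *outputPlugin)
{
    LogDumpData *data;

    if(!outputPlugin || !outputPlugin->data)
        return -1;

    data = (LogDumpData *)outputPlugin->data;

    LogMessage("OpLogDump configured\n");
    LogMessage("    Filename: %s\n", data->filename);

    return 0;
}

/*
 * link the output processor functions to an output function node
 *
 * args is the remainder of the config line (may be NULL).
 * Returns 0, or -1 when there is no plug-in node to attach the context to.
 */
static int OpLogDump_Setup(OutputPlugin *outputPlugin, char *args)
{
    if(outputPlugin == NULL)
        return -1;

    ParseLogDumpArgs(args, outputPlugin);
    return 0;
}

/*
 * Release everything ParseLogDumpArgs()/Start() allocated for this instance.
 * Normally Stop() has already closed the file and freed filepath; both are
 * handled here as well so that a skipped Stop() does not leak.  The context
 * pointer on the plug-in node is cleared so later callbacks cannot reuse it.
 */
static int OpLogDump_Exit(OutputPlugin *outputPlugin)
{
    LogDumpData *data;

    if(outputPlugin == NULL)
        return -1;

    data = (LogDumpData *)outputPlugin->data;
    if(data != NULL)
    {
        if(data->file != NULL)
            fclose(data->file);
        free(data->filepath);
        free(data->filename);
        free(data);
        outputPlugin->data = NULL;
    }

    return 0;
}

/*
 * Resolve the configured file name and open the dump file.
 * spool_header is part of the plug-in API but unused here.
 * Aborts via FatalError() when the context is missing or the file cannot
 * be opened, because OpLogDump() writes to data->file unconditionally.
 */
static int OpLogDump_Start(OutputPlugin *outputPlugin, void *spool_header)
{
    LogDumpData *data;

    (void)spool_header;

    if(outputPlugin == NULL || outputPlugin->data == NULL)
        FatalError("ERROR: Unable to find context for log dump startup!\n");

    data = (LogDumpData *)outputPlugin->data;

    if(pv.verbose >= 2)
        OpLogDump_LogConfig(outputPlugin);

    data->filepath = ProcessFileOption(data->filename);
    data->file = OpenLogFile(data->filepath);
    if(data->file == NULL)
    {
        /* errno is assumed to still reflect the failing open inside OpenLogFile() */
        LogMessage("ERROR: OpLogDump unable to open %s: %s\n",
                   data->filepath != NULL ? data->filepath : "(null)",
                   strerror(errno));
        FatalError("ERROR: OpLogDump unable to open log dump file\n");
    }

    return 0;
}

/*
 * Close the dump file and drop the resolved path.
 * Returns 0, or -1 when the plug-in has no context (the original code
 * dereferenced it unconditionally).  A failed fclose() is reported but
 * not fatal: the data has already been flushed as far as it can be.
 */
static int OpLogDump_Stop(OutputPlugin *outputPlugin)
{
    LogDumpData *data;

    if(outputPlugin == NULL || outputPlugin->data == NULL)
        return -1;

    data = (LogDumpData *)outputPlugin->data;

    if(data->file != NULL)
    {
        /* fclose() flushes; its return value is the last chance to notice a write error */
        if(fclose(data->file) != 0)
            LogMessage("ERROR: OpLogDump failed to close %s: %s\n",
                       data->filepath != NULL ? data->filepath : "(null)",
                       strerror(errno));
        data->file = NULL;
    }

    free(data->filepath);
    data->filepath = NULL;

    return 0;
}

/*
 * Output callback: write one unified log record (event header plus the
 * captured packet, if any) to the dump file in snort "-v"-like form.
 *
 * data    - the LogDumpData context of this instance
 * logdata - a UnifiedLogRecord produced by the unified log input plug-in
 * Returns 0 on success, -1 when either pointer or the dump stream is missing.
 */
static int OpLogDump(void *data, void *logdata)
{
    UnifiedLogRecord *ad = (UnifiedLogRecord *)logdata;
    LogDumpData *afd = (LogDumpData *)data;
    Packet p;
    Sid *sid;
    ClassType *ct;

    if(ad == NULL || afd == NULL || afd->file == NULL)
        return -1;

    sid = GetSid(ad->log.event.sig_generator, ad->log.event.sig_id);
    ct = GetClassType(ad->log.event.classification);

    /* every numeric field is widened to unsigned long so the format always matches */
    fprintf(afd->file,
            "[**] [%lu:%lu:%lu] %s [**]\n[Classification: %s] [Priority: %lu]\n",
            (unsigned long) ad->log.event.sig_generator,
            (unsigned long) ad->log.event.sig_id,
            (unsigned long) ad->log.event.sig_rev,
            sid != NULL ? sid->msg : "ALERT",
            ct != NULL ? ct->name : "Unknown",
            (unsigned long) ad->log.event.priority);

    PrintXref(ad->log.event.sig_generator, ad->log.event.sig_id, afd->file);

    fprintf(afd->file, "Event ID: %lu Event Reference: %lu\n",
            (unsigned long) ad->log.event.event_id,
            (unsigned long) ad->log.event.event_reference);

    if(ad->log.pkth.caplen != 0)
    {
        /* start from a clean Packet so a partial decode cannot leave stale pointers behind */
        memset(&p, 0, sizeof p);

        /* the 2-byte skip into ad->pkt is inherited from the record layout — TODO confirm;
         * DecodePacket() is relied upon to stay within pkth.caplen */
        if(DecodePacket(&p, &ad->log.pkth, ad->pkt + 2) != 0)
        {
            fprintf(afd->file, "Linktype %i not decoded.  Raw packet dumped\n", linktype);
            PrintNetData(afd->file, ad->pkt + 2, ad->log.pkth.caplen);
            ClearDumpBuf();
        }
        else
        {
            if(p.iph != NULL)
            {
                /* a failed IP header print skips the payload dump as well */
                if(PrintIPHeader(afd->file, &p) == -1)
                    goto done;

                switch(p.iph->ip_proto)
                {
                    case IPPROTO_TCP:
                        PrintTCPHeader(afd->file, &p);
                        break;
                    case IPPROTO_UDP:
                        PrintUDPHeader(afd->file, &p);
                        break;
                    case IPPROTO_ICMP:
                        PrintICMPHeader(afd->file, &p);
                        break;
                    default:
                        break;
                }
            }

            if(p.dsize)
            {
                PrintNetData(afd->file, p.data, p.dsize);
                ClearDumpBuf();
            }
        }
    }

done:
    fprintf(afd->file, "=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n\n");
    fflush(afd->file);

    return 0;
}

/*
 * initialize the output processor for this particular instantiation
 *
 * Only the first whitespace-separated token of args is used, as the dump
 * file name; a NULL or empty argument list selects "dump.log".  Aborts via
 * FatalError() if the file name cannot be duplicated.
 */
static void ParseLogDumpArgs(char *args, OutputPlugin *outputPlugin)
{
    LogDumpData *data;

    data = (LogDumpData *)SafeAlloc(sizeof *data);
    /* explicit so Exit()/Stop() can rely on NULL meaning "not set" */
    data->filename = NULL;
    data->filepath = NULL;
    data->file = NULL;

    if(args != NULL)
    {
        char **toks;
        int num_toks = 0;

        toks = mSplit(args, " ", 2, &num_toks, 0);
        if(toks != NULL)
        {
            /* an argument string that splits into nothing falls back to the default name */
            if(num_toks > 0 && toks[0] != NULL)
                data->filename = strdup(toks[0]);
            FreeToks(toks, num_toks);
        }
    }

    if(data->filename == NULL)
        data->filename = strdup("dump.log");

    if(data->filename == NULL)
        FatalError("ERROR: OpLogDump unable to allocate memory for file name\n");

    outputPlugin->data = data;
}

/*
 * Print "src -> dst" for the packet's IP header, with ":port" appended to
 * each side when with_ports is non-zero.  inet_ntoa() hands back a static
 * buffer, so each address is written out before the next call is made.
 */
static void PrintAddrPair(FILE *fp, Packet *p, int with_ports)
{
    fputs(inet_ntoa(p->iph->ip_src), fp);
    if(with_ports)
        fprintf(fp, ":%d", p->sp);
    fputs(" -> ", fp);
    fputs(inet_ntoa(p->iph->ip_dst), fp);
    if(with_ports)
        fprintf(fp, ":%d", p->dp);
}

/*
 * Print the timestamp, address line and IP header summary of p to fp.
 * Returns 0 on success, -1 when the IP header is missing or the packet
 * timestamp cannot be rendered (nothing is written in the first case,
 * only an error is logged in the second).
 */
static int PrintIPHeader(FILE *fp, Packet *p)
{
    char timestamp[256];
    int with_ports;

    if(p->iph == NULL)
    {
        fprintf(fp, "IP header truncated\n");
        return -1;
    }

    if(RenderTimeval(&p->pkth->ts, timestamp, sizeof timestamp) == -1)
    {
        LogMessage("ERROR: OpLogDump failed to render timeval\n");
        return -1;
    }

    fprintf(fp, "%s ", timestamp);

    /* ports are only meaningful on an unfragmented TCP or UDP packet */
    with_ports = !(p->pkt_flags & PKT_FRAG_FLAG)
                 && (p->iph->ip_proto == IPPROTO_TCP
                     || p->iph->ip_proto == IPPROTO_UDP);
    PrintAddrPair(fp, p, with_ports);
    fputc('\n', fp);

    /* protocol_names is indexed directly by ip_proto — assumes a 256-entry table, verify */
    fprintf(fp, "%s TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d",
            protocol_names[p->iph->ip_proto],
            p->iph->ip_ttl,
            (unsigned) p->iph->ip_tos,
            ntohs(p->iph->ip_id),
            IP_HLEN(p->iph) << 2,
            ntohs(p->iph->ip_len));

    /* print the reserved bit if it's set */
    if(p->pkt_flags & PKT_RB_FLAG)
        fprintf(fp, " RB");

    if(p->pkt_flags & PKT_DF_FLAG)
        fprintf(fp, " DF");

    if(p->pkt_flags & PKT_MF_FLAG)
        fprintf(fp, " MF");

    fputc('\n', fp);

    /* print IP options */
    if(p->ip_option_count != 0)
        PrintIpOptions(fp, p);

    /* print fragment info if necessary */
    if(p->pkt_flags & PKT_FRAG_FLAG)
    {
        fprintf(fp, "Frag Offset: 0x%X   Frag Size: 0x%X",
                (unsigned) (p->frag_offset & 0xFFFF),
                (unsigned) p->dsize);
        fputc('\n', fp);
    }

    return 0;
}

/*
 * Print the TCP flag string, sequence/ack/window/length summary, the urgent
 * pointer when URG is set, and any TCP options of p to fp.
 */
static void PrintTCPHeader(FILE *fp, Packet *p)
{
    char tcpFlags[9];

    if(p->tcph == NULL)
    {
        fprintf(fp, "TCP header truncated\n");
        return;
    }

    /* print TCP flags: eight flag characters, the trailing NUL is not written */
    CreateTCPFlagString(p, tcpFlags);
    fwrite(tcpFlags, 1, 8, fp);

    /* print other TCP info */
    fprintf(fp, " Seq: 0x%lX  Ack: 0x%lX  Win: 0x%X  TcpLen: %d",
            (unsigned long) ntohl(p->tcph->th_seq),
            (unsigned long) ntohl(p->tcph->th_ack),
            (unsigned) ntohs(p->tcph->th_win),
            TCP_OFFSET(p->tcph) << 2);

    if((p->tcph->th_flags & TH_URG) != 0)
        fprintf(fp, "  UrgPtr: 0x%X\n", (unsigned) ntohs(p->tcph->th_urp));
    else
        fputc('\n', fp);

    /* dump the TCP options */
    if(p->tcp_option_count != 0)
        PrintTcpOptions(fp, p);
}

/* Print the UDP length field of p to fp. */
static void PrintUDPHeader(FILE *fp, Packet *p)
{
    if(p->udph == NULL)
    {
        fprintf(fp, "UDP header truncated\n");
        return;
    }

    /* not much to do here... */
    fprintf(fp, "Len: %d\n", ntohs(p->udph->uh_len));
}

/* Print the ICMP type/code of p to fp.  (Definition continues past the end of this excerpt.) */
static void PrintICMPHeader(FILE *fp, Packet *p)
{
    if(p->icmph == NULL)
    {
        fprintf(fp, "ICMP header truncated\n");
        return;
    }

    fprintf(fp, "Type:%d  Code:%d  ", p->icmph->icmp_type, p->icmph->icmp_code);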