#endif /* possible openlog facilities */#ifdef LOG_AUTHPRIV if(!strcasecmp("LOG_AUTHPRIV", tmp)) { data->facility = LOG_AUTHPRIV; } else#endif#ifdef LOG_AUTH if(!strcasecmp("LOG_AUTH", tmp)) { data->facility = LOG_AUTH; } else#endif#ifdef LOG_DAEMON if(!strcasecmp("LOG_DAEMON", tmp)) { data->facility = LOG_DAEMON; } else#endif#ifdef LOG_LOCAL0 if(!strcasecmp("LOG_LOCAL0", tmp)) { data->facility = LOG_LOCAL0; } else#endif#ifdef LOG_LOCAL1 if(!strcasecmp("LOG_LOCAL1", tmp)) { data->facility = LOG_LOCAL1; } else#endif#ifdef LOG_LOCAL2 if(!strcasecmp("LOG_LOCAL2", tmp)) { data->facility = LOG_LOCAL2; } else#endif#ifdef LOG_LOCAL3 if(!strcasecmp("LOG_LOCAL3", tmp)) { data->facility = LOG_LOCAL3; } else#endif#ifdef LOG_LOCAL4 if(!strcasecmp("LOG_LOCAL4", tmp)) { data->facility = LOG_LOCAL4; } else#endif#ifdef LOG_LOCAL5 if(!strcasecmp("LOG_LOCAL5", tmp)) { data->facility = LOG_LOCAL5; } else#endif#ifdef LOG_LOCAL6 if(!strcasecmp("LOG_LOCAL6", tmp)) { data->facility = LOG_LOCAL6; } else#endif#ifdef LOG_LOCAL7 if(!strcasecmp("LOG_LOCAL7", tmp)) { data->facility = LOG_LOCAL7; } else#endif#ifdef LOG_USER if(!strcasecmp("LOG_USER", tmp)) { data->facility = LOG_USER; } else#endif /* possible syslog priorities */#ifdef LOG_EMERG if(!strcasecmp("LOG_EMERG", tmp)) { data->priority = LOG_EMERG; } else#endif#ifdef LOG_ALERT if(!strcasecmp("LOG_ALERT", tmp)) { data->priority = LOG_ALERT; } else#endif#ifdef LOG_CRIT if(!strcasecmp("LOG_CRIT", tmp)) { data->priority = LOG_CRIT; } else#endif#ifdef LOG_ERR if(!strcasecmp("LOG_ERR", tmp)) { data->priority = LOG_ERR; } else#endif#ifdef LOG_WARNING if(!strcasecmp("LOG_WARNING", tmp)) { data->priority = LOG_WARNING; } else#endif#ifdef LOG_NOTICE if(!strcasecmp("LOG_NOTICE", tmp)) { data->priority = LOG_NOTICE; } else#endif#ifdef LOG_INFO if(!strcasecmp("LOG_INFO", tmp)) { data->priority = LOG_INFO; } else#endif#ifdef LOG_DEBUG if(!strcasecmp("LOG_DEBUG", tmp)) { data->priority = LOG_DEBUG; } else#endif { LogMessage("WARNING %s (%d) => 
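Unrecognized syslog " "facility/priority: %s\n", file_name, file_line, tmp); } } mSplitFree(&facility_toks, num_facility_toks); return data;}

/* Set by the detection engine to the rule that fired the current alert;
 * may be NULL when no rule is associated with the event. */
extern OptTreeNode *otn_tmp;

/* Size of the assembled syslog line, including the terminating NUL. */
#define SYSLOG_BUF 1024

/*
 * Function: AppendSyslogPriority(char *, size_t)
 *
 * Purpose: Append the " [Classification: X] [Priority: N]:" (or the bare
 *          "[Priority: N]:") fragment taken from otn_tmp to event_string.
 *          Nothing is appended when otn_tmp is NULL, when the class type has
 *          no name, or when there is no class type and the priority is 0.
 *
 * Arguments: event_string => NUL-terminated buffer being built
 *            len          => total capacity of event_string
 *
 * Returns: 0 on success, -1 if formatting failed or the line would be
 *          truncated (the caller drops the alert, as the original code did).
 */
static int AppendSyslogPriority(char *event_string, size_t len)
{
    char pri_data[STD_BUF];

    if (otn_tmp == NULL)
    {
        return 0;
    }

    /* Always start from an empty fragment so the strlcat below never reads
     * an uninitialized buffer (previously possible when classType had no
     * name). */
    pri_data[0] = '\0';

    if (otn_tmp->sigInfo.classType)
    {
        if (otn_tmp->sigInfo.classType->name)
        {
            if (SnortSnprintf(pri_data, sizeof pri_data,
                              " [Classification: %s] [Priority: %d]:",
                              otn_tmp->sigInfo.classType->name,
                              otn_tmp->sigInfo.priority) != SNORT_SNPRINTF_SUCCESS)
            {
                return -1;
            }
        }
    }
    else if (otn_tmp->sigInfo.priority != 0)
    {
        if (SnortSnprintf(pri_data, sizeof pri_data, "[Priority: %d]:",
                          otn_tmp->sigInfo.priority) != SNORT_SNPRINTF_SUCCESS)
        {
            return -1;
        }
    }

    if (strlcat(event_string, pri_data, len) >= len)
    {
        return -1;
    }

    return 0;
}

/*
 * Function: FormatSyslogEndpoints(Packet *, const char *, const char *,
 *                                 char *, size_t)
 *
 * Purpose: Format the " [<iface>] {proto} src[:sp] -> dst[:dp]" tail of the
 *          alert line into ip_data.  Ports are only printed for unfragmented
 *          TCP/UDP; the interface is only printed when pv.alert_interface_flag
 *          is set.  If the protocol has no name (or the interface name is
 *          unavailable) ip_data is left as an empty string rather than
 *          untouched, so the caller can always append it safely.
 *
 * Arguments: p       => packet the alert was raised on (must be non-NULL
 *                       with a valid IPv4 header)
 *            sip/dip => dotted-quad source/destination addresses
 *            ip_data => output buffer
 *            ip_len  => capacity of ip_data
 *
 * Returns: 0 on success (including "nothing to print"), -1 on a formatting
 *          failure.
 */
static int FormatSyslogEndpoints(Packet *p, const char *sip, const char *dip,
                                 char *ip_data, size_t ip_len)
{
    const char *proto = protocol_names[GET_IPH_PROTO(p)];
    /* Ports are meaningful only for unfragmented TCP/UDP. */
    int have_ports = (GET_IPH_PROTO(p) == IPPROTO_TCP ||
                      GET_IPH_PROTO(p) == IPPROTO_UDP) && !p->frag_flag;
    int rc;

    ip_data[0] = '\0';

    if (proto == NULL)
    {
        return 0;
    }

    if (pv.alert_interface_flag)
    {
        /* NOTE(review): PRINT_INTERFACE is assumed to yield a C string or
         * NULL, as the original `&& PRINT_INTERFACE(...)` test implies. */
        const char *iface = PRINT_INTERFACE(pv.interface);

        if (iface == NULL)
        {
            return 0;
        }

        if (have_ports)
        {
            rc = SnortSnprintf(ip_data, ip_len, " <%s> {%s} %s:%i -> %s:%i",
                               iface, proto, sip, p->sp, dip, p->dp);
        }
        else
        {
            rc = SnortSnprintf(ip_data, ip_len, " <%s> {%s} %s -> %s",
                               iface, proto, sip, dip);
        }
    }
    else
    {
        if (have_ports)
        {
            rc = SnortSnprintf(ip_data, ip_len, " {%s} %s:%i -> %s:%i",
                               proto, sip, p->sp, dip, p->dp);
        }
        else
        {
            rc = SnortSnprintf(ip_data, ip_len, " {%s} %s -> %s",
                               proto, sip, dip);
        }
    }

    return (rc == SNORT_SNPRINTF_SUCCESS) ? 0 : -1;
}

/*
 * Function: AlertSyslog(Packet *, char *, void *, Event *)
 *
 * Purpose: Emit one alert line to syslog(3) at the configured priority.
 *          The line is "[gid:sid:rev] msg [Classification/Priority] {proto}
 *          src -> dst".  Packets without a valid IP header are logged with
 *          the bare message only; non-IPv4 packets are dropped silently
 *          (sip/dip are sized for dotted quads).
 *
 * Arguments: p     => packet the alert was raised on (may be NULL)
 *            msg   => rule message, or NULL
 *            arg   => SyslogData * holding the configured priority
 *            event => event header with generator/sig id/revision, or NULL
 *
 * Returns: void function
 */
void AlertSyslog(Packet *p, char *msg, void *arg, Event *event)
{
    char sip[16];   /* "ddd.ddd.ddd.ddd" + NUL */
    char dip[16];
    char ip_data[STD_BUF];
    char event_string[SYSLOG_BUF];
    SyslogData *data = (SyslogData *)arg;

    event_string[0] = '\0';

    /* Remove this check when we support IPv6 below; sip and dip need to
     * grow for IPv6.  Guard p first so a NULL packet is not dereferenced
     * before the header check. */
    if (p != NULL && !IS_IP4(p))
    {
        return;
    }

    /* No usable IP header: log the message alone. */
    if (p == NULL || !IPH_IS_VALID(p))
    {
        syslog(data->priority, "%s", msg == NULL ? "ALERT!" : msg);
        return;
    }

    /* inet_ntoa returns a static buffer, so each result is copied out
     * before the next call. */
    if (strlcpy(sip, inet_ntoa(GET_SRC_ADDR(p)), sizeof sip) >= sizeof sip)
    {
        return;
    }
    if (strlcpy(dip, inet_ntoa(GET_DST_ADDR(p)), sizeof dip) >= sizeof dip)
    {
        return;
    }

    if (event != NULL)
    {
        char event_data[STD_BUF];

        if (SnortSnprintf(event_data, sizeof event_data, "[%lu:%lu:%lu] ",
                          (unsigned long)event->sig_generator,
                          (unsigned long)event->sig_id,
                          (unsigned long)event->sig_rev) != SNORT_SNPRINTF_SUCCESS)
        {
            return;
        }
        if (strlcat(event_string, event_data, sizeof event_string) >= sizeof event_string)
        {
            return;
        }
    }

    if (strlcat(event_string, msg != NULL ? msg : "ALERT",
                sizeof event_string) >= sizeof event_string)
    {
        return;
    }

    if (AppendSyslogPriority(event_string, sizeof event_string) != 0)
    {
        return;
    }

    if (FormatSyslogEndpoints(p, sip, dip, ip_data, sizeof ip_data) != 0)
    {
        return;
    }
    if (strlcat(event_string, ip_data, sizeof event_string) >= sizeof event_string)
    {
        return;
    }

    /* Fixed format string: the assembled line is never used as a format. */
    syslog(data->priority, "%s", event_string);
}

/*
 * Function: AlertSyslogCleanExit(int, void *)
 *
 * Purpose: Release the SyslogData allocated at plugin setup.
 *
 * Arguments: signal => unused
 *            arg    => SyslogData * (may be NULL)
 *
 * Returns: void function
 */
void AlertSyslogCleanExit(int signal, void *arg)
{
    SyslogData *data = (SyslogData *)arg;

    (void)signal;
    DEBUG_WRAP(DebugMessage(DEBUG_LOG, "AlertSyslogCleanExit\n"););

    /* free(NULL) is a no-op, so no guard is needed. */
    free(data);
}

/*
 * Function: AlertSyslogRestart(int, void *)
 *
 * Purpose: Release the SyslogData before the plugin is re-initialized.
 *
 * Arguments: signal => unused
 *            arg    => SyslogData * (may be NULL)
 *
 * Returns: void function
 */
void AlertSyslogRestart(int signal, void *arg)
{
    SyslogData *data = (SyslogData *)arg;

    (void)signal;
    DEBUG_WRAP(DebugMessage(DEBUG_LOG, "AlertSyslogRestartFunc\n"););

    free(data);
}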