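/*******
 * Copyright (C) 2005 PreludeIDS Technologies. All Rights Reserved.
 * Author: Yoann Vandoorselaere <yoann.v@prelude-ids.com>
 *
 * This file is part of the Snort program.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License Version 2 as
 * published by the Free Software Foundation. You may not use, modify or
 * distribute this program under any other version of the GNU General
 * Public License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; see the file COPYING. If not, write to
 * the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
 ******/

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#ifdef HAVE_LIBPRELUDE

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <libprelude/prelude.h>

#include "event.h"
#include "decode.h"
#include "plugbase.h"
#include "spo_plugbase.h"
#include "parser.h"
#include "debug.h"
#include "util.h"
#include "mstring.h"
#include "snort.h"

/* Static identity reported in the IDMEF Analyzer element. */
#define ANALYZER_CLASS "NIDS"
#define ANALYZER_MODEL "Snort"
#define ANALYZER_MANUFACTURER "http://www.snort.org"
#define ANALYZER_SID_URL "http://www.snort.org/pub-bin/sigs.cgi?sid="
#define SNORT_MAX_OWNED_SID 1000000
#define DEFAULT_ANALYZER_NAME "snort"

extern PV pv;
extern OptTreeNode *otn_tmp;

static char *init_args = NULL;

/* Snort priority thresholds used to map rule priority onto IDMEF impact. */
static unsigned int info_priority = 4;
static unsigned int low_priority = 3;
static unsigned int mid_priority = 2;

static prelude_bool_t initialized = FALSE;

/*
 * Fill in the fixed identity of this sensor (model, class, manufacturer
 * and version) on the IDMEF Analyzer object.  Every value is a compile-time
 * constant, so prelude_string_set_constant() is used and nothing is copied.
 *
 * Returns 0 on success, or the negative libprelude error code of the first
 * sub-object allocation that failed.
 */
static int setup_analyzer(idmef_analyzer_t *analyzer)
{
    int ret;
    prelude_string_t *string;

    ret = idmef_analyzer_new_model(analyzer, &string);
    if ( ret < 0 )
        return ret;
    prelude_string_set_constant(string, ANALYZER_MODEL);

    ret = idmef_analyzer_new_class(analyzer, &string);
    if ( ret < 0 )
        return ret;
    prelude_string_set_constant(string, ANALYZER_CLASS);

    ret = idmef_analyzer_new_manufacturer(analyzer, &string);
    if ( ret < 0 )
        return ret;
    prelude_string_set_constant(string, ANALYZER_MANUFACTURER);

    ret = idmef_analyzer_new_version(analyzer, &string);
    if ( ret < 0 )
        return ret;
    prelude_string_set_constant(string, VERSION);

    return 0;
}

/*
 * Map a rule reference scheme name ("cve", "bugtraq", "osvdb") to the
 * matching IDMEF reference origin.  The comparison is exact and
 * case-sensitive; any other scheme is reported as vendor-specific.
 */
static idmef_reference_origin_t reference_to_origin(const char *name)
{
    static const struct {
        const char *name;
        idmef_reference_origin_t origin;
    } tbl[] = {
        { "cve", IDMEF_REFERENCE_ORIGIN_CVE },
        { "bugtraq", IDMEF_REFERENCE_ORIGIN_BUGTRAQID },
        { "osvdb", IDMEF_REFERENCE_ORIGIN_OSVDB },
        { NULL, 0 }
    };
    size_t i;

    for ( i = 0; tbl[i].name; i++ ) {
        if ( strcmp(tbl[i].name, name) == 0 )
            return tbl[i].origin;
    }

    return IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC;
}

/*
 * Describe the packet's endpoints on the alert: one Source (source address,
 * source port, capture interface) and one Target (destination address,
 * destination port, capture interface).  A NULL or non-IP packet adds
 * nothing and returns 0.
 *
 * The address strings live in static buffers because
 * prelude_string_set_ref() keeps a reference rather than a copy, and the
 * buffer returned by inet_ntoa() is overwritten by its next call.  As a
 * consequence the alert must be emitted before the next packet is
 * processed, and this function is not re-entrant.
 *
 * Returns 0 on success or a negative libprelude error code.
 */
static int event_to_source_target(Packet *p, idmef_alert_t *alert)
{
    int ret;
    idmef_node_t *node;
    idmef_source_t *source;
    idmef_target_t *target;
    idmef_address_t *address;
    idmef_service_t *service;
    prelude_string_t *string;
    static char saddr[128], daddr[128];

    if ( ! p )
        return 0;

    if ( ! IPH_IS_VALID(p) )
        return 0;

    /* --- Source --- */
    ret = idmef_alert_new_source(alert, &source, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    if ( pv.interface ) {
        ret = idmef_source_new_interface(source, &string);
        if ( ret < 0 )
            return ret;
        prelude_string_set_ref(string, pv.interface);
    }

    ret = idmef_source_new_service(source, &service);
    if ( ret < 0 )
        return ret;

    /* Only TCP and UDP carry ports; other protocols get version/proto only. */
    if ( p->tcph || p->udph )
        idmef_service_set_port(service, p->sp);
    idmef_service_set_ip_version(service, GET_IPH_VER(p));
    idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));

    ret = idmef_source_new_node(source, &node);
    if ( ret < 0 )
        return ret;

    ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    ret = idmef_address_new_address(address, &string);
    if ( ret < 0 )
        return ret;

    SnortSnprintf(saddr, sizeof(saddr), "%s", inet_ntoa(GET_SRC_ADDR(p)));
    prelude_string_set_ref(string, saddr);

    /* --- Target --- */
    ret = idmef_alert_new_target(alert, &target, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    if ( pv.interface ) {
        ret = idmef_target_new_interface(target, &string);
        if ( ret < 0 )
            return ret;
        prelude_string_set_ref(string, pv.interface);
    }

    ret = idmef_target_new_service(target, &service);
    /*
     * Plain "ret < 0" here: the form "! ret < 0" parses as "(!ret) < 0",
     * which is never true, so a failed allocation would leave `service`
     * uninitialised and dereference it on the next line.
     */
    if ( ret < 0 )
        return ret;

    if ( p->tcph || p->udph )
        idmef_service_set_port(service, p->dp);
    idmef_service_set_ip_version(service, GET_IPH_VER(p));
    idmef_service_set_iana_protocol_number(service, GET_IPH_PROTO(p));

    ret = idmef_target_new_node(target, &node);
    if ( ret < 0 )
        return ret;

    ret = idmef_node_new_address(node, &address, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    ret = idmef_address_new_address(address, &string);
    if ( ret < 0 )
        return ret;

    SnortSnprintf(daddr, sizeof(daddr), "%s", inet_ntoa(GET_DST_ADDR(p)));
    prelude_string_set_ref(string, daddr);

    return 0;
}

/*
 * Attach a "meaning" label to an AdditionalData element.  The label is
 * referenced, not copied, so `meaning` must outlive the alert (callers in
 * this file pass string literals).  `kind` names the data type only in the
 * error message ("byte string data", "string data", "integer data").
 *
 * Returns 0 on success, -1 after logging on failure.
 */
static int set_additional_data_meaning(idmef_additional_data_t *ad,
                                       const char *meaning, const char *kind)
{
    int ret;
    prelude_string_t *str;

    ret = idmef_additional_data_new_meaning(ad, &str);
    if ( ret < 0 ) {
        ErrorMessage("%s: error creating additional-data meaning: %s.\n",
                     prelude_strsource(ret), prelude_strerror(ret));
        return -1;
    }

    ret = prelude_string_set_ref(str, meaning);
    if ( ret < 0 ) {
        ErrorMessage("%s: error setting %s meaning: %s.\n",
                     prelude_strsource(ret), kind, prelude_strerror(ret));
        return -1;
    }

    return 0;
}

/*
 * Append an AdditionalData element holding `size` raw bytes of `data`,
 * labelled `meaning`.  The bytes are referenced, not copied, so `data` must
 * stay valid until the alert is sent.  A NULL or empty buffer is skipped.
 *
 * Returns 0 on success (or when skipped), a negative libprelude code if the
 * element could not be allocated, -1 after logging on any other failure.
 */
static int add_byte_data(idmef_alert_t *alert, const char *meaning,
                         const unsigned char *data, size_t size)
{
    int ret;
    idmef_additional_data_t *ad;

    if ( ! data || ! size )
        return 0;

    ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    ret = idmef_additional_data_set_byte_string_ref(ad, data, size);
    if ( ret < 0 ) {
        ErrorMessage("%s: error setting byte string data: %s.\n",
                     prelude_strsource(ret), prelude_strerror(ret));
        return -1;
    }

    return set_additional_data_meaning(ad, meaning, "byte string data");
}

/*
 * Append an AdditionalData element holding the C string `data`, labelled
 * `meaning`.  The string is referenced, not copied, so it must stay valid
 * until the alert is sent.  A NULL string is skipped.
 *
 * Returns 0 on success (or when skipped), a negative libprelude code if the
 * element could not be allocated, -1 after logging on any other failure.
 */
static int add_string_data(idmef_alert_t *alert, const char *meaning,
                           const char *data)
{
    int ret;
    idmef_additional_data_t *ad;

    if ( ! data )
        return 0;

    ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    ret = idmef_additional_data_set_string_ref(ad, data);
    if ( ret < 0 ) {
        ErrorMessage("%s: error setting string data: %s.\n",
                     prelude_strsource(ret), prelude_strerror(ret));
        return -1;
    }

    return set_additional_data_meaning(ad, meaning, "string data");
}

/*
 * Append an AdditionalData element holding the integer `data`, labelled
 * `meaning`.  The value is stored by copy.
 *
 * Returns 0 on success, a negative libprelude code if the element could not
 * be allocated, -1 after logging on any other failure.
 */
static int add_int_data(idmef_alert_t *alert, const char *meaning, uint32_t data)
{
    int ret;
    idmef_additional_data_t *ad;

    ret = idmef_alert_new_additional_data(alert, &ad, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    idmef_additional_data_set_integer(ad, data);

    return set_additional_data_meaning(ad, meaning, "integer data");
}

/*
 * Attach the rule identity and the decoded IP / transport header fields of
 * the packet as AdditionalData elements.  Return values of the add_*_data
 * helpers are not checked here; a failed element is logged and skipped.
 */
static int packet_to_data(Packet *p, Event *event, idmef_alert_t *alert)
{
    int i;

    if ( ! p )
        return 0;

    add_int_data(alert, "snort_rule_sid", event->sig_id);
    add_int_data(alert, "snort_rule_rev", event->sig_rev);

    if ( IPH_IS_VALID(p) ) {
        add_int_data(alert, "ip_ver", GET_IPH_VER(p));
        add_int_data(alert, "ip_hlen", GET_IPH_HLEN(p));
        add_int_data(alert, "ip_tos", GET_IPH_TOS(p));
        add_int_data(alert, "ip_len", ntohs(GET_IPH_LEN(p)));
#ifdef SUP_IP6
        // XXX-IPv6 need fragmentation ID
#else
        add_int_data(alert, "ip_id", ntohs(p->iph->ip_id));
#endif
#ifdef SUP_IP6
        // XXX-IPv6 need fragmentation offset
#else
        add_int_data(alert, "ip_off", ntohs(p->iph->ip_off));
#endif
        add_int_data(alert, "ip_ttl", GET_IPH_TTL(p));
        add_int_data(alert, "ip_proto", GET_IPH_PROTO(p));
#ifdef SUP_IP6
        // XXX-IPv6 need checksum
#else
        add_int_data(alert, "ip_sum", ntohs(p->iph->ip_csum));
#endif

        for ( i = 0; i < p->ip_option_count; i++ ) {
            add_int_data(alert, "ip_option_code", p->ip_options[i].code);
            add_byte_data(alert, "ip_option_data", p->ip_options[i].data, p->ip_options[i].len);
        }
    }

    if ( p->tcph ) {
        add_int_data(alert, "tcp_seq", ntohl(p->tcph->th_seq));
        add_int_data(alert, "tcp_ack", ntohl(p->tcph->th_ack));
        add_int_data(alert, "tcp_off", TCP_OFFSET(p->tcph));
        add_int_data(alert, "tcp_res", TCP_X2(p->tcph));
        add_int_data(alert, "tcp_flags", p->tcph->th_flags);
        add_int_data(alert, "tcp_win", ntohs(p->tcph->th_win));
        add_int_data(alert, "tcp_sum", ntohs(p->tcph->th_sum));
        add_int_data(alert, "tcp_urp", ntohs(p->tcph->th_urp));

        for ( i = 0; i < p->tcp_option_count; i++ ) {
            add_int_data(alert, "tcp_option_code", p->tcp_options[i].code);
            add_byte_data(alert, "tcp_option_data", p->tcp_options[i].data, p->tcp_options[i].len);
        }
    } else if ( p->udph ) {
        add_int_data(alert, "udp_len",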
ntohs(p->udph->uh_len)); add_int_data(alert, "udp_sum", ntohs(p->udph->uh_chk)); } else if ( p->icmph ) { add_int_data(alert, "icmp_type", p->icmph->type); add_int_data(alert, "icmp_code", p->icmph->code); add_int_data(alert, "icmp_sum", ntohs(p->icmph->csum)); switch ( p->icmph->type ) { case ICMP_ECHO: case ICMP_ECHOREPLY: case ICMP_INFO_REQUEST: case ICMP_INFO_REPLY: case ICMP_ADDRESS: case ICMP_TIMESTAMP: