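add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id)); /* tail of packet_to_data(): the ICMP switch opens above this excerpt */
            add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
            break;

        case ICMP_ADDRESSREPLY:
            add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
            add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
            add_int_data(alert, "icmp_mask", (uint32_t) ntohl(p->icmph->s_icmp_mask));
            break;

        case ICMP_REDIRECT:
            /* inet_ntoa() returns a static buffer; it is consumed immediately here. */
            add_string_data(alert, "icmp_gwaddr", inet_ntoa(p->icmph->s_icmp_gwaddr));
            break;

        case ICMP_ROUTER_ADVERTISE:
            add_int_data(alert, "icmp_num_addrs", p->icmph->s_icmp_num_addrs);
            add_int_data(alert, "icmp_wpa", p->icmph->s_icmp_wpa);
            add_int_data(alert, "icmp_lifetime", ntohs(p->icmph->s_icmp_lifetime));
            break;

        case ICMP_TIMESTAMPREPLY:
            add_int_data(alert, "icmp_id", ntohs(p->icmph->s_icmp_id));
            add_int_data(alert, "icmp_seq", ntohs(p->icmph->s_icmp_seq));
            add_int_data(alert, "icmp_otime", p->icmph->s_icmp_otime);
            add_int_data(alert, "icmp_rtime", p->icmph->s_icmp_rtime);
            add_int_data(alert, "icmp_ttime", p->icmph->s_icmp_ttime);
            break;
        }
    }

    /* The raw packet payload (p->dsize bytes) is attached as additional data. */
    add_byte_data(alert, "payload", p->data, p->dsize);

    return 0;
}


/*
 * Attach an Assessment/Impact node to the alert, mapping the Snort rule
 * priority onto an IDMEF severity using the configurable thresholds
 * (mid_priority, low_priority, info_priority; lower number = more severe).
 * When the rule (otn_tmp) carries a classtype, its name becomes the impact
 * description.  Returns 0 on success or the negative libprelude error.
 */
static int event_to_impact(Event *event, idmef_alert_t *alert)
{
    int ret;
    ClassType *classtype;
    prelude_string_t *str;
    idmef_impact_t *impact;
    idmef_assessment_t *assessment;
    idmef_impact_severity_t severity;

    ret = idmef_alert_new_assessment(alert, &assessment);
    if ( ret < 0 )
        return ret;

    ret = idmef_assessment_new_impact(assessment, &impact);
    if ( ret < 0 )
        return ret;

    if ( event->priority < mid_priority )
        severity = IDMEF_IMPACT_SEVERITY_HIGH;
    else if ( event->priority < low_priority )
        severity = IDMEF_IMPACT_SEVERITY_MEDIUM;
    else if ( event->priority < info_priority )
        severity = IDMEF_IMPACT_SEVERITY_LOW;
    else
        severity = IDMEF_IMPACT_SEVERITY_INFO;

    idmef_impact_set_severity(impact, severity);

    /* No rule information available: severity alone is all we can say. */
    if ( ! otn_tmp )
        return 0;

    classtype = otn_tmp->sigInfo.classType;
    if ( classtype ) {
        ret = idmef_impact_new_description(impact, &str);
        if ( ret < 0 )
            return ret;

        /* Reference, not copy: classtype->name outlives the message. */
        prelude_string_set_ref(str, classtype->name);
    }

    return 0;
}


/*
 * Add a vendor-specific Reference pointing at the Snort signature database
 * for the (gen_id, sig_id) pair.  Signatures at or above SNORT_MAX_OWNED_SID
 * are user-defined and get no reference.  Returns 0 on success or the
 * negative libprelude error.
 */
static int add_snort_reference(idmef_classification_t *class, int gen_id, int sig_id)
{
    int ret;
    prelude_string_t *str;
    idmef_reference_t *ref;

    if ( sig_id >= SNORT_MAX_OWNED_SID )
        return 0;

    ret = idmef_classification_new_reference(class, &ref, IDMEF_LIST_APPEND);
    if ( ret < 0 )
        return ret;

    ret = idmef_reference_new_name(ref, &str);
    if ( ret < 0 )
        return ret;

    idmef_reference_set_origin(ref, IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC);

    /* Casts keep the "%u" conversions matched to their argument type. */
    if ( gen_id == 0 )
        ret = prelude_string_sprintf(str, "%u", (unsigned int) sig_id);
    else
        ret = prelude_string_sprintf(str, "%u:%u", (unsigned int) gen_id, (unsigned int) sig_id);

    if ( ret < 0 )
        return ret;

    ret = idmef_reference_new_meaning(ref, &str);
    if ( ret < 0 )
        return ret;

    ret = prelude_string_sprintf(str, "Snort Signature ID");
    if ( ret < 0 )
        return ret;

    ret = idmef_reference_new_url(ref, &str);
    if ( ret < 0 )
        return ret;

    if ( gen_id == 0 )
        ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u", (unsigned int) sig_id);
    else
        ret = prelude_string_sprintf(str, ANALYZER_SID_URL "%u:%u", (unsigned int) gen_id, (unsigned int) sig_id);

    return ret;
}


/*
 * Fill the Classification ident with "[gen:]sid", add the Snort signature
 * reference, and then one Reference per external reference (CVE, bugtraq,
 * url, ...) attached to the rule.  Returns 0 on success or the negative
 * libprelude error.
 */
static int event_to_reference(Event *event, idmef_classification_t *class)
{
    int ret;
    ReferenceNode *refs;
    prelude_string_t *str;
    idmef_reference_t *ref;
    ReferenceSystemNode *system;

    ret = idmef_classification_new_ident(class, &str);
    if ( ret < 0 )
        return ret;

    if ( event->sig_generator == 0 )
        ret = prelude_string_sprintf(str, "%u", event->sig_id);
    else
        ret = prelude_string_sprintf(str, "%u:%u", event->sig_generator, event->sig_id);

    if ( ret < 0 )
        return ret;

    ret = add_snort_reference(class, event->sig_generator, event->sig_id);
    if ( ret < 0 )
        return ret;

    /*
     * return if we have no information about the rule.
     */
    if ( ! otn_tmp )
        return 0;

    for ( refs = otn_tmp->sigInfo.refs; refs != NULL; refs = refs->next ) {
        system = refs->system;
        if ( ! system )
            continue;

        ret = idmef_classification_new_reference(class, &ref, IDMEF_LIST_APPEND);
        if ( ret < 0 )
            return ret;

        ret = idmef_reference_new_name(ref, &str);
        if ( ret < 0 )
            return ret;

        idmef_reference_set_origin(ref, reference_to_origin(system->name));

        /* Known reference systems use the id as name; plain URLs are just "url". */
        if ( idmef_reference_get_origin(ref) != IDMEF_REFERENCE_ORIGIN_VENDOR_SPECIFIC )
            prelude_string_set_ref(str, refs->id);
        else
            prelude_string_set_constant(str, "url");

        ret = idmef_reference_new_url(ref, &str);
        if ( ret < 0 )
            return ret;

        /* Either half may be missing; an empty string keeps the URL well-formed. */
        ret = prelude_string_sprintf(str, "%s%s",
                                     system->url ? system->url : "",
                                     refs->id ? refs->id : "");
        if ( ret < 0 )
            return ret;
    }

    return 0;
}


/*
 * Output-plugin callback: build an IDMEF alert for the packet/event pair and
 * hand it to the Prelude client (data).  Failures are silent: the partially
 * built message is destroyed and the alert is dropped.
 */
void snort_alert_prelude(Packet *p, char *msg, void *data, Event *event)
{
    int ret;
    idmef_time_t *time;
    idmef_alert_t *alert;
    prelude_string_t *str;
    idmef_message_t *idmef;
    idmef_classification_t *class;
    prelude_client_t *client = data;

    /*
     * event is dereferenced unconditionally by event_to_impact() and
     * event_to_reference(), so a NULL event is refused up front instead
     * of crashing the sensor.
     */
    if ( ! p || ! event )
        return;

    ret = idmef_message_new(&idmef);
    if ( ret < 0 )
        return;

    ret = idmef_message_new_alert(idmef, &alert);
    if ( ret < 0 )
        goto err;

    ret = idmef_alert_new_classification(alert, &class);
    if ( ret < 0 )
        goto err;

    ret = idmef_classification_new_text(class, &str);
    if ( ret < 0 )
        goto err;

    prelude_string_set_ref(str, msg);

    ret = event_to_impact(event, alert);
    if ( ret < 0 )
        goto err;

    ret = event_to_reference(event, class);
    if ( ret < 0 )
        goto err;

    ret = event_to_source_target(p, alert);
    if ( ret < 0 )
        goto err;

    ret = packet_to_data(p, event, alert);
    if ( ret < 0 )
        goto err;

    /* DetectTime is the capture timestamp, CreateTime is "now". */
    ret = idmef_alert_new_detect_time(alert, &time);
    if ( ret < 0 )
        goto err;

    idmef_time_set_from_timeval(time, &p->pkth->ts);

    ret = idmef_time_new_from_gettimeofday(&time);
    if ( ret < 0 )
        goto err;

    idmef_alert_set_create_time(alert, time);

    idmef_alert_set_analyzer(alert, idmef_analyzer_ref(prelude_client_get_analyzer(client)), IDMEF_LIST_PREPEND);

    prelude_client_send_idmef(client, idmef);

err:
    /* Reached on both the success and every failure path. */
    idmef_message_destroy(idmef);
}


/*
 * Clean-exit / restart hook: shut the Prelude client (data) down and
 * release libprelude.  The signal argument is unused.
 */
static void snort_alert_prelude_clean_exit(int signal, void *data)
{
    (void) signal;

    /*
     * A Snort sensor reporting to Prelude shall never go offline,
     * which is why we use PRELUDE_CLIENT_EXIT_STATUS_FAILURE.
     */
    prelude_client_destroy(data, PRELUDE_CLIENT_EXIT_STATUS_FAILURE);

    /*
     * Free libprelude relevant data and synchronize asynchronous thread.
     */
    prelude_deinit();
}


/*
 * Parse one priority threshold from the output line.  Unlike atoi(), this
 * rejects empty values, trailing garbage, negative numbers and values that
 * do not fit in an int, instead of silently yielding 0 and thereby
 * misclassifying the severity of every alert.  Fatal on bad input.
 */
static int parse_priority(const char *key, const char *value)
{
    char *end = NULL;
    long v = strtol(value, &end, 10);

    if ( end == value || *end != '\0' || v < 0 || (long) (int) v != v )
        FatalError("spo_alert_prelude: invalid numeric value '%s' for keyword '%s'.\n", value, key);

    return (int) v;
}


/*
 * Parse the "output alert_prelude: ..." argument string.  Recognized
 * keywords (case-insensitive, key=value, at most 4 tokens): profile, info,
 * low, medium.  *profile receives a malloc'ed copy the caller must free;
 * the priority keywords update the file-scope thresholds.  Any unknown
 * keyword or missing value is fatal.
 */
static void parse_args(char *args, char **profile)
{
    int i, tokens;
    char **args_table, *value, *key;

    args_table = mSplit(args, " ", 4, &tokens, '\\');

    for ( i = 0; i < tokens; i++ ) {
        key = args_table[i];

        /* Split "key=value" in place; strtok() is fine here, this runs single-threaded at init. */
        strtok(key, "=");
        value = strtok(NULL, "");
        if ( ! value )
            FatalError("spo_alert_prelude: missing value for keyword '%s'.\n", key);

        if ( strcasecmp("profile", key) == 0 ) {
            free(*profile);
            *profile = strdup(value);
            if ( ! *profile )
                FatalError("spo_alert_prelude: out of memory while parsing keyword '%s'.\n", key);
            continue;
        }

        if ( strcasecmp("info", key) == 0 ) {
            info_priority = parse_priority(key, value);
            continue;
        }

        if ( strcasecmp("low", key) == 0 ) {
            low_priority = parse_priority(key, value);
            continue;
        }

        if ( strcasecmp("medium", key) == 0 ) {
            mid_priority = parse_priority(key, value);
            continue;
        }

        FatalError("spo_alert_prelude: Invalid parameter found: '%s'.\n", key);
    }

    mSplitFree(&args_table, tokens);
}


/*
 * Deferred initialization, run once privileges have been dropped: parse the
 * saved arguments, bring libprelude up, create and start the client, and
 * register the alert / clean-exit / restart callbacks.  Every failure is
 * fatal for the sensor.
 */
void AlertPreludeSetupAfterSetuid(void)
{
    int ret;
    char *profile = NULL;
    prelude_client_t *client;
    prelude_client_flags_t flags;

    if ( ! initialized )
        return;

    /* init_args stays NULL when the output line carried no arguments. */
    if ( init_args )
        parse_args(init_args, &profile);

    free(init_args);
    init_args = NULL;

    ret = prelude_thread_init(NULL);
    if ( ret < 0 )
        FatalError("%s: Unable to initialize the Prelude thread subsystem: %s.\n",
                   prelude_strsource(ret), prelude_strerror(ret));

    ret = prelude_init(NULL, NULL);
    if ( ret < 0 )
        FatalError("%s: Unable to initialize the Prelude library: %s.\n",
                   prelude_strsource(ret), prelude_strerror(ret));

    ret = prelude_client_new(&client, profile ? profile : DEFAULT_ANALYZER_NAME);
    free(profile);
    if ( ret < 0 )
        FatalError("%s: Unable to create a prelude client object: %s.\n",
                   prelude_strsource(ret), prelude_strerror(ret));

    /* Sending and heartbeat timers run on libprelude's own thread. */
    flags = PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER;
    ret = prelude_client_set_flags(client, prelude_client_get_flags(client) | flags);
    if ( ret < 0 )
        FatalError("%s: Unable to set asynchronous send and timer: %s.\n",
                   prelude_strsource(ret), prelude_strerror(ret));

    setup_analyzer(prelude_client_get_analyzer(client));

    ret = prelude_client_start(client);
    if ( ret < 0 ) {
        /* Usually a missing registration; libprelude prints the how-to. */
        if ( prelude_client_is_setup_needed(ret) )
            prelude_client_print_setup_error(client);

        FatalError("%s: Unable to initialize prelude client: %s.\n",
                   prelude_strsource(ret), prelude_strerror(ret));
    }

    AddFuncToOutputList(snort_alert_prelude, NT_OUTPUT_ALERT, client);
    AddFuncToCleanExitList(snort_alert_prelude_clean_exit, client);
    AddFuncToRestartList(snort_alert_prelude_clean_exit, client);
}


/*
 * Plugin init callback: only stash a copy of the arguments and mark the
 * plugin as enabled.  Real setup happens in AlertPreludeSetupAfterSetuid()
 * so that libprelude runs with the dropped privileges.
 */
void snort_alert_prelude_init(unsigned char *args)
{
    /*
     * Do nothing here. Wait until AlertPreludeSetupAfterSetuid is called.
     */
    if ( args )
        init_args = strdup((char *) args);

    initialized = TRUE;
}


/* Register the "alert_prelude" output plugin with Snort. */
void AlertPreludeSetup(void)
{
    RegisterOutputPlugin("alert_prelude", NT_OUTPUT_ALERT, snort_alert_prelude_init);
}

#endif /* HAVE_LIBPRELUDE */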