spo_unified.c

著名的入侵检测系统snort的最新版本的源码

   
    SafeMemcpy(write_pkt_buffer, &dHdr, sizeof(DataHeader), 
                write_pkt_buffer, write_pkt_buffer + sizeof(DataHeader) + 
                sizeof(UnifiedLog) + IP_MAXPACKET );
    SafeMemcpy(write_pkt_buffer + sizeof(DataHeader), (char *)data, length,
                write_pkt_buffer, write_pkt_buffer + 
                sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET );

    if(fwrite(write_pkt_buffer, length + sizeof(DataHeader),
              1, unifiedConfig->stream) != 1)
    {
        FatalError("SpoUnified: write failed: %s\n", strerror(errno));
    }

    fflush(unifiedConfig->stream);

    return 0;
}

void UnifiedLogAlert(Packet *p, char *msg, void *arg, Event *event)
{
    DataHeader dHdr;
   
    /* check for a pseudo-packet, we don't want to log those */
    if(IS_IP4(p))
    {
        dHdr.type = UNIFIED_TYPE_ALERT;
        dHdr.length = sizeof(UnifiedAlert);
 
        RealUnifiedLogAlert(p, msg, arg, event, &dHdr);
    }
    else
    {
        dHdr.type = UNIFIED_TYPE_IPV6_ALERT;
        dHdr.length = sizeof(UnifiedIPv6Alert);
 
        RealUnifiedLogAlert6(p, msg, arg, event, &dHdr);
    }
}
  
int UnifiedFirstPacketCallback(struct pcap_pkthdr *pkth,
                               u_int8_t *packet_data, void *userdata)
{
    UnifiedAlert *alertdata = (UnifiedAlert*)userdata;

    /* loop thru all the packets in the stream */
    if(pkth != NULL )
    {
        alertdata->ts.tv_sec  = (u_int32_t)pkth->ts.tv_sec;
        alertdata->ts.tv_usec = (u_int32_t)pkth->ts.tv_usec;
    } 

    /* return non-zero so we only do this once */
    return 1;
}

void RealUnifiedLogAlert(Packet *p, char *msg, void *arg, Event *event, 
        DataHeader *dHdr)
{
    UnifiedConfig *data = (UnifiedConfig *)arg;
    UnifiedAlert alertdata;

    bzero(&alertdata, sizeof(alertdata));

    if(event != NULL)
    {
        alertdata.event.sig_generator = event->sig_generator;
        alertdata.event.sig_id = event->sig_id;
        alertdata.event.sig_rev = event->sig_rev;
        alertdata.event.classification = event->classification;
        alertdata.event.priority = event->priority;
        alertdata.event.event_id = event->event_id;
        alertdata.event.event_reference = event->event_reference;
        alertdata.event.ref_time.tv_sec = event->ref_time.tv_sec;
        alertdata.event.ref_time.tv_usec = event->ref_time.tv_usec;

    }

    if(p)
    {
        alertdata.ts.tv_sec = (u_int32_t)p->pkth->ts.tv_sec;
        alertdata.ts.tv_usec = (u_int32_t)p->pkth->ts.tv_usec;
       
        if((p->packet_flags & PKT_REBUILT_STREAM) && stream_api)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_LOG, "man:Logging rebuilt stream data.\n");); 

            stream_api->traverse_reassembled(p, UnifiedFirstPacketCallback, &alertdata);

       }

        if(IPH_IS_VALID(p))
        {
            /* everything needs to be written in host order */
            alertdata.sip = ntohl(p->iph->ip_src.s_addr);
            alertdata.dip = ntohl(p->iph->ip_dst.s_addr);
            if(GET_IPH_PROTO(p) == IPPROTO_ICMP)
            {
                if(p->icmph != NULL)
                {
                    alertdata.sp = p->icmph->type;
                    alertdata.dp = p->icmph->code;
                }
            }
            else
            {
                alertdata.sp = p->sp;
                alertdata.dp = p->dp;
            }
            alertdata.protocol = GET_IPH_PROTO(p);
            alertdata.flags = p->packet_flags;
        }
    }
    
    /* backward compatibility stuff */
    if(dHdr == NULL)
    {
        if((data->current + sizeof(UnifiedAlert)) > data->limit)
            UnifiedAlertRotateFile(data);
    }
    else
    {
        if((data->current + sizeof(UnifiedAlert)) > data->limit)
            UnifiedRotateFile(data);
    }

    if(dHdr)
    {
        if(fwrite((char *)dHdr, sizeof(DataHeader), 1, data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));
        data->current += sizeof(DataHeader);
    }
    
    if(fwrite((char *)&alertdata, sizeof(UnifiedAlert), 1, data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));


    fflush(data->stream);
    data->current += sizeof(UnifiedAlert);
}

void RealUnifiedLogAlert6(Packet *p, char *msg, void *arg, Event *event, 
        DataHeader *dHdr)
{
    UnifiedConfig *data = (UnifiedConfig *)arg;
    UnifiedIPv6Alert alertdata;

    bzero(&alertdata, sizeof(alertdata));

    if(event != NULL)
    {
        alertdata.event.sig_generator = event->sig_generator;
        alertdata.event.sig_id = event->sig_id;
        alertdata.event.sig_rev = event->sig_rev;
        alertdata.event.classification = event->classification;
        alertdata.event.priority = event->priority;
        alertdata.event.event_id = event->event_id;
        alertdata.event.event_reference = event->event_reference;
        alertdata.event.ref_time.tv_sec = event->ref_time.tv_sec;
        alertdata.event.ref_time.tv_usec = event->ref_time.tv_usec;

    }

    if(p)
    {
        alertdata.ts.tv_sec = (u_int32_t)p->pkth->ts.tv_sec;
        alertdata.ts.tv_usec = (u_int32_t)p->pkth->ts.tv_usec;
       
        if((p->packet_flags & PKT_REBUILT_STREAM) && stream_api)
        {
            DEBUG_WRAP(DebugMessage(DEBUG_LOG, "man:Logging rebuilt stream data.\n");); 

            stream_api->traverse_reassembled(p, UnifiedFirstPacketCallback, &alertdata);

       }

        if(IPH_IS_VALID(p))
        {
            /* everything needs to be written in host order */
            IP_COPY_VALUE(alertdata.sip, GET_SRC_IP(p));
            IP_COPY_VALUE(alertdata.dip, GET_DST_IP(p));
            if(GET_IPH_PROTO(p) == IPPROTO_ICMP)
            {
                if(p->icmph != NULL)
                {
                    alertdata.sp = p->icmph->type;
                    alertdata.dp = p->icmph->code;
                }
            }
            else
            {
                alertdata.sp = p->sp;
                alertdata.dp = p->dp;
            }
            alertdata.protocol = GET_IPH_PROTO(p);
            alertdata.flags = p->packet_flags;
        }
    }
    
    /* backward compatibility stuff */
    if(dHdr == NULL)
    {
        if((data->current + sizeof(UnifiedIPv6Alert)) > data->limit)
            UnifiedAlertRotateFile(data);
    }
    else
    {
        if((data->current + sizeof(UnifiedIPv6Alert)) > data->limit)
            UnifiedRotateFile(data);
    }

    if(dHdr)
    {
        if(fwrite((char *)dHdr, sizeof(DataHeader), 1, data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));
        data->current += sizeof(DataHeader);
    }
    
    if(fwrite((char *)&alertdata, sizeof(UnifiedIPv6Alert), 1, data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));


    fflush(data->stream);
    data->current += sizeof(UnifiedAlert);
}


void UnifiedLogPacketAlert(Packet *p, char *msg, void *arg, Event *event)
{
    DataHeader dHdr;
    dHdr.type = UNIFIED_TYPE_PACKET_ALERT;
    dHdr.length = sizeof(UnifiedLog);
    
    if(p->packet_flags & PKT_REBUILT_STREAM)
    {
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, 
                    "[*] Reassembled packet, dumping stream packets\n"););
        RealUnifiedLogStreamAlert(p, msg, arg, event, &dHdr);
    }
    else
    {
        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "[*] Logging unified packets...\n"););
        RealUnifiedLogPacketAlert(p, msg, arg, event, &dHdr);
    }

}


void RealUnifiedLogPacketAlert(Packet *p, char *msg, void *arg, Event *event,
        DataHeader *dHdr)
{
    UnifiedLog logheader;
    UnifiedConfig *data = (UnifiedConfig *)arg;
    int offset = 0;

    if(event != NULL)
    {
        logheader.event.sig_generator = event->sig_generator;
        logheader.event.sig_id = event->sig_id;
        logheader.event.sig_rev = event->sig_rev;
        logheader.event.classification = event->classification;
        logheader.event.priority = event->priority;
        logheader.event.event_id = event->event_id;
        logheader.event.event_reference = event->event_reference;
        logheader.event.ref_time.tv_sec = event->ref_time.tv_sec;
        logheader.event.ref_time.tv_usec = event->ref_time.tv_usec;

        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "------------\n");
        DebugMessage(DEBUG_LOG, "gen: %u\n", logheader.event.sig_generator);
        DebugMessage(DEBUG_LOG, "sid: %u\n", logheader.event.sig_id);
        DebugMessage(DEBUG_LOG, "rev: %u\n", logheader.event.sig_rev);
        DebugMessage(DEBUG_LOG, "cls: %u\n", logheader.event.classification);
        DebugMessage(DEBUG_LOG, "pri: %u\n", logheader.event.priority);
        DebugMessage(DEBUG_LOG, "eid: %u\n", logheader.event.event_id);
        DebugMessage(DEBUG_LOG, "erf: %u\n", logheader.event.event_reference);
        DebugMessage(DEBUG_LOG, "sec: %lu\n", logheader.event.ref_time.tv_sec);
        DebugMessage(DEBUG_LOG, "usc: %lu\n", logheader.event.ref_time.tv_usec););
    }

    if(p)
    {
        logheader.flags = p->packet_flags;

        /* 
         * this will have to be fixed when we transition to the pa_engine
         * code (p->pkth is libpcap specific)
         */ 
        logheader.pkth.ts.tv_sec = (u_int32_t)p->pkth->ts.tv_sec;
        logheader.pkth.ts.tv_usec = (u_int32_t)p->pkth->ts.tv_usec;
        logheader.pkth.caplen = p->pkth->caplen;
        logheader.pkth.pktlen = p->pkth->len;

    }
    else
    {
        logheader.flags = 0;
        logheader.pkth.ts.tv_sec = 0;
        logheader.pkth.ts.tv_usec = 0;
        logheader.pkth.caplen = 0;
        logheader.pkth.pktlen = 0;
    }
    
    /* backward compatibility stuff */
    if(dHdr == NULL)
    {
        if((data->current + sizeof(UnifiedLog) + logheader.pkth.caplen) > 
                data->limit)
            UnifiedLogRotateFile(data);
    }
    else
    {   
        if((data->current + sizeof(UnifiedLog) + sizeof(DataHeader) 
                    + logheader.pkth.caplen) > data->limit)
            UnifiedRotateFile(data);
    }
    if(dHdr)
    {
        SafeMemcpy(write_pkt_buffer, dHdr, sizeof(DataHeader),
                write_pkt_buffer, write_pkt_buffer + 
                sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET);

        data->current += sizeof(DataHeader);
        offset = sizeof(DataHeader);

    }
        
    SafeMemcpy(write_pkt_buffer + offset, &logheader, sizeof(UnifiedLog),
                write_pkt_buffer, write_pkt_buffer + 
                sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET);

    data->current += sizeof(UnifiedLog);
    offset += sizeof(UnifiedLog);
    
    if(p)
    {
        SafeMemcpy(write_pkt_buffer + offset, p->pkt, p->pkth->caplen,
                write_pkt_buffer, write_pkt_buffer + 
                sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET);

        if(fwrite(write_pkt_buffer, offset + p->pkth->caplen, 
                  1, data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));

        data->current += p->pkth->caplen;
    }
    else 
    {
        if(fwrite(write_pkt_buffer, sizeof(DataHeader) + 
               sizeof(UnifiedLog), 1, data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));
    }

    fflush(data->stream);
}

typedef struct _UnifiedLogStreamCallbackData
{
    UnifiedLog *logheader;
    UnifiedConfig *data;
    DataHeader *dHdr;
    Event *event;
    int once;
} UnifiedLogStreamCallbackData;

/**
 * Callback for the Stream reassembler to log packets
 *
 */
int UnifiedLogStreamCallback(struct pcap_pkthdr *pkth,
                             u_int8_t *packet_data, void *userdata)
{
    UnifiedLogStreamCallbackData *unifiedData;
    int offset = 0;

    if (!userdata)
        return -1;

    unifiedData = (UnifiedLogStreamCallbackData *)userdata;

    /* copy it's pktheader data into the logheader */
    unifiedData->logheader->pkth.ts.tv_sec = (u_int32_t)pkth->ts.tv_sec;
    unifiedData->logheader->pkth.ts.tv_usec = (u_int32_t)pkth->ts.tv_usec;
    unifiedData->logheader->pkth.caplen = (u_int32_t)pkth->caplen;
    unifiedData->logheader->pkth.pktlen = (u_int32_t)pkth->len;

    /* backward compatibility stuff */
    if(unifiedData->dHdr == NULL)