spo_unified.c

著名的入侵检测系统snort的最新版本的源码

    {
        if((unifiedData->data->current +
            sizeof(UnifiedLog)+
            unifiedData->logheader->pkth.caplen) > 
            unifiedData->data->limit)
        {
            UnifiedLogRotateFile(unifiedData->data);
        }
    }
    else
    {   
        if((unifiedData->data->current + sizeof(UnifiedLog) + sizeof(DataHeader) 
                    + unifiedData->logheader->pkth.caplen) > unifiedData->data->limit)
            UnifiedRotateFile(unifiedData->data);
    }

    if(unifiedData->dHdr)
    {
        SafeMemcpy(write_pkt_buffer, unifiedData->dHdr, sizeof(DataHeader),
                   write_pkt_buffer, write_pkt_buffer +
                   sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET);

        offset = sizeof(DataHeader);

        unifiedData->data->current += sizeof(DataHeader);
    }

    SafeMemcpy(write_pkt_buffer + offset, unifiedData->logheader, 
                sizeof(UnifiedLog), write_pkt_buffer, 
                write_pkt_buffer + sizeof(DataHeader) + 
                sizeof(UnifiedLog) + IP_MAXPACKET);

    offset += sizeof(UnifiedLog);

    unifiedData->data->current += sizeof(UnifiedLog);

    if(packet_data)
    {
        SafeMemcpy(write_pkt_buffer, packet_data, 
               offset + unifiedData->logheader->pkth.caplen,
               write_pkt_buffer, write_pkt_buffer + 
               sizeof(DataHeader) + sizeof(UnifiedLog) + IP_MAXPACKET);

        if(fwrite(write_pkt_buffer, offset + unifiedData->logheader->pkth.caplen,
                  1, unifiedData->data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));

        unifiedData->data->current += unifiedData->logheader->pkth.caplen;
    }
    else 
    {
        if(fwrite(write_pkt_buffer, offset,
                  1, unifiedData->data->stream) != 1)
            FatalError("SpoUnified: write failed: %s\n", strerror(errno));
    }

    /* after the first logged packet modify the event headers */
    if(!unifiedData->once++)
    {
        unifiedData->logheader->event.sig_generator = GENERATOR_TAG;
        unifiedData->logheader->event.sig_id = TAG_LOG_PKT;
        unifiedData->logheader->event.sig_rev = 1;
        unifiedData->logheader->event.classification = 0;
        unifiedData->logheader->event.priority = unifiedData->event->priority;
        /* Note that event_id is now incorrect. 
         * See OldUnifiedLogPacketAlert() for details. */
    }

    return 0;
}


/**
 * Log a set of packets stored in the stream reassembler
 *
 */
void RealUnifiedLogStreamAlert(Packet *p, char *msg, void *arg, Event *event,
        DataHeader *dHdr)
{
    UnifiedLogStreamCallbackData unifiedData;
    UnifiedLog logheader;
    UnifiedConfig *data = (UnifiedConfig *)arg;
    int once = 0;

    /* setup the event header */
    if(event != NULL)
    {
        logheader.event.sig_generator = event->sig_generator;
        logheader.event.sig_id = event->sig_id;
        logheader.event.sig_rev = event->sig_rev;
        logheader.event.classification = event->classification;
        logheader.event.priority = event->priority;
        logheader.event.event_id = event->event_id;
        logheader.event.event_reference = event->event_reference;
        /* Note that ref_time is probably incorrect.  
         * See OldUnifiedLogPacketAlert() for details. */
        logheader.event.ref_time.tv_sec = event->ref_time.tv_sec;
        logheader.event.ref_time.tv_usec = event->ref_time.tv_usec;

        DEBUG_WRAP(DebugMessage(DEBUG_LOG, "------------\n");
        DebugMessage(DEBUG_LOG, "gen: %u\n", logheader.event.sig_generator);
        DebugMessage(DEBUG_LOG, "sid: %u\n", logheader.event.sig_id);
        DebugMessage(DEBUG_LOG, "rev: %u\n", logheader.event.sig_rev);
        DebugMessage(DEBUG_LOG, "cls: %u\n", logheader.event.classification);
        DebugMessage(DEBUG_LOG, "pri: %u\n", logheader.event.priority);
        DebugMessage(DEBUG_LOG, "eid: %u\n", logheader.event.event_id);
        DebugMessage(DEBUG_LOG, "erf: %u\n", 
               logheader.event.event_reference);
        DebugMessage(DEBUG_LOG, "sec: %lu\n", 
               logheader.event.ref_time.tv_sec);
        DebugMessage(DEBUG_LOG, "usc: %lu\n", 
               logheader.event.ref_time.tv_usec););
    }

    /* queue up the stream for logging */
    if(p && stream_api)
    {
        unifiedData.logheader = &logheader;
        unifiedData.data = data;
        unifiedData.dHdr = dHdr;
        unifiedData.event = event;
        unifiedData.once = once;
        stream_api->traverse_reassembled(p, UnifiedLogStreamCallback, &unifiedData);
    }
    
    fflush(data->stream);
}

/*
 * Function: UnifiedParseArgs(char *)
 *
 * Purpose: Process the preprocessor arguements from the rules file and 
 *          initialize the preprocessor's data struct.  This function doesn't
 *          have to exist if it makes sense to parse the args in the init 
 *          function.
 *
 * Arguments: args => argument list
 *
 * Returns: void function
 *
 */
UnifiedConfig *UnifiedParseArgs(char *args, char *default_filename)
{
    UnifiedConfig *tmp;
    int limit = 0;

    tmp = (UnifiedConfig *)calloc(sizeof(UnifiedConfig), sizeof(char));

    if(tmp == NULL)
    {
        FatalError("Unable to allocate Unified Data struct!\n");
    }

    /* This is so the if 'nostamps' option is used on the command line,
     * it will be honored by unified, and only one variable is used. */
    tmp->nostamp = pv.nostamp;

    DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "Args: %s\n", args););

    if(args != NULL)
    {
        char **toks;
        int num_toks;
        int i = 0;
        toks = mSplit(args, ",", 31, &num_toks, '\\');
        for(i = 0; i < num_toks; ++i)
        {
            char **stoks;
            int num_stoks;
            char *index = toks[i];
            while(isspace((int)*index))
                ++index;
          
            stoks = mSplit(index, " ", 2, &num_stoks, 0);
            
            if(strcasecmp("filename", stoks[0]) == 0)
            {
                if(num_stoks > 1 && tmp->filename == NULL)
                    tmp->filename = strdup(stoks[1]);
                else
                    LogMessage("Argument Error in %s(%i): %s\n",
                            file_name, file_line, index);
            }
            else if(strcasecmp("limit", stoks[0]) == 0)
            {
                if(num_stoks > 1 && limit == 0)
                {
                    limit = atoi(stoks[1]);
                }
                else
                {
                    LogMessage("Argument Error in %s(%i): %s\n",
                            file_name, file_line, index);
                }
            }
            else if(strcasecmp("nostamp", stoks[0]) == 0)
            {   
                tmp->nostamp = 1;
            }
            else
            {
                LogMessage("Argument Error in %s(%i): %s\n",
                        file_name, file_line, index);
            }
            
            mSplitFree(&stoks, num_stoks);
        }
        mSplitFree(&toks, num_toks);
    }

    if(tmp->filename == NULL)
        tmp->filename = strdup(default_filename);
    
    //LogMessage("limit == %i\n", limit);

    if(limit <= 0)
    {
        limit = 128;
    }
    if(limit > 512)
    {
        LogMessage("spo_unified %s(%d)=> Lowering limit of %iMB to 512MB\n", file_name, file_line, limit);
        limit = 512;
    }

    /* convert the limit to "MB" */
    tmp->limit = limit << 20;

    return tmp;
}


/*
 * Function: UnifiedCleanExitFunc()
 *
 * Purpose: Cleanup at exit time
 *
 * Arguments: signal => signal that caused this event
 *            arg => data ptr to reference this plugin's data
 *
 * Returns: void function
 */
static void UnifiedCleanExit(int signal, void *arg)
{
    /* cast the arg pointer to the proper type */
    UnifiedConfig *data = (UnifiedConfig *)arg;

    DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified: CleanExit\n"););

    fclose(data->stream);

    /* free up initialized memory */
    free(data->filename);
    free(data);
}



/*
 * Function: Restart()
 *
 * Purpose: For restarts (SIGHUP usually) clean up structs that need it
 *
 * Arguments: signal => signal that caused this event
 *            arg => data ptr to reference this plugin's data
 *
 * Returns: void function
 */
static void UnifiedRestart(int signal, void *arg)
{
    UnifiedConfig *data = (UnifiedConfig *)arg;

    DEBUG_WRAP(DebugMessage(DEBUG_FLOW, "SpoUnified: Restart\n"););

    fclose(data->stream);
    free(data->filename);
    free(data);
}



/* Unified Alert functions (deprecated) */
void UnifiedAlertInit(char *args)
{
    UnifiedConfig *data;

    DEBUG_WRAP(DebugMessage(DEBUG_INIT, "Output: Unified Alert Initialized\n"););

    pv.alert_plugin_active = 1;

    /* parse the argument list from the rules file */
    data = UnifiedParseArgs(args, "snort-unified.alert");

    UnifiedInitAlertFile(data);


    //LogMessage("UnifiedAlertFilename = %s\n", data->filename);
    /* Set the preprocessor function into the function list */
    AddFuncToOutputList(OldUnifiedLogAlert, NT_OUTPUT_ALERT, data);
    AddFuncToCleanExitList(UnifiedCleanExit, data);
    AddFuncToRestartList(UnifiedRestart, data);
}
/*
 * Function: UnifiedInitAlertFile()
 *
 * Purpose: Initialize the unified log alert file
 *
 * Arguments: data => pointer to the plugin's reference data struct 
 *
 * Returns: void function
 */
void UnifiedInitAlertFile(UnifiedConfig *data)
{
    time_t curr_time;      /* place to stick the clock data */
    char logdir[STD_BUF];
    int value;
    UnifiedAlertFileHeader hdr;

    bzero(logdir, STD_BUF);
    curr_time = time(NULL);

    if(data->nostamp) 
    {
        if(data->filename[0] == '/')
            value = SnortSnprintf(logdir, STD_BUF, "%s", data->filename, 
                              (u_int32_t)curr_time);
        else
            value = SnortSnprintf(logdir, STD_BUF, "%s/%s", pv.log_dir, 
                              data->filename, (u_int32_t)curr_time);
    }
    else
    {
        if(data->filename[0] == '/')
            value = SnortSnprintf(logdir, STD_BUF, "%s.%lu", data->filename, 
                                  (u_int32_t)curr_time);
        else
            value = SnortSnprintf(logdir, STD_BUF, "%s/%s.%lu", pv.log_dir, 
                                  data->filename, (u_int32_t)curr_time);
    }

    if(value != SNORT_SNPRINTF_SUCCESS)
    {
        FatalError("unified log file logging path and file name are "
                   "too long, aborting!\n");
    }

    DEBUG_WRAP(DebugMessage(DEBUG_LOG, "Opening %s\n", logdir););

    if((data->stream = fopen(logdir, "wb+")) == NULL)
    {
        FatalError("UnifiedInitAlertFile(%s): %s\n", logdir, strerror(errno));
    }

    hdr.magic = ALERT_MAGIC;
    hdr.version_major = 1;
    hdr.version_minor = 81;
    hdr.timezone = thiszone;

    if(fwrite((char *)&hdr, sizeof(hdr), 1, data->stream) != 1)
    {
        FatalError("UnifiedAlertInit(): %s\n", strerror(errno));
    }
        
    fflush(data->stream);

    return;
}


void OldUnifiedLogAlert(Packet *p, char *msg, void *arg, Event *event)
{
    RealUnifiedLogAlert(p, msg, arg, event, NULL);
}

void UnifiedAlertRotateFile(UnifiedConfig *data)
{

    fclose(data->stream);
    data->current = 0;
    UnifiedInitAlertFile(data);
}

/* Unified Packet Log functions (deprecated) */

void UnifiedLogInit(char *args)
{
    UnifiedConfig *UnifiedInfo;